xpn xpn

## dotnet_inject.cpp
// Compile with g++ dotnet_injectbundle.cpp -o dotnet_injectbundle

#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include "main.h"

// libcorclr.dll signature for finding hlpDynamicFuncTable

## dotnet_injectbundle.cpp
// Compile with g++ dotnet_injectbundle.cpp -o dotnet_injectbundle

#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <mach-o/dyld.h>
#include "main.h"

## main.h
typedef unsigned int DWORD;
typedef unsigned char BYTE;
typedef unsigned char * PBYTE;
typedef DWORD HRESULT;
typedef unsigned short USHORT;
typedef unsigned int ULONG;
typedef unsigned char UCHAR;
typedef bool BOOL;

static const DWORD kCurrentMajorVersion = 2;

## memdump.c
#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include "memdump.h"

#define DUMP_COUNT 50

// Headers which we will need to use throughout our session

## env_var_spoofing_poc.cpp
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)

#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43

## azuread_decrypt_msol_v2.ps1
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

try {
    $client.Open()
} catch {
    Write-Host "[!] Could not connect to localdb..."
    return

## unmanaged_dotnet_unhook_etw.c
#include <stdio.h>
#include <Windows.h>
#include <MSCorEE.h>
#include <MetaHost.h>
#include <evntprov.h>

int main()
{
	ICLRMetaHost* metaHost = NULL;
	IEnumUnknown* runtime = NULL;

## dotnet_unhook_etw.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;

namespace test
{
    class Win32
    {
        [DllImport("kernel32")]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

## dotnet_etw.c
#define AssemblyDCStart_V1 155
#define MethodLoadVerbose_V1 143

#include <windows.h>
#include <stdio.h>
#include <wbemidl.h>
#include <wmistr.h>
#include <evntrace.h>
#include <Evntcons.h>

## PCMPBNMBAO_x86_poc.vba
' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
' by @_xpn_
'
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro

Const EXTENDED_STARTUPINFO_PRESENT = &H80000
Const HEAP_ZERO_MEMORY = &H8&
Const SW_HIDE = &H0&
Const MAX_PATH = 260
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007
	// Compile with g++ dotnet_injectbundle.cpp -o dotnet_injectbundle

	#include <stdio.h>
	#include <fcntl.h>
	#include <string.h>
	#include <unistd.h>
	#include <stdlib.h>
	#include "main.h"

	// libcorclr.dll signature for finding hlpDynamicFuncTable
	typedef unsigned int DWORD;
	typedef unsigned char BYTE;
	typedef unsigned char * PBYTE;
	typedef DWORD HRESULT;
	typedef unsigned short USHORT;
	typedef unsigned int ULONG;
	typedef unsigned char UCHAR;
	typedef bool BOOL;

	static const DWORD kCurrentMajorVersion = 2;
	// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
	// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
	//
	// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
	// and then resuming the process.
	//
	// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)

	#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
	#define INJECT_PARAM_LEN 43
	Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
	Write-Host "`t[ Updated to support new cryptokey storage method ]`n"

	$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

	try {
	$client.Open()
	} catch {
	Write-Host "[!] Could not connect to localdb..."
	return
	#include <stdio.h>
	#include <Windows.h>
	#include <MSCorEE.h>
	#include <MetaHost.h>
	#include <evntprov.h>

	int main()
	{
	ICLRMetaHost* metaHost = NULL;
	IEnumUnknown* runtime = NULL;
	using System;
	using System.Reflection;
	using System.Runtime.InteropServices;

	namespace test
	{
	class Win32
	{
	[DllImport("kernel32")]
	public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
	#define AssemblyDCStart_V1 155
	#define MethodLoadVerbose_V1 143

	#include <windows.h>
	#include <stdio.h>
	#include <wbemidl.h>
	#include <wmistr.h>
	#include <evntrace.h>
	#include <Evntcons.h>
	' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
	' by @_xpn_
	'
	' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro

	Const EXTENDED_STARTUPINFO_PRESENT = &H80000
	Const HEAP_ZERO_MEMORY = &H8&
	Const SW_HIDE = &H0&
	Const MAX_PATH = 260
	Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007