Adam Chester xpn

## getsystem_parent.cpp
#include "stdafx.h"

BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
	TOKEN_PRIVILEGES tp;
	LUID luid;
	TOKEN_PRIVILEGES tpPrevious;
	DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);

	if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;

## tasks.cs
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;

using System.Reflection;
using System.Reflection.Emit;

using System.Collections;
using System.Collections.Generic;

## libusb_xb_test.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <libusb-1.0/libusb.h>


void printdev(libusb_device *dev) {
struct libusb_device_descriptor desc;
struct libusb_config_descriptor *config;
struct libusb_interface_descriptor *interdesc;

## invoke-shellcode.ps1
function Invoke-Shellcode
{
<#
.SYNOPSIS

Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.

PowerSploit Function: Invoke-Shellcode
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause

## unmanaged_dotnet_unhook_etw.c
#include <stdio.h>
#include <Windows.h>
#include <MSCorEE.h>
#include <MetaHost.h>
#include <evntprov.h>

int main()
{
	ICLRMetaHost* metaHost = NULL;
	IEnumUnknown* runtime = NULL;

## sccmdecryptpoc.cs
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.

using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

namespace SCCMDecryptPOC
{
    internal class Program

## azuread_decrypt_msol_v2.ps1
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

try {
    $client.Open()
} catch {
    Write-Host "[!] Could not connect to localdb..."
    return

## wannacry_file_extensions.txt
.der
.pfx
.key
.crt
.csr
.p12
.pem
.odt
.ott
.sxw

## clr_via_native.c
#include "stdafx.h"

int main()
{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;

## env_var_spoofing_poc.cpp
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)

#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43
	#include "stdafx.h"

	BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
	TOKEN_PRIVILEGES tp;
	LUID luid;
	TOKEN_PRIVILEGES tpPrevious;
	DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);

	if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;
	using System;
	using System.EnterpriseServices;
	using System.Runtime.InteropServices;

	using System.Reflection;
	using System.Reflection.Emit;

	using System.Collections;
	using System.Collections.Generic;
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <libusb-1.0/libusb.h>


	void printdev(libusb_device *dev) {
	struct libusb_device_descriptor desc;
	struct libusb_config_descriptor *config;
	struct libusb_interface_descriptor *interdesc;
	function Invoke-Shellcode
	{
	<#
	.SYNOPSIS

	Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.

	PowerSploit Function: Invoke-Shellcode
	Author: Matthew Graeber (@mattifestation)
	License: BSD 3-Clause
	#include <stdio.h>
	#include <Windows.h>
	#include <MSCorEE.h>
	#include <MetaHost.h>
	#include <evntprov.h>

	int main()
	{
	ICLRMetaHost* metaHost = NULL;
	IEnumUnknown* runtime = NULL;
	// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
	// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.

	using System;
	using System.Collections.Generic;
	using System.Runtime.InteropServices;

	namespace SCCMDecryptPOC
	{
	internal class Program
	Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
	Write-Host "`t[ Updated to support new cryptokey storage method ]`n"

	$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

	try {
	$client.Open()
	} catch {
	Write-Host "[!] Could not connect to localdb..."
	return
	#include "stdafx.h"

	int main()
	{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;
	// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
	// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
	//
	// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
	// and then resuming the process.
	//
	// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)

	#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
	#define INJECT_PARAM_LEN 43