Rich Warren rxwx
rxwx
/ encrypt_dpapi_blob.py
Created
August 29, 2024 10:46
Encrypt a DPAPI blob with arbitrary master key (using Python)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from Crypto.Cipher import AES, DES3 | |
| from Crypto.Hash import HMAC, SHA1, SHA512, SHA256 | |
| from Crypto.Util.Padding import pad | |
| from io import BytesIO | |
| import argparse | |
| import string | |
| import base64 | |
| import uuid | |
| import os |
rxwx
/ gist:2d1577efc39aa0da2065d60dbcef64a8
Last active
August 24, 2024 14:04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| LONG CALLBACK ShellcodeFunc(PEXCEPTION_POINTERS ExceptionInfo) | |
| { | |
| #pragma warning( disable : 6011 ) | |
| #if defined(_DEBUG) && defined(BOF) && defined(_WIN64) | |
| BeaconPrintf(CALLBACK_OUTPUT, "Got instruction pointer value: %p", ExceptionInfo->ContextRecord->Rip); | |
| #elif defined(_DEBUG) && defined(BOF) && !defined(_WIN64) | |
| BeaconPrintf(CALLBACK_OUTPUT, "Got instruction pointer value: %p", ExceptionInfo->ContextRecord->Eip); | |
| #endif | |
| #if defined(_WIN64) |
rxwx
/ AmsiContextHook.cpp
Created
November 30, 2023 17:04
Bypass AMSI on Windows 11 by hooking the AMSI context VTable on the heap with a ROP gadget. Look ma, no code patches!
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <Psapi.h> | |
| #include <metahost.h> | |
| #include <comutil.h> | |
| #include <mscoree.h> | |
| #include "patch_info.h" | |
| #include "base\helpers.h" | |
| /** | |
| * For the debug build we want: |
rxwx
/ dump_beacon_datastore.py
Last active
September 25, 2023 19:34
Dump items (BOFs, assemblies, files etc.) from the CobaltStrike 4.9+ beacon datastore (stored with BeaconDataStoreProtectItem / data-store load)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ctypes import wintypes | |
| import argparse | |
| import ctypes | |
| import yara | |
| import hexdump | |
| """ | |
| .text:0000000180010840 ; char __fastcall BeaconDataStoreUnprotectItem(unsigned __int64) | |
| .text:0000000180010840 BeaconDataStoreUnprotectItem proc near ; CODE XREF: sub_1800100F8+9E↑p | |
| .text:0000000180010840 ; sub_1800102E8+AD↑p |
rxwx
/ trac-decode.py
Created
September 7, 2023 17:54
Decode "Obscured" Check Point Trac.config files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import io | |
| import sys | |
| import string | |
| KEY_STR = 'ModifiedFwPropertySheetWithOKTheSheetIDS_LDAP_AU_PROPERTIESNULL0FW_WP_OBJECTS' | |
| def get_byte(x): | |
| c = ord(chr(x).lower()) | |
| if ((c - 0x30) & 255) < 10: | |
| retval = c - 0x30 |
rxwx
/ GetSxsPath.cs
Created
July 3, 2023 12:43
Determine redirection path for SxS DotLocal DLL Hijacking
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using static GetSxsPath.NativeMethods; | |
| namespace GetSxsPath | |
| { | |
| internal class NativeMethods |
rxwx
/ Generator.cs
Created
November 11, 2022 18:58
Generate ApprovedApplication BinaryFormatter payload
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Globalization; | |
| using System.IO; | |
| using System.Reflection; | |
| using System.Runtime.Serialization.Formatters.Binary; | |
| using System.Threading; | |
| using Microsoft.Exchange.Data.Directory.SystemConfiguration; | |
| namespace ApprovedAppGenerator | |
| { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| import sys | |
| versions = { | |
| 0x00: 'Excel 97', | |
| 0x01: 'Excel 2000', | |
| 0x02: 'Excel 2002', | |
| 0x03: 'Office Excel 2003', | |
| 0x04: 'Office Excel 2007', | |
| 0x06: 'Excel 2010', |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from Crypto.Cipher import AES | |
| from Crypto.Protocol.KDF import PBKDF2 | |
| import sqlite3 | |
| import os | |
| import shutil | |
| def clean(x): | |
| return x[:-ord(x[-1])] | |
| # Make a copy of the cookie file |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" decryptionKey="E9D2490BD0075B51D1BA5288514514AF" validation="SHA1" decryption="3DES" /> |
NewerOlder