This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
% Wra7h/FlavorTown | |
% MATLAB version: R2023a | |
% Tested on Win10 x64 | |
if not(libisloaded('kernel32')) | |
loadlibrary('kernel32.dll', @kernel32proto); | |
end | |
if not(libisloaded('msvcrt')) | |
loadlibrary('msvcrt.dll', @msvcrtproto); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
* PEResourceInject (C# version for x64) by Wra7h | |
* | |
* Add a bitmap resource to an executable. Parse the PE header and calculate the address of the shellcode. | |
* This avoids direct calls to VirtualAllocEx & WriteProcessMemory, but will modify the target exe on disk, | |
* and this implementation will create a backup of the executable in the same directory with a ".bak" extension. | |
* | |
* Compile: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe .\PEResourceInject.cs | |
* Use: PEResourceInject.exe <C:\Path\to\target\program.exe> <C:\Path\to\shellcode.bin> | |
* |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Get-ProcessPipes{ | |
param( | |
[Parameter(Mandatory=$false)] | |
[string]$CSV, | |
[Parameter(Mandatory=$false)] | |
[switch]$All | |
) | |
Add-Type -TypeDefinition @" | |
using System; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Scan for any Application Recovery Callbacks on your system. Each Process ID/Callback address combination should only be displayed once. | |
// Also, it's a continuous loop so it shouldn't die until you're done with it. | |
// Full PoC here: https://github.com/Wra7h/ARCInject | |
// Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe .\ARC_Scan.cs | |
// Execute: .\ARC_Scan.exe | |
using System; | |
using System.Collections.Generic; | |
using System.Diagnostics; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// IMPORTANT NOTE: | |
// It seems like when this is compiled with C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, the crash is handled more gracefully than v3.5. | |
// So you'll have to find another way to cause an _unexpected_ crash to use with v4.0.30319. | |
//Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe .\RecoveryCallbackToShellcode.cs | |
//Usage: .\RecoveryCallbackToShellcode.exe <path to shellcode> | |
using System; | |
using System.Diagnostics; | |
using System.IO; | |
using System.Runtime.InteropServices; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Some fun with storing shellcode in the padding of executables, rebuilding the shellcode and executing if successfully recovered. | |
// At least on the executables I've used, the shellcode doesn't seem to prevent the executable from executing as expected. | |
// Step 1: Compile: | |
// PS C:\> C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\BrainPain.cs | |
// Step 2: generate shellcode | |
// msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o calc.bin | |
// Step 3: Execute Brainpain |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
//Decompressing shellcode and execution via callback | |
//Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\DecompressExecute.cs | |
//Windows Compression API: https://docs.microsoft.com/en-us/windows/win32/api/_cmpapi/ | |
//Supported Algorithms: https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-createcompressor | |
// Step 1: generate shellcode | |
// Msfvenom: msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o calc.bin | |
// Step 2: Compress the shellcode with my compress.cs gist here: https://gist.github.com/Wra7h/4d56791c2d0b5c1f27a67f3bc0ab924d | |
// Compression command: .\compress.exe -in C:\path\to\calc.bin -out .\LZMScalc.bin -alg 5 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
//Compresses a file using the Windows API | |
//Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\Compress.cs | |
//Windows Compression API: https://docs.microsoft.com/en-us/windows/win32/api/_cmpapi/ | |
//Supported Algorithms: https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-createcompressor | |
// Takes a file, compresses it using one of the supported algorithms and creates a file with the compressed data. | |
using System; | |
using System.IO; | |
using System.Linq; |