Use BPF programs as seccomp filters. The filter in this example blocks every `write` syscall once it is loaded, so the calling process (and any children it forks) can no longer write after that point. Note that installing a seccomp filter normally requires the caller to have set `PR_SET_NO_NEW_PRIVS` first (or to hold `CAP_SYS_ADMIN`), and that a filter cannot be removed once it is installed.
Compile it with just:
gcc main.c
| using System; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Runtime.CompilerServices; | |
| using System.Net; | |
| using System.Reflection; | |
| using System.Runtime.InteropServices; | |
| namespace Test | |
| { | |
| // CCOB IS THE GOAT |
| // A very rough x64 proof-of-concept for spoofing a child process's environment variables (the same idea as | |
| // command-line argument spoofing), with a focus on injecting COMPlus_ETWEnabled=0 so the .NET runtime in that process does not emit ETW events. | |
| // | |
| // Works by launching the target process suspended, reading its PEB, overwriting the pointer through which the | |
| // process locates its environment block so it points at the injected variables, and then resuming the process. | |
| // | |
| // (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/) | |
| #define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0" | |
| #define INJECT_PARAM_LEN 43 |
| #ifndef PATCHLESS_AMSI_H | |
| #define PATCHLESS_AMSI_H | |
| #include <windows.h> | |
| static const int AMSI_RESULT_CLEAN = 0; | |
| PVOID g_amsiScanBufferPtr = nullptr; | |
| unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) { |
| using System; | |
| using System.Windows.Forms; | |
| using System.Runtime.InteropServices; | |
| using System.Runtime.CompilerServices; | |
| namespace Test1 | |
| { | |
| public static class Test | |
| { | |
| internal enum HRESULT : long |
| using System.Linq; | |
| using System.Reflection; | |
| namespace HashInvoke; | |
| public class HInvoke | |
| { | |
| public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null) | |
| { | |
| // Get the System assembly, iterate over all of its types, and hash each type's name |
| function Register-EventScript { | |
| param ( | |
| [string] $eventToRegister, # Either Startup or Shutdown | |
| [string] $pathToScript, | |
| [string] $scriptParameters | |
| ) | |
| $path = "$ENV:systemRoot\System32\GroupPolicy\Machine\Scripts\$eventToRegister" | |
| if (-not (Test-Path $path)) { | |
| # this Scripts\<event> directory must already exist, otherwise the registration below cannot take effect |
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
| # requires PSReflect.ps1 to be in the same directory as this script | |
| . .\PSReflect.ps1 | |
| $Module = New-InMemoryModule -ModuleName RegHide | |
| # Define our structs. | |
| # https://msdn.microsoft.com/en-us/library/windows/hardware/ff564879(v=vs.85).aspx | |
| # typedef struct _UNICODE_STRING { | |
| # USHORT Length; | |
| # USHORT MaximumLength; |
| /* | |
| * Copyright (c) 2013 Calvin Rien | |
| * | |
| * Based on the JSON parser by Patrick van Bergen | |
| * http://techblog.procurios.nl/k/618/news/view/14605/14863/How-do-I-write-my-own-parser-for-JSON.html | |
| * | |
| * Simplified it so that it doesn't throw exceptions | |
| * and can be used in Unity iPhone with maximum code stripping. | |
| * | |
| * Permission is hereby granted, free of charge, to any person obtaining |