• Stars
    star
    334
  • Rank 126,264 (Top 3 %)
  • Language
    C++
  • License
    BSD 3-Clause "New...
  • Created over 6 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

C/C++ code examples of my blog.

Homework-of-C-Language

C/C++ code examples of my blog.


SetProcessCritical.cpp

Set the selected process as critical or not.

If the process is critical,when exit the process,the system will cause BSOD.

And it can also be used to turn a critical process into normal.

CheckCriticalProess.cpp

Check the selected process is critical or not.

FindCriticalProcess.cpp

Look through all the process and find the critical processes.


CreateRemoteThread.cpp

Use CreateRemoteThread to inject dll,usually used under WinXP.

NtCreateThreadEx + LdrLoadDll.cpp

Use NtCreateThreadEx + LdrLoadDll to inject dll.

Note:

You need use release mode to build it.

FreeDll.cpp

Use NtCreateThreadEx to free dll.

Use to inject Dll into a process at many times.


EnumerateProcess&GetFile'sHandle&CloseHandle(XP).cpp

Enumerate all processes and get specified file's handle,then choose whether to close it or not.

Support absolute path and relative path.

Support WinXP and later.

Note:

  • WinXP and Win7,ObjectTypeNumber = 0x1c
  • Win8 and later,ObjectTypeNumber = 0x1e

EnumerateProcess&GetFile'sHandle&CloseHandle(Win7).cpp

Enumerate all processes and get specified file's handle,then choose whether to close it or not.

Support absolute path and relative path.

Support Win7 and later.

Note:

  • WinXP and Win7,ObjectTypeNumber = 0x1c
  • Win8 and later,ObjectTypeNumber = 0x1e

GetPIDandHandle(evt).cpp

Get Eventlog Service PID and search evt file's Handle.

Use NtQuerySystemInformation to query SystemExtendedHandleInformation.

Support WinXP and later.

Note:

  • WinXP and Win7,ObjectTypeNumber = 0x1c
  • Win8 and later,ObjectTypeNumber = 0x1e

GetPIDandHandle(evtx).cpp

Get Eventlog Service PID and search evtx file's Handle.

Use NtQuerySystemInformation to query SystemHandleInformation.

Support Win7 and later.

Note:

  • WinXP and Win7,ObjectTypeNumber = 0x1c
  • Win8 and later,ObjectTypeNumber = 0x1e

GetProcessAuthority.cpp

Look through all the process and detect whether the process runs as admin.

GetProcessCommandLine.cpp

Gets the command line of the selected process.


MasqueradePEBtoCopyfile.cpp

Masquerade current process' PEB into exploer.exe and use IFileOperation to copy file.

You can use this to copy file into "C:\windows\System32" with normal user permissions.

DisableFirewall.cpp

Use to disable Windows Firewall with normal user permissions.

Expand on IFileOperation of UAC bypass.


CreateFileMapping.cpp

Create 2 file mapping object.

Use to share data between multiple processes.

OpenFileMapping.cpp

Open the 2 file mapping object.

Use to share data between multiple processes.

DeleteRecordbyTerminateProcess(ReplaceFile).cpp

Kill the eventlog service's process and replace the eventlog file,then restart the Eventlog Service.


EnablePrivilegeandGetTokenInformation.cpp

Enable the SeDebugPrivilege of current process and then get the full privileges of current process.

It can also enable other privileges.

EnableSeImpersonatePrivilege.cpp

Enable the SeImpersonatePrivilege of current process and then create an impersonation token.

Call the CreateProcessWithToken function, passing the current process token to get a process.

Using with RottenPotato,we will have full privilege on the system.

EnableSeAssignPrimaryTokenPrivilege.cpp

Enable the SeAssignPrimaryTokenPrivilege of current process and then call the CreateProcessAsUser function, passing the current process token to get a process.

Using with RottenPotato,we will have full privilege on the system.

EnableSeTcbPrivilege.cpp

Enable the SeBackupPrivilege of current process and then we can call LsaLogonUser with SeTcbPrivilege and add arbitrary groups to the resulting token returned by this call.

We will add the group SID “S-1-5-18” to the token, this is the SID for the Local System account and if we are using a token that possesses it, we will have full privilege on the system.

It will create a reg key at HKEY_LOCAL_MACHINE\SOFTWARE\testtcb.

We will have full privilege on the system.

EnableSeBackupPrivilege.cpp

Enable the SeBackupPrivilege of current process and then read the password hashes of local Administrator accounts from the registry.

The file will be saved as C:\\test\\SAM,C:\\test\\SECURITY and C:\\test\\SYSTEM.

We will have read access on the system.

EnableSeRestorePrivilege.cpp

Enable the SeRestorePrivilege of current process and then create a reg key at HKEY_LOCAL_MACHINE\SOFTWARE\testrestore.

We will have write access on the system.

EnableSeCreateTokenPrivilege.cpp

Enable the SeCreateTokenPrivilege of current process and then create primary tokens via the ZwCreateToken API.

After that enable the local administrator group on the token and enable SeDebugPrivilege and SeTcbPrivilege.

We will have all access on the system.

EnableSeLoadDriverPrivilege.cpp

Enable the SeLoadDriverPrivilege of current process and then load the driver into the kernel.

First you need to add two reg keys,the command is:

reg add hkcu\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\test\Capcom.sys"

reg add hkcu\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1

Then run me to load the driver(C:\test\Capcom.sys) into the kernel.

We will have all access on the system.

EnableSeTakeOwnershipPrivilege.cpp

Enable the SeTakeOwnershipPrivilege of current process and then have write access to a registry key "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options". Then we can write it in "Medium" permission.

Eg.

reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /v takeownership /t REG_SZ /d "C:\\Windows\\System32\\calc.exe"

We will have write access on the system' registry key.

EnableSeDebugPrivilege.cpp

Enable the SeDebugPrivilege of current process and then we can inject a dll into the process.

We will have full privilege on the system.


portscan.cpp

Use to scan port.

The timeout is 3 seconds.

python version:

https://github.com/3gstudent/Homework-of-Python/blob/master/portscan.py


ListRecentFileCache.cpp

Load the RecentFileCache.bcf in Win7 and print the data.

The RecentFileCache.bcf is replaced by Amcache.hve in Win8.

DeleteRecentFileCache.cpp

Load the RecentFileCache.bcf under Win7 and delete the selected data.

The new file will be saved as NewRecentFileCache.bcf.


ListLogonSessions.cpp

List logon session information.

The output format is the same as LogonSessions.

https://docs.microsoft.com/en-us/sysinternals/downloads/logonsessions


FileTimeControl_WinAPI.cpp

Use GetFileTime and SetFileTime to view and modify the file's CreateTime,AccessTime and LastWriteTime.

Note:It doesn't support file's MFTChangeTime.

Support file and folder.

FileTimeControl_NTAPI.cpp

Use NtQueryInformationFile and NtSetInformationFile to view and modify the file's CreateTime,AccessTime,LastWriteTime and MFTChangeTime.

reference:https://github.com/rapid7/meterpreter/blob/master/source/extensions/priv/server/timestomp.c

Only support file.


EnumUsnJournal.cpp

Enumerate the Usn Journal Record in drive C.


ProcessCommandlineSpoofing.cpp

Implementing SwampThing with C++

Reference: https://github.com/FuzzySecurity/Sharp-Suite/tree/master/SwampThing

Spoof process command line args (x32/64). Essentially you create a process in a suspended state, rewrite the PEB, resume and finally revert the PEB. The end result is that logging infrastructure will record the fake command line args instead of the real ones.


SendKeyboardMessageToPowershell.cpp

Send keyboard messages to specified powershell process.

Default command:whoami

You can get the Virtual-Key Codes from: https://docs.microsoft.com/en-us/windows/desktop/inputdev/virtual-key-codes

SendKeyboardMessageToPowershell(Get-History).cpp

Send keyboard messages to specified powershell process.

Default command:Get-History|export-csv $env:temp"\history.csv"

GetOSVersion.cpp

Use to detect the OS's Version.

It includes Windows Vista/Win 7/Windows Server 2008/Windows Server 2008 R2/Windows Server 2012/Windows 10.

sekurlsa-wdigest.cpp

Use to get plain-text credentials of the 64-bit OS.

This is a simple implementation of Mimikatz's sekurlsa::wdigest

Support:

  • Win7 x64/Windows Server 2008 x64/Windows Server 2008R2 x64
  • Win8 x64/Windows Server 2012 x64/Windows Server 2012R2 x64
  • Win10_1507(and before 1903) x64

Source: https://gist.github.com/xpn/12a6907a2fce97296428221b3bd3b394

The following functions have been added:

  • EnableDebugPrivilege
  • GetOSVersion
  • Support different OS

UrlDecode.cpp

Use to decode URL.

Support multi-byte character sets and Unicode character sets.

Support the following characters:

  • %20->blank space
  • %22->"
  • %27->'

TextToHtmlofNewline.cpp

Use to convert line breaks (\n) in text to line breaks (
) in HTML.


UsePipeToExeCmd.cpp

Use pipe to execute CMD commands.


HTTPServerWebshell.cpp

Use the HTTP Server API to perform server-side tasks.

This is a POC that implements remote control through the browser.

Reference:

https://docs.microsoft.com/en-us/windows/win32/http/http-server-sample-application


Install_.Net_Framework_from_the_command_line.cpp

Automatically install Microsoft .NET Framework 4/4.5/4.5.1 in the background.

You can get Microsoft .NET Framework 4 (Standalone Installer) from:https://www.microsoft.com/en-US/Download/confirmation.aspx?id=17718

You can get Microsoft .NET Framework 4.5 (Web Installer) from:https://www.microsoft.com/en-us/download/details.aspx?id=30653

You can get Microsoft .NET Framework 4.5.1 (Offline Installer) from:https://www.microsoft.com/en-us/download/details.aspx?id=40779


GetProcessMitigationPolicyForWin8.cpp

Check the ProcessMitigationPolicy of the selected process.

Support: Win8-Win10

GetProcessMitigationPolicyForWin10.cpp

Check the ProcessMitigationPolicy of the selected process.

Support: Win10

SetProcessMitigationPolicy(Signature)ForWin8_CurrentProcess.cpp

Enable the ProcessSignaturePolicy(MicrosoftSignedOnly) of the current process.

Support: Win8-Win10

SetProcessMitigationPolicy(Signature)ForWin10_CurrentProcess.cpp

Enable the ProcessSignaturePolicy(MicrosoftSignedOnly) of the current process.

Support: Win10


QueryADObject.cpp

Reference:

https://github.com/microsoft/Windows-classic-samples/tree/master/Samples/Win7Samples/netds/adsi/activedir/QueryUsers/vc

https://github.com/outflanknl/Recon-AD

This program queries for objects in the current user's domain.


GetDomainPasswordPolicy

Use to get the password policy of the current domain.

CheckUserBadPwdPolicy

Use to get all the domain users' badPasswordTime and badPwdCount properties.


tsssp_client.cpp

tsssp::client of kekeo

Source:https://github.com/gentilkiwi/kekeo

Usage:

tsssp_client.exe <target>

Eg:

tsssp_client.exe localhost
tsssp_client.exe Computer01.test.com

File_XOR_generator.cpp

Use to XOR the contents of a file.

Usage:

File_XOR_generator.exe <file path> <XOR inputs>

Eg:

File_XOR_generator.exe test.exe 0x01

HostingCLR_with_arguments_XOR.cpp

Reference:https://github.com/etormadiv/HostingCLR

Add a function of changing cElement to the number of Main arguments.(https://github.com/etormadiv/HostingCLR/blob/master/HostingCLR/HostingCLR.cpp#L218)

Support passing multiple parameters to CLR.

HostingCLR_with_arguments_XOR_TamperETW.cpp

Reference:https://github.com/etormadiv/HostingCLR

Add a function of changing cElement to the number of Main arguments.(https://github.com/etormadiv/HostingCLR/blob/master/HostingCLR/HostingCLR.cpp#L218)

Support passing multiple parameters to CLR.

All patching EtwEventWrite codes are from https://github.com/outflanknl/TamperETW/

You need to add Syscalls.asm when building.


More Repositories

1

Pentest-and-Development-Tips

A collection of pentest and development tips
1,052
star
2

Worse-PDF

Turn a normal PDF file into malicious.Use to steal Net-NTLM Hashes from windows machines.
Python
331
star
3

Homework-of-Python

Python codes of my blog.
Python
321
star
4

List-RDP-Connections-History

Use powershell to list the RDP Connections History of logged-in users or all users
PowerShell
253
star
5

Eventlogedit-evtx--Evolution

Remove individual lines from Windows XML Event Log (EVTX) files
C++
246
star
6

Javascript-Backdoor

Learn from Casey Smith @subTee
PowerShell
242
star
7

Invoke-BuildAnonymousSMBServer

Use to build an anonymous SMB file server.
PowerShell
219
star
8

msbuild-inline-task

175
star
9

CLR-Injection

Use CLR to inject all the .NET apps
Batchfile
170
star
10

Homework-of-C-Sharp

C Sharp codes of my blog.
C#
169
star
11

pyKerbrute

Use python to perform Kerberos pre-auth bruteforcing
Python
168
star
12

Inject-dll-by-APC

Asynchronous Procedure Calls
C++
163
star
13

SharpRDPCheck

Use to check the valid account of the Remote Desktop Protocol(Support plaintext and ntlmhash)
C#
154
star
14

Inject-dll-by-Process-Doppelganging

Process Doppelgänging
C
151
star
15

backup-3gstudent.github.io

old blog
SCSS
146
star
16

Smbtouch-Scanner

Automatically scan the inner network to detect whether they are vulnerable.
Python
140
star
17

ntfsDump

Use to copy a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
C++
110
star
18

Homework-of-Powershell

powershell codes of my blog.
PowerShell
93
star
19

Use-COM-objects-to-bypass-UAC

C++
86
star
20

Office-Persistence

Use powershell to test Office-based persistence methods
PowerShell
77
star
21

Windows-User-Clone

Create a hidden account
PowerShell
76
star
22

Windows-EventLog-Bypass

Use subProcessTag Value From TEB to identify Event Log Threads
C++
74
star
23

APT34-Jason

Use to perform Microsoft exchange account brute-force.
C#
74
star
24

pyXSSPlatform

Used to build an XSS platform on the command line.
Python
71
star
25

CVE-2017-8464-EXP

Support x86 and x64
67
star
26

bitsadminexec

Use bitsadmin to maintain persistence and bypass Autoruns
67
star
27

Code-Execution-and-Process-Injection

Powershell to CodeExecution and ProcessInjection
PowerShell
64
star
28

Shellcode-Generater

No inline asm,support x86/x64
C++
63
star
29

test

just test
C#
63
star
30

CreateRemoteThread

From 32-bit process to 64-bit process
C++
62
star
31

PasswordFilter

2 ways of Password Filter DLL to record the plaintext password
C++
61
star
32

Dump-Clear-Password-after-KB2871997-installed

PowerShell
59
star
33

From-System-authority-to-Medium-authority

Penetration test
C++
57
star
34

Waitfor-Persistence

Use Waitfor.exe to maintain persistence
PowerShell
54
star
35

Bypass-Windows-AppLocker

C
54
star
36

NinjaCopy

Powershell to copy ntds.dit
PowerShell
54
star
37

COM-Object-hijacking

use COM Object hijacking to maintain persistence.(Hijack CAccPropServicesClass and MMDeviceEnumerator)
PowerShell
54
star
38

3gstudent.github.io

Blog
SCSS
54
star
39

Winpcap_Install

Auto install WinPcap on Windows(command line)
Batchfile
52
star
40

ewsManage

My exercise of using Exchange Web Service(EWS)
C#
51
star
41

HiddenNtRegistry

Use NT Native Registry API to create a registry that normal user can not query.
C++
49
star
42

Homework-of-Go

Go code examples of my blog.
Go
49
star
43

signtools

From Windows SDK
47
star
44

Eventlogedit-evt--General

Remove individual lines from Windows Event Viewer Log (EVT) files
C++
44
star
45

PNG-Steganography

Steganography Payload
C++
44
star
46

easBrowseSharefile

Use to browse the share file by eas(Exchange Server ActiveSync)
Python
43
star
47

Bypass-McAfee-Application-Control--Code-Execution

source&exe
PowerShell
38
star
48

Smallp0wnedShell

Small modification version of p0wnedShell
C#
37
star
49

ListInstalledPrograms

List the programs that the current Windows system has installed
PowerShell
36
star
50

AutoIt-Keylogger

AutoIt
33
star
51

Hide-Process-by-kd.exe

powershell to hide process by kd.exe
PowerShell
33
star
52

NodeJS-Downloader

An example of a downloader written in NodeJS.
JavaScript
26
star
53

Use-msxsl-to-bypass-AppLocker

Learn from Casey Smith@subTee
XSLT
26
star
54

GetExpiredDomains

Search for available domain from expireddomains.net
Python
24
star
55

ExcelDllLoader

Execute DLL via the Excel.Application object's RegisterXLL() method
JavaScript
22
star
56

Add-Dll-Exports

Use to generate DLL through Visual Studio
C
19
star
57

Execute-CSharp-From-XSLT-TEST

XSLT
18
star
58

Writeup

interesting analysis
PowerShell
15
star
59

PNG_stego-test

LSB-test
C
12
star
60

SendMail-with-Attachments

Use powershell to send mail
PowerShell
11
star
61

Catch-specified-file-s-handle

Enumerate all processes and get specified file's handle,then close it.
C++
10
star
62

pdf

9
star
63

IE-BHO-POSTdata-Logger

A sample IE BHO for logging Internet Explorer's POST data.
C++
9
star
64

WanaCrypt0r-Reverse-Analysis

Record my reverse analysis of WanaCrypt0r
8
star
65

bgi-creater

Use BGInfo to bypass Application Whitelisting
PowerShell
7
star
66

Get-Wlan-Keys

Powershell to get wlan keys
PowerShell
7
star
67

Homework-of-Java

Java codes of my blog
Java
5
star
68

3gstudent

5
star
69

regsvr32-test

C++
4
star
70

Test-Exploit-for-Joomla-3.4.4-3.6.4

Test if the website allows user registration
Python
3
star
71

BlogPic

For blog post
2
star