@CaledoniaProject
CaledoniaProject / write_cr0.c
Last active July 17, 2023 07:57
Disable write protection on Linux kernel >= 5.3.0
// https://medium.com/@hadfiabdelmoumene/change-value-of-wp-bit-in-cr0-when-cr0-is-panned-45a12c7e8411
// Since Linux 5.3 the kernel's write_cr0() pins CR0.WP and refuses to clear it,
// so this helper writes CR0 directly, bypassing that pin check.
#include <linux/version.h>
#include <asm/special_insns.h>	/* declares __force_order, used by the kernel's own CR accessors */

#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,3,0)
static inline void write_cr0_new(unsigned long cr0)
{
	/* Same inline asm as the kernel's native_write_cr0(), minus the WP pin check.
	 * Note: __force_order was removed in v5.10 in favour of a "memory" clobber. */
	asm volatile("mov %0,%%cr0" : "+r"(cr0), "+m"(__force_order));
}
#else
/* Older kernels do not pin WP, so the stock accessor is enough. */
#define write_cr0_new write_cr0
#endif
@CaledoniaProject
CaledoniaProject / test.ps1
Created June 14, 2020 22:53
NtSetInformationKey
$code = @'
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
namespace RegRoutines
@CaledoniaProject
CaledoniaProject / dump_audit.sql
Created January 20, 2020 00:09
SQLServer dump audit specifications
-- Lists every database audit specification detail with its server audit, audited principal and target object.
-- LEFT JOINs keep database-scoped actions (major_id = 0), which an INNER JOIN on sys.objects would silently drop.
SELECT [sa].[name]                 AS audit_name,
       [sas].[name]                AS audit_spec_name,
       [sasd].[audit_action_name]  AS [action],
       [sasd].[class_desc]         AS [scope],
       [dp].[name]                 AS username,
       [o].[name]                  AS tablename
FROM sys.server_audits AS sa
JOIN sys.database_audit_specifications AS sas ON sa.audit_guid = sas.audit_guid
JOIN sys.database_audit_specification_details AS sasd ON sas.database_specification_id = sasd.database_specification_id
LEFT JOIN sys.database_principals AS dp ON dp.principal_id = sasd.audited_principal_id
LEFT JOIN sys.objects AS o ON o.object_id = sasd.major_id;
@CaledoniaProject
CaledoniaProject / ts.py
Created November 25, 2019 03:56
modify-pe-timestamp
import pefile

# Load the PE, overwrite the COFF file header build timestamp (seconds since the Unix epoch;
# 1348054607 is 2012-09-19 11:36:47 UTC) and write the modified image to a new file.
pe = pefile.PE("test.exe")
pe.FILE_HEADER.TimeDateStamp = 1348054607
pe.write("new.exe")
pe.close()
@CaledoniaProject
CaledoniaProject / TI-Search-Shortcuts.md
Created March 25, 2019 14:06 — forked from Neo23x0/TI-Search-Shortcuts.md
Search Engine Shortcuts

Use Manage Search Engines in your browser to add these search engines. You can then use the 'keyword' in the URL bar to do a quick lookup. Find more details about managing your search engines in Chrome here.

e.g. Type

v dad8ebcbb5fa6721ccad45b81874e22c
@CaledoniaProject
CaledoniaProject / SimpleTCGLogParser.ps1
Created March 15, 2019 05:30 — forked from mattifestation/SimpleTCGLogParser.ps1
If you have the HgsDiagnostics PowerShell module, then you can parse TCG logs.
Import-Module HgsDiagnostics
# Get-HgsTrace's assembly references Microsoft.Windows.RemoteAttestation.Core, which carries the TCG event log parser.
$GetHgsTrace = Get-Command Get-HgsTrace
$RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' }
Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName
# Windows writes one measured-boot (TCG) log per boot; take the newest.
$MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName
$LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog)
$ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes)
# Group the parsed events by the PCR they extend.
$ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex
# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
[Flags()]
enum RegistryOptions {
CloseKey = 0x00000001
QuerySecurityKey = 0x00000002
SetSecurityKey = 0x00000004
EnumerateValueKey = 0x00000010
QueryMultipleValueKey = 0x00000020
SetInformationKey = 0x00000040
FlushKey = 0x00000080
# These values were obtained from: logman query providers Microsoft-Windows-Kernel-Process
$WINEVENT_KEYWORD_PROCESS = 0x10
$WINEVENT_KEYWORD_IMAGE = 0x40
# Normally when you enable an analytic log, all keywords are logged, which can be very noisy.
# I'm going to limit collection to only image and process events.
$KernelProcessLog = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList 'Microsoft-Windows-Kernel-Process/Analytic'
$KernelProcessLog.ProviderKeywords = ($WINEVENT_KEYWORD_PROCESS -bor $WINEVENT_KEYWORD_IMAGE)
$KernelProcessLog.ProviderLevel = 0xFF
$KernelProcessLog.IsEnabled = $true
function Get-ProcessStartKey {
<#
.SYNOPSIS
Derives the process start key for one or more processes.
.DESCRIPTION
Get-ProcessStartKey derives the process start key for one or more processes. Process start keys were introduced in Win 10 1507 and are intended to serve as a locally unique identifier for a process. A process ID cannot be considered a unique identifier since process IDs are repeatable.
@CaledoniaProject
CaledoniaProject / CorruptCLRGlobal.ps1
Created December 15, 2018 15:44 — forked from mattifestation/CorruptCLRGlobal.ps1
A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
function Subvert-CLRAntiMalware {
<#
.SYNOPSIS
A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694.
.DESCRIPTION
clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the first DWORD, the context structure will become corrupted and subsequent scanning calls will fail open.