Skip to content

Instantly share code, notes, and snippets.

View ChaitanyaHaritash's full-sized avatar

Chaitanya Haritash ChaitanyaHaritash

246 followers · 154 following
  • lost
View GitHub Profile
@psrok1
psrok1 / icedid-reconstruct.py
Last active April 19, 2020 09:09
IcedID PNG -> PE parser and reconstructor for custom steganographic loader
"""
Py3 version of IcedID custom steganographic loader (PNG parser & PE reconstructor)
Inspired by https://github.com/hasherezade/funky_malware_formats/tree/master/iced_id_parser
Authored by @nazywam and @psrok1.
pip3 install malduck lief
"""
import sys
import malduck
@Arno0x
Arno0x / shellcode.xlsm
Last active May 13, 2023 23:22
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL
1. Open Excel
2. Click on the active tab
3. Select "Insérer"
4. Click on "Macro MS Excel 4.0".
5. This will create a new worksheet called "Macro1"
================================================================================
In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1:
@adrianyy
adrianyy / drvscan.cpp
Created May 2, 2019 16:37
vulnerable driver scanner
#include <string>
#include <vector>
#include <fstream>
#include <iostream>
#include <filesystem>
#include <Windows.h>
#include <winternl.h>
static_assert( sizeof( void* ) == 8 );
@mattifestation
mattifestation / ExpandDefenderSig.ps1
Created March 28, 2019 20:17
Decompresses Windows Defender AV signatures for exploration purposes
filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS
Decompresses a Windows Defender AV signature database (.VDM file).
.DESCRIPTION
Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.
@mint177
mint177 / RTF obfuscation techniques.rtf
Last active October 14, 2021 19:39
RTF obfuscation techniques
{\rt- RTF SPECIFICATION SUCKS
{\u0097}}
{\uc2 \u0098}}}
{\uc2 \u0099\'**}}
{\uc2 \uc31682 \u0101}
{\u0100}}
{\uc-1 \u0102}
{\object\objemb\objw-\objh-
@ryhanson
ryhanson / ExcelXLL.md
Last active July 22, 2024 15:25
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

@Cr4sh
Cr4sh / WoW64_call.cpp
Created May 22, 2014 19:33
WoW64 Heaven's Gate
#include "stdafx.h"
#define DB(_val_) __asm __emit (_val_)
#define INVALID_SYSCALL (DWORD)(-1)
// code selectors
#define CS_32 0x23
#define CS_64 0x33
@mattn
mattn / getppid.c
Created December 10, 2009 01:10 — forked from hasegawayosuke/getppid.c
#if _WIN32_WINNT < 0x0500
# error "should be NT"
#endif
#include <windows.h>
#include <tlhelp32.h>
#include <winternl.h>
#include <stdio.h>
DWORD getppid()
{