This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| #define DB(_val_) __asm __emit (_val_) | |
| #define INVALID_SYSCALL (DWORD)(-1) | |
| // code selectors | |
| #define CS_32 0x23 | |
| #define CS_64 0x33 |
Cr4sh
/ gist:fe910f0d1b0559efd43d
Created
September 3, 2014 19:55
Dynamically finding sys_call_table on Linux x86_64 systems
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void **find_sys_call_table(void *kernel_addr, int kernel_size) | |
| { | |
| /* | |
| Check for the system_call_fastpath() signature, hand-written piece of | |
| assembly code from arch/x86/kernel/entry_64.S: | |
| ja badsys | |
| mov rcx, r10 | |
| call sys_call_table[rax * 8] | |
| mov [rsp + 20h], rax |
Cr4sh
/ gist:01f856a988ab89b3b219
Created
November 2, 2014 20:23
_KTHREAD::ServiceTable hook detection macro for kd/windbg
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $$ enum active proceses | |
| r $t0 = nt!PsActiveProcessHead | |
| .for (r $t1 = poi(@$t0); | |
| (@$t1 != 0) & (@$t1 != @$t0); | |
| r $t1 = poi(@$t1)) | |
| { | |
| r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, | |
| ActiveProcessLinks) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am Cr4sh on github. | |
| * I am d_olex (https://keybase.io/d_olex) on keybase. | |
| * I have a public key whose fingerprint is 9DEA 2C4E E86D ACDB 4313 F192 7572 EE56 6093 29C3 | |
| To claim this, I am signing this object: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Extract SW SMI handlers information from | |
| Intel DQ77KB board SMRAM dump. | |
| Example: | |
| $ python smi_handlers.py TSEG.bin | |
| 0xcc: 0xd70259d8 | |
| 0xb8: 0xd706673c |
Cr4sh
/ hw_access.py
Created
September 13, 2015 16:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os | |
| from subprocess import Popen, PIPE | |
| from struct import pack, unpack | |
| from portio import * | |
| def hexdump(data, width = 16, addr = 0): | |
| ret = '' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| JTAGenum | |
| Given a Arduino compatible microcontroller JTAGenum scans | |
| pins[] for basic JTAG functionality. After programming | |
| your microcontroller open a serial terminal with 115200 | |
| baud and send 'h' to see usage information. | |
| SETUP: | |
| Define the pins[] and pinnames[] map of pin names to pins |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * fork.c | |
| * Experimental fork() on Windows. Requires NT 6 subsystem or | |
| * newer. | |
| * | |
| * Copyright (c) 2012 William Pitcock <nenolod@dereferenced.org> | |
| * | |
| * Permission to use, copy, modify, and/or distribute this software for any | |
| * purpose with or without fee is hereby granted, provided that the above | |
| * copyright notice and this permission notice appear in all copies. |
Cr4sh
/ uac_bypass.c
Created
April 9, 2016 10:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void TestCopy() | |
| { | |
| BOOL cond = FALSE; | |
| IFileOperation *FileOperation1 = NULL; | |
| IShellItem *isrc = NULL, *idst = NULL; | |
| BIND_OPTS3 bop; | |
| SHELLEXECUTEINFOW shexec; | |
| HRESULT r; | |
| do { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Declaration | |
| */ | |
| /* | |
| 'tfp_format' really is the central function for all tinyprintf. For each output character | |
| after formatting, the 'putf' callback is called with 2 args: | |
| - an arbitrary void* 'putp' param defined by the user and passed unmodified from 'tfp_format'; | |
| - the character; |
OlderNewer