This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function UAC-TokenMagic { | |
| <# | |
| .SYNOPSIS | |
| Based on James Forshaw's three part post on UAC, linked below, and possibly a technique | |
| used by the CIA! | |
| Essentially we duplicate the token of an elevated process, lower it's mandatory | |
| integrity level, use it to create a new restricted token, impersonate it and | |
| use the Secondary Logon service to spawn a new process with High IL. Like | |
| playing hide-and-go-seek with tokens! ;)) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Masquerade-PEB { | |
| <# | |
| .SYNOPSIS | |
| Masquerade-PEB uses NtQueryInformationProcess to get a handle to powershell's | |
| PEB. From there itreplaces a number of UNICODE_STRING structs in memory to | |
| give powershell the appearance of a different process. Specifically, the | |
| function will overwrite powershell's "ImagePathName" & "CommandLine" in | |
| _RTL_USER_PROCESS_PARAMETERS and the "FullDllName" & "BaseDllName" in the | |
| _LDR_DATA_TABLE_ENTRY linked list. | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys, os, select, socket | |
| from struct import pack, unpack | |
| from socketserver import ThreadingMixIn, TCPServer, StreamRequestHandler | |
| from optparse import OptionParser, make_option | |
| from config import Conf | |
| BUFF_SIZE = 0x1000 |
Cr4sh
/ gist:fdd62b94315deed78beb3ec4b6fa95d4
Created
July 23, 2019 22:35
— forked from tai2/gist:1104429
UPnP Port Mapper
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # UPnP Port Mapper | |
| import os | |
| import sys | |
| import re | |
| import urllib2 | |
| from xml import sax | |
| from xml.sax import handler | |
| from xml.sax.handler import feature_namespaces | |
| import socket |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ############################################################### | |
| # | |
| # Debug messages monitor for Qualcomm cellular modems. | |
| # | |
| # This program talks to the baseband firmware over the | |
| # diag protocol serial port. | |
| # | |
| # Written by: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [+] Opening /dev/ttyUSB1 | |
| [+] Device model: 9607.gen | |
| [+] Revision: 100 | |
| [20.05.19/23:39:56] [0000] wmgrcore.c(274) : wmgr_reset_old_data: Client: 6, duration:917, reservation_time: 3656507, result: 2, collision_type: 0 | |
| [20.05.19/23:39:56] [000e] wtr2965_trx_wcdma_rx_class.cpp(779) : wtr2965_trx_wcdma_rx_class::set_port path 0, band 4,port 22 | |
| [20.05.19/23:39:56] [000e] wtr2965_trx_wcdma_rx_class.cpp(4097) : wtr2965_RX_gain: valid=0, st0=0, st1=1, st2=3, st3=4 | |
| [20.05.19/23:39:56] [005d] mcpm_resrc_modem_blk.c(991) : Reg Val: 65536; : Expected val: 65536; waitcount: 0; ID: 0x2 | |
| [20.05.19/23:39:56] [005d] mcpm_resrc_modem_blk.c(1749) : MCPM_MODEM_BLK: Committed MEM_SLP_CNTL 0x2, Reg states mem_slp: 0x200->0x20300 clamps: io 0x15->0x40 mem 0x1->0x2 | |
| [20.05.19/23:39:56] [000e] wtr2965_trx_wcdma_rx_class.cpp(534) : wtr2965_trx_wcdma_rx_class::set_chan is successful for RFM_DEVICE_0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| ********************************************************************* | |
| Part of UEFI DXE driver code that injects Hyper-V VM exit handler | |
| backdoor into the Device Guard enabled Windows 10 Enterprise. | |
| Execution starts from new_ExitBootServices() -- a hook handler | |
| for EFI_BOOT_SERVICES.ExitBootServices() which being called by | |
| winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi | |
| transfers exeution to previously loaded Hyper-V kernel (hvix64.sys) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys, os, time | |
| import grequests | |
| CHECK_URL = 'http://www.google.com' | |
| CHECK_TIMEOUT = 120 | |
| CHECK_CONNECTS = 200 | |
| VERBOSE = False | |
| class AsyncRequest(grequests.AsyncRequest): |
Cr4sh
/ ocd_mem_scan
Created
April 25, 2017 00:39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys, os, socket | |
| from struct import pack, unpack | |
| from hexdump import hexdump | |
| class OpenOcd: | |
| COMMAND_TOKEN = '\x1a' | |
| def __init__(self, verbose=False): |
Cr4sh
/ Qualcomm TrustZone SMC handlers list
Created
September 21, 2016 10:57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0xfe82801c: addr = 0xfe84804b, type = 0x3d, id = 0x0805, args = 2, name = tzbsp_pil_init_image_ns | |
| 0xfe828038: addr = 0xfe8482c1, type = 0x3d, id = 0x0802, args = 1, name = tzbsp_pil_auth_reset_ns | |
| 0xfe828050: addr = 0xfe847c85, type = 0x0d, id = 0x0806, args = 3, name = tzbsp_pil_mem_area | |
| 0xfe828070: addr = 0xfe847ce7, type = 0x0d, id = 0x0807, args = 1, name = tzbsp_pil_unlock_area | |
| 0xfe828088: addr = 0xfe84831b, type = 0x0f, id = 0x0808, args = 1, name = tzbsp_pil_is_subsystem_supported | |
| 0xfe8280a0: addr = 0xfe84835f, type = 0x0f, id = 0x0c01, args = 1, name = tzbsp_pil_is_subsystem_mandated | |
| 0xfe8280b8: addr = 0xfe84c7d9, type = 0x0d, id = 0x0c02, args = 1, name = tzbsp_write_lpass_qdsp6_nmi | |
| 0xfe8280d0: addr = 0xfe8079bd, type = 0x0d, id = 0x0c04, args = 2, name = tzbsp_set_cpu_ctx_buf | |
| 0xfe8280ec: addr = 0xfe80972b, type = 0x0d, id = 0x0c06, args = 2, name = tzbsp_set_l1_dump_buf | |
| 0xfe828108: addr = 0xfe8097e5, type = 0x0f, id = 0x0c07, args = 1, name = tzbsp_query_l1_dump_buf_size |