Skip to content

Instantly share code, notes, and snippets.

@EvanMcBroom
EvanMcBroom / arnold.md
Last active July 20, 2022 18:06
IllBeBack - An Undocumented Function

IllBeBack - An Undocumented Function

Microsoft purchased the software Softricity SoftGrid in 2006 and renamed it to Microsoft Application Virtualization, or App-V for short. Windows shipped with several libraries in System32 and SysWOW64 to support App-V.

AppVTerminator.dll

One App-V library stands out from all the rest because it only has one exported function named IllBeBack... That's right! A library signed by Microsoft, with Terminator in the name, that only has a single callable function named IllBeBack.

@EvanMcBroom
EvanMcBroom / perfect-loaders.md
Created September 30, 2023 14:06
Perfect Loader Implementations

Perfect Loader Implementations

Thank you to SpecterOps for supporting this research and to Lee and Sarah for proofreading and editing! Crossposted on the SpecterOps Blog.

TLDR: You may use fuse-loader or perfect-loader as examples for extending an OS's native loader to support in-memory libraries.

Some software applications require the ability to load dynamic libraries from the memory of the application's own process. The majority of desktop OSes do not support this use case, so a number of developers have reimplemented the process of loading a library to overcome this limitation.

@EvanMcBroom
EvanMcBroom / fireeye-tools.md
Last active October 13, 2023 08:16
FireEye Red Team Tools - Notes

FireEye Red Team Tools - Notes

These are my notes on FireEye's yara rules for it's red team's tools.

These are the public projects that I could identify to be directly associated with a tool:

Project Source
AndrewSpecial https://github.com/hoangprod/AndrewSpecial
BloodHound https://github.com/BloodHoundAD/BloodHound
@EvanMcBroom
EvanMcBroom / pic-and-string-literals.md
Last active October 31, 2023 08:37
Position Independent Code and String Literals

Position Independent Code and String Literals

A common programming idiom when writing position independent code (PIC) is to expand a string literal into its individual characters when instantiating a local variable.

void f() {
    // Example 1: A normal instantiation with a string literal
    char a[]{ "a long string" };

 // Example 2: The Pic idiom for instantiating a string
@EvanMcBroom
EvanMcBroom / pic-and-string-literals-2.md
Last active November 20, 2023 13:19
Pic and String Literals Part 2

PIC and String Literals Part 2

I previously wrote about how to use macro metaprogramming to simplify using string literals in position independent code (PIC). The results are summarized in the below code snippet and the article can be read on GitHub.

void f() {
    // Example 1: The Pic idiom for instantiating a string
    char picString1[]{ 'a', 'b', 'c' };
@EvanMcBroom
EvanMcBroom / sleepy.md
Last active December 14, 2023 20:39
Sleepy - Python Tooling for Sleep

Sleepy - Python Tooling for Sleep

Thank you to SpecterOps for supporting this research and to Sarah, Cody, and Daniel for proofreading and editing! Crossposted on the SpecterOps Blog.

TL;DR: You can use sleepy to automate common tasks when working with Sleep code.

Raphael Mudge created the embeddable scripting language, Sleep, in April 2002. Sleep was designed to extend Java applications and has been used in few projects; most notably Cobalt Strike.

@EvanMcBroom
EvanMcBroom / sms-crypto-unobfuscate-string.c
Last active January 24, 2024 23:48
SCCM Credential Recovery for Network Access Accounts
/*
* Research by Evan McBroom and Chris Thompson (@_Mayyhem)
* Roger Zander made security recommendations for SCCM based on the claim that NAA credentials could be recovered.
* Source: https://rzander.azurewebsites.net/network-access-accounts-are-evil/
* Roger stated that recover was "possible with a few lines of code" but did not provide any code. Here is working code.
*/
#include <Windows.h>
#include <stdio.h>
@EvanMcBroom
EvanMcBroom / no_strings.hpp
Last active February 6, 2024 17:57
Encrypt Strings at Compile Time
// Copyright (C) 2022 Evan McBroom
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
@EvanMcBroom
EvanMcBroom / encrypting-strings-at-compile-time.md
Last active March 1, 2024 07:14
Encrypting Strings at Compile Time

Encrypting Strings at Compile Time

Thank you to SpecterOps for supporting this research and to Duane and Matt for proofreading and editing! Crossposted on the SpecterOps Blog.

TLDR: You may use this header file for reliable compile time string encryption without needing any additional dependencies.

Programmers of DRM software, security products, or other sensitive code bases are commonly required to minimize the amount of human readable strings in binary output files. The goal of the minimization is to hinder others from reverse engineering their proprietary technology.

Common approaches that are taken to meet this requirement often add an additional maintenance burden to the developer and are prone to error. These approaches will be presented along with t

@EvanMcBroom
EvanMcBroom / switch-statements-with-full-strings.md
Last active March 13, 2024 16:46
Switch Statements with Full Strings

Switch Statements with Full Strings

C++11 introduced the constexpr keyword for defining a constant expression. A constant expression is a variable or function that may be evaluated at compile time. This has many uses, including extending a switch statement to support full strings.

Constant Expression Hash Functions

C++ only supports using an integer as the condition in a switch statement and an integer that is known at compile time in a case statement. You can define a hash function and use it to convert a string to an integer to use in a switch statement. If you define that hash function as a constexpr you can use it to convert a string literal to an integer to use in a case statement as well.