Skip to content

Instantly share code, notes, and snippets.

View Midi12's full-sized avatar
🏴‍☠️

Midi12

🏴‍☠️
158 followers · 63 following
View GitHub Profile
@NyaMisty
NyaMisty / outline_graph.py
Created September 1, 2022 01:02
IDA Graph view with outlined function included
"""
summary: drawing custom graphs
description:
Showing custom graphs, using `ida_graph.GraphViewer`. In addition,
show how to write actions that can be performed on those.
keywords: graph, actions
"""
from __future__ import print_function
# -----------------------------------------------------------------------
@olliencc
olliencc / WindowsVEHusingProcEnumandCountandDecode.cpp
Created January 3, 2022 14:01
Enumerates processes which use VEH via their PEB and then counts the number of VEHs present - decodes pointers and works out which module they are in
/*
VEH misuse detector for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/
@bohops
bohops / AccCheckConsole.txt
Last active February 28, 2024 19:15
AccChecker LOLBIN [AccCheckConsole.exe]
*Purpose
- UI Accessibility Checker
- Verifies UI accessibility requirements
*LOLBIN Functionality/Steps
1) Go to "Custom Verification Routines" link in reference section and copy the sample verification C# code into Visual Studio.
2) Add proper assembly references (e.g. AccCheck.dll)
3) Insert your C# code under a target method such as Execute()
4) Compile to a .NET managed library (DLL)
5) Invoke the code
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active June 23, 2024 22:01
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@stevemk14ebr
stevemk14ebr / VirtualAlloc2
Created May 5, 2021 14:30
VirtualAlloc2 Bounded Allocation
// Alloc2Test.cpp : This file contains the 'main' function. Program execution begins and ends there.
//
#include <iostream>
#include <Windows.h>
#include <string>
#include <assert.h>
static inline char* AlignUpwards(const char* stack, size_t align) {
@k4nfr3
k4nfr3 / ioc_vulnerable_drivers.csv
Last active March 28, 2024 07:43
IOC vulnerable drivers
We can make this file beautiful and searchable if this error is corrected: It looks like row 9 should actually have 4 columns, instead of 2. in line 8.
SHA256,Name,Signer,Description
04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162,ADV64DRV.sys,"""FUJITSU LIMITED """,
05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F,Agent64.sys,"""eSupport.com, Inc""",DriverAgent Direct I/O for 64-bit Windows
B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D,ALSysIO64.sys,Artur Liberman,ALSysIO
7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA,ALSys
@dr4k0nia
dr4k0nia / Homoglyph_Obfuscation.md
Last active October 28, 2022 16:55
Abusing homoglyphs in .NET "Obfuscation" (Write up)

Abusing homoglyphs in .NET "Obfuscation"

A while ago I watched a very interesting DEF CON talk called "Repsych: Psychological Warfare in Reverse Engineering" by Chris Domas. In his talk Chris talked about how one could fool and or piss off reverse engineers with some little tricks. This got me thinking what can I do in .net to piss off and or fool reverse engineers. After reading about homoglyphs I had a fun little idea.

What are homoglyphs?

Homoglyphs are characters that look the same but are actually from different alphabets. For our obfuscation concept, we will abuse the fact that there are unicode characters that look just like normal latin letters.

How can we use homoglyphs?

So since the homoglyph characters look just like latin characters, we can use them to have to identical looking names that are actually different. For example we could replace the character M in the name <Module> with an M from a different alphabet.

@icecr4ck
icecr4ck / idapython_cheatsheet.md
Last active July 23, 2024 15:21
Cheatsheet for IDAPython
@chinmaygarde
chinmaygarde / FlutterEmbedderGLFW.cc
Last active November 23, 2023 16:26
Flutter Embedder API Example (GLFW with OpenGL)
#include <assert.h>
#include <chrono>
#include <embedder.h>
#include <glfw3.h>
#include <iostream>
static_assert(FLUTTER_ENGINE_VERSION == 1, "");
static const size_t kInitialWindowWidth = 800;
@nmulasmajic
nmulasmajic / WorkingSetWatch.cpp
Last active July 21, 2024 14:40
/*
* Module Name:
* WorkingSetWatch.cpp
*
* Abstract:
* Tracks page faults that occur within the process.
*
* NOTE: This is not compatible with Wow64 and must be run as a 64-bit
* program on x64 and a 32-bit program on x86.
*