Skip to content

Instantly share code, notes, and snippets.

View Und3rf10w's full-sized avatar

Und3rf10w

605 followers · 63 following
View GitHub Profile
@jackullrich
jackullrich / mainc.c
Last active November 3, 2023 17:20
Single Step Encryption/Decryption
#include <Windows.h>
LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo);
typedef VOID(__stdcall* Shellcode)();
LPBYTE ShellcodeBuffer;
ULONG_PTR PreviousOffset;
ULONG_PTR CurrentOffset;
ULONGLONG InstructionCount;
DWORD dwOld;
@ChoiSG
ChoiSG / rsrcDecryptAssembly.nim
Last active September 19, 2022 17:31
embed .net, decrypt, load and execute in nim poc
import nimcrypto
import winim/clr except `[]` # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/ <-- thank you so much, 2 hours googling I almost went crazy
#[
All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t
nimble install winim nimcrypto zippy
nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim
slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time.
@MHaggis
MHaggis / conti.cna
Created August 9, 2021 14:15
#AntiVirus Query
#Author: @r3dQu1nn
#Queries the Registry for AV installed
#Thanks to @i_am_excite and @merrillmatt011 for the help
#Props to @zerosum0x0 for the wmic find!
#Long ass one-liner :)
$powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE)
@fr0gger
fr0gger / DhashIcon.py
Last active November 30, 2023 11:36
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Thomas Roccia | IconDhash.py
# pip3 install lief
# pip3 install pillow
# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html
import lief
import os
import argparse
@mattfysh
mattfysh / 5reqs.sh
Last active July 18, 2021 23:15
Luminati Performance
PROXY_URL=<your_proxy_url>
echo "HTTP"
time (
curl --proxy $PROXY_URL -s -o /dev/null http://example.com
curl --proxy $PROXY_URL -s -o /dev/null http://example.com
curl --proxy $PROXY_URL -s -o /dev/null http://example.com
curl --proxy $PROXY_URL -s -o /dev/null http://example.com
curl --proxy $PROXY_URL -s -o /dev/null http://example.com
)
@hasherezade
hasherezade / main.cpp
Created July 17, 2021 16:35
A native way to enumerate processes (alternative to: EnumProcesses, CreateToolhelp32Snapshot - Process32First - Process32Next)
#include <windows.h>
#include <iostream>
#include "ntddk.h"
bool enum_processes()
{
ULONG retLen = 0;
// check length:
@joepie91
joepie91 / normies-just-dont-care-about-privacy.md
Last active December 31, 2023 12:42

Normies just don't care about privacy

If you're a privacy enthusiast, you probably clicked a link to this post thinking it's going to vindicate you; that it's going to prove how you've been right all along, and "normies just don't care about privacy", despite your best efforts to make them care. That it's going to show how you're smarter, because you understand the threats to privacy and how to fight them.

Unfortunately, you're not right. You never were. Let's talk about why, and what you should do next.

So, first of all, let's dispense with the "normie" term. It's a pejorative term, a name to call someone when they don't have your exact set of skills and interests, a term to use when you want to imply that someone is clueless or otherwise below you. There's no good reason to use it, and it suggests that you're looking down on them. Just call them "people", like everybody else and like yourself - you don't need to turn them into a group of "others" to begin with.

Why does that matter? Well, would *y

@ozuma
ozuma / blacklist.dat
Created June 15, 2021 15:47
IP address block list from PhishKit.
# NETCRAFT IP RANGES
194.52.68.0-194.52.68.255
194.72.238.0-194.72.238.255
83.138.182.72-83.138.182.79
83.138.189.96-83.138.189.103
81.91.240.0-81.91.255.255
89.36.24.0-89.36.31.255
83.222.232.216-83.222.232.218
184.172.0.0-184.173.255.255
@monoxgas
monoxgas / syscall.pl
Last active January 8, 2022 10:57
Perl syscall/sc injection for MacOS
use DynaLoader;
use Devel::Peek;
use Fcntl;
use 5.008001; # because 5.6 doesn't have B::PV::object_2svref
use Config;
use B (); # for B::PV
sub mmap {
my ($addr, $size, $protect, $flags) = @_;
syscall(197, $addr, $size, $protect, $flags, -1, 0);
@hasherezade
hasherezade / injection_demos.md
Last active March 18, 2024 05:12
List of my PE injection demos