aaaddress1 / ExeMask.py
Last active May 4, 2024 21:38
Strip your personal compile info from Exe Files
import pefile, struct, sys
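if len(sys.argv) != 2:
    # Usage banner: the script takes exactly one argument, the PE file to rewrite.
    # The first line has no placeholders, so it is a plain string (the original
    # carried an unnecessary f-prefix, ruff F541); the text itself is unchanged.
    print("Strip your personal compile info from Exe Files by aaaddress1@chroot.org")
    print(f"Usage: {sys.argv[0]} [path/to/exe]")
    # Non-zero status so a calling shell or build step can detect the misuse.
    sys.exit(-1)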
# Rewritten from pefile: https://github.com/erocarrera/pefile/blob/593d094e35198dad92aaf040bef17eb800c8a373/pefile.py#L3402
def mask_myRichHdr(in_pefile):
DANS = 0x536E6144 # 'DanS' as dword
// iThome 2020 Demo: Signature Patcher for Explorer
// author: aaaddress1@chroot.org
#include <iostream>
#include <Windows.h>
int main() {
DWORD explorer_pid;
GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", NULL), &explorer_pid);
if (HANDLE token = OpenProcess(PROCESS_ALL_ACCESS, FALSE, explorer_pid)) {
aaaddress1 / vehMon.cpp
Last active May 3, 2024 22:14
VEH Monitor
// VEH Monitor by aaaddress1@chroot.org
#include <stdio.h>
#include <windows.h>
#pragma warning( disable : 4996 )
LONG __stdcall TrapFilter(PEXCEPTION_POINTERS pexinf) {
if (pexinf->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION && ((DWORD)pexinf->ExceptionRecord->ExceptionAddress & 0x80000000))
pexinf->ContextRecord->Eip = pexinf->ContextRecord->Eip ^ 0x80000000;
else if (pexinf->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP)
return EXCEPTION_CONTINUE_SEARCH;
aaaddress1 / http_download.h
Last active May 3, 2024 22:13
using WinHTTP to obtain binary data (MSVC)
// using WinHTTP to obtain binary data (MSVC)
// by aaaddress1@chroot.org
#include <vector>
#include <stdio.h>
#include <windows.h>
#include <Winhttp.h>
#pragma comment(lib, "winhttp")
using namespace std;
vector<char>* httpRecv(const wchar_t url[]) {
aaaddress1 / memcpy32.cpp
Created April 20, 2021 09:48
memcpy32.cpp
// memcpy 32bit by aaaddress1@chroot.org
#include <stdint.h>
#include <stdio.h>
#include <windows.h>
int main(void) {
int dummy(0x41414242);
char buf[8] = {0};
((void(cdecl *)(DWORD, DWORD, DWORD))"\x8B\x7C\x24\x04\x8B\x74\x24\x08\x8B\x4C\x24\x0C\xF3\xA4\xC3")((size_t)buf, (size_t)&dummy, sizeof(dummy));
puts(buf);
aaaddress1 / wow64_read64Env.cpp
Created April 20, 2021 10:37
fetch current EXE path from 64 bit PEB->Ldr (In 32 bit mode)
// fetch current EXE path from 64 bit PEB->Ldr (In 32 bit mode)
// by aaaddress1@chroot.org
#include <stdint.h>
#include <stdio.h>
#include <windows.h>
typedef struct _PEB_LDR_DATA64
{
ULONG Length;
BOOLEAN Initialized;
ULONG64 SsHandle;
aaaddress1 / wow64Mem_Forensics.cpp
Last active May 3, 2024 22:12
get 64 bit windows API address in pure 32 bit mode
// get 64 bit Windows API in pure 32 bit mode!
// all compiler optimizations must be disabled if you're using MSVC.
// for more detail, check out ReWolf's amazing trick: blog.rewolf.pl/blog/?p=102
// by aaaddress1@chroot.org
#include <iostream>
#include <stdio.h>
#include <windows.h>
// ref: raw.githubusercontent.com/rwfpl/rewolf-wow64ext/master/src/wow64ext.h
#include "wow64ext.h"
aaaddress1 / x96_shellcode.py
Created May 19, 2021 05:45
Python Script to Generate x96 Windows Shellcode
# x96_shellcode.py
# ref: gist.github.com/aaaddress1/3c0ae754f8a40024881343a085954049
# by aaaddress1@chroot.org
'''
entry:
call $+5
mov ax, cs
sub ax, 23h
je retTo32b
nop
aaaddress1 / stager.cc
Created June 5, 2021 17:58
simple stager: using ncat to send shellcode payload, recv & execute.
// simple stager, by aaaddress1@chroot.org
// using ncat to send shellcode payload, recv & execute.
#include <WS2tcpip.h>
#include <stdio.h>
#include <shlobj.h>
#include <Windows.h>
#include <shlwapi.h>
#include <winsock2.h>
#pragma warning(disable:4996)
#pragma comment(lib, "ws2_32.lib")
aaaddress1 / etw_ClrTracker.cpp
Last active May 3, 2024 22:10
use ETW (Event Tracing for Windows) to get notifications of loaded CLR modules
// ETW CLR Tracker, by aaaddress1@chroot.org
// rewrite from post "Hiding your .NET - ETW"
// URL: https://blog.xpnsec.com/hiding-your-dotnet-etw/
// Numeric ETW event IDs the tracker keys on. Their names read like
// .NET runtime provider events (assembly load / method load);
// NOTE(review): the consumer that compares them against incoming
// event descriptors is outside this preview — confirm the IDs against
// the provider manifest before relying on them for detection.
#define AssemblyDCStart_V1 155
#define AssemblyLoad_V1 154
#define MethodLoadVerbose_V1 143
#include <windows.h>
#include <stdio.h>
#include <wbemidl.h>