alfarom256
/ SyscallInstrumentation.cpp
Last active
April 8, 2024 17:53
A detection mechanism for UM syscall hooking done with InstrumentationCallback functions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #define OFFSET_InstrumentationCallbackSp 0x2d0 | |
| #define OFFSET_InstrumentationCallbackPreviousPc 0x2d8 | |
| #define OFFSET_InstrumentationCallbackPreviousSp 0x2e0 | |
| #define OFFSET_InstrumentationCallbackDisabled 0x2ec | |
| #define OFFSET_Instrumentation 0x16b8 | |
| typedef struct SyscallInstrumentation { | |
| BYTE InstrumentationCallbackDisabled; |
alfarom256
/ ldr_data_table_entry.rs
Created
August 25, 2020 15:35
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #[repr(C)] | |
| pub struct LDR_DATA_TABLE_ENTRY<'ldte> { | |
| pub _reserved0: [PVOID; 2], | |
| pub in_initialize_order_links: LIST_ENTRY<'ldte>, | |
| // removed PVOID[2] | |
| pub dll_base: PVOID, | |
| pub entry_point: PVOID, | |
| pub _reserved1: [PVOID; 3], // Additional 2 PVOID's go here | |
| pub full_dll_name: UNICODE_STRING, | |
| pub _reserved3: [u8; 8], |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <threadpoolapiset.h> | |
| #define LEN 277 | |
| // run calc | |
| unsigned char op[] = | |
| "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" | |
| "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <jobapi2.h> | |
| #include <stdlib.h> | |
| // something something don't use iostream | |
| #include <iostream> | |
| #define IF_ERR(x,y) if(x == y) {std::cout<<"Error! : " << GetLastError() << std::endl; exit(-1);} | |
| int main() { | |
| int x; | |
| std::cout << "Enter PID: "; |
alfarom256
/ Netstat Expressvpn
Created
June 19, 2018 21:06
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| netstat -tulpn | |
| Active Internet connections (only servers) | |
| Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name | |
| tcp 0 0 127.0.0.1:2015 0.0.0.0:* LISTEN 503/expressvpnd | |
| tcp 0 0 127.0.0.1:38629 0.0.0.0:* LISTEN 1389/expressvpn-age | |
| tcp 0 0 127.0.0.1:43569 0.0.0.0:* LISTEN 1800/openvpn-expres | |
| udp 0 0 0.0.0.0:68 0.0.0.0:* 697/dhclient | |
| udp 0 0 0.0.0.0:43381 0.0.0.0:* 1800/openvpn-expres |
alfarom256
/ Cutter AppImage Stack trace
Created
June 19, 2018 21:06
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ./Cutter-v1.4-x86_64.AppImage | |
| Setting r2 prefix = "/tmp/.mount_CutterW0QrH6/usr" for AppImage. | |
| Setting PYTHONHOME = "/tmp/.mount_CutterW0QrH6/usr" for AppImage. | |
| PYTHONHOME = "/tmp/.mount_CutterW0QrH6/usr" | |
| Exception in thread Thread-1: | |
| Traceback (most recent call last): | |
| File "/tmp/.mount_CutterW0QrH6/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner | |
| self.run() | |
| File "/tmp/.mount_CutterW0QrH6/usr/lib/python3.6/threading.py", line 864, in run | |
| self._target(*self._args, **self._kwargs) |
NewerOlder