analyticsearch

// White Knight Labs - Offensive Development Course
// Anti-Debug Patch Check - KERNELBASE!IsDebuggerPresent function

#include <iostream>
#include <Windows.h>

// Define the expected bytes of the KERNELBASE!IsDebuggerPresent function.
// This array represents the specific sequence of bytes we expect to find at the
// beginning of the IsDebuggerPresent function in a non-modified state.
const unsigned char expectedBytes[] = {0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x0F, 0xB6, 0x40, 0x02, 0xC3};

analyticsearch

/*
	TaskManagerSecret

	Author: @splinter_code

	This is a very ugly POC for a very unreliable UAC bypass through some UI hacks.
	The core of this hack is stealing and using a token containing the UIAccess flag set.
	A trick described by James Forshaw, so all credits to him --> https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html
	From there it uses a task manager "feature" to run a new High IL cmd.exe.
	This has been developed only for fun and shouldn't be used due to its high unreliability.

analyticsearch

/*
 * Rust basic Process injection using OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread
 * API dynamic resolution and shellcode XOR encoded
 */
#[allow(non_camel_case_types)]
type HANDLE = *mut u64;
#[allow(non_camel_case_types)]
type LPVOID = *mut u64;
#[allow(non_camel_case_types)]
type DWORD = u32;

analyticsearch

# Simple script to check drivers in C:\windows\system32\drivers against the loldrivers list
# Author: Oddvar Moe - @oddvar.moe

$drivers = get-childitem -Path c:\windows\system32\drivers
$web_client = new-object system.net.webclient
$loldrivers = $web_client.DownloadString(" https://www.loldrivers.io/api/drivers.json") | ConvertFrom-Json

Write-output("Checking {0} drivers in C:\windows\system32\drivers against loldrivers.io json file" -f $drivers.Count)
foreach ($lol in $loldrivers.KnownVulnerableSamples)
{

analyticsearch

GET /beta/deviceLocalCredentials/[DEVICE-ID]?$select=credentials HTTP/1.1
ocp-client-version: 1.0
client-request-id: 96cbfa59-dbfc-4a92-b261-7f77bd8f4b9b
ocp-client-name: Get-LapsAADPassword Windows LAPS Cmdlet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22621; en-US) PowerShell/5.1.22621.963 Invoke-MgGraphRequest
SdkVersion: graph-powershell/1.26.0, Graph-dotnet-1.25.1
FeatureFlag: 00000047
Cache-Control: no-store, no-cache
Authorization: Bearer [AAD-JWT-HERE]
Accept-Encoding: gzip

analyticsearch

using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;

analyticsearch

# Get the DLL file path from user input
$dllPath = Read-Host "Enter the DLL file path"

# Get all running processes
$processes = Get-Process

# Loop through each process
foreach ($process in $processes) {
    $processName = $process.ProcessName

analyticsearch

using System;
using System.Runtime.CompilerServices;
using System.Reflection;
using System.Reflection.Emit;
namespace FunkyJit
{
    class Program
    {
        public static void Nothing() { Console.WriteLine(); }
        static void Main(string[] args)

analyticsearch

#include "stdafx.h"
#include <process.h>

using namespace Microsoft::WRL;

HMODULE g_currentModule;

BOOL APIENTRY DllMain(HMODULE module, DWORD reason, LPVOID reserved)
{
	switch (reason)

analyticsearch

"""
Transform a binary file into a C header file.
The binary file is splitted into 16 char strings and rebuild at execution time.

The function buildsc() must be called in your main to rebuild the binary file into the sc C variable.
The length is set in the sc_length variable.

Be carefull, try to avoid compiler code optimization as it will remove all these modifications in the final binary.
"""