genuine_ blaquee

View GitHub Profile
@blaquee
blaquee / readdisk.py
Created August 2, 2013 23:19
rawdisk python
import os
import sys

SECTOR_SIZE = 512

def main():
    try:
        if len(sys.argv) != 4:
            raise Exception('Not Enough Arguments')
        else:
blaquee / sids.h
Created July 12, 2019 14:37
SIDs
/////////////////////////////////////////////////////////////////////////////
//                                                                         //
// Universal well-known SIDs                                               //
//                                                                         //
//     Null SID                  S-1-0-0                                   //
//     World                     S-1-1-0                                   //
//     Local                     S-1-2-0                                   //
//     Creator Owner ID          S-1-3-0                                   //
//     Creator Group ID          S-1-3-1                                   //
//     Creator Owner Server ID   S-1-3-2                                   //
blaquee / MSHTA-Notes.md
Last active September 13, 2021 15:58
gistpad-scratch

The mshta executable is invoked and calls the WldpGetLockdownPolicy function.

It sets the WLDP_HOST_INFORMATION members to dwRevision = 1 and dwHostId = WLDP_HOST_ID_GLOBAL (1).

This checks the state of a lockdown policy.

It then checks the registry for the CLSID of the mhtml DLL: RegOpenKeyExA(HKEY_CLASSES_ROOT, "clsid\\{25336920-03f9-11cf-8fd0-00aa00686f13}\\InProcServer32", 0, 1u, &hKey)

Misc Notes on Windows Drivers and Object Management

Some terminology for File System Drivers:

FSD - File System Driver: a driver that implements a file system.

FCB - File Control Block: uniquely represents an open, on-disk object in system memory (similar to vnodes in UNIX). When an object is successfully opened in the Object Manager, an FCB is created by the I/O Manager.

CCB - Context Control Block: a CCB is created by the FSD when a successful open operation is made by a user-mode program. A handle is returned, and the CCB is the kernel representation of this handle.

blaquee / alpcfiles.log
Created September 13, 2021 14:05
ALPC Binaries in Sys32
DLLs utilizing ALPC
Name: C:\Windows\System32\AudioSes.dll
Name: C:\Windows\System32\CoreMessaging.dll
Name: C:\Windows\System32\csrsrv.dll
Name: C:\Windows\System32\daxexec.dll
Name: C:\Windows\System32\DispBroker.dll
Name: C:\Windows\System32\dps.dll
Name: C:\Windows\System32\dwmapi.dll
Name: C:\Windows\System32\dwmghost.dll
Name: C:\Windows\System32\dwminit.dll
blaquee / processlist.cpp
Created May 20, 2020 16:23
Process listing the Native way on Vista +
HANDLE curHandle = nullptr;
NTSTATUS status;
ULONG dwLen = 0;
UNICODE_STRING strProcNameBuffer = { 0 };
PUNICODE_STRING ucBuffer = nullptr;

// enumerate next processes, use flag 1 to enumerate the process list backwards
while (NtGetNextProcess(curHandle, MAXIMUM_ALLOWED, 0, 0, &curHandle) == STATUS_SUCCESS)
{
    status = NtQueryInformationProcess(curHandle, ProcessImageFileName, 0, 0, &dwLen);
import string
import random
import os

def gen_domain(seed):
    multiplier = int(0x41C64E6D)
    #seed = 1600000
    domain = ""
    ebx = seed
/*
* Small p2p chat program using raw udp sockets
* by: Greg Lindor
*/
#include <unistd.h>
#include <stdio.h>
#include <string.h>
blaquee / generated.h
Created March 31, 2020 15:04
generated opensnoop header from bpftool gen
/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
/* THIS FILE IS AUTOGENERATED! */
#ifndef __OPENSNOOP_BPF_SKEL_H__
#define __OPENSNOOP_BPF_SKEL_H__
#include <stdlib.h>
#include <bpf/libbpf.h>
struct opensnoop_bpf {
blaquee / update-alt.sh
Created February 26, 2020 16:02
update alternatives for llvm/clang
#!/usr/bin/env bash
# --slave /usr/bin/$1 $1 /usr/bin/$1-\${version} \\
function register_clang_version {
    local version=$1
    local priority=$2
    update-alternatives \
        --install /usr/bin/llvm-config llvm-config /usr/lib/llvm-${version}/bin/llvm-config ${priority} \