
@c0d3inj3cT
c0d3inj3cT / locksmith_solve.py
Created May 24, 2019 12:38
Locksmith Solution - Security Fest 2019
from pwn import *
from z3 import *
import re
import time
def get_solution(diff):
    print(diff)
    s = Solver()
    a = Int('a')
@c0d3inj3cT
c0d3inj3cT / z3_solve.py
Created December 23, 2018 19:17
Friedrich's Christmas Hangover - X-MAS CTF 2018 Writeup
#! /usr/bin/python
from z3 import *
# Solution for Friedrich's Christmas Hangover Challenge for X-MAS CTF 2018
s = Solver()
i1 = Int('i1')
i2 = Int('i2')
@c0d3inj3cT
c0d3inj3cT / sfmode.html
Created November 16, 2014 11:50
IE SafeMode Example
<html>
  <title>IE SafeMode</title>
  <script language="vbscript">
    Set obj = CreateObject("Shell.Application")
    obj.ShellExecute("calc.exe");
  </script>
</html>
@c0d3inj3cT
c0d3inj3cT / sum.c
Created October 4, 2014 19:08
An example program to understand the Calling Convention used for 64-bit Binaries.
#include <stdio.h>

int sum(int, int, int, int);

int main(int argc, char **argv)
{
    int result = 0;
    /* four integer arguments: on x86-64 SysV they travel in edi, esi, edx, ecx */
    result = sum(1, 2, 3, 4);
    printf("The sum is: %d\n", result);
    return 0;
}

int sum(int a, int b, int c, int d)
{
    return a + b + c + d;
}
@c0d3inj3cT
c0d3inj3cT / instrace.cpp
Last active January 4, 2021 21:13
This pintool was written to identify interesting sequences of instructions that are often used by malware to obfuscate control flow, to be position independent, to detect a virtual machine, to perform anti-debugging tricks, or to implement encryption and decryption routines.
/*
Instruction Tracer to identify
interesting sequences of instructions
in malware.
c0d3inj3cT
*/
#include <stdio.h>
#include <iostream>
@c0d3inj3cT
c0d3inj3cT / retn_overwrite.asm
Created January 4, 2014 10:07
This is a proof of concept showing how a debugger can be confused by overwriting the RETN instruction with its own opcode (0xc3), which results in the debugger executing the code instead of trapping at the return address.
; Overwrite RETN opcode
; Control Flow Obfuscation
; c0d3inj3cT
include \masm32\include\masm32rt.inc
.data
hMod dd 0
.code
@c0d3inj3cT
c0d3inj3cT / vmware-detect.c
Created December 11, 2013 05:08
This code scans the process address space of csrss.exe for the string "MS_VM_CERT", the VMware OEM string present in the SMBIOS structures.
/*
Detect VMWare using OEM String in Memory
Tested on Windows XP SP3/VMWare Workstation 7.1.0
c0d3inj3cT
*/
#include <windows.h>
#include <stdio.h>
#define MARKER "MS_VM_CERT"
@c0d3inj3cT
c0d3inj3cT / hookapi.asm
Last active July 27, 2022 19:43
API hooking code in Assembly from Win32/Gepys
; ESI - Function Pointer
; EDI - Buffer
00C816F9  803E E9       CMP BYTE PTR DS:[ESI],0E9                      ; check if the first instruction of the API is a jump instruction
00C816FC  75 09         JNZ SHORT 00C81707
00C816FE  8B46 01       MOV EAX,DWORD PTR DS:[ESI+1]
00C81701  8D4430 05     LEA EAX,DWORD PTR DS:[EAX+ESI+5]
00C81705  EB 12         JMP SHORT 00C81719
00C81707  8D46 05       LEA EAX,DWORD PTR DS:[ESI+5]                   ; point eax to the 5th byte of the function
00C8170A  A5            MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]     ; store 5 bytes from the function into the buffer
@c0d3inj3cT
c0d3inj3cT / hookdetect.c
Last active January 2, 2022 04:20
This pintool was written to detect API hooks by checking calls to VirtualProtect() that mark the memory region of Win32 APIs as PAGE_EXECUTE_READWRITE, a step often taken when installing an API hook.
/*
Pintool to detect API hooks in a process
c0d3inj3cT
*/
#include <stdio.h>
#include <iostream>
#include "pin.H"
int i=0;
@c0d3inj3cT
c0d3inj3cT / wmtimer.asm
Last active October 18, 2017 05:29
This code demonstrates the method used by the Win32/Gepys virus family to introduce a delay in execution before invoking the malicious code.
; Below are the first few lines of code of the Window Procedure:
00402680  55            PUSH EBP
00402681  8BEC          MOV EBP,ESP
00402683  83E4 F8       AND ESP,FFFFFFF8
00402686  83EC 4C       SUB ESP,4C
00402689  A1 04A04000   MOV EAX,DWORD PTR DS:[40A004]
0040268E  33C4          XOR EAX,ESP
00402690  894424 48     MOV DWORD PTR SS:[ESP+48],EAX
00402694  8B45 0C       MOV EAX,DWORD PTR SS:[EBP+C]                   ; window message code