danzek

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]

danzek

HINSTANCE LoadExecuteClearSystemsBatchFile()
{
  HMODULE hModule; // eax
  HMODULE phModule; // ebx
  HRSRC hRsrcSIXSIX1; // eax
  HRSRC phRsrcSIXSIX1; // esi
  HGLOBAL hGlobalRsrcSIXSIX1; // eax
  const void *ResourceLock; // edi
  DWORD cbResourceSIXSIX1; // esi
  HGLOBAL hDecryptedResourceMemory; // ebx

danzek

// go tour fibonacci closure exercise solution
// https://tour.golang.org/moretypes/26

package main

import "fmt"

// fibonacci is a function that returns
// a function that returns an int.
func fibonacci() func() int {

danzek

// solution to rot13Reader exercise in golang tour

package main

import (
	"io"
	"os"
	"strings"
)

danzek

Sub FixLinks()
    Dim wks As Worksheet
    Dim hl As Hyperlink
    Dim sOld As String
    Dim sNew As String
    Set wks = ActiveSheet
    sOld = "G:\MyOriginalFolderIWantToReplaceInPath\"
    sNew = ".\"
    For Each hl In wks.Hyperlinks
        hl.Address = Replace(hl.Address, sOld, sNew)

danzek

<#
.SYNOPSIS
Gets data from Windows Desktop Search.

.DESCRIPTION
Uses Windows API (ADO) to get data from Windows Desktop Search JET (ESE) database.

.NOTES
File Name  : Get-DesktopSearchData.ps1
Author     : Dan O'Day - d@4n68r.com

danzek

/*
 *  singly_linked_list.c
 *  
 *  Demo of singly-linked list using simplified Process struct
 *
 *  I made this for the 2019 KPMG Lunch and Learn series entitled, 
 *  "A heuristic approach to coding in C on Windows"
 */

#include <stdio.h>

danzek

#!/usr/bin/env python
"""
Module containing class to parse and return formatted SID string given list of integers containing SID from byte array

This was made for formatting the CreatorSID from the Microsoft Windows CIM (WMI) repository database in the standard 
Windows SID format ("S-1-5-21-<RID>-<RID>...). For instance, if using a script such as [`python-cim`](https://github.com/fireeye/flare-wmi/tree/master/python-cim) 
[filter-to-consumer bindings](https://github.com/fireeye/flare-wmi/blob/master/python-cim/samples/show_filtertoconsumerbindings.py), 
to extract CreatorSID using that script, you would add `'CreatorSID'` to the filter or consumer properties like so:

    filter_sid = filter.properties["CreatorSID"].value

danzek

<# 
.SYNOPSIS   :  PowerShell script to set Ethernet connection as metered or not metered

.AUTHOR     :  Michael Pietroforte

.SITE       :  https://4sysops.com
#>

# Retrieved from https://4sysops.com/archives/set-windows-10-ethernet-connection-to-metered-with-powershell/

danzek

Important articles about Windows/NTFS

This also contains quotes from the articles in case they are moved/deleted/etc.

• File Times: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724290

A file time is a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC). The system records file times when applications create, access, and write to files.

The NTFS file system stores time values in UTC format, so they are not affected by changes in time zone or daylight saving time. The FAT file system stores time values based on the local time of the computer. For example, a file that is saved at 3:00pm PST in Washington is seen as 6:00pm EST in New York on an NTFS volume, but it is seen as 3:00pm EST in New York on a FAT volume.