typedef struct _PML4E | |
{ | |
union | |
{ | |
struct | |
{ | |
ULONG64 Present : 1; // Must be 1, region invalid if 0. | |
ULONG64 ReadWrite : 1; // If 0, writes not allowed. | |
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed. | |
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PDPT. |
typedef struct _PDPTE | |
{ | |
union | |
{ | |
struct | |
{ | |
ULONG64 Present : 1; // Must be 1, region invalid if 0. | |
ULONG64 ReadWrite : 1; // If 0, writes not allowed. | |
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed. | |
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PD. |
typedef struct _PDE | |
{ | |
union | |
{ | |
struct | |
{ | |
ULONG64 Present : 1; // Must be 1, region invalid if 0. | |
ULONG64 ReadWrite : 1; // If 0, writes not allowed. | |
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed. | |
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PT. |
typedef struct _PTE | |
{ | |
union | |
{ | |
struct | |
{ | |
ULONG64 Present : 1; // Must be 1, region invalid if 0. | |
ULONG64 ReadWrite : 1; // If 0, writes not allowed. | |
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed. | |
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access the memory. |
#include <windows.h> | |
int main() {
    /*
     * Open (or create) test.txt for writing and release the handle right
     * away.  The path is relative, so the file is placed in whatever
     * working directory the process was started from, not a fixed location.
     *
     * Returns 0 on success, otherwise the Win32 error code obtained from
     * GetLastError() after CreateFileA() failed.
     */
    const DWORD desiredAccess = GENERIC_WRITE;
    const DWORD shareMode = FILE_SHARE_WRITE;
    /* ENCRYPTED requests an EFS-encrypted file; DELETE_ON_CLOSE asks the
     * system to remove the file once the last handle to it is closed, so
     * the file only exists for the lifetime of this handle. */
    const DWORD flagsAndAttributes = FILE_ATTRIBUTE_NORMAL
                                   | FILE_ATTRIBUTE_ENCRYPTED
                                   | FILE_FLAG_DELETE_ON_CLOSE;

    HANDLE hFile = CreateFileA(".\\test.txt", desiredAccess, shareMode, NULL,
                               OPEN_ALWAYS, flagsAndAttributes, NULL);
    /* CreateFile signals failure with INVALID_HANDLE_VALUE; the NULL
     * comparison is an extra guard that costs nothing. */
    if (hFile == NULL || hFile == INVALID_HANDLE_VALUE) {
        return GetLastError();
    }

    /* The result of CloseHandle is not inspected. */
    CloseHandle(hFile);
    return 0;
}
/* | |
* PinTrace | |
* | |
* API call trace tool built with intel pin (https://software.intel.com/en-us/articles/pin-a-binary-instrumentation-tool-downloads). | |
* | |
* CC by mirar@chaosmail.org | |
* | |
* This module can either be run in audit mode (-a flag) or provided with a config file (-c path/to/config). | |
* | |
* The config format is as follows: |
/* | |
* EAT-based hooking for x86/x64. | |
* | |
* Big thanks to ez (https://github.com/ezdiy/) for making this! | |
* | |
* Creates "hooks" by modifying the module's export address table. | |
* The procedure works in three main parts: | |
* | |
* 1. Reading the module's PE file and getting all exported functions. | |
* 2. Finding the right function to "hook" by simple address lookup |
/* | |
* fork.c | |
* Experimental fork() on Windows. Requires NT 6 subsystem or | |
* newer. | |
* | |
* Copyright (c) 2012 William Pitcock <nenolod@dereferenced.org> | |
* | |
* Permission to use, copy, modify, and/or distribute this software for any | |
* purpose with or without fee is hereby granted, provided that the above | |
* copyright notice and this permission notice appear in all copies. |
// iThome 2020 Demo: Signature Patcher for Explorer | |
// author: aaaddress1@chroot.org | |
#include <iostream> | |
#include <Windows.h> | |
int main() { | |
DWORD explorer_pid; | |
GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", NULL), &explorer_pid); | |
if (HANDLE token = OpenProcess(PROCESS_ALL_ACCESS, FALSE, explorer_pid)) { |
// VEH Monitor by aaaddress1@chroot.org
#include <stdio.h> | |
#include <windows.h> | |
#pragma warning( disable : 4996 ) | |
LONG __stdcall TrapFilter(PEXCEPTION_POINTERS pexinf) { | |
if (pexinf->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION && ((DWORD)pexinf->ExceptionRecord->ExceptionAddress & 0x80000000)) | |
pexinf->ContextRecord->Eip = pexinf->ContextRecord->Eip ^ 0x80000000; | |
else if (pexinf->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP) | |
return EXCEPTION_CONTINUE_SEARCH; |