J. Gonzalez gonzalezjo

📖
  • Tysons, Virginia
  • 23:25 (UTC -04:00)
View GitHub Profile

A Bizarrely Universal Solution to Anti-Virus

Introduction

Threat actors seeking access to a remote machine face several challenges, from infiltration to exfiltration. Among these challenges is that of persistence: after compromising a remote machine, in the face of network monitoring, machine re-images, anti-virus scanners, etc., actors have to rely on increasingly sophisticated techniques to maintain control of compromised machines.

Anti-virus scanners are perhaps the most common challenge: all modern Windows machines now ship with Windows Defender, and across the Windows ecosystem the large number of differing anti-virus solutions presents additional challenges. First, the attacker must develop tools that can operate in dozens of different security environments, where each anti-virus configuration represents a new testing scenario. Second, an attacker must now keep track of updates to each of these environments, which may require a complex testing infrastructure that is vulnerable to information

almost all, since it's universal (and works in usermode). Doesn't really try to do anything about e.g. obregistercallbacks either.
If you can ID the thread doing memory scans you can just completely and universally bypass the scans by identifying the thread,
setting its priority to the minimum/idle,
setting the affinity mask to run on a specific core,
and then doing all your code on a thread that also runs on that core at realtime priority.
Whenever you want to avoid AC watchdog timeouts you just undo your writes and call sleep lol.
Wildly stupid but it works.
It's better than suspendthread since people have mitigations for that but not this.
The open source ACs I've seen just check thread status changes to see if a thread gets suspended...but not if you just block it from running by changing priority.
gonzalezjo / FunctorStudy.cpp
Last active October 2, 2020 20:06
Example use of functors
// Functor example (jg)
#include <algorithm>
#include <atomic>
#include <cstdint>
#include <iostream>
#include <memory>
#include <vector>
namespace FunctorStudy {}
gonzalezjo / gross version.c
Last active September 10, 2020 01:53
My generalized solution to some question that made the rounds among friends.
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char const *argv[])
{
    if (argc < 2) return 1;          /* usage: ./a.out N */
    int n = atoi(argv[1]);
    char *buf = calloc(n + 1, sizeof(char));   /* +1 keeps the NUL terminator */
    /* enumerate all 2^n strings of length n over the alphabet {X, Y};
       bit j of the counter i selects the letter at position j */
    for (int i = 0; i < 2 << (n - 1); i++) {
        for (int j = 0; j < n; j++) {
            buf[j] = 'X' + ((i >> j) & 1);
        }
        printf("%s\n", buf);
    }
    free(buf);
    return 0;
}
gonzalezjo / arguments
Last active September 10, 2020 01:54
I've learned that--without touching a line of code--GCC can be hacked into performing what amounts to code obfuscation.
-O3 -fPIC -fno-plt -Bsymbolic -mforce-indirect-call -minline-all-stringops -fcf-protection=branch -mindirect-branch-register -mindirect-branch=thunk -mfunction-return=thunk -funroll-all-loops -mtune-ctrl=avoid_lea_for_addr -march=native -fmerge-all-constants -fvect-cost-model=unlimited -fira-region=one -frename-registers --param min-crossjump-insns=1 --param max-crossjump-edges=500 --param max-grow-copy-bb-insns=0 --param early-inlining-insns=1000000 -Wl,-dynamicbase -Wl,-z,relro -fstack-protector-all -fira-loop-pressure
gonzalezjo / bbcode_parse.zsh
Last active September 10, 2020 01:58
A recursive descent bbcode parser made using nothing but regex (PCRE). I made this after someone described it as impossible.
# in response to someone on stackoverflow saying that it couldn't be done
# sorry to whoever has to see this
# -0777 slurps the whole file so tags can span lines; (?R) recurses the whole pattern for nested quote/img tags
perl -0777 -pe 's/\[(?<tag>quote|img).*?\](?>[^\[\]]|(?R))*\[\/\k<tag>\]|(\[\/?(?>\*|url|php|code|b|u|i|s|color|align|font|list|email|size).*?\])//gs' "$1"
gonzalezjo / set-anc
Last active September 10, 2020 02:01
Script for my fork of based-connect. Used to set Bose NC 700 ANC settings on Linux.
#!/bin/zsh
# TODO: add noise cancelling toggle (/* packet */ static uint8_t send[] = {1, 5, 2, 2, 0, ANY, 0x38}; )
BASED_PATH=/home/jg/dev/C/based
# bt-device -l prints "Name (AA:BB:CC:DD:EE:FF)"; extract each address from the parentheses
for address in $(bt-device -l | grep -P -o '(?<=\().*(?=\))'); do
    nohup "$BASED_PATH/based-connect" -c "$1" "$address" > /dev/null 2>&1 &
done
gonzalezjo / charter.jl
Last active September 10, 2020 02:00
Compute a variety of statistics from a text corpus. Code is for Writing about Data.
using StatsBase
using Plots
gr()
subjects = ("News Articles", "Speeches", "Academic Publications", "Tweets", "Books")
p = plot(xscale=:log10,
yscale=:log10,
xlabel="Word rank",
gonzalezjo / AntiCheatExploit.java
Created September 15, 2019 01:05
Exploit for the Verdun anticheat
package com.cucumbosoft.chlorine;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.http.Consts;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.message.BasicNameValuePair;
gonzalezjo / dump.java
Last active September 15, 2019 01:02
Bose product codenames (mostly boring)
package com.bose.monet.package_160;
import com.bose.monet.f.l;
import de.intrepid.bose_bmap.model.Label;
import de.intrepid.bose_bmap.model.Log;
import de.intrepid.bose_bmap.model.Set;
import de.intrepid.bose_bmap.model.enums.Sort;
import java.util.ArrayList;
import java.util.EnumMap;
import java.util.EnumSet;