Skip to content

Instantly share code, notes, and snippets.

@hasherezade
hasherezade / aplib_decompress.py
Created August 23, 2024 13:42
Decompressor for headless APLib blobs
#!/usr/bin/env python3
import malduck
import sys
import argparse
def main():
parser = argparse.ArgumentParser(description="APLib unpacker")
parser.add_argument('--inpath', dest="inpath", default=None, help="APLib compressed blob",
required=True)
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "ntdll.lib")
#define SystemBigPoolInformation 0x42
#define ThreadNameInformation 0x26
#define DATA_TO_COPY "AAAAAAAAAAAAABBBBBBBBBBBBBBBCCCCCCCCCCCCCCCDDDDDDDDDDDDDDD"
@hasherezade
hasherezade / gui_threads.cpp
Last active May 14, 2024 15:45
Find GUI thread
HANDLE find_thread(HANDLE hProcess, DWORD thAccess, bool guiOnly)
{
DWORD targetPid = GetProcessId(hProcess);
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
THREADENTRY32 thEntry = { sizeof(THREADENTRY32) };
GUITHREADINFO gui = { 0 };
gui.cbSize = sizeof(GUITHREADINFO);
bool isGUIProcess = false;
@hasherezade
hasherezade / PesieveLdr.go
Last active January 6, 2023 02:11
PE-sieve scan in Golang
package main
import (
"fmt"
"syscall"
"unsafe"
)
var (
peSieveDll = syscall.NewLazyDLL("pe-sieve64.dll")
#include <iostream>
#include <Windows.h>
#pragma comment(lib,"LZ32.lib")
bool decompress(LPSTR infile, LPSTR outfile)
{
INT hin, hout = 0;
OFSTRUCT ofin = { 0 };
OFSTRUCT ofout = { 0 };
#!/usr/bin/env python3
import sys, os, subprocess
import pefile
from pathlib import Path
def mal_unp_res_to_str(returncode):
if returncode == (-1):
return "ERROR"
if returncode == 0:
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
@hasherezade
hasherezade / fakedns.py
Created September 15, 2021 14:10
FakeDNS (Python3)
#!/usr/bin/python3
__author__ = 'Francisco Santos'
# URL: https://code.activestate.com/recipes/491264-mini-fake-dns-server/
import socket
class DNSQuery:
def __init__(self, data):
self.data=data
@hasherezade
hasherezade / install.reg
Last active August 15, 2024 10:14
AppInit_DLLs : install/uninstall DLL
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\dlls\\demo64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\dlls\\demo32.dll"
@hasherezade
hasherezade / Program.cs
Last active July 27, 2021 06:48
A simple app to decode #PurpleFoxEK stegano payloads
using System;
using System.Drawing;
using System.IO;
namespace PurpleFoxPNGDec
{
internal class Program
{
public static int getPrintableLen(byte[] array)
{