Skip to content

Instantly share code, notes, and snippets.

@hasherezade
hasherezade / install.reg
Last active Jul 28, 2021
AppInit_DLLs : install/uninstall DLL
View install.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\dlls\\demo64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\dlls\\demo32.dll"
@hasherezade
hasherezade / Program.cs
Last active Jul 27, 2021
A simple app to decode #PurpleFoxEK stegano payloads
View Program.cs
using System;
using System.Drawing;
using System.IO;
namespace PurpleFoxPNGDec
{
internal class Program
{
public static int getPrintableLen(byte[] array)
{
@hasherezade
hasherezade / winupdate64.dll.tag
Created Jul 27, 2021
Tag file from tracing a VMProtect-protected NuggetPhantom component
View winupdate64.dll.tag
71941;kernel32.LoadLibraryA
Arg[0] = ptr 0x000000d19111f670 -> "kernel32.dll"
cdb3d;kernel32.GetModuleFileNameW
cdb3d;kernel32.CreateFileW
Arg[0] = ptr 0x000000d19111f280 -> L"C:\Users\tester\Desktop\winupdate64.dll"
Arg[1] = 0x0000000080000000 = 2147483648
Arg[2] = 0x0000000000000003 = 3
Arg[3] = 0
Arg[4] = 0x0000000000000003 = 3
@hasherezade
hasherezade / GzipSimpleHttpServer.py
Last active Jul 26, 2021 — forked from bkeating/GzipSimpleHttpServer.py
Python's SimpleHttpServer, but w/Gzip support. 🤙
View GzipSimpleHttpServer.py
#!/usr/bin/python3
"""Simple HTTP Server.
This module builds on BaseHTTPServer by implementing the standard GET
and HEAD requests in a fairly straightforward manner.
"""
__version__ = "0.7"
@hasherezade
hasherezade / main.cpp
Created Jul 17, 2021
A native way to enumerate processes (alternative to: EnumProcesses, CreateToolhelp32Snapshot - Process32First - Process32Next)
View main.cpp
#include <windows.h>
#include <iostream>
#include "ntddk.h"
bool enum_processes()
{
ULONG retLen = 0;
// check length:
@hasherezade
hasherezade / buid_hh.sh
Last active Dec 29, 2020
Build Hollows Hunter on Linux (MinGW)
View buid_hh.sh
#!/bin/sh
set -e
test -d _hollows_hunter \
|| git clone --recurse-submodules https://github.com/hasherezade/hollows_hunter _hollows_hunter
cd _hollows_hunter
cmake . \
-DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc \
View uac_bypass.c
void TestCopy()
{
BOOL cond = FALSE;
IFileOperation *FileOperation1 = NULL;
IShellItem *isrc = NULL, *idst = NULL;
BIND_OPTS3 bop;
SHELLEXECUTEINFOW shexec;
HRESULT r;
do {
@hasherezade
hasherezade / str_ref.py
Created Jan 28, 2020
IDA script snippets
View str_ref.py
#IDA script to print all referenced strings along with their references
import idautils
sc = idautils.Strings()
for s in sc:
curr_str = str(s)
str_offset = s.ea
for xref in idautils.XrefsTo(s.ea):
func = idaapi.get_func(xref.frm)
@hasherezade
hasherezade / lookup.cpp
Last active Jan 9, 2020
Zbot - checksum lookup (v2)
View lookup.cpp
#include <Windows.h>
#include <tlhelp32.h>
#include <iostream>
#include <peconv.h> // include libPeConv header (https://github.com/hasherezade/libpeconv)
#include <paramkit.h> // include ParamKit header (https://github.com/hasherezade/paramkit)
using namespace paramkit;
#define PARAM_CHECKSUM "checks"
#define PARAM_CHECKSUM_FUNC "cfunc"