#!/bin/sh
set -e
# Fetch hollows_hunter (including its submodules) unless a checkout already exists.
# The clone is not pinned to a tag or commit, so it picks up whatever the upstream
# default branch currently points at.
if [ ! -d _hollows_hunter ]; then
    git clone --recurse-submodules https://github.com/hasherezade/hollows_hunter _hollows_hunter
fi
cd _hollows_hunter
cmake . \ | |
-DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc \ |
void TestCopy() | |
{ | |
BOOL cond = FALSE; | |
IFileOperation *FileOperation1 = NULL; | |
IShellItem *isrc = NULL, *idst = NULL; | |
BIND_OPTS3 bop; | |
SHELLEXECUTEINFOW shexec; | |
HRESULT r; | |
do { |
#IDA script to print all referenced strings along with their references | |
import idautils | |
sc = idautils.Strings() | |
for s in sc: | |
curr_str = str(s) | |
str_offset = s.ea | |
for xref in idautils.XrefsTo(s.ea): | |
func = idaapi.get_func(xref.frm) |
#include <Windows.h> | |
#include <tlhelp32.h> | |
#include <iostream> | |
#include <peconv.h> // include libPeConv header (https://github.com/hasherezade/libpeconv) | |
#include <paramkit.h> // include ParamKit header (https://github.com/hasherezade/paramkit) | |
using namespace paramkit; | |
#define PARAM_CHECKSUM "checks" | |
#define PARAM_CHECKSUM_FUNC "cfunc" |
#include <Windows.h> | |
#include <tlhelp32.h> | |
#include <iostream> | |
#include <peconv.h> // include libPeConv header | |
DWORD get_hex_number(char *param) | |
{ | |
DWORD checksum = 0; | |
if (sscanf(param, "%X", &checksum) == 0) { |
#include <stdio.h> | |
#include <windows.h> | |
#include <peconv.h> | |
unsigned char encoded_val[0x34] = { | |
0x44, 0x29, 0x36, 0x0A, 0x29, 0x0F, 0x05, 0x1B, 0x65, 0x26, 0x10, 0x04, | |
0x2B, 0x68, 0x30, 0x2F, 0x00, 0x33, 0x2F, 0x05, 0x1A, 0x1F, 0x0F, 0x38, | |
0x02, 0x18, 0x42, 0x02, 0x33, 0x1A, 0x28, 0x04, 0x2A, 0x47, 0x3F, 0x04, | |
0x26, 0x64, 0x66, 0x4D, 0x10, 0x37, 0x3E, 0x28, 0x3E, 0x77, 0x1C, 0x3F, | |
0x7E, 0x36, 0x34, 0x2A |
#include <stdio.h> | |
#include <windows.h> | |
#include <peconv.h> | |
// Path of the module whose routines are called through the pointers below.
#define EXE_PATH "Z:\\flare\\m.dll"
// Pointers to two routines, apparently meant to be resolved at runtime from the
// module at EXE_PATH (peconv is included above); both start out null and the
// code that fills them in is outside this excerpt.
// NOTE(review): parameter roles (ctx/key/in_buf/out_buf) are inferred from the
// names only — confirm against the target module before relying on them.
__int64 (__fastcall *ini_ctx)(BYTE *ctx, BYTE *key, int key_size) = nullptr;
__int64 (__fastcall *decrypt_buf)(BYTE *ctx, BYTE *in_buf, BYTE *out_buf, unsigned int size) = nullptr;
#include <Windows.h> | |
#include <iostream> | |
#include <cstdlib> | |
#include <cstdio> | |
#include <ctime> | |
void decipher(DWORD* v, BYTE *k) | |
{ | |
unsigned int num_rounds = 32; | |
unsigned int i; |
#pragma once | |
#define IMAGE_GUARD_CF_INSTRUMENTED 0x00000100 // Module performs control flow integrity checks using system-supplied support | |
#define IMAGE_GUARD_CFW_INSTRUMENTED 0x00000200 // Module performs control flow and write integrity checks | |
#define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT 0x00000400 // Module contains valid control flow target metadata | |
#define IMAGE_GUARD_SECURITY_COOKIE_UNUSED 0x00000800 // Module does not make use of the /GS security cookie | |
#define IMAGE_GUARD_PROTECT_DELAYLOAD_IAT 0x00001000 // Module supports read only delay load IAT | |
#define IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION 0x00002000 // Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected | |
#define IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT 0x00004000 // Module contains suppressed export information. This also infers that the address taken |
#include <iostream> | |
#include <Windows.h> | |
char* decode_string(const char *a1) | |
{ | |
const BYTE *enc_str = (BYTE*)a1; | |
signed int enc_len = strlen(a1); | |
BYTE *v4; | |
int v5; |