PE Injection/Impersonation:
- Process Hollowing (a.k.a. RunPE)
- Process Doppelgänging
- Transacted Hollowing
- Process Ghosting
- Module Overloading & DLL Hollowing
- Chimera PE (variant of a manual PE loader)
Shellcode injection:
hasherezade hasherezade
View install.reg
| Windows Registry Editor Version 5.00 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] | |
| "LoadAppInit_DLLs"=dword:00000001 | |
| "AppInit_DLLs"="C:\\dlls\\demo64.dll" | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows] | |
| "LoadAppInit_DLLs"=dword:00000001 | |
| "AppInit_DLLs"="C:\\dlls\\demo32.dll" |
hasherezade
/ Program.cs
Last active Jul 27, 2021
A simple app to decode #PurpleFoxEK stegano payloads
View Program.cs
| using System; | |
| using System.Drawing; | |
| using System.IO; | |
| namespace PurpleFoxPNGDec | |
| { | |
| internal class Program | |
| { | |
| public static int getPrintableLen(byte[] array) | |
| { |
hasherezade
/ winupdate64.dll.tag
Created Jul 27, 2021
Tag file from tracing a VMProtect-protected NuggetPhantom component
View winupdate64.dll.tag
| 71941;kernel32.LoadLibraryA | |
| Arg[0] = ptr 0x000000d19111f670 -> "kernel32.dll" | |
| cdb3d;kernel32.GetModuleFileNameW | |
| cdb3d;kernel32.CreateFileW | |
| Arg[0] = ptr 0x000000d19111f280 -> L"C:\Users\tester\Desktop\winupdate64.dll" | |
| Arg[1] = 0x0000000080000000 = 2147483648 | |
| Arg[2] = 0x0000000000000003 = 3 | |
| Arg[3] = 0 | |
| Arg[4] = 0x0000000000000003 = 3 |
hasherezade
/ GzipSimpleHttpServer.py
🤙
Last active Jul 26, 2021
— forked from bkeating/GzipSimpleHttpServer.py
Python's SimpleHttpServer, but w/Gzip support.
View GzipSimpleHttpServer.py
| #!/usr/bin/python3 | |
| """Simple HTTP Server. | |
| This module builds on BaseHTTPServer by implementing the standard GET | |
| and HEAD requests in a fairly straightforward manner. | |
| """ | |
| __version__ = "0.7" |
hasherezade
/ main.cpp
Created Jul 17, 2021
A native way to enumerate processes (alternative to: EnumProcesses, CreateToolhelp32Snapshot - Process32First - Process32Next)
View main.cpp
| #include <windows.h> | |
| #include <iostream> | |
| #include "ntddk.h" | |
| bool enum_processes() | |
| { | |
| ULONG retLen = 0; | |
| // check length: |
View injection_demos.md
View buid_hh.sh
| #!/bin/sh | |
| set -e | |
| test -d _hollows_hunter \ | |
| || git clone --recurse-submodules https://github.com/hasherezade/hollows_hunter _hollows_hunter | |
| cd _hollows_hunter | |
| cmake . \ | |
| -DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc \ |
hasherezade
/ uac_bypass.c
Created Jul 14, 2020
— forked from Cr4sh/uac_bypass.c
View uac_bypass.c
| void TestCopy() | |
| { | |
| BOOL cond = FALSE; | |
| IFileOperation *FileOperation1 = NULL; | |
| IShellItem *isrc = NULL, *idst = NULL; | |
| BIND_OPTS3 bop; | |
| SHELLEXECUTEINFOW shexec; | |
| HRESULT r; | |
| do { |
View str_ref.py
| #IDA script to print all referenced strings along with their references | |
| import idautils | |
| sc = idautils.Strings() | |
| for s in sc: | |
| curr_str = str(s) | |
| str_offset = s.ea | |
| for xref in idautils.XrefsTo(s.ea): | |
| func = idaapi.get_func(xref.frm) |
View lookup.cpp
| #include <Windows.h> | |
| #include <tlhelp32.h> | |
| #include <iostream> | |
| #include <peconv.h> // include libPeConv header (https://github.com/hasherezade/libpeconv) | |
| #include <paramkit.h> // include ParamKit header (https://github.com/hasherezade/paramkit) | |
| using namespace paramkit; | |
| #define PARAM_CHECKSUM "checks" | |
| #define PARAM_CHECKSUM_FUNC "cfunc" |
NewerOlder