@hasherezade hasherezade

## main.cpp
#include <stdio.h>
#include <windows.h>
#include <peconv.h>

unsigned char encoded_val[0x34] = {
	0x44, 0x29, 0x36, 0x0A, 0x29, 0x0F, 0x05, 0x1B, 0x65, 0x26, 0x10, 0x04,
	0x2B, 0x68, 0x30, 0x2F, 0x00, 0x33, 0x2F, 0x05, 0x1A, 0x1F, 0x0F, 0x38,
	0x02, 0x18, 0x42, 0x02, 0x33, 0x1A, 0x28, 0x04, 0x2A, 0x47, 0x3F, 0x04,
	0x26, 0x64, 0x66, 0x4D, 0x10, 0x37, 0x3E, 0x28, 0x3E, 0x77, 0x1C, 0x3F,
	0x7E, 0x36, 0x34, 0x2A

## main.cpp
#include <stdio.h>
#include <windows.h>

#include <peconv.h>

#define EXE_PATH "Z:\\flare\\m.dll"

__int64 (__fastcall *ini_ctx)(BYTE *ctx, BYTE *key, int key_size) = nullptr;
__int64 (__fastcall *decrypt_buf)(BYTE *ctx, BYTE *in_buf, BYTE *out_buf, unsigned int size) = nullptr;

## main.cpp
#include <Windows.h>
#include <iostream>
#include <cstdlib>
#include <cstdio>
#include <ctime>

void decipher(DWORD* v, BYTE *k)
{
    unsigned int num_rounds = 32;
    unsigned int i;

## guard_flags.h
#pragma once

#define IMAGE_GUARD_CF_INSTRUMENTED                    0x00000100 // Module performs control flow integrity checks using system-supplied support

#define IMAGE_GUARD_CFW_INSTRUMENTED                   0x00000200 // Module performs control flow and write integrity checks
#define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT          0x00000400 // Module contains valid control flow target metadata
#define IMAGE_GUARD_SECURITY_COOKIE_UNUSED             0x00000800 // Module does not make use of the /GS security cookie
#define IMAGE_GUARD_PROTECT_DELAYLOAD_IAT              0x00001000 // Module supports read only delay load IAT
#define IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION   0x00002000 // Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected
#define IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT 0x00004000 // Module contains suppressed export information. This also infers that the address taken

## str_decoder.cpp
#include <iostream>
#include <Windows.h>

char* decode_string(const char *a1)
{
	const BYTE *enc_str = (BYTE*)a1;
	signed int enc_len = strlen(a1);

	BYTE *v4;
	int v5;

## extracted_list.txt
1 : 1\
2 : 1
3 : DIAL
4 : NAT status
5 : failed
6 : client is behind NAT
7 : client is not behind NAT
8 : DNSBL
9 : listed
10 : not listed

## Driver.c
// Sample "Hello World" driver
// creates a HelloDev, that expects one IOCTL

#include <ntddk.h>

#define HELLO_DRV_IOCTL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)

#define DOS_DEV_NAME L"\\DosDevices\\HelloDev"
#define DEV_NAME L"\\Device\\HelloDev"

## output.txt
Region Addr:    00A50000
Full Size  :    00007000
---
---ALLOC AND INFO---
nextAddr:       00A50000
info:
AllocBase:     00A50000
BaseAddress:   00A50000
RegionSize:    1000
RegionState:   1000 : MEM_COMMIT

## run_elevated.cpp
/**
The role of this snippet is to enforce a user to elevate a process,
simply by flooding them with repeatitive requests till they agree.
I do NOT recommend it as a UAC bypass technique as it is very noisy!
*/

#include <stdio.h>
#include <Windows.h>

char mutex_name[] = "elev_mutex";

## rabbit_ldr.cpp
#include <stdio.h>
#include <windows.h>

#pragma comment(lib,"Ws2_32.lib")

#include "peconv.h"
#include "resource.h"

signed int (__cdecl *setup_flags)(BYTE *buffer) = nullptr; //0x7897
signed int (__cdecl *scan_all_network)() = nullptr; //77D1 - scan all