hasherezade hasherezade

## buid_hh.sh
#!/bin/sh

set -e

test -d _hollows_hunter \
    || git clone --recurse-submodules https://github.com/hasherezade/hollows_hunter _hollows_hunter
cd _hollows_hunter

cmake . \
    -DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc \

## uac_bypass.c
void TestCopy()
{
    BOOL                cond = FALSE;
    IFileOperation     *FileOperation1 = NULL;
    IShellItem         *isrc = NULL, *idst = NULL;
    BIND_OPTS3          bop;
    SHELLEXECUTEINFOW   shexec;
    HRESULT             r;

    do {

## str_ref.py
#IDA script to print all referenced strings along with their references
import idautils

sc = idautils.Strings()
for s in sc:
	curr_str = str(s)
	str_offset = s.ea

	for xref in idautils.XrefsTo(s.ea):
		func = idaapi.get_func(xref.frm)

## lookup.cpp
#include <Windows.h>
#include <tlhelp32.h>
#include <iostream>

#include <peconv.h> // include libPeConv header (https://github.com/hasherezade/libpeconv)
#include <paramkit.h> // include ParamKit header (https://github.com/hasherezade/paramkit)
using namespace paramkit;

#define PARAM_CHECKSUM "checks"
#define PARAM_CHECKSUM_FUNC "cfunc"

## lookup.cpp
#include <Windows.h>
#include <tlhelp32.h>
#include <iostream>

#include <peconv.h> // include libPeConv header

DWORD get_hex_number(char *param)
{
    DWORD checksum = 0;
    if (sscanf(param, "%X", &checksum) == 0) {

## main.cpp
#include <stdio.h>
#include <windows.h>
#include <peconv.h>

unsigned char encoded_val[0x34] = {
	0x44, 0x29, 0x36, 0x0A, 0x29, 0x0F, 0x05, 0x1B, 0x65, 0x26, 0x10, 0x04,
	0x2B, 0x68, 0x30, 0x2F, 0x00, 0x33, 0x2F, 0x05, 0x1A, 0x1F, 0x0F, 0x38,
	0x02, 0x18, 0x42, 0x02, 0x33, 0x1A, 0x28, 0x04, 0x2A, 0x47, 0x3F, 0x04,
	0x26, 0x64, 0x66, 0x4D, 0x10, 0x37, 0x3E, 0x28, 0x3E, 0x77, 0x1C, 0x3F,
	0x7E, 0x36, 0x34, 0x2A

## main.cpp
#include <stdio.h>
#include <windows.h>

#include <peconv.h>

#define EXE_PATH "Z:\\flare\\m.dll"

__int64 (__fastcall *ini_ctx)(BYTE *ctx, BYTE *key, int key_size) = nullptr;
__int64 (__fastcall *decrypt_buf)(BYTE *ctx, BYTE *in_buf, BYTE *out_buf, unsigned int size) = nullptr;

## main.cpp
#include <Windows.h>
#include <iostream>
#include <cstdlib>
#include <cstdio>
#include <ctime>

void decipher(DWORD* v, BYTE *k)
{
    unsigned int num_rounds = 32;
    unsigned int i;

## guard_flags.h
#pragma once

#define IMAGE_GUARD_CF_INSTRUMENTED                    0x00000100 // Module performs control flow integrity checks using system-supplied support

#define IMAGE_GUARD_CFW_INSTRUMENTED                   0x00000200 // Module performs control flow and write integrity checks
#define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT          0x00000400 // Module contains valid control flow target metadata
#define IMAGE_GUARD_SECURITY_COOKIE_UNUSED             0x00000800 // Module does not make use of the /GS security cookie
#define IMAGE_GUARD_PROTECT_DELAYLOAD_IAT              0x00001000 // Module supports read only delay load IAT
#define IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION   0x00002000 // Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected
#define IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT 0x00004000 // Module contains suppressed export information. This also infers that the address taken

## str_decoder.cpp
#include <iostream>
#include <Windows.h>

char* decode_string(const char *a1)
{
	const BYTE *enc_str = (BYTE*)a1;
	signed int enc_len = strlen(a1);

	BYTE *v4;
	int v5;
	#!/bin/sh

	set -e

	test -d _hollows_hunter \
	\|\| git clone --recurse-submodules https://github.com/hasherezade/hollows_hunter _hollows_hunter
	cd _hollows_hunter

	cmake . \
	-DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc \
	void TestCopy()
	{
	BOOL cond = FALSE;
	IFileOperation *FileOperation1 = NULL;
	IShellItem isrc = NULL, idst = NULL;
	BIND_OPTS3 bop;
	SHELLEXECUTEINFOW shexec;
	HRESULT r;

	do {
	#IDA script to print all referenced strings along with their references
	import idautils

	sc = idautils.Strings()
	for s in sc:
	curr_str = str(s)
	str_offset = s.ea

	for xref in idautils.XrefsTo(s.ea):
	func = idaapi.get_func(xref.frm)
	#include <Windows.h>
	#include <tlhelp32.h>
	#include <iostream>

	#include <peconv.h> // include libPeConv header (https://github.com/hasherezade/libpeconv)
	#include <paramkit.h> // include ParamKit header (https://github.com/hasherezade/paramkit)
	using namespace paramkit;

	#define PARAM_CHECKSUM "checks"
	#define PARAM_CHECKSUM_FUNC "cfunc"
	#include <stdio.h>
	#include <windows.h>
	#include <peconv.h>

	unsigned char encoded_val[0x34] = {
	0x44, 0x29, 0x36, 0x0A, 0x29, 0x0F, 0x05, 0x1B, 0x65, 0x26, 0x10, 0x04,
	0x2B, 0x68, 0x30, 0x2F, 0x00, 0x33, 0x2F, 0x05, 0x1A, 0x1F, 0x0F, 0x38,
	0x02, 0x18, 0x42, 0x02, 0x33, 0x1A, 0x28, 0x04, 0x2A, 0x47, 0x3F, 0x04,
	0x26, 0x64, 0x66, 0x4D, 0x10, 0x37, 0x3E, 0x28, 0x3E, 0x77, 0x1C, 0x3F,
	0x7E, 0x36, 0x34, 0x2A
	#include <Windows.h>
	#include <iostream>
	#include <cstdlib>
	#include <cstdio>
	#include <ctime>

	void decipher(DWORD* v, BYTE *k)
	{
	unsigned int num_rounds = 32;
	unsigned int i;
	#pragma once

	#define IMAGE_GUARD_CF_INSTRUMENTED 0x00000100 // Module performs control flow integrity checks using system-supplied support

	#define IMAGE_GUARD_CFW_INSTRUMENTED 0x00000200 // Module performs control flow and write integrity checks
	#define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT 0x00000400 // Module contains valid control flow target metadata
	#define IMAGE_GUARD_SECURITY_COOKIE_UNUSED 0x00000800 // Module does not make use of the /GS security cookie
	#define IMAGE_GUARD_PROTECT_DELAYLOAD_IAT 0x00001000 // Module supports read only delay load IAT
	#define IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION 0x00002000 // Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected
	#define IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT 0x00004000 // Module contains suppressed export information. This also infers that the address taken
	#include <iostream>
	#include <Windows.h>

	char* decode_string(const char *a1)
	{
	const BYTE enc_str = (BYTE)a1;
	signed int enc_len = strlen(a1);

	BYTE *v4;
	int v5;