hasherezade / main.cpp
Created Sep 5, 2019
Flare On 2019 - task 9 - reloadered
#include <stdio.h>
#include <windows.h>
#include <peconv.h>
unsigned char encoded_val[0x34] = {
0x44, 0x29, 0x36, 0x0A, 0x29, 0x0F, 0x05, 0x1B, 0x65, 0x26, 0x10, 0x04,
0x2B, 0x68, 0x30, 0x2F, 0x00, 0x33, 0x2F, 0x05, 0x1A, 0x1F, 0x0F, 0x38,
0x02, 0x18, 0x42, 0x02, 0x33, 0x1A, 0x28, 0x04, 0x2A, 0x47, 0x3F, 0x04,
0x26, 0x64, 0x66, 0x4D, 0x10, 0x37, 0x3E, 0x28, 0x3E, 0x77, 0x1C, 0x3F,
0x7E, 0x36, 0x34, 0x2A
hasherezade / main.cpp
Last active Oct 4, 2019
Flare-On Task 12 - string decoder
#include <stdio.h>
#include <windows.h>
#include <peconv.h>
#define EXE_PATH "Z:\\flare\\m.dll"
// Calling signatures of the two routines the decoder drives inside the
// loaded module (presumably the PE at EXE_PATH, mapped via peconv; the code
// that resolves these addresses is not shown here).
using ini_ctx_fn = __int64 (__fastcall *)(BYTE *ctx, BYTE *key, int key_size);
using decrypt_buf_fn = __int64 (__fastcall *)(BYTE *ctx, BYTE *in_buf, BYTE *out_buf, unsigned int size);
// Both pointers start out unresolved and are expected to be filled in before
// they are called.
ini_ctx_fn ini_ctx = nullptr;
decrypt_buf_fn decrypt_buf = nullptr;
hasherezade / main.cpp
Created Aug 27, 2019
Flare-On Task 10 - solution
#include <Windows.h>
#include <iostream>
#include <cstdlib>
#include <cstdio>
#include <ctime>
void decipher(DWORD* v, BYTE *k)
{
unsigned int num_rounds = 32;
unsigned int i;
#pragma once
// GuardFlags bits of IMAGE_LOAD_CONFIG_DIRECTORY (Control Flow Guard related
// load-config flags). The names and values match the winnt.h definitions;
// presumably mirrored here so the tool builds against older SDK headers.
// Each value is a single bit mask; a module's GuardFlags is the OR of them.
#define IMAGE_GUARD_CF_INSTRUMENTED 0x00000100 // Module performs control flow integrity checks using system-supplied support
#define IMAGE_GUARD_CFW_INSTRUMENTED 0x00000200 // Module performs control flow and write integrity checks
#define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT 0x00000400 // Module contains valid control flow target metadata
#define IMAGE_GUARD_SECURITY_COOKIE_UNUSED 0x00000800 // Module does not make use of the /GS security cookie
#define IMAGE_GUARD_PROTECT_DELAYLOAD_IAT 0x00001000 // Module supports read only delay load IAT
#define IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION 0x00002000 // Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected
#define IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT 0x00004000 // Module contains suppressed export information. This also infers that the address taken (comment truncated in this listing)
hasherezade / str_decoder.cpp
Last active Dec 20, 2018
Decoder for the obfuscated strings from malware: ef0cb0a1a29bcdf2b36622f72734aec8d38326fc8f7270f78bd956e706a5fd57
#include <iostream>
#include <Windows.h>
char* decode_string(const char *a1)
{
const BYTE *enc_str = (BYTE*)a1;
signed int enc_len = strlen(a1);
BYTE *v4;
int v5;
hasherezade / extracted_list.txt
Last active Oct 30, 2018
TrickBot string decoder (c3737aaf6b613a7c7d5e0c6d3c0d60a2)
1 : 1\
2 : 1
3 : DIAL
4 : NAT status
5 : failed
6 : client is behind NAT
7 : client is not behind NAT
8 : DNSBL
9 : listed
10 : not listed
hasherezade / Driver.c
Last active Jun 25, 2018
HelloWorld driver
// Sample "Hello World" driver
// creates a HelloDev, that expects one IOCTL
#include <ntddk.h>
// The one IOCTL HelloDev accepts: custom (unknown) device type, function
// code 0x800 (start of the vendor-defined range), METHOD_NEITHER buffering,
// no specific access right required (FILE_ANY_ACCESS).
// NOTE(review): with METHOD_NEITHER the I/O manager neither copies nor
// validates the caller's buffers - the dispatch routine receives raw
// user-mode pointers and must probe them (ProbeForRead/ProbeForWrite inside
// __try/__except) before touching them; the dispatch code is not shown here.
#define HELLO_DRV_IOCTL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)
// Symbolic link name visible to user mode (presumably opened as
// \\.\HelloDev) and the NT device object name it resolves to.
#define DOS_DEV_NAME L"\\DosDevices\\HelloDev"
#define DEV_NAME L"\\Device\\HelloDev"
Region Addr: 00A50000
Full Size : 00007000
---
---ALLOC AND INFO---
nextAddr: 00A50000
info:
AllocBase: 00A50000
BaseAddress: 00A50000
RegionSize: 1000
RegionState: 1000 : MEM_COMMIT
hasherezade / run_elevated.cpp
Last active Nov 11, 2019
Run elevated via rundll32.exe (NOTE: it is NOT a stealthy UAC bypass!)
/**
The role of this snippet is to force the user to elevate a process,
simply by flooding them with repetitive requests until they agree.
I do NOT recommend it as a UAC bypass technique as it is very noisy!
*/
#include <stdio.h>
#include <Windows.h>
// Mutex name as a writable NUL-terminated buffer (10 characters + NUL);
// presumably handed to the mutex creation call in code not shown here.
char mutex_name[11] = "elev_mutex";
hasherezade / rabbit_ldr.cpp
Last active Apr 14, 2018
BadRabbit-based network discovery
#include <stdio.h>
#include <windows.h>
#pragma comment(lib,"Ws2_32.lib")
#include "peconv.h"
#include "resource.h"
// Calling signatures of the two routines taken from the loaded module; the
// trailing hex values are presumably their offsets inside that module, and
// the code that resolves them is not shown here.
using setup_flags_fn = signed int (__cdecl *)(BYTE *buffer); //0x7897
using scan_all_network_fn = signed int (__cdecl *)(); //77D1 - scan all
// Both start out unresolved.
setup_flags_fn setup_flags = nullptr;
scan_all_network_fn scan_all_network = nullptr;