This is an example of Go code calling to a C++ library with a C wrapper.
go build # this only ensures it compiles
hasherezade hasherezade
olliencc
/ DetectImpersonatingThreads.cpp
Last active
July 5, 2024 23:40
Detect Windows threads which are impersonating
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| TEB Detect Impersonating Threads for Microsoft Windows | |
| Released as open source by NCC Group Plc - http://www.nccgroup.com/ | |
| Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com | |
| Released under AGPL see LICENSE for more information | |
| */ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| #> ------------------------------------ | |
| # Antimalware Scan Interface | |
| #> ------------------------------------ | |
| import sys | |
| from enum import IntEnum |
shadyeip
/ quick-disable-windows-defender.bat
Last active
May 18, 2024 03:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!! | |
| rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference | |
| rem To also disable Windows Defender Security Center include this | |
| rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | |
| rem 1 - Disable Real-time protection | |
| reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
stecman
/ dump-pyc-with-gdb.md
Last active
November 2, 2024 16:00
Dumping all bytecode from a packaged Python application
This is a technique for extracting all imported modules from a packaged Python application as .pyc files, then decompiling them. The target program needs to be run from scratch, but no debugging symbols are necessary (assuming an unmodified build of Python is being used).
This was originally performed on 64-bit Linux with a Python 3.6 target. The Python scripts have since been updated to handle pyc files for Python 2.7 - 3.9.
In Python we can leverage the fact that any module import involving a .py* file will eventually arrive as ready-to-execute Python code object at this function:
PyObject* PyEval_EvalCode(PyObject *co, PyObject *globals, PyObject *locals);
evilsocket
/ magniber_decryptor.cpp
Created
October 19, 2017 14:09
Decryptor for Magniber ransomware ( https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/ )
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * This tool will decrypt files encrypted by the Magniber ransomware with | |
| * AES128 ( CBC mode ) algorithm. | |
| * | |
| * RE and report by MalwareBytes ( @hasherezade ) | |
| * | |
| * https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/ | |
| * | |
| * Decryptor written by Simone 'evilsocket' Margaritelli | |
| * |
trietptm
/ rol-ror.py
Created
August 3, 2016 16:27
— forked from vqhuy/rol-ror.py
python rol, ror operation implement
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ########################################################################### | |
| # Rotating bits (tested with Python 2.7) | |
| from __future__ import print_function # PEP 3105 | |
| # max bits > 0 == width of the value in bits (e.g., int_16 -> 16) | |
| # Rotate left: 0b1001 --> 0b0011 | |
| rol = lambda val, r_bits, max_bits: \ | |
| (val << r_bits%max_bits) & (2**max_bits-1) | \ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #ifndef _UNDOCUMENTED_H | |
| #define _UNDOCUMENTED_H | |
| #include <windows.h> | |
| namespace Undocumented | |
| { | |
| #pragma pack(push) | |
| #pragma pack(1) |