View quick-disable-windows-defender.bat
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
hasherezade / fakedns.py
Created Sep 15, 2021
FakeDNS (Python3)
#!/usr/bin/python3
__author__ = 'Francisco Santos'
# URL: https://code.activestate.com/recipes/491264-mini-fake-dns-server/
import socket
class DNSQuery:
def __init__(self, data):
self.data=data
hasherezade / install.reg
Last active Jul 28, 2021
AppInit_DLLs : install/uninstall DLL
Windows Registry Editor Version 5.00
; Enables AppInit DLL loading and sets the DLL path, once per registry view
; (64-bit and 32-bit/WOW64), so that each view points at a matching DLL build.
; NOTE(review): AppInit_DLLs is a well-known DLL-loading/persistence location;
; expect endpoint monitoring to flag writes to these values.
; 64-bit view of the key.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
; 1 = load the DLL(s) listed in AppInit_DLLs.
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\dlls\\demo64.dll"
; 32-bit (WOW64) view of the same key, pointing at the 32-bit DLL build.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\dlls\\demo32.dll"
hasherezade / Program.cs
Last active Jul 27, 2021
A simple app to decode #PurpleFoxEK stegano payloads
using System;
using System.Drawing;
using System.IO;
namespace PurpleFoxPNGDec
{
internal class Program
{
public static int getPrintableLen(byte[] array)
{
hasherezade / winupdate64.dll.tag
Created Jul 27, 2021
Tag file from tracing a VMProtect-protected NuggetPhantom component
71941;kernel32.LoadLibraryA
Arg[0] = ptr 0x000000d19111f670 -> "kernel32.dll"
cdb3d;kernel32.GetModuleFileNameW
cdb3d;kernel32.CreateFileW
Arg[0] = ptr 0x000000d19111f280 -> L"C:\Users\tester\Desktop\winupdate64.dll"
Arg[1] = 0x0000000080000000 = 2147483648
Arg[2] = 0x0000000000000003 = 3
Arg[3] = 0
Arg[4] = 0x0000000000000003 = 3
hasherezade / GzipSimpleHttpServer.py
Last active Aug 17, 2021 — forked from bkeating/GzipSimpleHttpServer.py
Python's SimpleHTTPServer, but with Gzip support. 🤙
#!/usr/bin/python3
"""Simple HTTP Server.
This module builds on BaseHTTPServer by implementing the standard GET
and HEAD requests in a fairly straightforward manner.
"""
__version__ = "0.7"
hasherezade / main.cpp
Created Jul 17, 2021
A native way to enumerate processes (alternative to: EnumProcesses, CreateToolhelp32Snapshot - Process32First - Process32Next)
#include <windows.h>
#include <iostream>
#include "ntddk.h"
bool enum_processes()
{
ULONG retLen = 0;
// check length:
hasherezade / buid_hh.sh
Last active Dec 29, 2020
Build Hollows Hunter on Linux (MinGW)
#!/bin/sh
set -e
test -d _hollows_hunter \
|| git clone --recurse-submodules https://github.com/hasherezade/hollows_hunter _hollows_hunter
cd _hollows_hunter
cmake . \
-DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc \
View uac_bypass.c
void TestCopy()
{
BOOL cond = FALSE;
IFileOperation *FileOperation1 = NULL;
IShellItem *isrc = NULL, *idst = NULL;
BIND_OPTS3 bop;
SHELLEXECUTEINFOW shexec;
HRESULT r;
do {