PE Injection/Impersonation:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh | |
set -e | |
test -d _hollows_hunter \ | |
|| git clone --recurse-submodules https://github.com/hasherezade/hollows_hunter _hollows_hunter | |
cd _hollows_hunter | |
cmake . \ | |
-DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc \ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
void TestCopy() | |
{ | |
BOOL cond = FALSE; | |
IFileOperation *FileOperation1 = NULL; | |
IShellItem *isrc = NULL, *idst = NULL; | |
BIND_OPTS3 bop; | |
SHELLEXECUTEINFOW shexec; | |
HRESULT r; | |
do { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#IDA script to print all referenced strings along with their references | |
import idautils | |
sc = idautils.Strings() | |
for s in sc: | |
curr_str = str(s) | |
str_offset = s.ea | |
for xref in idautils.XrefsTo(s.ea): | |
func = idaapi.get_func(xref.frm) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
#include <tlhelp32.h> | |
#include <iostream> | |
#include <peconv.h> // include libPeConv header (https://github.com/hasherezade/libpeconv) | |
#include <paramkit.h> // include ParamKit header (https://github.com/hasherezade/paramkit) | |
using namespace paramkit; | |
#define PARAM_CHECKSUM "checks" | |
#define PARAM_CHECKSUM_FUNC "cfunc" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
#include <tlhelp32.h> | |
#include <iostream> | |
#include <peconv.h> // include libPeConv header | |
DWORD get_hex_number(char *param) | |
{ | |
DWORD checksum = 0; | |
if (sscanf(param, "%X", &checksum) == 0) { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <stdio.h> | |
#include <windows.h> | |
#include <peconv.h> | |
unsigned char encoded_val[0x34] = { | |
0x44, 0x29, 0x36, 0x0A, 0x29, 0x0F, 0x05, 0x1B, 0x65, 0x26, 0x10, 0x04, | |
0x2B, 0x68, 0x30, 0x2F, 0x00, 0x33, 0x2F, 0x05, 0x1A, 0x1F, 0x0F, 0x38, | |
0x02, 0x18, 0x42, 0x02, 0x33, 0x1A, 0x28, 0x04, 0x2A, 0x47, 0x3F, 0x04, | |
0x26, 0x64, 0x66, 0x4D, 0x10, 0x37, 0x3E, 0x28, 0x3E, 0x77, 0x1C, 0x3F, | |
0x7E, 0x36, 0x34, 0x2A |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <stdio.h> | |
#include <windows.h> | |
#include <peconv.h> | |
#define EXE_PATH "Z:\\flare\\m.dll" | |
__int64 (__fastcall *ini_ctx)(BYTE *ctx, BYTE *key, int key_size) = nullptr; | |
__int64 (__fastcall *decrypt_buf)(BYTE *ctx, BYTE *in_buf, BYTE *out_buf, unsigned int size) = nullptr; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
#include <iostream> | |
#include <cstdlib> | |
#include <cstdio> | |
#include <ctime> | |
void decipher(DWORD* v, BYTE *k) | |
{ | |
unsigned int num_rounds = 32; | |
unsigned int i; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#pragma once | |
#define IMAGE_GUARD_CF_INSTRUMENTED 0x00000100 // Module performs control flow integrity checks using system-supplied support | |
#define IMAGE_GUARD_CFW_INSTRUMENTED 0x00000200 // Module performs control flow and write integrity checks | |
#define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT 0x00000400 // Module contains valid control flow target metadata | |
#define IMAGE_GUARD_SECURITY_COOKIE_UNUSED 0x00000800 // Module does not make use of the /GS security cookie | |
#define IMAGE_GUARD_PROTECT_DELAYLOAD_IAT 0x00001000 // Module supports read only delay load IAT | |
#define IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION 0x00002000 // Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected | |
#define IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT 0x00004000 // Module contains suppressed export information. This also infers that the address taken |