

@hasherezade
hasherezade / PesieveLdr.go
Last active January 6, 2023 02:11
PE-sieve scan in Golang
package main
import (
"fmt"
"syscall"
"unsafe"
)
var (
peSieveDll = syscall.NewLazyDLL("pe-sieve64.dll")
#include <iostream>
#include <Windows.h>
#pragma comment(lib,"LZ32.lib")
bool decompress(LPSTR infile, LPSTR outfile)
{
INT hin, hout = 0;
OFSTRUCT ofin = { 0 };
OFSTRUCT ofout = { 0 };
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
#!/usr/bin/env python3
import sys, os, subprocess
import pefile
from pathlib import Path
def mal_unp_res_to_str(returncode):
if returncode == (-1):
return "ERROR"
if returncode == 0:
@hasherezade
hasherezade / mac1_1000028.xml
Last active December 6, 2021 13:08
TrickBot configs
<mcconf>
<ver>1000028</ver>
<gtag>mac1</gtag>
<servs>
<srv>186.103.161.204:443</srv>
<srv>163.53.206.187:443</srv>
<srv>191.7.30.30:443</srv>
<srv>46.160.165.31:443</srv>
<srv>93.99.68.140:443</srv>
<srv>190.34.158.250:443</srv>
void TestCopy()
{
BOOL cond = FALSE;
IFileOperation *FileOperation1 = NULL;
IShellItem *isrc = NULL, *idst = NULL;
BIND_OPTS3 bop;
SHELLEXECUTEINFOW shexec;
HRESULT r;
do {
@hasherezade
hasherezade / trick_str.cpp
Last active October 22, 2021 23:58
Small utility to deobfuscate TrickBot strings
#include <stdio.h>
#include <windows.h>
#include "peconv.h"
/*
Requires a path to the original trick bot module: 0a7da84873f2a4fe0fcc58c88bbbe39d
*/
#define OFFSET_DECODE_LIST 0x10ab0 //decode_from_the_list
@hasherezade
hasherezade / fakedns.py
Created September 15, 2021 14:10
FakeDNS (Python3)
#!/usr/bin/python3
__author__ = 'Francisco Santos'
# URL: https://code.activestate.com/recipes/491264-mini-fake-dns-server/
import socket
class DNSQuery:
def __init__(self, data):
self.data=data
@hasherezade
hasherezade / winupdate64.dll.tag
Created July 27, 2021 06:31
Tag file from tracing a VMProtect-protected NuggetPhantom component
71941;kernel32.LoadLibraryA
Arg[0] = ptr 0x000000d19111f670 -> "kernel32.dll"
cdb3d;kernel32.GetModuleFileNameW
cdb3d;kernel32.CreateFileW
Arg[0] = ptr 0x000000d19111f280 -> L"C:\Users\tester\Desktop\winupdate64.dll"
Arg[1] = 0x0000000080000000 = 2147483648
Arg[2] = 0x0000000000000003 = 3
Arg[3] = 0
Arg[4] = 0x0000000000000003 = 3
@hasherezade
hasherezade / install.reg
Last active July 28, 2021 10:57
AppInit_DLLs : install/uninstall DLL
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\dlls\\demo64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\dlls\\demo32.dll"