Region Addr: 00A50000
Full Size : 00007000
---
---ALLOC AND INFO---
nextAddr: 00A50000
info:
AllocBase: 00A50000
BaseAddress: 00A50000
RegionSize: 1000
RegionState: 1000 : MEM_COMMIT
hasherezade / run_elevated.cpp
Last active Nov 11, 2019
Run elevated via rundll32.exe (NOTE: it is NOT a stealthy UAC bypass!)
/**
The role of this snippet is to force a user to elevate a process,
simply by flooding them with repetitive requests until they agree.
I do NOT recommend it as a UAC bypass technique as it is very noisy!
*/
#include <stdio.h>
#include <Windows.h>
// Name of the mutex, presumably used to keep a single instance running (its
// use is outside this excerpt). A fixed, well-known name like this is also a
// trivial indicator for defenders: it shows up in handle enumeration.
char mutex_name[] = "elev_mutex";
hasherezade / rabbit_ldr.cpp
Last active Apr 14, 2018
BadRabbit-based network discovery
#include <stdio.h>
#include <windows.h>
#pragma comment(lib,"Ws2_32.lib")
#include "peconv.h"
#include "resource.h"
// Function pointers into the loaded sample; they are bound somewhere outside
// this excerpt. The trailing hex values look like the sample-specific offsets
// they are resolved from, which ties this loader to one exact build of the
// sample.
signed int (__cdecl *setup_flags)(BYTE *buffer) = nullptr; //0x7897
signed int (__cdecl *scan_all_network)() = nullptr; //77D1 - scan all
hasherezade / trick_str.cpp
Last active Oct 22, 2021
Small utility to deobfuscate TrickBot strings
#include <stdio.h>
#include <windows.h>
#include "peconv.h"
/*
Requires a path to the original TrickBot module: 0a7da84873f2a4fe0fcc58c88bbbe39d
*/
// Offset (presumably an RVA) of the string-decoding routine inside the module
// whose hash is given above. It is specific to that one build, so the tool has
// to be re-pointed for any other version of the sample.
#define OFFSET_DECODE_LIST 0x10ab0 //decode_from_the_list
hasherezade / unpack.cpp
Last active Jun 27, 2018
LibPeConv-based unpacker for sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
#include <stdio.h>
#include <windows.h>
#include "peconv.h"
// for the sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
// from: "Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1"
// https://www.youtube.com/watch?v=HfSQlC76_s4
// Pointer to the sample's own unpacking routine, bound at runtime outside this
// excerpt. The parameter roles are inferred from the names only; the actual
// contract is whatever the sample at the hash above implements.
int (__cdecl *unpack_func)(BYTE* blob, DWORD blob_size, LPCSTR lpFileName, char r_val) = nullptr;
hasherezade / main.cpp
Created Jan 7, 2018
A tiny PE-sieve based process scanner
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include <iostream>
#include <string>
#include <vector>
#include "pe_sieve_api.h"
#pragma comment(lib, "pe-sieve.lib")
hasherezade / main.cpp
Last active Mar 10, 2021
Get PEB64 from a WOW64 process
#include <Windows.h>
#include <iostream>
#include "ntdll_undoc.h"
PPEB get_default_peb()
{
#if defined(_WIN64)
return (PPEB)__readgsqword(0x60);
#else
hasherezade / main.cpp
Last active Dec 3, 2017
Magniber - checksum to function name with libPeConv
#include <stdio.h>
#include <windows.h>
#include "peconv.h"
#include <iostream>
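// Pointer to the sample's checksum-to-module resolver, bound at runtime
// (outside this excerpt). Initialised with nullptr rather than NULL so the
// null literal is the typed C++ one, matching the other function-pointer
// globals in this file's style.
HMODULE (*load_by_checksum)(DWORD checksum) = nullptr;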
bool print_func_by_checksum(DWORD checksum)
{
HMODULE func_from_checksum = load_by_checksum(checksum);
hasherezade / main.cpp
Last active Jan 7, 2018
FlareOn4 Chall6 - solution using #libpeconv
#include <stdio.h>
#include <windows.h>
#include "peconv.h"
// Expected length of the flag, not counting the terminating NUL.
const size_t g_flagLen = 26;
// Zero-initialised storage for the recovered flag plus its terminating NUL;
// the code that fills it in is outside this excerpt.
char g_flag[g_flagLen + 1] = {};
int my_index()
{
static int index = 0;

Keybase proof

I hereby claim:

  • I am hasherezade on github.
  • I am hasherezade (https://keybase.io/hasherezade) on keybase.
  • I have a public key whose fingerprint is 4664 DAE5 DBAA D9CE 9769 0442 E415 3E8F 9A4C 195F

To claim this, I am signing this object: