PE Injection/Impersonation:
hasherezade hasherezade
hasherezade
/ main.cpp
Created
July 17, 2021 16:35
A native way to enumerate processes (alternative to: EnumProcesses, CreateToolhelp32Snapshot - Process32First - Process32Next)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <iostream> | |
| #include "ntddk.h" | |
| bool enum_processes() | |
| { | |
| ULONG retLen = 0; | |
| // check length: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| set -e | |
| test -d _hollows_hunter \ | |
| || git clone --recurse-submodules https://github.com/hasherezade/hollows_hunter _hollows_hunter | |
| cd _hollows_hunter | |
| cmake . \ | |
| -DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc \ |
hasherezade
/ uac_bypass.c
Created
July 14, 2020 00:11
— forked from Cr4sh/uac_bypass.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void TestCopy() | |
| { | |
| BOOL cond = FALSE; | |
| IFileOperation *FileOperation1 = NULL; | |
| IShellItem *isrc = NULL, *idst = NULL; | |
| BIND_OPTS3 bop; | |
| SHELLEXECUTEINFOW shexec; | |
| HRESULT r; | |
| do { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #IDA script to print all referenced strings along with their references | |
| import idautils | |
| sc = idautils.Strings() | |
| for s in sc: | |
| curr_str = str(s) | |
| str_offset = s.ea | |
| for xref in idautils.XrefsTo(s.ea): | |
| func = idaapi.get_func(xref.frm) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <tlhelp32.h> | |
| #include <iostream> | |
| #include <peconv.h> // include libPeConv header (https://github.com/hasherezade/libpeconv) | |
| #include <paramkit.h> // include ParamKit header (https://github.com/hasherezade/paramkit) | |
| using namespace paramkit; | |
| #define PARAM_CHECKSUM "checks" | |
| #define PARAM_CHECKSUM_FUNC "cfunc" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <tlhelp32.h> | |
| #include <iostream> | |
| #include <peconv.h> // include libPeConv header | |
| DWORD get_hex_number(char *param) | |
| { | |
| DWORD checksum = 0; | |
| if (sscanf(param, "%X", &checksum) == 0) { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <peconv.h> | |
| unsigned char encoded_val[0x34] = { | |
| 0x44, 0x29, 0x36, 0x0A, 0x29, 0x0F, 0x05, 0x1B, 0x65, 0x26, 0x10, 0x04, | |
| 0x2B, 0x68, 0x30, 0x2F, 0x00, 0x33, 0x2F, 0x05, 0x1A, 0x1F, 0x0F, 0x38, | |
| 0x02, 0x18, 0x42, 0x02, 0x33, 0x1A, 0x28, 0x04, 0x2A, 0x47, 0x3F, 0x04, | |
| 0x26, 0x64, 0x66, 0x4D, 0x10, 0x37, 0x3E, 0x28, 0x3E, 0x77, 0x1C, 0x3F, | |
| 0x7E, 0x36, 0x34, 0x2A |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <peconv.h> | |
| #define EXE_PATH "Z:\\flare\\m.dll" | |
| __int64 (__fastcall *ini_ctx)(BYTE *ctx, BYTE *key, int key_size) = nullptr; | |
| __int64 (__fastcall *decrypt_buf)(BYTE *ctx, BYTE *in_buf, BYTE *out_buf, unsigned int size) = nullptr; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <iostream> | |
| #include <cstdlib> | |
| #include <cstdio> | |
| #include <ctime> | |
| void decipher(DWORD* v, BYTE *k) | |
| { | |
| unsigned int num_rounds = 32; | |
| unsigned int i; |