Skip to content

Instantly share code, notes, and snippets.

View hybriz's full-sized avatar

hybriz

9 followers · 58 following
View GitHub Profile
@hybriz
hybriz / caenons3.md
Created September 22, 2017 11:24 — forked from Cloudxtreme/caenons3.md
Camlistore Encryption on S3

Camlistore Encryption on S3

Here's what I found out while setting up Camlistore to sync encrypted blobs to Amazon S3. This works for me, but I'm new to Camlistore so this might not be the best way to do it.

Amazon S3 Config

The encryption handler requires two buckets, one for metadata and one for blobs. In this example, I've created two buckets called my-camlistore-meta and my-camlistore-blob.

@hybriz
hybriz / SerialDNSDOS.java
Created September 24, 2017 02:53 — forked from maestros/SerialDNSDOS.java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.net.SocketPermission;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Random;
@hybriz
hybriz / SerialDOS.java
Created September 24, 2017 02:53 — forked from coekie/SerialDOS.java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashSet;
import java.util.Set;
// billion-laughs-style DoS for java serialization
public class SerialDOS {
@hybriz
hybriz / grsecurity_pax_copperheados.md
Created October 3, 2017 14:54 — forked from anestisb/grsecurity_pax_copperheados.md

This is an overview of the usefulness of PaX/grsecurity features for CopperheadOS especially when taking into account the overlap of the access control features with SELinux and that the Nexus line will be entirely 64-bit ARM. Note that it's missing most of the unnamed features without configuration options tied to them. A grsecurity kernel also comes with lots of security bug fixes backported from master, adapted from lkml submissions that were ignored, etc.

Previously, CopperheadOS used ports of PaX to the 3.4 Android kernels used by the Nexus 5 and Galaxy S4. The plan was to start from there, backporting from the PaX stable patches as needed along with reimplementing the relevant pieces of grsecurity without actually applying an old patch and backporting to it.

This is no longer the case for the published releases now that devices have moved to 64-bit ARM (which is not supported by PaX / grsecurity yet) and both the PaX and grsecurity stable patches have become private. There are still PaX ports for test

@hybriz
hybriz / CertTBSHash.ps1
Created November 3, 2017 01:18 — forked from mattifestation/CertTBSHash.ps1
Calculates a ToBeSigned hash of a certificate, producing the same uniquely identifying hash present in code integrity rule sets.
# Example: ls 'C:\Windows\System32\*' -Include '*.dll' | Get-AuthenticodeSignature | Select -ExpandProperty SignerCertificate | Get-TBSHash
filter Get-TBSHash {
[OutputType([String])]
param (
[Parameter(Mandatory, ValueFromPipeline)]
[Security.Cryptography.X509Certificates.X509Certificate2]
$Certificate
)
@hybriz
hybriz / windows.h__.js
Created November 3, 2017 11:38 — forked from mallyvai/windows.h__.js
windows.h.js INFINITY
var ffi = require('ffi'),
ref = require('ref'),
Struct = require('ref-struct'),
Library = require('./Library'),
Type = ref.Type,
NULL = ref.NULL,
isNull = ref.isNull;
var groups = ['libs', 'types', 'structs', 'callbacks', 'enums'];
@hybriz
hybriz / Get-InjectedThread.ps1
Created November 3, 2017 12:37 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@hybriz
hybriz / pshell_template_embedded_script.xml
Created November 3, 2017 12:38 — forked from xorrior/pshell_template_embedded_script.xml
MSBuild Powershell Script XML template
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<PropertyGroup>
<FunctionName Condition="'$(FunctionName)' == ''">None</FunctionName>
<Cmd Condition="'$(Cmd)' == ''">None</Cmd>
</PropertyGroup>
<Target Name="Hello">
@hybriz
hybriz / LoadMethodScanner.ps1
Created November 3, 2017 12:39 — forked from mattifestation/LoadMethodScanner.ps1
A crude Load(byte[]) method scanner for UMCI bypass research
# Author: Matthew Graeber (@mattifestation)
# Load dnlib with Add-Type first
# dnlib can be obtained here: https://github.com/0xd4d/dnlib
# Example: ls C:\ -Recurse | Get-AssemblyLoadReference
filter Get-AssemblyLoadReference {
param (
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[Alias('FullName')]
[String]
[ValidateNotNullOrEmpty()]
@hybriz
hybriz / DmaHvBackdoor.c
Created November 3, 2017 12:41 — forked from Cr4sh/DmaHvBackdoor.c
Hyper-V backdoor for UEFI
/*
*********************************************************************
Part of UEFI DXE driver code that injects Hyper-V VM exit handler
backdoor into the Device Guard enabled Windows 10 Enterprise.
Execution starts from new_ExitBootServices() -- a hook handler
for EFI_BOOT_SERVICES.ExitBootServices() which being called by
winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi
transfers exeution to previously loaded Hyper-V kernel (hvix64.sys)