Skip to content

Instantly share code, notes, and snippets.

View monoxgas's full-sized avatar

Nick Landers monoxgas

View GitHub Profile
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
@monoxgas
monoxgas / CIPolicyParser.ps1
Created March 13, 2024 19:48 — forked from mattifestation/CIPolicyParser.ps1
Functions to recover information from binary Windows Defender Application Control (WDAC) Code Integrity policies.
# Ensure System.Security assembly is loaded.
Add-Type -AssemblyName System.Security
function ConvertTo-CIPolicy {
<#
.SYNOPSIS
Converts a binary file that contains a Code Integrity policy into XML format.
Author: Matthew Graeber (@mattifestation)
@monoxgas
monoxgas / urbandoor.cs
Created April 10, 2023 22:58
Minimal PoC code for Kerberos Unlock LPE (CVE-2023-21817)
using NtApiDotNet;
using NtApiDotNet.Ndr.Marshal;
using NtApiDotNet.Win32;
using NtApiDotNet.Win32.Rpc.Transport;
using NtApiDotNet.Win32.Security.Authentication;
using NtApiDotNet.Win32.Security.Authentication.Kerberos;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server;
using NtApiDotNet.Win32.Security.Authentication.Logon;
using System;
@monoxgas
monoxgas / EraseTextBoxes.bas
Last active March 14, 2023 16:23 — forked from githubyouser/EraseTextBoxes.bas
Word VBA: Convert text boxes to plain text
'https://answers.microsoft.com/en-us/msoffice/forum/all/removing-text-box-from-word-document-without/a4d02b2f-d168-48dc-960b-4a45cbe79d86
Sub ReplaceTextBoxes()
Dim RngDoc As Range, RngShp As Range, i As Long, boundary As String
With ActiveDocument
For i = .Shapes.Count To 1 Step -1
With .Shapes(i)
'If .Type = msoTextBox Then
'https://eileenslounge.com/viewtopic.php?p=28255#p28255
If .TextFrame.HasText = True Then

Keybase proof

I hereby claim:

  • I am monoxgas on github.
  • I am monoxgas (https://keybase.io/monoxgas) on keybase.
  • I have a public key whose fingerprint is 8138 ABBC 8C08 62A4 1E16 A697 5856 495B 4691 8AB1

To claim this, I am signing this object:

@monoxgas
monoxgas / syscall.pl
Last active January 8, 2022 10:57
Perl syscall/sc injection for MacOS
use DynaLoader;
use Devel::Peek;
use Fcntl;
use 5.008001; # because 5.6 doesn't have B::PV::object_2svref
use Config;
use B (); # for B::PV
sub mmap {
my ($addr, $size, $protect, $flags) = @_;
syscall(197, $addr, $size, $protect, $flags, -1, 0);
@monoxgas
monoxgas / extract.cpp
Created May 25, 2021 22:06
MacOS Shared DYLD Cache Extraction (Big Sur)
// ref: https://opensource.apple.com/source/dyld/[VERSION]/launch-cache/dsc_extractor.cpp.auto.html
// > SDKROOT=`xcrun --sdk macosx --show-sdk-path`
// > clang++ -o extract extract.cpp
// > mkdir libraries
// > ./extract /System/Library/dyld/dyld_shared_cache_x86_64 `pwd`/libraries/
#include <stdio.h>
#include <stddef.h>
#include <dlfcn.h>
@monoxgas
monoxgas / vc_decrypt.py
Last active July 18, 2023 22:57
VoiceCrypt Crypto
import sys
import struct
import binascii
from itertools import cycle, zip_longest
from operator import itemgetter, xor
from collections import Counter
import re
# Some root key constants from the binary

Keybase proof

I hereby claim:

  • I am monoxgas on github.
  • I am monoxgas (https://keybase.io/monoxgas) on keybase.
  • I have a public key ASCY7hWSUiJvdx6-976NCpVJx_ePWPOc6E3cuJz5PA8dygo

To claim this, I am signing this object:

@monoxgas
monoxgas / main.cpp
Created February 12, 2020 22:19
Adaptive DLL Hijacking - Patching LoadLibrary Return
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
BOOL PatchTheRet(HMODULE realModule) {
// Get primary module info