Skip to content

Instantly share code, notes, and snippets.

View enum_win_callbacks.py
'''
Module Name:
enum_win_callbacks.py
Abstract:
Iterates over the nt!PspCreateProcessNotifyRoutine,
nt!PspCreateThreadNotifyRoutine, and nt!PspLoadImageNotifyRoutine
callback arrays.
Requirements:
View antidebug_long_int3.cpp
/*
* Module Name:
* antidebug_long_int3.cpp
*
* Abstract:
* Attempts to detect the presence of a debugger
* by issuing a multi-byte int 3 and inspecting
* page PTE mappings.
*
* Author:
View int3.cpp
/*
* Module Name:
* int3.cpp
*
* Abstract:
* Examines the difference in operation between a
* multi-byte int 3 (0xCD 0x03) and a single-byte
* int 3 (0xCC).
*
* Author:
View ReadProcessMemory.cpp
/*
* Module Name:
* ReadProcessMemory.cpp
*
* Abstract:
* Reads a blob of memory from the specified process.
*
* Author:
* Nemanja (Nemi) Mulasmajic <nm@triplefault.io>
* http://triplefault.io
View WorkingSetWatch.cpp
/*
* Module Name:
* WorkingSetWatch.cpp
*
* Abstract:
* Tracks page faults that occur within the process.
*
* NOTE: This is not compatible with Wow64 and must be run as a 64-bit
* program on x64 and a 32-bit program on x86.
*
@nmulasmajic
nmulasmajic / find_nt_imagebase_x64.py
Last active Mar 5, 2021
Discovers the base address of ntoskrnl when IDA's GDB stub is loaded by leveraging the IDT.
View find_nt_imagebase_x64.py
'''
Module Name:
find_nt_imagebase_x64.py
Abstract:
Discovers the base address of ntoskrnl when IDA's GDB stub is
loaded by leveraging the IDT.
NOTE: This is only compatible for 64-bit editions of Windows.