
void RemapSelfInternal(PVOID ImageBase, PVOID TempBase, ULONG SizeOfImage, HANDLE hSection)
{
if (UnmapViewOfFile(ImageBase))
{
PVOID BaseAddress = ImageBase;
SIZE_T ViewSize = SizeOfImage;
// x64 only: we do not pass the address of ZwMapViewOfSection, so the call below relies on the import resolving correctly after the self-unmap
if (0 <= ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress,
0, 0, 0, &ViewSize, ViewUnmap, 0, PAGE_EXECUTE_READWRITE) && ImageBase == BaseAddress)
BOOL IsParentExplorer()
{
if (HWND hwnd = GetShellWindow())
{
ULONG dwProcessId;
if (GetWindowThreadProcessId(hwnd, &dwProcessId))
{
PROCESS_BASIC_INFORMATION pbi;
if (0 <= NtQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation, &pbi, sizeof(pbi), 0))
{
void ListModules()
{
PLIST_ENTRY InLoadOrderModuleList = &NtCurrentTeb()->ProcessEnvironmentBlock->Ldr->InLoadOrderModuleList;
PLDR_DATA_TABLE_ENTRY cursor = CONTAINING_RECORD(InLoadOrderModuleList->Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
while (InLoadOrderModuleList != &cursor->InLoadOrderLinks)
{
DbgPrint("%p %wZ\r\n", cursor->DllBase, &cursor->BaseDllName);
cursor = CONTAINING_RECORD(cursor->InLoadOrderLinks.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
void GetPebModules(PLDR_DATA_TABLE_ENTRY cursor)
{
while (cursor->DllBase)
{
//DbgPrint("%p %wZ\r\n", cursor->DllBase, &cursor->BaseDllName);
cursor = (PLDR_DATA_TABLE_ENTRY)cursor->InLoadOrderLinks.Flink;
}
DbgPrint("%p !!!\n", &cursor->DllBase);
BOOL UnhookNT()
{
BOOL fOk = FALSE;
if (HMODULE hmod = GetModuleHandleW(L"ntdll"))
{
if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(hmod))
{
PVOID BaseAddress = (PBYTE)hmod + pinth->OptionalHeader.BaseOfCode;
#define FILE_NOTIFY_VALID_MASK 0x00000fff
class RDC : OVERLAPPED
{
HANDLE _M_hFile = 0;
SRWLOCK _M_lock {};
LONG _M_dwRef = 1;
union {
FILE_NOTIFY_INFORMATION _M_fni;
OBJECT_ATTRIBUTES oa = { sizeof(oa) };
LSA_HANDLE PolicyHandle;
if (0 <= LsaOpenPolicy(0, &oa, POLICY_LOOKUP_NAMES, &PolicyHandle))
{
ULONG CountOfRights;
static SID EveryOne = { SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, { SECURITY_WORLD_RID } };
PLSA_UNICODE_STRING UserRights;
if (0 <= LsaEnumerateAccountRights(PolicyHandle, &EveryOne, &UserRights, &CountOfRights))
{
if (CountOfRights)
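// Logs a CRC32 fingerprint of the public half of `hKey` so two handles can be
// compared in debug output without dumping key material. Only
// BCRYPT_RSAPUBLIC_BLOB is exported, so no private-key bytes are written to
// the debugger. The blob is exported into a fixed 0x400-byte stack buffer;
// a public blob larger than that makes NCryptExportKey fail rather than
// truncate. The original silently ignored every failure, which made a
// "missing crc" line indistinguishable from a too-large key or a bad handle;
// the failure status is now reported.
//
// hKey: CNG key handle to fingerprint (caller retains ownership).
// Returns nothing; output goes to DbgPrint only.
void DumpKeyCrc(NCRYPT_KEY_HANDLE hKey)
{
    ULONG cb = 0;
    UCHAR blob[0x400];
    LONG status = NCryptExportKey(hKey, 0, BCRYPT_RSAPUBLIC_BLOB, 0, blob, sizeof(blob), &cb, 0);
    // Defensive: never hand RtlComputeCrc32 a length beyond the stack buffer,
    // even if the provider reports success with an inconsistent size.
    if (0 <= status && cb <= sizeof(blob))
    {
        DbgPrint("crc=%08X\r\n", RtlComputeCrc32(0, blob, cb));
    }
    else
    {
        DbgPrint("NCryptExportKey failed: status=%08X cb=%u\r\n", status, cb);
    }
}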
if (HCERTSTORE hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
CERT_STORE_OPEN_EXISTING_FLAG|CERT_STORE_READONLY_FLAG|
CERT_SYSTEM_STORE_LOCAL_MACHINE, L"root"))
{
PCCERT_CONTEXT pCertContext = 0;
while (pCertContext = CertEnumCertificatesInStore(hCertStore, pCertContext))
{
UCHAR hash[20];
ULONG cb = sizeof(hash);
typedef struct KERB_SMARTCARD_CSP_INFO
{
ULONG dwCspInfoLen; // size of this structure w/ payload
ULONG MessageType; // info type, currently CertHashInfo
// payload starts, marshaled structure of MessageType
union {
PVOID ContextInformation; // Reserved
ULONG64 SpaceHolderForWow64;
};
ULONG flags; // Reserved