Skip to content

Instantly share code, notes, and snippets.


Royce Williams roycewilliams

Block or report user

Report or block roycewilliams

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
wdormann /
Last active Jan 24, 2020
Check for running processes on Windows that have components that do not utilize ASLR
#!/usr/bin/env python
Utility to check for processes running with non-ASLR-compatible components.
Run with Administrative privileges to get visibility into all processes.
(1a) psutil:
Installed via PIP
(1b) Sysinternals ListDLLs:
IanColdwater / twittermute.txt
Last active Jan 26, 2020
Here are some terms to mute on Twitter to clean your timeline up a bit.
View twittermute.txt
Mute these words in your settings here:
Sc00bz / bs-speke.txt
Last active Jan 21, 2020
BS-SPEKE is an augmented PAKE
View bs-speke.txt
BS-SPEKE is a modified B-SPEKE with blind salt (OPRF). Modified B-SPEKE is a
similar change from SPEKE as from SPAKE2 to SPAKE2+ to make it augmented. Doing
this saves a scalar point multiply vs original B-SPEKE with blind salt. BS-SPEKE
is the best augmented PAKE that I know of. Only problem is there are no proofs,
but it's not hard to take the SPEKE proof, add the OPAQUE proof for OPRF, and
it's obvious that the augmented change makes it augmented. So if anyone knows
how to formally state that in a proof, that would be awesome to have.
m33x /
Created Dec 9, 2019
Reverses the Hashcat $HEX output format - defaults to utf-8 encoding
#!/usr/bin/env python
# -*- coding: utf-8 -*-
:author: Maximilian Golla
:version: 0.0.1, 2019-12-09
:description: Reverses the Hashcat $HEX output format - defaults to utf-8 encoding
:info: Works with Python 2.7 and Python 3.6
View Kill-Ransomware.ps1
# Ransomware Killer v0.1 by Thomas Patzke <>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
# Kill all parent processes from detected vssadmin process
$p = $EventArgs.NewEvent.TargetInstance
while ($p) {
$ppid = $p.ParentProcessID
$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
Write-Host $p.ProcessID
epixoip /
Created Nov 5, 2019
Brute force field delimiters in a text file
#!/usr/bin/env perl
use strict;
use warnings;
my @delims = ( 9, 11, 28, 29, 30, 31, 32 .. 47, 58 .. 64, 91 .. 96, 123 .. 126 );
my $file = $ARGV[0] || die "Usage: $0 <filename>\n";
open (my $fh, "<", $file) || die "Unable to open $file: $!\n";
williballenthin /
Last active Dec 27, 2019
parse macOS savedState files
parse SavedState artifacts extracted from OSX.
author: Willi Ballenthin (
license: Apache 2.0
import re
import sys
import json
import struct
View 2019_vbulletin_0day_info.txt
I have done some preliminary research into this bug and so far it does not seem like a backdoor. Just some really weird logic when handling routes, and rendering templates.
As to why widgetConfig[code] executes via a POST request, it is because of the following code located in /includes/vb5/frontend/applicationlight.php
$serverData = array_merge($_GET, $_POST);
if (!empty($this->application['handler']) AND method_exists($this, $this->application['handler']))
$app = $this->application['handler'];
tomnomnom / passwords.txt
Last active Jan 10, 2020
MySQL Docker Passwords pulled from Dockerfile and docker-compose.yml files
View passwords.txt
wdormann / disable_discimage.reg
Created Aug 29, 2019
Disable Windows Explorer file associations for Disc Image Mount (ISO, IMG, VHD, VHDX)
View disable_discimage.reg
Windows Registry Editor Version 5.00
You can’t perform that action at this time.