Rich Warren rxwx
rxwx
/ winget-fix-alt.ps1
Last active
February 19, 2025 14:38
Install winget in Windows Sandbox (fix)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # fix wmi | |
| winmgmt /resetrepository | |
| Restart-Service Winmgmt | |
| Get-CimInstance -Namespace root/cimv2 -ClassName Win32_PingStatus -Filter "Address='www.microsoft.com'" | |
| # alternative method: set high bandwidth limit for Delivery Optimization | |
| reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadMode" /t REG_DWORD /d 0 /f | |
| reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadModeProvider" /t REG_DWORD /d 8 /f | |
| reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadRateBackgroundBps" /t REG_DWORD /d 4294967295 /f | |
| reg add "HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadRateBackgroundBpsProvider" /t REG_DWORD /d 8 /f |
rxwx
/ encrypt_dpapi_blob.py
Created
August 29, 2024 10:46
Encrypt a DPAPI blob with arbitrary master key (using Python)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from Crypto.Cipher import AES, DES3 | |
| from Crypto.Hash import HMAC, SHA1, SHA512, SHA256 | |
| from Crypto.Util.Padding import pad | |
| from io import BytesIO | |
| import argparse | |
| import string | |
| import base64 | |
| import uuid | |
| import os |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <stdio.h> | |
| #include "VEH.h" | |
| #include "ntos.h" | |
| #include "ntrtl.h" | |
| //#include "peb.h" | |
| #include "ntldr.h" | |
| #include "hwbp.h" | |
| #include "base\helpers.h" |
rxwx
/ AmsiContextHook.cpp
Created
November 30, 2023 17:04
Bypass AMSI on Windows 11 by hooking the AMSI context VTable on the heap with a ROP gadget. Look ma, no code patches!
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <Psapi.h> | |
| #include <metahost.h> | |
| #include <comutil.h> | |
| #include <mscoree.h> | |
| #include "patch_info.h" | |
| #include "base\helpers.h" | |
| /** | |
| * For the debug build we want: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <iostream> | |
| #include <fstream> | |
| #include <amsi.h> | |
| #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) | |
| #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) | |
| // https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/ | |
| typedef struct tagHAMSICONTEXT { |
rxwx
/ dump_beacon_datastore.py
Last active
September 25, 2023 19:34
Dump items (BOFs, assemblies, files etc.) from the CobaltStrike 4.9+ beacon datastore (stored with BeaconDataStoreProtectItem / data-store load)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ctypes import wintypes | |
| import argparse | |
| import ctypes | |
| import yara | |
| import hexdump | |
| """ | |
| .text:0000000180010840 ; char __fastcall BeaconDataStoreUnprotectItem(unsigned __int64) | |
| .text:0000000180010840 BeaconDataStoreUnprotectItem proc near ; CODE XREF: sub_1800100F8+9E↑p | |
| .text:0000000180010840 ; sub_1800102E8+AD↑p |
rxwx
/ trac-decode.py
Created
September 7, 2023 17:54
Decode "Obscured" Check Point Trac.config files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import io | |
| import sys | |
| import string | |
| KEY_STR = 'ModifiedFwPropertySheetWithOKTheSheetIDS_LDAP_AU_PROPERTIESNULL0FW_WP_OBJECTS' | |
| def get_byte(x): | |
| c = ord(chr(x).lower()) | |
| if ((c - 0x30) & 255) < 10: | |
| retval = c - 0x30 |
rxwx
/ GetSxsPath.cs
Created
July 3, 2023 12:43
Determine redirection path for SxS DotLocal DLL Hijacking
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using static GetSxsPath.NativeMethods; | |
| namespace GetSxsPath | |
| { | |
| internal class NativeMethods |
rxwx
/ Generator.cs
Created
November 11, 2022 18:58
Generate ApprovedApplication BinaryFormatter payload
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Globalization; | |
| using System.IO; | |
| using System.Reflection; | |
| using System.Runtime.Serialization.Formatters.Binary; | |
| using System.Threading; | |
| using Microsoft.Exchange.Data.Directory.SystemConfiguration; | |
| namespace ApprovedAppGenerator | |
| { |
rxwx
/ loadBundle.js
Last active
December 18, 2024 01:45
Mach-O Loader in Node.js (work in progress)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const ffi = require('ffi-napi'); | |
| const ref = require("ref-napi"); | |
| const Struct = require("ref-struct-di")(ref); | |
| const fs = require('fs') | |
| const ArrayType = require('ref-array-napi') | |
| var Union = require('ref-union-napi'); | |
| /* | |
| Dependencies: | |
| $ npm install ffi-napi |
NewerOlder