slaeryan / EtwTi_Provider_Manifest_20H2.xml
Created Apr 21, 2021
Manifest of the Microsoft-Windows-Threat-Intelligence (EtwTi) ETW provider on Windows 10 20H2, extracted with EtwExplorer by Pavel Yosifovich.
<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
<instrumentation xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">
<events>
<provider name="Microsoft-Windows-Threat-Intelligence" guid="{f4e1897c-bb5d-5668-f1d8-040f4d8dd344}" resourceFileName="Microsoft-Windows-Threat-Intelligence" messageFileName="Microsoft-Windows-Threat-Intelligence" symbol="MicrosoftWindowsThreatIntelligence" source="Xml">
<keywords>
<keyword name="KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL)" mask="0x1" />
<keyword name="KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL_KERNEL_CALLER" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL_KERNEL_CALLER)" mask="0x2" />
<keyword name="KERNEL_THREATINT_KEYWORD_ALLOCVM_REMOTE" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_ALLOCVM
slaeryan / DriverSiPolicy_20H2.xml
Last active Mar 28, 2021
C:\Windows\System32\CodeIntegrity\driversipolicy.p7b (Windows 10 20H2) decoded to XML with the PowerShell script by Matthew Graeber: https://gist.github.com/mattifestation/92e545bf1ee5b68eeb71d254cec2f78e
<?xml version="1.0" encoding="UTF-8"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.19014.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
<BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
StealthNtdll.h
#pragma once
#include <Windows.h>
// Macros
// ------------------------------------------------------------------------
#define STATUS_SUCCESS 0x00000000
#define STATUS_IMAGE_NOT_AT_BASE 0x40000003
GetOSVersion.h
#pragma once
#include <Windows.h>
// Ref: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_shared_data/index.htm
#define KUSER_SHARED_DATA 0x7ffe0000
#define MAJOR_VERSION_OFFSET 0x026C
#define MINOR_VERSION_OFFSET 0x0270
#define BUILD_NUMBER_OFFSET 0x0260
Executioner.cs
using System;
using System.Runtime.InteropServices;
namespace Executioner
{
[ComVisible(true)]
public class Executioner
{
// API functions
// ------------------------------------------------------------------------
bin2hex.py
import binascii
import sys
import re
if __name__ == "__main__":
if len(sys.argv) < 2:
print("Missing file path")
sys.exit(0)
slaeryan / sinkhole_cb.ps1
Last active Mar 28, 2021
Credit goes to @TTimzen
<#
.SYNOPSIS
This script disables the Carbon Black sensor (cb.exe), which prevents live response and stops any logs from being sent to the server. If 'tamper protection' is enabled, running it triggers an alert in Carbon Black.
.DESCRIPTION
Sink hole Carbon Black sensor
.NOTES
File Name : Sinkhole-Carbon-Black-Sensor.ps1
Requires : Powershell V2
#>
aepinjection.cpp
// Compile with MinGW:
// x86_64-w64-mingw32-g++ aepinjection.cpp -o injector.exe -lntdll -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#pragma comment(lib, "ntdll")
int main() {
dllmain.cpp
#include <Windows.h>
#include <string>
#include <stdio.h>
#pragma comment(lib, "User32.lib")
#pragma comment(lib, "Advapi32.lib")
DWORD threadID;
//extern "C" to prevent C++ name mangling
sir_injection_64.cpp
#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h> // debugging
HANDLE getThreadHandle(DWORD pid) {
HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (h != INVALID_HANDLE_VALUE) {
THREADENTRY32 te;
te.dwSize = sizeof(te);
if (Thread32First(h, &te)) {