Skip to content

Instantly share code, notes, and snippets.

View sunnyc7's full-sized avatar

Sunny Chakraborty sunnyc7

46 followers · 165 following
  • NJ
View GitHub Profile
@sunnyc7
sunnyc7 / jqwerty.c
Created February 21, 2024 19:01 — forked from odzhan/jqwerty.c
Jacky Qwerty/29A Compression Algorithm
//
// Jacky Qwerty/29A compression algorithm, by Matt Mahoney
// modified by odzhan
// 2019-12-07
//
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <time.h>
@sunnyc7
sunnyc7 / WmiEventConsumerClassDerivation.ps1
Created November 15, 2023 18:21 — forked from mattifestation/WmiEventConsumerClassDerivation.ps1
function New-ActiveScriptEventConsumerClass {
<#
.SYNOPSIS
Creates an ActiveScriptEventConsumer WMI class in the namespace of your choosing.
.DESCRIPTION
New-ActiveScriptEventConsumerClass creates a clone of the ActiveScriptEventConsumer WMI event consumer class using the class name and namespace name of your choosing.
@sunnyc7
sunnyc7 / SysmonEventGUIDParser.ps1
Created November 15, 2023 18:19 — forked from mattifestation/SysmonEventGUIDParser.ps1
Extracts fields from sysmon process and logon GUIDs
# Author: Matthew Graeber (@mattifestation)
$Epoch = Get-Date '01/01/1970'
# Conversion trick taken from https://blogs.technet.microsoft.com/heyscriptingguy/2017/02/01/powertip-convert-from-utc-to-my-local-time-zone/
$StrCurrentTimeZone = (Get-WmiObject Win32_timezone).StandardName
$TZ = [TimeZoneInfo]::FindSystemTimeZoneById($StrCurrentTimeZone)
# Parse out all the LogonGUID fields for sysmon ProcessCreate events
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object {
@sunnyc7
sunnyc7 / NTInsiderDownloader.ps1
Created November 3, 2023 20:38
If you like NTInsider from OSR Systems, but don't like clicking things
# If you like reading NT Insider but don't like clicking.
$savePDFTo = "$env:TEMP\NTInsider"
$uri = "https://www.google.com/search?q=site:insider.osr.com+filetype:pdf+inurl:pdf&sca_esv=579237292&rlz=1C1CHBF_enUS1055US1055&sxsrf=AM9HkKlzAaBYLDpNc_IsOEqzno14_5ICyw:1699043261820&filter=0&biw=2327&bih=1210&dpr=1.1"
$res = Invoke-WebRequest -UseBasicParsing -Uri $uri
$pdf = $res.Links | where {$_ -match "PDF" -and $_ -match "insider.osr.com"}
foreach ($f in $pdf) {
$filtered = $f.href | where {$_ -match 'http://insider.osr.com/'}
$pdfURL = (($filtered -split '&')[0] -split '=')[1]
@sunnyc7
sunnyc7 / DumpHex.c
Created July 13, 2023 18:06 — forked from ccbrown/DumpHex.c
Compact C Hex Dump Function w/ASCII
#include <stdio.h>
void DumpHex(const void* data, size_t size) {
char ascii[17];
size_t i, j;
ascii[16] = '\0';
for (i = 0; i < size; ++i) {
printf("%02X ", ((unsigned char*)data)[i]);
if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') {
ascii[i % 16] = ((unsigned char*)data)[i];
@sunnyc7
sunnyc7 / env_var_spoofing_poc.cpp
Created February 25, 2023 02:19 — forked from xpn/env_var_spoofing_poc.cpp
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)
#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43
@sunnyc7
sunnyc7 / checkaslrfiles.py
Created December 29, 2021 21:32 — forked from wdormann/checkaslrfiles.py
Python script to check for PE files linked with /DYNAMICBASE, but are not actually ASLR compatible due to missing relocation table
'''checkaslrfiles.py: Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.
usage: checkaslrfiles.py <dir>
ex: checkaslr.py "C:\Program Files\"
requires: pefile <https://github.com/erocarrera/pefile>, which should be
installable via: pip install pefile
'''
@sunnyc7
sunnyc7 / latency.txt
Created November 3, 2021 21:08 — forked from jboner/latency.txt
Latency Numbers Every Programmer Should Know
Latency Comparison Numbers (~2012)
----------------------------------
L1 cache reference 0.5 ns
Branch mispredict 5 ns
L2 cache reference 7 ns 14x L1 cache
Mutex lock/unlock 25 ns
Main memory reference 100 ns 20x L2 cache, 200x L1 cache
Compress 1K bytes with Zippy 3,000 ns 3 us
Send 1K bytes over 1 Gbps network 10,000 ns 10 us
Read 4K randomly from SSD* 150,000 ns 150 us ~1GB/sec SSD
@sunnyc7
sunnyc7 / DefaultWindows_Audit.xml
Created July 29, 2021 00:41 — forked from mgraeber-rc/DefaultWindows_Audit.xml
Modified default window-only audit WDAC with WHQL rules removed
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.1.0</VersionEx>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
@sunnyc7
sunnyc7 / CIPolicyParser.ps1
Created July 21, 2021 10:29 — forked from mattifestation/CIPolicyParser.ps1
Functions to recover information from binary Windows Defender Application Control (WDAC) Code Integrity policies.
# Ensure System.Security assembly is loaded.
Add-Type -AssemblyName System.Security
function ConvertTo-CIPolicy {
<#
.SYNOPSIS
Converts a binary file that contains a Code Integrity policy into XML format.
Author: Matthew Graeber (@mattifestation)