Skip to content

Instantly share code, notes, and snippets.

View swwwolf's full-sized avatar

swwwolf swwwolf

244 followers · 9 following
View GitHub Profile
@swwwolf
swwwolf / shellcode.asm
Created January 28, 2018 09:53
1: kd> u ffff818a`4f400000 L20
ffff818a`4f400000 65488b142588010000 mov rdx,qword ptr gs:[188h]
ffff818a`4f400009 4c8b82b8000000 mov r8,qword ptr [rdx+0B8h]
ffff818a`4f400010 4d8b88e8020000 mov r9,qword ptr [r8+2E8h]
ffff818a`4f400017 498b09 mov rcx,qword ptr [r9]
ffff818a`4f40001a 488b51f8 mov rdx,qword ptr [rcx-8]
ffff818a`4f40001e 3400 xor al,0
ffff818a`4f400020 4883fa04 cmp rdx,4
ffff818a`4f400024 7407 je ffff818a`4f40002d
ffff818a`4f400026 3400 xor al,0
@swwwolf
swwwolf / Protection.c
Created January 28, 2018 08:27
kd> dt nt!_PS_PROTECTED_TYPE
PsProtectedTypeNone = 0n0
PsProtectedTypeProtectedLight = 0n1
PsProtectedTypeProtected = 0n2
PsProtectedTypeMax = 0n3
kd> dt nt!_PS_PROTECTED_SIGNER
PsProtectedSignerNone = 0n0
PsProtectedSignerAuthenticode = 0n1
PsProtectedSignerCodeGen = 0n2
@swwwolf
swwwolf / _OBJECT_HEADER.c
Created January 27, 2018 08:47
struct _OBJECT_HEADER [sizeof = 56] {
data +0x00 [sizeof=8] __int64 PointerCount
data +0x08 [sizeof=8] __int64 HandleCount
data +0x08 [sizeof=8] void* NextToFree
data +0x10 [sizeof=8] _EX_PUSH_LOCK Lock
data +0x18 [sizeof=1] unsigned char TypeIndex
data +0x19 [sizeof=1] unsigned char TraceFlags
data +0x19 [sizeof=1] unsigned char DbgRefTrace : 1
data +0x19 [sizeof=1] unsigned char DbgTracePermanent : 1
data +0x1a [sizeof=1] unsigned char InfoMask
@swwwolf
swwwolf / diffstruct.cmd
Last active November 5, 2017 11:46
Using llvm-pdbutil to dump and compare type definition(s)
::https://llvm.org/docs/CommandGuide/llvm-pdbutil.html
@echo off
:main
setlocal enableextensions
if [%1]==[] goto usage
if [%2]==[] goto usage
if [%3]==[] goto usage
if [%4]==[] goto usage
set vstudio="C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\Common7\IDE\devenv.exe"
set first_pdb=%1
@swwwolf
swwwolf / OBJECT_CALLBACK_ENTRY_COMMON.cpp
Created November 5, 2017 11:00
typedef struct _OBJECT_CALLBACK_ENTRY_COMMON {
LIST_ENTRY CallbackList;
OB_OPERATION Operations;
ULONG Active;
PVOID Handle;
POBJECT_TYPE ObjectType;
POB_PRE_OPERATION_CALLBACK PreOperation;
POB_POST_OPERATION_CALLBACK PostOperation;
} OBJECT_CALLBACK_ENTRY_COMMON, *POBJECT_CALLBACK_ENTRY_COMMON;
@swwwolf
swwwolf / KiSetupForInstrumentationReturn.asm
Created April 10, 2016 06:59
KiSetupForInstrumentationReturn proc near
mov rax, gs:188h ; Get current thread
mov rdx, [rax+0B8h] ; Thread->Process
mov r8, [rdx+2C8h] ; Process->Pcb.InstrumentationCallback
test r8, r8
jnz CallbackPresent
Exit:
retn
@swwwolf
swwwolf / NtSetInformationProcess_Nirvana.cpp
Last active June 20, 2022 15:59
#include <Ntifs.h>
typedef enum _PROCESS_INFORMATION_CLASS {
ProcessMemoryPriority,
ProcessMemoryExhaustionInfo,
ProcessAppMemoryInfo,
ProcessInPrivateInfo,
ProcessEDPStateInfo,
ProcessInformationClassMax
} PROCESS_INFORMATION_CLASS;
@swwwolf
swwwolf / NoInternetProxy.asm
Created April 24, 2015 08:46
if ( !RegOpenKeyExW(v1, L"Software\\Microsoft\\Symbol Server", 0, 0x20019u, &hKey) )
{
cbData = REG_DWORD;
Type = REG_DWORD;
v14 = RegQueryValueExW(hKey, L"NoInternetProxy", 0i64, &Type, Data, &cbData);
v15 = g_NoProxy;
if ( !v14 )
v15 = *(_DWORD *)Data;
g_NoProxy = v15;
RegCloseKey(hKey);
@swwwolf
swwwolf / symsrv_dll_no_proxy.asm
Last active August 29, 2015 14:19
if ( g_NoProxy )
goto set_no_proxy_parameters;
pszProxyW = Str1;
if ( Str1 )
{
if ( !wcscmp(Str1, L"SymSrvDirectProxy") )
{
set_no_proxy_parameters:
v6 = v21;
dwAccessType = 1;
@swwwolf
swwwolf / visual_commander_cpplint_py.cs
Last active October 29, 2016 13:15
Invoking external tool from the Visual Commander
using EnvDTE;
using EnvDTE80;
public class E : VisualCommanderExt.IExtension
{
public void SetSite(EnvDTE80.DTE2 DTE_, Microsoft.VisualStudio.Shell.Package package)
{
DTE = DTE_;
events = DTE.Events;
documentEvents = events.DocumentEvents;