wdormann

## checkaslr.py
#!/usr/bin/env python

'''
Utility to check for processes running with non-ASLR-compatible components.
Run with Administrative privileges to get visibility into all processes.

(1a) psutil: https://pypi.org/project/psutil/
    Installed via PIP
-OR-
(1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls

## gist:874198c1bd29c7dd2157d9fc1d858263
com.whatsapp 1000000000
com.lenovo.anyshare.gps 1000000000
com.instagram.android 1000000000
com.zhiliaoapp.musically 500000000
com.viber.voip 500000000
wp.wattpad 100000000
vStudio.Android.Camera360 100000000
vsin.t16_funny_photo 100000000
com.yahoo.mobile.client.android.mail 100000000

## disable_discimage.reg
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\.iso]

[-HKEY_CLASSES_ROOT\.img]

[-HKEY_CLASSES_ROOT\.vhdx]

[-HKEY_CLASSES_ROOT\.vhd]

## packet-tpkt.c.diff
--- packet-tpkt.c.orig  2019-06-21 14:47:47.831026881 +0000
+++ packet-tpkt.c       2019-06-21 15:05:31.115056289 +0000
@@ -22,6 +22,7 @@
 #include <epan/show_exception.h>
 #include "packet-tpkt.h"
+#include "packet-tls.h"
 void proto_register_tpkt(void);
 void proto_reg_handoff_tpkt(void);
@@ -42,6 +43,7 @@
 static gboolean tpkt_desegment = TRUE;

## gist:e15fbc671a0741b72264eca168a252e3
AMPAK Technology, Inc.
ASUSTek COMPUTER INC.
AzureWave Technology Inc.
BizLink (Kunshan) Co.,Ltd
Chicony Electronics Co., Ltd.
Digital Data Communications Asia Co.,Ltd
GOOD WAY IND. CO., LTD.
HUAWEI TECHNOLOGIES CO.,LTD
Hon Hai Precision Ind. Co.,Ltd.
Intel Corporate

## checksvc.py
import os
import subprocess
import ctypes

# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

svcinfo = {}
nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
FNULL = open(os.devnull, 'w')

## checkaslrfiles.py
'''checkaslrfiles.py: Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.

usage: checkaslrfiles.py <dir>
ex: checkaslr.py "C:\Program Files\"

requires: pefile <https://github.com/erocarrera/pefile>, which should be
installable via: pip install pefile
'''

## flash_killbit.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftEdge\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

## acltest.ps1
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
    Break
}

$outfile = "acltestfile"
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
Foreach ($path in $paths) {
    # This prints a table of ACLs
    # get-acl $path | %{ $_.Access  } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights

## disable_win10_foistware.reg
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy]
"Disabled"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
"SubscribedContent-338388Enabled"=dword:00000000
	#!/usr/bin/env python

	'''
	Utility to check for processes running with non-ASLR-compatible components.
	Run with Administrative privileges to get visibility into all processes.

	(1a) psutil: https://pypi.org/project/psutil/
	Installed via PIP
	-OR-
	(1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls
	com.whatsapp 1000000000
	com.lenovo.anyshare.gps 1000000000
	com.instagram.android 1000000000
	com.zhiliaoapp.musically 500000000
	com.viber.voip 500000000
	wp.wattpad 100000000
	vStudio.Android.Camera360 100000000
	vsin.t16_funny_photo 100000000
	com.yahoo.mobile.client.android.mail 100000000
	Windows Registry Editor Version 5.00

	[-HKEY_CLASSES_ROOT\.iso]

	[-HKEY_CLASSES_ROOT\.img]

	[-HKEY_CLASSES_ROOT\.vhdx]

	[-HKEY_CLASSES_ROOT\.vhd]
	--- packet-tpkt.c.orig 2019-06-21 14:47:47.831026881 +0000
	+++ packet-tpkt.c 2019-06-21 15:05:31.115056289 +0000
	@@ -22,6 +22,7 @@
	#include <epan/show_exception.h>
	#include "packet-tpkt.h"
	+#include "packet-tls.h"
	void proto_register_tpkt(void);
	void proto_reg_handoff_tpkt(void);
	@@ -42,6 +43,7 @@
	static gboolean tpkt_desegment = TRUE;
	AMPAK Technology, Inc.
	ASUSTek COMPUTER INC.
	AzureWave Technology Inc.
	BizLink (Kunshan) Co.,Ltd
	Chicony Electronics Co., Ltd.
	Digital Data Communications Asia Co.,Ltd
	GOOD WAY IND. CO., LTD.
	HUAWEI TECHNOLOGIES CO.,LTD
	Hon Hai Precision Ind. Co.,Ltd.
	Intel Corporate
	import os
	import subprocess
	import ctypes

	# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

	svcinfo = {}
	nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
	FNULL = open(os.devnull, 'w')
	'''checkaslrfiles.py: Check for files that opt into ASLR with /DYNAMICBASE,
	but do not have a relocation table to allow ASLR to function.

	usage: checkaslrfiles.py <dir>
	ex: checkaslr.py "C:\Program Files\"

	requires: pefile <https://github.com/erocarrera/pefile>, which should be
	installable via: pip install pefile
	'''
	Windows Registry Editor Version 5.00

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftEdge\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
	"Compatibility Flags"=dword:00000400
	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
	"Compatibility Flags"=dword:00000400
	[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
	"Compatibility Flags"=dword:00000400
	If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
	Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
	Break
	}

	$outfile = "acltestfile"
	set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
	Foreach ($path in $paths) {
	# This prints a table of ACLs
	# get-acl $path \| %{ $_.Access } \| ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights
	Windows Registry Editor Version 5.00

	[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy]
	"Disabled"=dword:00000001

	[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
	"SubscribedContent-338388Enabled"=dword:00000000