
wdormann / gist:e15fbc671a0741b72264eca168a252e3
Created Mar 29, 2019
Vendor MACs targeted by ASUS attack
AMPAK Technology, Inc.
AzureWave Technology Inc.
BizLink (Kunshan) Co.,Ltd
Chicony Electronics Co., Ltd.
Digital Data Communications Asia Co.,Ltd
Hon Hai Precision Ind. Co.,Ltd.
Intel Corporate
wdormann /
Last active Jan 22, 2019
Check for insecure services on Windows
import os
import subprocess
import ctypes
# See:
svcinfo = {}
nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
FNULL = open(os.devnull, 'w')
wdormann /
Last active Mar 23, 2019
Python script to check for PE files linked with /DYNAMICBASE that are nonetheless not ASLR compatible because they lack a relocation table
''' Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.
usage: <dir>
ex: "C:\Program Files\"
requires: pefile <>, which should be
installable via: pip install pefile
wdormann / flash_killbit.reg
Last active Aug 4, 2018
Disable Flash ActiveX in all Windows versions (including 10)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftEdge\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
wdormann / acltest.ps1
Created May 1, 2018
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
$outfile = "acltestfile"
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
Foreach ($path in $paths) {
    # This prints a table of ACLs
    # get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights
wdormann / disable_win10_foistware.reg
Created Jan 2, 2018
Attempt at disabling Windows 10 automatic installation of 3rd-party foistware
Windows Registry Editor Version 5.00
wdormann / win10_applocker_no_foistware.xml
Created Dec 31, 2017
Prevent automatic installation of foistware on Windows 10 versions using AppLocker
<AppLockerPolicy Version="1">
<RuleCollection Type="Appx" EnforcementMode="Enabled">
<FilePublisherRule Id="a1baec9b-3250-44fe-865d-41c9397dcfcd" Name="Microsoft.Windows.ContentDeliveryManager, from Microsoft Corporation" Description="Block foistware?" UserOrGroupSid="S-1-1-0" Action="Deny">
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.ContentDeliveryManager" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
wdormann / enable_bottom-up_ASLR.reg
Created Nov 16, 2017
Enable both Mandatory ASLR *and* Bottom-up ASLR system-wide
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
wdormann / EG_popular.xml
Created Oct 20, 2017
EG profile converted from EMET, which causes Win10 BSOD
wdormann / gist:c11750585c5c0eda2b09438ca30271ab
Created Oct 20, 2017
Win10 BSOD after importing EMET profile
Microsoft (R) Windows Debugger Version 10.0.17016.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\test\Documents\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is: