Skip to content

Instantly share code, notes, and snippets.

wdormann /
Last active Apr 20, 2020
Check for running processes on Windows that have components that do not utilize ASLR
#!/usr/bin/env python
Utility to check for processes running with non-ASLR-compatible components.
Run with Administrative privileges to get visibility into all processes.
(1a) psutil:
Installed via PIP
(1b) Sysinternals ListDLLs:
wdormann / gist:874198c1bd29c7dd2157d9fc1d858263
Last active Jun 21, 2020
List of Android apps that include - potentially vulnerable to CVE-2019-11932. Sorted by install count.
View gist:874198c1bd29c7dd2157d9fc1d858263
This file has been truncated, but you can view the full file.
com.whatsapp 1000000000
com.lenovo.anyshare.gps 1000000000 1000000000
com.zhiliaoapp.musically 500000000
com.viber.voip 500000000
wp.wattpad 100000000
vStudio.Android.Camera360 100000000
vsin.t16_funny_photo 100000000 100000000
wdormann / disable_discimage.reg
Created Aug 29, 2019
Disable Windows Explorer file associations for Disc Image Mount (ISO, IMG, VHD, VHDX)
View disable_discimage.reg
Windows Registry Editor Version 5.00
wdormann / packet-tpkt.c.diff
Created Jun 21, 2019
Patch Wireshark 3.0.2 to hook TPKT dissector into TLS decryption
View packet-tpkt.c.diff
--- packet-tpkt.c.orig 2019-06-21 14:47:47.831026881 +0000
+++ packet-tpkt.c 2019-06-21 15:05:31.115056289 +0000
@@ -22,6 +22,7 @@
#include <epan/show_exception.h>
#include "packet-tpkt.h"
+#include "packet-tls.h"
void proto_register_tpkt(void);
void proto_reg_handoff_tpkt(void);
@@ -42,6 +43,7 @@
static gboolean tpkt_desegment = TRUE;
wdormann / gist:e15fbc671a0741b72264eca168a252e3
Created Mar 29, 2019
Vendor MACs targeted by ASUS attack
View gist:e15fbc671a0741b72264eca168a252e3
AMPAK Technology, Inc.
AzureWave Technology Inc.
BizLink (Kunshan) Co.,Ltd
Chicony Electronics Co., Ltd.
Digital Data Communications Asia Co.,Ltd
Hon Hai Precision Ind. Co.,Ltd.
Intel Corporate
wdormann /
Last active Nov 10, 2019
Check for insecure services on Windows
import os
import subprocess
import ctypes
# See:
svcinfo = {}
nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
FNULL = open(os.devnull, 'w')
wdormann /
Last active Jul 28, 2020
Python script to check for PE files linked with /DYNAMICBASE, but are not actually ASLR compatible due to missing relocation table
''' Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.
usage: <dir>
ex: "C:\Program Files\"
requires: pefile <>, which should be
installable via: pip install pefile
wdormann / flash_killbit.reg
Last active May 29, 2019
Disable Flash ActiveX in all Windows versions (including 10)
View flash_killbit.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftEdge\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
wdormann / acltest.ps1
Created May 1, 2018
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
View acltest.ps1
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
$outfile = "acltestfile"
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
Foreach ($path in $paths) {
# This prints a table of ACLs
# get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights
wdormann / disable_win10_foistware.reg
Created Jan 2, 2018
Attempt at disabling Windows 10 automatic installation of 3rd-party foistware
View disable_win10_foistware.reg
Windows Registry Editor Version 5.00
You can’t perform that action at this time.