wdormann wdormann
wdormann
/ gist:c11750585c5c0eda2b09438ca30271ab
Created
October 20, 2017 13:10
Win10 BSOD after importing EMET profile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Microsoft (R) Windows Debugger Version 10.0.17016.1000 AMD64 | |
| Copyright (c) Microsoft Corporation. All rights reserved. | |
| Loading Dump File [C:\Users\test\Documents\MEMORY.DMP] | |
| Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available. | |
| Symbol search path is: srv* | |
| Executable search path is: |
wdormann
/ EG_popular.xml
Created
October 20, 2017 13:29
EG profile converted from EMET, which causes Win10 BSOD
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <MitigationPolicy> | |
| <SystemConfig> | |
| <DEP Enable="true" EmulateAtlThunks="false" /> | |
| <ASLR ForceRelocateImages="false" RequireInfo="false" BottomUp="true" HighEntropy="false" /> | |
| <StrictHandle Enable="false" /> | |
| <SystemCalls DisableWin32kSystemCalls="false" Audit="false" /> | |
| <ExtensionPoints DisableExtensionPoints="false" /> | |
| <DynamicCode BlockDynamicCode="false" AllowThreadsToOptOut="false" Audit="false" /> | |
| <ControlFlowGuard Enable="false" SuppressExports="false" StrictControlFlowGuard="false" /> |
wdormann
/ win10_applocker_no_foistware.xml
Created
December 31, 2017 22:48
Prevent automatic installation of foistware on Windows 10 versions using AppLocker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <AppLockerPolicy Version="1"> | |
| <RuleCollection Type="Appx" EnforcementMode="Enabled"> | |
| <FilePublisherRule Id="a1baec9b-3250-44fe-865d-41c9397dcfcd" Name="Microsoft.Windows.ContentDeliveryManager, from Microsoft Corporation" Description="Block foistware?" UserOrGroupSid="S-1-1-0" Action="Deny"> | |
| <Conditions> | |
| <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.ContentDeliveryManager" BinaryName="*"> | |
| <BinaryVersionRange LowSection="*" HighSection="*" /> | |
| </FilePublisherCondition> | |
| </Conditions> | |
| </FilePublisherRule> | |
| </RuleCollection> |
wdormann
/ gist:e15fbc671a0741b72264eca168a252e3
Created
March 29, 2019 12:24
Vendor MACs targeted by ASUS attack
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AMPAK Technology, Inc. | |
| ASUSTek COMPUTER INC. | |
| AzureWave Technology Inc. | |
| BizLink (Kunshan) Co.,Ltd | |
| Chicony Electronics Co., Ltd. | |
| Digital Data Communications Asia Co.,Ltd | |
| GOOD WAY IND. CO., LTD. | |
| HUAWEI TECHNOLOGIES CO.,LTD | |
| Hon Hai Precision Ind. Co.,Ltd. | |
| Intel Corporate |
wdormann
/ packet-tpkt.c.diff
Created
June 21, 2019 15:17
Patch Wireshark 3.0.2 to hook TPKT dissector into TLS decryption
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- packet-tpkt.c.orig 2019-06-21 14:47:47.831026881 +0000 | |
| +++ packet-tpkt.c 2019-06-21 15:05:31.115056289 +0000 | |
| @@ -22,6 +22,7 @@ | |
| #include <epan/show_exception.h> | |
| #include "packet-tpkt.h" | |
| +#include "packet-tls.h" | |
| void proto_register_tpkt(void); | |
| void proto_reg_handoff_tpkt(void); | |
| @@ -42,6 +43,7 @@ | |
| static gboolean tpkt_desegment = TRUE; |
wdormann
/ checkaslr.py
Last active
April 20, 2020 18:16
Check for running processes on Windows that have components that do not utilize ASLR
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ''' | |
| Utility to check for processes running with non-ASLR-compatible components. | |
| Run with Administrative privileges to get visibility into all processes. | |
| (1a) psutil: https://pypi.org/project/psutil/ | |
| Installed via PIP | |
| -OR- | |
| (1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls |
wdormann
/ gist:874198c1bd29c7dd2157d9fc1d858263
Last active
June 21, 2020 07:04
List of Android apps that include libpl_droidsonroids_gif.so - potentially vulnerable to CVE-2019-11932. Sorted by install count.
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| com.whatsapp 1000000000 | |
| com.lenovo.anyshare.gps 1000000000 | |
| com.instagram.android 1000000000 | |
| com.zhiliaoapp.musically 500000000 | |
| com.viber.voip 500000000 | |
| wp.wattpad 100000000 | |
| vStudio.Android.Camera360 100000000 | |
| vsin.t16_funny_photo 100000000 | |
| com.yahoo.mobile.client.android.mail 100000000 | |
| com.xvideostudio.videoeditor 100000000 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Don't use this version! | |
| # Try https://gist.github.com/wdormann/8afe4edf605627ee4f203861b6cc3a1c instead | |
| # | |
| # Utility for listing SYSTEM-privileged scheduled tasks on Windows | |
| # Tasks that come with Windows 10 are not included. | |
| # Admin privileges are required to list all scheduled tasks. | |
| import csv | |
| import subprocess | |
| import tempfile |
wdormann
/ privileged.py
Last active
April 30, 2021 13:07
List privileged services that don't come with Windows 10 - deprecated
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # DON'T USE THIS VERSION! | |
| # Try https://gist.github.com/wdormann/89ed779933fe205fb52ecf3eacf5ff40 instead | |
| import os | |
| import subprocess | |
| # See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/ | |
| svcinfo = {} | |
| FNULL = open(os.devnull, 'w') |
wdormann
/ flash_killbit.reg
Last active
June 1, 2021 15:03
Disable Flash ActiveX in all Windows versions (including 10)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftEdge\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}] | |
| "Compatibility Flags"=dword:00000400 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}] | |
| "Compatibility Flags"=dword:00000400 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}] | |
| "Compatibility Flags"=dword:00000400 |
OlderNewer