wdormann wdormann
wdormann
/ CVE-2021-21224.html
Last active
October 31, 2022 22:01
Sample ARM64 PoC for CVE-2021-21224
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script> | |
| function gc() { | |
| for (var i = 0; i < 0x80000; ++i) { | |
| var a = new ArrayBuffer(); | |
| } | |
| } | |
| let shellcode = [ | |
| // Move x18 to x28 (TEB) |
wdormann
/ gist:f9552721166aaf2234b62e56f92a023f
Created
November 5, 2022 12:59
Turn off SmartScreen to avoid Windows 11 22H2 lack of prompting/scanning when opening files directly from ZIPs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer] | |
| "SmartScreenEnabled"="Off" |
wdormann
/ suspendvms.ps1
Created
November 28, 2022 14:15
Suspend running VMs, for use in Windows shutdown script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @(& "C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" list | Select-String -Pattern ".vmx") | %{&"C:\Program Files (x86)\VMware\VMware Workstation\vmrun" suspend $_} |
wdormann
/ disable_win10_foistware.reg
Created
January 2, 2018 23:15
Attempt at disabling Windows 10 automatic installation of 3rd-party foistware
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy] | |
| "Disabled"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager] | |
| "SubscribedContent-338388Enabled"=dword:00000000 | |
wdormann
/ privileged.ps1
Last active
February 21, 2023 22:06
List privileged services that don't come with Windows 10 VMware guest
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $win10_builtin = @('AppVClient', 'ClickToRunSvc', 'COMSysApp', 'diagnosticshub.standardcollector.service', | |
| 'msiserver', 'ose', 'perceptionsimulation', 'SecurityHealthService', 'Sense', | |
| 'SensorDataService', 'SgrmBroker', 'Spooler', 'ssh-agent', 'TieringEngineService', | |
| 'TrustedInstaller', 'UevAgentService', 'vds', 'VSS', 'wbengine', 'WinDefend', 'wmiApSrv', | |
| 'WSearch', 'XboxNetApiSvc', 'XboxGipSvc', 'XblGameSave', 'XblAuthManager', 'WwanSvc', 'wuauserv', | |
| 'WwanSvc', 'wuauserv', 'WpnService', 'WPDBusEnum', 'WpcMonSvc', 'WManSvc', 'wlidsvc', 'WlanSvc', | |
| 'wisvc', 'Winmgmt', 'WiaRpc', 'WerSvc', 'wercplsupport', 'WdiSystemHost', 'WbioSrvc', 'WalletService', | |
| 'WaaSMedicSvc', 'vmvss', 'vmicvss', 'vmicvmsession', 'vmicshutdown', 'vmicrdv', 'vmickvpexchange', | |
| 'vmicheartbeat', 'vmicguestinterface', 'VaultSvc', 'UsoSvc', 'UserManager', 'UmRdpService', | |
| 'TroubleshootingSvc', 'TrkWks', 'TokenBroker', 'Themes', 'TabletInputService', |
wdormann
/ rewrite.py
Created
March 9, 2023 17:43
mitmproxy rewrite rule to allow user to use personal login for Microsoft as opposed to org-controlled oauth
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##################################################### | |
| ## Content rewriting script for mitmproxy 4 | |
| ## Other versions of mitmproxy may not be compatible | |
| ##################################################### | |
| # | |
| # BEGIN LICENSE # | |
| # | |
| # CERT Tapioca | |
| # | |
| # Copyright 2018 Carnegie Mellon University. All Rights Reserved. |
wdormann
/ mandiant.xml
Last active
March 9, 2023 20:46
WDAC blocking policy for Mandiant-mentioned BYOVD drivers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy"> | |
| <VersionEx>10.0.0.0</VersionEx> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> | |
| </Rule> | |
| <Rule> | |
| <Option>Enabled:Audit Mode</Option> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Text; | |
| using System.Threading.Tasks; | |
| using Aspose.Email; | |
| namespace msgtotnef | |
| { | |
| class Program |
wdormann
/ drivers.log
Created
May 24, 2023 12:35
Log of attempt to load 554 x86-64 drivers from LOLDrivers on a Win11 22H2 system with an October 31, 2022 driversipolicy.p7b
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin | |
| [SC] StartService FAILED 577: | |
| Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. | |
| sc start 0067c788e1cb174f008c325ebde56c22.bin | |
| [SC] StartService FAILED 2148204812: | |
| A certificate was explicitly revoked by its issuer. |
wdormann
/ drivers_latest.log
Last active
May 24, 2023 15:01
Log of attempt to load 554 x86-64 drivers from LOLDrivers on a Win11 22H2 system with a May 24, 2023 MS drivers block list
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin | |
| [SC] StartService FAILED 577: | |
| Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. | |
| sc start 0067c788e1cb174f008c325ebde56c22.bin | |
| [SC] StartService FAILED 4551: | |
| Your organization used Device Guard to block this app. Contact your support person for more info. |