Skip to content

Instantly share code, notes, and snippets.

@wdormann
wdormann / gist:c11750585c5c0eda2b09438ca30271ab
Created Oct 20, 2017
Win10 BSOD after importing EMET profile
View gist:c11750585c5c0eda2b09438ca30271ab
Microsoft (R) Windows Debugger Version 10.0.17016.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\test\Documents\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
@wdormann
wdormann / EG_popular.xml
Created Oct 20, 2017
EG profile converted from EMET, which causes Win10 BSOD
View EG_popular.xml
@wdormann
wdormann / enable_bottom-up_ASLR.reg
Created Nov 16, 2017
Enable both Mandatory ASLR *and* Bottom-up ASLR system-wide
View enable_bottom-up_ASLR.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00
@wdormann
wdormann / win10_applocker_no_foistware.xml
Created Dec 31, 2017
Prevent automatic installation of foistware on Windows 10 versions using AppLocker
View win10_applocker_no_foistware.xml
<AppLockerPolicy Version="1">
<RuleCollection Type="Appx" EnforcementMode="Enabled">
<FilePublisherRule Id="a1baec9b-3250-44fe-865d-41c9397dcfcd" Name="Microsoft.Windows.ContentDeliveryManager, from Microsoft Corporation" Description="Block foistware?" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.ContentDeliveryManager" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
@wdormann
wdormann / gist:e15fbc671a0741b72264eca168a252e3
Created Mar 29, 2019
Vendor MACs targeted by ASUS attack
View gist:e15fbc671a0741b72264eca168a252e3
AMPAK Technology, Inc.
ASUSTek COMPUTER INC.
AzureWave Technology Inc.
BizLink (Kunshan) Co.,Ltd
Chicony Electronics Co., Ltd.
Digital Data Communications Asia Co.,Ltd
GOOD WAY IND. CO., LTD.
HUAWEI TECHNOLOGIES CO.,LTD
Hon Hai Precision Ind. Co.,Ltd.
Intel Corporate
@wdormann
wdormann / flash_killbit.reg
Last active May 29, 2019
Disable Flash ActiveX in all Windows versions (including 10)
View flash_killbit.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftEdge\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
@wdormann
wdormann / packet-tpkt.c.diff
Created Jun 21, 2019
Patch Wireshark 3.0.2 to hook TPKT dissector into TLS decryption
View packet-tpkt.c.diff
--- packet-tpkt.c.orig 2019-06-21 14:47:47.831026881 +0000
+++ packet-tpkt.c 2019-06-21 15:05:31.115056289 +0000
@@ -22,6 +22,7 @@
#include <epan/show_exception.h>
#include "packet-tpkt.h"
+#include "packet-tls.h"
void proto_register_tpkt(void);
void proto_reg_handoff_tpkt(void);
@@ -42,6 +43,7 @@
static gboolean tpkt_desegment = TRUE;
@wdormann
wdormann / checksvc.py
Last active Nov 10, 2019
Check for insecure services on Windows
View checksvc.py
import os
import subprocess
import ctypes
# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
svcinfo = {}
nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
FNULL = open(os.devnull, 'w')
@wdormann
wdormann / disable_win10_foistware.reg
Created Jan 2, 2018
Attempt at disabling Windows 10 automatic installation of 3rd-party foistware
View disable_win10_foistware.reg
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy]
"Disabled"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
"SubscribedContent-338388Enabled"=dword:00000000
@wdormann
wdormann / checkaslr.py
Last active Apr 20, 2020
Check for running processes on Windows that have components that do not utilize ASLR
View checkaslr.py
#!/usr/bin/env python
'''
Utility to check for processes running with non-ASLR-compatible components.
Run with Administrative privileges to get visibility into all processes.
(1a) psutil: https://pypi.org/project/psutil/
Installed via PIP
-OR-
(1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls
You can’t perform that action at this time.