

wdormann / gist:c11750585c5c0eda2b09438ca30271ab
Created Oct 20, 2017
Win10 BSOD after importing EMET profile
Microsoft (R) Windows Debugger Version 10.0.17016.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\test\Documents\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
wdormann / EG_popular.xml
Created Oct 20, 2017
EG profile converted from EMET, which causes Win10 BSOD
wdormann / enable_bottom-up_ASLR.reg
Created Nov 16, 2017
Enable both Mandatory ASLR *and* Bottom-up ASLR system-wide
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
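The preview above ends before the value the .reg file writes under that key. As an added example (not the gist's own code), the Python below encodes and decodes the `MitigationOptions` REG_BINARY that lives under `Session Manager\kernel`, using the 2-bit-per-policy layout of the PROCESS_CREATION_MITIGATION_POLICY_* constants from winbase.h. The policy names in the `POLICIES` table and the sample blob are mine; the check `mandatory_aslr_effective` encodes the point the gist title makes, that Mandatory ASLR (ForceRelocateImages) should be paired with Bottom-up ASLR.

```python
import struct

# Per-mitigation 2-bit fields from the PROCESS_CREATION_MITIGATION_POLICY_*
# constants in winbase.h: value 1 = ALWAYS_ON, 2 = ALWAYS_OFF, 0 = inherit default.
# The system-wide MitigationOptions REG_BINARY under Session Manager\kernel uses
# the same layout; its first 8 bytes are the little-endian first policy QWORD.
# Bits 0-7 (DEP / ATL thunk / SEHOP) use a different single-bit encoding and
# are not decoded here.
ALWAYS_ON, ALWAYS_OFF = 0x1, 0x2
POLICIES = {                       # name -> bit shift of its 2-bit field
    'ForceRelocateImages': 8,      # "Mandatory ASLR"
    'HeapTerminate': 12,
    'BottomUpASLR': 16,
    'HighEntropyASLR': 20,
    'StrictHandleChecks': 24,
    'Win32kSystemCallDisable': 28,
    'ExtensionPointDisable': 32,
}


def decode_mitigation_options(raw):
    """Map each policy name to 'on', 'off' or 'default' from a MitigationOptions blob."""
    qword = struct.unpack_from('<Q', raw.ljust(8, b'\0'))[0]
    states = {}
    for name, shift in POLICIES.items():
        field = (qword >> shift) & 0x3
        states[name] = {ALWAYS_ON: 'on', ALWAYS_OFF: 'off'}.get(field, 'default')
    return states


def encode_mitigation_options(always_on):
    """Build the 16-byte blob with the named policies forced on and everything else default."""
    qword = 0
    for name in always_on:
        qword |= ALWAYS_ON << POLICIES[name]
    return struct.pack('<QQ', qword, 0)   # second QWORD (later policies) left at zero


def mandatory_aslr_effective(raw):
    """Forced relocation is only randomised when bottom-up ASLR is also on, so require both."""
    states = decode_mitigation_options(raw)
    return states['ForceRelocateImages'] == 'on' and states['BottomUpASLR'] == 'on'


def to_reg_hex(raw):
    """Spell the blob the way a .reg file writes a REG_BINARY value."""
    return 'hex:' + ','.join('%02x' % b for b in raw)


if __name__ == '__main__':
    # Constructed value: the two ASLR policies the gist title names, both ALWAYS_ON.
    blob = encode_mitigation_options(['ForceRelocateImages', 'BottomUpASLR'])
    print('"MitigationOptions"=' + to_reg_hex(blob))
    print(decode_mitigation_options(blob), mandatory_aslr_effective(blob))
    try:  # on Windows, compare against the live key
        import winreg
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r'SYSTEM\CurrentControlSet\Control\Session Manager\kernel')
        live, _ = winreg.QueryValueEx(key, 'MitigationOptions')
        print('live:', decode_mitigation_options(live), mandatory_aslr_effective(live))
    except (ImportError, OSError):
        print('live MitigationOptions not readable here (not Windows, or value unset)')
```

Run it on a Windows host after importing the .reg file to confirm both fields decode as `on`; a host with only ForceRelocateImages set will report `mandatory_aslr_effective` as False.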
wdormann / win10_applocker_no_foistware.xml
Created Dec 31, 2017
Prevent automatic installation of foistware on Windows 10 versions using AppLocker
<AppLockerPolicy Version="1">
<RuleCollection Type="Appx" EnforcementMode="Enabled">
<FilePublisherRule Id="a1baec9b-3250-44fe-865d-41c9397dcfcd" Name="Microsoft.Windows.ContentDeliveryManager, from Microsoft Corporation" Description="Block foistware?" UserOrGroupSid="S-1-1-0" Action="Deny">
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.ContentDeliveryManager" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
wdormann / gist:e15fbc671a0741b72264eca168a252e3
Created Mar 29, 2019
Vendor MACs targeted by ASUS attack
AMPAK Technology, Inc.
AzureWave Technology Inc.
BizLink (Kunshan) Co.,Ltd
Chicony Electronics Co., Ltd.
Digital Data Communications Asia Co.,Ltd
Hon Hai Precision Ind. Co.,Ltd.
Intel Corporate
wdormann / flash_killbit.reg
Last active May 29, 2019
Disable Flash ActiveX in all Windows versions (including 10)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftEdge\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
wdormann / packet-tpkt.c.diff
Created Jun 21, 2019
Patch Wireshark 3.0.2 to hook TPKT dissector into TLS decryption
--- packet-tpkt.c.orig 2019-06-21 14:47:47.831026881 +0000
+++ packet-tpkt.c 2019-06-21 15:05:31.115056289 +0000
@@ -22,6 +22,7 @@
#include <epan/show_exception.h>
#include "packet-tpkt.h"
+#include "packet-tls.h"
void proto_register_tpkt(void);
void proto_reg_handoff_tpkt(void);
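Review bot: missing documentation in this hunk: the new `#include "packet-tls.h"` has no comment saying why the TPKT dissector now pulls in the TLS dissector's header, and nothing in the visible context uses it yet. A one-line comment above the include stating the purpose (hooking TPKT into TLS decryption, per the gist description) would help the next reader, and it is worth recording that packet-tls.h exists only from Wireshark 3.0 onward (earlier releases ship packet-ssl.h), so the patch is pinned to the 3.0.x series as the title says.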
@@ -42,6 +43,7 @@
static gboolean tpkt_desegment = TRUE;
wdormann /
Last active Nov 10, 2019
Check for insecure services on Windows
import os
import subprocess
import ctypes
# See:
svcinfo = {}
# SDDL two-letter trustee aliases for non-administrative principals:
# Authenticated Users, Anonymous, Guests, Users, Domain Guests, Everyone,
# Interactive, Local Guest
nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
# Sink for child-process output that is not needed
FNULL = open(os.devnull, 'w')
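The preview stops before the part of the script that evaluates service security descriptors. As an added example (not the gist's code), the following Python parses the SDDL string that `sc sdshow <service>` prints and flags allow-ACEs that give one of the gist's non-admin trustees a right that lets it take over the service (change its configuration, delete it, or rewrite its DACL or owner). The two sample descriptors are constructed, not captured from a real host; `check_service` is the only part that needs Windows.

```python
import re
import subprocess

# SDDL trustee aliases for non-administrative principals (same list as the
# script's `nonadmin`): Authenticated Users, Anonymous, Guests, Users,
# Domain Guests, Everyone, Interactive, Local Guest.
NONADMIN = {'AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG'}

# Rights that let the holder take over the service or its object. Note the
# alias clash: 'WD' in the rights field is WRITE_DAC, 'WD' in the trustee
# field is Everyone, so the two fields must be parsed separately.
DANGEROUS_RIGHTS = {
    'DC': 'SERVICE_CHANGE_CONFIG',   # rewrite binary path / logon account
    'SD': 'DELETE',
    'WD': 'WRITE_DAC',
    'WO': 'WRITE_OWNER',
    'GA': 'GENERIC_ALL',
    'GW': 'GENERIC_WRITE',
}

ACE_RE = re.compile(r'\(([^)]*)\)')


def parse_dacl_aces(sddl):
    """Return (ace_type, rights, trustee) tuples from the DACL part of an SDDL string."""
    # The DACL is 'D:' + optional flags (P, AI, AR) + ACEs; it ends where the
    # SACL ('S:') begins, which the ACE-only group below does not match.
    m = re.search(r'D:(?:[A-Z]*)((?:\([^)]*\))*)', sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(';')
        if len(fields) < 6:
            continue            # malformed ACE: skip rather than guess
        ace_type, _flags, rights, _obj, _inherit, trustee = fields[:6]
        aces.append((ace_type, rights, trustee))
    return aces


def split_rights(rights):
    """Split an SDDL rights string into two-letter tokens; a hex mask is returned whole."""
    if rights.startswith('0x'):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def insecure_grants(sddl):
    """List (trustee, right) for allow-ACEs that hand a non-admin a takeover right.

    Deny ACEs are ignored, so a descriptor that denies and then allows the same
    right is still reported; treat results as leads to confirm, not verdicts.
    """
    findings = []
    for ace_type, rights, trustee in parse_dacl_aces(sddl):
        if ace_type != 'A' or trustee not in NONADMIN:
            continue
        for tok in split_rights(rights):
            if tok in DANGEROUS_RIGHTS:
                findings.append((trustee, DANGEROUS_RIGHTS[tok]))
    return findings


def check_service(name):
    """Windows only: fetch the live descriptor with `sc sdshow` and evaluate it."""
    out = subprocess.check_output(['sc', 'sdshow', name], text=True)
    return insecure_grants(out.strip())


# Constructed sample descriptors. The first is a typical default; the second
# additionally grants BUILTIN\Users (BU) SERVICE_CHANGE_CONFIG and WRITE_DAC.
SAMPLE_DEFAULT = ('D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
                  '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
                  'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)')
SAMPLE_WEAK = ('D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
               '(A;;CCDCLCSWRPWPDTLOCRRCWD;;;BU)')

if __name__ == '__main__':
    for label, sddl in (('default', SAMPLE_DEFAULT), ('weak', SAMPLE_WEAK)):
        print(label, insecure_grants(sddl))
```

The SACL audit entry for Everyone (`WD`) in the default sample is deliberately there: it exercises the alias clash and must not be reported, since it is neither in the DACL nor an allow-ACE.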
wdormann / disable_win10_foistware.reg
Created Jan 2, 2018
Attempt at disabling Windows 10 automatic installation of 3rd-party foistware
Windows Registry Editor Version 5.00
wdormann /
Last active Apr 20, 2020
Check for running processes on Windows that have components that do not utilize ASLR
#!/usr/bin/env python
Utility to check for processes running with non-ASLR-compatible components.
Run with Administrative privileges to get visibility into all processes.
(1a) psutil:
Installed via PIP
(1b) Sysinternals ListDLLs:
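The script's header names psutil and Sysinternals ListDLLs as its inputs; the preview ends before the check itself. As an added example (not the gist's code), the Python below does the per-module test directly from PE headers instead: it reads `DllCharacteristics` for `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` and `HIGH_ENTROPY_VA`, and `FileHeader.Characteristics` for `IMAGE_FILE_RELOCS_STRIPPED`, the two things that decide whether the loader can randomise an image. `build_test_image` constructs a minimal header-only PE so the logic runs offline; real modules are checked by passing their file bytes.

```python
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def aslr_status(data):
    """Report the ASLR-relevant header flags of a PE image given as bytes."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ image')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('bad PE signature')
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = e_lfanew + 4
    characteristics = struct.unpack_from('<H', data, file_hdr + 18)[0]
    opt_hdr = file_hdr + 20
    magic = struct.unpack_from('<H', data, opt_hdr)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError('unknown optional header magic 0x%x' % magic)
    # DllCharacteristics is at offset 70 of the optional header for both
    # PE32 and PE32+ (ImageBase grows by 4 bytes, BaseOfData disappears).
    dll_chars = struct.unpack_from('<H', data, opt_hdr + 70)[0]
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        'pe32plus': magic == PE32PLUS_MAGIC,
        'dynamic_base': dynamic_base,
        'high_entropy_va': bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        'relocs_stripped': relocs_stripped,
        # Opted in and still relocatable: the loader randomises this by default.
        # Without DYNAMIC_BASE only mandatory ASLR can force a relocation, and
        # with relocations stripped nothing can move the image at all.
        'aslr_compatible': dynamic_base and not relocs_stripped,
    }


def non_aslr_modules(modules):
    """Given {name: image bytes}, return the names the loader would not randomise by default."""
    return [name for name, data in modules.items()
            if not aslr_status(data)['aslr_compatible']]


def build_test_image(dll_chars, characteristics, pe32plus=False):
    """Construct a minimal header-only PE (no sections) for offline testing."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    file_hdr = struct.pack('<HHIIIHH',
                           0x8664 if pe32plus else 0x14C,   # Machine
                           0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into('<H', opt, 70, dll_chars)
    return bytes(dos) + b'PE\0\0' + file_hdr + bytes(opt)


if __name__ == '__main__':
    # Usage: python aslr_check.py C:\path\to\module.dll ...
    for path in sys.argv[1:]:
        with open(path, 'rb') as fh:
            print(path, aslr_status(fh.read()))
```

To reproduce the script's purpose, feed `non_aslr_modules` the on-disk images of every module a process has loaded (the paths ListDLLs or psutil report); any name it returns is a component that was linked without `/DYNAMICBASE` or with relocations stripped.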