wizardy0ga
/ print.c
Created
August 23, 2025 19:31
A simple macro for printing to console on win32 applications w/o a c runtime. Can also be used for standard win32 apps
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // CRT independant printing function | |
| # define print(msg, ...) \ | |
| if (1) { \ | |
| LPSTR Buf = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024); \ | |
| if (Buf) { \ | |
| int len = wsprintfA(Buf, msg "\n", __func__, __VA_ARGS__); \ | |
| WriteConsoleA(GetStdHandle(STD_OUTPUT_HANDLE), Buf, len, 0, 0); \ | |
| HeapFree(GetProcessHeap(), 0x00, Buf); \ | |
| } \ | |
| } |
wizardy0ga
/ LoadPe.c
Created
June 14, 2025 04:11
Load a portable executable in the local process & execute it
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| @brief | |
| Load a PE in memory and execute it in the address space of this process | |
| @author | |
| wizardy0ga | |
| @usage: | |
| LoadPe.exe <path to exe> |
wizardy0ga
/ Win32Hash.h
Created
February 14, 2025 13:57
A header file library template to support function resolution via API hashing on windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #pragma once | |
| #include <windows.h> | |
| #include <stdio.h> | |
| #define SEED_HASH 8888 | |
| #define KERNEL32_HASH 0xA52DE12A | |
| #define LOAD_LIBRARY_HASH 0xF4DAB6A4 | |
| typedef struct _UNICODE_STRING_ | |
| { |
wizardy0ga
/ NtChunkAllocate.C
Created
December 3, 2024 00:58
Writing a payload into memory via chunking within the NT API
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Description: | |
| Copies a payload into memory using a chunking method using NTAPI calls. This assists with breaking up memory scanning routines by EDRs. | |
| A reserved / readonly page will be left at the top of the allocation. Each page below this memory page will contain the payload. | |
| | Page 1 | 4096 bytes | Reserved | R | |
| | Page 2 | 4096 bytes | Commited | RX | |
| | Page 3 | 4096 bytes | Commited | RX | |
| | Page ... | 4096 bytes | Commited | RX |
wizardy0ga
/ ChunkToMemory.c
Created
December 2, 2024 14:03
Copying data into memory through chunking
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Description: | |
| Copies a payload into memory using a chunking method. This assists with breaking up memory scanning routines by EDRs. | |
| A reserved / readonly page will be left at the top of the allocation. Each page below this memory page will contain the payload. | |
| | Page 1 | 4096 bytes | Reserved | R | |
| | Page 2 | 4096 bytes | Commited | RX | |
| | Page 3 | 4096 bytes | Commited | RX | |
| | Page ... | 4096 bytes | Commited | RX | |
wizardy0ga
/ DrmProtection.C
Last active
December 25, 2024 04:38
A PoC DRM protected program for windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Description: | |
| Program is a PoC DRM implementation. The program will only execute on the windows device that it first executed | |
| on. If it's copied to another device, it will delete itself on execution. | |
| A signature is kept in the rdata section of the binary. On fisrt exection, if the signature is the default signature, | |
| DRM will be initialized. This process consists of hashing the BIOS's UUID, & replacing the default signature with this | |
| hash. When the program executes again, it will check the BIOS's UUID hash against the signature stored in the | |
| .rdata section. If the hash doesn't match, the program deletes itself. |
wizardy0ga
/ SelfDeleteWin32.c
Last active
April 11, 2025 02:03
Force a windows executable to delete itself by modifying the default data stream name & removing the file via SetFileInformationByHandle API
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <winternl.h> | |
| #define STREAM_NAME L":XanWudS" | |
| BOOL SelfDelete() | |
| { | |
| HANDLE hFile = INVALID_HANDLE_VALUE; | |
| PWSTR szImageName = NULL; | |
| FILE_DISPOSITION_INFO DisposalInfo = { .DeleteFile = TRUE }; |
wizardy0ga
/ AmsiBypassDll.c
Last active
November 3, 2024 01:10
Demonstration of an AMSI bypass via DLL injection into a powershell process
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "pch.h" | |
| #include <Windows.h> | |
| #include <stdio.h> | |
| #define RET 0xC3 | |
| #define INT3 0xCC | |
| #define JE 0x74 | |
| #define JNE 0x75 | |
| #define MOV 0xB8 |
wizardy0ga
/ AmsiBypassViaBytePatch.c
Last active
November 22, 2024 20:15
A bypass for AMSI using byte patching
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Description: | |
| Bypasses AMSI by patching the functions in memory with single byte patches. Some amsi functions | |
| will validate parameters & jump to a failure routine if the validation failes. By flipping this check, | |
| the functions can be forced to fail which blind the anti-malware scan interface. | |
| Author: | |
| wizardy0ga | |
| Date: |
wizardy0ga
/ GetProcAddress.c
Last active
December 10, 2024 02:17
Custom GetProcAddress function. Avoid listing 'GetProcAddress' in the address table.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Description: | |
| A simplified version of GetProcAddress. Posting here for reference later. | |
| Author: | |
| WizardY0ga | |
| Mitre: | |
| T1027.007 - Obfuscated Files or Information: Dynamic API Resolution | |
| Date: | |
| October 2024 |
NewerOlder