wizardy0ga
/ TLSCallbacks.c
Created
September 17, 2025 04:24
A demonstration of how TLS callbacks are implemented in windows at a bare minimum.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # include <Windows.h> | |
| // --- 1. Tell compiler to include the TLS directory in the program | |
| # pragma comment( linker, "/INCLUDE:_tls_used" ) | |
| // --- 2. Tell compiler to include TLSCallback variable | |
| # pragma comment( linker, "/INCLUDE:TLSCallback" ) | |
| // --- 3. Define a prototype for the tls callback function. This is the function to be executed prior to main. | |
| VOID TlsCallbackFunc( PVOID hModule, DWORD dwReason, PVOID pContext ); |
wizardy0ga
/ pe-extractor.py
Created
September 17, 2025 02:54
A small PoC script for extracting windows pe metadata with python
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import win32con | |
| import win32gui | |
| import icoextract | |
| import os | |
| def extract_metadata(filepath, icon_output_path=None): | |
| """Extract metadata from a Windows executable file using win32api.""" | |
| metadata = {} |
wizardy0ga
/ print.c
Created
August 23, 2025 19:31
A simple macro for printing to console on win32 applications w/o a c runtime. Can also be used for standard win32 apps
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // CRT independant printing function | |
| # define print(msg, ...) \ | |
| if (1) { \ | |
| LPSTR Buf = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024); \ | |
| if (Buf) { \ | |
| int len = wsprintfA(Buf, msg "\n", __func__, __VA_ARGS__); \ | |
| WriteConsoleA(GetStdHandle(STD_OUTPUT_HANDLE), Buf, len, 0, 0); \ | |
| HeapFree(GetProcessHeap(), 0x00, Buf); \ | |
| } \ | |
| } |
wizardy0ga
/ LoadPe.c
Created
June 14, 2025 04:11
Load a portable executable in the local process & execute it
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| @brief | |
| Load a PE in memory and execute it in the address space of this process | |
| @author | |
| wizardy0ga | |
| @usage: | |
| LoadPe.exe <path to exe> |
wizardy0ga
/ Win32Hash.h
Created
February 14, 2025 13:57
A header file library template to support function resolution via API hashing on windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #pragma once | |
| #include <windows.h> | |
| #include <stdio.h> | |
| #define SEED_HASH 8888 | |
| #define KERNEL32_HASH 0xA52DE12A | |
| #define LOAD_LIBRARY_HASH 0xF4DAB6A4 | |
| typedef struct _UNICODE_STRING_ | |
| { |
wizardy0ga
/ NtChunkAllocate.C
Created
December 3, 2024 00:58
Writing a payload into memory via chunking within the NT API
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Description: | |
| Copies a payload into memory using a chunking method using NTAPI calls. This assists with breaking up memory scanning routines by EDRs. | |
| A reserved / readonly page will be left at the top of the allocation. Each page below this memory page will contain the payload. | |
| | Page 1 | 4096 bytes | Reserved | R | |
| | Page 2 | 4096 bytes | Commited | RX | |
| | Page 3 | 4096 bytes | Commited | RX | |
| | Page ... | 4096 bytes | Commited | RX |
wizardy0ga
/ ChunkToMemory.c
Created
December 2, 2024 14:03
Copying data into memory through chunking
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Description: | |
| Copies a payload into memory using a chunking method. This assists with breaking up memory scanning routines by EDRs. | |
| A reserved / readonly page will be left at the top of the allocation. Each page below this memory page will contain the payload. | |
| | Page 1 | 4096 bytes | Reserved | R | |
| | Page 2 | 4096 bytes | Commited | RX | |
| | Page 3 | 4096 bytes | Commited | RX | |
| | Page ... | 4096 bytes | Commited | RX | |
wizardy0ga
/ DrmProtection.C
Last active
December 25, 2024 04:38
A PoC DRM protected program for windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Description: | |
| Program is a PoC DRM implementation. The program will only execute on the windows device that it first executed | |
| on. If it's copied to another device, it will delete itself on execution. | |
| A signature is kept in the rdata section of the binary. On fisrt exection, if the signature is the default signature, | |
| DRM will be initialized. This process consists of hashing the BIOS's UUID, & replacing the default signature with this | |
| hash. When the program executes again, it will check the BIOS's UUID hash against the signature stored in the | |
| .rdata section. If the hash doesn't match, the program deletes itself. |
wizardy0ga
/ SelfDeleteWin32.c
Last active
April 11, 2025 02:03
Force a windows executable to delete itself by modifying the default data stream name & removing the file via SetFileInformationByHandle API
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <winternl.h> | |
| #define STREAM_NAME L":XanWudS" | |
| BOOL SelfDelete() | |
| { | |
| HANDLE hFile = INVALID_HANDLE_VALUE; | |
| PWSTR szImageName = NULL; | |
| FILE_DISPOSITION_INFO DisposalInfo = { .DeleteFile = TRUE }; |
wizardy0ga
/ AmsiBypassDll.c
Last active
November 3, 2024 01:10
Demonstration of an AMSI bypass via DLL injection into a powershell process
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "pch.h" | |
| #include <Windows.h> | |
| #include <stdio.h> | |
| #define RET 0xC3 | |
| #define INT3 0xCC | |
| #define JE 0x74 | |
| #define JNE 0x75 | |
| #define MOV 0xB8 |
NewerOlder