WizardYoga wizardy0ga

wizardy0ga / TLSCallbacks.c
Created September 17, 2025 04:24
A demonstration of how TLS callbacks are implemented on Windows at a bare minimum.
#include <Windows.h>
// --- 1. Force the linker to emit the TLS directory (IMAGE_DIRECTORY_ENTRY_TLS) by referencing the CRT's _tls_used symbol.
//        This is the x64 spelling; a 32-bit build needs "/INCLUDE:__tls_used" because of the leading-underscore decoration.
#pragma comment( linker, "/INCLUDE:_tls_used" )
// --- 2. Force the linker to keep the TLSCallback variable, which nothing in the code references directly.
#pragma comment( linker, "/INCLUDE:TLSCallback" )
// --- 3. Prototype for the TLS callback. The loader calls it with DLL_PROCESS_ATTACH before main runs, and again for every
//        thread attach/detach. NTAPI matches PIMAGE_TLS_CALLBACK so the pointer assignment in step 4 is type-correct.
VOID NTAPI TlsCallbackFunc( PVOID hModule, DWORD dwReason, PVOID pContext );
// --- 4. Put a pointer to the callback in the .CRT$XLB section. The CRT's TLS directory (_tls_used) points at that
//        array of callback pointers, which is how the loader finds it.
#pragma section( ".CRT$XLB", read )
__declspec( allocate( ".CRT$XLB" ) ) PIMAGE_TLS_CALLBACK TLSCallback = TlsCallbackFunc;
wizardy0ga / pe-extractor.py
Created September 17, 2025 02:54
A small PoC script for extracting Windows PE metadata with Python
import win32api   # referenced by extract_metadata but absent from the original import list
import win32con
import win32gui
import icoextract
import os
def extract_metadata(filepath, icon_output_path=None):
    """Extract metadata from a Windows executable file using win32api."""
    metadata = {}
wizardy0ga / print.c
Created August 23, 2025 19:31
A simple macro for printing to the console in Win32 applications without a C runtime. Can also be used for standard Win32 apps.
// CRT-independent printing macro: uses only kernel32/user32 exports (HeapAlloc, wsprintfA, WriteConsoleA), so it links with /NODEFAULTLIB.
// msg must begin with a %s, because the macro passes __func__ as the first format argument: print("[%s] value = %d", x)
// do { } while (0) keeps the macro safe as a single statement, including directly before an else.
#define print(msg, ...) \
do { \
    LPSTR Buf = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024); /* wsprintfA writes at most 1024 bytes including the terminator */ \
    if (Buf) { \
        int len = wsprintfA(Buf, msg "\n", __func__, __VA_ARGS__); \
        WriteConsoleA(GetStdHandle(STD_OUTPUT_HANDLE), Buf, len, NULL, NULL); \
        HeapFree(GetProcessHeap(), 0, Buf); \
    } \
} while (0)
wizardy0ga / LoadPe.c
Created June 14, 2025 04:11
Load a portable executable in the local process & execute it
/*
@brief
Load a PE in memory and execute it in the address space of this process
@author
wizardy0ga
@usage:
LoadPe.exe <path to exe>
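pe-extractor.py reads PE metadata and LoadPe.c maps a PE into the current process; both begin with the same header walk. The block below is an added example, not code from either gist: a PE32+ header parser with the bounds checks a manual loader needs before it copies anything, followed by the mapping step (headers at offset 0, each section at its RVA). Relocations and import resolution, which a loader like LoadPe.c also has to do, are out of scope. The sample image is constructed in memory by build_sample_pe (assumed layout: two sections, SizeOfImage 0x3000), so the code runs on any host without Windows headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not the gist's code): PE32+ header parsing and section mapping on a constructed image.
 * Field offsets follow the PE/COFF specification; readers are byte-wise so host endianness and struct
 * padding do not matter. */
#define MAX_SECTIONS 8

typedef struct { char name[9]; uint32_t rva, vsize, raw_ptr, raw_size; } pe_section;
typedef struct {
    uint16_t   machine, nsections;
    uint32_t   entry_rva, size_of_image, size_of_headers;
    uint64_t   image_base;
    pe_section sec[MAX_SECTIONS];
} pe_info;

static uint16_t rd16(const uint8_t *b, size_t o) { return (uint16_t)(b[o] | (b[o + 1] << 8)); }
static uint32_t rd32(const uint8_t *b, size_t o) { return rd16(b, o) | ((uint32_t)rd16(b, o + 2) << 16); }
static uint64_t rd64(const uint8_t *b, size_t o) { return rd32(b, o) | ((uint64_t)rd32(b, o + 4) << 32); }

/* Walk DOS header -> NT headers -> optional header -> section table. Every offset is checked against len before
 * it is read, and every section against both the file and SizeOfImage: those are the fields a hostile or
 * truncated file uses to make a loader copy out of bounds. Returns 0 or a negative code naming the failed check. */
int pe_parse(const uint8_t *buf, size_t len, pe_info *pi)
{
    memset(pi, 0, sizeof *pi);
    if (len < 0x40 || rd16(buf, 0) != 0x5A4D) return -1;                        /* "MZ" */
    size_t nt = rd32(buf, 0x3C);                                                   /* e_lfanew */
    if (nt > len || len - nt < 24 || rd32(buf, nt) != 0x00004550) return -2;       /* "PE\0\0" */
    size_t fh = nt + 4, opt = fh + 20;                                             /* IMAGE_FILE_HEADER, then optional header */
    pi->machine   = rd16(buf, fh);
    pi->nsections = rd16(buf, fh + 2);
    uint16_t opt_size = rd16(buf, fh + 16);
    if (opt_size < 112 || len - opt < opt_size) return -3;
    if (rd16(buf, opt) != 0x20B) return -4;                                        /* PE32+ magic; PE32 has other offsets */
    pi->entry_rva       = rd32(buf, opt + 16);
    pi->image_base      = rd64(buf, opt + 24);
    pi->size_of_image   = rd32(buf, opt + 56);
    pi->size_of_headers = rd32(buf, opt + 60);
    if (pi->size_of_headers > len || pi->size_of_headers > pi->size_of_image) return -5;
    size_t st = opt + opt_size;                                                    /* section table, 40 bytes per entry */
    if (pi->nsections > MAX_SECTIONS || len - st < (size_t)pi->nsections * 40) return -6;
    for (unsigned i = 0; i < pi->nsections; i++) {
        pe_section *s = &pi->sec[i];
        size_t h = st + i * 40;
        memcpy(s->name, buf + h, 8); s->name[8] = 0;
        s->vsize = rd32(buf, h + 8);     s->rva = rd32(buf, h + 12);
        s->raw_size = rd32(buf, h + 16); s->raw_ptr = rd32(buf, h + 20);
        if (s->raw_ptr > len || len - s->raw_ptr < s->raw_size) return -7;         /* raw data past end of file */
        uint32_t span = s->vsize > s->raw_size ? s->vsize : s->raw_size;
        if (s->rva > pi->size_of_image || pi->size_of_image - s->rva < span) return -8; /* section past end of image */
    }
    return 0;
}

/* The mapping step of a manual loader: allocate SizeOfImage, copy the headers to offset 0 and each section's raw
 * bytes to its RVA. Only valid after pe_parse returned 0. Caller frees the result. */
uint8_t *pe_map(const uint8_t *buf, const pe_info *pi)
{
    uint8_t *img = calloc(pi->size_of_image, 1);
    if (!img) return NULL;
    memcpy(img, buf, pi->size_of_headers);
    for (unsigned i = 0; i < pi->nsections; i++)
        memcpy(img + pi->sec[i].rva, buf + pi->sec[i].raw_ptr, pi->sec[i].raw_size);
    return img;
}

static void wr16(uint8_t *b, size_t o, uint16_t v) { b[o] = (uint8_t)v; b[o + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *b, size_t o, uint32_t v) { wr16(b, o, (uint16_t)v); wr16(b, o + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *b, size_t o, uint64_t v) { wr32(b, o, (uint32_t)v); wr32(b, o + 4, (uint32_t)(v >> 32)); }

/* Constructed sample (assumed layout): a 0x600-byte PE32+ for AMD64 with .text at RVA 0x1000 (raw 0x200) and
 * .data at RVA 0x2000 (raw 0x400), SizeOfImage 0x3000, entry point at the start of .text. */
#define SAMPLE_LEN 0x600
void build_sample_pe(uint8_t *b)
{
    memset(b, 0, SAMPLE_LEN);
    wr16(b, 0x00, 0x5A4D);  wr32(b, 0x3C, 0x40);                    /* MZ, e_lfanew */
    wr32(b, 0x40, 0x00004550);                                       /* PE\0\0 */
    wr16(b, 0x44, 0x8664);  wr16(b, 0x46, 2);  wr16(b, 0x54, 112);   /* Machine, NumberOfSections, SizeOfOptionalHeader */
    wr16(b, 0x58, 0x20B);                                            /* PE32+ */
    wr32(b, 0x58 + 16, 0x1000);  wr64(b, 0x58 + 24, 0x140000000ULL); /* AddressOfEntryPoint, ImageBase */
    wr32(b, 0x58 + 56, 0x3000);  wr32(b, 0x58 + 60, 0x200);          /* SizeOfImage, SizeOfHeaders */
    size_t st = 0x58 + 112;
    memcpy(b + st, ".text", 5);      wr32(b, st + 8, 0x10);  wr32(b, st + 12, 0x1000); wr32(b, st + 16, 0x200); wr32(b, st + 20, 0x200);
    memcpy(b + st + 40, ".data", 5); wr32(b, st + 48, 0x10); wr32(b, st + 52, 0x2000); wr32(b, st + 56, 0x200); wr32(b, st + 60, 0x400);
    b[0x200] = 0xC3;                                                 /* .text: a single ret at the entry point */
    memcpy(b + 0x400, "payload", 8);                                 /* .data contents */
}

int main(void)
{
    uint8_t file[SAMPLE_LEN]; pe_info pi;
    build_sample_pe(file);
    if (pe_parse(file, SAMPLE_LEN, &pi) != 0) return 1;
    uint8_t *img = pe_map(file, &pi);
    printf("machine 0x%04X, %u sections, ImageBase 0x%llX, entry RVA 0x%X -> first byte 0x%02X\n",
           pi.machine, pi.nsections, (unsigned long long)pi.image_base, pi.entry_rva, img[pi.entry_rva]);
    for (unsigned i = 0; i < pi.nsections; i++)
        printf("  %-8s rva 0x%05X raw 0x%03X+0x%X\n", pi.sec[i].name, pi.sec[i].rva, pi.sec[i].raw_ptr, pi.sec[i].raw_size);
    free(img);
    return 0;
}
```

The negative return codes are deliberately distinct so a fuzzing harness or a log line can say which check a malformed input tripped; a loader that skips checks -7 and -8 will read past its input buffer on a file whose section table lies about sizes.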
wizardy0ga / Win32Hash.h
Created February 14, 2025 13:57
A header-file library template to support function resolution via API hashing on Windows
#pragma once
#include <windows.h>
#include <stdio.h>
// Seed and precomputed hashes. The constant values are specific to this header's hash routine; the resolver computes the
// same hash over each export name at run time and compares it with these, so no API name string is present in the binary.
#define SEED_HASH 8888
#define KERNEL32_HASH 0xA52DE12A
#define LOAD_LIBRARY_HASH 0xF4DAB6A4
// UNICODE_STRING as found in the PEB loader entries: UTF-16, Length in bytes, not NUL-terminated.
// Declared under a private tag to avoid clashing with winternl.h; the typedef names are chosen here.
typedef struct _UNICODE_STRING_
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING_, *PUNICODE_STRING_;
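Win32Hash.h resolves APIs by comparing precomputed hashes against hashes of export names computed at run time. The block below is an added example of that resolution loop in portable C, not the header's code: a seeded FNV-1a is assumed in place of the header's hash routine (so its outputs do not equal KERNEL32_HASH or LOAD_LIBRARY_HASH), a constructed array stands in for IMAGE_EXPORT_DIRECTORY, and the module-name hash is computed over a UTF-16 UNICODE_STRING-style buffer with case folding, because the PEB's loader list does not use consistent case for module names. It also includes the collision check to run at build time whenever a hash is added to the header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: seeded FNV-1a is assumed as the hash. It is NOT the routine behind the KERNEL32_HASH /
 * LOAD_LIBRARY_HASH values in Win32Hash.h, so the numbers printed by main() will not match those defines. */
#define HASH_SEED 0x811C9DC5u

static uint32_t hash_step(uint32_t h, uint8_t c) { return (h ^ c) * 16777619u; }

/* Hash an export name as it is stored in the export name table: ANSI, NUL-terminated, case-sensitive
 * ("LoadLibraryA" and "LoadLibraryW" are different exports and must hash differently). */
uint32_t hash_ansi(const char *s)
{
    uint32_t h = HASH_SEED;
    while (*s) h = hash_step(h, (uint8_t)*s++);
    return h;
}

/* Hash a module name the way it is found in the PEB's loader list: a UNICODE_STRING, i.e. UTF-16 units with a byte
 * Length and no terminator. The name is folded to lowercase first because the list holds "KERNEL32.DLL" on some
 * systems and "kernel32.dll" on others; only the low byte of each unit is hashed, which is enough for ASCII names. */
uint32_t hash_unicode_ci(const uint16_t *buf, uint16_t length_bytes)
{
    uint32_t h = HASH_SEED;
    for (size_t i = 0; i < length_bytes / 2u; i++) {
        uint16_t c = buf[i];
        if (c >= 'A' && c <= 'Z') c = (uint16_t)(c + ('a' - 'A'));
        h = hash_step(h, (uint8_t)c);
    }
    return h;
}

/* Widen an ASCII string to UTF-16 to build a UNICODE_STRING-style buffer for testing; returns Length in bytes. */
uint16_t ascii_to_utf16(const char *s, uint16_t *out, size_t cap)
{
    size_t n = 0;
    while (s[n] && n < cap) { out[n] = (uint16_t)(uint8_t)s[n]; n++; }
    return (uint16_t)(n * 2);
}

/* Constructed stand-in for IMAGE_EXPORT_DIRECTORY's name table and the function RVAs it maps to. */
typedef struct { const char *name; uint32_t rva; } fake_export;
const fake_export k32_exports[] = {
    { "CreateFileA",    0x1A2B0 },
    { "GetProcAddress", 0x2C3D0 },
    { "LoadLibraryA",   0x3E4F0 },
    { "LoadLibraryW",   0x3E600 },
    { "VirtualAlloc",   0x50610 },
};
#define K32_COUNT (sizeof k32_exports / sizeof k32_exports[0])

/* The resolver loop: hash every exported name at run time and stop at the first match. A real resolver does the
 * same walk over AddressOfNames / AddressOfNameOrdinals / AddressOfFunctions. Returns the RVA or 0. */
uint32_t resolve_by_hash(const fake_export *tbl, size_t n, uint32_t want)
{
    for (size_t i = 0; i < n; i++)
        if (hash_ansi(tbl[i].name) == want) return tbl[i].rva;
    return 0;
}

/* Build-time check for any API-hashing header: a 32-bit hash can collide, and a collision means the resolver
 * silently returns the wrong function. Returns the number of colliding pairs in the table. */
size_t count_hash_collisions(const fake_export *tbl, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (hash_ansi(tbl[i].name) == hash_ansi(tbl[j].name)) c++;
    return c;
}

int main(void)
{
    /* Print the values that would go into #defines such as KERNEL32_HASH and LOAD_LIBRARY_HASH. */
    printf("#define KERNEL32_HASH     0x%08X\n", hash_ansi("kernel32.dll"));
    printf("#define LOAD_LIBRARY_HASH 0x%08X\n", hash_ansi("LoadLibraryA"));
    printf("LoadLibraryA resolves to RVA 0x%X\n", resolve_by_hash(k32_exports, K32_COUNT, hash_ansi("LoadLibraryA")));
    return 0;
}
```

The module-name hash and the export-name hash are kept as two functions on purpose: the first input is a UTF-16 string of known byte length that needs case folding, the second is an ANSI C string that must stay case-sensitive, and using one routine for both is the usual source of "hash matches on my machine but not on the target" bugs.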
wizardy0ga / NtChunkAllocate.C
Created December 3, 2024 00:58
Writing a payload into memory via chunking with the NT API
/*
Description:
    Copies a payload into memory one page at a time using NTAPI calls rather than a single commit of the whole buffer.
    Splitting the allocation into separately committed pages is intended to frustrate EDR memory scanners that key on one large, contiguous executable region.
    A reserved, read-only page is left at the top of the allocation. Each page below it holds the next 4096-byte chunk of the payload.
    | Page 1   | 4096 bytes | Reserved  | R
    | Page 2   | 4096 bytes | Committed | RX
    | Page 3   | 4096 bytes | Committed | RX
    | Page ... | 4096 bytes | Committed | RX
wizardy0ga / ChunkToMemory.c
Created December 2, 2024 14:03
Copying data into memory through chunking
/*
Description:
    Copies a payload into memory one page at a time rather than with a single commit of the whole buffer.
    Splitting the allocation into separately committed pages is intended to frustrate EDR memory scanners that key on one large, contiguous executable region.
    A reserved, read-only page is left at the top of the allocation. Each page below it holds the next 4096-byte chunk of the payload.
    | Page 1   | 4096 bytes | Reserved  | R
    | Page 2   | 4096 bytes | Committed | RX
    | Page 3   | 4096 bytes | Committed | RX
    | Page ... | 4096 bytes | Committed | RX
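The layout above (one leading page that is never filled, then one committed page per 4096-byte chunk) is the same in NtChunkAllocate.C and ChunkToMemory.c. The block below is an added example, not code from either gist: it reproduces the reserve-then-commit-per-page sequence with the POSIX calls mmap(PROT_NONE) and mprotect standing in for the NT reserve/commit/protect calls, so it runs outside Windows. Two assumptions are made: each page is sealed read-only rather than read-execute so the example also runs where executable anonymous memory is refused, and the page size comes from sysconf rather than being fixed at 4096. The payload is constructed bytes whose length is deliberately not a page multiple.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example: mmap(PROT_NONE) plays the role of the NT reserve call and mprotect the role of commit + protect.
 * The gists assume 4096-byte pages; sysconf is used so the example also runs on hosts with larger pages. */
static size_t page_size(void)
{
    long p = sysconf(_SC_PAGESIZE);
    return p > 0 ? (size_t)p : 4096;
}

typedef struct {
    uint8_t *base;        /* start of the reserved region; the first page is never committed */
    size_t   total_pages; /* lead page + one page per chunk */
    size_t   committed;   /* pages actually filled */
} chunk_region;

/* Reserve total_pages with no access, then walk the payload in page-sized chunks: make one page writable, copy the
 * chunk, and seal it. The last chunk is usually short and the copy length accounts for that.
 * Returns 0 on success; on any failure the whole region is released and -1 returned. */
int chunk_map(const uint8_t *payload, size_t len, chunk_region *r)
{
    size_t page = page_size();
    size_t data_pages = (len + page - 1) / page;
    r->total_pages = data_pages + 1;
    r->committed = 0;
    void *m = mmap(NULL, r->total_pages * page, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) { r->base = NULL; return -1; }
    r->base = (uint8_t *)m;
    for (size_t i = 0; i < data_pages; i++) {
        uint8_t *dst = r->base + (i + 1) * page;        /* +1 skips the lead page */
        size_t n = len - i * page;
        if (n > page) n = page;
        if (mprotect(dst, page, PROT_READ | PROT_WRITE) != 0) goto fail;
        memcpy(dst, payload + i * page, n);
        /* The gists end with RX (PAGE_EXECUTE_READ). Read-only is assumed here so the example runs where
         * executable anonymous memory is refused; use PROT_READ | PROT_EXEC for the real sequence. */
        if (mprotect(dst, page, PROT_READ) != 0) goto fail;
        r->committed++;
    }
    return 0;
fail:
    munmap(r->base, r->total_pages * page);
    r->base = NULL;
    return -1;
}

/* Payload bytes start one page past the base; the lead page stays inaccessible. */
const uint8_t *chunk_payload(const chunk_region *r) { return r->base + page_size(); }

void chunk_release(chunk_region *r)
{
    if (r->base) munmap(r->base, r->total_pages * page_size());
    r->base = NULL;
}

/* Constructed sample payload: deliberately not a page multiple so the final partial chunk is exercised. */
#define SAMPLE_LEN (2 * 4096 + 100)
uint8_t sample_payload[SAMPLE_LEN];
size_t fill_sample_payload(void)
{
    for (size_t i = 0; i < SAMPLE_LEN; i++) sample_payload[i] = (uint8_t)(i * 7 + 3);
    return SAMPLE_LEN;
}

int main(void)
{
    size_t n = fill_sample_payload();
    chunk_region r;
    if (chunk_map(sample_payload, n, &r) != 0) { perror("chunk_map"); return 1; }
    printf("%zu-byte payload: %zu pages reserved, %zu committed, data at base+0x%zx\n",
           n, r.total_pages, r.committed, page_size());
    printf("round trip %s\n", memcmp(chunk_payload(&r), sample_payload, n) == 0 ? "ok" : "MISMATCH");
    chunk_release(&r);
    return 0;
}
```

Note what the sequence does and does not change: the bytes still end up contiguous in virtual memory one page past the base, so a scanner that walks the region by VAD/mapping rather than by individual commit granularity sees the same payload; the layout only removes the single large commit-and-protect event.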
wizardy0ga / DrmProtection.C
Last active December 25, 2024 04:38
A PoC DRM-protected program for Windows
/*
Description:
    Program is a PoC DRM implementation. The program will only execute on the Windows device on which it first executed.
    If it's copied to another device, it will delete itself on execution.
    A signature is kept in the .rdata section of the binary. On first execution, if the signature is the default signature,
    DRM will be initialized. This consists of hashing the BIOS's UUID and replacing the default signature with that
    hash. When the program executes again, it checks the hash of the BIOS's UUID against the signature stored in the
    .rdata section. If the hashes don't match, the program deletes itself.
    Note that the UUID is readable by any local user and the check is a plain comparison inside the binary, so this
    stops casual copying only; it is not a defence against someone willing to patch the comparison.
wizardy0ga / SelfDeleteWin32.c
Last active April 11, 2025 02:03
Force a Windows executable to delete itself by renaming its primary data stream and then removing the file via the SetFileInformationByHandle API
#include <windows.h>
#include <winternl.h>
// New name for the image's primary ($DATA) stream. A running executable cannot be deleted directly because its image
// section is in use, but renaming the primary stream and then setting a delete disposition on the same handle gets around that.
#define STREAM_NAME L":XanWudS"
BOOL SelfDelete(void)
{
    HANDLE hFile = INVALID_HANDLE_VALUE;
    PWSTR szImageName = NULL;                                     // full path of the running executable
    FILE_DISPOSITION_INFO DisposalInfo = { .DeleteFile = TRUE };  // applied with FileDispositionInfo after the stream rename
wizardy0ga / AmsiBypassDll.c
Last active November 3, 2024 01:10
Demonstration of an AMSI bypass via DLL injection into a PowerShell process
#include "pch.h"        // precompiled header from the Visual Studio DLL project template
#include <Windows.h>
#include <stdio.h>
// x86/x64 opcode bytes used by the patch
#define RET  0xC3       // ret
#define INT3 0xCC       // int3 (software breakpoint)
#define JE   0x74       // je/jz rel8
#define JNE  0x75       // jne/jnz rel8
#define MOV  0xB8       // mov eax, imm32