@wumb0
wumb0 / PatchExtract.ps1
Last active January 14, 2025 07:47
Extract Microsoft MSU files
<#
____ _ _
| _ \ __ _| |_ ___| |__
| |_) / _` | __/ __| '_ \
| __/ (_| | || (__| | | |
|_| \__,_|\__\___|_| |_|
_____ _ _
| ____|_ _| |_ _ __ __ _ ___| |_
| _| \ \/ / __| '__/ _` |/ __| __|
@wumb0
wumb0 / delta_patch.py
Last active January 14, 2025 07:46
A script for applying MS patch deltas
import base64
import hashlib
import zlib
from ctypes import (
CDLL,
POINTER,
LittleEndianStructure,
c_size_t,
c_ubyte,
c_uint64,
param (
[string]$DesktopDeploymentCab,
[string]$PsfFile,
[string]$OutPath,
[switch]$Verbose = $false
)
mkdir -Force $OutPath | Out-Null
$OutPath = Resolve-Path $OutPath
$oldpath = $env:PATH
@wumb0
wumb0 / drcov-3-to-2.py
Last active October 25, 2023 06:50
Convert a drcov version 3 file to drcov version 2 for Lighthouse
"""
drcov version 3 isn't supported by lighthouse :(
convert drcov version 3 with module table version 5 to drcov version 2
with module table version 2 so lighthouse will eat it!
"""
import sys
import re
@wumb0
wumb0 / CodeCoverage.cpp
Last active November 6, 2022 21:29
Slightly modified Lighthouse coverage PIN tool; updated build script to work with PIN 3.21
#include <iostream>
#include <set>
#include <string>
#include <vector>
#include <utility>
#include <iterator>
#include <algorithm>
#include <cstdio>
#include <cstdarg>
#include <cstdlib>
@wumb0
wumb0 / frida-drcov.py
Last active February 8, 2022 18:14
More optimized Frida drcov script for Lighthouse that monitors Windows targets for new threads and modules
#!/usr/bin/env python
from __future__ import print_function
import argparse
import json
import os
import sys
import threading
import functools
@wumb0
wumb0 / asmul8r.py
Created November 29, 2020 18:33
Command-line assembly emulator that lets you quickly see the results of instructions
# requires keystone-engine, capstone, prompt_toolkit, and pygments
import keystone as ks
import unicorn as uc
import math
import sys
from pygments.lexers.asm import NasmLexer
from pygments.styles import get_style_by_name
from prompt_toolkit.shortcuts import prompt
@wumb0
wumb0 / asmconsole.py
Last active May 16, 2020 00:06
Assembler in a loop
'''asm console via keystone for python 2.7
pip install keystone-engine
python asmconsole.py -a ARM -m LITTLE_ENDIAN -f escape -b 0x000086e4
Little endian arm print escape codes and make base address 0x000086e4
'''
from __future__ import print_function
import keystone
import argparse
from sys import exit
@wumb0
wumb0 / MonitorMalware.ps1
Last active May 16, 2020 00:05
WMI consumer and filter that trigger on a Windows Defender malware alert with details
# Permanent WMI event filter: fires within 5 seconds whenever a new 'Malware' instance
# appears in the root\Microsoft\SecurityClient namespace (a Defender/SCEP detection).
$argss = @{Name="MonitorMalwareFilt";QueryLanguage="WQL";Query="select * from __instancecreationevent within 5 where targetinstance isa 'Malware'";EventNamespace="root\Microsoft\SecurityClient"}
$filt = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $argss
# Consumer: pops a message box on every session with the threat name, user, path and severity,
# filled in from the detected instance's properties.
$argss = @{Name="MonitorMalwareCons";CommandLineTemplate="msg * Malware: %TargetInstance.ThreatName% from %TargetInstance.User% at %TargetInstance.Path% (Severity: %TargetInstance.SeverityID%)"}
$cons = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $argss
# Binding ties the filter to the consumer; all three objects persist in root\subscription
# across reboots until they are explicitly removed.
$argss = @{Filter=$filt;Consumer=$cons}
Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $argss