The most common ones are cdecl, stdcall and fastcall.
In function calls, parameters are pushed onto the stack from right to left.
```c
int func(int x, int y, int z, int m, int k);
int a, b, c, d, e, ret;
```

I've transformed this gist into a git repository.
Whenever you research a vulnerability, ask yourself these questions and please answer them for us:
Does the exploited service write a log?
(check `ls -lrt /var/log`, `lsof +D /var/log/` or `lsof | grep servicename`)
| Name | Description |
|---|---|
| Solarwinds | Compromised company used to spread the Sunburst malware through the Orion platform. |
| Orion Platform | Compromised platform used to deliver the Sunburst malware in a supply chain attack. |
| Sunspot | Malware name attributed by CrowdStrike and used to insert the Sunburst backdoor. |
| Sunburst | Malware name attributed by FireEye and inserted in the Orion platform. AKA Solorigate. |
| Solorigate | Malware name attributed by Microsoft and inserted in the Orion platform. AKA Sunburst. |
| Teardrop | Additional payload delivered by the Sunburst backdoor, used to deploy a custom Cobalt Strike Beacon. |
| Raindrop | Loader which delivers a Cobalt Strike payload. Similar to Teardrop. |
| Beacon | Malware name used by FireEye to define the custom Cobalt Strike payload. |
| GoldMax | Written in Go, GoldMax acts as a command-and-control backdoor for the actor. AKA Sunshuttle. |
```vba
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)

'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
    Dim address As LongPtr
```
```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

namespace DinjectorWithQUserAPC
{
    public class Program
```
```python
#!/usr/bin/env python
from multiprocessing.pool import ThreadPool
from time import time as timer
from urllib.request import urlopen
import sys
import re
import os.path

start = timer()
```
```python
import requests
import json
import csv
import os

def printLog(msg, kind):
    msgType = '[+]'
    if kind == 1:
        msgType = '[!]'
```