a10ncoder
a10ncoder
/ memBruteforce.cpp
Created
October 14, 2021 10:38
— forked from aaaddress1/memBruteforce.cpp
Windows 32-bit Shellcode Design without TEB & fs:30h
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // memBruteforce.cpp by [email protected] | |
| // brute search loaded moudules in memory | |
| // rewrite from https://www.exploit-db.com/exploits/45293 | |
| #include <Windows.h> | |
| #include <iostream> | |
| #pragma warning(disable:4996) | |
| bool isMemExist(size_t addr) { | |
| int retv; | |
| __asm { |
a10ncoder
/ crude_ioctl_fuzzer.py
Created
September 15, 2021 08:17
— forked from uf0o/crude_ioctl_fuzzer.py
A crude IOCTL fuzzer for windows driver testing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import random | |
| import sys | |
| import io | |
| from ctypes import windll, POINTER, byref | |
| from ctypes.wintypes import LPVOID, DWORD, LPCSTR, LPSTR, BOOL, HANDLE | |
| DeviceIoControl = windll.kernel32.DeviceIoControl | |
| CreateFileA = windll.kernel32.CreateFileA | |
| CloseHandle = windll.kernel32.CloseHandle |
a10ncoder
/ info.txt
Created
June 17, 2021 08:15
— forked from hook-s3c/info.txt
Disable Powershell logging
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Logs are held by default in the user profile: | |
| \AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt | |
| this directory also hosts per-application logs | |
| -------------------------------------------------------------- | |
| Disable Logging... | |
| remove-module psreadline |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Text; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.ComponentModel; | |
| using System.Linq; | |
| using System.Net; | |
| using System.Net.Sockets; |
a10ncoder
/ mem-loader.asm
Created
February 7, 2020 11:28
— forked from zznop/mem-loader.asm
Fun little loader shellcode that executes an ELF in-memory using an anonymous file descriptor (inspired by https://x-c3ll.github.io/posts/fileless-memfd_create/)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; | |
| ;;; | |
| ;;; Copyright (C), zznop, [email protected] | |
| ;;; | |
| ;;; This software may be modified and distributed under the terms | |
| ;;; of the MIT license. See the LICENSE file for details. | |
| ;;; | |
| ;;; DESCRIPTION | |
| ;;; | |
| ;;; This PoC shellcode is meant to be compiled as a blob and prepended to a ELF |
a10ncoder
/ inject.c
Created
May 9, 2018 07:34
— forked from hfiref0x/inject.c
Process Doppelgänging
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // Ref = src | |
| // https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf | |
| // | |
| // Credits: | |
| // Vyacheslav Rusakov @swwwolf | |
| // Tom Bonner @thomas_bonner | |
| // | |
| #include <Windows.h> |
a10ncoder
/ PsCallImageNotifyRoutines.c
Created
May 8, 2017 12:38
— forked from swwwolf/PsCallImageNotifyRoutines.c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NTSTATUS | |
| MmLoadSystemImage(IN PUNICODE_STRING ImageFileName, | |
| IN PUNICODE_STRING NamePrefix OPTIONAL, | |
| IN PUNICODE_STRING LoadedBaseName OPTIONAL, | |
| IN ULONG LoadFlags, | |
| OUT PVOID *ImageHandle, | |
| OUT PVOID *ImageBaseAddress) { | |
| // ... | |
| if ( PsImageNotifyEnabled ) { | |
| IMAGE_INFO ImageInfo; |