kapiushion
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /// Return, but across multiple frames. | |
| /// | |
| /// This function unwinds the given number of frames, then sets the return value provided, emulating as if this number | |
| /// of functions returned, with the last one returning the value provided in RetVal. Can be used to hook a callee when | |
| /// you don't have a convenient way to hook it directly and actually just want to stub it out with a return value. | |
| /// | |
| /// @param FramesToSkip The number of frames to skip, starting from the current frame. | |
| /// @param RetVal The value to return from the last frame. | |
| /// @param Context Context to start from, in case you want to SuperReturn from somewhere deeper. | |
| DECLSPEC_NOINLINE void SuperReturn( |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| Compile with your C console project. | |
| */ | |
| #include <stdio.h> | |
| #include <windows.h> | |
| #define __UNKNOWN_APP 0 | |
| #define __CONSOLE_APP 1 | |
| #define __GUI_APP 2 |
ThePirateWhoSmellsOfSunflowers
/ netdumper.py
Last active
July 1, 2025 14:39
This script perform a netsync attack. No SMB involved
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from impacket.dcerpc.v5 import epm, rpcrt, transport, nrpc, samr | |
| from impacket.uuid import bin_to_uuidtup | |
| from impacket.crypto import SamDecryptNTLMHash | |
| from impacket.nt_errors import STATUS_MORE_ENTRIES | |
| from impacket.dcerpc.v5.rpcrt import DCERPCException | |
| from binascii import unhexlify, hexlify | |
| from random import randbytes | |
| import sys | |
| import argparse |
MEhrn00
/ bin2coff.py
Last active
October 21, 2025 16:14
Small Python script for generating COFFs with data embedded from arbitrary binary files.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """bin2coff.py | |
| usage: bin2coff.py [-h] [-s SYMBOL] [-m {amd64,i386,arm,arm64}] input [output] | |
| Converts an arbitrary file into a linkable COFF. | |
| positional arguments: | |
| input Input file for generating the COFF | |
| output Output for the generated COFF (defaults to the input file name with a '.o' extension) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| extern void mylib_test(); | |
| int main() | |
| { | |
| puts("Hello, world!"); | |
| // NOTE: Your project must use at least one symbol from the static library | |
| mylib_test(); |
wizardy0ga
/ DrmProtection.C
Last active
December 25, 2024 04:38
A PoC DRM protected program for windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Description: | |
| Program is a PoC DRM implementation. The program will only execute on the windows device that it first executed | |
| on. If it's copied to another device, it will delete itself on execution. | |
| A signature is kept in the rdata section of the binary. On fisrt exection, if the signature is the default signature, | |
| DRM will be initialized. This process consists of hashing the BIOS's UUID, & replacing the default signature with this | |
| hash. When the program executes again, it will check the BIOS's UUID hash against the signature stored in the | |
| .rdata section. If the hash doesn't match, the program deletes itself. |
mgeeky
/ AddVectoredExceptionHandler.cpp
Created
October 22, 2024 22:16
Rebuilt RtlAddVectoredExceptionHandler so that it doesn't use the ntdll imported function. This way it would be more difficult than just putting a breakpoint on RtlAddVectoredExceptionHandler to log your function. To make it a little better you could inline EncodePointer which would only a few extra lines. Structs might be documented somewhere h…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <winternl.h> | |
| // Types | |
| using LdrProtectMrdata_t = void(__stdcall*)(int); | |
| using LdrProtectMrdataHeap_t = void(__thiscall*)(int); | |
| struct ExceptionRecord_t { | |
| LIST_ENTRY entry; | |
| int* unknown_intptr; |
EvanMcBroom
/ unlock_ldr.cpp
Last active
August 11, 2025 12:43
Example code that may be used in DllMain to unlock the loader lock.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Copyright (C) 2023 Evan McBroom | |
| // Originally authored October 19th, 2023. | |
| // | |
| // Geoff Chappell first documented the format of the loader lock cookie on November 26th, 2008. | |
| // His work is applied here to unlock the loader lock without knowing the original cookie that | |
| // LdrLockLoaderLock returned. This same example code may be safely used in DllMain to unlock | |
| // the loader lock and execute code that would otherwise deadlock the loader. | |
| // Sources: | |
| // - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/ldrapi/lockloaderlock.htm | |
| // - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/ldrapi/unlockloaderlock.htm |
cicero343
/ getsessionkey.py
Last active
August 19, 2024 21:14
— forked from khr0x40sh/random_session_key_calc.py
Get Session Key for encrypted traffic in PCAP (Interactive)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| This is a Python3 improved/interactive version of the script made by khr0x40sh for decrypting encrypted session keys in a PCAP file to view encrypted traffic. | |
| If you don't specify the parameters, it should ask you for the parameter values. | |
| It will check to see if pycryptodomex is installed, and if not, it will install it. | |
| It can also accept NTML hashes directly as well as passwords. |
wizardy0ga
/ main.c
Last active
December 25, 2024 00:49
Unhooking NTDLL using an unhooked text section from a suspended process, syswhispers3 style (indirect syscalls)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: | |
| wizardy0ga | |
| Date: | |
| June 2024 | |
| Arch: | |
| x64 | |
| Tested on: | |
| Windows 10 19045.4529 | |
| Compiler: |
NewerOlder