Thomas M thomasxm
thomasxm
/ gist:44526271daf29d353a457d3ed99dd365
Created
August 25, 2024 17:26
New multi-stage memory guard technique
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| f61f84711cd7d4390885a6dd6796c4644a72535a49b3b3a41415f6c29c12b151 |
thomasxm
/ gist:aa08c7fcaec93a298fdd7db6bef27c34
Created
August 25, 2024 16:23
Advantages of using this new technique
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| bd20507242752040a12a7e0a85383e8b79413b9950389b6372fb6e3c4de8faf1 |
thomasxm
/ gist:5586faee798a174cb97287496240c51c
Created
August 25, 2024 16:18
New memory guard and code execution technique variation gist
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| a429920c992dd4c868f24d35eaa7f978bc3f79bc1cf24c36f3d0d719ebba27b4 |
thomasxm
/ gist:b5e37c0dc0547c2eb4e6a3d9d039f5f3
Created
July 27, 2024 21:13
gist:e75187cee7250f9f2c0e1473a3d707d456af716f54c418f62ad9f3c9414fa121
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| e75187cee7250f9f2c0e1473a3d707d456af716f54c418f62ad9f3c9414fa121 |
thomasxm
/ mask.cpp
Created
July 3, 2024 13:27
— forked from odzhan/mask.cpp
Obfuscation with byte substitution
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // Simple obfuscation using byte substitution | |
| // | |
| #include <cstdio> | |
| #include <cstdint> | |
| #include <cstdlib> | |
| #include <cstring> | |
| #include <cmath> |
thomasxm
/ BaseThreadInitThunk.cpp
Created
June 29, 2024 20:02
— forked from odzhan/BaseThreadInitThunk.cpp
Locating kernel32!BaseThreadInitThunk in NTDLL
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // Every new thread starts with ntdll!RtlUserThreadStart and it typically calls kernel32!BaseThreadInitThunk | |
| // | |
| // Some applications like Mozilla Firefox and Microsoft Edge will replace this with their own function for hooking purposes. | |
| // The following code shows how to find it without using debugging symbols. | |
| // | |
| // @modexpblog | |
| // | |
| #define PHNT_VERSION PHNT_VISTA |
thomasxm
/ BaseThreadInitThunk.cpp
Created
June 29, 2024 20:02
— forked from odzhan/BaseThreadInitThunk.cpp
Locating kernel32!BaseThreadInitThunk in NTDLL
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // Every new thread starts with ntdll!RtlUserThreadStart and it typically calls kernel32!BaseThreadInitThunk | |
| // | |
| // Some applications like Mozilla Firefox and Microsoft Edge will replace this with their own function for hooking purposes. | |
| // The following code shows how to find it without using debugging symbols. | |
| // | |
| // @modexpblog | |
| // | |
| #define PHNT_VERSION PHNT_VISTA |
thomasxm
/ patchless_amsi.h
Created
June 28, 2024 15:23
— forked from CCob/patchless_amsi.h
In-Process Patchless AMSI Bypass
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #ifndef PATCHLESS_AMSI_H | |
| #define PATCHLESS_AMSI_H | |
| #include <windows.h> | |
| static const int AMSI_RESULT_CLEAN = 0; | |
| PVOID g_amsiScanBufferPtr = nullptr; | |
| unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <WinSock2.h> // must preceed #include <windows.h> | |
| #include <WS2tcpip.h> | |
| #include <windows.h> | |
| #include <winnt.h> | |
| #include <winternl.h> | |
| #include <stddef.h> | |
| #include <stdio.h> | |
| #define htons(A) ((((WORD)(A) & 0xff00) >> 8) | (((WORD)(A) & 0x00ff) << 8)) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <WinSock2.h> // must preceed #include <windows.h> | |
| #include <WS2tcpip.h> | |
| #include <windows.h> | |
| #include <winnt.h> | |
| #include <winternl.h> | |
| #include <stddef.h> | |
| #include <stdio.h> | |
| #define htons(A) ((((WORD)(A) & 0xff00) >> 8) | (((WORD)(A) & 0x00ff) << 8)) |
NewerOlder