winterknife
🎯
Focusing
@EvanMcBroom
EvanMcBroom / unlock_ldr.cpp
Last active August 11, 2025 12:43
Example code that may be used in DllMain to unlock the loader lock.
// Copyright (C) 2023 Evan McBroom
// Originally authored October 19th, 2023.
//
// Geoff Chappell first documented the format of the loader lock cookie on November 26th, 2008.
// His work is applied here to unlock the loader lock without knowing the original cookie that
// LdrLockLoaderLock returned. This same example code may be safely used in DllMain to unlock
// the loader lock and execute code that would otherwise deadlock the loader.
// Sources:
// - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/ldrapi/lockloaderlock.htm
// - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/ldrapi/unlockloaderlock.htm
@daaximus
daaximus / create_iso.cpp
Last active July 17, 2025 05:15
create iso using imapi
#include <string>
#include <string_view>
#include <atlbase.h>
#include <imapi2fs.h>
void create_iso( std::wstring_view src, std::wstring_view iso_path )
{
HRESULT hr;
IFileSystemImage* fsimg;
IFsiDirectoryItem* fsdir;
IFileSystemImageResult* fsresult;
@EvanMcBroom
EvanMcBroom / encrypting-strings-at-compile-time.md
Last active October 25, 2025 04:54
Encrypting Strings at Compile Time

Encrypting Strings at Compile Time

Thank you to SpecterOps for supporting this research and to Duane and Matt for proofreading and editing! Crossposted on the SpecterOps Blog.

TLDR: You may use this header file for reliable compile time string encryption without needing any additional dependencies.

Programmers of DRM software, security products, or other sensitive code bases are commonly required to minimize the amount of human readable strings in binary output files. The goal of the minimization is to hinder others from reverse engineering their proprietary technology.

Common approaches that are taken to meet this requirement often add an additional maintenance burden to the developer and are prone to error. These approaches will be presented along with t

@usualsuspect
usualsuspect / daxin_decrypt_embedded.py
Created March 1, 2022 13:17
Code to decrypt embedded driver in Daxin malware sample
#!/usr/bin/env python3
#
# Algorithm used by Daxin to decrypt embedded driver
# Uses slightly modified RC4 (see comment in rc4() below)
#
# Constants fitting for sample
# b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427
#
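The gist preview above names the algorithm but shows neither the RC4 code nor the sample-specific constants. As an added reference point, not the gist's code, here is textbook RC4 in C++ with the key-scheduling and keystream steps spelled out, checked against public test vectors instead of the sample's key and blob. Daxin's "slightly modified" variant is not visible on this page, so nothing below claims to reproduce it; any such tweak would be a change to one of these two loops.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Key-scheduling algorithm (KSA): start from the identity permutation and
// scramble S with the key bytes. Textbook RC4; no sample-specific changes.
std::vector<uint8_t> rc4_ksa(const std::vector<uint8_t>& key) {
    std::vector<uint8_t> S(256);
    for (int i = 0; i < 256; ++i) S[i] = static_cast<uint8_t>(i);
    uint8_t j = 0;
    for (int i = 0; i < 256; ++i) {
        j = static_cast<uint8_t>(j + S[i] + key[i % key.size()]);
        std::swap(S[i], S[j]);
    }
    return S;
}

// Pseudo-random generation (PRGA): one keystream byte per input byte, XORed in.
// RC4 is symmetric, so the same function encrypts and decrypts.
std::vector<uint8_t> rc4(const std::vector<uint8_t>& key, const std::vector<uint8_t>& data) {
    std::vector<uint8_t> S = rc4_ksa(key);
    std::vector<uint8_t> out(data.size());
    uint8_t i = 0, j = 0;
    for (size_t n = 0; n < data.size(); ++n) {
        i = static_cast<uint8_t>(i + 1);
        j = static_cast<uint8_t>(j + S[i]);
        std::swap(S[i], S[j]);
        out[n] = data[n] ^ S[static_cast<uint8_t>(S[i] + S[j])];
    }
    return out;
}

std::vector<uint8_t> bytes_of(const std::string& s) {
    return std::vector<uint8_t>(s.begin(), s.end());
}

std::string to_hex(const std::vector<uint8_t>& v) {
    std::string hex;
    char b[3];
    for (uint8_t c : v) {
        std::snprintf(b, sizeof b, "%02x", c);
        hex += b;
    }
    return hex;
}

// Encrypt an ASCII string under an ASCII key; returns lowercase hex ciphertext.
std::string rc4_hex(const std::string& key, const std::string& plaintext) {
    return to_hex(rc4(bytes_of(key), bytes_of(plaintext)));
}

// Round trip: decrypting the ciphertext with the same key returns the input.
// A real embedded-driver decrypt is this call with the sample's key and blob.
std::string rc4_roundtrip(const std::string& key, const std::string& plaintext) {
    std::vector<uint8_t> ct = rc4(bytes_of(key), bytes_of(plaintext));
    std::vector<uint8_t> pt = rc4(bytes_of(key), ct);
    return std::string(pt.begin(), pt.end());
}

int main() {
    // Public test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    std::printf("%s\n", rc4_hex("Key", "Plaintext").c_str());
    return 0;
}
```

When porting a malware author's variant, diff their KSA and PRGA against these two loops first; the common tweaks (a different initial S, an extra add or swap, a skipped keystream prefix) are all local to one of them and show up immediately once the reference implementation matches the public vectors.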
@EvanMcBroom
EvanMcBroom / sms-crypto-unobfuscate-string.c
Last active January 24, 2024 23:48
SCCM Credential Recovery for Network Access Accounts
/*
* Research by Evan McBroom and Chris Thompson (@_Mayyhem)
* Roger Zander made security recommendations for SCCM based on the claim that NAA credentials could be recovered.
* Source: https://rzander.azurewebsites.net/network-access-accounts-are-evil/
* Roger stated that recovery was "possible with a few lines of code" but did not provide any code. Here is working code.
*/
#include <Windows.h>
#include <stdio.h>
@daaximus
daaximus / ioctl_names.cpp
Last active October 12, 2025 03:46
Most IOCTLs mapped to their code names
#include <cstdint>
typedef struct _ioctl_t
{
const char* ioctl_name;
uint64_t ctl_code;
} ioctl_t;
// This would likely be better used in some unordered map. This is just a temporary data structure for testing resolution.
//
// Results from NtDeviceIoControlFile hook:
// utweb.exe (14916) :: NtDeviceIoControlFile( 0x65c (\Device\Afd), 0x694, 0x0000000000000000, 0x0000000000000000, 0x00000000044DEE90, 0x12024 (IOCTL_AFD_SELECT), 0x0000000004A3FC18, 0x34, 0x0000000004A3FC18, 0x34 )
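The hook line above resolves 0x12024 to IOCTL_AFD_SELECT by table lookup. As an added example (not the gist's table), the code below shows what a resolver should do when the table has no entry: unpack the code into the fields the DDK CTL_CODE macro encodes, and, for \Device\Afd, use the layout AFD actually builds its codes with. That second layout, (FILE_DEVICE_NETWORK << 12) | (operation << 2) | method, is taken from ReactOS's AFD shared header and is why 0x12024 reads as "device type 1, function 0x809" under the standard decode but as "network, operation 9, METHOD_BUFFERED" under AFD's. The one-entry name table is constructed from the page's log line; IOCTL_DISK_GET_DRIVE_GEOMETRY (0x70000) is used as a standard-layout check.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <unordered_map>

// Layout packed by the DDK CTL_CODE macro:
//   bits 31..16 device type, 15..14 required access, 13..2 function, 1..0 method
struct CtlCodeFields {
    uint32_t deviceType;
    uint32_t access;
    uint32_t function;
    uint32_t method;
};

constexpr uint32_t ctl_code(uint32_t deviceType, uint32_t function,
                            uint32_t method, uint32_t access) {
    return (deviceType << 16) | (access << 14) | (function << 2) | method;
}

constexpr CtlCodeFields decode_ctl_code(uint32_t code) {
    return { code >> 16, (code >> 14) & 0x3u, (code >> 2) & 0xFFFu, code & 0x3u };
}

// AFD does not use CTL_CODE. Per ReactOS's AFD shared header:
//   _AFD_CONTROL_CODE(Op, Method) = (FILE_DEVICE_NETWORK << 12) | (Op << 2) | Method
constexpr uint32_t FILE_DEVICE_NETWORK = 0x12;
struct AfdFields { uint32_t base; uint32_t operation; uint32_t method; };

constexpr uint32_t afd_control_code(uint32_t op, uint32_t method) {
    return (FILE_DEVICE_NETWORK << 12) | (op << 2) | method;
}

constexpr AfdFields decode_afd(uint32_t code) {
    return { code >> 12, (code >> 2) & 0x3FFu, code & 0x3u };
}

const char* method_name(uint32_t m) {
    static const char* names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 0x3u];
}

// Name table kept in a map, as the gist's comment suggests. The single entry
// is constructed from the NtDeviceIoControlFile hook line on the page.
const std::unordered_map<uint32_t, std::string>& known_ioctls() {
    static const std::unordered_map<uint32_t, std::string> table = {
        { 0x12024, "IOCTL_AFD_SELECT" },
    };
    return table;
}

// Resolve a code to its name when known; otherwise describe its fields so the
// hook log still says something useful about codes missing from the table.
std::string describe_ioctl(uint32_t code, const std::string& device) {
    auto it = known_ioctls().find(code);
    if (it != known_ioctls().end()) return it->second;
    char buf[96];
    if (device == "\\Device\\Afd") {
        AfdFields f = decode_afd(code);
        std::snprintf(buf, sizeof buf, "AFD op 0x%x %s", f.operation, method_name(f.method));
    } else {
        CtlCodeFields f = decode_ctl_code(code);
        std::snprintf(buf, sizeof buf, "dev 0x%x fn 0x%x %s access %u",
                      f.deviceType, f.function, method_name(f.method), f.access);
    }
    return buf;
}

int main() {
    std::printf("%s\n", describe_ioctl(0x12024, "\\Device\\Afd").c_str());
    std::printf("%s\n", describe_ioctl(0x70000, "\\Device\\Harddisk0\\DR0").c_str());
    return 0;
}
```

Keying the fallback on the device name matters in a hook: the same numeric code can mean different things on different device objects, and a table-only resolver silently mislabels the ones it has never seen.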
@EvanMcBroom
EvanMcBroom / pic-and-string-literals-2.md
Last active July 2, 2025 19:16
Pic and String Literals Part 2

PIC and String Literals Part 2

I previously wrote about how to use macro metaprogramming to simplify using string literals in position independent code (PIC). The results are summarized in the below code snippet and the article can be read on GitHub.

void f() {
    // Example 1: The Pic idiom for instantiating a string
    char picString1[]{ 'a', 'b', 'c' };
@EvanMcBroom
EvanMcBroom / no_strings.hpp
Last active October 22, 2025 06:45
Encrypt Strings at Compile Time
// Copyright (C) 2022 Evan McBroom
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
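The two entries above (encrypting-strings-at-compile-time.md and no_strings.hpp) describe the goal, keeping literals out of the binary without a per-string maintenance burden, but this page shows neither the header nor its technique. What follows is an added example written for this page, not Evan McBroom's header or his method: a constexpr constructor XORs the literal at compile time so only ciphertext lands in the object file, and a deliberately non-constexpr member decrypts into a caller-owned buffer at runtime. The per-byte key stream, the seed derived from __COUNTER__ and __LINE__, and the sample string "NtQuerySystemInformation" are all this example's own choices.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Per-byte key stream: a per-string seed mixed with the byte index, so
// repeated characters do not encrypt to repeated bytes. Example's own choice.
constexpr uint8_t key_byte(uint32_t seed, size_t i) {
    uint32_t x = seed ^ (static_cast<uint32_t>(i) * 0x9E3779B1u);
    x ^= x >> 16;
    x *= 0x85EBCA6Bu;
    x ^= x >> 13;
    return static_cast<uint8_t>(x);
}

template <size_t N, uint32_t Seed>
class EncryptedString {
public:
    // Evaluated at compile time when the object is constexpr, so the object
    // file holds only the XORed bytes, never the literal.
    constexpr explicit EncryptedString(const char (&literal)[N]) : data_{} {
        for (size_t i = 0; i < N; ++i)
            data_[i] = static_cast<uint8_t>(literal[i]) ^ key_byte(Seed, i);
    }

    // Runtime decryption into a caller-owned stack buffer (no heap, nothing
    // written back to .rodata). Deliberately not constexpr.
    template <size_t M>
    void decrypt_into(char (&out)[M]) const {
        static_assert(M >= N, "destination buffer too small");
        for (size_t i = 0; i < N; ++i)
            out[i] = static_cast<char>(data_[i] ^ key_byte(Seed, i));
    }

    std::string decrypt() const {
        char buf[N];
        decrypt_into(buf);
        return std::string(buf, N - 1);   // drop the (encrypted) terminator
    }

    const uint8_t* bytes() const { return data_; }
    static constexpr size_t size() { return N; }

private:
    uint8_t data_[N];
};

template <size_t N, uint32_t Seed>
constexpr EncryptedString<N, Seed> make_encrypted(const char (&literal)[N]) {
    return EncryptedString<N, Seed>(literal);
}

// One seed per use site. __COUNTER__ is available on GCC, Clang and MSVC.
#define ENCRYPTED(str) \
    make_encrypted<sizeof(str), (__COUNTER__ * 0x01000193u) ^ (__LINE__ * 0x811C9DC5u)>(str)

// Usage: the literal is decrypted on the stack each call and never stored in
// cleartext. "NtQuerySystemInformation" is just a constructed sample string.
std::string secret_api_name() {
    static constexpr auto enc = ENCRYPTED("NtQuerySystemInformation");
    char buf[64];
    enc.decrypt_into(buf);
    return std::string(buf);
}

// Scans the bytes that actually reach the binary for a piece of the plaintext.
bool ciphertext_contains(const char* needle) {
    static constexpr auto enc = ENCRYPTED("NtQuerySystemInformation");
    std::string stored(reinterpret_cast<const char*>(enc.bytes()), enc.size());
    return stored.find(needle) != std::string::npos;
}
```

Two checks belong in the build: run `strings` over the produced binary to confirm the literals are gone, and keep the decrypt path out of constant evaluation. An optimizer that can see the whole chain at high optimization levels may still fold a decrypted string back into a constant; that is the "reliable" part the header's TLDR refers to and is exactly what to look for in the disassembly when the `strings` check fails.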
@mrexodia
mrexodia / LowUtilities.cpp
Last active September 26, 2025 19:42 — forked from D4stiny/LowUtilities.cpp
A dependency-less implementation of GetModuleHandle and GetProcAddress.
//
// An implementation of GetModuleHandle and GetProcAddress that works with manually mapped modules, forwarded exports,
// without a CRT standard library, and uses no Windows API or dependencies.
//
// Author: Bill Demirkapi
// License: MIT, appended at the bottom of this document if you care about licensing and want to credit me in your own project.
//
#include <Windows.h>
#include <winternl.h>
@D4stiny
D4stiny / LowUtilities.cpp
Last active June 20, 2025 06:48
A dependency-less implementation of GetModuleHandle and GetProcAddress.
//
// An implementation of GetModuleHandle and GetProcAddress that works with manually mapped modules, forwarded exports,
// without a CRT standard library, and uses no Windows API or dependencies.
//
// Author: Bill Demirkapi
// License: MIT, appended at the bottom of this document if you care about licensing and want to credit me in your own project.
//
#include <Windows.h>
#include <winternl.h>