Dmytro Oleksiuk Cr4sh

@Cr4sh
Cr4sh / expl_msr_ko.py
Created July 1, 2020 23:32
msr.ko Linux kernel lockdown bypass PoC
import sys, os, mmap, subprocess
from struct import pack, unpack
from ctypes import *
IA32_SYSENTER_ESP = 0x175
IA32_SYSENTER_EIP = 0x176
class PyObj(Structure):
_fields_ = [( 'ob_refcnt', c_size_t ),
@Cr4sh
Cr4sh / at_commands_grammar.json
Last active June 12, 2020 06:58
AT commands fuzzer grammar file
{
"AT_CMD_GRAMMARS": {
"+CGSN": {
"struct": ["cmd"],
"cmd": "+CGSN"
},
"+CIND": {
"struct": ["cmd"],
@Cr4sh
Cr4sh / at_fuzzer.py
Last active June 12, 2020 06:59
AT commands fuzzer based on ATFuzzer code base
#!/usr/bin/env python2
'''
********************************************************************************
AT commands fuzzer based on ATFuzzer code base.
* https://github.com/Imtiazkarimik23/ATFuzzer
* https://relentless-warrior.github.io/wp-content/uploads/2019/11/atfuzz.pdf
@Cr4sh
Cr4sh / UAC-TokenMagic.ps1
Created August 14, 2019 23:41
UAC Token Magic
function UAC-TokenMagic {
<#
.SYNOPSIS
Based on James Forshaw's three part post on UAC, linked below, and possibly a technique
used by the CIA!
Essentially we duplicate the token of an elevated process, lower its mandatory
integrity level, use it to create a new restricted token, impersonate it and
use the Secondary Logon service to spawn a new process with High IL. Like
playing hide-and-go-seek with tokens! ;))
@Cr4sh
Cr4sh / Masquerade-PEB.ps1
Created August 14, 2019 23:39
Masquerade PEB
function Masquerade-PEB {
<#
.SYNOPSIS
Masquerade-PEB uses NtQueryInformationProcess to get a handle to powershell's
PEB. From there it replaces a number of UNICODE_STRING structs in memory to
give powershell the appearance of a different process. Specifically, the
function will overwrite powershell's "ImagePathName" & "CommandLine" in
_RTL_USER_PROCESS_PARAMETERS and the "FullDllName" & "BaseDllName" in the
_LDR_DATA_TABLE_ENTRY linked list.
@Cr4sh
Cr4sh / socks_proxy.py
Created July 24, 2019 21:38
Simple SOCKS5 server in Python
import sys, os, select, socket
from struct import pack, unpack
from socketserver import ThreadingMixIn, TCPServer, StreamRequestHandler
from optparse import OptionParser, make_option
from config import Conf
BUFF_SIZE = 0x1000
# UPnP Port Mapper
import os
import sys
import re
import urllib2
from xml import sax
from xml.sax import handler
from xml.sax.handler import feature_namespaces
import socket
@Cr4sh
Cr4sh / diag_msg.py
Created May 21, 2019 04:15
Debug messages monitor for Qualcomm cellular modems
#!/usr/bin/env python
###############################################################
#
# Debug messages monitor for Qualcomm cellular modems.
#
# This program talks to the baseband firmware over the
# diag protocol serial port.
#
# Written by:
@Cr4sh
Cr4sh / diag_msg.log
Created May 21, 2019 04:14
diag_msg.py log file example
[+] Opening /dev/ttyUSB1
[+] Device model: 9607.gen
[+] Revision: 100
[20.05.19/23:39:56] [0000] wmgrcore.c(274) : wmgr_reset_old_data: Client: 6, duration:917, reservation_time: 3656507, result: 2, collision_type: 0
[20.05.19/23:39:56] [000e] wtr2965_trx_wcdma_rx_class.cpp(779) : wtr2965_trx_wcdma_rx_class::set_port path 0, band 4,port 22
[20.05.19/23:39:56] [000e] wtr2965_trx_wcdma_rx_class.cpp(4097) : wtr2965_RX_gain: valid=0, st0=0, st1=1, st2=3, st3=4
[20.05.19/23:39:56] [005d] mcpm_resrc_modem_blk.c(991) : Reg Val: 65536; : Expected val: 65536; waitcount: 0; ID: 0x2
[20.05.19/23:39:56] [005d] mcpm_resrc_modem_blk.c(1749) : MCPM_MODEM_BLK: Committed MEM_SLP_CNTL 0x2, Reg states mem_slp: 0x200->0x20300 clamps: io 0x15->0x40 mem 0x1->0x2
[20.05.19/23:39:56] [000e] wtr2965_trx_wcdma_rx_class.cpp(534) : wtr2965_trx_wcdma_rx_class::set_chan is successful for RFM_DEVICE_0
@Cr4sh
Cr4sh / DmaHvBackdoor.c
Last active May 24, 2025 00:25
Hyper-V backdoor for UEFI
/*
*********************************************************************
Part of UEFI DXE driver code that injects Hyper-V VM exit handler
backdoor into the Device Guard enabled Windows 10 Enterprise.
Execution starts from new_ExitBootServices() -- a hook handler
for EFI_BOOT_SERVICES.ExitBootServices() which is called by
winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi
transfers execution to previously loaded Hyper-V kernel (hvix64.sys)