Skip to content

Instantly share code, notes, and snippets.

View EvanMcBroom's full-sized avatar

Evan McBroom EvanMcBroom

234 followers · 257 following
View GitHub Profile
@mattifestation
mattifestation / WmiEventConsumerClassDerivation.ps1
Last active November 15, 2023 18:21
function New-ActiveScriptEventConsumerClass {
<#
.SYNOPSIS
Creates an ActiveScriptEventConsumer WMI class in the namespace of your choosing.
.DESCRIPTION
New-ActiveScriptEventConsumerClass creates a clone of the ActiveScriptEventConsumer WMI event consumer class using the class name and namespace name of your choosing.
@arkadiyt
arkadiyt / cryptopals_set_8.md
Last active April 11, 2025 22:48
Cryptopals Set 8

Cryptopals is a set of cryptographic challenges, originally published here: https://cryptopals.com

Set 8 of the challenges was never published publicly, until late March 2018. However the cryptopals website was not updated to include the challenges. This gist compiles the 8th set of the Cryptopals challenges.

title link
57. Diffie-Hellman Revisited: Small Subgroup Confinement https://toadstyle.org/cryptopals/513b590b41d19eff3a0aa028023349fd.txt
58. Pollard's Method for Catching Kangaroos https://toadstyle.org/cryptopals/3e17c7b35fcf491d08c989081ed18c9a.txt
59. Elliptic Curve Diffie-Hellman and Invalid-Curve Attacks https://toadstyle.org/cryptopals/a0833e607878a80fdc0808f889c721b1.txt
@mohanpedala
mohanpedala / bash_strict_mode.md
Last active May 19, 2026 07:42
set -e, -u, -o, -x pipefail explanation
@mattifestation
mattifestation / TLGMetadataParser.psm1
Last active May 5, 2026 22:33
Retrieves TraceLogging metadata from a file.
#requires -version 5
<#
The things you find on Google searching for specific GUIDs...
Known Keyword friendly names:
"UTC:::CATEGORYDEFINITION.MS.CRITICALDATA":"140737488355328"
"UTC:::CATEGORYDEFINITION.MS.MEASURES":"70368744177664"
"UTC:::CATEGORYDEFINITION.MS.TELEMETRY":"35184372088832"
"UTC:::CATEGORYDEFINITION.MSWLAN.CRITICALDATA":"2147483648"
@masthoon
masthoon / rpc_dump_rs5.txt
Created January 15, 2019 06:49
RPC interfaces RS5
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 368 at 0x5306908L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
64
Interfaces :
Endpoints :
@olamotte
olamotte / Binary SD to human readable DACL
Created January 12, 2020 16:45
Windows Registry conversion from binary Security Descriptor to SDDL DACL
#Example: Which users can access the SMB Session information on a Windows 10 computer (NetCease status)
#Retrieve the binary value
$acl=Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity -Name SrvsvcSessionInfo
#Use WMI helper to obtain a converter
$converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
#Do the conversion to SDDL
$outsddl = $converter.BinarySDToSDDL($acl.SrvsvcSessionInfo)
@monoxgas
monoxgas / main.cpp
Created February 12, 2020 22:19
Adaptive DLL Hijacking - Patching LoadLibrary Return
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
BOOL PatchTheRet(HMODULE realModule) {
// Get primary module info
@micjabbour
micjabbour / CMakeLists.txt
Last active December 8, 2025 18:35
Suppress Windows Error Reporting crash dialogs
cmake_minimum_required(VERSION 3.2)
project(suppress_wer)
option(USE_DEBUGGER_BASED_SOLUTION "Uses a debugger-based solution instead of SetErrorMode. See suppress_wer_debugger.cpp for details" OFF)
if(USE_DEBUGGER_BASED_SOLUTION)
add_executable(suppress_wer suppress_wer_debugger.cpp)
else()
add_executable(suppress_wer suppress_wer_set_error_mode.cpp)
endif()
@GavinRay97
GavinRay97 / Makefile
Last active December 28, 2025 16:28
Dump C/C++ vtable & record layout information (clang + msvc + gcc)
# Requirements:
# clang - The classes/structs you want to dump must be used in code at least once, not just defined.
# MSVC - The classes/structs you want to dump must have "MEOW" in the name for "reportSingleClass" to work.
# Usage:
# $ make dump_vtables file=test.cpp
dump_vtables:
clang -cc1 -fdump-record-layouts -emit-llvm $(file) > clang-vtable-layout-$(file).txt
clang -cc1 -fdump-vtable-layouts -emit-llvm $(file) > clang-record-layout-$(file).txt
g++ -fdump-lang-class=$(file).txt $(file)
cl.exe $(file) /d1reportSingleClassLayoutMEOW > msvc-single-class-vtable-layout-$(file).txt
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.