Frank Spierings FrankSpierings
@FrankSpierings
FrankSpierings / README.md
Last active October 10, 2024 08:28
Understanding potatoes
@FrankSpierings
FrankSpierings / README.md
Created October 4, 2024 05:54
Notes on the excellent tooling NtObjectManager of James Forshaw, regarding RPC.
@FrankSpierings
FrankSpierings / CVE-2024-4367-example.html
Created September 18, 2024 16:06
CVE-2024-4367 Example
<!DOCTYPE html>
<html lang="en">
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/pdf.js/4.1.392/pdf.min.mjs" type="module"></script>
</head>
<body>
<h1>CVE-2024-4367</h1>
<div id="pdf-viewer"></div>
@FrankSpierings
FrankSpierings / frida-inject-webview-javascript-interface.js
Created August 31, 2024 12:53
Override Android WebView to include a custom JavaScript handler
Java.perform(() => {
    // Register a new WebAppInterface Javascript environment
    const WebView = Java.use('android.webkit.WebView');
    const WebAppInterface = Java.registerClass({
        name: 'com.evil.WebAppInterface',
        fields: {
            mContext: 'android.content.Context',
        },
        methods: {
            $init: [{
@FrankSpierings
FrankSpierings / create_apk.sh
Last active August 31, 2024 14:05
Create an Android application on the command line, without Android Studio
# From the current working directory...
mkdir -p app/src/main/res/values
mkdir -p app/src/main/res/layout
mkdir -p app/src/main/java/com/example/helloworld
cat > app/src/main/AndroidManifest.xml << _EOF
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.helloworld">
@FrankSpierings
FrankSpierings / find-appids-ios.sh
Created July 30, 2024 06:56
Shell script to find names and identifiers on a rooted iOS phone
# Map each app container GUID under /var/containers/Bundle/Application to its bundle identifier
for app in /var/containers/Bundle/Application/*; do
    guid=$(basename "$app")
    # Quote the container path but leave the *.app glob unquoted so it still expands
    name=$(plutil "$app"/*.app/Info.plist | grep CFBundleIdentifier)
    echo "$name => $guid"
done
@FrankSpierings
FrankSpierings / Android.MASTG-TEST-0006.frida.js
Created July 29, 2024 09:34
Android - MASTG-TEST-0006 - Frida help script
Java.perform(function() {
    var TextView = Java.use("android.widget.TextView");
    // Constants for InputType flags
    var TYPE_CLASS_TEXT = 0x00000001;
    var TYPE_CLASS_NUMBER = 0x00000002;
    var TYPE_CLASS_PHONE = 0x00000003;
    var TYPE_CLASS_DATETIME = 0x00000004;
    var TYPE_TEXT_VARIATION_PASSWORD = 0x00000080;
@FrankSpierings
FrankSpierings / demangle.js
Created July 26, 2024 15:29
Simple gcc demangler (thanks Claude)
function demangle(mangledName, options = {}) {
    const { nameOnly = false } = options;
    let index = 0;
    function parseNumber() {
        let num = '';
        while (index < mangledName.length && /\d/.test(mangledName[index])) {
            num += mangledName[index++];
        }
        return parseInt(num, 10);
@FrankSpierings
FrankSpierings / aesinfo-mod.js
Created July 24, 2024 14:23
Modded version of the Frida script from dzonerzy/aesinfo
// Thanks @dzonerzy/aesinfo
Java.perform(function() {
    var use_single_byte = false;
    var complete_bytes = new Array();
    var index = 0;
    var secretKeySpecDef = Java.use('javax.crypto.spec.SecretKeySpec');
@FrankSpierings
FrankSpierings / frida-redirect-txt-all.ini.js
Last active July 12, 2024 13:20
Frida sample that applies structs and intercepts calls to NtCreateFile and changes all .txt to c:/windows/win.ini
const fieldTypes = {
    int8:   { size: 1, read: 'readS8',    write: 'writeS8',    align: 1 },
    uint8:  { size: 1, read: 'readU8',    write: 'writeU8',    align: 1 },
    int16:  { size: 2, read: 'readS16',   write: 'writeS16',   align: 2 },
    uint16: { size: 2, read: 'readU16',   write: 'writeU16',   align: 2 },
    int32:  { size: 4, read: 'readS32',   write: 'writeS32',   align: 4 },
    uint32: { size: 4, read: 'readU32',   write: 'writeU32',   align: 4 },
    int64:  { size: 8, read: 'readS64',   write: 'writeS64',   align: 8 },
    uint64: { size: 8, read: 'readU64',   write: 'writeU64',   align: 8 },
    float:  { size: 4, read: 'readFloat', write: 'writeFloat', align: 4 },