$createdNew = $False;
$mutex = New-Object -TypeName System.Threading.Mutex($true, "MsWinZonesCacheCounterMutexA", [ref]$createdNew);
@N3mes1s
N3mes1s / msbuildQueueAPC.csproj
Created August 30, 2017 14:50
MSBuild => CSC.exe Shellcode Inject using QueueUserAPC
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- x86 -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<!-- x64 -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
@N3mes1s
N3mes1s / DataDrivenTest.wsc
Created November 7, 2017 06:57
Authoring Tests in Scripting Languages
<?xml version="1.0" ?>
<!-- Te.exe DataDrivenTest.wsc -->
<!-- C:\Program Files (x86)\Windows Kits\10\Testing\Runtimes\TAEF > ./TE.exe DataDrivenTest.wsc -->
<!-- Test Authoring and Execution Framework v5.8k for x64 -->
<!-- StartGroup: VBSampleTests::TestOne -->
<!-- Calling TestOne -->
<!-- EndGroup: VBSampleTests::TestOne [Passed] -->
<!-- Summary: Total=1, Passed=1, Failed=0, Blocked=0, Not Run=0, Skipped=0 -->
<?component error="true" debug="true"?>
<package>
@N3mes1s
N3mes1s / findstr-LaunchINFSection.ps1
Created March 9, 2018 08:11
Locate LaunchINFSection inside a pe using findstr.exe and Get-Exports
<#
You need to import module Get-Exports in the same powershell session
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-Exports.ps1
#>
#Import-Module .\Get-Exports.ps1
# Directories to scan; single backslashes are the idiomatic PowerShell path separator
$dir = @("C:\Windows\System32\","C:\Windows\SysWOW64\")
$export = "LaunchINFSection"
For ($i=0; $i -lt $dir.Length; $i++) {
Get-ChildItem $dir[$i] -Recurse | Where-Object {
$_.extension -eq ".dll"} | % {
@N3mes1s
N3mes1s / detect-threadSuspendps1
Created April 10, 2018 18:35
Detect Process that open another process's thread with THREAD_SUSPEND_RESUME access right
# mandatory https://github.com/zacbrown/PowerKrabsEtw for PowerKrabsEtw module
import-module .\PowerKrabsEtw
$trace = New-KrabsEtwUserTrace
$provider = New-KrabsEtwUserProvider -ProviderName "Microsoft-Windows-Kernel-Audit-API-Calls"
$filter = New-KrabsEtwCallbackFilter -EventId 6
Set-KrabsEtwCallbackFilter -UserProvider $provider -Filter $filter
Set-KrabsEtwUserProvider -Trace $trace -Provider $provider
Start-KrabsEtwUserTrace -Trace $trace | Where-Object { ($_.EtwProcessId -ne $_.TargetProcessId) -and ($_.DesiredAccess -bAnd 0x0002) }
@N3mes1s
N3mes1s / Detect-SquiblyTwo.ps1
Created April 18, 2018 22:21
detect squiblytwo using wmic original filename, format in cmdline and dll loading
### ref: https://twitter.com/dez_/status/986614411711442944
Write-Host "Current Pid: " $Pid
(Get-Process -Id $pid).priorityclass = "RealTime"
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 0.0001 WHERE TargetInstance ISA "Win32_Process"'
$action = {
$e = $Event.SourceEventArgs.NewEvent.TargetInstance
$fmt = 'ProcessStarted: (ID={0,5}, Parent={1,5}, cmdline={2}, ExecutablePath="{3}", Name={4})'
$msg = $fmt -f $e.ProcessId, $e.ParentProcessId, $e.CommandLine, $e.ExecutablePath, $e.Name
@N3mes1s
N3mes1s / Report3.md
Created April 30, 2018 09:54 — forked from aniketp/Report3.md
Report 3: Creating a stand-alone test program using atf-c(3) for Kyua

Report 3: Kyua test program for mkdir(2)

Explicit System Call Testing

The test application would trigger all syscalls one by one, evaluating that the audit record contains all the expected parameters, e.g. the arguments, valid argument types, return values, etc. The testing will be done for various success and failure modes, with cross-checking for appropriate error codes in case of failure mode.

Repository

AuditTestSuite

The Problem

@N3mes1s
N3mes1s / dotnet-runtime-etw.py
Created May 7, 2019 12:38 — forked from countercept/dotnet-runtime-etw.py
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
import time
import etw
import etw.evntrace
import sys
import argparse
import threading
class RundownDotNetETW(etw.ETW):
    def __init__(self, verbose, high_risk_only):
@N3mes1s
N3mes1s / rpc_dump_rs5.txt
Created May 13, 2019 07:25 — forked from masthoon/rpc_dump_rs5.txt
RPC interfaces RS5
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 368 at 0x5306908L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
64
Interfaces :
Endpoints :