Und3rf10w
/ IRP Structure
Created
November 4, 2021 14:02
— forked from matterpreter/IRP Structure
(Semi)Full IRP Structure in Win10 1903
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0: kd> dt -b nt!_IRP | |
| +0x000 Type : Int2B | |
| +0x002 Size : Uint2B | |
| +0x004 AllocationProcessorNumber : Uint2B | |
| +0x006 Reserved : Uint2B | |
| +0x008 MdlAddress : Ptr64 | |
| +0x010 Flags : Uint4B | |
| +0x018 AssociatedIrp : <anonymous-tag> | |
| +0x000 MasterIrp : Ptr64 | |
| +0x000 IrpCount : Int4B |
Und3rf10w
/ HowToDetectTechniqueX_Demos.ps1
Created
September 6, 2019 22:38
— forked from mattifestation/HowToDetectTechniqueX_Demos.ps1
Demo code from my DerbyCon talk: "How do I detect technique X in Windows?" Applied Methodology to Definitively Answer this Question
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #region Attack validations | |
| wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe | |
| Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe | |
| $CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator | |
| Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' } | |
| $CimSession | Remove-CimSession | |
| winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword |
Und3rf10w
/ introspection-query.graphql
Created
August 14, 2019 22:45
— forked from craigbeck/introspection-query.graphql
Introspection query for GraphQL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| query IntrospectionQuery { | |
| __schema { | |
| queryType { name } | |
| mutationType { name } | |
| subscriptionType { name } | |
| types { | |
| ...FullType | |
| } | |
| directives { |
Und3rf10w
/ Get-Doppelgangers.ps1
Created
December 31, 2017 17:28
— forked from dezhub/Get-Doppelgangers.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-Doppelgangers | |
| { | |
| <# | |
| .SYNOPSIS | |
| Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging' | |
| Author: Joe Desimone (@dez_) | |
| License: BSD 3-Clause | |
Und3rf10w
/ Injectable.cpp
Created
December 19, 2017 14:19
— forked from anonymous/Injectable.cpp
Simple UserMode Hook Example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| FARPROC fpCreateProcessW; | |
| BYTE bSavedByte; | |
| // Blog Post Here: | |
| // https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108 | |
| // tasklist | findstr explore.exe |