Skip to content

Instantly share code, notes, and snippets.

@analyticsearch
analyticsearch / IsDebuggerPresentModification.cpp
Created February 15, 2024 21:54 — forked from WKL-Sec/IsDebuggerPresentModification.cpp
This C++ code performs an integrity check on the `IsDebuggerPresent` API function in `KERNELBASE.dll` to detect any unauthorized modifications, a technique useful for evading debugging and analysis in cybersecurity operations.
// White Knight Labs - Offensive Development Course
// Anti-Debug Patch Check - KERNELBASE!IsDebuggerPresent function
#include <iostream>
#include <Windows.h>
// Define the expected bytes of the KERNELBASE!IsDebuggerPresent function.
// This array represents the specific sequence of bytes we expect to find at the
// beginning of the IsDebuggerPresent function in a non-modified state.
const unsigned char expectedBytes[] = {0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x0F, 0xB6, 0x40, 0x02, 0xC3};
/*
TaskManagerSecret
Author: @splinter_code
This is a very ugly POC for a very unreliable UAC bypass through some UI hacks.
The core of this hack is stealing and using a token containing the UIAccess flag set.
A trick described by James Forshaw, so all credits to him --> https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html
From there it uses a task manager "feature" to run a new High IL cmd.exe.
This has been developed only for fun and shouldn't be used due to its high unreliability.
/*
* Rust basic Process injection using OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread
* API dynamic resolution and shellcode XOR encoded
*/
#[allow(non_camel_case_types)]
type HANDLE = *mut u64;
#[allow(non_camel_case_types)]
type LPVOID = *mut u64;
#[allow(non_camel_case_types)]
type DWORD = u32;
@analyticsearch
analyticsearch / check_vulnerabledrivers.ps1
Created May 20, 2023 06:56 — forked from api0cradle/check_vulnerabledrivers.ps1
A quick script to check for vulnerable drivers. Compares drivers on system with list from loldrivers.io
# Simple script to check drivers in C:\windows\system32\drivers against the loldrivers list
# Author: Oddvar Moe - @oddvar.moe
$drivers = get-childitem -Path c:\windows\system32\drivers
$web_client = new-object system.net.webclient
$loldrivers = $web_client.DownloadString(" https://www.loldrivers.io/api/drivers.json") | ConvertFrom-Json
Write-output("Checking {0} drivers in C:\windows\system32\drivers against loldrivers.io json file" -f $drivers.Count)
foreach ($lol in $loldrivers.KnownVulnerableSamples)
{
GET /beta/deviceLocalCredentials/[DEVICE-ID]?$select=credentials HTTP/1.1
ocp-client-version: 1.0
client-request-id: 96cbfa59-dbfc-4a92-b261-7f77bd8f4b9b
ocp-client-name: Get-LapsAADPassword Windows LAPS Cmdlet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22621; en-US) PowerShell/5.1.22621.963 Invoke-MgGraphRequest
SdkVersion: graph-powershell/1.26.0, Graph-dotnet-1.25.1
FeatureFlag: 00000047
Cache-Control: no-store, no-cache
Authorization: Bearer [AAD-JWT-HERE]
Accept-Encoding: gzip
@analyticsearch
analyticsearch / LAPSDecrypt.cs
Created April 19, 2023 01:03 — forked from xpn/LAPSDecrypt.cs
Quick POC looking at how encryption works for LAPS (v2)
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;
# Get the DLL file path from user input
$dllPath = Read-Host "Enter the DLL file path"
# Get all running processes
$processes = Get-Process
# Loop through each process
foreach ($process in $processes) {
$processName = $process.ProcessName
@analyticsearch
analyticsearch / Program.cs
Created March 3, 2023 01:04 — forked from susMdT/Program.cs
haha funny jit go brrrr
using System;
using System.Runtime.CompilerServices;
using System.Reflection;
using System.Reflection.Emit;
namespace FunkyJit
{
class Program
{
public static void Nothing() { Console.WriteLine(); }
static void Main(string[] args)
#include "stdafx.h"
#include <process.h>
using namespace Microsoft::WRL;
HMODULE g_currentModule;
BOOL APIENTRY DllMain(HMODULE module, DWORD reason, LPVOID reserved)
{
switch (reason)
"""
Transform a binary file into a C header file.
The binary file is splitted into 16 char strings and rebuild at execution time.
The function buildsc() must be called in your main to rebuild the binary file into the sc C variable.
The length is set in the sc_length variable.
Be carefull, try to avoid compiler code optimization as it will remove all these modifications in the final binary.
"""