c0d3inj3cT’s gists

c0d3inj3cT / locksmith_solve.py

Created May 24, 2019 12:38

Locksmith Solution - Security Fest 2019

	from pwn import *
	from z3 import *
	import re
	import time

	def get_solution(diff):
	print diff
	s = Solver()

	a = Int('a')

c0d3inj3cT / z3_solve.py

Created December 23, 2018 19:17

Friedrich's Christmas Hangover - X-MAS CTF 2018 Writeup

	#! /usr/bin/python

	from z3 import *

	# Solution for Friedrich's Christmas Hangover Challenge for X-MAS CTF 2018

	s = Solver()

	i1 = Int('i1')
	i2 = Int('i2')

c0d3inj3cT / sfmode.html

Created November 16, 2014 11:50

IE SafeMode Example


	<html>
	<title>IE SafeMode</title>
	<script language="vbscript">
	Set obj = CreateObject("Shell.Application")
	obj.ShellExecute("calc.exe");
	</script>
	</html>

c0d3inj3cT / sum.c

Created October 4, 2014 19:08

An example program to understand the Calling Convention used for 64-bit Binaries.

	#include <stdio.h>

	int sum(int, int, int, int);

	int main(int argc, char **argv)
	{
	int result = 0;
	result = sum(1,2,3,4);

	printf("The sum is: %d\n", result);

c0d3inj3cT / instrace.cpp

Last active January 4, 2021 21:13

This pintool was written to identify interesting sequence of instructions which are often used by malwares to either obfuscate the control flow, to be position independent, to identify virtual machine, to perform anti debugging tricks, usage of encryption and decryption routines.

	/*
	Instruction Tracer to identify
	interesting sequence of instructions
	in malwares.

	c0d3inj3cT
	*/

	#include <stdio.h>
	#include <iostream>

c0d3inj3cT / retn_overwrite.asm

Created January 4, 2014 10:07

This is a proof of concept to show how the debugger can be confused by overwriting the RETN instruction with its own opcode (0xc3) which will result in the debugger executing the code instead of trapping into the return address.

	; Overwrite RETN opcode
	; Control Flow Obfuscation
	; c0d3inj3cT

	include \masm32\include\masm32rt.inc

	.data
	hMod dd 0

	.code

c0d3inj3cT / vmware-detect.c

Created December 11, 2013 05:08

This code will scan the process address space of csrss.exe for the string, "MS_VM_CERT". It is the OEM String of VMWare present in the SMBIOS structures.

	/*
	Detect VMWare using OEM String in Memory
	Tested on Windows XP SP3/VMWare Workstation 7.1.0
	c0d3inj3cT
	*/

	#include <windows.h>
	#include <stdio.h>

	#define MARKER "MS_VM_CERT"

c0d3inj3cT / hookapi.asm

Last active July 27, 2022 19:43

API hooking code in Assembly from Win32/Gepys

	ESI - Function Pointer
	EDI - Buffer

	00C816F9 803E E9 CMP BYTE PTR DS:[ESI],0E9 ; check if the first instruction of API is a jump instruction
	00C816FC 75 09 JNZ SHORT 00C81707
	00C816FE 8B46 01 MOV EAX,DWORD PTR DS:[ESI+1]
	00C81701 8D4430 05 LEA EAX,DWORD PTR DS:[EAX+ESI+5]
	00C81705 EB 12 JMP SHORT 00C81719
	00C81707 8D46 05 LEA EAX,DWORD PTR DS:[ESI+5] ; point eax to the 5th byte of the function
	00C8170A A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; store 5 bytes from the function into the buffer

c0d3inj3cT / hookdetect.c

Last active January 2, 2022 04:20

This pintool was written to detect the API hooks by checking the calls to VirtualProtect() that mark the memory region of Win32 APIs as PAGE_EXECUTE_READWRITE. This method is often used in API hooking.

	/*
	Pintool to detect API hooks in a process
	c0d3inj3cT
	*/

	#include <stdio.h>
	#include <iostream>
	#include "pin.H"

	int i=0;

c0d3inj3cT / wmtimer.asm

Last active October 18, 2017 05:29

This code demonstrates the method used by the virus family, Win32/Gepys to introduce delay in execution before invoking the malicious code.

	; Below are the first few lines of code of the Window Procedure:

	00402680 55 PUSH EBP
	00402681 8BEC MOV EBP,ESP
	00402683 83E4 F8 AND ESP,FFFFFFF8
	00402686 83EC 4C SUB ESP,4C
	00402689 A1 04A04000 MOV EAX,DWORD PTR DS:[40A004]
	0040268E 33C4 XOR EAX,ESP
	00402690 894424 48 MOV DWORD PTR SS:[ESP+48],EAX
	00402694 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; window message code