"Type", 0x2
"Directory", 0x3
"SymbolicLink", 0x4
"Token", 0x5
"Job", 0x6
"Process", 0x7
"Thread", 0x8
daaximus
/ symcache.ps1
Last active
January 17, 2025 21:26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # probably exists in a better form; but script is useful for caching OS modules based on major OS version/build and file | |
| # hash. intended to make life easier, ymmv. | |
| # | |
| # .\symcache.ps1 -src "C:\Windows\System32\drivers" -dst "X:\Windows\drivers" | |
| # ^^ This will copy and organize the bins in the subdirectory and recurse through all subdirectories, and then download | |
| # the symbols if they are available. | |
| # | |
| # - daax | |
| param( |
daaximus
/ memeloggerv2.cpp
Last active
January 16, 2025 06:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Compiled with LLVM clang-cl in VS2022, latest-working draft c/++ | |
| // no ifs ands or buts keylogger (@https://x.com/vxunderground/status/1879395134321954958) | |
| // updated with RYO if-else construct | |
| // v1 using ternary+logical-and+comma: https://gist.github.com/daaximus/1f6125f0e7da3072bc7e8a403245ef1b | |
| // | |
| #define _CRT_SECURE_NO_WARNINGS | |
| #include <cstdint> | |
| #include <windows.h> | |
| #include <stdio.h> |
daaximus
/ valorant_gamer_capture3000.cpp
Last active
June 9, 2024 20:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <gdiplus.h> | |
| #include <string> | |
| #include <iostream> | |
| #include <fstream> | |
| using namespace Gdiplus; | |
| #pragma comment (lib,"Gdiplus.lib") | |
| int get_encoder_clsid( const WCHAR* format, CLSID* clsid ) |
daaximus
/ dump_exports_ntoskrnl_example.py
Created
May 9, 2023 01:21
Dump all exports and their prototypes if available (IDAPython)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| import idaapi | |
| import idc | |
| def get_func_prototype(ea): | |
| tinfo = idaapi.tinfo_t() | |
| if idaapi.get_tinfo(tinfo, ea): | |
| return idaapi.print_tinfo("", 0, 0, idaapi.PRTYPE_1LINE, tinfo, "", "") | |
| else: | |
| return None |
daaximus
/ nop_flush_rsb.py
Created
April 24, 2023 01:43
IDA Python Script (7.7) to nop FLUSH_RSB sequences
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idaapi | |
| import idc | |
| import idautils | |
| import ida_auto | |
| import ida_bytes | |
| def is_call_instruction(ea): | |
| return 'call' in idc.generate_disasm_line(ea, idc.GENDSM_FORCE_CODE) | |
| def is_rsp_add_instruction(ea): |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0000:0000=Device | |
| 0000:0002=USB Implementer Forum Mass Storage | |
| 0000:3825=USB Mouse | |
| 0000:7777=USB Flash Drive | |
| 0001:0001=Gaming Optical Mouse5 | |
| 0001:142b=Arbiter Systems, Inc. | |
| 0001:7778=Fry's Electronics Counterfeit flash drive [Kingston] | |
| 0002:0002=Ingram passport00 | |
| 0002:7007=Ingram HPRT XT300 | |
| 0009:21e7=Sagemcom |
daaximus
/ winobjidx.md
Last active
February 24, 2023 04:12
Windows 10/11 Object Type Names & Indexes
daaximus
/ idapython_ctree.md
Created
October 20, 2022 19:20
— forked from trietptm/idapython_ctree.md
Notes on CTREE usage with IDAPython
The CTREE is built from the optimized microcode (maturity at CMAT_FINAL), it represents an AST-like tree with C statements and expressions. It can be printed as C code.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <string> | |
| #include <atlbase.h> | |
| #include <imapi2fs.h> | |
| void create_iso( std::wstring_view src, std::wstring_view iso_path ) | |
| { | |
| HRESULT hr; | |
| IFileSystemImage* fsimg; | |
| IFsiDirectoryItem* fsdir; | |
| IFileSystemImageResult* fsresult; |
daaximus
/ ioctl_names.cpp
Last active
February 8, 2025 21:16
Most IOCTLs mapped to their code names
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef struct _ioctl_t | |
| { | |
| const char* ioctl_name; | |
| uint64_t ctl_code; | |
| } ioctl_t; | |
| // This would likely be better used in some unordered map. This is just a temporary data structure for testing resolution. | |
| // | |
| // Results from NtDeviceIoControlFile hook: | |
| // utweb.exe (14916) :: NtDeviceIoControlFile( 0x65c (\Device\Afd), 0x694, 0x0000000000000000, 0x0000000000000000, 0x00000000044DEE90, 0x12024 (IOCTL_AFD_SELECT), 0x0000000004A3FC18, 0x34, 0x0000000004A3FC18, 0x34 ) |