/*
 * PinTrace
 *
 * API call trace tool built with Intel Pin (https://software.intel.com/en-us/articles/pin-a-binary-instrumentation-tool-downloads).
 *
 * CC by mirar@chaosmail.org
 *
 * This module can either be run in audit mode (-a flag) or provided with a config file (-c path/to/config).
 *
 * The config format is as follows:

/*
 * EAT-based hooking for x86/x64.
 *
 * Big thanks to ez (https://github.com/ezdiy/) for making this!
 *
 * Creates "hooks" by modifying the module's export address table.
 * The procedure works in three main parts:
 *
 * 1. Reading the module's PE file and getting all exported functions.
 * 2. Finding the right function to "hook" by simple address lookup

/*
 * fork.c
 * Experimental fork() on Windows. Requires NT 6 subsystem or
 * newer.
 *
 * Copyright (c) 2012 William Pitcock <nenolod@dereferenced.org>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.

// iThome 2020 Demo: Signature Patcher for Explorer
// author: aaaddress1@chroot.org
#include <iostream>
#include <Windows.h>
int main() {
    DWORD explorer_pid;
    GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", NULL), &explorer_pid);
    if (HANDLE token = OpenProcess(PROCESS_ALL_ACCESS, FALSE, explorer_pid)) {

// VEH Monitor by aaaddress1@chroot.org
#include <stdio.h>
#include <windows.h>
#pragma warning( disable : 4996 )
LONG __stdcall TrapFilter(PEXCEPTION_POINTERS pexinf) {
    if (pexinf->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION && ((DWORD)pexinf->ExceptionRecord->ExceptionAddress & 0x80000000))
        pexinf->ContextRecord->Eip = pexinf->ContextRecord->Eip ^ 0x80000000;
    else if (pexinf->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP)
        return EXCEPTION_CONTINUE_SEARCH;

// using WinHTTP to obtain binary data (MSVC)
// by aaaddress1@chroot.org
#include <vector>
#include <stdio.h>
#include <windows.h>
#include <Winhttp.h>
#pragma comment(lib, "winhttp")
using namespace std;
vector<char>* httpRecv(const wchar_t url[]) {

// memcpy 32bit by aaaddress1@chroot.org
#include <stdint.h>
#include <stdio.h>
#include <windows.h>
int main(void) {
    int dummy(0x41414242);
    char buf[8] = {0};
    // The string literal holds a tiny x86 memcpy:
    //   mov edi, [esp+4]   ; dst
    //   mov esi, [esp+8]   ; src
    //   mov ecx, [esp+0Ch] ; length
    //   rep movsb
    //   ret
    // Calling it only works when the literal's section is executable (DEP/NX off for this build).
    ((void(cdecl *)(DWORD, DWORD, DWORD))"\x8B\x7C\x24\x04\x8B\x74\x24\x08\x8B\x4C\x24\x0C\xF3\xA4\xC3")((size_t)buf, (size_t)&dummy, sizeof(dummy));
    puts(buf);

// fetch current EXE path from 64 bit PEB->Ldr (In 32 bit mode)
// by aaaddress1@chroot.org
#include <stdint.h>
#include <stdio.h>
#include <windows.h>
typedef struct _PEB_LDR_DATA64
{
    ULONG Length;
    BOOLEAN Initialized;
    ULONG64 SsHandle;

// get 64 bit Windows API in pure 32 bit mode!
// it's necessary to disable all the compiler optimization if you're using MSVC.
// more detail check out ReWolf's amazing trick: blog.rewolf.pl/blog/?p=102
// by aaaddress1@chroot.org
#include <iostream>
#include <stdio.h>
#include <windows.h>
// ref: raw.githubusercontent.com/rwfpl/rewolf-wow64ext/master/src/wow64ext.h
#include "wow64ext.h"

# x96_shellcode.py
# ref: gist.github.com/aaaddress1/3c0ae754f8a40024881343a085954049
# by aaaddress1@chroot.org
'''
entry:
    call $+5
    mov ax, cs
    sub ax, 23h
    je retTo32b
    nop