PE Injection/Impersonation:
hasherezade hasherezade
hasherezade
/ Program.cs
Last active
July 27, 2021 06:48
A simple app to decode #PurpleFoxEK stegano payloads
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Drawing; | |
| using System.IO; | |
| namespace PurpleFoxPNGDec | |
| { | |
| internal class Program | |
| { | |
| public static int getPrintableLen(byte[] array) | |
| { |
hasherezade
/ winupdate64.dll.tag
Created
July 27, 2021 06:31
Tag file from tracing a VMProtect-protected NuggetPhantom component
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 71941;kernel32.LoadLibraryA | |
| Arg[0] = ptr 0x000000d19111f670 -> "kernel32.dll" | |
| cdb3d;kernel32.GetModuleFileNameW | |
| cdb3d;kernel32.CreateFileW | |
| Arg[0] = ptr 0x000000d19111f280 -> L"C:\Users\tester\Desktop\winupdate64.dll" | |
| Arg[1] = 0x0000000080000000 = 2147483648 | |
| Arg[2] = 0x0000000000000003 = 3 | |
| Arg[3] = 0 | |
| Arg[4] = 0x0000000000000003 = 3 |
hasherezade
/ GzipSimpleHttpServer.py
Last active
January 18, 2023 14:11
— forked from bkeating/GzipSimpleHttpServer.py
Python's SimpleHttpServer, but w/Gzip support. 🤙
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| """Simple HTTP Server. | |
| This module builds on BaseHTTPServer by implementing the standard GET | |
| and HEAD requests in a fairly straightforward manner. | |
| """ | |
| __version__ = "0.7" |
hasherezade
/ main.cpp
Created
July 17, 2021 16:35
A native way to enumerate processes (alternative to: EnumProcesses, CreateToolhelp32Snapshot - Process32First - Process32Next)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <iostream> | |
| #include "ntddk.h" | |
| bool enum_processes() | |
| { | |
| ULONG retLen = 0; | |
| // check length: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| set -e | |
| test -d _hollows_hunter \ | |
| || git clone --recurse-submodules https://github.com/hasherezade/hollows_hunter _hollows_hunter | |
| cd _hollows_hunter | |
| cmake . \ | |
| -DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc \ |
hasherezade
/ uac_bypass.c
Created
July 14, 2020 00:11
— forked from Cr4sh/uac_bypass.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void TestCopy() | |
| { | |
| BOOL cond = FALSE; | |
| IFileOperation *FileOperation1 = NULL; | |
| IShellItem *isrc = NULL, *idst = NULL; | |
| BIND_OPTS3 bop; | |
| SHELLEXECUTEINFOW shexec; | |
| HRESULT r; | |
| do { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #IDA script to print all referenced strings along with their references | |
| import idautils | |
| sc = idautils.Strings() | |
| for s in sc: | |
| curr_str = str(s) | |
| str_offset = s.ea | |
| for xref in idautils.XrefsTo(s.ea): | |
| func = idaapi.get_func(xref.frm) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <tlhelp32.h> | |
| #include <iostream> | |
| #include <peconv.h> // include libPeConv header (https://github.com/hasherezade/libpeconv) | |
| #include <paramkit.h> // include ParamKit header (https://github.com/hasherezade/paramkit) | |
| using namespace paramkit; | |
| #define PARAM_CHECKSUM "checks" | |
| #define PARAM_CHECKSUM_FUNC "cfunc" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <tlhelp32.h> | |
| #include <iostream> | |
| #include <peconv.h> // include libPeConv header | |
| DWORD get_hex_number(char *param) | |
| { | |
| DWORD checksum = 0; | |
| if (sscanf(param, "%X", &checksum) == 0) { |