hasherezade hasherezade
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <tlhelp32.h> | |
| #include <iostream> | |
| #include <peconv.h> // include libPeConv header | |
| DWORD get_hex_number(char *param) | |
| { | |
| DWORD checksum = 0; | |
| if (sscanf(param, "%X", &checksum) == 0) { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <peconv.h> | |
| unsigned char encoded_val[0x34] = { | |
| 0x44, 0x29, 0x36, 0x0A, 0x29, 0x0F, 0x05, 0x1B, 0x65, 0x26, 0x10, 0x04, | |
| 0x2B, 0x68, 0x30, 0x2F, 0x00, 0x33, 0x2F, 0x05, 0x1A, 0x1F, 0x0F, 0x38, | |
| 0x02, 0x18, 0x42, 0x02, 0x33, 0x1A, 0x28, 0x04, 0x2A, 0x47, 0x3F, 0x04, | |
| 0x26, 0x64, 0x66, 0x4D, 0x10, 0x37, 0x3E, 0x28, 0x3E, 0x77, 0x1C, 0x3F, | |
| 0x7E, 0x36, 0x34, 0x2A |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <peconv.h> | |
| #define EXE_PATH "Z:\\flare\\m.dll" | |
| __int64 (__fastcall *ini_ctx)(BYTE *ctx, BYTE *key, int key_size) = nullptr; | |
| __int64 (__fastcall *decrypt_buf)(BYTE *ctx, BYTE *in_buf, BYTE *out_buf, unsigned int size) = nullptr; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <iostream> | |
| #include <cstdlib> | |
| #include <cstdio> | |
| #include <ctime> | |
| void decipher(DWORD* v, BYTE *k) | |
| { | |
| unsigned int num_rounds = 32; | |
| unsigned int i; |
hasherezade
/ guard_flags.h
Last active
August 14, 2019 21:54
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #pragma once | |
| #define IMAGE_GUARD_CF_INSTRUMENTED 0x00000100 // Module performs control flow integrity checks using system-supplied support | |
| #define IMAGE_GUARD_CFW_INSTRUMENTED 0x00000200 // Module performs control flow and write integrity checks | |
| #define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT 0x00000400 // Module contains valid control flow target metadata | |
| #define IMAGE_GUARD_SECURITY_COOKIE_UNUSED 0x00000800 // Module does not make use of the /GS security cookie | |
| #define IMAGE_GUARD_PROTECT_DELAYLOAD_IAT 0x00001000 // Module supports read only delay load IAT | |
| #define IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION 0x00002000 // Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected | |
| #define IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT 0x00004000 // Module contains suppressed export information. This also infers that the address taken |
hasherezade
/ str_decoder.cpp
Last active
December 20, 2018 18:11
Decoder for the obfuscated strings from malware: ef0cb0a1a29bcdf2b36622f72734aec8d38326fc8f7270f78bd956e706a5fd57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <iostream> | |
| #include <Windows.h> | |
| char* decode_string(const char *a1) | |
| { | |
| const BYTE *enc_str = (BYTE*)a1; | |
| signed int enc_len = strlen(a1); | |
| BYTE *v4; | |
| int v5; |
hasherezade
/ extracted_list.txt
Last active
October 30, 2018 17:56
TrickBot string decoder (c3737aaf6b613a7c7d5e0c6d3c0d60a2)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1 : 1\ | |
| 2 : 1 | |
| 3 : DIAL | |
| 4 : NAT status | |
| 5 : failed | |
| 6 : client is behind NAT | |
| 7 : client is not behind NAT | |
| 8 : DNSBL | |
| 9 : listed | |
| 10 : not listed |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Sample "Hello World" driver | |
| // creates a HelloDev, that expects one IOCTL | |
| #include <ntddk.h> | |
| #define HELLO_DRV_IOCTL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS) | |
| #define DOS_DEV_NAME L"\\DosDevices\\HelloDev" | |
| #define DEV_NAME L"\\Device\\HelloDev" |
hasherezade
/ output.txt
Last active
June 20, 2018 18:51
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Region Addr: 00A50000 | |
| Full Size : 00007000 | |
| --- | |
| ---ALLOC AND INFO--- | |
| nextAddr: 00A50000 | |
| info: | |
| AllocBase: 00A50000 | |
| BaseAddress: 00A50000 | |
| RegionSize: 1000 | |
| RegionState: 1000 : MEM_COMMIT |
hasherezade
/ run_elevated.cpp
Last active
November 11, 2019 12:21
Run elevated via rundll32.exe (NOTE: it is NOT a stealthy UAC bypass!)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| The role of this snippet is to enforce a user to elevate a process, | |
| simply by flooding them with repeatitive requests till they agree. | |
| I do NOT recommend it as a UAC bypass technique as it is very noisy! | |
| */ | |
| #include <stdio.h> | |
| #include <Windows.h> | |
| char mutex_name[] = "elev_mutex"; |