This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2: kd> x nt!Io*
fffff800`3e820158 nt!IopStoreArcInformation (void)
fffff800`3df1ee6c nt!IopCheckListForCancelableIrp (void)
fffff800`3e56ebc4 nt!IopInitializeCrashDump (void)
fffff800`3df74b50 nt!IoCsqRemoveIrp (void)
fffff800`3e560a70 nt!IopPortAddAllocation (void)
fffff800`3df164f0 nt!IoReleaseRemoveLockEx (void)
fffff800`3df95750 nt!IoAllocateDriverObjectExtension (void)
fffff800`3e446f34 nt!IopQueryNameInternal (void)
fffff800`3ded49b0 nt!IoReportTargetDeviceChangeAsynchronous (void)
Cc = Cache manager (???)
Csr = Client Server support functions (LPC; related: CSRSS.EXE)
Dbg = Debugger support functions
Etw = Extended tracing ... support functions (???)
Ex = Executive
Fs = File system support functions
Hal = Hardware abstraction layer functions
Inbv = Something like: _In_itial _B_oot _V_ideo functions (???)
Io = I/O manager support functions
Kd = Kernel debugger support functions
2: kd> uf nt!IopLoadDriver
nt!IopLoadDriver:
fffff800`3e510744 48895c2410      mov     qword ptr [rsp+10h],rbx
fffff800`3e510749 55              push    rbp
fffff800`3e51074a 56              push    rsi
fffff800`3e51074b 57              push    rdi
fffff800`3e51074c 4154            push    r12
fffff800`3e51074e 4155            push    r13
fffff800`3e510750 4156            push    r14
fffff800`3e510752 4157            push    r15
Get-Process | foreach { Get-ProcessMitigation -Id $_.Id }
fffff802`17beb644 dxgkrnl!ADAPTER_DISPLAY::IsPointerVisible (void)
fffff802`17beb4f4 dxgkrnl!ADAPTER_DISPLAY::MarkCommitVidPnOnModeChange (void)
fffff802`17d09df4 dxgkrnl!ADAPTER_DISPLAY::GetCddAllocationHandles (void)
fffff802`17d23e74 dxgkrnl!ADAPTER_DISPLAY::ReleaseAllVidPnSourceOwners (void)
fffff802`17ca23a0 dxgkrnl!ADAPTER_RENDER::ResumeScheduler (void)
fffff802`17cfb94c dxgkrnl!ADAPTER_DISPLAY::CreateCddAllocations (void)
fffff802`17d1a01c dxgkrnl!ADAPTER_DISPLAY::UpdateOneCddPrimaryPrivateDriverData (void)
fffff802`17bda040 dxgkrnl!auto_ptr<DMMVIDEOPRESENTSOURCE>::~auto_ptr<DMMVIDEOPRESENTSOURCE> (void)
fffff802`17bd3208 dxgkrnl!ADAPTER_DISPLAY::GetDisplayId (void)
fffff802`17cd4d80 dxgkrnl!ADAPTER_DISPLAY::DisableOverlayPlanes (void)
00000001`80002850 gdi32!GdiReleaseDC (void)
00000001`80001200 gdi32!hGetPEBHandle (void)
00000001`80001b90 gdi32!InternalDeleteObject (void)
00000001`80004640 gdi32!pldcGet (void)
00000001`80004bb0 gdi32!bDeleteLDC (void)
00000001`800020c0 gdi32!InternalDeleteDC (void)
00000001`800029f0 gdi32!GetDeviceCaps (void)
00000001`80001370 gdi32!CombineRgn (void)
00000001`80003970 gdi32!Gdi32DllInitialize (void)
00000001`800018b0 gdi32!SetRectRgn (void)
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\Launcher.SystemSettings]
@="Open"

[HKEY_CURRENT_USER\Software\Classes\Launcher.SystemSettings\Shell]

[HKEY_CURRENT_USER\Software\Classes\Launcher.SystemSettings\Shell\Open]
@="Open"
"MuiVerb"="@appresolver.dll,-8501"
// Source: https://github.com/hoangprod/DanSpecial/blob/master/DanSpecial/Gigabytes.h
unsigned char rawData[26192] = {
    0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xD8, 0x00, 0x00, 0x00, 0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD,
    0x21, 0xB8, 0x01, 0x4C, 0xCD, 0x21, 0x54, 0x68, 0x69, 0x73, 0x20, 0x70,
; <callisto.asm> - Callisto source
; Copyright (c) 2020 by Josh Finley.
;
; This file demonstrates a MASM-64 remote access trojan.
;
; The author assumes no responsibility for any damage caused by this
; program, incidental or otherwise. This program is intended for
; research purposes only.
;
; References:
# CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion, aka door to SuperNova?)
# @0xSha
# (C) 2020 0xSha.io
# Advisory   : https://www.solarwinds.com/securityadvisory
# Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip
# Details    : https://kb.cert.org/vuls/id/843464
# C:\inetpub\SolarWinds\bin\OrionWeb.DLL
# According to SolarWinds.Orion.Web.HttpModules