This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 00000001`80002850 gdi32!GdiReleaseDC (void) | |
| 00000001`80001200 gdi32!hGetPEBHandle (void) | |
| 00000001`80001b90 gdi32!InternalDeleteObject (void) | |
| 00000001`80004640 gdi32!pldcGet (void) | |
| 00000001`80004bb0 gdi32!bDeleteLDC (void) | |
| 00000001`800020c0 gdi32!InternalDeleteDC (void) | |
| 00000001`800029f0 gdi32!GetDeviceCaps (void) | |
| 00000001`80001370 gdi32!CombineRgn (void) | |
| 00000001`80003970 gdi32!Gdi32DllInitialize (void) | |
| 00000001`800018b0 gdi32!SetRectRgn (void) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| fffff802`17beb644 dxgkrnl!ADAPTER_DISPLAY::IsPointerVisible (void) | |
| fffff802`17beb4f4 dxgkrnl!ADAPTER_DISPLAY::MarkCommitVidPnOnModeChange (void) | |
| fffff802`17d09df4 dxgkrnl!ADAPTER_DISPLAY::GetCddAllocationHandles (void) | |
| fffff802`17d23e74 dxgkrnl!ADAPTER_DISPLAY::ReleaseAllVidPnSourceOwners (void) | |
| fffff802`17ca23a0 dxgkrnl!ADAPTER_RENDER::ResumeScheduler (void) | |
| fffff802`17cfb94c dxgkrnl!ADAPTER_DISPLAY::CreateCddAllocations (void) | |
| fffff802`17d1a01c dxgkrnl!ADAPTER_DISPLAY::UpdateOneCddPrimaryPrivateDriverData (void) | |
| fffff802`17bda040 dxgkrnl!auto_ptr<DMMVIDEOPRESENTSOURCE>::~auto_ptr<DMMVIDEOPRESENTSOURCE> (void) | |
| fffff802`17bd3208 dxgkrnl!ADAPTER_DISPLAY::GetDisplayId (void) | |
| fffff802`17cd4d80 dxgkrnl!ADAPTER_DISPLAY::DisableOverlayPlanes (void) |
joshfinley
/ Get-MitigationPolicies.ps1
Created
March 18, 2020 03:18
One-liner for getting mitigation policies for all running processes on the system
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Get-Process | foreach { Get-ProcessMitigation -Id $_.Id } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2: kd> uf nt!IopLoadDriver | |
| nt!IopLoadDriver: | |
| fffff800`3e510744 48895c2410 mov qword ptr [rsp+10h],rbx | |
| fffff800`3e510749 55 push rbp | |
| fffff800`3e51074a 56 push rsi | |
| fffff800`3e51074b 57 push rdi | |
| fffff800`3e51074c 4154 push r12 | |
| fffff800`3e51074e 4155 push r13 | |
| fffff800`3e510750 4156 push r14 | |
| fffff800`3e510752 4157 push r15 |
joshfinley
/ ntprefixes.txt
Created
March 17, 2020 15:17
List of NT prefixes - sourced from https://community.osr.com/discussion/72000/meaning-of-the-function-prefices
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Cc = Cache manager (???) | |
| Csr = Client Server support functions(LPC; related: CSRSS.EXE) | |
| Dbg = Debugger support functions | |
| Etw = Extended tracing ... support functions (???) | |
| Ex = Executive | |
| Fs = File system support functions | |
| Hal = Hardware abstraction layer functions | |
| Inbv = Something like: _In_itial _B_oot _V_ideo functions (???) | |
| Io = I/O manager support functions | |
| Kd = Kernel debugger support functions |
joshfinley
/ ntIoFunctions.txt
Created
March 17, 2020 15:16
Windows native I/O manager support functions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2: kd> x nt!Io* | |
| fffff800`3e820158 nt!IopStoreArcInformation (void) | |
| fffff800`3df1ee6c nt!IopCheckListForCancelableIrp (void) | |
| fffff800`3e56ebc4 nt!IopInitializeCrashDump (void) | |
| fffff800`3df74b50 nt!IoCsqRemoveIrp (void) | |
| fffff800`3e560a70 nt!IopPortAddAllocation (void) | |
| fffff800`3df164f0 nt!IoReleaseRemoveLockEx (void) | |
| fffff800`3df95750 nt!IoAllocateDriverObjectExtension (void) | |
| fffff800`3e446f34 nt!IopQueryNameInternal (void) | |
| fffff800`3ded49b0 nt!IoReportTargetDeviceChangeAsynchronous (void) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /*** | |
| *gs_support.c - initialize the global buffer overrun security cookie | |
| * | |
| * Copyright (c) Microsoft Corporation. All rights reserved. | |
| * | |
| *Purpose: | |
| * Define __security_init_cookie, which is called at startup to initialize | |
| * the global buffer overrun security cookie used by the /GS compile flag. | |
| * | |
| *******************************************************************************/ |
joshfinley
/ Install-ADDC.ps1
Created
February 26, 2020 18:47
Install domain controller to windows server instance
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Install-windowsfeature AD-domain-services | |
| Import-Module ADDSDeployment | |
| Install-ADDSForest | |
| -CreateDnsDelegation:$false ` | |
| -DatabasePath "C:\Windows\NTDS" ` | |
| -DomainMode "Win2016" ` | |
| -DomainName "localwindowslab.com" ` | |
| -DomainNetbiosName "WINDOWSLAB" ` | |
| -ForestMode "Win2019" ` |
joshfinley
/ Invoke-CertUtil.ps1
Last active
February 25, 2020 15:17
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-CertUtil | |
| { | |
| [CmdletBinding(DefaultParameterSetName="PlaceNet")] | |
| Param( | |
| [Parameter(Position = 0)] | |
| [String[]] | |
| $ComputerName, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <errno.h> | |
| #include <string.h> | |
| #include <arpa/inet.h> | |
| #include <net/ethernet.h> | |
| #include <net/if.h> | |
| #include <netinet/if_ether.h> | |
| #include <netpacket/packet.h> | |
| #include <sys/ioctl.h> | |
| #include <sys/socket.h> | |
| #include <stdio.h> |