
@matterpreter
matterpreter / find_iunknown_vtable.ps1
Created June 22, 2024 14:53
COM server vtable finder
# Instantiate the object
$clsid = '{A845DCD6-BB08-4F37-9BA5-AAC66F5ADDCE}'
$obj = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID($clsid))
# Get the address of the IUnknown vtable
Add-Type -AssemblyName 'System.Runtime.InteropServices'
$iunk = [System.Runtime.InteropServices.Marshal]::GetIUnknownForObject($obj)
$vtable = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($iunk)
# Locate the in-proc server and get its base address
@matterpreter
matterpreter / RpcParser.java
Last active March 9, 2022 00:21
Ghidra RPC procedure identification script
//Locate RPC procedures inside of server code
//@author Matt Hand (@matterpreter) based on original work by Sektor7 Labs (@reenz0h)
//@category Functions
//@keybinding
//@menupath
//@toolbar
import ghidra.app.script.GhidraScript;
import ghidra.program.model.block.*;
import ghidra.program.model.symbol.*;
@matterpreter
matterpreter / FindTargetImports.cs
Last active November 28, 2022 04:43
Search all PE files in a directory for ones which import a specific DLL
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using PeNet;
using PeNet.Header.Pe;
@matterpreter
matterpreter / CallTreeToJSON.py
Last active June 4, 2024 23:58
Convert Ghidra Call Trees to JSON for Neo4j Ingestion
#@author matterpreter
#@category
#@keybinding
#@menupath
#@toolbar
###
# To import to Neo4j:
# CREATE CONSTRAINT function_name ON (n:Function) ASSERT n.name IS UNIQUE
#
@matterpreter
matterpreter / 20H2_EPROCESS.log
Created December 10, 2020 14:32
Win10 20H2 EPROCESS
lkd> dt -b nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
      +0x000 Header           : _DISPATCHER_HEADER
         +0x000 Lock             : Int4B
         +0x000 LockNV           : Int4B
         +0x000 Type             : UChar
         +0x001 Signalling       : UChar
         +0x002 Size             : UChar
         +0x003 Reserved1        : UChar
         +0x000 TimerType        : UChar
@matterpreter
matterpreter / NtMonitor.py
Last active February 27, 2024 09:38
Frida script to spawn a process and monitor Native API calls
import frida
import sys
# Print messages sent from the injected Frida script (send(), errors, or anything else)
def on_message(message, data):
    if message['type'] == 'send':
        print(message['payload'])
    elif message['type'] == 'error':
        print(message['stack'])
    else:
        print(message)
@matterpreter
matterpreter / CyrillicSwap.cs
Created April 21, 2020 13:35
Swap Latin characters to Cyrillic lookalikes
using System;
using System.Collections.Generic;
using System.Text;

public static void CyrillicSwap(string latinString)
{
    // Ensure the console can render the Cyrillic code points
    Console.OutputEncoding = Encoding.UTF8;
    // Map each Latin letter to its visually identical Cyrillic homoglyph
    Dictionary<string, string> CyrDict = new Dictionary<string, string>()
    {
        {"a", "а"}, // \u0430
        {"c", "с"}, // \u0441
        {"e", "е"}, // \u0435
        {"o", "о"}, // \u043e
        {"p", "р"}, // \u0440
@matterpreter
matterpreter / IRP Structure
Last active August 9, 2022 18:38
(Semi)Full IRP Structure in Win10 1903
0: kd> dt -b nt!_IRP
   +0x000 Type             : Int2B
   +0x002 Size             : Uint2B
   +0x004 AllocationProcessorNumber : Uint2B
   +0x006 Reserved         : Uint2B
   +0x008 MdlAddress       : Ptr64
   +0x010 Flags            : Uint4B
   +0x018 AssociatedIrp    : <anonymous-tag>
      +0x000 MasterIrp        : Ptr64
      +0x000 IrpCount         : Int4B
@matterpreter
matterpreter / x64ShellcodeLoader.cs
Created November 21, 2019 18:26
x64 C# Shellcode Loader
//Thanks @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs
using System;
using System.Runtime.InteropServices;

namespace ShellcodeLoader
{
    class Program
    {
        static void Main(string[] args)
        {