Matt Hand matterpreter
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Instantiate the object | |
| $clsid = '{A845DCD6-BB08-4F37-9BA5-AAC66F5ADDCE}' | |
| $obj = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID($clsid)) | |
| # Get the address of the IUnknown vtable | |
| Add-Type -AssemblyName 'System.Runtime.InteropServices' | |
| $iunk = [System.Runtime.InteropServices.Marshal]::GetIUnknownForObject($obj) | |
| $vtable = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($iunk) | |
| # Locate the in-proc server and get it's base address |
matterpreter
/ Count-PInvokes.ipynb
Created
February 24, 2022 20:17
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
matterpreter
/ RpcParser.java
Last active
March 9, 2022 00:21
Ghidra RPC procedure identification script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Locate RPC procecures inside of server code | |
| //@author Matt Hand (@matterpreter) based on original work by Sektor7 Labs (@reenz0h) | |
| //@category Functions | |
| //@keybinding | |
| //@menupath | |
| //@toolbar | |
| import ghidra.app.script.GhidraScript; | |
| import ghidra.program.model.block.*; | |
| import ghidra.program.model.symbol.*; |
matterpreter
/ FindTargetImports.cs
Last active
November 28, 2022 04:43
Search all PE files in a directory for ones which import a specific DLL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Concurrent; | |
| using System.Collections.Generic; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Linq; | |
| using System.Threading.Tasks; | |
| using PeNet; | |
| using PeNet.Header.Pe; |
matterpreter
/ CallTreeToJSON.py
Last active
June 4, 2024 23:58
Convert Ghidra Call Trees to JSON for Neo4j Ingestion
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #@author matterpreter | |
| #@category | |
| #@keybinding | |
| #@menupath | |
| #@toolbar | |
| ### | |
| # To import to Neo4j: | |
| # CREATE CONSTRAINT function_name ON (n:Function) ASSERT n.name IS UNIQUE | |
| # |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| lkd> dt -b nt!_EPROCESS | |
| +0x000 Pcb : _KPROCESS | |
| +0x000 Header : _DISPATCHER_HEADER | |
| +0x000 Lock : Int4B | |
| +0x000 LockNV : Int4B | |
| +0x000 Type : UChar | |
| +0x001 Signalling : UChar | |
| +0x002 Size : UChar | |
| +0x003 Reserved1 : UChar | |
| +0x000 TimerType : UChar |
matterpreter
/ NtMonitor.py
Last active
February 27, 2024 09:38
Frida script to spawn a process and monitor Native API calls
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import frida | |
| import sys | |
| def on_message(message, data): | |
| if message['type'] == 'send': | |
| print(message['payload']) | |
| elif message['type'] == 'error': | |
| print(message['stack']) | |
| else: | |
| print(message) |
matterpreter
/ CyrillicSwap.cs
Created
April 21, 2020 13:35
Swap Latin characters to Cyrillic lookalikes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public static void CyrillicSwap(string latinString) | |
| { | |
| Console.OutputEncoding = Encoding.UTF8; | |
| Dictionary<string, string> CyrDict = new Dictionary<string, string>() | |
| { | |
| {"a", "а"}, // \u0430 | |
| {"c", "с"}, // \u0441 | |
| {"e", "е"}, // \u0435 | |
| {"o", "о"}, // \u043e | |
| {"p", "р"}, // \u0440 |
matterpreter
/ IRP Structure
Last active
August 9, 2022 18:38
(Semi)Full IRP Structure in Win10 1903
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0: kd> dt -b nt!_IRP | |
| +0x000 Type : Int2B | |
| +0x002 Size : Uint2B | |
| +0x004 AllocationProcessorNumber : Uint2B | |
| +0x006 Reserved : Uint2B | |
| +0x008 MdlAddress : Ptr64 | |
| +0x010 Flags : Uint4B | |
| +0x018 AssociatedIrp : <anonymous-tag> | |
| +0x000 MasterIrp : Ptr64 | |
| +0x000 IrpCount : Int4B |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Thanks @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs | |
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace ShellcodeLoader | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |
NewerOlder