Standard escape codes are prefixed with Escape (ESC), which can be written as:
- Ctrl-Key: ^[
- Octal: \033
- Unicode: \u001b
- Hexadecimal: \x1B
- Decimal: 27
| filter Expand-DefenderAVSignatureDB { | |
| <# | |
| .SYNOPSIS | |
| Decompresses a Windows Defender AV signature database (.VDM file). | |
| .DESCRIPTION | |
| Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: "scrambled" databases are currently not supported, although I have yet to encounter one; every database I've seen so far has been zlib-compressed. |
| { | |
| "targets": [ | |
| { | |
| "target_name": "hello", | |
| "sources": [ "hello.cc" ] | |
| } | |
| ] | |
| } |
| #include <Windows.h> | |
| #include <winternl.h> | |
// Types
// Function-pointer types for two routines this fragment does not declare; the
// names suggest ntdll's internal LdrProtectMrdata* functions, presumably
// resolved at runtime elsewhere in the file — TODO confirm against the caller.
// One int argument; its meaning is not established here.
typedef void(__stdcall* LdrProtectMrdata_t)(int);
// Declared __thiscall: on x86/MSVC the single argument travels in ECX rather
// than on the stack, so call it only through this typed pointer.
typedef void(__thiscall* LdrProtectMrdataHeap_t)(int);
| struct ExceptionRecord_t { | |
| LIST_ENTRY entry; | |
| int* unknown_intptr; |
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <winternl.h> | |
/* Number of entries in the cAllowDlls allow list below. */
#define dwAllowDllCount 1
/* Allow list of DLL paths, one fixed-size MAX_PATH entry each; presumably
 * consulted by the LoadDll hook declared below (the comparison code is not in
 * this fragment). NOTE(review): these are literal path strings. Confirm the
 * hook compares case-insensitively and on a normalized path (8.3 short names,
 * relative paths, forward slashes, junctions); otherwise an alternate spelling
 * of the same file would not match the list. */
CHAR cAllowDlls[dwAllowDllCount][MAX_PATH] = {
"W:\\allowed.dll"
};
/* Installs the LoadDll hook. lpAddr is presumably the address being hooked or
 * the hook target — TODO confirm from the definition (not in this fragment). */
VOID HookLoadDll(LPVOID lpAddr);
# Evaluate a JScript snippet through the JScript.NET engine that ships with the
# .NET Framework. NOTE(review): JScriptEvaluate runs whatever script text it is
# handed, with the caller's privileges; the snippet below launches calc.exe via
# WScript.Shell as a demo payload. Never pass untrusted input to this call.
# LoadWithPartialName is deprecated (version-ambiguous) but kept as in the original.
[Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');
$engine = [Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()
$snippet = 'var js = new ActiveXObject("WScript.Shell");js.Run("calc");'
[Microsoft.JScript.Eval]::JScriptEvaluate($snippet, $engine);
| import System; | |
| import System.Runtime.InteropServices; | |
| import System.Reflection; | |
| import System.Reflection.Emit; | |
| import System.Runtime; | |
| import System.Text; | |
| //C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js | |
| //C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js | |
| using System; | |
| using System.Runtime.CompilerServices; | |
| using System.Reflection; | |
| using System.Reflection.Emit; | |
| namespace FunkyJit | |
| { | |
| class Program | |
| { | |
/// <summary>
/// Placeholder method whose only effect is writing an empty line to the console.
/// NOTE(review): the name and the Reflection.Emit usings suggest this is a target
/// whose JIT-compiled body gets replaced from Main — confirm from the rest of the class.
/// </summary>
public static void Nothing()
{
    Console.WriteLine();
}
| static void Main(string[] args) |
| ### Original script and research by commial | |
| ### https://github.com/commial/experiments/tree/master/windows-defender | |
| ### Set LUADec_Path to binary | |
| ### https://github.com/viruscamp/luadec | |
| import struct | |
| import argparse | |
| import sys | |
| import os | |
| import io | |
| import subprocess |
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace DinjectorWithQUserAPC | |
| { | |
| public class Program |