Nemanja Mulasmajic nmulasmajic
🕹️
nmulasmajic
/ enum_win_callbacks.py
Last active
March 5, 2021 16:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Module Name: | |
| enum_win_callbacks.py | |
| Abstract: | |
| Iterates over the nt!PspCreateProcessNotifyRoutine, | |
| nt!PspCreateThreadNotifyRoutine, and nt!PspLoadImageNotifyRoutine | |
| callback arrays. | |
| Requirements: |
nmulasmajic
/ antidebug_long_int3.cpp
Last active
March 20, 2023 18:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Module Name: | |
| * antidebug_long_int3.cpp | |
| * | |
| * Abstract: | |
| * Attempts to detect the presence of a debugger | |
| * by issuing a multi-byte int 3 and inspecting | |
| * page PTE mappings. | |
| * | |
| * Author: |
nmulasmajic
/ int3.cpp
Created
September 1, 2017 00:06
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Module Name: | |
| * int3.cpp | |
| * | |
| * Abstract: | |
| * Examines the difference in operation between a | |
| * multi-byte int 3 (0xCD 0x03) and a single-byte | |
| * int 3 (0xCC). | |
| * | |
| * Author: |
nmulasmajic
/ ReadProcessMemory.cpp
Created
July 20, 2017 23:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Module Name: | |
| * ReadProcessMemory.cpp | |
| * | |
| * Abstract: | |
| * Reads a blob of memory from the specified process. | |
| * | |
| * Author: | |
| * Nemanja (Nemi) Mulasmajic <[email protected]> | |
| * http://triplefault.io |
nmulasmajic
/ WorkingSetWatch.cpp
Last active
October 29, 2024 02:49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Module Name: | |
| * WorkingSetWatch.cpp | |
| * | |
| * Abstract: | |
| * Tracks page faults that occur within the process. | |
| * | |
| * NOTE: This is not compatible with Wow64 and must be run as a 64-bit | |
| * program on x64 and a 32-bit program on x86. | |
| * |
nmulasmajic
/ find_nt_imagebase_x64.py
Last active
May 31, 2022 07:14
Discovers the base address of ntoskrnl when IDA's GDB stub is loaded by leveraging the IDT.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Module Name: | |
| find_nt_imagebase_x64.py | |
| Abstract: | |
| Discovers the base address of ntoskrnl when IDA's GDB stub is | |
| loaded by leveraging the IDT. | |
| NOTE: This is only compatible for 64-bit editions of Windows. | |