start new:
tmux
start new with session name:
tmux new -s myname
```python
# -*- coding: UTF-8 -*-
from ctypes.wintypes import *
from ctypes import *
from enum import IntEnum

# These libraries have the APIs we need
kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
psapi = WinDLL('psapi.dll', use_last_error=True)
```

```python
import sys
import random
import binascii
import struct
import os
from ctypes import *
from ctypes.wintypes import *

# Shorthands for some ctypes stuff.
```
The CTREE is built from the optimized microcode (at maturity level CMAT_FINAL); it is an AST-like tree of C statements and expressions and can be printed as C code.
Sometimes there is an inconsistency between the Local Types and Structures views.
Typically, the type shown in the "Structures" view is zero-length, whereas it should have the same size as the corresponding local type.
When this happens, you cannot rename the structure fields in the Hex-Rays Decompiler view: neither the N hotkey nor right-clicking the item brings up the rename popup.
After reverse engineering the hexx64.dll, I found that IDA tries to do the following things:
```c
/**
 * Compression using undocumented API in rdpbase.dll
 * RDPCompressEx supports four algorithms: MPPC-8K, MPPC-64K, NCRUSH and XCRUSH.
 * This code supports all except NCRUSH.
 * The MPPC compression ratio is very similar to LZSS, so this could be quite useful for shellcode trying to evade detection.
 * NCRUSH compression appears to work but fails for decompression.
 */
```