@X-C3LL
X-C3LL / hookdetector.vba
Created December 7, 2020 22:31
VBA Macro to detect EDR Hooks (It's just a PoC)
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)
'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
Dim address As LongPtr
@animetosho
animetosho / gf2p8affineqb-articles.md
Last active November 18, 2025 00:51
A list of articles documenting uses of the GF2P8AFFINE instruction

Unexpected Uses for the Galois Field Affine Transformation Instruction

Intel added the Galois Field instruction set (GFNI) extensions to their Sunny Cove and Tremont cores. What’s particularly interesting is that GFNI is the only new SIMD extension that came with SSE and VEX/AVX encodings (in addition to EVEX/AVX512), to allow it to be supported on all future Intel cores, including those which don’t support AVX512 (such as the Atom line, as well as Celeron/Pentium branded “big” cores).

I suspect GFNI was aimed at accelerating SM4 encryption; however, one of the instructions can be used for many other purposes. The extension includes three instructions, but of particular interest here is the Affine Transformation (GF2P8AFFINEQB), aka bit-matrix multiply, instruction.

There have been various articles which discuss out-of-band

@animetosho
animetosho / galois-field-affine-uses.md
Last active November 14, 2025 00:44
A list of “out-of-band” uses for the GF2P8AFFINEQB instruction I haven’t seen documented elsewhere

Count Leading/Trailing Zero Bits (Byte-wise)

The trailing zero bit count (TZCNT) can be computed by isolating the lowest set bit, then depositing that single bit into the bit positions that spell its index. The leading zero bit count (LZCNT) can be done by reversing the bits, then computing the TZCNT.

__m128i _mm_tzcnt_epi8(__m128i a) {
	// isolate lowest bit
	a = _mm_andnot_si128(_mm_add_epi8(a, _mm_set1_epi8(0xff)), a);
	// convert lowest bit to index
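To make the "deposit into the appropriate locations" step concrete, here is an added example (not animetosho's SIMD code) that emulates one lane of GF2P8AFFINEQB in scalar C and builds the byte-wise TZCNT and LZCNT from it. The layout assumption is that `row[i]` drives output bit i; in the instruction's 64-bit matrix operand that row sits in byte 7-i, which `pack_matrix()` reproduces.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: scalar emulation of the GF(2) affine transform, not the
 * gist's intrinsics. out.bit[i] = parity(row[i] & x) XOR b.bit[i]. */

static uint8_t parity8(uint8_t v) { v ^= v >> 4; v ^= v >> 2; v ^= v >> 1; return v & 1; }

uint8_t gf2p8affine_byte(uint8_t x, const uint8_t row[8], uint8_t b)
{
    uint8_t out = 0;
    for (int i = 0; i < 8; i++)
        out |= (uint8_t)((parity8(row[i] & x) ^ ((b >> i) & 1)) << i);
    return out;
}

/* Pack rows into the qword the intrinsic expects (assumption: row i -> byte 7-i). */
uint64_t pack_matrix(const uint8_t row[8])
{
    uint64_t m = 0;
    for (int i = 0; i < 8; i++) m |= (uint64_t)row[i] << (8 * (7 - i));
    return m;
}

/* For a one-hot input 1<<k, parity(row[i] & x) is simply bit k of row[i], so
 * the transform becomes an 8-entry lookup: column k must spell k XOR b.
 * With b = 8 the all-zero input (no bit set) yields 8, and column k = k^8
 * gives: bit0 of k -> 0xAA, bit1 -> 0xCC, bit2 -> 0xF0, bit3 of k^8 is
 * always set -> 0xFF. */
static const uint8_t TZ_ROWS[8] = {0xAA, 0xCC, 0xF0, 0xFF, 0, 0, 0, 0};
#define TZ_CONST 8

/* Bit reversal is the anti-diagonal matrix: out bit i = in bit 7-i. */
static const uint8_t REV_ROWS[8] = {0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01};

uint8_t tzcnt8(uint8_t x)
{
    uint8_t lowest = x & (uint8_t)(0u - x);              /* isolate lowest set bit */
    return gf2p8affine_byte(lowest, TZ_ROWS, TZ_CONST);  /* one-hot -> index (0 -> 8) */
}

uint8_t lzcnt8(uint8_t x)
{
    return tzcnt8(gf2p8affine_byte(x, REV_ROWS, 0));     /* reverse, then TZCNT */
}

/* Exhaustive check against plain loops; returns 1 if every byte agrees. */
int selftest(void)
{
    for (int v = 0; v < 256; v++) {
        uint8_t x = (uint8_t)v, tz = 8, lz = 8;
        for (int i = 0; i < 8; i++) if (x & (1u << i)) { tz = (uint8_t)i; break; }
        for (int i = 7; i >= 0; i--) if (x & (1u << i)) { lz = (uint8_t)(7 - i); break; }
        if (tzcnt8(x) != tz || lzcnt8(x) != lz) return 0;
    }
    return 1;
}

int main(void)
{
    printf("tzcnt8(0x20)=%u lzcnt8(0x01)=%u selftest=%d\n",
           tzcnt8(0x20), lzcnt8(0x01), selftest());
    printf("TZ matrix qword for _mm_gf2p8affine_epi64_epi8: 0x%016llx, imm8=%d\n",
           (unsigned long long)pack_matrix(TZ_ROWS), TZ_CONST);
    return 0;
}
```

On GFNI hardware the same two steps are `_mm_gf2p8affine_epi64_epi8(lowest, _mm_set1_epi64x(matrix), 8)` with `matrix = pack_matrix(TZ_ROWS)`; the emulation above exists so the matrix derivation can be checked on any machine before it is baked into a constant.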
@t-mat
t-mat / dx11-screen-capture.cpp
Created August 28, 2020 09:36
[WIN32] DX11 DXGI Screen capture sample
// WIN32/C++17: DX11 DXGI Screen capture sample
//
// References:
// - https://github.com/microsoftarchive/msdn-code-gallery-microsoft/tree/master/Official%20Windows%20Platform%20Sample/DXGI%20desktop%20duplication%20sample
// - https://github.com/microsoft/DirectXTex/blob/master/ScreenGrab/ScreenGrab11.cpp
// - https://docs.microsoft.com/en-us/windows/win32/direct3ddxgi/desktop-dup-api
//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <atlbase.h>
@monoxgas
monoxgas / main.cpp
Created February 12, 2020 19:27
Adaptive DLL Hijacking - Stability Hooking
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
DWORD WINAPI Thread(LPVOID lpParam) {
// Insert evil stuff
ExitProcess(0);
@onyb
onyb / curve.py
Created January 9, 2020 23:21
secp256k1 Python workshop code
from dataclasses import dataclass
from field import FieldElement, PrimeGaloisField
@dataclass
class EllipticCurve:
a: int
b: int
@TheWover
TheWover / AMSIScanBufferBypass.cs
Last active October 5, 2021 11:20
Working full program for AMSIScanBufferBypass from Cyber Ark: https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/
using System;
using System.Runtime.InteropServices;
namespace AMSIBypass2
{
class Program
{
[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName);
@mattifestation
mattifestation / CorruptCLRGlobal.ps1
Created December 7, 2018 12:45
A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
function Subvert-CLRAntiMalware {
<#
.SYNOPSIS
A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694.
.DESCRIPTION
clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the first DWORD, the context structure will become corrupted and subsequent scanning calls will fail open.
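To show why a corrupted context turns into a fail-open rather than a block, here is an added example that is not mattifestation's PoC and not the code of amsi.dll or clr.dll: a small model in which the scan entry point validates a context signature and two callers react differently to a scan that cannot complete. The 'AMSI' signature DWORD, the struct layout and the keyword "detection" are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a model of context validation and caller error handling.
 * Assumption: the context starts with a 32-bit 'AMSI' signature that the
 * scan entry point checks before doing any work. */

typedef int32_t HRESULT_T;
#define S_OK_T         ((HRESULT_T)0)
#define E_INVALIDARG_T ((HRESULT_T)0x80070057L)
#define FAILED_T(hr)   ((hr) < 0)

#define AMSI_SIG 0x49534D41u   /* "AMSI" as a little-endian DWORD (assumed) */

typedef struct {
    uint32_t signature;        /* the DWORD the PoC overwrites */
    const char *app_name;
} amsi_context_t;

typedef enum { AMSI_CLEAN = 1, AMSI_DETECTED = 32768 } amsi_result_t;

/* Model of the scan entry point: a bad context is rejected before scanning.
 * The "engine" is a constructed keyword match, not real detection logic. */
HRESULT_T model_scan_buffer(const amsi_context_t *ctx, const char *buf, amsi_result_t *out)
{
    if (!ctx || ctx->signature != AMSI_SIG || !buf || !out)
        return E_INVALIDARG_T;
    *out = strstr(buf, "EvilPayload") ? AMSI_DETECTED : AMSI_CLEAN;
    return S_OK_T;
}

/* Caller that treats any scan error as "nothing found": the fail-open
 * behaviour the PoC relies on. Returns 1 if execution is blocked. */
int caller_fail_open(const amsi_context_t *ctx, const char *buf)
{
    amsi_result_t r;
    HRESULT_T hr = model_scan_buffer(ctx, buf, &r);
    if (FAILED_T(hr)) return 0;             /* scan failed -> allow */
    return r >= AMSI_DETECTED;
}

/* Hardened caller: a scan that cannot complete is a block, not a pass. */
int caller_fail_closed(const amsi_context_t *ctx, const char *buf)
{
    amsi_result_t r;
    HRESULT_T hr = model_scan_buffer(ctx, buf, &r);
    if (FAILED_T(hr)) return 1;             /* scan failed -> block */
    return r >= AMSI_DETECTED;
}

/* What the PoC does: follow the global pointer to the context and clobber
 * its first DWORD. Here the "global" is simply the struct passed in. */
void corrupt_context(amsi_context_t *ctx) { ctx->signature = 0x41414141u; }

int main(void)
{
    amsi_context_t ctx = { AMSI_SIG, "model-host" };
    const char *sample = "some script; EvilPayload(); more";   /* constructed input */
    printf("intact:    fail-open=%d fail-closed=%d\n",
           caller_fail_open(&ctx, sample), caller_fail_closed(&ctx, sample));
    corrupt_context(&ctx);
    printf("corrupted: fail-open=%d fail-closed=%d\n",
           caller_fail_open(&ctx, sample), caller_fail_closed(&ctx, sample));
    return 0;
}
```

The difference between the two callers is one branch: whether `FAILED(hr)` maps to "allow" or "block". Anything that can make the scan return an error (a corrupted context, a patched entry point, a missing provider) becomes a bypass only under the first policy.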
@clarkezone
clarkezone / RoHelper.cpp
Created September 17, 2018 02:28
Dynamically using WinRT, avoiding statically linking windowsapp.lib (which would break compatibility with Win7)
class RoHelper
{
public:
RoHelper() : mWinRtAvailable(false)
{
if (!IsWindows10OrGreater())
{
return;
}
@TheKevinWang
TheKevinWang / CompileInMemory.cs
Last active October 23, 2024 04:43
Compile and run C# code in memory to avoid anti-virus. Taken from a C# ransomware sample: https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/ However, this will still execute csc.exe and drop a DLL to %temp%: https://twitter.com/Laughing_Mantis/status/991018563296157696
using System;
using System.Collections.Generic;
using System.Text;
using System.CodeDom.Compiler;
using Microsoft.CSharp;
using System.IO;
using System.Reflection;
namespace InMemoryCompiler
{
class Program