odzhan
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // adapted from : https://gist.github.com/daaximus/a48b0a991b31e8841b68dbbc480a0a5a | |
| // | |
| #define UNICODE | |
| #include <windows.h> | |
| #include <imapi2fs.h> | |
| #include <shlwapi.h> | |
| #include <objbase.h> | |
| #include <oleauto.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // Base-N encoding based on assembly code by Qkumba | |
| // | |
| #include <stdint.h> | |
| #define ROTR32(v,n)(((v)>>(n))|((v)<<(32-(n)))) | |
| #define ROTL32(v,n)(((v)<<(n))|((v)>>(32-(n)))) | |
| #define ROTR64(v,n)(((v)>>(n))|((v)<<(64-(n)))) | |
| #define ROTL64(v,n)(((v)<<(n))|((v)>>(64-(n)))) |
odzhan
/ call_api_arm64.asm
Last active
October 31, 2022 22:05
Invoke Win32 API for Windows on ARM64
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| area .drectve, drectve | |
| export call_api | |
| ; The following are 64-Bit offsets. | |
| TEB_ProcessEnvironmentBlock equ 0x00000060 | |
| TEB_LastErrorValue equ 0x00000068 | |
| PEB_Ldr equ 0x00000018 | |
| PEB_LDR_DATA_InLoadOrderModuleList equ 0x00000010 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| Compile with MSVC : cl /EHsc d3dpack.cpp | |
| C:\d3dpack e C:\windows\system32\cmd.exe cmd.packed | |
| Direct 3D Compression Example. | |
| SHA256("C:\windows\system32\cmd.exe") : b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 | |
| Compressing "C:\windows\system32\cmd.exe" -> "cmd.packed" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| Compile with MSVC : cl /EHsc ark.cpp /I <path_to_libarchive> | |
| */ | |
| #include <cstdio> | |
| #include <cstdint> | |
| #include <cstdlib> | |
| #include <cstring> |
odzhan
/ BaseThreadInitThunk.cpp
Last active
April 12, 2025 09:06
Locating kernel32!BaseThreadInitThunk in NTDLL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // Every new thread starts with ntdll!RtlUserThreadStart and it typically calls kernel32!BaseThreadInitThunk | |
| // | |
| // Some applications like Mozilla Firefox and Microsoft Edge will replace this with their own function for hooking purposes. | |
| // The following code shows how to find it without using debugging symbols. | |
| // | |
| // @modexpblog | |
| // | |
| #define PHNT_VERSION PHNT_VISTA |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // Non-standard implementation of Base-32 and Base-64 encoding to reduce entropy of data. | |
| // Example results: | |
| // | |
| // Base-32 -> 1024 bytes : Before: 7.798637, After: 4.989102 | |
| // Base-64 -> 1024 bytes : Before: 7.805048, After: 5.971653 | |
| // | |
| // The lower values after encoding show a reduction in entropy. | |
| // |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // How to locate the WOW64 Callback Table in ntdll.dll | |
| // | |
| // @modexpblog | |
| // | |
| #define PHNT_VERSION PHNT_VISTA | |
| #include <phnt_windows.h> | |
| #include <phnt.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define PHNT_VERSION PHNT_WIN8 | |
| #include <phnt_windows.h> | |
| #include <phnt.h> | |
| #include <cstdio> | |
| #include <cstdint> | |
| #include <cstdlib> | |
| #include <cstring> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| This is free and unencumbered software released into the public domain. | |
| Anyone is free to copy, modify, publish, use, compile, sell, or | |
| distribute this software, either in source code form or as a compiled | |
| binary, for any purpose, commercial or non-commercial, and by any | |
| means. | |
| In jurisdictions that recognize copyright laws, the author or authors | |
| of this software dedicate any and all copyright interest in the |