@v-p-b
v-p-b / exchange-ssrf-fileleak.py
Last active December 7, 2023 20:13
ZDI-CAN-22101 / ZDI-23-1581 - Exchange SSRF PoC exploit with response retrieval for Burp Suite
# -*- coding: utf-8 -*-
from burp import IBurpExtender
from burp import IHttpListener
import json
# ZDI-CAN-22101 / ZDI-23-1581 - Exchange SSRF PoC exploit with response retrieval for Burp Suite
# by buherator, original research by Piotr Bazydło (@chudypb)
#
# Recovering string objects from the .NET heap
# Using clrMD "Microsoft.Diagnostics.Runtime.dll" - https://github.com/microsoft/clrmd
# Use 32-bit PowerShell to investigate a 32-bit process and 64-bit PowerShell to investigate a 64-bit process
[System.Reflection.Assembly]::LoadFile([System.IO.Path]::GetFullPath("Microsoft.Diagnostics.Runtime.dll")) | Out-Null
$processID = (Get-Process -Name "TestStrings_confused").Id
$dataTarget = [Microsoft.Diagnostics.Runtime.DataTarget]::AttachToProcess($processID, $false)
$clrInfo = $dataTarget.ClrVersions[0]
$clrRuntime = $clrInfo.CreateRuntime()
$objects = $clrRuntime.Heap.EnumerateObjects().Where{$_.Type.IsString}
@BushidoUK
BushidoUK / Israel_Palestine_Hacktivism_OSINT
Created October 8, 2023 15:26
Israel_Palestine_Hacktivism_OSINT
Twitter Accounts
https://twitter.com/ReVolution44Tm
https://twitter.com/barbbyofficial
https://twitter.com/Team_insane_pk1
https://twitter.com/anonymusweare
https://twitter.com/PalCyberNews
https://twitter.com/AnonAnonymous
Telegram Channels
https://t.me/s/CyberAv3ngers
@duffney
duffney / readingList.md
Last active December 3, 2023 22:54
Duffney's Reading List
@oopsmishap
oopsmishap / pxor_string_decrypt_wip.py
Last active November 26, 2023 22:19
WIP: pxor string via janky emulation
import time
from typing import List
import pefile
from capstone import *
from capstone.x86 import *
import re
import struct
# SAMPLE_PATH = 'bin/enc_string_test.bin32'
SAMPLE_PATH = 'bin/2cd2f077ca597ad0ef234a357ea71558d5e039da9df9958d0b8bd0efa92e74c9.bin32'
@yardenshafir
yardenshafir / vulnerable_drivers_hvci_bypass
Created May 22, 2023 16:17
Vulnerable drivers from loldrivers.io that load with HVCI blocklist version 25314
- 0a6a1c9a7f80a2a5dcced5c4c0473765.bin
- 0c0195c48b6b8582fa6f6373032118da.bin
- 0d5774527af6e30905317839686b449d.bin
- 045ef7a39288ba1f4b8d6eca43def44f.bin
- 07efb8259b42975d502a058db8a3fd21.bin
- 0898af0888d8f7a9544ef56e5e16354e.bin
- 08c1bce6627764c9f8c79439555c5636.bin
- 09672532194b4bff5e0f7a7d782c7bf2.bin
- 0dff47f3b14fb1c1bad47cc517f0581a.bin
- 0fc2653b1c45f08ca0abd1eb7772e3c0.bin
@g-les
g-les / next_data.py
Created May 10, 2023 13:29
Binja Snippet to Jump Around Data
bv.navigate(bv.view, bv.get_next_data_var_start_after(here))
/*
Hunting Russian Intelligence “Snake” Malware
The Snake implant is considered the most sophisticated cyber espionage tool designed and used by
Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive
targets.
*/
rule Windows_Snake_Malware {
meta:
@nasbench
nasbench / pwsh_dirty_words.yml
Last active March 19, 2025 19:57
List of suspicious strings used by PowerShell `SuspiciousContentChecker` function
# Source: System.Management.Automation.dll
# This list is used to determine if a ScriptBlock contains potentially suspicious content
# If a match is found, an automatic 4104 event with a "warning" level is generated.
# https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs
- "Add-Type"
- "AddSecurityPackage"
- "AdjustTokenPrivileges"
- "AllocHGlobal"
- "BindingFlags"
- "Bypass"
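The check described in the comments above can be reproduced stand-alone. The block below is an added example written for this page; it is not code from nasbench's gist or from the PowerShell repository. It re-implements the matching step as a case-insensitive substring search over the script block text (how `SuspiciousContentChecker` behaves) and the resulting event level (4104 at Warning when a term matches, Verbose otherwise). It uses only the six terms visible in the excerpt above; the real list in `CompiledScriptBlock.cs` is longer. The sample script blocks are constructed for the example.

```python
"""Re-implementation of the ScriptBlock "dirty word" check (added example).

Assumptions (not from the original page):
  - DIRTY_WORDS holds only the terms visible in the excerpt; the real list is longer.
  - Matching is a case-insensitive substring search over the raw script block text,
    which is what PowerShell's SuspiciousContentChecker does before logging.
"""
from typing import List, Optional

# Excerpt of the term list from the gist above (truncated on the page).
DIRTY_WORDS: List[str] = [
    "Add-Type",
    "AddSecurityPackage",
    "AdjustTokenPrivileges",
    "AllocHGlobal",
    "BindingFlags",
    "Bypass",
]


def find_suspicious_content(script_block_text: str,
                            terms: List[str] = DIRTY_WORDS) -> Optional[str]:
    """Return the first term found (case-insensitively) in the script block text.

    The match is purely textual: it is performed on the text of the script block
    as it was compiled, not on what the script resolves to at runtime.
    """
    lowered = script_block_text.lower()
    for term in terms:
        if term.lower() in lowered:
            return term
    return None


def script_block_log_level(script_block_text: str) -> str:
    """Level PowerShell assigns to the 4104 (ScriptBlock creation) event.

    A hit forces logging at Warning level even when script block logging is not
    enabled by policy; otherwise the event, if logged at all, is Verbose.
    """
    return "Warning" if find_suspicious_content(script_block_text) else "Verbose"


# Constructed sample script blocks for the demonstration.
BENIGN = "Get-Process | Where-Object CPU -gt 10"
DIRECT = "add-type -TypeDefinition $src"
CONCATENATED_NAME = "& ('Add-' + 'Type') -TypeDefinition $src"
POLICY = "Set-ExecutionPolicy bypass -Scope Process"

if __name__ == "__main__":
    for sample in (BENIGN, DIRECT, CONCATENATED_NAME, POLICY):
        print(f"{script_block_log_level(sample):8} {find_suspicious_content(sample)!s:22} {sample}")
```

The third sample shows the limit of a text-only check: a command name assembled with string concatenation and the call operator never contains `Add-Type` as a substring, so it logs at Verbose. Text that is assembled at runtime and then run through `Invoke-Expression` does not escape this way, because the decoded string is compiled as a new script block and checked (and logged) on its own.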
# Search for ffmpeg.dll in the C drive
$ffmpegFiles = Get-ChildItem -Path "C:\" -Recurse -Filter "ffmpeg.dll" -ErrorAction SilentlyContinue
# Initialize an array to store the hash results
$hashResults = @()
# The target hash to compare with
$targetHash = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
$found = $false
# Calculate the SHA256 hash for each file and compare it with the target hash
# (loop completing the truncated preview; -eq on strings is case-insensitive in PowerShell)
foreach ($file in $ffmpegFiles) {
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $hashResults += [PSCustomObject]@{ Path = $file.FullName; SHA256 = $hash }
    if ($hash -eq $targetHash) {
        $found = $true
        Write-Warning "Hash match: $($file.FullName)"
    }
}