valkheim

🔥
ORUGKIDHMFWWKCQ=
/*
This file has been generated by IDA.
It contains local type definitions from
the type library 'ntoskrnl.exe'
*/
#define __int8 char
#define __int16 short
#define __int32 int
#define __int64 long long
@valkheim
valkheim / CVE-2021-3493
Created April 29, 2021 18:42
CVE-2021-3493 - overlayfs pe
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <err.h>
#include <errno.h>
#include <sched.h>
#include <sys/types.h>
/*
https://github.com/sagishahar/lpeworkshop
$ sudo apt install gcc-mingw-w64
$ x86_64-w64-mingw32-gcc windows_service.c -o lpe.exe
*/
#include <windows.h>
#include <stdio.h>
#define SLEEP_TIME 5000
<#
Update 2021-05-22
https://raw.githubusercontent.com/MattiasC85/Scripts/master/OSD/Download-AppxFromStore.ps1
https://github.com/microsoftfeedback/WinDbg-Feedback/issues/19
https://www.microsoft.com/en-us/p/windbg-preview/9pgjgd53tn86
Update 2020-02-18
Thanks @BruceDawson0xB for pointing out the flaw in the regex pattern. If %tmp% began with a lowercase char, the script would fail.
@valkheim
valkheim / IDTClient.c
Created June 4, 2021 14:49 — forked from Barakat/IDTClient.c
Windows x86 Interrupt Descriptor Table (IDT) hooking driver
//
// Windows x86 Interrupt Descriptor Table (IDT) hook test
//
// Barakat Soror (https://twitter.com/barakatsoror)
//
#include <Windows.h>
int main(void)
{
@valkheim
valkheim / download_pdb_database.py
Created July 9, 2021 07:01 — forked from lucasg/download_pdb_database.py
Download pdb and PE files from microsoft symbol store
import os
import re
import sys
import logging
import argparse
import subprocess
import requests
@valkheim
valkheim / ioctl_decoding.py
Last active August 5, 2021 14:51
IOCTL decoding
"""
IOCTL decoding into an IOCTL dataclass
See also:
* https://www.osronline.com/article.cfm%5Earticle=229.htm
* http://www.ioctls.net/
* https://github.com/h0mbre/ioctl.py
* https://github.com/nccgroup/DriverBuddy/blob/master/DriverBuddy/ioctl.py
* https://social.technet.microsoft.com/wiki/contents/articles/24653.decoding-io-control-codes-ioctl-fsctl-and-deviceiocodes-with-table-of-known-values.aspx
KERNEL=4.10.3
NPROC=$(nproc)
HERE=$(dirname $(readlink -f "$0"))
# Log helper: pass the message as a printf argument rather than as the
# format string, so a '%' in the message cannot be interpreted as a directive.
function log
{
printf '[+] %s\n' "$1"
}
@valkheim
valkheim / sections.txt
Created November 11, 2021 00:05
Quick glance at ELF sections during a pwn debug session
[*] ELF sections summary:
+-------+--------------------+----------+-------+-------+-----------------+
| index | name | vaddr | size | perms | type |
+-------+--------------------+----------+-------+-------+-----------------+
| 0x0 | | 0x0 | 0x0 | --- | SHT_NULL |
| 0x1 | .interp | 0x400238 | 0x1c | r-- | SHT_PROGBITS |
| 0x2 | .note.ABI-tag | 0x400254 | 0x20 | r-- | SHT_NOTE |
| 0x3 | .note.gnu.build-id | 0x400274 | 0x24 | r-- | SHT_NOTE |
| 0x4 | .gnu.hash | 0x400298 | 0x38 | r-- | SHT_GNU_HASH |
| 0x5 | .dynsym | 0x4002d0 | 0xf0 | r-- | SHT_DYNSYM |
class Trie {
public:
Trie() {
memset(children, 0, sizeof(children));
valid = false;
}
void insert(string word) {
// from trie root
auto node = this;