@wdormann
wdormann / dgram.py
Created October 8, 2024 12:18
Crash macOS Sequoia with a simple attempt to use a Unix datagram
import socket
import os

def main():
    # Create a Unix Datagram (DGRAM) socket
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    # Bind the socket to a file
    socket_path = './sock'
    if os.path.exists(socket_path):
        # Remove a stale socket file left over from a previous run
        os.unlink(socket_path)
    sock.bind(socket_path)
@wdormann
wdormann / pathsegment.yara
Created September 11, 2024 16:43
YARA rule for detecting "path segment" variant of CVE-2024-38217 LNK stomping exploits
rule PathSegmentLNK {
    strings:
        $lnk_header = { 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 }
        $exe_string = ".exe" nocase
        $c_drive = "c:\\" nocase
    condition:
        $lnk_header at 0 and
        for any i in (0x80..0xC0): (
            uint8(i) == 0x5C and
            for any j in (i+1..0xC0): (uint8(j) == 0x5C)
@wdormann
wdormann / entropy.py
Last active July 16, 2024 14:53
Get entropy of loaded things (ASLR effectiveness) in Linux
import subprocess
import re
import time
import os
from collections import defaultdict

# Function to get the kernel version
def get_kernel():
    result = subprocess.Popen(['uname', '-a'], stdout=subprocess.PIPE)
    output, _ = result.communicate()
@wdormann
wdormann / gist:f11dcb7d730b9da90cb22cfe20f4871e
Created June 27, 2024 15:20
Override PowerShell's "dir" alias with the CMD.EXE version
# Ensure the profile path exists
if (!(Test-Path -Path $PROFILE)) {
    New-Item -Type File -Path $PROFILE -Force
}

# Define the content to add to the profile
$profileContent = @'
function Invoke-CMDDir {
    $cmdArgs = @('/c', 'dir') + $args
    & cmd.exe $cmdArgs
@wdormann
wdormann / drivers_hvci_on_latest.log
Created May 30, 2023 17:06
Log of attempt to load 554 x86-64 drivers from LOLDrivers on an HVCI-enabled Win11 22H2 system with a May 24, 2023 MS drivers block list
sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin
[SC] StartService FAILED 87:
The parameter is incorrect.
sc start 0067c788e1cb174f008c325ebde56c22.bin
[SC] StartService FAILED 4551:
Your organization used Device Guard to block this app. Contact your support person for more info.
@wdormann
wdormann / drivers_hvci_on.log
Created May 30, 2023 16:54
Log of attempt to load 554 x86-64 drivers from LOLDrivers on an HVCI-enabled Win11 22H2 system with an October 31, 2022 driversipolicy.p7b
sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin
[SC] StartService FAILED 87:
The parameter is incorrect.
sc start 0067c788e1cb174f008c325ebde56c22.bin
[SC] StartService FAILED 2148204812:
A certificate was explicitly revoked by its issuer.
@wdormann
wdormann / drivers_latest.log
Last active May 24, 2023 15:01
Log of attempt to load 554 x86-64 drivers from LOLDrivers on a Win11 22H2 system with a May 24, 2023 MS drivers block list
sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin
[SC] StartService FAILED 577:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
sc start 0067c788e1cb174f008c325ebde56c22.bin
[SC] StartService FAILED 4551:
Your organization used Device Guard to block this app. Contact your support person for more info.
@wdormann
wdormann / drivers.log
Created May 24, 2023 12:35
Log of attempt to load 554 x86-64 drivers from LOLDrivers on a Win11 22H2 system with an October 31, 2022 driversipolicy.p7b
sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin
[SC] StartService FAILED 577:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
sc start 0067c788e1cb174f008c325ebde56c22.bin
[SC] StartService FAILED 2148204812:
A certificate was explicitly revoked by its issuer.
@wdormann
wdormann / msgtotnef.cs
Created March 17, 2023 21:21
Convert .MSG file to TNEF file
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Aspose.Email;

namespace msgtotnef
{
    class Program
@wdormann
wdormann / mandiant.xml
Last active March 9, 2023 20:46
WDAC blocking policy for Mandiant-mentioned BYOVD drivers
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
<VersionEx>10.0.0.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
<Option>Enabled:Audit Mode</Option>