```python
#!/usr/bin/env python3
"""
find_retpoline_gadgets_auto.py
Find "retpoline-style" gadgets in an uncompressed vmlinux by looking for
call/jmp rel32 instructions that target retpoline thunks (e.g.
__x86_indirect_thunk_rax, __x86_return_thunk). The script will attempt to
auto-compute the KASLR slide using /proc/kallsyms and the symbols inside the
vmlinux ELF. You can also pass an explicit --slide to override.
```
```python
import socket
import os

def main():
    # Create a Unix Datagram (DGRAM) socket
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    # Bind the socket to a file
    socket_path = './sock'
    if os.path.exists(socket_path):
```
```yara
rule PathSegmentLNK {
    strings:
        $lnk_header = { 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 }
        $exe_string = ".exe" nocase
        $c_drive = "c:\\" nocase
    condition:
        $lnk_header at 0 and
        for any i in (0x80..0xC0): (
            uint8(i) == 0x5C and
            for any j in (i+1..0xC0): (uint8(j) == 0x5C)
```
```python
import subprocess
import re
import time
import os
from collections import defaultdict

# Function to get the kernel version
def get_kernel():
    result = subprocess.Popen(['uname', '-a'], stdout=subprocess.PIPE)
    output, _ = result.communicate()
```
```powershell
# Ensure the profile path exists
if (!(Test-Path -Path $PROFILE)) {
    New-Item -Type File -Path $PROFILE -Force
}
# Define the content to add to the profile
$profileContent = @'
function Invoke-CMDDir {
    $cmdArgs = @('/c', 'dir') + $args
    & cmd.exe $cmdArgs
```
```text
sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin
[SC] StartService FAILED 87:
The parameter is incorrect.
sc start 0067c788e1cb174f008c325ebde56c22.bin
[SC] StartService FAILED 4551:
Your organization used Device Guard to block this app. Contact your support person for more info.
```
```text
sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin
[SC] StartService FAILED 87:
The parameter is incorrect.
sc start 0067c788e1cb174f008c325ebde56c22.bin
[SC] StartService FAILED 2148204812:
A certificate was explicitly revoked by its issuer.
```
```text
sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin
[SC] StartService FAILED 577:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
sc start 0067c788e1cb174f008c325ebde56c22.bin
[SC] StartService FAILED 4551:
Your organization used Device Guard to block this app. Contact your support person for more info.
```
```text
sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin
[SC] StartService FAILED 577:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
sc start 0067c788e1cb174f008c325ebde56c22.bin
[SC] StartService FAILED 2148204812:
A certificate was explicitly revoked by its issuer.
```
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Aspose.Email;

namespace msgtotnef
{
    class Program
```