Dmytro Oleksiuk Cr4sh

๐ŸŒด
View GitHub Profile

Syscall Provider

Background

SyscallProvider is a feature available from Windows 11 22H2 that allows inline hooking of syscalls.
This unfinished research was done on Windows 11 22H2. The feature is fully undocumented at the moment, and it looks like it's locked to Microsoft-signed drivers.
All of the information here was gathered by manual reverse engineering of securekernel.exe, skci.dll and ntoskrnl.exe.
The kernel exports three functions to work with the new feature: PsRegisterSyscallProvider, PsQuerySyscallProviderInformation, PsUnregisterSyscallProvider.
This writeup will explore how this feature is initialized, how it works internally, and how to interact with it and use it.

@Proxy13
Proxy13 / guide-change-imei-snapdragon.md
Created September 27, 2023 09:02
[GUIDE] How to change IMEI on Snapdragon devices

FOR EDUCATIONAL PURPOSES ONLY. CHANGING THE IMEI IS ILLEGAL IN MOST COUNTRIES; MAKE SURE YOU ARE CERTAIN OF YOUR ACTIONS BEFORE DOING THIS.

I AM NOT RESPONSIBLE IF YOUR DEVICE IS BROKEN OR THE IMEI IS NOT CHANGED BECAUSE YOU DIDN'T FOLLOW THE STEPS CAREFULLY OR HAVE A DIFFERENT EFS PARTITION SCHEME.

This guide was tested on a Google Pixel 3. A different device may also have a different EFS partition scheme, so please make sure you adjust this guide accordingly. Other Google Pixel devices may use this guide without adjustment.

Prerequisites:

@steven-michaud
steven-michaud / ThirdPartyKexts.md
Last active May 21, 2025 05:48
Running Third Party Kernel Extensions on Virtualization Framework macOS Guest VMs

As of macOS 12 (Monterey), Apple's Virtualization framework has nice support for macOS guest virtual machines, but with severe limitations: For example you can't install a macOS guest on Intel Macs, install guests with newer versions of macOS than the host, copy and paste between the host and the guest, or install third party kernel extensions in the guest. As usual for Apple, the functionality they do support is nicely implemented, but they've left out so much that the result is only marginally useful -- at least compared to

@VVX7
VVX7 / blasty-vs-pkexec.c
Created January 25, 2022 22:51
CVE-2021-4034
/*
* blasty-vs-pkexec.c -- by blasty <[email protected]>
* ------------------------------------------------
* PoC for CVE-2021-4034, shout out to Qualys
*
* ctf quality exploit
*
* bla bla irresponsible disclosure
*
* -- blasty // 2022-01-25
@JamesHagerman
JamesHagerman / stslte-notes.md
Last active March 17, 2024 20:37
My notes about running srsLTE

srsLTE notes

These are notes I've taken while trying to get srsLTE up and running. This is messy, sorry...

Working solution - LimeSDR + SoapySDR + srsLTE

Dependencies:

sudo apt install tree vim git g++ make cmake pkg-config libpython-dev python-numpy swig libi2c-dev libusb-1.0-0-dev libfftw3-dev libmbedtls-dev libboost-program-options-dev libconfig++-dev libsctp-dev gnuradio
@eiselekd
eiselekd / enableDCI.txt
Last active December 13, 2024 10:01
Enable DCI debugging on Gigabyte-BKi5HA-7200
The Gigabyte-BKi5HA-7200 (Kaby Lake i5-7200 processor) can be debugged with only a USB debug cable, a
special cable that crosses only the data signals and has the power signals
removed. You can buy these cables at, e.g., https://www.datapro.net/products/usb-3-0-super-speed-a-a-debugging-cable.html
The hurdle you have to overcome before you can access DCI, however, is that you
need to set some bits in hardware that first enable DCI and also enable the debug port so that DCI can control the cores.
There are lots of guides on how to patch the BIOS, but only these two really describe all the steps using only freely accessible tools:
@aweibell
aweibell / mounting.sh
Last active September 14, 2024 13:39
Mount zfs from luks-encrypted drive when booting from Ubuntu Live CD
#!/usr/bin/env bash
# Let the user pick a whole disk (partition entries "-partN" are filtered out)
echo "Select disk:"
select CHOICE_DISK in $(ls /dev/disk/by-id/ | grep -v "\-part");
do
    echo "Selected ${CHOICE_DISK}"
    break
done
@Cr4sh
Cr4sh / ami_smi_dump.py
Last active August 9, 2024 13:41
Extract SW SMI handlers information from SMRAM dump of Skylake based AMI Aptio V firmware
'''
###########################################################################
Extract SW SMI handlers information from SMRAM dump of Skylake based
AMI Aptio V firmware.
To use full capabilities of this tool you need to install UEFIDump
(https://github.com/LongSoft/UEFITool/releases/tag/A32), ida-efiutils
(https://github.com/snare/ida-efiutils) and edit corresponding variables
below.
@cyphunk
cyphunk / ios_security_notes.md
Last active May 28, 2018 00:58
notes from iOS security documentation that I used to write https://deadhacker.com/2016/03/25/the-terrorists-phone/

Notation iOS 9

This is a homebrewed notation I typically use when evaluating secure boot designs of embedded devices. It doesn't apply accurately to the iOS review; it hides the key-wrapping scheme, for example. But it's enough to keep track of the storage location of secrets and some interdependencies.

pfk                  = 256bit per_file_key
@Cr4sh
Cr4sh / gist:fe910f0d1b0559efd43d
Created September 3, 2014 19:55
Dynamically finding sys_call_table on Linux x86_64 systems
void **find_sys_call_table(void *kernel_addr, int kernel_size)
{
    /*
        Check for the system_call_fastpath() signature, a hand-written piece of
        assembly code from arch/x86/kernel/entry_64.S:

            ja      badsys
            mov     rcx, r10
            call    sys_call_table[rax * 8]
            mov     [rsp + 20h], rax