Skip to content

Instantly share code, notes, and snippets.

View askme765cs's full-sized avatar

askme765cs

108 followers · 103 following
View GitHub Profile
@askme765cs
askme765cs / no_strings.hpp
Created July 29, 2022 03:50 — forked from EvanMcBroom/no_strings.hpp
Encrypt Strings at Compile Time
// Copyright (C) 2022 Evan McBroom
// If you are using Visual Studio, you will need to disable the "Edit and Continue" feature.
// Prng based off of Parker Miller's
// "Multiplicative Linear Congruential Generator"
// https://en.wikipedia.org/wiki/Lehmer_random_number_generator
namespace mlcg {
constexpr uint32_t modulus() {
return 0x7fffffff;
}
@askme765cs
askme765cs / mingw-w64-x86_64.cmake
Created January 25, 2022 16:22 — forked from peterspackman/mingw-w64-x86_64.cmake
cmake toolchain file for mingw-w64 x86_64 builds on Ubuntu
# Sample toolchain file for building for Windows from an Ubuntu Linux system.
#
# Typical usage:
# *) install cross compiler: `sudo apt-get install mingw-w64`
# *) cd build
# *) cmake -DCMAKE_TOOLCHAIN_FILE=~/mingw-w64-x86_64.cmake ..
set(CMAKE_SYSTEM_NAME Windows)
set(TOOLCHAIN_PREFIX x86_64-w64-mingw32)
@askme765cs
askme765cs / env_var_spoofing_poc.cpp
Created June 4, 2021 03:10 — forked from xpn/env_var_spoofing_poc.cpp
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)
#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43
@askme765cs
askme765cs / Malicious-CHM-Guide.md
Created February 25, 2021 08:58 — forked from mgeeky/Malicious-CHM-Guide.md
CheatSheet describing how to create malicious CHM file by hand (another approach is to use Nishang's Out-Chm scriptlet).

Procedure for generating Malicious CHM file

  • Step 0: Download and install Microsoft HTML Help Workshop and Documentation
  • Step 1: Obtain a valid CHM file and unpack it using 7-zip
  • Step 2: Find an entry-point HTML file within "docs" directory and insert the following code into it's <body> section:
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
@askme765cs
askme765cs / PublishDemoClient.xml
Created February 24, 2021 02:49 — forked from rfolkes/PublishDemoClient.xml
MSBuild script to build & publish a ClickOnce application with TeamCity without any other dependencies than installing certificates on the build agents.
<Project DefaultTargets="DoPublish" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(teamcity_build_workingDir)\Trunk\BuildScripts\DemoClient\MSBuild.Community.Tasks.Targets"/>
<PropertyGroup>
<VersionFile>$(teamcity_build_workingDir)\Trunk\DemoClient\Properties\SharedAssemblyInfo.cs</VersionFile>
<ClickOnceBuildDirectory>$(teamcity_build_workingDir)\Trunk\DemoClient\bin\$(Configuration)\app.publish</ClickOnceBuildDirectory>
<ClickOnceInstallDirectory>$(teamcity_build_workingDir)\Publish\DemoClient</ClickOnceInstallDirectory>
<ClickOnceHtmFileLocation>$(teamcity_build_workingDir)\Trunk\BuildScripts\DemoClient\publish.htm</ClickOnceHtmFileLocation>
<ClickOnceBuildEngineSourceDirectory>$(teamcity_build_workingDir)\Trunk\BuildScripts\DemoClient\Engine</ClickOnceBuildEngineSourceDirectory>
@askme765cs
askme765cs / EnumCLR.c
Created January 7, 2021 02:23 — forked from G0ldenGunSec/EnumCLR.c
Cobalt Strike BOF to identify processes with the CLR loaded with a goal of identifying SpawnTo / injection candidates.
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);
@askme765cs
askme765cs / avr.cfg
Created October 26, 2020 04:12 — forked from grothe6/avr.cfg
IDA config file for ATmega32U4
.ATmega32U4
SUBARCH=5
RAM=2560
ROM=32768
EEPROM=1024
; MEMORY MAP
area DATA GPWR_ 0x0000:0x0020 General Purpose Working Registers
area DATA FSR_ 0x0020:0x0060 I/O registers
@askme765cs
askme765cs / ghidra_processor_docs_downloader.py
Created May 23, 2020 02:16 — forked from ckuethe/ghidra_processor_docs_downloader.py
Ghidra Processor Documentation Downloader
#!/usr/bin/env python
# vim: tabstop=4:softtabstop=4:shiftwidth=4:expandtab:
import os
import requests
import sys
docs = {
'68000': {
'M68000PRM.pdf': 'https://www.nxp.com/files-static/archives/doc/ref_manual/M68000PRM.pdf',
@askme765cs
askme765cs / acltest.ps1
Created April 3, 2020 05:43 — forked from wdormann/acltest.ps1
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
Break
}
$outfile = "acltestfile"
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
Foreach ($path in $paths) {
# This prints a table of ACLs
# get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights
@askme765cs
askme765cs / sysmon-join.commands
Created March 31, 2020 01:44 — forked from Cyb3rWard0g/sysmon-join.commands
CREATE STREAM WINLOGBEAT_STREAM (source_name VARCHAR, type VARCHAR, task VARCHAR, log_name VARCHAR, computer_name VARCHAR, event_data STRUCT< UtcTime VARCHAR, ProcessGuid VARCHAR, ProcessId INTEGER, Image VARCHAR, FileVersion VARCHAR, Description VARCHAR, Product VARCHAR, Company VARCHAR, CommandLine VARCHAR, CurrentDirectory VARCHAR, User VARCHAR, LogonGuid VARCHAR, LogonId VARCHAR, TerminalSessionId INTEGER, IntegrityLevel VARCHAR, Hashes VARCHAR, ParentProcessGuid VARCHAR, ParentProcessId INTEGER, ParentImage VARCHAR, ParentCommandLine VARCHAR, Protocol VARCHAR, Initiated VARCHAR, SourceIsIpv6 VARCHAR, SourceIp VARCHAR, SourceHostname VARCHAR, SourcePort INTEGER, SourcePortName VARCHAR, DestinationIsIpv6 VARCHAR, DestinationIp VARCHAR, DestinationHostname VARCHAR, DestinationPort INTEGER, DestinationPortName VARCHAR>, event_id INTEGER) WITH (KAFKA_TOPIC='winlogbeat', VALUE_FORMAT='JSON');
CREATE STREAM WINLOGBEAT_STREAM_REKEY WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_date_creation') AS SEL