
@RistBS
RistBS / ntIoFunctions.txt
Created October 31, 2023 19:59 — forked from joshfinley/ntIoFunctions.txt
Windows native I/O manager support functions
2: kd> x nt!Io*
fffff800`3e820158 nt!IopStoreArcInformation (void)
fffff800`3df1ee6c nt!IopCheckListForCancelableIrp (void)
fffff800`3e56ebc4 nt!IopInitializeCrashDump (void)
fffff800`3df74b50 nt!IoCsqRemoveIrp (void)
fffff800`3e560a70 nt!IopPortAddAllocation (void)
fffff800`3df164f0 nt!IoReleaseRemoveLockEx (void)
fffff800`3df95750 nt!IoAllocateDriverObjectExtension (void)
fffff800`3e446f34 nt!IopQueryNameInternal (void)
fffff800`3ded49b0 nt!IoReportTargetDeviceChangeAsynchronous (void)
/*!
*
* ROGUE
*
* GuidePoint Security LLC
*
* Threat and Attack Simulation Team
*
!*/
import asyncio
import qtinter
import ipaddress
from PyQt5.QtWidgets import *
from PyQt5.QtCore import *
from PyQt5.QtGui import *
class ExportPayloadDialog( QObject ):
"""
@RistBS
RistBS / shellcode_exec_workerfactory.c
Last active July 30, 2024 16:31
Just another shellcode execution technique :)
#include <Windows.h>
#include <stdio.h>
#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
typedef struct _UNICODE_STRING {
@RistBS
RistBS / wow64.cpp
Created April 19, 2023 22:54 — forked from odzhan/wow64.cpp
WOW64 Callbacks
//
// How to locate the WOW64 Callback Table in ntdll.dll
//
// @modexpblog
//
#define PHNT_VERSION PHNT_VISTA
#include <phnt_windows.h>
#include <phnt.h>
@RistBS
RistBS / Entry.c
Created March 29, 2023 16:46 — forked from realoriginal/Entry.c
TLDR: How a socks proxy client is written to tunnel connections from a 'teamserver' to an agent.
/*!
*
* RPROXICMP
*
* GuidePoint Security LLC
*
* Threat and Attack Simulation Team
*
!*/
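The gist above is described as a SOCKS proxy client that tunnels connections from a teamserver to an agent; the part of that job that is fixed by RFC 1928 is the SOCKS5 message exchange itself. What follows is an added example written for this page, not the RPROXICMP gist's code: it builds and parses the client greeting, the method selection, the CONNECT request (IPv4, IPv6 and domain-name targets) and the server reply, with bounds checks on every parse so a truncated or malformed message raises instead of indexing past the buffer. The sample addresses and ports are constructed for the test and are not taken from the gist.

```python
from __future__ import annotations
import ipaddress
import struct

# SOCKS5 constants from RFC 1928.
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
REP_SUCCEEDED = 0x00

REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def _pack_addr(host: str) -> bytes:
    """ATYP + address bytes for an IPv4/IPv6 literal or a domain name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if not raw or len(raw) > 255:
            raise ValueError("domain name must be 1..255 bytes")
        return bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def _unpack_addr(data: bytes, off: int) -> tuple[str, int, int]:
    """Decode ATYP + DST.ADDR + DST.PORT at data[off]; return (host, port, next_off).
    Every slice is length-checked: a short message raises ValueError, never IndexError."""
    try:
        atyp = data[off]
        if atyp == ATYP_IPV4:
            host, off = str(ipaddress.IPv4Address(data[off + 1:off + 5])), off + 5
        elif atyp == ATYP_IPV6:
            host, off = str(ipaddress.IPv6Address(data[off + 1:off + 17])), off + 17
        elif atyp == ATYP_DOMAIN:
            n = data[off + 1]
            raw = data[off + 2:off + 2 + n]
            if len(raw) != n:
                raise ValueError("truncated domain name")
            host, off = raw.decode("idna"), off + 2 + n
        else:
            raise ValueError(f"unsupported ATYP {atyp:#x}")
        (port,) = struct.unpack_from("!H", data, off)
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated SOCKS5 address") from exc
    return host, port, off + 2


# ---- client side (what sits in front of the tunnel) ----------------------
def build_greeting() -> bytes:
    """VER, NMETHODS, METHODS: offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def parse_method_selection(data: bytes) -> int:
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("bad method selection")
    if data[1] == NO_ACCEPTABLE:
        raise ValueError("server accepts none of the offered methods")
    return data[1]


def build_connect(host: str, port: int) -> bytes:
    """VER, CMD=CONNECT, RSV, ATYP, DST.ADDR, DST.PORT."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + _pack_addr(host) + struct.pack("!H", port)


def parse_reply(data: bytes) -> tuple[int, str, int]:
    """Return (REP, BND.ADDR, BND.PORT); REP 0 means the tunnel is up."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("bad reply header")
    host, port, _ = _unpack_addr(data, 3)
    return data[1], host, port


# ---- server side (the end that must perform or forward the connect) ------
def parse_request(data: bytes) -> tuple[int, str, int]:
    """Return (CMD, DST.ADDR, DST.PORT); rejects trailing bytes after the port."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("bad request header")
    host, port, end = _unpack_addr(data, 3)
    if end != len(data):
        raise ValueError("trailing bytes after request")
    return data[1], host, port


def build_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    return bytes([SOCKS_VERSION, rep, 0x00]) + _pack_addr(bind_host) + struct.pack("!H", bind_port)


def example_exchange(host: str, port: int) -> tuple[int, str, int]:
    """Walk one CONNECT through both sides in memory (no sockets) and return the parsed reply."""
    assert parse_method_selection(bytes([SOCKS_VERSION, NO_AUTH])) == NO_AUTH
    cmd, dst_host, dst_port = parse_request(build_connect(host, port))
    rep = REP_SUCCEEDED if cmd == CMD_CONNECT else 0x07
    return parse_reply(build_reply(rep))
```

The split into client-side and server-side functions mirrors the tunnel: the teamserver end parses the operator tool's CONNECT and relays the target to the agent, and the agent's result is reported back as the REP byte in `build_reply`. Feeding the parsers directly from the wire without the length checks in `_unpack_addr` is the usual source of crashes in hand-rolled SOCKS code.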