Skip to content

Instantly share code, notes, and snippets.

View rbmm's full-sized avatar

rbmm rbmm

250 followers · 0 following
View GitHub Profile
@rbmm
rbmm / gist:d1020b728793824d57a5a3102c3fa459
Created May 21, 2025 13:19
void GetCentennialNotepadAppExecutionAliasPath(PWSTR path, int cch)
{
PWSTR pszPath = 0;
SHGetKnownFolderPath(FOLDERID_LocalAppData, 0, 0, &pszPath);
StringCchCatW(path, cch, pszPath);
StringCchCatW(path, cch, L"\\Microsoft\\WindowsApps\\Microsoft.WindowsNotepad_8wekyb3d8bbwe\\notepad.exe");
if (pszPath) CoTaskMemFree(pszPath);
}
@rbmm
rbmm / gist:aef5c8344a8b2686cd7398ade0db0fdd
Created April 27, 2025 01:35
#include "stdafx.h"
NTSTATUS CreatePipePair(_Out_ PHANDLE phServerPipe,
_Out_ PHANDLE phClientPipe,
_In_ ULONG ClientOptions = FILE_SYNCHRONOUS_IO_NONALERT,
_In_ ULONG ServerOptions = 0)
{
HANDLE hFile;
IO_STATUS_BLOCK iosb;
@rbmm
rbmm / gist:2b6a788b5d767520c09878e7028a2d8e
Created February 18, 2025 17:39
PsSetCreateProcessNotifyRoutineEx=0
PsSetLoadImageNotifyRoutine=0
00001 17:38:07 + 13ac(sc.exe) 00007FFEEDED0000{1a000} u \Device\HarddiskVolume9\Windows\System32\kernel.appcore.dll
(::)C:\WINDOWS\SYSTEM32\kernel.appcore.dll
00002 17:38:07 + 13ac(sc.exe) 00007FFEEFB20000{a9000} u \Device\HarddiskVolume9\Windows\System32\msvcrt.dll
(::)C:\WINDOWS\System32\msvcrt.dll
1 13ac exit [1]13ac(sc.exe) ================
00003 17:38:07 b58(cmd.exe) 00007FFEEDED0000{1a000} u \Device\HarddiskVolume9\Windows\System32\kernel.appcore.dll
(::)C:\WINDOWS\SYSTEM32\kernel.appcore.dll
@rbmm
rbmm / gist:aeb4d3ed288995fcdee6d72763057c56
Created February 18, 2025 16:47
EXTERN_C_START
NTSYSAPI
NTSTATUS
NTAPI
RtlPrepareForProcessCloning();
NTSYSAPI
NTSTATUS
NTAPI
@rbmm
rbmm / gist:3d09b53bc3d85523c1a91a326969d06b
Created February 10, 2025 14:09
#include <ntnls.h>
NTSTATUS MakeProcessUTF8(PVOID hmod, PVOID BaseAddress, SIZE_T ViewSize)
{
UINT AnsiCodePage = GetACP();
PIMAGE_NT_HEADERS pinth;
NTSTATUS status = RtlImageNtHeaderEx(0, BaseAddress, ViewSize, &pinth);
if (0 > status)
{
@rbmm
rbmm / gist:b0bcd7eb381b84b7616100d79719595b
Created February 10, 2025 14:05
#define RTL_USER_PROC_UTF8_PROCESS 0x08000000
NTSTATUS SetPtocessUtf8(HANDLE hProcess)
{
PROCESS_BASIC_INFORMATION pbi;
_RTL_USER_PROCESS_PARAMETERS* ProcessParameters;
ULONG Flags;
NTSTATUS status;
0 <= (status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), 0)) &&
@rbmm
rbmm / gist:ffc9125a8f1d3e2536071fa8cd7486b4
Last active February 6, 2025 17:15
struct IDriverInstallStatusNotify
{
virtual HRESULT STDMETHODCALLTYPE Notify(ULONG s)
{
__debugbreak();
DbgPrint("Notify(%x)\n", s);
return S_OK;
}
};
@rbmm
rbmm / gist:4ce18b4fe82f9c5d8187f00658c9dc13
Created February 5, 2025 21:26
1>------ Build started: Project: prepare, Configuration: Release x64 ------
1>stdafx.cpp
1>Note: including file: C:\Users\Harry\Documents\GitHub\SC_DEMO\prepare\stdafx.h
1>Note: including file: C:\Users\Harry\Documents\GitHub\SC_DEMO\pnth\pch.h
1>Note: including file: C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km\crt\stdlib.h
1>Note: including file: C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\km\crt\crtdefs.h
1>Note: including file: C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\shared\specstrings.h
1>Note: including file: C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\shared\sal.h
1>Note: including file: C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\shared\concurrencysal.h
1>Note: including file: C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\shared\specstrings_strict.h
@rbmm
rbmm / gist:81698ebfc26bccb2ff76b026d8c19a95
Created February 1, 2025 17:41
enum class PREFERRED_APP_MODE {
Default,
AllowDark,
ForceDark,
ForceLight,
Max
};
EXTERN_C_START
@rbmm
rbmm / gist:4af7fd2e8c25f4033dcdc41e87c6ca2c
Created January 29, 2025 01:11
RtlGuardIsValidStackPointer
FFFFF802CD3BD900 test rdx,rdx
FFFFF802CD3BD903 je FFFFF802CD3BD95F v
FFFFF802CD3BD905 mov rax,qword ptr [rdx+1478h] // <-- LowLimit from GetCurrentThreadStackLimits
FFFFF802CD3BD90C mov qword ptr [rsp+20h],rax
FFFFF802CD3BD911 mov rax,qword ptr [rdx+8] // <-- NT_TIB::StackBase
FFFFF802CD3BD915 mov qword ptr [rsp+10h],rax
FFFFF802CD3BD91A mov rax,qword ptr [rdx+10h] // <-- NT_TIB::StackLimit
FFFFF802CD3BD91E mov qword ptr [rsp+18h],rax
FFFFF802CD3BD923 mov rdx,rax