Dmytro Oleksiuk Cr4sh
@Cr4sh
Cr4sh / Intel_NUC_Skylake_SMM_vulns_report.md
Created March 1, 2026 20:07
Claude experiments: Skylake based Intel NUC SW SMI vulnerabilities discovery

Intel NUC Skylake — SMM / SMI Handler Security Audit

Executive Summary

This report documents a security audit of the SMM (System Management Mode) SMI handlers present in the UEFI firmware image from an Intel NUC (Skylake generation). The firmware is an AMI Aptio V BIOS with clearly named modules. Analysis was performed using IDA Pro with MCP integration (ida-pro-mcp + idasql).

Overall Risk Assessment: CRITICAL

The firmware contains 8 CRITICAL and 3 MEDIUM severity findings (11 total) across 20 SW SMI handler registrations in 11 modules. Three distinct attack surfaces enable arbitrary SMRAM writes:

@Cr4sh
Cr4sh / HP_Dragonfly_SMM_vulns_report.md
Last active March 1, 2026 17:35
Claude experiments: HP Elite Dragonfly SW SMI vulnerabilities discovery

HP Elite Dragonfly — SMM SMI Handler Security Audit

Executive Summary

This report documents a comprehensive audit of SMM (System Management Mode) SMI handlers in the HP Elite Dragonfly laptop EFI firmware image. Using IDA Pro with the efiXplorer plugin, the analysis identified ~341 unique module entry points across a 32MB flash image (72,501 functions). The firmware uses Intel Framework SMM Dispatch protocols (not PI SMM Dispatch2), plus PCH-specific dispatch protocols — an older but still common architecture.

Key Findings:

  • 15+ unique SMM modules identified, with 10 SW SMI numbers mapped
  • 1 MEDIUM design concern found in Module 0405 (BIOS flash management) related to shared buffer size validation
  • No CRITICAL pointer injection or arbitrary read/write vulnerabilities found — a significant improvement over the Intel S1200 baseline
@Cr4sh
Cr4sh / Intel_S1200_SMM_vulns_report.md
Created March 1, 2026 14:53
Claude experiments: Intel S1200 SW SMI vulnerabilities discovery

Intel S1200 Motherboard - SMM SMI Handler Security Audit

Target: Intel S1200 Motherboard EFI Flash Image
Tool: IDA Pro with efiXplorer plugin
Date: 2026-03-01
Analyst: Claude (automated reverse engineering via IDA Pro MCP + idasql)


Table of Contents

@Cr4sh
Cr4sh / aes.asm
Last active February 14, 2026 14:20
OpenREIL tests
0000000000003320 <_aes128_encrypt>:
3320: 55 pushq %rbp
3321: 48 89 e5 movq %rsp, %rbp
3324: 41 57 pushq %r15
3326: 41 56 pushq %r14
3328: 41 55 pushq %r13
332a: 41 54 pushq %r12
332c: 53 pushq %rbx
332d: 48 81 ec f8 00 00 00 subq $248, %rsp
3334: 48 89 f0 movq %rsi, %rax
@Cr4sh
Cr4sh / mini-openclaw.py
Created February 12, 2026 02:29 — forked from dabit3/mini-openclaw.py
Mini Openclaw in 400 lines
#!/usr/bin/env python3
# mini-openclaw.py - A minimal OpenClaw clone
# Run: uv run --with anthropic --with schedule python mini-openclaw.py
import anthropic
import subprocess
import json
import os
import re
import threading

Syscall Provider

Background

SyscallProvider is a feature available from Windows 11 22H2 that allows for inline hooking of syscalls.
This unfinished research was done on Windows 11 22H2. The feature is fully undocumented at the moment, and it looks like it's locked to Microsoft-signed drivers.
All of the information here was gathered by manual reverse engineering of securekernel.exe, skci.dll and ntoskrnl.exe.
The kernel exports three functions to work with the new feature: PsRegisterSyscallProvider, PsQuerySyscallProviderInformation, PsUnregisterSyscallProvider.
This writeup will explore how this feature is initialized, how it works internally, and how to interact with it and use it.

@Cr4sh
Cr4sh / dll.cpp
Created May 25, 2025 09:43
COM based UAC bypass by R.B.C (g3tsyst3m)
#include "pch.h"
#include <shlobj.h>
#include <atlbase.h>
#include <shellapi.h>
#pragma comment(lib, "shell32.lib")
const wchar_t* CLSID_CMSTPLUA = L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}";
const wchar_t* IID_ICMLuaUtil = L"{6EDD6D74-C007-4E75-B76A-E5740995E24C}";
@Cr4sh
Cr4sh / guide-change-imei-snapdragon.md
Created October 16, 2024 18:31 — forked from Proxy13/guide-change-imei-snapdragon.md
[GUIDE] How to change IMEI on Snapdragon devices

[GUIDE] How to change IMEI on Snapdragon devices

FOR EDUCATIONAL PURPOSES ONLY. CHANGING IMEI IS ILLEGAL IN MOST COUNTRIES; MAKE SURE YOU ARE CONFIDENT IN YOUR ACTIONS BEFORE DOING THIS.

I AM NOT RESPONSIBLE IF YOUR DEVICE IS BROKEN OR THE IMEI IS NOT CHANGED BECAUSE YOU DIDN'T FOLLOW THE STEPS CAREFULLY OR HAVE A DIFFERENT EFS PARTITION SCHEME.

This guide was tested on a Google Pixel 3; different devices may have a different EFS partition scheme, so please make sure you adjust this guide accordingly. Other Google Pixel devices may use this guide without adjustments.

Prerequisites:

@Cr4sh
Cr4sh / gist:0e04de6889ce9fc657f1ea0ccdb42119
Created October 18, 2023 10:16
Windows Secure Kernel r/e hints and tips
To find SKPROCESS Policy offset:
__int64 __fastcall SkpspFindPolicy(__int64 a1, __int64 a2, int a3, __int64 a4, __int64 a5)
{
v5 = a4;
v6 = a3;
v7 = a2;
v8 = a1;
v12 = 0i64;
v9 = a1 + 0x1B8; // <--
@Cr4sh
Cr4sh / adder.c
Last active October 4, 2023 20:52
LiteX demo module
#include <stdlib.h>
#include <stdbool.h>
#include <irq.h>
#include <libbase/uart.h>
#include <libbase/console.h>
#include <generated/csr.h>
#include "adder.h"