Ricardo Ruiz ricardojoserf
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if not(libisloaded('kernel32')) | |
| loadlibrary('kernel32.dll', @kernel32proto); % Cambiamos a kernel32.dll | |
| end | |
| frequency = uint32(750); | |
| duration = uint32(1000); | |
| result = calllib('kernel32', 'Beep', frequency, duration); | |
| disp(['Beep result: ', num2str(result)]); | |
| unloadlibrary('kernel32'); |
ricardojoserf
/ MessageBoxA.m
Last active
January 30, 2025 15:45
user32!MessageBoxA function in Matlab
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if not(libisloaded('user32')) | |
| loadlibrary('user32.dll', @user32proto); | |
| end | |
| hWnd = uint32(0); | |
| lpText = 'Hello from MATLAB'; | |
| lpCaption = 'MATLAB MessageBox'; | |
| uType = uint32(0); | |
| result = calllib('user32', 'MessageBoxA', hWnd, lpText, lpCaption, uType); | |
| disp(['MessageBox returned: ', num2str(result)]); |
ricardojoserf
/ ZwOpenFile_and_NtReadFile_in_C.cpp
Created
January 15, 2025 08:25
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <winternl.h> | |
| #include <stdio.h> | |
| // Declaración de ZwOpenFile | |
| typedef NTSTATUS(NTAPI* ZwOpenFile_t)( | |
| PHANDLE FileHandle, | |
| ACCESS_MASK DesiredAccess, | |
| POBJECT_ATTRIBUTES ObjectAttributes, | |
| PIO_STATUS_BLOCK IoStatusBlock, |
ricardojoserf
/ NtOpenFile_in_DotNet.cs
Last active
January 15, 2025 08:26
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Runtime.InteropServices; | |
| class NtOpenFileExample | |
| { | |
| // Import NtOpenFile from ntdll.dll | |
| [DllImport("ntdll.dll")] | |
| private static extern int NtOpenFile( | |
| out IntPtr FileHandle, | |
| uint DesiredAccess, |
ricardojoserf
/ persistence_startupfolder_ads.ps1
Created
February 1, 2024 20:03
Create a shortcut in Startup Folder with a custom icon. It calls a .VBS which calls a .EXE, both stored using Alternate Data Streams in a .TMP file
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Dir = "$($env:USERPROFILE)\Appdata\Local\temp" | |
| $File = "$($env:COMPUTERNAME).tmp" | |
| $ExeFile = "calc.exe" | |
| $Url = "http://127.0.0.1:80" | |
| $IcoFile = "microsoft-outlook.ico" | |
| $SharpADS = "SharpADS.exe" | |
| $ADSexe = "ADS.exe" | |
| $ADSico = "ADS.ico" | |
| $ADSvbs = "ADS.vbs" | |
| $LnkFile = "OutlookUpdate.lnk" |
ricardojoserf
/ disable_startuppersistence.ps1
Created
January 23, 2024 15:13
Script to delete files generated to set persistence using Startup folder using the script: https://gist.github.com/ricardojoserf/d021310080ea34c8c6187d82065dde85
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Dir="C:\ProgramData\Outlook" | |
| $ExeFile = "notmalicious.exe" | |
| $VbsFile = "CheckUpdate.vbs" | |
| $LnkFile = "Outlook.lnk" | |
| $IcoFile = "microsoft-outlook.ico" | |
| ## Unhidden and delete files from Dir | |
| cmd /c "dir /a $Dir" | |
| attrib -h $Dir\$ExeFile | |
| attrib -h $Dir\$VbsFile |
ricardojoserf
/ set_startuppersistence.ps1
Created
January 23, 2024 15:11
Script to create a .lnk file in Startup Folder with custom icon. It calls a .vbs file with a powershell encoded command which calls a .exe file
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Url = "http://127.0.0.1:8080" | |
| $Dir="C:\ProgramData\Outlook" | |
| $ExeFile = "notmalicious.exe" | |
| $VbsFile = "CheckUpdate.vbs" | |
| $LnkFile = "Outlook.lnk" | |
| $IcoFile = "microsoft-outlook.ico" | |
| ## Create directory | |
| echo "Creating directory $Dir" | |
| mkdir $Dir |
ricardojoserf
/ AESEncrypt.go
Created
December 11, 2023 18:54
AES Encryption in Golang (small fix from original code)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Source: https://gist.githubusercontent.com/aziza-kasenova/3aea2160cbaebc5a4ba1b9219cba612e/raw/32b3801369ce669b2b1bf89ca84d24f23b487579/AES256.go | |
| package main | |
| import ( | |
| "bytes" | |
| "crypto/aes" | |
| "crypto/cipher" | |
| "encoding/base64" | |
| "fmt" |
ricardojoserf
/ smbmap_wrapper.py
Created
December 1, 2023 12:39
Wrapper for smbmap (Python 2) - Get shares in \\IP\share format
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import subprocess | |
| ip_list_file = "" | |
| user = "" | |
| domain = "" | |
| password = "" | |
| ip_list = open(ip_list_file).read().splitlines() | |
| for ip_address in ip_list: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Script to download videos hosted in Wistia by right-clicking the video and pasting the “Copy link and thumbnail” info as the 1st parameter of this script | |
| # The 2nd parameter is optional, the video name. Working at March of 2022, it downloads the video with higher quality | |
| # Syntax: | |
| # python3 wistia_downloader.py 'copied info with right click' 'file name' | |
| # Example with the video from https://wistia.com/: | |
| # python3 wistia_downloader.py '<p><a href="https://wistia.com?wvideo=vhkqhqhzyq"><img src="https://embedwistia-a.akamaihd.net/deliveries/48f1d62d1ceddb4284ad9cf67c916235.jpg?image_play_button_size=2x&image_crop_resized=960x540&image_play_button=1&image_play_button_color=fa4fa0e0" width="400" height="225" style="width: 400px; height: 225px;"></a></p><p><a href="https://wistia.com?wvideo=vhkqhqhzyq">The video hosting platform made for B2B marketers | Wistia</a></p>' "test.mp4" | |
| import requests | |
| import json | |
| import bs4 |
NewerOlder