On a recent CTF machine, I had to exploit the Windows 11 ThemeBleed vulnerability (https://github.com/gabe-k/themebleed) for which at that time only one PoC existed that only ran under Windows. This was a pain for me because I hadn’t installed the required VPN on Windows. And as I’m interested in learning new stuff, I decided to dive into this. It can’t be too hard, right? TL;DR https://github.com/Jnnshschl/CVE-2023-38146/ 1 2 3 4 5 6 7 8 9 10 11 git clone https://github....

I recently discovered some alternatives to GetModuleHandle and GetProcAddress that can be used when you need to avoid the original functions due to anticheat or antivirus software. Use this to store the FNV1A hahses stealthy: https://jnns.de/posts/cpp-compile-time-hashing-fnv1a/ 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 struct LIST_ENTRY { struct LIST_ENTRY* Flink; struct LIST_ENTRY* Blink; }; struct LDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; LIST_ENTRY InMemoryOrderLinks; LIST_ENTRY InInitializationOrderLinks; void* DllBase; void* EntryPoint; size_t SizeOfImage; unsigned short FullDllNameLength; unsigned short FullDllNameMaximumLength; wchar_t* FullDllNameBuffer; unsigned short BaseDllNameLength; unsigned short BaseDllNameMaximumLength; wchar_t* BaseDllNameBuffer; unsigned long Flags; unsigned short LoadCount; unsigned short TlsIndex; union { LIST_ENTRY HashLinks; struct { void* SectionPointer; unsigned long CheckSum; }; }; union { unsigned long TimeDateStamp; void* LoadedImports; }; void* EntryPointActivationContext; void* PatchInformation; LIST_ENTRY ForwarderLinks; LIST_ENTRY ServiceTagLinks; LIST_ENTRY StaticLinks; }; /// <summary> /// Returns a pointer to the current PEB....

I encountered a situation where I wanted to run the old World of Warcraft (version 3.3.5a) over Remote Desktop Protocol (RDP) on my laptop and was presented with this error message: https://github.com/Jnnshschl/WowRdpPatcher I thought it would be worth a try to disable the error message because newer versions of World of Warcraft can run over RDP without a problem, and typically, it’s not an issue for other games either. So, I fired up Ghidra and searched for the error message string and possible RDP checks....

This blog post is aimed at manipulating the PEB’s LoaderDataModule lists in Windows. These lists catalog all loaded libraries within a process, providing an avenue for detecting our loaded module. Notably, the current implementation is tailored for x86 architecture, with future plans for x64 compatibility. Microsoft Windows PEB Documentation Disclaimer This is strictly intended for educational purposes and does not endorse the development of malicious software. Windows Structs To streamline development, comprehensive Windows structs have been sourced from undocumented....

The issue was that I lost my PIN for the display and couldn’t find a way to bypass it. According to the KT-LCD3 documentation, there’s a method to copy all display values from another display without entering the PIN. You just need to send a specific UART packet to achieve this. All you need are a computer and a USB to UART dongle, like this one: https://github.com/Jnnshschl/KTLCD3Reset Download the latest exe (or compile it yourself) from the releases page and wire the UART dongle to the display’s UART interface like this:...