Showing results for tags 'v4.1'.

Found 9 results

  1. efiXplorer – IDA plugin for UEFI firmware analysis and reverse engineering automation

     Supported versions of Hex-Rays products: every time we focus on the last versions of IDA and Decompiler because we try to use the most recent features from new SDK releases. That means we tested only on recent versions of Hex-Rays products and do not guarantee stable work on previous generations.

     Why not IDApython: all code is developed in C++ because it’s a more stable and performant way to support a complex plugin and get the full power of the most recent SDK’s features.

     Supported Platforms: Win, Linux, and OSX (x86/x64).

     Changelog v4.1
       • [new feature] Improved SMI handlers recognition to support: SxSmiHandler, IoTrapSmiHandler, UsbSmiHandler, etc.
       • [new feature] Improved child SW SMI handlers recognition; they are now annotated as ChildSwSmiHandler.
       • [new feature] Added visual representation for NVRAM variables and additional context in JSON report: address, service name, var name and var GUID.
       • [bug fix] Numerous improvements and bug fixes in code analyzer and firmware image loader
       • Moving to support of IDA SDK v7.7
  2. ScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hook out of the system DLLs running in the process’s memory. This works because we know the EDR’s hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute.

     When executed, ScareCrow will copy the bytes of the system DLLs stored on disk in C:\Windows\System32\. These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. Since EDR’s only hook these processes in memory, they remain unaltered. ScareCrow does not copy the entire DLL file, instead only focuses on the .text section of the DLLs. This section of a DLL contains the executable assembly, and by doing this ScareCrow helps reduce the likelihood of detection as re-reading entire files can cause an EDR to detect that there is a modification to a system resource. The data is then copied into the right region of memory by using each function’s offset. Each function has an offset which denotes the exact number of bytes from the base address where they reside, providing the function’s location on the stack. In order to do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. Even though this is a system DLL, since it has been loaded into our process (that we control), we can change the memory permissions without requiring elevated privileges.

     Once these hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. ScareCrow does this even after the EDR hooks are removed to help avoid being detected by non-userland hooked-based telemetry gathering tools such as Event Tracing for Windows (ETW) or other event logging mechanisms. These custom system calls are also used to perform the VirtualProtect call to remove the hooks placed by EDRs, described above, to avoid being detected by any EDR’s anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and then assembly for these custom syscall functions.

     ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by default using AES encryption with a decryption and initialisation vector key. Once decrypted and loaded, the shellcode is then executed. Depending on the loader options specified ScareCrow will set up different export functions for the DLL. The loaded DLL also does not contain the standard DLLmain function which all DLLs typically need to operate. The DLL will still execute without an issue because the process we load into will look for those export functions and not worry about DLLMain being there.

     During the creation process of the loader, ScareCrow utilizes a library for blending into the background after a beacon calls home. This library does two things:
       • Code signs the Loader: Files that are signed with code signing certificates are often put under less scrutiny, making it easier to be executed without being challenged, as files signed by a trusted name are often less suspicious than others. Most antimalware products don’t have the time to validate and verify these certificates (now some do but typically the common vendor names are included in a whitelist). ScareCrow creates these certificates by using a go package version of the tool limelighter to create a pfx12 file. This package takes an inputted domain name, specified by the user, to create a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, using the valid command-line option.
       • Spoof the attributes of the loader: This is done by using syso files which are a form of embedded resource files that when compiled along with our loader, will modify the attribute portions of our compiled code. Prior to generating a syso file, ScareCrow will generate a random file name (based on the loader type) to use. Once chosen this file name will map to the associated attributes for that file name, ensuring that the right values are assigned.

     Changelog v4.1
     New Features
       • Added -outpath to put the final Payload/Loader in a specific path once it’s compiled
     Bug Fixes
       • Fixed bug with the binary loaders that caused an occasional crash
       • Fixed duplicate import when -console is called with other options
       • Fixed issue with msiexec loaders with Jscript file extensions
       • Fixed typos in README
  3. Abelssoft Doku Downloader Plus – with this program you can easily access thousands of exciting documentaries from popular media centers such as ARD, ZDF and more. Even YouTube is on board!

     Features
       • Every day hundreds of new documentaries: Who wants to always look the same? The documentary Downloader provides you every day hundreds of new documentaries from over 10 different categories.
       • See documentaries or download: No matter where you look at you the next document – the documentary Downloader does it all. Take a look at a document directly in the program or to invite them to you as the video down.
  4. [+] Added WinServer ASPX API
     [+] Bypass Mod_Security
     [+] Included Encoded & Decoded version
     [+] Bug fixes and other minor improvements
  5. Chromepass – Hacking Chrome Saved Passwords

     Chromepass is a python-based console application that generates a windows executable with the following features:
       • Decrypt Chrome saved passwords
       • Send a file with the login/password combinations remotely (email or reverse-http)
       • Custom icon
       • Completely undetectable by AntiVirus Engines

     AV Detection!
     The new client build methodology, practically ensures a 0% detection rate, even without AV-evasion tactics. If this becomes false in the future, some methods will be implemented to improve AV evasion. An example of the latest scans (note: within 10-12 hours we go from 0-2 detections to 32 detections so run the analysis on your own builds): [Hidden Content]

     Changelog v4.1
       • Fixed dependency issues
       • Recreated the server (in rust)
  6. Multi language options, multi currency option, 4 different payment gateways, social media login & sharing, the most advanced product posting & presentation.
  7. phpSocial is a Social Network Platform similar to Facebook, allowing users to interact with each other by live chatting, sending messages, comments, like, share photos, life events and so much more. Demo: [Hidden Content]
  8. XeroChat, a multichannel marketing application, is an ultimate white-label SaaS software with an all-in-one solution for your business to grow. It offers all-powerful tools like Facebook Marketing (Messenger BOT, Comment BOT, Auto Comment Tools, etc.), E-commerce in Messenger, Social Media Posting (Facebook, YouTube, Twitter, LinkedIn, Pinterest, Reddit, Blogger, WordPress, etc.), SMS Marketing (Twilio, Plivo, Clickatell, Nexmo, AfricasTalking, Msg91, SemySMS, RouteSMS, Custom HTTP GET API integration), Email Marketing (SMTP, Mailgun, Sendgrid, Mandrill, etc.), Search Marketing, Comparison Marketing, Analytical Marketing & many other features. Therefore, XeroChat is the best choice for your daily marketing solutions. Demo: [Hidden Content]
  9. Project SECURITY is a powerful website security app that will protect your website from hackers, attacks and other threats. It will protect your website from SQLi Attacks (SQL Injections), XSS Vulnerabilities, Proxy Visitors, VPN Visitors, TOR Visitors, Spam and many other types of threats. Demo: [Hidden Content]