PEDiffGen

A simple PE subtraction utility.

PEDiffGen.exe <pe1> <pe2> <output>

The above command generates the result of pe1 - pe2 in memory (as in, matching up with virtual addresses). This can be applied onto an in-memory image easily:

  for (size_t i = 0; i < diff_size; i += 0x1000)
  {
    const auto curr = diff + i;
    const auto chunk_size = std::min((size_t)(diff_size - i), (size_t)0x1000);
    if (std::all_of(curr, curr + chunk_size, [](uint8_t c) { return !!c; }))
      continue;
    uint8_t page[0x1000];
    std::transform(curr, curr + chunk_size, dll_base + i, page, [](uint8_t a, uint8_t b) { return a + b; });
    unprotect_memcpy(dll_base + i, page, chunk_size);
  }

It is recommended that you compress the subtraction result as most of it is zeros. After compression, this should produce one of the smallest possible footprints compared to other diffing methods.

License

PEDiffGen - A PE file subtraction tool
Copyright (C) 2021  namazso <[email protected]>

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <https://www.gnu.org/licenses/>.

YARP - Yet Another Robot Platform

YARP __ __ ___ ____ ____ \ \/ // || _ \ | _ \ \ // /| || |/ / | |/ / / // ___ || _ \ | _/ /_//_/ |_||_| \_\|_| ===================

445 Dec 18, 2022

Just another short video app (not tiktok) but 3 in 1.

Short videos app - India Another short videos app for Hindi audience. Made with 3 different apis: Moj app Josh app Chingari app Authetication No authe

2 Jan 6, 2022

Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin.

RemotePotato0 Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin. RemotePotato0 is an exploit that allows you to escalate

1.1k Dec 28, 2022

YACHT: Yet Another C++ Helper Template

YACHT: Yet Another C++ Helper Template A template for C++ projects. Welcome to your YACHT! Because why build a boat from scratch, when you can enjoy a

11 Apr 2, 2022

Han: ANother SOLOminer

HAN Han: ANother SOLOminer WARNING: you may have to wait longer than the current age of the universe to find a valid block. Introduction HAN is a solo

9 Nov 6, 2022

Yet another matrix client. Click packaging for locally running on Ubuntu Touch

Cinny Click Packaging Cinny is a Matrix client focusing primarily on simple, elegant and secure interface. License Cinny source package licensed under

6 Nov 15, 2022

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

Process Ghosting This is my implementation of the technique presented by Gabriel Landau: https://www.elastic.co/blog/process-ghosting-a-new-executable

514 Jan 3, 2023

"Sigma File Manager" is a free, open-source, quickly evolving, modern file manager (explorer / finder) app for Windows, MacOS, and Linux.

1.1k Dec 31, 2022

Cobalt Strike Beacon Object File (BOF) that takes the name of of a PE file as an argument and spawns the process in a suspended state

Beacon Object File (BOF) that spawns an arbitrary process from beacons memory. Supports Parent Process ID (PPID) spoofing & blocking non-MS signed DLLs from loading into the processes memory (some EDR DLLs).