Version: 2.0-draft1 Date: 2026-02-10 Status: Draft Authors: OpenREIL Contributors
Cr4sh
/ mini-openclaw.py
Created
February 12, 2026 02:29
— forked from dabit3/mini-openclaw.py
Mini Openclaw in 400 lines
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # mini-openclaw.py - A minimal OpenClaw clone | |
| # Run: uv run --with anthropic --with schedule python mini-openclaw.py | |
| import anthropic | |
| import subprocess | |
| import json | |
| import os | |
| import re | |
| import threading |
Cr4sh
/ SyscallProvider.md
Created
May 27, 2025 07:35
— forked from Kristal-g/SyscallProvider.md
SyscallProvider is a feature available from Windows 11 22H2, that allows for inline hooking of syscalls.
This unfinished research was done on Windows 11 22H2. The feature is fully undocumented at the moment and it looks like it's locked to Microsoft-signed drivers.
All of the information here was gathered by manual reverse engineering of securekernel.exe, skci.dll and ntoskrnl.exe.
The kernel exports three functions to work with the new feature: PsRegisterSyscallProvider, PsQuerySyscallProviderInformation, PsUnregisterSyscallProvider.
This writeup will explore how this feature is initialized, how it works internally, and how to interact with it and use it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "pch.h" | |
| #include <shlobj.h> | |
| #include <atlbase.h> | |
| #include <shellapi.h> | |
| #pragma comment(lib, "shell32.lib") | |
| const wchar_t* CLSID_CMSTPLUA = L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"; | |
| const wchar_t* IID_ICMLuaUtil = L"{6EDD6D74-C007-4E75-B76A-E5740995E24C}"; |
Cr4sh
/ guide-change-imei-snapdragon.md
Created
October 16, 2024 18:31
— forked from Proxy13/guide-change-imei-snapdragon.md
[GUIDE] How to change IMEI on Snapdragon devices
FOR EDUCATIONAL PURPOSE ONLY, CHANGING IMEI IS ILLEGAL IN MOST COUNTRIES, MAKE SURE YOU CONVINCE YOUR ACTIONS BEFORE DOING THIS.
I DON'T RESPONSIBLE IF YOUR DEVICE IS BROKEN OR THE IMEI IS NOT CHANGED CAUSED BY YOU DIDN'T FOLLOW THE STEPS CAREFULLY OR HAVING A DIFFERENT EFS PARTITION SCHEME.
This guide was tested on Google Pixel 3, different device may also have a different EFS partition scheme, please make sure you adjust it with this guide. Other Google Pixel devices may use this guide without adjusting.
Cr4sh
/ gist:0e04de6889ce9fc657f1ea0ccdb42119
Created
October 18, 2023 10:16
Windows Secure Kernel r/e hints and tips
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| To find SKPROCESS Policy offset: | |
| __int64 __fastcall SkpspFindPolicy(__int64 a1, __int64 a2, int a3, __int64 a4, __int64 a5) | |
| { | |
| v5 = a4; | |
| v6 = a3; | |
| v7 = a2; | |
| v8 = a1; | |
| v12 = 0i64; | |
| v9 = a1 + 0x1B8; // <-- |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdlib.h> | |
| #include <stdbool.h> | |
| #include <irq.h> | |
| #include <libbase/uart.h> | |
| #include <libbase/console.h> | |
| #include <generated/csr.h> | |
| #include "adder.h" |
Cr4sh
/ smm_backdoor_hyper_v.py
Created
June 16, 2021 19:37
Example program that uses SMM backdoor to deploy Hyper-V backdoor (see https://github.com/Cr4sh/s6_pcie_microblaze/tree/master/python/payloads/DmaBackdoorHv)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, time, platform, ctypes | |
| from struct import pack, unpack | |
| from optparse import OptionParser, make_option | |
| import smm_backdoor as bd | |
| # how many seconds to wait for VM exit occur | |
| VM_EXIT_WAIT = 3 |
Cr4sh
/ smm_backdoor_privesc_win.py
Created
June 16, 2021 19:34
Example program that uses SMM backdoor for local privileges escalation under the Windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, platform, ctypes, ctypes.wintypes | |
| from struct import pack, unpack | |
| import smm_backdoor as bd | |
| # MSR register used by swapgs | |
| IA32_KERNEL_GS_BASE = 0xc0000102 |
Cr4sh
/ smm_backdoor_privesc_linux.py
Last active
May 22, 2024 02:17
Example program that uses SMM backdoor for local privileges escalation under the Linux
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, platform, ctypes | |
| from struct import pack, unpack | |
| import smm_backdoor as bd | |
| try: | |
| import capstone |
NewerOlder