A small tool to view real-world ActivityPub objects as JSON! Enter a URL
or username from Mastodon or a similar service below, and we'll send a
request with the right Accept header to the server to view the underlying object.
{
"@context": [
"https://www.w3.org/ns/activitystreams",
{
"ostatus": "http://ostatus.org#",
"atomUri": "ostatus:atomUri",
"inReplyToAtomUri": "ostatus:inReplyToAtomUri",
"conversation": "ostatus:conversation",
"sensitive": "as:sensitive",
"toot": "http://joinmastodon.org/ns#",
"votersCount": "toot:votersCount",
"litepub": "http://litepub.social/ns#",
"directMessage": "litepub:directMessage",
"Hashtag": "as:Hashtag"
}
],
"id": "https://infosec.exchange/users/acrypthash/statuses/112155934848471132",
"type": "Note",
"summary": null,
"inReplyTo": null,
"published": "2024-03-25T10:49:11Z",
"url": "https://infosec.exchange/@acrypthash/112155934848471132",
"attributedTo": "https://infosec.exchange/users/acrypthash",
"to": [
"https://www.w3.org/ns/activitystreams#Public"
],
"cc": [
"https://infosec.exchange/users/acrypthash/followers"
],
"sensitive": false,
"atomUri": "https://infosec.exchange/users/acrypthash/statuses/112155934848471132",
"inReplyToAtomUri": null,
"conversation": "tag:infosec.exchange,2024-03-25:objectId=144943306:objectType=Conversation",
"content": "<p>// start a second copy of or process in a suspended state so we can set up our callback safely<br />\tif (!CreateProcessA(NULL, file_path, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {<br />\t\tprintf(\"C() failed, error: %d\\n\", GetLastError());<br />\t}</p><p>\t// overwrite the g_ptr_table in the child process with the already initialized one<br />\tif (!WriteProcessMemory(pi.hProcess, &g_ptr_table, &g_ptr_table, sizeof(PTR_TABLE), NULL)) {<br />\t\tprintf(\"Write 1 failed, error: %d\\n\", GetLastError());<br />\t}</p><p>\t// ntdll pointer are encoded using the system pointer cookie located at SharedUserData!Cookie<br />\tLPVOID callback_ptr = encode_system_ptr(&LdrGetProcedureAddressCallback);</p><p>\t// set ntdll!AvrfpAPILookupCallbackRoutine to our encoded callback address<br />\tif (!WriteProcessMemory(pi.hProcess, (LPVOID)(avrfp_address + 8), &callback_ptr, sizeof(ULONG_PTR), NULL)) {<br />\t\tprintf(\"Write 2 failed, error: %d\\n\", GetLastError());<br />\t}</p><p>\t// set ntdll!AvrfpAPILookupCallbacksEnabled to TRUE<br />\tuint8_t bool_true = 1;</p><p>\tif (!WriteProcessMemory(pi.hProcess, (LPVOID)avrfp_address, &bool_true, 1, NULL)) {<br />\t\tprintf(\"Write 3 failed, error: %d\\n\", GetLastError());<br />\t}</p><p>\t// resume the process<br />\tResumeThread(pi.hThread);</p><p>DLL proxying and side loading is a fun time :D </p><p><a href=\"https://infosec.exchange/tags/security\" class=\"mention hashtag\" rel=\"tag\">#<span>security</span></a> <a href=\"https://infosec.exchange/tags/cpp\" class=\"mention hashtag\" rel=\"tag\">#<span>cpp</span></a> <a href=\"https://infosec.exchange/tags/codeisn\" class=\"mention hashtag\" rel=\"tag\">#<span>codeisn</span></a>'tmine <a href=\"https://infosec.exchange/tags/DLL\" class=\"mention hashtag\" rel=\"tag\">#<span>DLL</span></a> <a href=\"https://infosec.exchange/tags/peb\" class=\"mention hashtag\" rel=\"tag\">#<span>peb</span></a></p>",
"contentMap": {
"en": "<p>// start a second copy of or process in a suspended state so we can set up our callback safely<br />\tif (!CreateProcessA(NULL, file_path, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {<br />\t\tprintf(\"C() failed, error: %d\\n\", GetLastError());<br />\t}</p><p>\t// overwrite the g_ptr_table in the child process with the already initialized one<br />\tif (!WriteProcessMemory(pi.hProcess, &g_ptr_table, &g_ptr_table, sizeof(PTR_TABLE), NULL)) {<br />\t\tprintf(\"Write 1 failed, error: %d\\n\", GetLastError());<br />\t}</p><p>\t// ntdll pointer are encoded using the system pointer cookie located at SharedUserData!Cookie<br />\tLPVOID callback_ptr = encode_system_ptr(&LdrGetProcedureAddressCallback);</p><p>\t// set ntdll!AvrfpAPILookupCallbackRoutine to our encoded callback address<br />\tif (!WriteProcessMemory(pi.hProcess, (LPVOID)(avrfp_address + 8), &callback_ptr, sizeof(ULONG_PTR), NULL)) {<br />\t\tprintf(\"Write 2 failed, error: %d\\n\", GetLastError());<br />\t}</p><p>\t// set ntdll!AvrfpAPILookupCallbacksEnabled to TRUE<br />\tuint8_t bool_true = 1;</p><p>\tif (!WriteProcessMemory(pi.hProcess, (LPVOID)avrfp_address, &bool_true, 1, NULL)) {<br />\t\tprintf(\"Write 3 failed, error: %d\\n\", GetLastError());<br />\t}</p><p>\t// resume the process<br />\tResumeThread(pi.hThread);</p><p>DLL proxying and side loading is a fun time :D </p><p><a href=\"https://infosec.exchange/tags/security\" class=\"mention hashtag\" rel=\"tag\">#<span>security</span></a> <a href=\"https://infosec.exchange/tags/cpp\" class=\"mention hashtag\" rel=\"tag\">#<span>cpp</span></a> <a href=\"https://infosec.exchange/tags/codeisn\" class=\"mention hashtag\" rel=\"tag\">#<span>codeisn</span></a>'tmine <a href=\"https://infosec.exchange/tags/DLL\" class=\"mention hashtag\" rel=\"tag\">#<span>DLL</span></a> <a href=\"https://infosec.exchange/tags/peb\" class=\"mention hashtag\" rel=\"tag\">#<span>peb</span></a></p>"
},
"attachment": [],
"tag": [
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/security",
"name": "#security"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/cpp",
"name": "#cpp"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/codeisn",
"name": "#codeisn"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/dll",
"name": "#dll"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/peb",
"name": "#peb"
}
],
"replies": {
"id": "https://infosec.exchange/users/acrypthash/statuses/112155934848471132/replies",
"type": "Collection",
"first": {
"type": "CollectionPage",
"next": "https://infosec.exchange/users/acrypthash/statuses/112155934848471132/replies?only_other_accounts=true&page=true",
"partOf": "https://infosec.exchange/users/acrypthash/statuses/112155934848471132/replies",
"items": []
}
},
"likes": {
"id": "https://infosec.exchange/users/acrypthash/statuses/112155934848471132/likes",
"type": "Collection",
"totalItems": 0
},
"shares": {
"id": "https://infosec.exchange/users/acrypthash/statuses/112155934848471132/shares",
"type": "Collection",
"totalItems": 0
}
}