Cr4sh
/ gist:0e04de6889ce9fc657f1ea0ccdb42119
Created
October 18, 2023 10:16
Windows Secure Kernel r/e hints and tips
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| To find SKPROCESS Policy offset: | |
| __int64 __fastcall SkpspFindPolicy(__int64 a1, __int64 a2, int a3, __int64 a4, __int64 a5) | |
| { | |
| v5 = a4; | |
| v6 = a3; | |
| v7 = a2; | |
| v8 = a1; | |
| v12 = 0i64; | |
| v9 = a1 + 0x1B8; // <-- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdlib.h> | |
| #include <stdbool.h> | |
| #include <irq.h> | |
| #include <libbase/uart.h> | |
| #include <libbase/console.h> | |
| #include <generated/csr.h> | |
| #include "adder.h" |
Cr4sh
/ smm_backdoor_hyper_v.py
Created
June 16, 2021 19:37
Example program that uses SMM backdoor to deploy Hyper-V backdoor (see https://github.com/Cr4sh/s6_pcie_microblaze/tree/master/python/payloads/DmaBackdoorHv)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, time, platform, ctypes | |
| from struct import pack, unpack | |
| from optparse import OptionParser, make_option | |
| import smm_backdoor as bd | |
| # how many seconds to wait for VM exit occur | |
| VM_EXIT_WAIT = 3 |
Cr4sh
/ smm_backdoor_privesc_win.py
Created
June 16, 2021 19:34
Example program that uses SMM backdoor for local privileges escalation under the Windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, platform, ctypes, ctypes.wintypes | |
| from struct import pack, unpack | |
| import smm_backdoor as bd | |
| # MSR register used by swapgs | |
| IA32_KERNEL_GS_BASE = 0xc0000102 |
Cr4sh
/ smm_backdoor_privesc_linux.py
Last active
June 18, 2021 19:43
Example program that uses SMM backdoor for local privileges escalation under the Linux
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, platform, ctypes | |
| from struct import pack, unpack | |
| import smm_backdoor as bd | |
| try: | |
| import capstone |
Cr4sh
/ kforge.cpp
Created
May 15, 2021 03:22
Performing arbitrary kernel function calls on HVCI enabled systems with thread context hijacking
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| // vulnerable driver device name | |
| #define EXPL_DEVICE_PATH "\\\\.\\Global\\RTCore64" | |
| // vulnerable driver service and file name | |
| #define EXPL_DRIVER_NAME "RTCore64.sys" | |
| #define EXPL_SERVICE_NAME "RTCore64" | |
| // vulnerable driver IOCTL codes |
Cr4sh
/ output.txt
Last active
April 18, 2021 15:46
List of UEFI protocols, interfaces and loaded DXE drivers obtained with DMA attack tools
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ./uefi.py | |
| [+] Scanning memory range 0x76000000:0xa0000000 | |
| [+] Waiting for PCI-E link... | |
| [+] PCI-E link with target is up | |
| [+] Looking for DXE driver PE image... | |
| [+] PE image is at 0x77866000 | |
| [+] PE image is at 0x77871000 | |
| [+] PROTOCOL_ENTRY address is 0x76bfaa98 | |
| [+] Registered UEFI protocols and interfaces: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys, os, mmap, subprocess | |
| from struct import pack, unpack | |
| from ctypes import * | |
| IA32_SYSENTER_ESP = 0x175 | |
| IA32_SYSENTER_EIP = 0x176 | |
| class PyObj(Structure): | |
| _fields_ = [( 'ob_refcnt', c_size_t ), |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "AT_CMD_GRAMMARS": { | |
| "+CGSN": { | |
| "struct": ["cmd"], | |
| "cmd": "+CGSN" | |
| }, | |
| "+CIND": { | |
| "struct": ["cmd"], |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| ''' | |
| ******************************************************************************** | |
| AT commands fuzzer based on ATFuzzer code base. | |
| * https://github.com/Imtiazkarimik23/ATFuzzer | |
| * https://relentless-warrior.github.io/wp-content/uploads/2019/11/atfuzz.pdf |
NewerOlder