Daniel Gibson DanielGibson

## vbox_osx_howto.txt
* On a Mac/other OSX VM, get El Capitan in AppStore
* Similar for High Sierra, see https://gist.github.com/agentsim/00cc38c693e7d0e1b36a2080870d955b#gistcomment-2214881
  for the changed script.
  You might have to reboot your Mac after Downloading High Sierra in the AppStore,
  in case the first hdiutil attach ... step fails.
* (Create install ISO with following script:)

	#!/bin/bash

	# Mount the Installer image

## guess_libstdcpp_ver.c
/*
 * Try to find out the libstdc++.so.6 version on the (x86 or x86_64) Linux
 * system this is executed on.
 * (you could then use that information to decide whether to use LD_PRELOAD
 *  or LD_LIBRARY_PATH to make a C++ program launched from here use a newer
 *  version of libstdc++.so.6 that you provide)
 *
 * (C) 2017 Daniel Gibson
 *
 * LICENSE

## energy.sh
#!/bin/bash

export LC_ALL=C
VAL=`cat /sys/class/powercap/intel-rapl:0/energy_uj`

while true ; do
	# yes, this is probably not super-precise due to just using sleep and not measuring the time..
	sleep 1
	NEWVAL=`cat /sys/class/powercap/intel-rapl:0/energy_uj`
	DIFF=$(($NEWVAL-$VAL))

## pulsar_kb_ledcontrol.c
/* Based on https://github.com/torvalds/linux/blob/master/samples/hidraw/hid-example.c
 *
 * This is for "0416:b23c Winbond Electronics Corp. PCMK TKL"
 * USB VID 0x0416, PID 0xb23c, using a Winbond/Nuvoton Chip (NUC121SC2AE),
 * sometimes also identified as Winbond "Gaming Keyboard",
 * My actual device is a Pulsar PCMK TKL Barebone in ISO layout, but reportedly
 * there are other devices with the same USB ID, like "KT108" or some from "WIANXP"
 * that *might* use the same protocol, see also https://usb-ids.gowdy.us/read/UD/0416/b23c
 *
 * -------------------------

## colormap.h
// the Quake2 standard colormap/palette
static unsigned char colormap[256][3] = {
  {0, 0, 0}, {15, 15, 15}, {31, 31, 31}, {47, 47, 47}, {63, 63, 63}, {75, 75, 75},
  {91, 91, 91}, {107, 107, 107}, {123, 123, 123}, {139, 139, 139}, {155, 155, 155}, {171, 171, 171},
  {187, 187, 187}, {203, 203, 203}, {219, 219, 219}, {235, 235, 235}, {99, 75, 35}, {91, 67, 31},
  {83, 63, 31}, {79, 59, 27}, {71, 55, 27}, {63, 47, 23}, {59, 43, 23}, {51, 39, 19},
  {47, 35, 19}, {43, 31, 19}, {39, 27, 15}, {35, 23, 15}, {27, 19, 11}, {23, 15, 11},
  {19, 15, 7}, {15, 11, 7}, {95, 95, 111}, {91, 91, 103}, {91, 83, 95}, {87, 79, 91},
  {83, 75, 83}, {79, 71, 75}, {71, 63, 67}, {63, 59, 59}, {59, 55, 55}, {51, 47, 47},
  {47, 43, 43}, {39, 39, 39}, {35, 35, 35}, {27, 27, 27}, {23, 23, 23}, {19, 19, 19},

## XPlatformSockets.h
// Crossplatform-Sockets-API ("XSA"), abstracting the differences between
// UNIX Sockets (from Linux, *BSD, OSX, ...) and Winsock (WSA)

/*
 * (C) 2017-2021 Daniel Gibson
 *
 * License:
 *  This software is dual-licensed to the public domain and under the following
 *  license: you are granted a perpetual, irrevocable license to copy, modify,
 *  publish, and distribute this file as you see fit.

## OMG.md

      
              2 files
            
          
              1 fork
            
          
              1 comment
            
          
              3 stars
            
          
                DanielGibson
                / OMG.md
            
            
              Last active
              January 31, 2024 17:52
            
              
                ULTRA-SOPHISTICATED 0DAY APT SUPERMALWARE PROXY EXE
              
          
    Inspired by our understanding of what CVE-2024-23940 does
(see https://medium.com/@s1kr10s/av-when-a-friend-becomes-an-enemy-55f41aba42b1)
HORST, the 1337est of hackers, infamous for having hacked THE DIALER back in 1998,
has developed the next generation of that attack, and kindly gave me permission to demonstrate it here!
It turns out that you can't just write Proxy-DLLs that pass on function calls to original DLLs and also do evil things,
but you can also create a Proxy Executable that calls the original exe and also does evil things!
Usage


## sdl2test.c
/*
 * SDL2 mousebutton test
 *
 * build with:
 * $ gcc $(sdl2-config --cflags) -o sdl2test sdl2test.c $(sdl2-config --libs)
 */
#include <stdio.h>
#include <SDL.h>
#include <errno.h>
	* On a Mac/other OSX VM, get El Capitan in AppStore
	* Similar for High Sierra, see https://gist.github.com/agentsim/00cc38c693e7d0e1b36a2080870d955b#gistcomment-2214881
	for the changed script.
	You might have to reboot your Mac after Downloading High Sierra in the AppStore,
	in case the first hdiutil attach ... step fails.
	* (Create install ISO with following script:)

	#!/bin/bash

	# Mount the Installer image
	/*
	* Try to find out the libstdc++.so.6 version on the (x86 or x86_64) Linux
	* system this is executed on.
	* (you could then use that information to decide whether to use LD_PRELOAD
	* or LD_LIBRARY_PATH to make a C++ program launched from here use a newer
	* version of libstdc++.so.6 that you provide)
	*
	* (C) 2017 Daniel Gibson
	*
	* LICENSE
	#!/bin/bash

	export LC_ALL=C
	VAL=`cat /sys/class/powercap/intel-rapl:0/energy_uj`

	while true ; do
	# yes, this is probably not super-precise due to just using sleep and not measuring the time..
	sleep 1
	NEWVAL=`cat /sys/class/powercap/intel-rapl:0/energy_uj`
	DIFF=$(($NEWVAL-$VAL))
	/* Based on https://github.com/torvalds/linux/blob/master/samples/hidraw/hid-example.c
	*
	* This is for "0416:b23c Winbond Electronics Corp. PCMK TKL"
	* USB VID 0x0416, PID 0xb23c, using a Winbond/Nuvoton Chip (NUC121SC2AE),
	* sometimes also identified as Winbond "Gaming Keyboard",
	* My actual device is a Pulsar PCMK TKL Barebone in ISO layout, but reportedly
	* there are other devices with the same USB ID, like "KT108" or some from "WIANXP"
	* that might use the same protocol, see also https://usb-ids.gowdy.us/read/UD/0416/b23c
	*
	* -------------------------
	// the Quake2 standard colormap/palette
	static unsigned char colormap[256][3] = {
	{0, 0, 0}, {15, 15, 15}, {31, 31, 31}, {47, 47, 47}, {63, 63, 63}, {75, 75, 75},
	{91, 91, 91}, {107, 107, 107}, {123, 123, 123}, {139, 139, 139}, {155, 155, 155}, {171, 171, 171},
	{187, 187, 187}, {203, 203, 203}, {219, 219, 219}, {235, 235, 235}, {99, 75, 35}, {91, 67, 31},
	{83, 63, 31}, {79, 59, 27}, {71, 55, 27}, {63, 47, 23}, {59, 43, 23}, {51, 39, 19},
	{47, 35, 19}, {43, 31, 19}, {39, 27, 15}, {35, 23, 15}, {27, 19, 11}, {23, 15, 11},
	{19, 15, 7}, {15, 11, 7}, {95, 95, 111}, {91, 91, 103}, {91, 83, 95}, {87, 79, 91},
	{83, 75, 83}, {79, 71, 75}, {71, 63, 67}, {63, 59, 59}, {59, 55, 55}, {51, 47, 47},
	{47, 43, 43}, {39, 39, 39}, {35, 35, 35}, {27, 27, 27}, {23, 23, 23}, {19, 19, 19},
	// Crossplatform-Sockets-API ("XSA"), abstracting the differences between
	// UNIX Sockets (from Linux, *BSD, OSX, ...) and Winsock (WSA)

	/*
	* (C) 2017-2021 Daniel Gibson
	*
	* License:
	* This software is dual-licensed to the public domain and under the following
	* license: you are granted a perpetual, irrevocable license to copy, modify,
	* publish, and distribute this file as you see fit.
	/*
	* SDL2 mousebutton test
	*
	* build with:
	* $ gcc $(sdl2-config --cflags) -o sdl2test sdl2test.c $(sdl2-config --libs)
	*/
	#include <stdio.h>
	#include <SDL.h>
	#include <errno.h>