HackSys Team hacksysteam

View GitHub Profile
@hacksysteam
hacksysteam / list-modules-import.py
Created January 17, 2020 10:00
List Imports from DLL or EXE
import sys
import pefile
import glob

# Usage: list-modules-import.py <dll name>
if len(sys.argv) < 2:
    print("{0} <dll name>".format(sys.argv[0]))
    sys.exit(-1)

target_dll = sys.argv[1]
# Glob pattern for the system modules that are (presumably) scanned for imports of target_dll
system_path = "C:\\Windows\\System32\\*"
@hacksysteam
hacksysteam / dump-exports.py
Created January 17, 2020 07:24
Dump Exports from DLL
import os
import sys
import pefile

if __name__ == "__main__":
    filename = sys.argv[1]
    # Fast load skips the data directories; parse only the export directory afterwards
    pe = pefile.PE(filename, fast_load=True)
    pe.parse_data_directories(directories=pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"])
    print("Dumping exports for: {0}".format(os.path.basename(filename)))
@hacksysteam
hacksysteam / token_stealing_11.raw
Created May 7, 2015 08:31
Token Stealing Using WinDBG
kd> ed 0x8570b5e8+f8 878013e0
@hacksysteam
hacksysteam / token_stealing_10.raw
Created May 7, 2015 08:29
Token Stealing Using WinDBG
kd> dt nt!_EX_FAST_REF 0x8570b5e8+f8
+0x000 Object : 0x953b6037 Void
+0x000 RefCnt : 0y111
+0x000 Value : 0x953b6037
@hacksysteam
hacksysteam / token_stealing_9.raw
Created May 7, 2015 08:28
Token Stealing Using WinDBG
kd> dt nt!_EPROCESS 0x8570b5e8
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK
. . .
+0x0f4 ObjectTable : 0x953b8570 _HANDLE_TABLE
+0x0f8 Token : _EX_FAST_REF
+0x0fc WorkingSetPage : 0xb2b3
+0x100 AddressCreationLock : _EX_PUSH_LOCK
. . .
@hacksysteam
hacksysteam / token_stealing_8.raw
Created May 7, 2015 08:26
Token Stealing Using WinDBG
kd> dt nt!_KAPC_STATE 0x83dcd020+0x40
+0x000 ApcListHead : [2] _LIST_ENTRY [ 0x83dcd060 - 0x83dcd060 ]
+0x010 Process : 0x8570b5e8 _KPROCESS
+0x014 KernelApcInProgress : 0 ''
+0x015 KernelApcPending : 0 ''
+0x016 UserApcPending : 0 ''
@hacksysteam
hacksysteam / token_stealing_7.raw
Created May 7, 2015 08:25
Token Stealing Using WinDBG
kd> dt nt!_KTHREAD 0x83dcd020
+0x000 Header : _DISPATCHER_HEADER
. . .
+0x03c SystemThread : 0y1
+0x03c Reserved : 0y000000000000000000 (0)
+0x03c MiscFlags : 0n8193
+0x040 ApcState : _KAPC_STATE
+0x040 ApcStateFill : [23] "`???"
+0x057 Priority : 12 ''
. . .
@hacksysteam
hacksysteam / token_stealing_6.raw
Last active August 29, 2015 14:20
Token Stealing Using WinDBG
kd> dt nt!_KPRCB 82770c00+0x120
+0x000 MinorVersion : 1
+0x002 MajorVersion : 1
+0x004 CurrentThread : 0x83dcd020 _KTHREAD
+0x008 NextThread : (null)
+0x00c IdleThread : 0x8277a380 _KTHREAD
+0x010 LegacyNumber : 0 ''
+0x011 NestingLevel : 0 ''
. . .
+0x3620 ExtendedState : 0x807bf000 _XSAVE_AREA
@hacksysteam
hacksysteam / token_stealing_5.raw
Created May 7, 2015 08:22
Token Stealing Using WinDBG
kd> dt nt!_KPCR 82770c00
+0x000 NtTib : _NT_TIB
+0x000 Used_ExceptionList : 0x88a573ac _EXCEPTION_REGISTRATION_RECORD
. . .
+0x0d8 Spare1 : 0 ''
+0x0dc KernelReserved2 : [17] 0
+0x120 PrcbData : _KPRCB
@hacksysteam
hacksysteam / token_stealing_4.raw
Created May 7, 2015 08:19
Token Stealing Using WinDBG
kd> .process /i 8570b5e8
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
826c0110 cc int 3
kd> dg @fs
P Si Gr Pr Lo