Skip to content

Instantly share code, notes, and snippets.

#Recover function names from logger function calls.
#@author @Jackson_T
#@category _NEW_
import re
from ghidra.program.model.symbol import SourceType
jthuraisamy / loaded_psp_drivers.cpp
Last active Sep 18, 2022
Loaded Security Product Drivers
View loaded_psp_drivers.cpp
#include <Windows.h>
#include <ImageHlp.h>
#include <strsafe.h>
#include "loaded_psp_drivers.h"
#include <set>
#include <string>
#include <algorithm>
#pragma comment(lib, "crypt32.lib")
jthuraisamy /
Created Apr 30, 2020
GhostLoader - AppDomainManager - Injection - 攻壳机动队

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
import os.path
import pefile
print('#pragma once')
target_dll = r'target.dll'
pe = pefile.PE(target_dll)
for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
name =
jthuraisamy / syscalls.asm
Last active Nov 24, 2019
AV/EDR Evasion with Direct System Calls (x64)
View syscalls.asm
This file has been truncated, but you can view the full file.
NtAcceptConnectPort PROC
mov rax, gs:[60h] ; Load PEB into RAX.
NtAcceptConnectPort_Check_X_X_XXXX: ; Check major version.
cmp dword ptr [rax+118h], 5
je NtAcceptConnectPort_SystemCall_5_X_XXXX
cmp dword ptr [rax+118h], 6
je NtAcceptConnectPort_Check_6_X_XXXX
jthuraisamy / syscall.asm
Last active Nov 23, 2019
System Call Detection at Runtime (NtCreateFile example)
View syscall.asm
NtCreateFile PROC
mov rax, gs:[60h]
NtCreateFile_Check_X_X_XXXX: ; Check major version.
cmp dword ptr [rax+118h], 5
je NtCreateFile_SystemCall_5_X_XXXX
cmp dword ptr [rax+118h], 6
je NtCreateFile_Check_6_X_XXXX
cmp dword ptr [rax+118h], 10
jthuraisamy /
Last active Jul 13, 2022
GospelRoom: Data Storage in UEFI NVRAM Variables

GospelRoom: Data Storage in UEFI NVRAM Variables


Persist data in UEFI NVRAM variables.


  1. Stealthy way to store secrets and other data in UEFI.
  2. Will survive a reimaging of the operating system.

Windows Toolkit


Native Binaries

IDA Plugins Preferred Neutral Unreviewed
jthuraisamy /
Created Apr 4, 2018
IDAPython Script to highlight function calls.
IDAPython Script to highlight function calls.
Re-implemented by jthuraisamy (not the original author).
Install to %IDADIR%\plugins\
Run by pressing Ctrl+Alt+H or go to Options -> Highlight Call Instructions.
class HighlightHandler(idaapi.action_handler_t):

PyExZ3 Example with HackSysExtremeVulnerableDriver

TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.

The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow varies between the binary and source due to compiler optimizations. This results in a situation where only a few IOCTL codes in the assembly are represented as a constant with the remaining being computed at runtime.

The code in is a approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex