
View funcnames_from_logger.py
#Recover function names from logger function calls.
#@author @Jackson_T
#@category _NEW_
#@keybinding
#@menupath
#@toolbar
import re
from ghidra.program.model.symbol import SourceType
jthuraisamy / loaded_psp_drivers.cpp
Last active Oct 8, 2021
Loaded Security Product Drivers
View loaded_psp_drivers.cpp
#include <Windows.h>
#include <ImageHlp.h>
#include <strsafe.h>
#include "loaded_psp_drivers.h"
#include <set>
#include <string>
#include <algorithm>
#pragma comment(lib, "crypt32.lib")
jthuraisamy / _Instructions_Reproduce.md
Created Apr 30, 2020
GhostLoader - AppDomainManager - Injection - Ghost in the Shell
View _Instructions_Reproduce.md

GhostLoader Steps :)

1. Create C:\Tools
2. Copy any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
View dll-proxying.py
import os.path
import pefile
print('#pragma once')
target_dll = r'target.dll'
pe = pefile.PE(target_dll)
for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
    if export.name:
        name = export.name.decode()
jthuraisamy / syscalls.asm
Last active Nov 24, 2019
AV/EDR Evasion with Direct System Calls (x64)
View syscalls.asm
.code
NtAcceptConnectPort PROC
mov rax, gs:[60h] ; Load PEB into RAX.
NtAcceptConnectPort_Check_X_X_XXXX: ; Check major version.
cmp dword ptr [rax+118h], 5
je NtAcceptConnectPort_SystemCall_5_X_XXXX
cmp dword ptr [rax+118h], 6
je NtAcceptConnectPort_Check_6_X_XXXX
jthuraisamy / syscall.asm
Last active Nov 23, 2019
System Call Detection at Runtime (NtCreateFile example)
View syscall.asm
.code
NtCreateFile PROC
mov rax, gs:[60h]
NtCreateFile_Check_X_X_XXXX: ; Check major version.
cmp dword ptr [rax+118h], 5
je NtCreateFile_SystemCall_5_X_XXXX
cmp dword ptr [rax+118h], 6
je NtCreateFile_Check_6_X_XXXX
cmp dword ptr [rax+118h], 10
jthuraisamy / _README.md
Last active Aug 16, 2021
GospelRoom: Data Storage in UEFI NVRAM Variables
View _README.md

GospelRoom: Data Storage in UEFI NVRAM Variables

Behaviour

Persist data in UEFI NVRAM variables.

Benefits

  1. Stealthy way to store secrets and other data in UEFI.
  2. Will survive a reimaging of the operating system.
View windows-toolkit.md

Windows Toolkit

Binary

Native Binaries

IDA Plugins Preferred Neutral Unreviewed
jthuraisamy / highlight_calls.py
Created Apr 4, 2018
IDAPython Script to highlight function calls.
View highlight_calls.py
"""
IDAPython Script to highlight function calls.
Re-implemented by jthuraisamy (not the original author).
Install to %IDADIR%\plugins\highlight_calls.py.
Run by pressing Ctrl+Alt+H or go to Options -> Highlight Call Instructions.
"""
import idaapi

class HighlightHandler(idaapi.action_handler_t):
View README.md

PyExZ3 Example with HackSysExtremeVulnerableDriver

TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.

The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow varies between the binary and source due to compiler optimizations. This results in a situation where only a few IOCTL codes in the assembly are represented as a constant with the remaining being computed at runtime.

The code in hevd_ioctl.py is an approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with the requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex