GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
Jackson T. jthuraisamy
jthuraisamy
/ funcnames_from_logger.py
Last active
July 13, 2020 01:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Recover function names from logger function calls. | |
| #@author @Jackson_T | |
| #@category _NEW_ | |
| #@keybinding | |
| #@menupath | |
| #@toolbar | |
| import re | |
| from ghidra.program.model.symbol import SourceType |
jthuraisamy
/ loaded_psp_drivers.cpp
Last active
October 15, 2023 03:01
Loaded Security Product Drivers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <ImageHlp.h> | |
| #include <strsafe.h> | |
| #include "loaded_psp_drivers.h" | |
| #include <set> | |
| #include <string> | |
| #include <algorithm> | |
| #pragma comment(lib, "crypt32.lib") |
jthuraisamy
/ _Instructions_Reproduce.md
Created
April 30, 2020 06:28
GhostLoader - AppDomainManager - Injection - 攻壳机动队
jthuraisamy
/ dll-proxying.py
Created
December 18, 2019 15:44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os.path | |
| import pefile | |
| print('#pragma once') | |
| target_dll = r'target.dll' | |
| pe = pefile.PE(target_dll) | |
| for export in pe.DIRECTORY_ENTRY_EXPORT.symbols: | |
| if export.name: | |
| name = export.name.decode() |
jthuraisamy
/ syscalls.asm
Last active
November 24, 2019 22:18
AV/EDR Evasion with Direct System Calls (x64)
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .code | |
| NtAcceptConnectPort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAcceptConnectPort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAcceptConnectPort_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAcceptConnectPort_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 |
jthuraisamy
/ syscall.asm
Last active
November 23, 2019 18:33
System Call Detection at Runtime (NtCreateFile example)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .code | |
| NtCreateFile PROC | |
| mov rax, gs:[60h] | |
| NtCreateFile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateFile_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateFile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 |
jthuraisamy
/ _README.md
Last active
August 17, 2023 13:09
GospelRoom: Data Storage in UEFI NVRAM Variables
| IDA Plugins | Preferred | Neutral | Unreviewed |
|---|
jthuraisamy
/ highlight_calls.py
Created
April 4, 2018 01:39
IDAPython Script to highlight function calls.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| IDAPython Script to highlight function calls. | |
| Re-implemented by jthuraisamy (not the original author). | |
| Install to %IDADIR%\plugins\highlight_calls.py. | |
| Run by pressing Ctrl+Alt+H or go to Options -> Highlight Call Instructions. | |
| """ | |
| class HighlightHandler(idaapi.action_handler_t): |
jthuraisamy
/ README.md
Last active
April 16, 2023 06:06
PyExZ3 Example with HackSysExtremeVulnerableDriver
TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.
The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow varies between the binary and source due to compiler optimizations. This results in a situation where only a few IOCTL codes in the assembly are represented as a constant with the remaining being computed at runtime.
The code in hevd_ioctl.py is a approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex
NewerOlder