Start a new session:
tmux
Start a new session with a given name:
tmux new -s myname
using System; | |
using System.IO; | |
using System.Diagnostics; | |
using System.Windows.Forms; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
//KeyStroke Mouse Clicks Code | |
/* | |
* https://code.google.com/p/klog-sharp/ | |
*/ |
#include <stdio.h> | |
#include <windows.h> | |
#include <psapi.h> | |
#include <iostream> | |
#include <string> | |
#include <vector> | |
#include "pe_sieve_api.h" | |
#pragma comment(lib, "pe-sieve.lib") |
_ _____ ___ __ __ ___ ____ ____ _____ ____ _____ _____ _ __ __ | |
/ \|_ _/ _ \| \/ |_ _/ ___| | _ \| ____| _ \ |_ _| ____| / \ | \/ | | |
/ _ \ | || | | | |\/| || | | | |_) | _| | | | | | | | _| / _ \ | |\/| | | |
/ ___ \| || |_| | | | || | |___ | _ <| |___| |_| | | | | |___ / ___ \| | | | | |
/_/ \_\_| \___/|_| |_|___\____| |_| \_\_____|____/ |_| |_____/_/ \_\_| |_| | |
[********BEGIN TEST*******] Data Compressed T1002 has 3 Test(s) |
.NET and COM: The Complete Interoperability Guide | |
@War: The Rise of the Military-Internet Complex | |
21st Century C: C Tips from the New School | |
3D Math Primer for Graphics and Game Development (Wordware Game Math Library) | |
A Guide to Claims-Based Identity and Access Control (Microsoft patterns & practices) | |
A Guide to Kernel Exploitation: Attacking the Core | |
A More Beautiful Question: The Power of Inquiry to Spark Breakthrough Ideas | |
A Primer of Analytic Number Theory: From Pythagoras to Riemann | |
Absolute FreeBSD, 2nd Edition: The Complete Guide to FreeBSD | |
Advanced C and C++ Compiling |
#!/usr/bin/env python | |
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved. | |
# | |
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
# | |
# A similar approach to smbexec but executing commands through WMI. | |
# Main advantage here is it runs under the user (has to be Admin) | |
# account, not SYSTEM, plus, it doesn't generate noisy messages |
I was recently interested in reversing some older Cisco IOS images. Those images come in the form of a single binary blob, without any sort of ELF, Mach-o, or PE header to describe the binary.
While I am using Cisco IOS Images in this example, the same process should apply to other Raw Binary Firmware Images.
That makes importing this type of firmware file difficult, as Ghidra doesn't have any idea what type of ISA it needs to disassemble and decompile for.
The following are a few things I learned while trying to get the Cisco IOS image in a reversible state within Ghidra.
First I had to extract the image. The first 112 bytes of the firmware I received from the vendor are some sort of Cisco proprietary header that is not useful for our purpose. We need to extract the bzip2 archive that we are interested in. The easiest way to do that is with binwalk:
1. Download the latest release of mimikatz: https://github.com/gentilkiwi/mimikatz/releases | |
2. Get Mimikatz PE Loader from https://gist.github.com/pljoel/42dae5e56a86a43612bea6961cb59d1a | |
3. use @pljoel katz.cs cs file and uncomment the building lines available on Delivery.Program.Main() & comment Exec() line of code. | |
4. Build it to generate file.b64, copy its content and replace Package.file string available on payload.txt file. | |
6. Make sure payloadPath var is properly set on "TestAssemblyLoader.cs" | |
' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled | |
' by @_xpn_ | |
' | |
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro | |
' Win32 constants mirrored from the Windows SDK headers; values match the SDK definitions.
' CreateProcess dwCreationFlags bit: the lpStartupInfo argument is a STARTUPINFOEX (carries an attribute list).
Const EXTENDED_STARTUPINFO_PRESENT = &H80000 | |
' HeapAlloc flag: zero-fill the returned block.
Const HEAP_ZERO_MEMORY = &H8& | |
' ShowWindow/STARTUPINFO wShowWindow value: the new process's window is not shown.
Const SW_HIDE = &H0& | |
' Maximum path length assumed by the classic (non-long-path) Win32 path APIs.
Const MAX_PATH = 260 | |
' Attribute key identifying the process-mitigation-policy entry in a proc/thread attribute list.
' The policy flags applied under this key are not visible in this excerpt; per the header comment
' above they are presumably the block-non-Microsoft-binaries mitigation — confirm against the caller.
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007 |