Yuma Kurogome ntddk

  • Tokyo, Japan
@ntddk
ntddk / sana.sh
Last active May 25, 2019 10:25
Spent the whole day mashing the Sana button
#!/bin/sh
# Download the voice list, then fetch every linked clip (-nc skips files already present)
curl -s https://raw.githubusercontent.com/akameco/sana-voice/master/sana-voice-list.json > sana-voice-list.json
jq -r '.[].link' sana-voice-list.json | while read -r line; do wget -nc "$line"; done
# Background loop: pick a random mp3 from the current directory and play it with VLC, forever
(while true; do ls -- *.mp3 | shuf -n 1 | xargs -I{} cvlc --quiet --no-repeat {} vlc://quit 2>/dev/null; done) &
ntddk / README.md
Created February 26, 2018 06:29 — forked from jthuraisamy/README.md

TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.

The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow varies between the binary and source due to compiler optimizations. This results in a situation where only a few IOCTL codes in the assembly are represented as a constant with the remaining being computed at runtime.

The code in hevd_ioctl.py is an approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with the requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex
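The optimization the README describes is a `switch` on the IOCTL code lowered into a subtraction chain: the compiler subtracts the first case's value once, then tests the running value against small deltas, so only the first constant survives as an immediate. The following is an added example, not the gist's hevd_ioctl.py and not PyExZ3: a toy symbolic executor over a constructed model of such a dispatcher. The instruction list, handler names and IOCTL values are constructed for illustration; the recovered codes are replayed concretely so the reader can see the solver and the interpreter agree, and decoded into CTL_CODE fields to show they are well-formed IOCTLs.

```python
# Added example: recovering runtime-computed IOCTL codes from a subtraction-chain
# dispatcher with a one-variable symbolic executor. Everything below is constructed;
# it is not the HackSysExtremeVulnerableDriver's code or hevd_ioctl.py.

MASK = 0xFFFFFFFF  # the IOCTL code travels in a 32-bit register

# Constructed model of an optimized IrpDeviceIoCtlHandler: only 0x222003 appears as an
# immediate; each later case is reached by "sub eax, delta ; jz handler", not "cmp eax, imm".
DISPATCHER = [
    ("sub", 0x222003),
    ("jz", "StackOverflowHandler"),
    ("sub", 4),
    ("jz", "StackOverflowGSHandler"),
    ("sub", 4),
    ("jz", "ArbitraryWriteHandler"),
    ("sub", 8),
    ("jz", "PoolOverflowHandler"),
    ("jmp", "InvalidIoctlHandler"),
]


def run_concrete(program, ioctl):
    """Interpret the model with a concrete IOCTL code; returns the handler reached."""
    value = ioctl & MASK
    for op, arg in program:
        if op == "sub":
            value = (value - arg) & MASK
        elif op == "jz" and value == 0:
            return arg
        elif op == "jmp":
            return arg
    return "InvalidIoctlHandler"


def run_symbolic(program):
    """Symbolically execute the model and return {handler: ioctl_code}.

    The only state is the register, which along every path has the form
    (ioctl - offset) mod 2**32, so the symbolic value is just the integer
    `offset`. Each jz forks the path: the taken side adds the constraint
    ioctl == offset, the fall-through side adds ioctl != offset. With a
    single variable, solving is substitution plus a check that the candidate
    does not contradict the inequalities collected on the way here.
    """
    recovered = {}
    offset = 0
    not_equal = set()  # path condition of the fall-through path so far
    for op, arg in program:
        if op == "sub":
            offset = (offset + arg) & MASK
        elif op == "jz":
            candidate = offset  # solution of (ioctl - offset) == 0
            if candidate not in not_equal:  # consistent with the path condition?
                recovered.setdefault(arg, candidate)
            not_equal.add(candidate)  # continue on the path where the jump was not taken
        elif op == "jmp":
            break
    return recovered


def decode_ioctl(code):
    """Split a Windows IOCTL into its CTL_CODE fields: (DeviceType, Access, Function, Method)."""
    return ((code >> 16) & 0xFFFF, (code >> 14) & 0x3, (code >> 2) & 0xFFF, code & 0x3)


def verify(program):
    """Replay every recovered code concretely; a mismatch would mean the solver is wrong."""
    return all(run_concrete(program, code) == handler
               for handler, code in run_symbolic(program).items())


if __name__ == "__main__":
    for handler, code in sorted(run_symbolic(DISPATCHER).items(), key=lambda kv: kv[1]):
        dev, access, func, method = decode_ioctl(code)
        print("%-24s 0x%08X  device=0x%X function=0x%X method=%d"
              % (handler, code, dev, func, method))
    print("concrete replay consistent:", verify(DISPATCHER))
```

A real dispatcher also contains range checks and wrap-around cases that this linear model ignores; that is exactly where a proper solver such as the Z3 backend used by PyExZ3 earns its keep, since the path condition is no longer a set of single-variable equalities.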

ntddk / windbg_detect_doublepulsar_smb.py
Created May 31, 2017 15:03
windbg-doublepulsar-detection-script
#!/usr/bin/env python
# coding: utf-8
# Run inside WinDbg via pykd on a kernel target: dump srv!SrvTransaction2DispatchTable
# and flag any non-null entry that does not resolve to a symbol in srv.sys, which is
# how a DOUBLEPULSAR hook on the table shows up.
from __future__ import print_function
import pykd

for line in pykd.dbgCommand('dps srv!SrvTransaction2DispatchTable').split('\n'):
    # each line: <slot address> <target pointer> <symbol>; a clean entry resolves to srv!...
    if len(line) > 0 and '00000000' not in line and 'srv!' not in line:
        print('Doublepulsar hook detected: ' + line)
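The pykd script keys on the `srv!` text the debugger prints, which fails both ways when symbols are missing (every entry is flagged) or when a hooked pointer happens to resolve to some stale symbol (nothing is flagged). The following is an added example, not part of the gist: the same check run offline over saved `dps` output, deciding by whether each pointer lies inside the srv.sys image and reporting the slot index, which is the detail an analyst wants to compare against the table layout. The `dps` text, the module base and size, and the handler names are constructed sample data, not copied from a real srv.sys.

```python
# Added example: offline DOUBLEPULSAR hook check over saved "dps srv!SrvTransaction2DispatchTable"
# output. All addresses, sizes and handler names below are constructed for illustration.
import re

# Constructed: srv.sys assumed mapped at fffff880`03f00000 for 0x80000 bytes.
SRV_BASE = 0xFFFFF88003F00000
SRV_SIZE = 0x80000

# Constructed dps transcript. Slot 0x0E (table offset 0x70) has been redirected into
# non-paged pool: a pointer outside srv.sys with no symbol next to it.
SAMPLE_DPS = """\
kd> dps srv!SrvTransaction2DispatchTable
fffff880`03f6a000  fffff880`03f2b1c0 srv!SrvSmbOpen2
fffff880`03f6a008  fffff880`03f2b3a0 srv!SrvSmbFindFirst2
fffff880`03f6a010  fffff880`03f2b5e0 srv!SrvSmbFindNext2
fffff880`03f6a018  fffff880`03f2b7f0 srv!SrvSmbQueryFsInformation
fffff880`03f6a020  fffff880`03f2ba10 srv!SrvSmbSetFsInformation
fffff880`03f6a028  fffff880`03f2bc30 srv!SrvSmbQueryPathInformation
fffff880`03f6a030  fffff880`03f2be50 srv!SrvSmbSetPathInformation
fffff880`03f6a038  fffff880`03f2c070 srv!SrvSmbQueryFileInformation
fffff880`03f6a040  fffff880`03f2c290 srv!SrvSmbSetFileInformation
fffff880`03f6a048  fffff880`03f2c4b0 srv!SrvSmbFsctl
fffff880`03f6a050  fffff880`03f2c6d0 srv!SrvSmbIoctl2
fffff880`03f6a058  fffff880`03f2c8f0 srv!SrvSmbFindNotify
fffff880`03f6a060  fffff880`03f2cb10 srv!SrvSmbCreateDirectory2
fffff880`03f6a068  00000000`00000000
fffff880`03f6a070  fffffa80`1c3e0000
"""

# <slot address>  <target pointer>  [symbol]; WinDbg prints 64-bit values with a backtick.
DPS_LINE = re.compile(r"^\s*([0-9a-f`]+)\s+([0-9a-f`]+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def parse_dps(text):
    """Parse dps output into a list of (slot_address, target, symbol); symbol is None if absent."""
    entries = []
    for line in text.splitlines():
        m = DPS_LINE.match(line)
        if not m:
            continue  # prompt, header or blank line
        slot = int(m.group(1).replace("`", ""), 16)
        target = int(m.group(2).replace("`", ""), 16)
        entries.append((slot, target, m.group(3)))
    return entries


def find_hooks(dps_text, module_base, module_size):
    """Return the dispatch-table entries whose target lies outside the module image.

    Judging by where the pointer lands rather than by the symbol string survives
    missing symbols and stale ones alike. Null slots are unused, not hooked.
    """
    entries = parse_dps(dps_text)
    if not entries:
        return []
    table_base = entries[0][0]
    hooks = []
    for slot, target, symbol in entries:
        if target == 0:
            continue
        if not (module_base <= target < module_base + module_size):
            hooks.append({
                "index": (slot - table_base) // 8,  # 64-bit table: one pointer per 8 bytes
                "slot": slot,
                "target": target,
                "symbol": symbol,
            })
    return hooks


if __name__ == "__main__":
    for h in find_hooks(SAMPLE_DPS, SRV_BASE, SRV_SIZE):
        print("Doublepulsar hook detected: slot 0x%02X -> %016x (symbol: %s)"
              % (h["index"], h["target"], h["symbol"] or "none"))
```

On a live target the module range comes from `lm m srv` (or pykd's module API) rather than the constants above; the parser is unchanged.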
ntddk / WannaCry-SMB.c
Created May 15, 2017 05:41 — forked from msuiche/WannaCry-SMB.c
WannaCry - DOUBLEPULSAR references
// https://twitter.com/msuiche
int threadMain()
{
unsigned int i; // edi@1
_DWORD *v1; // eax@2
void *v2; // esi@7
char v4; // [sp+13h] [bp-2Dh]@0
char v5; // [sp+14h] [bp-2Ch]@1
void *Memory; // [sp+18h] [bp-28h]@1
{
"editor.fontSize": 12,
"editor.renderWhitespace": "all",
"editor.wordWrap": "on",
"editor.renderControlCharacters": true,
"editor.cursorBlinking": "solid",
"window.reopenFolders": "all",
"window.openFilesInNewWindow": "off",
"window.openFoldersInNewWindow": "off",
"files.insertFinalNewline": true,
ntddk / windows_server_2016_as_a_desktop_os.md
Created March 13, 2017 04:27
Using Windows Server 2016 as a desktop OS

Preparing the installation USB stick

  • install.wim does not fit on FAT32 (4 GiB file size limit), so split it
  • diskpart
list disk
select disk xxx
clean
convert gpt
create part primary
from PyPDF2.generic import (
DictionaryObject,
NumberObject,
FloatObject,
NameObject,
TextStringObject,
ArrayObject
)
# x1, y1 starts in bottom left corner
Function name Segment Start Length Locals Arguments Flags
LxpSyscall_WRITEV PAGE 00000001C00546A0 00000190 00000048 00000020 R . . . . . .
LxpSyscall_WRITE PAGE 00000001C0054590 00000103 00000048 00000020 R . . . . . .
LxpSyscall_WAIT4 PAGE 00000001C0054520 00000061 00000038 00000018 R . . . . . .
LxpSyscall_VFORK PAGE 00000001C00544F0 0000002F 00000028 00000004 R . . . . . .
LxpSyscall_UTIMES PAGE 00000001C0054400 000000E4 00000078 00000000 R . . . . . .
LxpSyscall_UTIMENSAT PAGE 00000001C0054190 00000268 00000098 00000000 R . . . . . .
LxpSyscall_UTIME PAGE 00000001C00540F0 0000009A 00000068 00000000 R . . . . . .
LxpSyscall_UNSHARE PAGE 00000001C0054090 00000055 00000028 00000000 R . . . . . .
LxpSyscall_UNLINKAT PAGE 00000001C0054080 00000010 00000028 00000000 R . . . . . .
LxpSyscall_UNLINK PAGE 00000001C0054060 0000001A 00000028 00000000 R . . . . . .
ntddk / ex02.md
Last active August 16, 2016 08:15

Exercise: build your own sandbox

Analyze c2.exe (with QEMU detection) or c2safe.exe (without QEMU detection) and build a mechanism that semi-automatically extracts the following information:

  • the list of URLs it connects to
  • the commands it received
  • a dump of the command handlers that were executed
  • a dump of the command handlers that were not executed

Google is your friend.

ntddk / kemongo.md
Last active July 24, 2016 09:49
Pokémon GO notes

OSS

  • all of these require a PTC account
  • currently one of the most actively developed open-source projects in the world
  • shows nearby Pokémon on Google Maps
    • the coordinates are hard-coded as startup options, so I want to make them changeable at runtime
  • Android version of PokemonGo-Map