Yuma Kurogome ntddk

ntddk / sana.sh
Last active May 25, 2019
I spent the whole day mashing the Sana button
#!/bin/sh
# Fetch the voice list and download every clip (-nc skips files that already exist)
curl https://raw.githubusercontent.com/akameco/sana-voice/master/sana-voice-list.json > sana-voice-list.json
jq -r '.[].link' sana-voice-list.json | while read -r line; do wget -nc "$line"; done
# In the background, keep playing a randomly chosen mp3 from the current directory
(while true; do ls -la | awk '$0~/mp3/{print $9}' | shuf -n 1 | xargs -Iargs cvlc --quiet --no-repeat args 2>/dev/null vlc://quit; done)&
ntddk / README.md

PyExZ3 Example with HackSysExtremeVulnerableDriver

TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.

The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow varies between the binary and source due to compiler optimizations. This results in a situation where only a few IOCTL codes in the assembly are represented as a constant with the remaining being computed at runtime.

The code in hevd_ioctl.py is an approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex

ntddk / windbg_detect_doublepulsar_smb.py
Created May 31, 2017
windbg-doublepulsar-detection-script
#!/usr/bin/env python
# coding: utf-8
import pykd
# Dump the SMB Transaction2 dispatch table; every populated entry should resolve to a srv! symbol.
# An entry pointing outside srv.sys is the DOUBLEPULSAR hook.
for i in pykd.dbgCommand('dps srv!SrvTransaction2DispatchTable').split('\n'):
    if len(i) > 0 and '00000000' not in i and 'srv!' not in i: # addr addr symbol
        print 'Doublepulsar hook detected: ' + i
ntddk / WannaCry-SMB.c
Created May 15, 2017 — forked from msuiche/WannaCry-SMB.c
WannaCry - DOUBLEPULSAR references
// https://twitter.com/msuiche
int threadMain()
{
unsigned int i; // edi@1
_DWORD *v1; // eax@2
void *v2; // esi@7
char v4; // [sp+13h] [bp-2Dh]@0
char v5; // [sp+14h] [bp-2Ch]@1
void *Memory; // [sp+18h] [bp-28h]@1
ntddk / gist:d4d7c29aeda6768ed393824266f5a9be
{
"editor.fontSize": 12,
"editor.renderWhitespace": "all",
"editor.wordWrap": "on",
"editor.renderControlCharacters": true,
"editor.cursorBlinking": "solid",
"window.reopenFolders": "all",
"window.openFilesInNewWindow": "off",
"window.openFoldersInNewWindow": "off",
"files.insertFinalNewline": true,
ntddk / windows_server_2016_as_a_desktop_os.md
Created Mar 13, 2017
Using Windows Server 2016 as a desktop OS

Using Windows Server 2016 as a desktop OS

Preparing the installation USB stick

  • Split install.wim, since it does not fit within FAT32's file size limit
  • diskpart
list disk
select disk xxx
clean
convert gpt
create part primary
ntddk / PyPDF2Highlight.py
from PyPDF2.generic import (
DictionaryObject,
NumberObject,
FloatObject,
NameObject,
TextStringObject,
ArrayObject
)
# x1, y1 starts in bottom left corner
ntddk / LxpSyscall.log
LxpSyscall_WRITEV PAGE 00000001C00546A0 00000190 00000048 00000020 R . . . . . .
LxpSyscall_WRITE PAGE 00000001C0054590 00000103 00000048 00000020 R . . . . . .
LxpSyscall_WAIT4 PAGE 00000001C0054520 00000061 00000038 00000018 R . . . . . .
LxpSyscall_VFORK PAGE 00000001C00544F0 0000002F 00000028 00000004 R . . . . . .
LxpSyscall_UTIMES PAGE 00000001C0054400 000000E4 00000078 00000000 R . . . . . .
LxpSyscall_UTIMENSAT PAGE 00000001C0054190 00000268 00000098 00000000 R . . . . . .
LxpSyscall_UTIME PAGE 00000001C00540F0 0000009A 00000068 00000000 R . . . . . .
LxpSyscall_UNSHARE PAGE 00000001C0054090 00000055 00000028 00000000 R . . . . . .
LxpSyscall_UNLINKAT PAGE 00000001C0054080 00000010 00000028 00000000 R . . . . . .
LxpSyscall_UNLINK PAGE 00000001C0054060 0000001A 00000028 00000000 R . . . . . .
ntddk / qemu-2.3.50_MBA.diff
diff -ur qemu-2.3.50/.git/HEAD MBA/.git/HEAD
--- qemu-2.3.50/.git/HEAD 2016-09-27 18:30:53.604095151 +0900
+++ MBA/.git/HEAD 2016-09-25 02:24:12.509891377 +0900
@@ -1 +1 @@
-e1a5476354d396773e4c555f126d752d4ae58fa9
+ref: refs/heads/master
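Review bot: this hunk is not a source change; it only records that qemu-2.3.50 was a detached checkout at commit e1a5476354d396773e4c555f126d752d4ae58fa9 while MBA has refs/heads/master checked out. Version-control metadata should be excluded from the comparison so the patch contains only the MBA modifications, e.g. `diff -ur -x .git qemu-2.3.50 MBA`; the same applies to the .git/config hunk that follows.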
diff -ur qemu-2.3.50/.git/config MBA/.git/config
--- qemu-2.3.50/.git/config 2016-09-27 18:27:15.160089279 +0900
+++ MBA/.git/config 2016-09-25 02:24:12.557891378 +0900
ntddk / ex02.md

Exercise: build your own sandbox

Analyze c2.exe (with QEMU detection) or c2safe.exe (without QEMU detection) and build a mechanism that semi-automatically extracts the following information:

  • The list of URLs it connects to
  • The commands it received
  • A dump of the command handlers that were executed
  • A dump of the command handlers that were not executed

Google is your friend.
