- A machine running Windows (verified on Windows 10)
- Install the Android SDK
- Install KingoRoot
- Connect the Fx0 to the machine with a USB cable
- Launch KingoRoot and click "ROOT"
- Wait
- From an adb shell, run `su`

kd> .for(r $t0=0; @$t0<dwo(nt!KiServiceLimit); r $t0=@$t0+1){.printf "%y\n", nt!KiServiceTable+(dwo(nt!KiServiceTable+@$t0*4)>>4)}
fffff801`85aa38c4
fffff801`85b3cc10
nt!NtAcceptConnectPort (fffff801`75f238ac)
nt!NtMapUserPhysicalPagesScatter (fffff801`760afb54)
nt!NtWaitForSingleObject (fffff801`75e52d20)
fffff801`85ba51a0
nt!NtReadFile (fffff801`75eb42f0)
nt!NtDeviceIoControlFile (fffff801`75e56740)
nt!NtWriteFile (fffff801`75e9e770)
// Theme
// http://togetter.com/li/92612
// FizzBuzz in 30 bytes
// my code
// 1.
//main(_){printf(_%15?_%3?_%5?"%d\n":"Buzz\n":"Fizz\n":"FizzBuzz\n",_);main(++_);}
// 80 bytes
// 2.
main(_){printf(_%3?_%5?"%d":0:"Fizz",_);puts(_%5?"":"Buzz");main(++_);}
#!/usr/bin/env python
# coding: utf-8
import pykd

# Walk srv!SrvTransaction2DispatchTable with `dps`; every non-null entry is
# expected to resolve to a srv! symbol. An entry pointing elsewhere is the
# signature of a DoublePulsar-style hook on the dispatch table.
for i in pykd.dbgCommand('dps srv!SrvTransaction2DispatchTable').split('\n'):
    if len(i) > 0 and '00000000' not in i and 'srv!' not in i:  # addr addr symbol
        print('Doublepulsar hook detected: ' + i)
TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.
The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow varies between the binary and source due to compiler optimizations. This results in a situation where only a few IOCTL codes in the assembly are represented as a constant with the remaining being computed at runtime.
The code in hevd_ioctl.py is an approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex
PS C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64> ./livekd
LiveKd v5.40 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2015 Mark Russinovich and Ken Johnson
Launching C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\kd.exe:
Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Microsoft (R) COFF/PE Dumper Version 12.00.30501.0
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file C:\Users\Administrator\Desktop\win32k.sys
File Type: EXECUTABLE IMAGE
Section contains the following exports for WIN32K.SYS
%
% From jarticle.sty 16-Mar-88
% -------------------------------------------------------------------------
% No page number
\pagestyle{empty}
% Page layout
%
%\paperwidth 210mm
#!/bin/sh
# Fetch the clip list and download every linked file, skipping ones already present.
curl https://raw.githubusercontent.com/akameco/sana-voice/master/sana-voice-list.json > sana-voice-list.json
jq -r '.[].link' sana-voice-list.json | while read -r line; do wget -nc "$line"; done
# In the background, keep playing a randomly chosen mp3 from the current directory.
(while true; do ls -la | awk '$0~/mp3/{print $9}' | shuf -n 1 | xargs -Iargs cvlc --quiet --no-repeat args 2>/dev/null vlc://quit; done)&