
@ra2003
ra2003 / README.md
Created July 20, 2021 14:39 — forked from ntddk/README.md

TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.

The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow varies between the binary and source due to compiler optimizations. This results in a situation where only a few IOCTL codes in the assembly are represented as a constant with the remaining being computed at runtime.

The code in hevd_ioctl.py is an approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex
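The following is an added example, not the gist's hevd_ioctl.py and not PyExZ3. It shows the mechanism the README relies on for the one constraint shape a compiler-lowered switch produces: each comparison of `(ioctl +/- constant)` against an immediate becomes a branch point, and forcing that branch true pins the concrete IOCTL code. PyExZ3 hands the path condition to Z3; this toy explorer solves the linear equality directly. `IOCTL_BASE` and `lowered_handler` are hypothetical stand-ins for HEVD's real dispatcher, shaped the way the README describes it after optimization (one visible immediate, the rest reached by subtracting and re-comparing). `decode_ctl_code` splits a recovered value into its CTL_CODE fields so the result can be sanity-checked against the device type and transfer method the driver is known to use.

```python
"""Recover runtime-computed IOCTL constants by exploring handler paths.

Added example: not the gist's hevd_ioctl.py and not PyExZ3. It handles only
constraints of the form (ioctl + const) == immediate; real tools use a solver.
IOCTL_BASE and lowered_handler are hypothetical, not taken from HEVD.
"""

MASK = 0xFFFFFFFF
IOCTL_BASE = 0x222000  # hypothetical base constant, not from HEVD's header


class PathAbort(Exception):
    """Requested branch outcome contradicts constraints already on the path."""


class Explorer:
    """Records branch decisions for one run and binds the input on equality."""

    def __init__(self, script):
        self.script = script   # outcomes forced for the first len(script) branches
        self.trace = []        # outcomes actually taken on this run
        self.value = None      # concrete ioctl once an equality binds it
        self.forbidden = []    # (offset, imm) pairs the input must NOT satisfy

    def branch(self, offset, imm):
        idx = len(self.trace)
        want = self.script[idx] if idx < len(self.script) else False
        if self.value is not None:            # input already concrete: just check
            if (((self.value + offset) & MASK) == imm) != want:
                raise PathAbort
        elif want:                            # solve ioctl + offset == imm
            cand = (imm - offset) & MASK
            if any(((cand + o) & MASK) == i for o, i in self.forbidden):
                raise PathAbort
            self.value = cand
        else:
            self.forbidden.append((offset, imm))
        self.trace.append(want)
        return want


class Sym:
    """Symbolic 32-bit value ioctl + offset (mod 2**32)."""

    def __init__(self, ex, offset=0):
        self.ex, self.offset = ex, offset & MASK

    def __add__(self, k):
        return Sym(self.ex, self.offset + k)

    def __sub__(self, k):
        return Sym(self.ex, self.offset - k)

    def __eq__(self, imm):       # every comparison becomes a branch point
        return self.ex.branch(self.offset, imm & MASK)

    __hash__ = None


def explore(handler):
    """Run handler on a symbolic ioctl, flip every branch once, and return
    {handler result: concrete ioctl} for each path that pins the input."""
    found, worklist, seen = {}, [[]], set()
    while worklist:
        ex = Explorer(worklist.pop())
        try:
            result = handler(Sym(ex))
        except PathAbort:
            continue
        if ex.value is not None:
            found.setdefault(result, ex.value)
        for i in range(len(ex.script), len(ex.trace)):
            flipped = tuple(ex.trace[:i] + [not ex.trace[i]])
            if flipped not in seen:
                seen.add(flipped)
                worklist.append(list(flipped))
    return found


def lowered_handler(code):
    """Hypothetical dispatcher after switch lowering (not HEVD's source)."""
    t = code - IOCTL_BASE
    if t == 0x3:
        return "dispatch_a"          # the one constant still visible as 0x3
    t = t - 0x3                      # t now holds code - 0x222003
    if t == 0x4:
        return "dispatch_b"
    if t == 0x8:
        return "dispatch_c"
    t = t - 0x8                      # t now holds code - 0x22200B
    if t == 0x7:
        return "dispatch_d"
    return "invalid"


def decode_ctl_code(code):
    """Split a recovered code into CTL_CODE fields for a sanity check:
    (DeviceType, Access, Function, Method)."""
    return (code >> 16, (code >> 14) & 0x3, (code >> 2) & 0xFFF, code & 0x3)


def recover_ioctl_codes():
    return explore(lowered_handler)


if __name__ == "__main__":
    for name, code in sorted(recover_ioctl_codes().items()):
        print(f"{name}: 0x{code:X} fields={decode_ctl_code(code)}")
```

The "invalid" path never binds the input, so it produces no code; every other path yields exactly one constant. A recovered value whose Method field is not 0..3 or whose DeviceType does not match the driver's DEVICE_TYPE is a sign the modelled control flow is wrong, not a new IOCTL.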

@ra2003
ra2003 / gist:6908784fa3e2c810ddebabf37bc3f807
Created July 20, 2021 14:35 — forked from ntddk/gist:adedc65a612aca12ce21
livekd on Windows 10 Build 10074
PS C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64> ./livekd
LiveKd v5.40 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2015 Mark Russinovich and Ken Johnson
Launching C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\kd.exe:
Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
@ra2003
ra2003 / pyvenvex.py
Created July 18, 2021 16:02 — forked from vsajip/pyvenvex.py
A script which demonstrates how to extend Python 3.3's EnvBuilder, by installing setuptools and pip in created venvs. This functionality is not provided as an integral part of Python 3.3 because, while setuptools and pip are very popular, they are third-party packages. The script needs Python 3.3 or later; invoke it using "python pyvenvex.py -h" fo…
#
# Copyright (C) 2013-2020 Vinay Sajip. New BSD License.
#
import os
import os.path
from subprocess import Popen, PIPE
import sys
from threading import Thread
from urllib.parse import urlparse
from urllib.request import urlretrieve
@ra2003
ra2003 / chess.py
Created July 14, 2021 17:00 — forked from rsheldiii/chess.py
chess program for python
"""CONVENTIONS:
positions are done row-column from the bottom left and are both numbers. This corresponds to the alpha-number system in traditional chess while being computationally useful. they are specified as tuples
"""
import itertools
WHITE = "white"
BLACK = "black"
@ra2003
ra2003 / checkDuplicates.py
Created May 1, 2021 20:31 — forked from vinovator/checkDuplicates.py
Python script to find duplicate files from a folder
# checkDuplicates.py
# Python 2.7.6
"""
Given a folder, walk through all files within the folder and subfolders
and get list of all files that are duplicates
The md5 checksum for each file will determine the duplicates
"""
import os
@ra2003
ra2003 / duplicates_finder.py
Created May 1, 2021 20:14 — forked from AGulev/duplicates_finder.py
Python script for searching for duplicate files in a folder. Modification of: https://www.pythoncentral.io/finding-duplicate-files-with-python/ (file size counter was added)
# dupFinder.py
import os, sys, stat
import hashlib


def findDup(parentFolder):
    # Dups in format {hash:[names]}
    dups = {}
    for dirName, subdirs, fileList in os.walk(parentFolder):
        print('Scanning %s...' % dirName)
        for filename in fileList:
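Both duplicate finders above (checkDuplicates.py and duplicates_finder.py) walk a tree and group files by MD5. The block below is an added example, not either gist's code, that keeps that approach and adds the checks a practitioner would want before letting a script delete "duplicates": group by size first so unique-sized files are never read, hash with SHA-256 rather than MD5 (MD5 collisions are cheap to craft, so an attacker-supplied file could be made to look like a duplicate of an unrelated one), skip symlinks so the walk cannot be steered outside the tree, and read in chunks so large files need not fit in memory. The sample tree it builds is constructed data.

```python
"""Duplicate-file finder by content hash.

Added example, neither checkDuplicates.py nor duplicates_finder.py from the
gists above. Size pre-filter, SHA-256, symlink skipping, chunked reads.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

CHUNK = 1 << 16


def file_digest(path):
    """SHA-256 of a file's contents, read in CHUNK-sized pieces."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def find_duplicates(root):
    """Return {sha256: sorted paths} for every content that occurs more than once."""
    by_size = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        # prune symlinked directories in place so os.walk does not follow them
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            by_size[os.path.getsize(path)].append(path)

    by_digest = defaultdict(list)
    for paths in by_size.values():
        if len(paths) < 2:
            continue          # unique size implies unique content: skip the read
        for path in paths:
            by_digest[file_digest(path)].append(path)
    return {d: sorted(p) for d, p in by_digest.items() if len(p) > 1}


def demo():
    """Run the finder over a constructed tree (sample data, not real files)
    and return the groups as paths relative to the tree root."""
    root = tempfile.mkdtemp(prefix="dupdemo_")
    try:
        os.makedirs(os.path.join(root, "sub"))
        samples = {
            "a.txt": b"same content\n",
            "sub/b.txt": b"same content\n",      # duplicate of a.txt
            "c.txt": b"same size!!!\n",          # same size, different bytes
            "d.bin": b"\x00" * 100,
            "sub/e.bin": b"\x00" * 100,          # duplicate of d.bin
            "unique.txt": b"only one of these\n",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        try:   # a symlink to a.txt must not be reported as a third copy
            os.symlink(os.path.join(root, "a.txt"), os.path.join(root, "link.txt"))
        except (OSError, NotImplementedError):
            pass
        groups = find_duplicates(root)
        return {d: [os.path.relpath(p, root) for p in paths]
                for d, paths in groups.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for digest, paths in demo().items():
        print(digest[:16], paths)
```

Only the two pairs with identical bytes are reported; c.txt, which matches the first pair in size, is hashed and correctly separated, and the symlink is ignored.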
@ra2003
ra2003 / config.json
Created March 23, 2021 11:27 — forked from nginx-gists/config.json
NGINX Unit Adds Assembly Language Support
{
    "listeners": {
        "*:8081": {
            "pass": "applications/hello-x64"
        }
    },
    "applications": {
        "hello-x64": {
            "type": "asm",
            "executable": "/path/to/hello"
        }
    }
}
@ra2003
ra2003 / mohttpd.asm
Created March 23, 2021 10:55 — forked from kohgpat/mohttpd.asm
My Own HTTP Daemon by Neill Corlett
;
; My Own HTTP Daemon
; A web server for i386 Linux because I was bored
; Copyright (C) 2012 Neill Corlett
;
; This program is free software: you can redistribute it and/or modify it under
; the terms of the GNU General Public License as published by the Free Software
; Foundation, either version 3 of the License, or (at your option) any later
; version.
;
@ra2003
ra2003 / guide-to-x86_64.txt
Created January 31, 2021 11:23 — forked from jrelo/guide-to-x86_64.txt
x86_64 assembly guide
x86-64 (also known as just x64 and/or AMD64) is the 64-bit version of the x86/IA32 instruction set. Below is our overview of its features that are relevant to CS107. There is more extensive coverage on these topics in Chapter 3 of the B&O textbook. See also our x86-64 sheet for a compact one-page reference.
Registers
The table below lists the commonly used registers (sixteen general-purpose plus two special). Each register is 64 bits wide; the lower 32-, 16- and 8-bit portions are selectable by a pseudo-register name. Some registers are designated for a certain purpose, such as %rsp being used as the stack pointer or %rax for the return value from a function. Other registers are all-purpose, but have a conventional use depending on whether caller-saved or callee-saved. If the function binky calls winky, we refer to binky as the caller and winky as the callee. For example, the registers used for the first 6 arguments and return value are all caller-saved. The callee can freely use those registers, overwriting
@ra2003
ra2003 / build.sh
Created December 14, 2020 18:04 — forked from superboum/LICENCE.txt
Install Debian with Debootstrap + Grub EFI
#!/bin/bash
set -e # Exit on error
DEVICE=$1
[ -z "${DEVICE}" ] && echo "Usage $0 /dev/sdX" && exit 1
udevadm info -n ${DEVICE} -q property
echo "Selected device is ${DEVICE}"
read -p "[Press enter to continue or CTRL+C to stop]"