Satoshi Tanda tandasat
tandasat
/ list_first_instruction.py
Created
June 26, 2021 23:13
IDA script to show the first instruction of the all functions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from idautils import * | |
| from idaapi import * | |
| from idc import * | |
| for funcea in Functions(): | |
| functionName = get_func_name(funcea) | |
| for (startea, endea) in Chunks(funcea): | |
| print(f"{startea:08x} {GetDisasm(startea)} : {functionName}") |
tandasat
/ dump_vmcs.js
Last active
November 28, 2023 19:09
Deprecated: see https://github.com/tandasat/hvext
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "use strict"; | |
| // This script implements the !dump_vmcs command that displays values of the all | |
| // fields in the current VMCS. The processor must be in VMX-root operation with | |
| // an active VMCS. | |
| // | |
| // As a reference, there are some other implementations of the same concept. The | |
| // author is now aware of those two at least. Check them out as it may fit your | |
| // need better. | |
| // - https://github.com/ergot86/crap/blob/main/hyperv_stuff.js (Windbg JavaScript) |
tandasat
/ GetPhysicalMemoryRanges.c
Last active
April 29, 2023 14:56
Part of snapshot taking code in C
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * @brief Returns an array of physical memory address ranges on the system. | |
| * | |
| * @param This - The pointer to the platform API interface. | |
| * @param RangeCount - The pointer to receive the number of entries in the returned | |
| * pointer on success. | |
| * @return The pointer to the array of ranges on success. This must be freed with | |
| * Freed with FREE_CONTIGUOUS_PAGES. On failure, NULL. | |
| */ | |
| STATIC |
tandasat
/ !dump_ept.txt
Last active
June 21, 2023 00:23
EPT setup dumped on Windows 10.0.22621.1848 using hvext: https://github.com/tandasat/hvext
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kd> !dump_ept | |
| Current EPT pointer 0x11b8bc09e | |
| GPA PA Flags | |
| 0x0 - 0x1000 -> Identity ------WR | |
| 0x1000 - 0x2000 -> Identity ---U--WR | |
| 0x3000 - 0x9f000 -> Identity ---U--WR | |
| 0x9f000 - 0x100000 -> Identity ------WR | |
| 0x100000 - 0xa46000 -> Identity ---U--WR | |
| 0xa47000 - 0x4c00000 -> Identity ---U--WR | |
| 0x5000000 - 0xa201000 -> Identity ---U--WR |
tandasat
/ parse_drtm_log.patch
Created
February 7, 2024 15:44
A patch for https://github.com/microsoft/TSS.MSR/tree/main to parse DRTM TPM logs (WBCL)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/PCPTool.v11/exe/SDKSample.cpp b/PCPTool.v11/exe/SDKSample.cpp | |
| index edcc966..984690f 100644 | |
| --- a/PCPTool.v11/exe/SDKSample.cpp | |
| +++ b/PCPTool.v11/exe/SDKSample.cpp | |
| @@ -1813,7 +1813,7 @@ log can be used to calculate the PCRs in the TPM. | |
| { | |
| goto Cleanup; | |
| } | |
| - if(FAILED(hr = Tbsi_Get_TCG_Log(hContext, NULL, &cbLog))) | |
| + if(FAILED(hr = Tbsi_Get_TCG_Log_Ex(TBS_TCGLOG_DRTM_CURRENT, NULL, &cbLog))) |
tandasat
/ hvci_vpid1.log
Created
February 9, 2024 16:51
VMCS configurations for NTOS w/ HVCI (VPID=1), Secure Kernel (VPID=2), and a child partition w/o HVCI (VPID=3)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kd> !dump_vmcs | |
| 0x0000000000000001 Virtual-processor identifier (VPID) | |
| ***** FAILED ***** Posted-interrupt notification vector | |
| 0x0000000000000000 EPTP index | |
| ***** FAILED ***** HLAT prefix size | |
| ***** FAILED ***** Last PID-pointer | |
| 0x000000000000002b Guest ES selector | |
| 0x0000000000000010 Guest CS selector | |
| 0x0000000000000018 Guest SS selector | |
| 0x000000000000002b Guest DS selector |
OlderNewer