| #!/usr/bin/env python3 | |
| """bin2coff.py | |
| usage: bin2coff.py [-h] [-s SYMBOL] [-m {amd64,i386,arm,arm64}] input [output] | |
| Converts an arbitrary file into a linkable COFF. | |
| positional arguments: | |
| input Input file for generating the COFF | |
| output Output for the generated COFF (defaults to the input file name with a '.o' extension) |
| from typing import List | |
| from capstone import * | |
| from capstone.x86 import * | |
| from unicorn import * | |
| from unicorn.x86_const import * | |
| from pefile import PE | |
| class Emulator(): |
| #!/usr/bin/env python | |
| # coding: utf-8 | |
| """ | |
| Modified for JtR by Dhiru Kholia in July, 2016 | |
| Copyright (c) 2015 Will Bond <will@wbond.net> | |
| Permission is hereby granted, free of charge, to any person obtaining a copy of | |
| this software and associated documentation files (the "Software"), to deal in |
| #include <phnt_windows.h> | |
| #include <phnt.h> | |
| #include <stdio.h> | |
| #define PHNT_VERSION PHNT_WIN7 | |
| BOOL IsSuccess(NTSTATUS Status, LPCWSTR Where) | |
| { | |
| if (!NT_SUCCESS(Status)) | |
| wprintf_s(L"%s faild with 0x%0.8x", Where, Status); |
| #include <Windows.h> | |
| #include <intrin.h> | |
| #include <string> | |
| #include <TlHelp32.h> | |
| #include <psapi.h> | |
| DWORD WINAPI Thread(LPVOID lpParam) { | |
| // Insert evil stuff | |
| ExitProcess(0); |
I previously wrote about how to use macro metaprogramming to simplify using string literals in position independent code (PIC). The results are summarized in the below code snippet and the article can be read on GitHub.
void f() {
// Example 1: The Pic idiom for instantiating a string
char picString1[]{ 'a', 'b', 'c' };
| // | |
| // An implementation of GetModuleHandle and GetProcAddress that works with manually mapped modules, forwarded exports, | |
| // without a CRT standard library, and uses no Windows API or dependencies. | |
| // | |
| // Author: Bill Demirkapi | |
| // License: MIT, appended at the bottom of this document if you care about licensing and want to credit me in your own project. | |
| // | |
| #include <Windows.h> | |
| #include <winternl.h> |
TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.
The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow varies between the binary and source due to compiler optimizations. This results in a situation where only a few IOCTL codes in the assembly are represented as a constant with the remaining being computed at runtime.
The code in hevd_ioctl.py is a approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex
| struct RTL_PROTECTED_ACCESS { | |
| DWORD DominateMask; | |
| DWORD DeniedProcessAccess; | |
| DWORD DeniedThreadAccess; | |
| }; | |
| bool RtlTestProtectedAccess(_PS_PROTECTION Requester, _PS_PROTECTION Target) | |
| { | |
| if ( Target.Type == 0 ) | |
| return true; |
| using NtApiDotNet; | |
| using NtApiDotNet.Ndr.Marshal; | |
| using NtApiDotNet.Win32; | |
| using NtApiDotNet.Win32.Rpc.Transport; | |
| using NtApiDotNet.Win32.Security.Authentication; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server; | |
| using NtApiDotNet.Win32.Security.Authentication.Logon; | |
| using System; |