Robin David RobinDavid

Software Security Researcher working on reverse-engineering, software analysis, symbolic execution, fuzzing. Also attacking obfuscation as a hobby.

RobinDavid / tiny64.asm

Last active April 25, 2017 10:03

Tiny ELF 64 (put code into _start)

	; Credits from : http://blog.stalkr.net/2014/10/tiny-elf-3264-with-nasm.html
	; nasm -f bin -o tiny64 tiny64.asm
	BITS 64
	org 0x400000

	ehdr: ; Elf64_Ehdr
	db 0x7f, "ELF", 2, 1, 1, 0 ; e_ident
	times 8 db 0
	dw 2 ; e_type
	dw 0x3e ; e_machine

RobinDavid / chroot.sh

Created February 25, 2014 17:51

script to create an nice chroot to a given folder

	#!/bin/bash
	ROOT=$1
	mount procfs -t proc $ROOT/proc/
	mount sysfs -t sysfs
	mount -o bin /dev $ROOT/dev/
	mount -o bin /dev/pts $ROOT/dev/pts
	mount --bind /etc/resolv.conf $ROOT/etc/resolv.conf

	chroot $ROOT

RobinDavid / dll_injection.py

Created February 25, 2014 17:49

Sample ddl injection (Gray Hat Python)

	import sys
	from ctypes import *

	PAGE_READWRITE = 0x04
	PROCESS_ALL_ACCESS = ( 0x000F0000 \| 0x00100000 \| 0xFFF )
	VIRTUAL_MEM = ( 0x1000 \| 0x2000 )

	kernel32 = windll.kernel32 #Get the wanted dll

	pid = sys.argv[1] #Gather sent parameters

RobinDavid / code_injector.py

Created February 25, 2014 17:45

sample of shellcode injection into a process (Gray Hat Python)

	'''
	Example taken from Gray Hat Python
	The script inject a shellcode which tasks is to kill the given process, so that the process will not be killed by our process directly.
	'''

	import sys
	from ctypes import *

	# We set the EXECUTE access mask so that our shellcode will execute in the memory block we have allocated
	PAGE_EXECUTE_READWRITE = 0x00000040

RobinDavid / pydbg_firefox.py

Created February 25, 2014 17:39

Pydbg: sample to hook a firefox function to retrieve credentials (Gray Hat Python book)

	'''
	Example taken from Gray Hat Python (book)
	This script present a way to hook a DLL library in Firefox. For this example the script hook nspr4.dll which encrypt datas for SSL connection.

	So we will be able to get the text before it is encrypted. Moreover we catch a pattern "password" to get all login/password before they are ciphered.
	'''

	from pydbg import *
	from pydbg.defines import *
	import utils

RobinDavid / pydbg_access_violation.py

Last active April 25, 2017 10:03

Pydbg: sample hook exception (access violation)

	'''
	#This commented program is vulnerable to a buffer overflow (copy it in a separate file)
	from ctypes import *

	msvcrt = cdll.msvcrt

	raw_input("Once the debbuger is attached press any key") # Give the debugger time to attach, then hit a button

	buffer = c_char_p("AAAAA") # Create the 5-byte destination buffer

RobinDavid / pydbg_hook_printf.py

Created February 25, 2014 17:29

Pydbg: sample hook printf function of a process

	from pydbg import *
	from defines import *

	import struct
	import random
	def printf_randomizer(dbg):
	# Read in the value of the counter at ESP + 0x8 as a DWORD
	parameter_addr = dbg.context.Esp + 0x8
	counter = dbg.read_process_memory(parameter_addr,4) #will be trigger when counter=4

RobinDavid / server_adv.py

Created February 25, 2014 17:24

Another sample of python server

	#!/usr/bin/env python
	#-- encoding: utf-8 --

	import SocketServer

	class EchoRequestHandler(SocketServer.BaseRequestHandler):
	def setup(self):
	print self.client_address, 'connected!'
	self.request.send('hi ' + str(self.client_address) + '\n')

RobinDavid / pyunit_struct.py

Created February 25, 2014 17:19

Sample of a Pyunit test

	import unittest

	class Test1 (unittest.TestCase): #Define a class which extend unittest
	def runTest(self):
	self.failIf (1+1 != 2, '1+1 failed !')

	def suite():
	suite = unittest.TestSuite() #create an object testsuite
	suite.addTest(Test1())
	return suite

RobinDavid / rc4.py

Created February 24, 2014 21:16

RC4 algorithm implementation