bluedragon1221

https://www.youtube.com/watch?v=QlzoegSuIzg

The Three Parts

To build a minimal linux distro, we need three parts:

1. The Kernel
2. Userspace (busybox)
3. Bootloader (syslinux)

When the system boots, it loads the kernel, which loads busybox.

itewqq

1. Disable or uninstall the official C/C++ plugin.
2. Install the clangd plugin.
3. Build the kernel with clang:

/path/to/kernel_source$ make CC=clang defconfig
/path/to/kernel_source$ make CC=clang -j16

4. Generate the compile_commands.json:

/path/to/kernel_source$ python ./scripts/clang-tools/gen_compile_commands.py

NyaMisty

How to Use

1. In Ghidra's Project Tool, Go to Tools -> Import Tool..., select mistyCodeBrowser.tool
2. Dragging file onto the new CodeBrowser_1 in ToolChest

daaximus

typedef struct _ioctl_t
{
	const char* ioctl_name;
	uint64_t ctl_code;
} ioctl_t;

// This would likely be better used in some unordered map. This is just a temporary data structure for testing resolution.
//
// Results from NtDeviceIoControlFile hook:
// utweb.exe (14916)   ::  NtDeviceIoControlFile( 0x65c (\Device\Afd), 0x694, 0x0000000000000000, 0x0000000000000000, 0x00000000044DEE90, 0x12024 (IOCTL_AFD_SELECT), 0x0000000004A3FC18, 0x34, 0x0000000004A3FC18, 0x34 )

GavinRay97

# Requirements:
#   clang - The classes/structs you want to dump must be used in code at least once, not just defined.
#   MSVC  - The classes/structs you want to dump must have "MEOW" in the name for "reportSingleClass" to work.
# Usage:
#   $ make dump_vtables file=test.cpp
dump_vtables:
  clang -cc1 -fdump-record-layouts -emit-llvm  $(file) > clang-vtable-layout-$(file).txt
  clang -cc1 -fdump-vtable-layouts -emit-llvm  $(file) > clang-record-layout-$(file).txt
  g++ -fdump-lang-class=$(file).txt $(file)
  cl.exe $(file) /d1reportSingleClassLayoutMEOW > msvc-single-class-vtable-layout-$(file).txt

stecman

This is a technique for extracting all imported modules from a packaged Python application as .pyc files, then decompiling them. The target program needs to be run from scratch, but no debugging symbols are necessary (assuming an unmodified build of Python is being used).

This was originally performed on 64-bit Linux with a Python 3.6 target. The Python scripts have since been updated to handle pyc files for Python 2.7 - 3.9.

Theory

In Python we can leverage the fact that any module import involving a .py* file will eventually arrive as ready-to-execute Python code object at this function:

PyObject* PyEval_EvalCode(PyObject *co, PyObject *globals, PyObject *locals);

icecr4ck

IDA Microcode notes

References

• Ilfak's presentation at Recon 2018
• Microcode in pictures
• Hex-Rays Microcode API vs. Obfuscating Compiler
• Scripts vds10, vds11, vds12 and vds13 from Hex-Rays SDK

Implementation

yamnikov-oleg

Source: man syscall

Architecture calling conventions

Every architecture has its own way of invoking and passing arguments to the kernel. The details for various architectures are listed in the two tables below.

The first table lists the instruction used to transition to kernel mode, (which might not be the fastest or best way to transition to

ejoubaud

// Based on http://stackoverflow.com/a/10520017/1307721 and http://stackoverflow.com/a/16022728/1307721

Podium = {};

Podium.keydown = function(k) {
    var oEvent = document.createEvent('KeyboardEvent');

    // Chromium Hack
    Object.defineProperty(oEvent, 'keyCode', {
                get : function() {