Skip to content

Instantly share code, notes, and snippets.

View jthuraisamy's full-sized avatar

Jackson T. jthuraisamy

601 followers · 10 following
View GitHub Profile
@jthuraisamy
jthuraisamy / funcnames_from_logger.py
Last active July 13, 2020 01:48
#Recover function names from logger function calls.
#@author @Jackson_T
#@category _NEW_
#@keybinding
#@menupath
#@toolbar
import re
from ghidra.program.model.symbol import SourceType
@jthuraisamy
jthuraisamy / loaded_psp_drivers.cpp
Last active October 15, 2023 03:01
Loaded Security Product Drivers
#include <Windows.h>
#include <ImageHlp.h>
#include <strsafe.h>
#include "loaded_psp_drivers.h"
#include <set>
#include <string>
#include <algorithm>
#pragma comment(lib, "crypt32.lib")
@jthuraisamy
jthuraisamy / _Instructions_Reproduce.md
Created April 30, 2020 06:28
GhostLoader - AppDomainManager - Injection - 攻壳机动队

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
@jthuraisamy
jthuraisamy / dll-proxying.py
Created December 18, 2019 15:44
import os.path
import pefile
print('#pragma once')
target_dll = r'target.dll'
pe = pefile.PE(target_dll)
for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
if export.name:
name = export.name.decode()
@jthuraisamy
jthuraisamy / syscalls.asm
Last active November 24, 2019 22:18
AV/EDR Evasion with Direct System Calls (x64)
This file has been truncated, but you can view the full file.
.code
NtAcceptConnectPort PROC
mov rax, gs:[60h] ; Load PEB into RAX.
NtAcceptConnectPort_Check_X_X_XXXX: ; Check major version.
cmp dword ptr [rax+118h], 5
je NtAcceptConnectPort_SystemCall_5_X_XXXX
cmp dword ptr [rax+118h], 6
je NtAcceptConnectPort_Check_6_X_XXXX
cmp dword ptr [rax+118h], 10
@jthuraisamy
jthuraisamy / syscall.asm
Last active November 23, 2019 18:33
System Call Detection at Runtime (NtCreateFile example)
.code
NtCreateFile PROC
mov rax, gs:[60h]
NtCreateFile_Check_X_X_XXXX: ; Check major version.
cmp dword ptr [rax+118h], 5
je NtCreateFile_SystemCall_5_X_XXXX
cmp dword ptr [rax+118h], 6
je NtCreateFile_Check_6_X_XXXX
cmp dword ptr [rax+118h], 10
@jthuraisamy
jthuraisamy / _README.md
Last active October 11, 2024 15:48
GospelRoom: Data Storage in UEFI NVRAM Variables

GospelRoom: Data Storage in UEFI NVRAM Variables

Behaviour

Persist data in UEFI NVRAM variables.

Benefits

  1. Stealthy way to store secrets and other data in UEFI.
  2. Will survive a reimaging of the operating system.
@jthuraisamy
jthuraisamy / windows-toolkit.md
Last active April 12, 2022 20:00
Windows Toolkit

Windows Toolkit

Binary

Native Binaries

IDA Plugins Preferred Neutral Unreviewed
@jthuraisamy
jthuraisamy / highlight_calls.py
Created April 4, 2018 01:39
IDAPython Script to highlight function calls.
"""
IDAPython Script to highlight function calls.
Re-implemented by jthuraisamy (not the original author).
Install to %IDADIR%\plugins\highlight_calls.py.
Run by pressing Ctrl+Alt+H or go to Options -> Highlight Call Instructions.
"""
class HighlightHandler(idaapi.action_handler_t):
@jthuraisamy
jthuraisamy / README.md
Last active April 16, 2023 06:06

PyExZ3 Example with HackSysExtremeVulnerableDriver

TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.

The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow varies between the binary and source due to compiler optimizations. This results in a situation where only a few IOCTL codes in the assembly are represented as a constant with the remaining being computed at runtime.

The code in hevd_ioctl.py is a approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex