
Lee Chagolla-Christensen leechristensen

@leechristensen
leechristensen / ParseRpcServer.md
Created November 8, 2024 21:22
Example of using NtObjectManager to parse RPC server method

These commands demonstrate how to extract RPC server information from a Windows binary. This data is embedded inside any Windows RPC server binary and includes general information about the RPC server and the methods it exposes (including parameter counts and type/struct info).

Run all these commands in a PowerShell window.

Install NtObjectManager

In a PowerShell window, install NtObjectManager:

Install-Module NtObjectManager -Scope CurrentUser
@leechristensen
leechristensen / BorlandCPPDemangler.cpp
Created July 30, 2024 17:39
A script for Ghidra to demangle function names and apply types to functions. Note: Ghidra supports only adding C types to functions. If a C++ type is detected by the demangler, the function will receive a type substituted with "undefined4" instead. Original source from https://github.com/egorolegovichyakovlev/BorlandCPPDemangler
/*
* This is free and unencumbered software released into the public domain.
*
* Anyone is free to copy, modify, publish, use, compile, sell, or
* distribute this software, either in source code form or as a compiled
* binary, for any purpose, commercial or non-commercial, and by any
* means.
*
* In jurisdictions that recognize copyright laws, the author or authors
* of this software dedicate any and all copyright interest in the
@leechristensen
leechristensen / print_guid.idc
Last active July 3, 2024 19:16
Ida IDC script that dumps the bytes at the mouse cursor's position as a GUID string
// Dumps the bytes at the mouse cursor's position as a GUID string
//
// Usage:
// 1. Click on the GUID's "Data1" field in Ida
// 2. Run the script (File -> Script File..., or hit Alt+F7)
// 3. When you load the script, it'll display the GUID in Ida's output window.
// After it's loaded, you can run it again anytime by executing the
// function `get_guid_at_cursor()` in Ida's IDC REPL prompt.
#include <idc.idc>
function Test-NtlmVersion {
[CmdletBinding()]
Param(
[Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$IpAddress,
[Parameter(Position = 1, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
@leechristensen
leechristensen / CES.py
Last active August 26, 2024 02:28
Crude example of how to build a CSR and issue an HTTP request for a certificate via AD CS's Certificate Enrollment Web Service's SOAP endpoint
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.extensions import ExtensionType
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.x509.general_name import GeneralName, IPAddress, OtherName
import base64
import pyasn1
Install-Module NtObjectManager
Import-Module NtObjectManager
$Servers = Get-RpcServer -Path C:\Windows\system32\efssvc.dll `
-DbgHelpPath 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll'
$EfsInterace = $Servers | Where-Object { $_.InterfaceId -eq 'df1941c5-fe89-4e79-bf10-463657acf44d' }
$client = Get-RpcClient -Server $EfsInterace
$client.Connect()
@leechristensen
leechristensen / Get-DriversWithCallbacks.ps1
Last active November 15, 2024 19:11
Enumerates loaded Kernel drivers that import callback APIs
# Find loaded kernel drivers that register callbacks
# Requirements: NtObjectManager (https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager)
function Get-DriversWithCallbacks {
[CmdletBinding()]
Param()
Get-NtKernelModule | ForEach-Object {
$ModulePath = $_.FullPathName
$FilePath = $null
@leechristensen
leechristensen / PInvoked.tsv
Last active May 6, 2021 21:49
PInvoked Functions and their origins on a Windows 10.0.19041 Sandbox machine
DllShortName Dll Export MethodReturnType Method DeclaringType Assembly
"" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertDuplicateCertificateContext(_CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* ) <Module> C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll
"" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertEnumCertificatesInStore(System.Void* , _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* ) <Module> C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll
"" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertFindCert
<#
Author: Lee Christensen (@tifkin_)
License: BSD 3-Clause
Required Dependencies: None
Usage Example:
1. On a Linux or OS X machine with ldapsearch installed, run the following replacing "DC=domain,DC=local" with the DN of the organization's domain:
ldapsearch -o ldif-wrap=no -h dc.domain.local -p 389 -D '[email protected]' -w P@ssw0rd -E 'pr=1000/noprompt' -E '!1.2.840.113556.1.4.801=::MAMCAQc=' -b 'CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local' > ldap_dump.txt
# Download from TLGMetadataParser.psm1 from https://gist.github.com/mattifestation/edbac1614694886c8ef4583149f53658
PS C:\> Import-Module TLGMetadataParser.psm1
PS C:\> $Info = Get-TraceLoggingMetadata -Path C:\Windows\system32\MicrosoftAccountTokenProvider.dll
PS C:\> $Info.Providers
ProviderGUID ProviderName ProviderGroupGUID
------------ ------------ -----------------
05f02597-fe85-4e67-8542-69567ab8fd4f MSAClientTraceLoggingProvider 4f50731a-89cf-4782-b3e0-dce8c90476ba