| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #define MAX_OFFSET 2176 /* range 1..2176 */ | |
| #define MAX_LEN 65536 /* range 2..65536 */ | |
| typedef struct match_t { | |
| size_t index; |
| #ifndef LDE_H | |
| #define LDE_H | |
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <string.h> | |
| #include <dbgeng.h> | |
| #pragma comment(lib, "dbgeng.lib") |
| #include "lde.h" | |
| LDE::LDE() { | |
| CHAR path[MAX_PATH]; | |
| ctrl = NULL; | |
| clnt = NULL; | |
| // create a debugging client |
| /** | |
| Copyright © 2019-2020 Odzhan. All Rights Reserved. | |
| Redistribution and use in source and binary forms, with or without | |
| modification, are permitted provided that the following conditions are | |
| met: | |
| 1. Redistributions of source code must retain the above copyright | |
| notice, this list of conditions and the following disclaimer. |
| // | |
| // A simple PoC for the blog post : Encoding Null Bytes Faster With Escape Sequences | |
| // https://modexp.wordpress.com/2020/06/26/shellcode-encoding-null-bytes-faster/ | |
| // | |
| // odzhan, june 2020 | |
| // | |
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> |
I want to use lsasrv!LsaProtectMemory() inside the LSASS process to encrypt a block of memory and return the ciphertext. It's part of the LsapLsasrvIfTable interface in lsasrv.dll, but unless I'm mistaken can only be accessed by another LSA extension using the lsasrv!QueryLsaInterface() function. The following text is some basic information about the internal structures.
LsapLsasrvIfTable:
dq offset LsaProtectMemory
dq offset LsaUnprotectMemory
dq offset LsaIFreeReturnBuffer
| The following is a list of user-mode API that can sometimes be hooked by an EDR. It's not an extensive list by any means. | |
| ntdll!NtAllocateVirtualMemory | |
| ntdll!ZwFreeVirtualMemory | |
| ntdll!NtMapViewOfSection | |
| ntdll!NtOpenProcess | |
| ntdll!NtUnmapViewOfSection | |
| ntdll!NtWriteVirtualMemory | |
| ntdll!NtProtectVirtualMemory | |
| ntdll!NtLoadDriver |
|  | |
| An Automation Object for Dynamic DLL Calls | |
| Here's an OLE automation object for dynamically declaring and accessing functions in external DLLs | |
| November 01, 1998 URL:http://www.drdobbs.com/windows/an-automation-object-for-dynamic-dll-cal/210200078 Jeff Stong has been developing DOS, Windows, and Windows NT based applications for 10 years. Jeff can be contacted at [email protected]. | |
| You can access external DLLs from Visual Basic by using the Declare statement to declare the name of the function you want to call and the DLL that it resides in. VBScript, however, doesn't support the Declare statement. This article presents an OLE automation object that lets VBScript (or any other environment that can access automation objects) dynamically declare and access functions in external DLLs. | |
| Using the DynamicWrapper Object |
| // | |
| // Charm 256-bit hash ripped from: https://github.com/jedisct1/charm | |
| // | |
| #include <stdint.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #define XOODOO_ROUNDS 12 |
| // Compiles with Visual Studio 2008 for Windows | |
| // This C example is designed as more of a guide than a library to be plugged into an application | |
| // That module required a couple of major re-writes and is available upon request | |
| // The Basic example has tips to the direction you should take | |
| // This will work with connections on port 587 that upgrade a plain text session to an encrypted session with STARTTLS as covered here. | |
| // TLSclient.c - SSPI Schannel gmail TLS connection example | |
| #define SECURITY_WIN32 |