Posts Tagged: windows

Here is a really small Go reverse shell (about 30 lines, comments included). Environment setup: download/install Go from here. If you use Windows, you may want to download/install the TDM-GCC compiler from here as well. Code: first, we need to define what libraries we need: import "net" import "fmt" import "bufio" import "os/exec"… Read Article →

Below is a basic example of how to use the Detours library to hook APIs. #include <stdio.h> #include <windows.h> #include <detours.h> // API that we want to hook DWORD (WINAPI * Real_SleepEx)(DWORD dwMilliseconds, BOOL bAlertable) = SleepEx; // This function will be called *before* the API. // We will modify one of the parameters //… Read Article →

If you want to do web app security testing with either Chrome or Chromium, you may want to disable a few security features so you can actually get through your test cases. The same command line parameters work for both: /usr/bin/chromium --disable-web-security --disable-xss-auditor --ignore-certificate-errors --user-data-dir=/pentesting/web/temp/data --proxy-server= (note that --disable-web-security is only honored together with a non-default --user-data-dir, and --disable-xss-auditor only matters on builds older than Chrome 78, which removed the XSS Auditor). This works for both Linux… Read Article →

In this post we'll take a closer look at .NET serialization/deserialization attacks. We'll use a vulnerable .NET (C#) program as an example (inspired by James's work) and walk through it to see where the issue lies. using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Threading.Tasks; using System.Diagnostics; using System.Xml; using System.Xml.Serialization; using… Read Article →

For 64-bit executables (PE32+), a couple of PE header offsets change. Don't hard-code the size of the OptionalHeader; read SizeOfOptionalHeader from the _IMAGE_FILE_HEADER (it is 0xE0 for PE32 and 0xF0 for PE32+) and use it to find the section table, which starts right after the optional header. There is no longer a BaseOfData field; instead ImageBase is 8 bytes long and takes up both slots, so SectionAlignment still sits at offset 0x20. The four SizeOfStackReserve/SizeOfStackCommit/SizeOfHeapReserve/SizeOfHeapCommit fields also grow to 8 bytes each, which pushes NumberOfRvaAndSizes and the DataDirectory array from 0x5C/0x60 to 0x6C/0x70. More details on _IMAGE_OPTIONAL_HEADER64 can be found here.
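The following is an added example, not code from the original post: a small parser that walks a PE header the way the paragraph recommends, reading SizeOfOptionalHeader and the OptionalHeader Magic instead of assuming a fixed layout, so the same code handles PE32 and PE32+ and refuses a truncated header instead of reading past the buffer. The field offsets follow winnt.h; the sample image is constructed in build_sample() and contains headers only (it is not a loadable executable).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original post). Offsets follow winnt.h; only
 * the fields this parser reads are named. */
#define IMAGE_DOS_SIGNATURE            0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE             0x00004550  /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC  0x10B
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC  0x20B
#define IMAGE_SIZEOF_FILE_HEADER       20
#define IMAGE_SIZEOF_SECTION_HEADER    40

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

typedef struct {
    int      is_pe32plus;
    uint16_t num_sections;
    uint16_t size_of_optional_header;
    uint64_t image_base;            /* 4 bytes in PE32, 8 bytes in PE32+ */
    uint32_t section_table_offset;  /* file offset of the first IMAGE_SECTION_HEADER */
} pe_info;

/* Returns 0 on success, a negative code if buf is not a well-formed PE header. */
int pe_parse(const uint8_t *buf, size_t len, pe_info *out)
{
    if (len < 0x40 || rd16(buf) != IMAGE_DOS_SIGNATURE) return -1;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 4 + IMAGE_SIZEOF_FILE_HEADER) return -2;
    if (rd32(buf + e_lfanew) != IMAGE_NT_SIGNATURE) return -3;
    const uint8_t *fh = buf + e_lfanew + 4;          /* IMAGE_FILE_HEADER follows "PE\0\0" */
    out->num_sections            = rd16(fh + 2);
    out->size_of_optional_header = rd16(fh + 16);    /* read it, never assume 0xE0/0xF0 */
    const uint8_t *oh = fh + IMAGE_SIZEOF_FILE_HEADER;
    size_t oh_off = (size_t)(oh - buf);
    /* ImageBase ends at offset 32 in both layouts; require at least that much. */
    if (out->size_of_optional_header < 32 || len - oh_off < out->size_of_optional_header) return -4;
    uint16_t magic = rd16(oh);
    if (magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {        /* PE32+: no BaseOfData, 8-byte ImageBase at +24 */
        out->is_pe32plus = 1;
        out->image_base  = rd64(oh + 24);
    } else if (magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { /* PE32: BaseOfData at +24, 4-byte ImageBase at +28 */
        out->is_pe32plus = 0;
        out->image_base  = rd32(oh + 28);
    } else {
        return -5;
    }
    /* Section table starts right after the optional header, whatever its size. */
    uint64_t sec_off = (uint64_t)oh_off + out->size_of_optional_header;
    if (sec_off + (uint64_t)out->num_sections * IMAGE_SIZEOF_SECTION_HEADER > len) return -6;
    out->section_table_offset = (uint32_t)sec_off;
    return 0;
}

/* Constructed sample: DOS header at 0, NT headers at 0x80, one section header.
 * Returns the number of bytes written (0 if cap is too small). */
size_t build_sample(uint8_t *buf, size_t cap, int pe32plus)
{
    const uint32_t e_lfanew = 0x80;
    uint16_t oh_size = pe32plus ? 0xF0 : 0xE0;   /* sizeof(IMAGE_OPTIONAL_HEADER64 / 32) */
    size_t total = e_lfanew + 4 + IMAGE_SIZEOF_FILE_HEADER + oh_size + IMAGE_SIZEOF_SECTION_HEADER;
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr16(buf, IMAGE_DOS_SIGNATURE);
    wr32(buf + 0x3C, e_lfanew);
    wr32(buf + e_lfanew, IMAGE_NT_SIGNATURE);
    uint8_t *fh = buf + e_lfanew + 4;
    wr16(fh, pe32plus ? 0x8664 : 0x14C);          /* Machine: AMD64 / I386 */
    wr16(fh + 2, 1);                              /* NumberOfSections */
    wr16(fh + 16, oh_size);                       /* SizeOfOptionalHeader */
    uint8_t *oh = fh + IMAGE_SIZEOF_FILE_HEADER;
    if (pe32plus) {
        wr16(oh, IMAGE_NT_OPTIONAL_HDR64_MAGIC);
        wr64(oh + 24, 0x0000000140000000ULL);     /* ImageBase (8 bytes, no BaseOfData) */
    } else {
        wr16(oh, IMAGE_NT_OPTIONAL_HDR32_MAGIC);
        wr32(oh + 24, 0x2000);                    /* BaseOfData */
        wr32(oh + 28, 0x00400000);                /* ImageBase (4 bytes) */
    }
    memcpy(oh + oh_size, ".text", 5);             /* first IMAGE_SECTION_HEADER.Name */
    return total;
}

static int sample_info(int pe32plus, pe_info *pi, size_t truncate_to)
{
    uint8_t buf[512];
    size_t n = build_sample(buf, sizeof buf, pe32plus);
    if (truncate_to && truncate_to < n) n = truncate_to;
    memset(pi, 0, sizeof *pi);
    return pe_parse(buf, n, pi);
}
int      sample_status(int pe32plus)               { pe_info pi; return sample_info(pe32plus, &pi, 0); }
uint64_t sample_image_base(int pe32plus)           { pe_info pi; sample_info(pe32plus, &pi, 0); return pi.image_base; }
uint32_t sample_section_table_offset(int pe32plus) { pe_info pi; sample_info(pe32plus, &pi, 0); return pi.section_table_offset; }
/* Buffer cut off 10 bytes into the optional header: must be rejected, not read past. */
int truncated_status(void) { pe_info pi; return sample_info(0, &pi, 0x80 + 4 + IMAGE_SIZEOF_FILE_HEADER + 10); }

int main(void)
{
    for (int plus = 0; plus < 2; plus++) {
        pe_info pi;
        int rc = sample_info(plus, &pi, 0);
        printf("%s: rc=%d SizeOfOptionalHeader=0x%X ImageBase=0x%llX section table at 0x%X\n",
               pi.is_pe32plus ? "PE32+" : "PE32", rc, pi.size_of_optional_header,
               (unsigned long long)pi.image_base, pi.section_table_offset);
    }
    return 0;
}
```

The two header sizes are only used to build the sample; the parser itself never depends on them, which is the point: a PE32+ file with a non-standard SizeOfOptionalHeader (the loader allows it) still lands on the right section table.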

Here are some detailed instructions on how to install pydbg. In its most basic form, you need the following to execute a program: from pydbg import * from pydbg.defines import * def exception_handle(dbg):     print(dbg.dump_context())     raw_input("Press enter to continue…")     return DBG_EXCEPTION_NOT_HANDLED def debug(exe_path, params):     dbg = pydbg()     pid… Read Article →

Set up the Windows VM for kernel debugging (from an elevated prompt; the settings take effect after a reboot): bcdedit /debug on bcdedit /dbgsettings serial debugport:1 baudrate:115200 In the VM settings, associate a pipe with the COM1 port: \\.\pipe\debugk (Windows host) or /tmp/debugk (Linux host). Here is a list of some useful windbg commands: lm – list modules !address <addr> – show details about addr !peb… Read Article →

This is a Python script for Immunity Debugger that sets breakpoints on "interesting" APIs. Here is the list of APIs (in no particular order): "ZwRaiseHardError" "bind" "listen" "socket" "DeviceIoControl" "ZwCreateFile" "ZwCreateSection" "ZwQueryInformationFile" "ZwQueryAttributesFile" "ZwCreateUserProcess" "ZwOpenKeyEx" "ZwOpenKey" "ResumeThread" "CopyFileA" "CopyFileExW" "CopyFileW" "CreateDirectoryA" "CreateDirectoryW" "CreateMutexA" "CreateMutexW" "CreateFileA" "CreateFileW" "CreateProcessA" "CreateProcessW" "CreateProcessInternalA" "CreateRemoteThread" "WinExec" "OpenProcess" "Sleep" "IsDebuggerPresent" "WriteProcessMemory" "_write" "ZwWriteFile"… Read Article →

As suggested by Intel in their Intel Analysis of Speculative Execution Side Channels whitepaper, the recommended mitigation for Spectre variant 1, bounds check bypass (CVE-2017-5753), is to use the LFENCE instruction ("LFENCE does not execute until all prior instructions have completed locally, and no later instruction begins execution until LFENCE completes"). Placed after the bounds check, it stops the bounds check bypass method that relies… Read Article →
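As an added example (not code from the original post or from Intel's whitepaper), here is the classic variant 1 gadget next to the same function with an LFENCE placed on the in-bounds path, which is where the excerpt says the fence belongs. The two arrays and their contents are constructed for the demonstration; the attacker-side cache-timing measurement is not part of it, only the victim code and the placement of the barrier. The non-x86 branch exists so the file compiles elsewhere and is not a mitigation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the original post. Arrays and contents are constructed. */
#define ARRAY1_SIZE  16
#define PROBE_STRIDE 512   /* keep each possible byte value on its own cache line(s) */

static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * PROBE_STRIDE];   /* the "probe" array whose cache state leaks array1[x] */

/* Fill array2 so that array2[v * PROBE_STRIDE] == v. Runs before main() so the
 * functions below return deterministic values in a stand-alone build. */
__attribute__((constructor)) static void probe_init(void)
{
    for (size_t i = 0; i < sizeof array2; i++) array2[i] = (uint8_t)(i / PROBE_STRIDE);
}

/* Vulnerable gadget: while the branch predictor assumes x is in bounds, the
 * CPU may run the two dependent loads with an out-of-bounds x and pull the
 * array2 line selected by array1[x] into cache before the misprediction is
 * discovered. The architectural result is correct; the cache footprint is not. */
uint8_t victim_unprotected(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * PROBE_STRIDE];
    return 0;
}

static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    /* LFENCE waits for every earlier instruction (the compare and branch
     * included) to complete and lets nothing after it begin until then. */
    __asm__ __volatile__("lfence" ::: "memory");
#else
    /* Non-x86 build: there is no LFENCE; a real port needs that ISA's own
     * barrier (for example CSDB on Arm). This only keeps the example compiling. */
    __asm__ __volatile__("" ::: "memory");
#endif
}

/* Mitigated: the barrier sits on the "in bounds" path, so the dependent loads
 * cannot issue until the bounds check has actually resolved. */
uint8_t victim_lfence(size_t x)
{
    if (x < ARRAY1_SIZE) {
        speculation_barrier();
        return array2[array1[x] * PROBE_STRIDE];
    }
    return 0;
}

/* Architecturally the two versions are identical; the fence changes only what
 * may happen speculatively. Returns 1 when they agree on every x tried. */
int mitigations_agree(void)
{
    for (size_t x = 0; x < 4 * ARRAY1_SIZE; x++)
        if (victim_unprotected(x) != victim_lfence(x)) return 0;
    return victim_unprotected((size_t)-1) == victim_lfence((size_t)-1);
}

int main(void)
{
    printf("victim_unprotected(3)=%u victim_lfence(3)=%u out-of-bounds=%u agree=%d\n",
           victim_unprotected(3), victim_lfence(3), victim_lfence(ARRAY1_SIZE), mitigations_agree());
    return 0;
}
```

Fencing every bounds check is expensive, which is why compilers apply it selectively: MSVC's /Qspectre inserts LFENCE only where it recognises this load-from-index-then-load pattern, and code it does not recognise still needs the barrier placed by hand as above.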
