x64 dumper configuration
parent
8aaef07cef
commit
26598c0e01
File diff suppressed because it is too large
Load Diff
@ -1,27 +0,0 @@
|
||||
//////////////////////////////////////////////////////////////////////////////
|
||||
//
|
||||
// Common version parameters.
|
||||
//
|
||||
// Microsoft Research Detours Package, Version 4.0.1
|
||||
//
|
||||
// Copyright (c) Microsoft Corporation. All rights reserved.
|
||||
//
|
||||
|
||||
#define _USING_V110_SDK71_ 1
|
||||
#include "winver.h"
|
||||
#if 0
|
||||
#include <windows.h>
|
||||
#include <detours.h>
|
||||
#else
|
||||
#ifndef DETOURS_STRINGIFY
|
||||
#define DETOURS_STRINGIFY_(x) #x
|
||||
#define DETOURS_STRINGIFY(x) DETOURS_STRINGIFY_(x)
|
||||
#endif
|
||||
|
||||
#define VER_FILEFLAGSMASK 0x3fL
|
||||
#define VER_FILEFLAGS 0x0L
|
||||
#define VER_FILEOS 0x00040004L
|
||||
#define VER_FILETYPE 0x00000002L
|
||||
#define VER_FILESUBTYPE 0x00000000L
|
||||
#endif
|
||||
#define VER_DETOURS_BITS DETOURS_STRINGIFY(DETOURS_BITS)
|
@ -1,89 +0,0 @@
|
||||
//////////////////////////////////////////////////////////////////////////////
|
||||
//
|
||||
// Detours Test Program (syelog.h of syelog.lib)
|
||||
//
|
||||
// Microsoft Research Detours Package
|
||||
//
|
||||
// Copyright (c) Microsoft Corporation. All rights reserved.
|
||||
//
|
||||
#pragma once
|
||||
#ifndef _SYELOGD_H_
|
||||
#define _SYELOGD_H_
|
||||
#include <stdarg.h>
|
||||
|
||||
#pragma pack(push, 1)
|
||||
#pragma warning(push)
|
||||
#pragma warning(disable: 4200)
|
||||
|
||||
//////////////////////////////////////////////////////////////////////////////
|
||||
//
|
||||
//
|
||||
#define SYELOG_PIPE_NAMEA "\\\\.\\pipe\\syelog"
|
||||
#define SYELOG_PIPE_NAMEW L"\\\\.\\pipe\\syelog"
|
||||
#ifdef UNICODE
|
||||
#define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEW
|
||||
#else
|
||||
#define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEA
|
||||
#endif
|
||||
|
||||
//////////////////////////////////////////////////////////////////////////////
|
||||
//
|
||||
#define SYELOG_MAXIMUM_MESSAGE 4086 // 4096 - sizeof(header stuff)
|
||||
|
||||
typedef struct _SYELOG_MESSAGE
|
||||
{
|
||||
USHORT nBytes;
|
||||
BYTE nFacility;
|
||||
BYTE nSeverity;
|
||||
DWORD nProcessId;
|
||||
FILETIME ftOccurance;
|
||||
BOOL fTerminate;
|
||||
CHAR szMessage[SYELOG_MAXIMUM_MESSAGE];
|
||||
} SYELOG_MESSAGE, *PSYELOG_MESSAGE;
|
||||
|
||||
|
||||
// Facility Codes.
|
||||
//
|
||||
#define SYELOG_FACILITY_KERNEL 0x10 // OS Kernel
|
||||
#define SYELOG_FACILITY_SECURITY 0x20 // OS Security
|
||||
#define SYELOG_FACILITY_LOGGING 0x30 // OS Logging-internal
|
||||
#define SYELOG_FACILITY_SERVICE 0x40 // User-mode system daemon
|
||||
#define SYELOG_FACILITY_APPLICATION 0x50 // User-mode application
|
||||
#define SYELOG_FACILITY_USER 0x60 // User self-generated.
|
||||
#define SYELOG_FACILITY_LOCAL0 0x70 // Locally defined.
|
||||
#define SYELOG_FACILITY_LOCAL1 0x71 // Locally defined.
|
||||
#define SYELOG_FACILITY_LOCAL2 0x72 // Locally defined.
|
||||
#define SYELOG_FACILITY_LOCAL3 0x73 // Locally defined.
|
||||
#define SYELOG_FACILITY_LOCAL4 0x74 // Locally defined.
|
||||
#define SYELOG_FACILITY_LOCAL5 0x75 // Locally defined.
|
||||
#define SYELOG_FACILITY_LOCAL6 0x76 // Locally defined.
|
||||
#define SYELOG_FACILITY_LOCAL7 0x77 // Locally defined.
|
||||
#define SYELOG_FACILITY_LOCAL8 0x78 // Locally defined.
|
||||
#define SYELOG_FACILITY_LOCAL9 0x79 // Locally defined.
|
||||
|
||||
// Severity Codes.
|
||||
//
|
||||
#define SYELOG_SEVERITY_FATAL 0x00 // System is dead.
|
||||
#define SYELOG_SEVERITY_ALERT 0x10 // Take action immediately.
|
||||
#define SYELOG_SEVERITY_CRITICAL 0x20 // Critical condition.
|
||||
#define SYELOG_SEVERITY_ERROR 0x30 // Error
|
||||
#define SYELOG_SEVERITY_WARNING 0x40 // Warning
|
||||
#define SYELOG_SEVERITY_NOTICE 0x50 // Significant condition.
|
||||
#define SYELOG_SEVERITY_INFORMATION 0x60 // Informational
|
||||
#define SYELOG_SEVERITY_AUDIT_FAIL 0x66 // Audit Failed
|
||||
#define SYELOG_SEVERITY_AUDIT_PASS 0x67 // Audit Succeeeded
|
||||
#define SYELOG_SEVERITY_DEBUG 0x70 // Debugging
|
||||
|
||||
// Logging Functions.
|
||||
//
|
||||
VOID SyelogOpen(PCSTR pszIdentifier, BYTE nFacility);
|
||||
VOID Syelog(BYTE nSeverity, PCSTR pszMsgf, ...);
|
||||
VOID SyelogV(BYTE nSeverity, PCSTR pszMsgf, va_list args);
|
||||
VOID SyelogClose(BOOL fTerminate);
|
||||
|
||||
#pragma warning(pop)
|
||||
#pragma pack(pop)
|
||||
|
||||
#endif // _SYELOGD_H_
|
||||
//
|
||||
///////////////////////////////////////////////////////////////// End of File.
|
Binary file not shown.
Binary file not shown.
@ -1,68 +0,0 @@
|
||||
// this is to poc for dumping out registry files as part 2 of the reversal
|
||||
//
|
||||
// TO-DO:
|
||||
// import detours, will need to recompile 32 bit
|
||||
// write hook functions
|
||||
// inject and write findings
|
||||
// list of functions to hook:
|
||||
// all imported from ADVAPI32
|
||||
// RegEnumValueW
|
||||
// RegDeleteValueW
|
||||
// RegDeleteKeyW
|
||||
// RegSetValueExW
|
||||
// RegCreateKeyExW
|
||||
// RegConnectRegistryW
|
||||
// RegEnumKeyExW
|
||||
// RegCloseKey
|
||||
// RegQueryValueExW
|
||||
// RegOpenKeyExW
|
||||
|
||||
#include "pch.h"
|
||||
|
||||
void perf_hook()
|
||||
{
|
||||
// example code from last ctf
|
||||
// will add code base for x64 and x32 support, as well as setup empty
|
||||
// project to do this stuff quicky?
|
||||
#if 0
|
||||
using LoadStr_t = int(*)(HINSTANCE, UINT, LPSTR, int);
|
||||
uint64_t loadstr_addr;
|
||||
|
||||
// perform hooking
|
||||
loadstr_addr = (uint64_t)GetProcAddress(GetModuleHandleA("User32.dll"), "LoadStringA");
|
||||
|
||||
DetourTransactionBegin();
|
||||
DetourUpdateThread(GetCurrentThread());
|
||||
DetourAttach(&(PVOID&)loadstr_addr, hk_loadstr);
|
||||
DetourTransactionCommit();
|
||||
#endif
|
||||
}
|
||||
|
||||
void thread_main()
|
||||
{
|
||||
// setup console
|
||||
//
|
||||
AllocConsole();
|
||||
freopen("CONIN$", "r", stdin);
|
||||
freopen("CONOUT$", "w", stdout);
|
||||
freopen("CONOUT$", "w", stderr);
|
||||
SetConsoleTitleA("Log");
|
||||
}
|
||||
|
||||
BOOL APIENTRY DllMain(HMODULE hModule,
|
||||
DWORD ul_reason_for_call,
|
||||
LPVOID lpReserved
|
||||
)
|
||||
{
|
||||
switch (ul_reason_for_call)
|
||||
{
|
||||
case DLL_PROCESS_ATTACH:
|
||||
CreateThread(0, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(thread_main), 0, 0, 0);
|
||||
case DLL_THREAD_ATTACH:
|
||||
case DLL_THREAD_DETACH:
|
||||
case DLL_PROCESS_DETACH:
|
||||
break;
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
@ -0,0 +1,111 @@
|
||||
// this is to poc for dumping out registry files as part 2 of the reversal
|
||||
//
|
||||
// TO-DO:
|
||||
// import detours, will need to recompile 32 bit
|
||||
// write hook functions
|
||||
// inject and write findings
|
||||
// list of functions to hook:
|
||||
// all imported from ADVAPI32
|
||||
// RegEnumValueW
|
||||
// RegDeleteValueW
|
||||
// RegDeleteKeyW
|
||||
// RegSetValueExW
|
||||
// RegCreateKeyExW
|
||||
// RegConnectRegistryW
|
||||
// RegEnumKeyExW
|
||||
// RegCloseKey
|
||||
// RegQueryValueExW
|
||||
// RegOpenKeyExW
|
||||
|
||||
#include "pch.h"
|
||||
|
||||
namespace RegHooks
|
||||
{
|
||||
// hook for RegEnumValueW
|
||||
//
|
||||
LSTATUS hk_reg_enum_valuew(
|
||||
HKEY hKey,
|
||||
DWORD dwIndex,
|
||||
LPWSTR lpValueName,
|
||||
LPDWORD lpcchValueName,
|
||||
LPDWORD lpReserved,
|
||||
LPDWORD lpType,
|
||||
LPBYTE lpData,
|
||||
LPDWORD lpcbData
|
||||
)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
namespace DetourExample
|
||||
{
|
||||
using LoadStr_t = int(*)(HINSTANCE, UINT, LPSTR, int);
|
||||
uint64_t loadstr_addr;
|
||||
|
||||
int __stdcall hk_loadstr(HINSTANCE hInstance, UINT uID, LPSTR lpBuffer, int cchBufferMax)
|
||||
{
|
||||
auto original = ((LoadStr_t)(loadstr_addr))(hInstance, uID, lpBuffer, cchBufferMax);
|
||||
return original;
|
||||
}
|
||||
|
||||
// only to serve as a temp example, do not call
|
||||
void example_hook()
|
||||
{
|
||||
// perform hooking
|
||||
loadstr_addr = (uint64_t)GetProcAddress(GetModuleHandleA("User32.dll"), "LoadStringA");
|
||||
DetourTransactionBegin();
|
||||
DetourUpdateThread(GetCurrentThread());
|
||||
DetourAttach(&(PVOID&)loadstr_addr, hk_loadstr);
|
||||
DetourTransactionCommit();
|
||||
}
|
||||
}
|
||||
|
||||
namespace DetourHelper
|
||||
{
|
||||
// places a hook
|
||||
void perf_hook()
|
||||
{
|
||||
// example code from last ctf
|
||||
// will add code base for x64 and x32 support, as well as setup empty
|
||||
// project to do this stuff quicky?
|
||||
}
|
||||
|
||||
// removes a hook
|
||||
void undo_hook()
|
||||
{
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void thread_main()
|
||||
{
|
||||
// setup console
|
||||
//
|
||||
AllocConsole();
|
||||
freopen("CONIN$", "r", stdin);
|
||||
freopen("CONOUT$", "w", stdout);
|
||||
freopen("CONOUT$", "w", stderr);
|
||||
SetConsoleTitleA("Log");
|
||||
|
||||
}
|
||||
|
||||
BOOL APIENTRY DllMain(HMODULE hModule,
|
||||
DWORD ul_reason_for_call,
|
||||
LPVOID lpReserved
|
||||
)
|
||||
{
|
||||
switch (ul_reason_for_call)
|
||||
{
|
||||
case DLL_PROCESS_ATTACH:
|
||||
CreateThread(0, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(thread_main), 0, 0, 0);
|
||||
case DLL_THREAD_ATTACH:
|
||||
case DLL_THREAD_DETACH:
|
||||
case DLL_PROCESS_DETACH:
|
||||
break;
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
Loading…
Reference in New Issue