Moustafa Saleh mesaleh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| unsigned char shell[79] = { | |
| 0x33, 0xD2, 0x52, 0x68, 0x4D, 0x30, 0x53, 0x41, 0x54, 0x52, 0x64, 0x8B, | |
| 0x72, 0x30, 0xB2, 0x21, 0x4A, 0x8B, 0x74, 0x32, 0xEC, 0x8B, 0x74, 0x32, | |
| 0xEC, 0xAD, 0x8B, 0x30, 0x8B, 0x7E, 0x18, 0x8B, 0x5F, 0x3C, 0x8B, 0x5C, | |
| 0x3B, 0x78, 0x03, 0xD3, 0x8B, 0x34, 0x3A, 0x03, 0xF7, 0x8B, 0x4C, 0x3B, | |
| 0x24, 0x03, 0xCF, 0x33, 0xD2, 0x0F, 0xB7, 0x2C, 0x51, 0x42, 0xAD, 0x81, | |
| 0x3C, 0x38, 0x46, 0x61, 0x74, 0x61, 0x75, 0xF1, 0x8B, 0x74, 0x3B, 0x1C, | |
| 0x03, 0xF7, 0x03, 0x3C, 0xAE, 0xFF, 0xD7 | |
| }; |
mesaleh
/ getImports_snippet.cpp
Created
April 18, 2015 02:48
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| template <class T> // T: PIMAGE_THUNK_DATA64 or PIMAGE_THUNK_DATA32 | |
| vector<string> PE::getModuleAPIs(T pThunk, PIMAGE_SECTION_HEADER IT) | |
| { | |
| vector<string> APIs; | |
| // check if IMAGE_THUNK_DATA is within the section of Import directory, otherwise, most likely the file is packed or manualy manipulated. | |
| if (((DWORD)pThunk < ((DWORD)LoadAddr + IT->PointerToRawData)) || ((DWORD)pThunk >((DWORD)LoadAddr + IT->PointerToRawData + IT->SizeOfRawData))) { | |
| Suspicious |= SUSPICIOUS_IMPORTS; | |
| } |
mesaleh
/ test_dll.c
Created
April 18, 2015 01:12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Moustafa Saleh ([email protected]) | |
| * | |
| * Test DLL | |
| * Compile: | |
| * GCC: gcc test_dll.c -o test_dll_gcc.dll -shared -Wl,--out-implib,test_dll_gcc.a -DBUILDING_TEST_DLL | |
| * CL: cl test_dll.c kernel32.lib user32.lib /LD /D BUILDING_TEST_DLL | |
| */ | |
| #include <windows.h> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Moustafa Saleh ([email protected]) | |
| * | |
| * Compile: | |
| * gcc test.c -o test.exe -L. -l:test_dll_gcc.a | |
| * cl test.c test_dll.lib | |
| */ | |
| __declspec(dllimport) void __stdcall bar(); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef struct _STRING { | |
| USHORT Length; | |
| USHORT MaximumLength; | |
| PCHAR Buffer; | |
| } STRING, OEM_STRING, *PSTRING; |
mesaleh
/ ZwDelayExecution1.cpp
Last active
June 7, 2021 10:22
Used in my blog http://moustafasaleh.blogspot.com/2015/03/using-windows-native-apis-with-cl-and.html
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| http://moustafasaleh.blogspot.com/ (@msaleh83) | |
| Example of dynamically linking ZwDelayExecution Windows internal API | |
| compile: | |
| cl ZwDelayExecution1.cpp kernel32.lib user32.lib | |
| gcc ZwDelayExecution1.cpp -o ZwDelayExecution1.exe | |
| */ | |
| #define UNICODE |
mesaleh
/ ZwDelayExecution2.cpp
Last active
August 29, 2015 14:17
Used in my blog http://moustafasaleh.blogspot.com/2015/03/using-windows-native-apis-with-cl-and.html
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| http://moustafasaleh.blogspot.com/ (@msaleh83) | |
| Example of using ZwDelayExecution Windows internal API by importing ntdll.lib | |
| compile: | |
| cl ZwDelayExecution2.cpp kernel32.lib ntdll.lib user32.lib | |
| gcc ZwDelayExecution2.cpp -o ZwDelayExecution1.exe -lntdll | |
| */ | |
| #define UNICODE |
mesaleh
/ peid_vul1.c
Last active
August 29, 2015 14:14
Used for my blog entry to describe PEiD vulnerability
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // getting the exact size of the section | |
| int getMinSectionSize() | |
| { | |
| int size = min(VirtualSize, SizeOfRawData) | |
| // ** if PointerToRawData is negative, overflow will happen here. | |
| int bound = file_size - PointerToRawData | |
| if (size <= bound) return size; | |
| else size = bound; |
mesaleh
/ peid_vul2.c
Last active
August 29, 2015 14:14
Used for my blog entry to describe PEiD vulnerability
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| int size = getMinSectionSize() | |
| // ** overflow can happen here too | |
| int bound = size + PointerToRawData; | |
| if (bound <= file_size) ACCEPTED; | |
| else INVALID_FILE; | |