Abstract:
You get the idea right! We are going to enumerate all the ROP-Gadgets and then chain them together to craft our API call which will in turn disable DE...
Read full text
posted @ 2014-07-10 14:31
Daniel King
Views (238)
Recommended (0)
Abstract:
0:000> bp 0012f2fc "j @ecx == 0 '';'gc'"
0:000> g
j stands for judgement, similar to the condition?A:B expression in C++. If ecx is 0 at the breakpoint, stop; otherwise go until the next breakpoint (gc). bp 0012f2fc "j (@@c...
Read full text
posted @ 2014-07-10 13:44
Daniel King
Views (261)
Recommended (0)
Abstract:
daniel@daniel-mint ~/msf/metasploit-framework $ ruby msfpayload windows/exec CMD=calc.exe N
WARNING: Nokogiri was built against LibXML version 2.8.0, b...
Read full text
posted @ 2014-07-10 10:10
Daniel King
Views (614)
Recommended (0)
Abstract:
When SEH is used there is a registration process where an exception structure is created for every function as a local variable. The last field of the...
Read full text
posted @ 2014-07-09 18:02
Daniel King
Views (310)
Recommended (0)
Abstract:
daniel@daniel-mint ~/msf/metasploit-framework/tools $ ruby pattern_create.rb 2000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2...
Read full text
posted @ 2014-07-09 16:27
Daniel King
Views (1328)
Recommended (0)
Abstract:
bp ntdll!NtOpenFile ".echo ####################;du poi(ebp+8);.echo ########################;"
Read full text
posted @ 2014-07-09 15:34
Daniel King
Views (156)
Recommended (0)
Abstract:
$ cat ascii.sh
dec_count=0
while [ $dec_count -lt 256 ]
do
  echo -e "\x$(echo "ibase=10;obase=16;$dec_count" | bc)\c"
  dec_count=$((dec_coun...
Read full text
posted @ 2014-07-09 10:48
Daniel King
Views (577)
Recommended (0)
Abstract:
Arithmetic in bash is done with $ and double parentheses: echo "$(($num1+$num2))" Or $ and square brackets: echo "$[$num1+$num2]" You can assign from that...
Read full text
posted @ 2014-07-09 10:21
Daniel King
Views (177)
Recommended (0)
Abstract:
cat test.log | tr -d '\r' | hexdump -C | tail
Read full text
posted @ 2014-07-09 09:55
Daniel King
Views (897)
Recommended (0)
Abstract:
echo -e "xxxx\c" The \c is what suppresses the trailing newline.
Read full text
posted @ 2014-07-02 16:43
Daniel King
Views (213)
Recommended (0)
Abstract:
less -r
grep pattern file.txt --color=always | less -r
Read full text
posted @ 2014-07-02 15:43
Daniel King
Views (283)
Recommended (0)
Abstract:
def get_payload(t)
  if t['Rop'] == :msvcrt
    print_status("Using msvcrt ROP")
    esp_align = "\x81\xc4\x54\xf2\xff\xff"
    ...
Read full text
posted @ 2014-07-01 15:29
Daniel King
Views (601)
Recommended (0)
Abstract:
cat ascii.hex | ascii2binary -b h -t us > ascii.bin
x86dis -e 0 -s att -f ascii.bin
echo "d8 01 77 c4 90 90 90 90" | ascii2binary -b h -t uc | x86d...
Read full text
posted @ 2014-07-01 13:41
Daniel King
Views (211)
Recommended (0)
Abstract:
daniel@daniel-mint ~/msf/metasploit-framework $ ruby msfpayload windows/exec CMD=calc.exe C
WARNING: Nokogiri was built against LibXML version 2.8.0, b...
Read full text
posted @ 2014-07-01 11:23
Daniel King
Views (779)
Recommended (0)
Abstract:
0:000> u ntdll!KiFastSystemCall
ntdll!KiFastSystemCall:
7c92eb8b 8bd4            mov     edx,esp
7c92eb8d 0f34            sysenter
ntdll!KiFastSystemCallR...
Read full text
posted @ 2014-06-30 13:41
Daniel King
Views (1007)
Recommended (0)
Abstract:
Ctrl+Page Down (forward) and Ctrl+Page Up (backward). http://unix.stackexchange.com/a/67963
Read full text
posted @ 2014-06-27 16:52
Daniel King
Views (191)
Recommended (0)
Abstract:
src_dir=$(pwd)/All_h
dst_dir=$(pwd)/All
diff_dir=$(pwd)/diff
if [ ! -d $diff_dir ]
then
  mkdir $diff_dir
fi
for src_full_entry in $src_dir/*
do
  src_cat_entry=...
Read full text
posted @ 2014-06-27 16:21
Daniel King
Views (171)
Recommended (0)
Abstract:
Table 2. Common quantifiers (code/syntax and description): * repeats zero or more times; + repeats one or more times; ? repeats zero or one time; {n} repeats exactly n times; {n,} repeats n or more times; {n,m} repeats n to m times. Of these, * + ? are easy to confuse; the relation between 0 and 1 serves as a mnemonic: * means repeating 0 * 1 or more times; + means repeating 0 + 1 or more times; ? means repeating 0 or 1 times.
Read full text
posted @ 2014-06-27 16:18
Daniel King
Views (742)
Recommended (0)
Abstract:
find . -name "*.result.zip" | xargs -n 1 unzip - -P password -d ../ext_logs
Read full text
posted @ 2014-06-19 12:45
Daniel King
Views (335)
Recommended (0)
Abstract:
/*---------------------------------------------------------------*/
/*--- High-level IR description                                ---*/
/*--------------...
Read full text
posted @ 2014-06-18 15:31
Daniel King
Views (2802)
Recommended (2)
Abstract:
1. Dilemma. Porting libvex from Linux to Windows, the porting work centred on the cross-compiler rather than the anticipated cross-platform issues. The VC++ compiler so far supports only the C89 standard, which requires variables to be declared at the very beginning of a code block (i.e. a block enclosed in braces); see http://sta...
Read full text
posted @ 2014-06-18 11:44
Daniel King
Views (787)
Recommended (0)
Abstract:
daniel@daniel-mint ~/vex $ bash gen.sh 0x10 0x1F
case 10: case 11: case 12: case 13: case 14: case 15: case 16: case 17: case 18: ...
Read full text
posted @ 2014-06-17 13:50
Daniel King
Views (171)
Recommended (0)
Abstract:
VEX IR is an intermediate language/representation closer to the kind a compiler uses, and it is independent of any particular architecture. 1. Code Blocks: a code block is the unit in which VEX processes code, represented by the IRSB struct: /* Code blocks, which in proper compiler terminolo...
Read full text
posted @ 2014-06-16 17:22
Daniel King
Views (4490)
Recommended (0)
Abstract:
Reference: http://stackoverflow.com/a/53668/941650 Why not use tabs (introduced in Vim 7)? You can switch between tabs with :tabn and :tabp, With :tabe you ca...
Read full text
posted @ 2014-06-16 14:01
Daniel King
Views (267)
Recommended (0)
Abstract:
User mode. User mode has four kinds of components, all of which exist as processes; that is, each has its own process address space (which is really just a set of page tables). 1. System Support Processes: these are fixed processes, i.e. processes that ship as part of the operating system, such as the logon process (winlogon.exe), Session m...
Read full text
posted @ 2014-06-11 17:39
Daniel King
Views (4586)
Recommended (1)
Abstract:
Reference: http://blog.csdn.net/broadview2006/article/details/4171397 The content there comes from: in short, Windows does not treat all code running in Ring 0 as the kernel, but distinguishes Kernel from Executive; Executive can be understood as the "management layer", explained...
Read full text
posted @ 2014-06-11 14:27
Daniel King
Views (5657)
Recommended (0)
Abstract:
processhacker-code-5632\1.x\trunk\NProcessHacker\hook.h
typedef struct _PH_HOOK{ PVOID Function; PVOID Target; BOOLEAN Hooked; CHAR Bytes[5...
Read full text
posted @ 2014-06-11 13:33
Daniel King
Views (666)
Recommended (0)
Abstract:
Types of IO. IRP Buffer Management. First distinguish paged memory from nonpaged memory: memory managed in pages is bound to face being swapped out, whereas nonpaged memory stays resident in physical memory. Generally the kernel and drivers carry heavy workloads, so they commonly use nonpaged memory to ensure...
Read full text
posted @ 2014-06-10 17:30
Daniel King
Views (302)
Recommended (0)
Abstract:
Types of Device Drivers. Windows may have user-mode drivers, but we focus only on kernel-mode drivers. WDM Drivers: WDM is a driver model, and a fairly commonly used one. WDM drivers fall into the following categories: Bus Drivers are responsible for detecting devices connected to the bus and for their PnP/Power...
Read full text
posted @ 2014-06-09 16:57
Daniel King
Views (333)
Recommended (0)
Abstract:
The Windows IO System is made up of several executive components, which can be thought of as relatively independent modules inside ntoskrnl.exe. The whole IO System is driven by IRP packets; an IRP (IO Request Packet) is an IO request packet that multiple IO system comp...
Read full text
posted @ 2014-06-09 16:10
Daniel King
Views (220)
Recommended (0)
Abstract:
make 2>&1 | grep error -C 10 -n
Read full text
posted @ 2014-06-08 14:56
Daniel King
Views (165)
Recommended (0)
Abstract:
cat maps | sed -e "s/\([0-9a-f]\{8\}\)-\([0-9a-f]\{8\}\)/0x\1 0x\2/" | awk '{printf("\033[0;33m[%8d Page]\033[0m \033[0;35m[%8d KB]\033[0m %s\n", (str...
Read full text
posted @ 2014-06-05 13:27
Daniel King
Views (544)
Recommended (0)
Abstract:
element_type * px; // contained pointer boost::detail::shared_count pn; // reference counter Two important members: px, which holds the wrapped pointer; pn, which holds the reference count...
Read full text
posted @ 2014-06-05 10:27
Daniel King
Views (339)
Recommended (0)
Abstract:
Windows provides heap-related APIs and can create multiple heaps. Linux, however, has only one heap in that sense, the data segment, whose size is adjusted by the brk/sbrk system calls. Reference: http://man7.org/linux/man-pages/man2/sbrk.2.html
Read full text
posted @ 2014-06-03 17:58
Daniel King
Views (164)
Recommended (0)
Abstract:
Main members: union _Bxty { // storage for small buffer or pointer to larger one _Elem _Buf[_BUF_SIZE]; _Elem *_Ptr; } _Bx; size_type _Mysize; // current l...
Read full text
posted @ 2014-06-03 17:38
Daniel King
Views (1088)
Recommended (0)
Abstract:
a_file=$1
a_step=$2
b_file=$3
b_step=$4
a_start=1
let a_end=$a_start+$a_step
b_start=1
let b_end=$b_start+$b_step
a_lines=$(wc -l $a_file | awk '{print $1}')
b...
Read full text
posted @ 2014-06-03 14:39
Daniel King
Views (211)
Recommended (0)
Abstract:
cat /proc/$(pgrep helloworld)/status | grep Vm
Read full text
posted @ 2014-06-03 10:47
Daniel King
Views (161)
Recommended (0)
Abstract:
Reference: http://www.if-not-true-then-false.com/2010/install-virtualbox-with-yum-on-fedora-centos-red-hat-rhel/ If wget needs a proxy configured, see: http://www.satwe.com/archiv...
Read full text
posted @ 2014-05-30 11:48
Daniel King
Views (163)
Recommended (0)
Abstract:
When using echo or printf, you can add colour settings to the output text: echo -e "Maximum \e[1;31m" $max_threads "\e[0mthreads allowed!" >> $term_dir/summary or printf("\033[;34mfile\033[0m") awk ref...
Read full text
posted @ 2014-05-30 10:29
Daniel King
Views (658)
Recommended (0)
Abstract:
su
chmod a+w /etc/sudoers
vim /etc/sudoers [find the line root ALL=(ALL) ALL] copy it as a new line and change root to daniel (the current username)
chmod 0440 /etc/sudoers
exit
Read full text
posted @ 2014-05-30 10:23
Daniel King
Views (211)
Recommended (0)