reverse engineering and binary exploitation

Exploits/Binaries/Alarm Reset.md

@@ -0,0 +1,11 @@
+# Resetting Alarms
+
+Like [shakuganz wrote in his blog](https://shakuganz.com/2021/07/14/hackthebox-hunting-write-up/) an alarm can be reset to  a higher value to go off later
+
+```
+push 0x3c                  ; set duration for arg1 of alarm()
+pop ebx
+push 0x1b                  ; alarm systemcall
+pop eax
+int 0x80
+```

Exploits/Binaries/Egg Hunting.md

@@ -0,0 +1,30 @@
+# Egg Hunting
+
+Egg Hunting can be applied if only a few chars are possible to use as shellcode.  
+A tag or egg is an already identified group of bytes in the binary the egg hunter  
+is trying to find.
+
+## Accessing Virtual Address Space
+
+Like [shakuganz](https://shakuganz.com/2021/07/14/hackthebox-hunting-write-up/) wrote about, ccessing unallocated memory can be done in the following way 
+```python
+mem_addr = 0x5FFFFFFF
+
+if access(mem_addr, 0) == 0x2f:
+    jump_to_next_page()
+elif value_at(mem_addr) != egg:
+    mem_addr += 1
+else:
+    print(mem_addr)
+```
+
+
+## Tools
+
+Egg hunter can be found in pwntools' `pwnlib.shellcraft`
+
+
+## Resources
+
+* [hick.org](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf)
+* [Chaudhary's blog](https://medium.com/@chaudharyaditya/slae-0x3-egg-hunter-shellcode-6fe367be2776)

Exploits/Binaries/Extract Opcode.md

@@ -0,0 +1,9 @@
+# Extracting Opcode
+
+## Extracting from ELF File
+
+Extracting opcode from an ELF file can be done via the following way
+
+```sh
+objdump -d ./payload|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
+```

Exploits/Binaries/References.md

@@ -0,0 +1,8 @@
+# Binary Exploitation References
+
+## Assembler
+* [Online x86/x64 assembler](https://defuse.ca/online-x86-assembler.htm)
+
+## Syscalls 
+
+* http://asm.sourceforge.net/intro/hello.html

Exploits/Binaries/Syscalls.md

@@ -0,0 +1,27 @@
+# Syscalls
+
+## General
+
+* [Syscalls in different OSs](http://asm.sourceforge.net/intro/hello.html)
+
+## Linux Syscalls
+
+* First point of contact is `/usr/include/asm/unistd_32.h` and `/usr/include/asm/unistd_64.h`
+
+Manfiles are 
+```
+2 syscall
+2 syscalls
+```
+
+### 32-Bit
+
+* [paolostivanin's syscall-table-32bit](https://github.com/paolostivanin/syscall-table-32bit.git) also contains the link to [the overview](https://syscalls32.paolostivanin.com/)
+
+### 64-Bit
+
+* [Filippo.io's x64 syscall table](https://filippo.io/linux-syscall-table/)
+
+### Others As Well
+
+* [googlesource.com](https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md)

Exploits/Binaries/gdb CheatSheet.md

@@ -0,0 +1,8 @@
+# GDB CheatSheet
+
+## Cast a register value
+
+* Cast the content of a register to char
+```sh
+p *(char **)$rax
+```

Miscellaneous/Sigma Rules.md

@@ -1,30 +0,0 @@
-# Sigma Rules
-
-An abstracted yaml configuration setup which can be converted into multiple queries like Splunk, Kibana, Yara etc. ...
-* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git)
-
-
-## Fields
-
-A minimal configuration should contain at least the following fields
-* title
-* id
-* status
-* description
-* logsource
-* detection
-
-Additional fields may be
-* falsePostivives
-* levels
-* tags
-
-## Transform Modifiers
-
-A detection selection can be refined through setting a pipe `|` followed by the modifier `contains`, `endswith`, `startswith` and `all`.
-
-## Tools
-
-* [sigma-cli](https://github.com/SigmaHQ/sigma-cli)
-* [pySigma](https://github.com/SigmaHQ/pySigma)
-* [Uncoder.io](https://uncoder.io/)

Miscellaneous/Threat Intelligence/Sigma Rules.md

@@ -0,0 +1,48 @@
+# Sigma Rules
+
+An abstracted yaml configuration setup as an universal notation format which can be converted into multiple queries like Splunk, Kibana, Yara etc. ...
+
+* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git)
+
+Specify IOC or troubleshooting issues in a data format that can be shared and versionized.  
+This specified configuration can be translated to multiple different tools as specific queries.
+
+* [Rule Creation Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide)
+
+## Fields
+
+A minimal configuration should contain at least the following fields
+* title
+* id (UUID)
+* status
+* description
+* logsource
+* detection
+* condition
+
+Additional fields may be
+* falsePositives
+* levels
+* tags
+
+[![Sigma Fields](https://github.com/SigmaHQ/sigma/blob/master/images/Sigma_Schema.png?raw=true)](https://github.com/SigmaHQ/sigma/blob/master/images/Sigma_Schema.png?raw=true)
+
+## Filters
+
+Filter can be used to specify detection
+```sh
+File|endswith
+CommandLine|contains
+CommandLine|startswith
+```
+
+## Transform Modifiers
+
+A detection selection can be refined through setting a pipe `|` followed by the modifier `contains`, `endswith`, `startswith` and `all`.
+
+## Tools
+
+* [sigma-cli](https://github.com/SigmaHQ/sigma-cli)
+* [pySigma](https://github.com/SigmaHQ/pySigma)
+* [Uncoder.io](https://uncoder.io/)
+* [Sigmac](https://github.com/SigmaHQ/sigma/tree/8bb3379b6807610d61d29db1d76f5af4840b8208/tools)

Reverse Engineering/References.md

@@ -10,3 +10,9 @@
 
 [scdbg](https://github.com/dzzie/SCDBG.git)
 
+## Automated Solver
+
+* [angr](https://docs.angr.io) is a binary analysis tool and comes with an automated solver
+```sh
+pip install angr
+```