whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

reverse engineering and binary exploitation

This commit is contained in:
Stefan Friese 2023-01-16 19:02:44 +01:00
parent 638dc6c8ed
commit 9f09057a86
9 changed files with 147 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
Exploits/Binaries/Alarm Reset.md Normal file
View File

@ -0,0 +1,11 @@
# Resetting Alarms
Like [shakuganz wrote in his blog](https://shakuganz.com/2021/07/14/hackthebox-hunting-write-up/) an alarm can be reset to a higher value to go off later
```
push 0x3c ; set duration for arg1 of alarm()
pop ebx
push 0x1b ; alarm systemcall
pop eax
int 0x80
```

30
Exploits/Binaries/Egg Hunting.md Normal file
View File

@ -0,0 +1,30 @@
# Egg Hunting
Egg Hunting can be applied if only a few chars are possible to use as shellcode.
A tag or egg is an already identified group of bytes in the binary the egg hunter
is trying to find.
## Accessing Virtual Address Space
Like [shakuganz](https://shakuganz.com/2021/07/14/hackthebox-hunting-write-up/) wrote about, ccessing unallocated memory can be done in the following way
```python
mem_addr = 0x5FFFFFFF
if access(mem_addr, 0) == 0x2f:
jump_to_next_page()
elif value_at(mem_addr) != egg:
mem_addr += 1
else:
print(mem_addr)
```
## Tools
Egg hunter can be found in pwntools' `pwnlib.shellcraft`
## Resources
* [hick.org](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf)
* [Chaudhary's blog](https://medium.com/@chaudharyaditya/slae-0x3-egg-hunter-shellcode-6fe367be2776)

9
Exploits/Binaries/Extract Opcode.md Normal file
View File

@ -0,0 +1,9 @@
# Extracting Opcode
## Extracting from ELF File
Extracting opcode from an ELF file can be done via the following way
```sh
objdump -d ./payload|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
```

8
Exploits/Binaries/References.md Normal file
View File

@ -0,0 +1,8 @@
# Binary Exploitation References
## Assembler
* [Online x86/x64 assembler](https://defuse.ca/online-x86-assembler.htm)
## Syscalls
* http://asm.sourceforge.net/intro/hello.html

27
Exploits/Binaries/Syscalls.md Normal file
View File

@ -0,0 +1,27 @@
# Syscalls
## General
* [Syscalls in different OSs](http://asm.sourceforge.net/intro/hello.html)
## Linux Syscalls
* First point of contact is `/usr/include/asm/unistd_32.h` and `/usr/include/asm/unistd_64.h`
Manfiles are
```
2 syscall
2 syscalls
```
### 32-Bit
* [paolostivanin's syscall-table-32bit](https://github.com/paolostivanin/syscall-table-32bit.git) also contains the link to [the overview](https://syscalls32.paolostivanin.com/)
### 64-Bit
* [Filippo.io's x64 syscall table](https://filippo.io/linux-syscall-table/)
### Others As Well
* [googlesource.com](https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md)

8
Exploits/Binaries/gdb CheatSheet.md Normal file
View File

@ -0,0 +1,8 @@
# GDB CheatSheet
## Cast a register value
* Cast the content of a register to char
```sh
p *(char **)$rax
```

30
Miscellaneous/Sigma Rules.md
View File

@ -1,30 +0,0 @@
# Sigma Rules
An abstracted yaml configuration setup which can be converted into multiple queries like Splunk, Kibana, Yara etc. ...
* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git)
## Fields
A minimal configuration should contain at least the following fields
* title
* id
* status
* description
* logsource
* detection
Additional fields may be
* falsePostivives
* levels
* tags
## Transform Modifiers
A detection selection can be refined through setting a pipe `|` followed by the modifier `contains`, `endswith`, `startswith` and `all`.
## Tools
* [sigma-cli](https://github.com/SigmaHQ/sigma-cli)
* [pySigma](https://github.com/SigmaHQ/pySigma)
* [Uncoder.io](https://uncoder.io/)

48
Miscellaneous/Threat Intelligence/Sigma Rules.md Normal file
View File

@ -0,0 +1,48 @@
# Sigma Rules
An abstracted yaml configuration setup as an universal notation format which can be converted into multiple queries like Splunk, Kibana, Yara etc. ...
* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git)
Specify IOC or troubleshooting issues in a data format that can be shared and versionized.
This specified configuration can be translated to multiple different tools as specific queries.
* [Rule Creation Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide)
## Fields
A minimal configuration should contain at least the following fields
* title
* id (UUID)
* status
* description
* logsource
* detection
* condition
Additional fields may be
* falsePositives
* levels
* tags
[![Sigma Fields](https://github.com/SigmaHQ/sigma/blob/master/images/Sigma_Schema.png?raw=true)](https://github.com/SigmaHQ/sigma/blob/master/images/Sigma_Schema.png?raw=true)
## Filters
Filter can be used to specify detection
```sh
File|endswith
CommandLine|contains
CommandLine|startswith
```
## Transform Modifiers
A detection selection can be refined through setting a pipe `|` followed by the modifier `contains`, `endswith`, `startswith` and `all`.
## Tools
* [sigma-cli](https://github.com/SigmaHQ/sigma-cli)
* [pySigma](https://github.com/SigmaHQ/pySigma)
* [Uncoder.io](https://uncoder.io/)
* [Sigmac](https://github.com/SigmaHQ/sigma/tree/8bb3379b6807610d61d29db1d76f5af4840b8208/tools)

6
Reverse Engineering/References.md
View File

@ -10,3 +10,9 @@
[scdbg](https://github.com/dzzie/SCDBG.git) [scdbg](https://github.com/dzzie/SCDBG.git)
## Automated Solver
* [angr](https://docs.angr.io) is a binary analysis tool and comes with an automated solver
```sh
pip install angr
```