
{% hint style="success" %}
AWS Hacking'i öğrenin ve pratik yapın:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Eğitim AWS Kırmızı Takım Uzmanı (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
GCP Hacking'i öğrenin ve pratik yapın: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Eğitim GCP Kırmızı Takım Uzmanı (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>HackTricks'i Destekleyin</summary>
* [**abonelik planlarını**](https://github.com/sponsors/carlospolop) kontrol edin!
* **Bize katılın** 💬 [**Discord grubuna**](https://discord.gg/hRep4RUj7f) veya [**telegram grubuna**](https://t.me/peass) veya **bizi** **Twitter'da** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)** takip edin.**
* **Hacking ipuçlarını paylaşmak için** [**HackTricks**](https://github.com/carlospolop/hacktricks) ve [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github reposuna PR gönderin.
</details>
{% endhint %}
[orijinal kod](https://github.com/OALabs/BlobRunner) içindeki tek değiştirilmiş satır 10. satırdır. Derlemek için sadece **Visual Studio Code'da bir C/C++ projesi oluşturun, kodu kopyalayıp yapıştırın ve derleyin**.
```c
#include <windows.h>
#ifdef _WIN64
#include <WinBase.h>
#endif

#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
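// MSVC C4996: the CRT "deprecated" warning for fopen/strcmp-style calls. They are
// used deliberately below, so the warning is silenced for this file.
#pragma warning(disable:4996)
// bool/true/false come from <stdbool.h> in the include block above; the hand-rolled
// "#define true 1 / #define false 0" of the original are no longer needed.

// NOTE(review): file-scope names beginning with '_' are reserved to the implementation
// in C; they are kept unchanged because banner() and main() refer to them.
static const char* const _version = "0.0.5";
// printf-style format string: its single %s receives _version (see banner()).
static const char* const _banner = " __________.__ ___. __________\n"
" \\______ \\ | ____\\_ |__\\______ \\__ __ ____ ____ ___________ \n"
" | | _/ | / _ \\| __ \\| _/ | \\/ \\ / \\_/ __ \\_ __ \\ \n"
" | | \\ |_( <_> ) \\_\\ \\ | \\ | / | \\ | \\ ___/| | \\/ \n"
" |______ /____/\\____/|___ /____|_ /____/|___| /___| /\\___ >__| \n"
" \\/ \\/ \\/ \\/ \\/ \\/ \n\n"
" %s \n\n";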
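/*
 * Clear the console and print the banner with the version string.
 *
 * system("cls") is a Windows console clear; its result is ignored because a
 * failed clear does not affect anything that follows. _banner is a file-scope
 * constant, so passing it as the format string is not a format-string hazard.
 * Fixes over the original: "(void)" makes this a real prototype and the
 * redundant trailing "return;" is gone.
 */
void banner(void) {
    (void)system("cls");
    printf(_banner, _version);
}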
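/*
 * Read inputfile_name into a freshly allocated executable region.
 *
 * The file is read into a heap buffer one byte larger than the file (the extra
 * byte is zero), a region of that size is obtained with VirtualAlloc, and the
 * buffer is copied into it. jit, offset and debug are accepted for interface
 * compatibility with the caller and are not used at this step.
 *
 * Fixes over the original: fseek/ftell/calloc/fread/VirtualAlloc results are
 * checked, the heap buffer is freed after the copy (it leaked), the trailing
 * byte is zeroed instead of being uninitialized heap data, the bare 0x3000/0x40
 * are the named MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE, and the
 * size/pointer format specifiers match their arguments.
 *
 * @return base of the allocated region, or NULL on any failure (a message is printed)
 */
LPVOID process_file(char* inputfile_name, bool jit, int offset, bool debug) {
    (void)jit;
    (void)offset;
    (void)debug;

    LPVOID lpvBase = NULL;
    char *buffer = NULL;
    long len = 0;
    unsigned long fileLen = 0;
    size_t allocLen = 0;
    size_t got = 0;

    FILE *file = fopen(inputfile_name, "rb");
    if (!file) {
        printf(" [!] Error: Unable to open %s\n", inputfile_name);
        return NULL;
    }
    printf(" [*] Reading file...\n");

    if (fseek(file, 0, SEEK_END) != 0) {
        printf(" [!] Error: Unable to seek in %s\n", inputfile_name);
        goto out_close;
    }
    len = ftell(file);
    if (len < 0) {
        printf(" [!] Error: Unable to determine size of %s\n", inputfile_name);
        goto out_close;
    }
    fileLen = (unsigned long)len;
    printf(" [*] File Size: 0x%04lx\n", fileLen);
    if (fseek(file, 0, SEEK_SET) != 0) {
        printf(" [!] Error: Unable to seek in %s\n", inputfile_name);
        goto out_close;
    }

    // One byte more than the file, as in the original; calloc keeps that byte zero.
    // The cast is kept so the listing also builds when compiled as C++.
    allocLen = (size_t)fileLen + 1;
    buffer = (char*)calloc(allocLen, 1);
    if (!buffer) {
        printf(" [!] Error: Unable to allocate %lu bytes\n", (unsigned long)allocLen);
        goto out_close;
    }
    got = fread(buffer, 1, fileLen, file);
    if (got != fileLen) {
        printf(" [!] Error: Short read (%lu of %lu bytes)\n", (unsigned long)got, fileLen);
        goto out_free;
    }

    printf(" [*] Allocating Memory...");
    lpvBase = VirtualAlloc(NULL, allocLen, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (lpvBase == NULL) {
        printf("\n [!] Error: VirtualAlloc failed (error %lu)\n", GetLastError());
        goto out_free;
    }
    printf(".Allocated!\n");
    printf(" [*] |-Base: %p\n", lpvBase);
    printf(" [*] Copying input data...\n");
    CopyMemory(lpvBase, buffer, allocLen);

out_free:
    free(buffer);
out_close:
    fclose(file);
    return lpvBase;
}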
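/*
 * Transfer control to the blob at base + offset.
 *
 * On x64 the blob runs on a new thread created suspended, so a debugger can be
 * pointed at the thread entry before it is resumed; on x86 control is
 * transferred with an inline jmp from this function.
 *
 * nopause == false : print msg and wait for a key before running.
 * nopause == true  : if jit is set, remove EXECUTE from the page holding
 *                    shell_entry so the first instruction fetch faults (the
 *                    "--jit" mode described in print_help); otherwise run at once.
 * debug is accepted for interface compatibility and is not used here.
 *
 * Fixes over the original: negative offsets are rejected, the thread start
 * address is cast to LPTHREAD_START_ROUTINE, CREATE_SUSPENDED replaces the bare
 * 0x4, VirtualProtect/ResumeThread results are checked, the thread handle is
 * closed once it is no longer needed, and pointers are printed with %p instead
 * of being truncated through (int).
 */
void execute(LPVOID base, int offset, bool nopause, bool jit, bool debug)
{
    (void)debug;

    if (offset < 0) {
        printf(" [!] Error: Negative offset %d\n", offset);
        return;
    }

    LPVOID shell_entry = (LPVOID)((UINT_PTR)base + (UINT_PTR)offset);
#ifdef _WIN64
    DWORD thread_id = 0;
    HANDLE thread_handle = NULL;
    const char msg[] = " [*] Navigate to the Thread Entry and set a breakpoint. Then press any key to resume the thread.\n";
#else
    const char msg[] = " [*] Navigate to the EP and set a breakpoint. Then press any key to jump to the shellcode.\n";
#endif

#ifdef _WIN64
    printf(" [*] Creating Suspended Thread...\n");
    thread_handle = CreateThread(
        NULL,                                 // default security attributes
        0,                                    // default stack size
        (LPTHREAD_START_ROUTINE)shell_entry,  // thread entry point
        NULL,                                 // no argument
        CREATE_SUSPENDED,                     // does not run until ResumeThread
        &thread_id);
    if (thread_handle == NULL) {
        printf(" [!] Error Creating thread (error %lu)...", GetLastError());
        return;
    }
    printf(" [*] Created Thread: [%lu]\n", thread_id);
    printf(" [*] Thread Entry: %p\n", shell_entry);
#endif

    if (!nopause) {
        printf("%s", msg);
        getchar();
    } else if (jit) {
        // Force an exception by making the page holding the first byte non-executable:
        // the first instruction fetch at shell_entry then faults, which is where an
        // attached debugger stops.
        DWORD oldp = 0;
        printf(" [*] Removing EXECUTE access to trigger exception...\n");
        if (!VirtualProtect(shell_entry, 1, PAGE_READWRITE, &oldp)) {
            // Without the fault there is nothing to stop on, so do not run unobserved.
            printf(" [!] Error: VirtualProtect failed (error %lu); not executing.\n", GetLastError());
#ifdef _WIN64
            CloseHandle(thread_handle);  // the thread stays suspended until the process exits
#endif
            return;
        }
    }

#ifdef _WIN64
    printf(" [*] Resuming Thread..\n");
    if (ResumeThread(thread_handle) == (DWORD)-1) {
        printf(" [!] Error: ResumeThread failed (error %lu)\n", GetLastError());
    }
    CloseHandle(thread_handle);  // releases only our handle; the thread keeps running
#else
    printf(" [*] Entry: %p\n", shell_entry);
    printf(" [*] Jumping to shellcode\n");
    __asm jmp shell_entry;
#endif
}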
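/*
 * Print usage. main() calls this only when no input file was given, which is
 * why the first line is an error message. Fixes over the original: "(void)"
 * prototype and the "alloacted" typo in the --jit line.
 * NOTE(review): --debug is parsed by main() but no code path in this file
 * reads the flag, so "Verbose logging" is not currently implemented.
 */
void print_help(void) {
    printf(" [!] Error: No file!\n\n");
    printf(" Required args: <inputfile>\n\n");
    printf(" Optional Args:\n");
    printf(" --offset <offset> The offset to jump into.\n");
    printf(" --nopause Don't pause before jumping to shellcode. Danger!!! \n");
    printf(" --jit Forces an exception by removing the EXECUTE permission from the allocated memory.\n");
    printf(" --debug Verbose logging.\n");
    printf(" --version Print version and exit.\n\n");
}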
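/*
 * Parse an --offset value. A "0x"/"0X" prefix selects hexadecimal, otherwise
 * decimal, as in the original (which called strtol in base 16 or 10 but never
 * checked the result).
 *
 * @param text  argument text
 * @param out   receives the parsed value on success
 * @return 0 on success, -1 if text is empty, has trailing characters, or is out of int range
 */
static int parse_offset(const char *text, int *out)
{
    int radix = (text[0] == '0' && (text[1] == 'x' || text[1] == 'X')) ? 16 : 10;
    char *end = NULL;
    errno = 0;
    long value = strtol(text, &end, radix);
    if (end == text || *end != '\0' || errno == ERANGE || value < INT_MIN || value > INT_MAX) {
        return -1;
    }
    *out = (int)value;
    return 0;
}

/*
 * Entry point: parse arguments, load the file into executable memory and run it.
 *
 * Argument handling follows the original with these fixes: "--offset" as the
 * last argument no longer reads argv[argc] (NULL), the offset value is
 * validated, and "--version" exits after printing, as print_help documents.
 *
 * @return 0 on success, -1 on usage or load errors
 */
int main(int argc, char* argv[])
{
    int offset = 0;
    bool nopause = false;
    bool debug = false;
    bool jit = false;

    banner();
    if (argc < 2) {
        print_help();
        return -1;
    }
    printf(" [*] Using file: %s \n", argv[1]);

    for (int i = 2; i < argc; i++) {
        const char *arg = argv[i];
        if (strcmp(arg, "--offset") == 0) {
            printf(" [*] Parsing offset...\n");
            if (i + 1 >= argc) {
                printf(" [!] Error: --offset requires a value\n");
                return -1;
            }
            i++;
            if (parse_offset(argv[i], &offset) != 0) {
                printf(" [!] Error: Invalid offset: %s\n", argv[i]);
                return -1;
            }
        } else if (strcmp(arg, "--nopause") == 0) {
            nopause = true;
        } else if (strcmp(arg, "--jit") == 0) {
            jit = true;
            nopause = true;  // --jit relies on the access fault in execute() instead of a manual pause
        } else if (strcmp(arg, "--debug") == 0) {
            debug = true;
        } else if (strcmp(arg, "--version") == 0) {
            printf("Version: %s\n", _version);
            return 0;
        } else {
            printf("[!] Warning: Unknown arg: %s\n", arg);
        }
    }

    LPVOID base = process_file(argv[1], jit, offset, debug);
    if (base == NULL) {
        printf(" [!] Exiting...");
        return -1;
    }
    printf(" [*] Using offset: 0x%08x\n", (unsigned)offset);
    execute(base, offset, nopause, jit, debug);
    printf("Pausing - Press any key to quit.\n");
    getchar();
    return 0;
}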
```
{% hint style="success" %}
AWS Hacking'i öğrenin ve pratik yapın:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Eğitim AWS Kırmızı Takım Uzmanı (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
GCP Hacking'i öğrenin ve pratik yapın: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Eğitim GCP Kırmızı Takım Uzmanı (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>HackTricks'i Destekleyin</summary>
* [**abonelik planlarını**](https://github.com/sponsors/carlospolop) kontrol edin!
* **Bize katılın** 💬 [**Discord grubuna**](https://discord.gg/hRep4RUj7f) veya [**telegram grubuna**](https://t.me/peass) veya **bizi** **Twitter'da** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)** takip edin.**
* **Hacking ipuçlarını paylaşmak için** [**HackTricks**](https://github.com/carlospolop/hacktricks) ve [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github reposuna PR gönderin.
</details>
{% endhint %}