NoteZ
NoteZ copied to clipboard
jmpews
notebook base on github issue
## Prologue Somniloquy ## Refer ``` https://www.pediy.com/kssd/pediy12/141453.html ``` #### 0x01.MBR 阶段 主MBR加载 `WinNT4-master/private/ntos/boot/bootcode/mbr/i386/x86mboot.asm`. 主要作用是, 判断校验分区类型, 并加载 `WinNT4-master/private/ntos/boot/bootcode/fat/i386/fatboot.asm` 或 `WinNT4-master/private/ntos/boot/bootcode/ntfs/i386/ntfsboot.asm` 特定分区类型(only 1 sector)的 MBR 至 0x7c00 继续运行. 这里具体的流程的是首先由 BIOS 加载 `x86mboot.asm`...
## Prologue Somniloquy ## Common Command ``` # enter Virtual Mode V ``` ``` # hexdump px 0x20 @0x1234 ```
## Prologue Somniloquy ## Refer ``` https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/overview-of-windows-components ``` ## Detail **>> the major internal components of the Windows operating system**  **>> divides kernel-mode drivers into several types** 
## 恶意软件分析Blog ``` http://artemonsecurity.blogspot.com/?view=classic http://www.msreverseengineering.com/blog/ ``` ## 恶意软件分析 ``` // 分析旺旺客户端 https://mp.weixin.qq.com/s/xN5PWk2dK8XmhYiQEmj6Dw // 高质量干货分析 finfisher. https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/ // 高质量干货分析 finfisher. https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf ``` ## Windows Kernel Technique ``` http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf ```
## Prologue Somniloquy ## WinDBG Debug #### Refer ``` https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/d--da--db--dc--dd--dd--df--dp--dq--du--dw--dw--dyb--dyd--display-memor http://www.windbg.info/doc/1-common-cmds.html ```
## Prologue Somnilquy ## Refer #### Tutorial ``` https://www.fuzzysecurity.com/tutorials.html https://hshrzd.wordpress.com/2017/06/05/starting-with-windows-kernel-exploitation-part-2/ http://drops.xmd5.com/static/drops/tips-6225.html ```
## Prologue Somniliquy ## Refer ``` // get start https://rise4fun.com/z3/tutorial/guide // syscan360 paper with practical use https://www.syscan360.org/slides/2014_EN_ProgramAnalysisAndConstraintSolvers_EdgarBarbosa.pdf // cn version [2014_ZH_ProgramAnalysisAndConstraintSolvers_EdgarBarbosa.pdf](https://github.com/jmpews/NoteZ/files/1783422/2014_ZH_ProgramAnalysisAndConstraintSolvers_EdgarBarbosa.pdf) ``` ## Barf Binary Analysis **x86 -> REIL ->...
## Prologue [Detours](https://github.com/jmpews/Detours-mirror), 微软开源的 Inlinehook Framework. Somniloquy ## Build 使用 nmake 编译, 编译前使用 `Microsoft_Visual_Studio_2017\VC\Auxiliary\Build\vcvars32.bat` 初始化下 x86 的环境变量, 之后直接切入到 `src\`, nmake 即可. ## Key Function #### `DetourCreateProcessWithDllExW` 创建进程并注入 detours.dll. **step by...
## Prologue hmmmm... Somniloquy ## Reverse Tools ``` // x64dbg https://x64dbg.com/#start https://github.com/x64dbg/x64dbg // Cheat Engine http://www.cheatengine.org/ https://github.com/cheat-engine/cheat-engine/ ``` ## Game Engine ## Game Platform #### Steam ``` http://pcgamingwiki.com/wiki/User:Cyanic/Steam_DRM https://github.com/atom0s/Steamless ```...
## Prologue 记录在使用 Bochs 调试的心得 建议安装 [cmder](http://cmder.net/), 避免复杂安装 dd 等. ## References ``` http://bochs.sourceforge.net/ http://thestarman.pcministry.com/asm/bochs/bochsdbg.html http://bochs.sourceforge.net/doc/docbook/user/index.html https://www.hex-rays.com/products/ida/support/tutorials/debugging_bochs.pdf ``` ## Smnoliquy 需要先 `bximage.exe` 创建一个 img.  创建一个 bochs 的配置文件, 样例文件可以参考, 安装目录下的...