πŸ”’
There are new articles available, click to refresh the page.
Today β€” 27 May 2022KitPloit - PenTest & Hacking Tools

Ransomware-Simulator - Ransomware Simulator Written In Golang


The goal of this repository is to provide a simple, harmless way to check your AV's protection on ransomware.

This tool simulates typical ransomware behaviour, such as:

  • Staging from a Word document macro
  • Deleting Volume Shadow Copies
  • Encrypting documents (embedded and dropped by the simulator into a new folder)
  • Dropping a ransomware note to the user's desktop

The ransomware simulator takes no action that actually encrypts pre-existing files on the device, or deletes Volume Shadow Copies. However, any AV products looking for such behaviour should still hopefully trigger.

Each step, as listed above, can also be disabled via a command line flag. This allows you to check responses to later steps as well, even if an AV already detects earlier steps.


Usage

Run command:
Run Ransomware Simulator

Usage:
ransomware-simulator run [flags]

Flags:
--dir string Directory where files that will be encrypted should be staged (default "./encrypted-files")
--disable-file-encryption Don't simulate document encryption
--disable-macro-simulation Don't simulate start from a macro by building the following process chain: winword.exe -> cmd.exe -> ransomware-simulator.exe
--disable-note-drop Don't drop pseudo ransomware note
--disable-shadow-copy-deletion Don't simulate volume shadow copy deletion
-h, --help help for run
--note-location string Ransomware note location (default "C:\\Users\\neo\\Desktop\\ransomware-simulator-note.txt")



Yesterday β€” 26 May 2022KitPloit - PenTest & Hacking Tools

Pocsploit - A Lightweight, Flexible And Novel Open Source Poc Verification Framework


pocsploit is a lightweight, flexible and novel open source poc verification framework

Pain points of the POC framework in the market

  1. There are too many params, I don't know how to get started, but only some of them are commonly used.
  2. YAML poc framework(like nuclei & xray) is not flexible enough. the conversion cost is very high when writing poc. Sometimes it's hard when encountering non-http protocols. (only hex can be used)
  3. Sometimes POC has false positives, which can be avoided by accurate fingerprint matching.
  4. It is heavily dependent on the framework. Poc in pocsploit can be used in the framework and can also be used alone.

Advantages of pocsploit

  1. Lighter, does not depend on the framework, a single poc can run
  2. Easier to rewrite Poc
  3. More flexible (compared to nuclei, xray, goby, etc.)
  4. Fewer false positives, providing fingerprint prerequisite judgment, you can first judge whether the site has the fingerprint of a certain component, and then perform POC verification, which is more accurate
  5. There are many ways to use, providing poc / exp
  6. Detailed vulnerability information display
  7. Poc ecological sustainability: I will continue to update the Poc to modules/, and welcome everyone to join us Contribute Poc

Encountered code/poc issues, please Submit issue

Poc Statistics

cve cnnvd others
345 7 102

Usage

Install requirements

pip3 install -r requirements.txt
  • poc to verify single website
python3 pocsploit.py -iS "http://xxxx/" -r "modules/" -t 100 --poc
  • specific poc
python3 pocslpoit.py -iS "http://xxxxx" -r "modules/vulnerabilities/thinkphp/thinkphp-5022-rce.py" --poc
  • exp to exploit many websites (with urls in a file)
python3 pocslpoit.py -iF "urls.txt" -r "modules/vulnerabilities/" --exp
  • Turn on fingerprint pre-verification, verify the fingerprint first, and then enter the poc verification after matching
python3 pocslpoit.py -iS "http://xxxxx" -r "modules/vulnerabilities/thinkphp/thinkphp-5022-rce.py" --poc --fp
  • Output to file & console quiet mode
python3 pocslpoit.py -iS "http://xxxx" -r "modules/vulnerabilities/" --poc -o result/result.log -q
  • Other Usage
python3 pocsploit.py --help



others

OOB

Please config conf/config.py

P.S. How to build your own DNSLog,please visit Hyuga-DNSLog

  • DNSLOG_URI: DNSLog Address
  • DNSLOG_TOKEN: Token
  • DNSLOG_IDENTIFY: your identity


FindFunc - Advanced Filtering/Finding of Functions in IDA Pro


FindFunc is an IDA Pro plugin to find code functions that contain a certain assembly or byte pattern, reference a certain name or string, or conform to various other constraints. This is not a competitor to tools like Diaphora or BinNavi, but it is ideal to find a known function in a new binary for cases where classical bindiffing fails.


Filtering with Rules

The main functionality of FindFunc is letting the user specify a set of "Rules" or constraints that a code function in IDA Pro has to satisfy. FF will then find and list all functions that satisfy ALL rules (so currently all Rules are in an AND-conjunction). Exception: Rules can be "inverted" to be negative matches. Such rules thus conform to "AND NOT".

FF will schedule the rules in a smart order to minimize processing time. Feature overview:

  • Currently 6 Rules available, see below
  • Code matching respects Addressing-Size-Prefix and Operand-Size-Prefix
  • Aware of function chunks
  • Smart scheduling of rules for performance
  • Saving/Loading rules from/to file in simple ascii format
  • Several independent Tabs for experimentation
  • Copying rules between Tabs via clipboard (same format as file format)
  • Saving entire session (all tabs) to file
  • Advanced copying of instruction bytes (all, opcodes only, all except immediates)

Button "Search Functions" clears existing results and starts a fresh search, "Refine Results" considers only results of the previous search.

Advanced Binary Copying

A secondary feature of FF is the option to copy binary representation of instructions with the following options:

  • copy all -> copy all bytes to the clipboard
  • copy without immediates -> blank out (AA ?? BB) any immediate values in the instruction bytes
  • opcode only -> will blank out everything except the actual opcode(s) of the instruction (and prefixes)

See "advanced copying" section below for details. This feature nicely complements the Byte Pattern rule!

Building and Installation

FindFunc is an IDA Pro python plugin without external package dependencies. It can be installed by downloading the repository and copying file findfuncmain.py and folder findfunc to your IDA Pro plugin directory. No building is required.

Requirements: IDA Pro 7.x (7.6+) with python3 environment. FindFunc is designed for x86/x64 architecture only. It has been tested with IDA 7.6/7.7, python 3.9 and IDAPython 7.4.0 on Windows 10.

Available Rules

Currently the following six rules are available. They are sorted here from heavy to light with regard to performance impact. With large databases it is a good idea to first cut down the candidate-functions with a cheap rule, before doing heavy matching via e.g. Code Rules. FF will automatically schedule rules in a smart way.

Code Pattern

Rule for filtering function based on them containing a given assembly code snippet. This is NOT a text-search for IDAs textual disassembly representation, but rather performs advanced matching of the underlying instruction. The snippet may contain many consecutive instructions, one per line. Function chunks are supported. Supports special wildcard matching, in addition to literal assembly:

  • "pass" -> matches any instruction with any operands
  • "mov* any,any" -> matches instructions with mnemonic "mov*" (e.g. mov, movzx, ...) and any two arguments.
  • "mov eax, r32" -> matches any instruction with mnemonic "mov", first operand register eax and second operand any 32-bit register.
    • Analogue: r for any register, r8/r16/r32/r64 for register of a specific width, "imm" for any immediate
  • "mov r64, imm" -> matches any move of a constant to a 64bit register
  • "any r64,r64" -> matches any operation between two 64bit registers
  • mov -> matches any instruction of mov mnemonic

more examples:

mov r64, [r32 * 8 + 0x100]
mov r, [r * 8 - 0x100]
mov r64, [r32 * 8 + imm]
pass
mov r, word [eax + r32 * 8 - 0x100]
any r64, r64
push imm
push any

Gotchas: Be careful when copying over assembly from IDA. IDA mingles local variable names and other information into the instruction which leads to matching failure. Also, labels are not supported ("call sub_123456").

Note that Code Patterns is the most expensive Rule, and if only Code Rules are present FF has no option but to disassemble the entire database. This can take up to several minutes for very large binaries. See notes on performance below.

Immediate Value (Constant)

The function must contain the given immediate at least once in any position. An immediate value is a value fixed in the binary representation of the instruction. Examples for instructions matching immediate value 0x100:

mov eax, 0x100
mov eax, [0x100]
and al, [eax + ebx*8 + 0x100]
push 0x100

Note: IDA performs extensive matching of any size and any position of the immediate. If you know it to be of a specific width of 4 or 8 bytes, a byte pattern can be a little faster.

Byte Pattern

The function must contain the given byte pattern at least once. The pattern is of the same format as IDAs binary search, and thus supports wildcards - the perfect match for the advanced-copy feature!

Examples:

11 22 33 44 aa bb cc
11 22 33 ?? ?? bb cc -> ?? can be any byte

Note: Pattern matching is quiet fast and a good candidate to cut down matches quickly!

String Reference

The function must reference the given string at least once. The string is matched according to pythons 'fnmatch' module, and thus supports wildcard-like matching. Matching is performed case-insensitive. Strings of the following formats are considered: [idaapi.STRTYPE_C, idaapi.STRTYPE_C_16] (this can be changed in the Config class).

Examples:

  • "TestString" -> function must reference the exact string (casing ignored) at least once
  • "TestStr*" -> function must reference a string starting with 'TestStr (e.g. TestString, TestStrong) at least once (casing ignored)

Note: String matching is fast and a good choice to cut down candidates quickly!

Name Reference

The function must reference the given name/label at least once. The name/label is matched according to pythons 'fnmatch' module, and thus supports wildcard-like matching. Matching is performed case-insensitive.

Examples:

  • "memset" -> function must reference a location named "memset" at least once
  • "mem*" -> function must reference a location starting with "mem" (memset, memcpy, memcmp) at least once

Note: Name matching is very fast and ideal to cut down candidates quickly!

Function Size

The size of the function must be within the given limit: "min <= functionsize <= max". Data is entered as a string of the form "min,max". The size of a function includes all of its chunks.

Note: Function size matching is very fast and ideal to cut down candidates quickly!

Keyboard Shortcuts & GUI

For ease of use FF can be used via the following keyboard shortcuts:

  • Ctrl+Alt+F -> launch/show TabWidget (main GUI)
    • Or View->FindFunc
  • Ctrl+F -> start search with currently enabled rules
  • Ctrl+R -> refine existing results with currently enabled rules
  • Rules
    • Ctrl+C -> copy selected rules to clipboard
    • Ctrl+V -> paste rules from clipboard into current tab (appends)
    • Ctrl+S -> save selected rules to file
    • Ctrl+L -> load selected rules from file (appends)
    • Ctrl+A -> select all rules
    • Del -> delete selected rules
  • Save Session
    • Ctrl+Shift+S -> Save session to file
    • Ctrl+Shift+L -> Load session from file

Further GUI usage

  • Rules can be edited by double-clicking the Data column
  • Rules can be inverted (negative match) by double-clicking the invert-match column
  • Rules can be enabled/disabled by double-clicking the enabled-column
  • Tabs can be renamed by double-clicking them
  • Sorting is supported both for Rule-List and Result-List
  • Double-click Result item to jump to it in IDA
    • function name: jump to function start
    • any other column: jump to match of last matched rule
  • Checkbox Profile: Outputs profiling information for the search
  • Checkbox Debug: Dumps detailed debugging output for code rule matching - only use it if few functions make it to the code checking rule, otherwise it might take very long!

Advanced Binary Copy

Frequently we want to search for binary patterns of assembly, but without hardcoded addresses and values (immediates), or even only the actual opcodes of the instruction. FindFunc makes this easy by adding three copy options to the disassembly-popupmenu:

Copy all bytes

Copies all instruction bytes as hex-string to clipboard, for use in a Byte-Pattern-Rule (or IDAs binary search).

B8 44332211      mov eax,11223344
68 00000001 push 1000000
66:894424 70 mov word ptr ss:[esp+70],ax

will be copied as

b8 44 33 22 11 68 00 00 00 01 66 89 44 24 70

Copy only non-immediate bytes

Copies instruction bytes for given instruction, masking out any immediate values. Example:

B8 44332211      mov eax,11223344
68 00000001 push 1000000
66:894424 70 mov word ptr ss:[esp+70],ax

will be copied as

b8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 66 89 44 24 ??

Copy only opcodes

Copy all instruction bytes as hex-string to clipboard, masking out any bytes that are not the actual opcode (including sib, modrm, but keeping legacy prefixes).

B8 44332211      mov eax,11223344
68 00000001 push 1000000
66:894424 70 mov word ptr ss:[esp+70],ax

will be copied as

b8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 66 89 ?? ?? ??

Note: This is a "best effort" using IDAs API, thus there may be few cases where it only works partially. For a 100% correct solution we would have to ship a dedicated x86 disasm library.

Similar results can be achieved with Code Pattern Rules, but this might be faster, both for user interaction and the actual search.

Copy disasm

Copies selected disassembly to clipboard, as it appears in IDA.

Performance

A brief word on performance:

  1. name, string, funcsize are almost free in all cases
  2. bytepattern is almost free for patterns length > 2
  3. immediate is difficult: We can use idaapi search, or we can disassemble the entire database and search ourselves - we may have to do this anyways if we are looking for code patterns. BUT: scanning for code patterns is in fact much cheaper than scanning for an immediate. An api-search for all matches is relatively costly - about 1/8 as costly as disassembling the entire database. So: If we cut down matches with cheap rules first, then we greatly profit from disassembling the remaining functions and looking for the immediate ourselves, especially if a code-rule is present anyways. However: If no cheap options exist and we have to disassemble large parts of the database anyways (due to presence of code pattern rules), then using one immediate rule as a pre-filter can greatly pay off. api-searching ONE immediate is roughly equivalent to 1/8 searching for any number of code-pattern rules - although this also depends on many different factors...
  4. code pattern are the most expensive by far, however checking one pattern vs checking many is very similar.

Todo (unordered):

  • jcc pseudo-mnemonic
  • Allow named locations in CodeRules ('call memset')
  • 'ignore all following operands' option
  • Rule for parameters to API calls inside function
  • Rule for parent/callsite/child function requirements
  • Rule for function parameters
  • Regex-rule
  • string/name: casing option
  • automatically convert immediate rules to byte pattern if applicable?
  • settings: case sensitivity, string types, range, ...
  • Hexray rules?
  • OR combination of rules
  • Pythonification of code ;)
  • Parallelization
  • Automatic generation of rules to identify a function?


  • There are no more articles
❌