Decompiled (Hex-Rays) routine that enables SeDebugPrivilege on the current process:

```c
int Adjust_Privilege_Func()
{
  int v0; int v1; int v2; int v4; char v5; int v6; int v7;

  v0 = 0;
  v1 = GetCurrentProcess(0x20);              // decompiler artifact: GetCurrentProcess takes no arguments; the 0x20
                                             // is almost certainly OpenProcessToken's DesiredAccess (TOKEN_ADJUST_PRIVILEGES),
                                             // which is why v2 below is never assigned
  if ( OpenProcessToken(v1, v2, &v7) )
  {
    v4 = 1;                                  // TOKEN_PRIVILEGES.PrivilegeCount = 1; v4/v5/v6 are one 16-byte struct
    if ( LookupPrivilegeValueW(0, L"SeDebugPrivilege", &v5) )// resolves the LUID of SeDebugPrivilege into v5;
                                                             // it does not check that the process holds the privilege
    {
      v6 = 2;                                // Attributes = SE_PRIVILEGE_ENABLED
      v0 = AdjustTokenPrivileges(v7, 0, &v4, 16, 0, 0);// Enable SeDebugPrivilege; 16 == sizeof(TOKEN_PRIVILEGES)
    }
    CloseH..
```
Source: http://blog.daum.net/aswip/8429343

```c
#include <windows.h>
#include
#include <shlobj.h>                 // for IsUserAnAdmin() function.
#pragma comment(lib, "shell32.lib") // for IsUserAnAdmin() function.

BOOL GetProcessElevation(TOKEN_ELEVATION_TYPE *pElevationType, BOOL *pIsAdmin)..
```
Checking whether the process runs as SYSTEM (Hex-Rays pseudocode; the caller passes the process handle in `this`):

```c
signed int __thiscall Check_ProcessSID(void *this)
{
  Flag = 0;
  hToken = 0;
  if ( OpenProcessToken(this, 8, &hToken) )                  // 8 = TOKEN_QUERY
  {
    v5 = 0x44;                                               // 0x44 = SECURITY_MAX_SID_SIZE (68)
    if ( CreateWellKnownSid(22, 0, &SystemSID_INFO, &v5) )// 22 : WinLocalSystemSid (S-1-5-18)
    {
      v7 = 0;
      GetTokenInformation(hToken, 1, 0);                     // 1 = TokenUser; this first call only probes the needed size
                                                             // (the decompiler shows three of the five arguments)
      if ( GetLastError() == 122 )                           // 122 = ERROR_INSUFFICIENT_BUFFER
      {
        LocalMem_Var = HeapAlloc(dword_405048); // Get loc..
```
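The three decompiled routines above (enable SeDebugPrivilege, read the token elevation type, compare the token user with the LocalSystem SID) can be reproduced from an interactive shell to check what a sample is testing for. The PowerShell below is an added example, not code from the original posts or from blog.daum.net/aswip. The class `TokenNative` and the function names are mine; it assumes Windows PowerShell 5.1 or later, and `Enable-SeDebugPrivilege` only succeeds from an elevated prompt.

```powershell
# Added example (not from the original posts). Assumes Windows PowerShell 5.1+.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    // One-entry TOKEN_PRIVILEGES: 4 + 8 + 4 = 16 bytes, the BufferLength of 16
    // passed in Adjust_Privilege_Func.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    public const uint TOKEN_QUERY             = 0x0008;
    public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    public const uint SE_PRIVILEGE_ENABLED    = 0x0002;
    public const int  ERROR_NOT_ALL_ASSIGNED  = 1300;
    public const int  TokenElevationType      = 18;   // TOKEN_INFORMATION_CLASS

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges,
        ref TOKEN_PRIVILEGES NewState, uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        out int TokenInformation, int TokenInformationLength, out int ReturnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

function Get-CurrentTokenHandle {
    param([uint32]$Access)
    $hToken = [IntPtr]::Zero
    $hProc  = [System.Diagnostics.Process]::GetCurrentProcess().Handle
    if (-not [TokenNative]::OpenProcessToken($hProc, $Access, [ref]$hToken)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $hToken
}

function Test-IsLocalSystem {
    # Equivalent of Check_ProcessSID: CreateWellKnownSid(WinLocalSystemSid) + EqualSid
    # against the token's TokenUser, done through .NET.
    $user   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $system = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
    return $user.Equals($system)
}

function Get-TokenElevationType {
    # GetProcessElevation queries TokenElevationType: 1 = Default (no UAC split),
    # 2 = Full (elevated admin), 3 = Limited (filtered token).
    $hToken = Get-CurrentTokenHandle -Access ([TokenNative]::TOKEN_QUERY)
    try {
        $type = 0; $len = 0
        if (-not [TokenNative]::GetTokenInformation($hToken, [TokenNative]::TokenElevationType, [ref]$type, 4, [ref]$len)) {
            throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        switch ($type) { 1 { 'Default' } 2 { 'Full' } 3 { 'Limited' } default { "Unknown($type)" } }
    } finally { [void][TokenNative]::CloseHandle($hToken) }
}

function Enable-SeDebugPrivilege {
    $hToken = Get-CurrentTokenHandle -Access ([TokenNative]::TOKEN_ADJUST_PRIVILEGES -bor [TokenNative]::TOKEN_QUERY)
    try {
        $luid = New-Object -TypeName 'TokenNative+LUID'
        if (-not [TokenNative]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)) {
            throw "LookupPrivilegeValue failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        $tp = New-Object -TypeName 'TokenNative+TOKEN_PRIVILEGES'
        $tp.PrivilegeCount = 1                                   # v4 = 1
        $tp.Luid           = $luid                               # v5
        $tp.Attributes     = [TokenNative]::SE_PRIVILEGE_ENABLED # v6 = 2
        $ok  = [TokenNative]::AdjustTokenPrivileges($hToken, $false, [ref]$tp, 16, [IntPtr]::Zero, [IntPtr]::Zero)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        # AdjustTokenPrivileges returns TRUE even when the token does not hold the
        # privilege; only GetLastError() == ERROR_NOT_ALL_ASSIGNED reveals that. The
        # decompiled routine above skips this check.
        return ($ok -and $err -ne [TokenNative]::ERROR_NOT_ALL_ASSIGNED)
    } finally { [void][TokenNative]::CloseHandle($hToken) }
}

"LocalSystem  : $(Test-IsLocalSystem)"
"ElevationType: $(Get-TokenElevationType)"
"SeDebug set  : $(Enable-SeDebugPrivilege)"
```

From a non-elevated shell `Enable-SeDebugPrivilege` returns `$false` with `ElevationType: Limited`; from an elevated one it returns `$true`, which `whoami /priv` confirms by listing SeDebugPrivilege as Enabled.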
Native system calls and the kernel routines that implement them:

Object | User mode | Kernel mode
---|---|---
Processes | NtTerminateProcess | PsTerminateProcess / PspTerminateProcess
Processes | NtOpenProcess | PsLookupProcessByProcessId, ObOpenObjectByPointer
Threads | NtTerminateThread | PspTerminateThreadByPointer
Threads | NtOpenThread | PsLookupThreadByThreadId, ObOpenObjectByPointer
Threads | NtGetContextThread | PsGetContextThread
Threads | NtSetContextThread | PsSetContextThread
Virtual memory | .. | ..
Win32 process API and the native API underneath it:

Win32 | Native API
---|---
OpenProcess | NtOpenProcess
TerminateProcess | NtTerminateProcess
CreateProcess | NtCreateProcess(Ex) / NtCreateUserProcess, RtlCreateUserProcess
GetProcessId | NtQueryInformationProcess (ProcessBasicInformation)
ExitProcess | RtlExitUserProcess (Windows Vista and later)
GetPriorityClass | NtQueryInformationProcess (ProcessPriorityClass)
SetPriorityClass | NtSetInformationProcess (Proce..
SHFileOperation, `wFunc` (type: UINT): a value that indicates which operation to perform. One of the following:

- FO_COPY: Copy the files specified in the pFrom member to the location specified in the pTo member.
- FO_DELETE: Delete the files specified in pFrom.
- FO_MOVE: Move the files specified in pFrom to the location specified in pTo.
- FO_RENAME: Rename the file specified in pFrom. You cannot use thi..
# SHGetFolderPath

Source: http://msdn.microsoft.com/library/en-us/shellcc/platform/shell/reference/enums/csidl.asp

CSIDL values provide a unique, system-independent way to identify special folders that applications use frequently but which may not have the same name or location on every system. For example, the system folder may be "C:\Windows" on one system and "C:\Winnt" on another. These cons..
To work on a file whose permissions have to be changed, first take ownership of it from a cmd.exe shell with the command below, then proceed:

```cmd
takeown /f "path" && icacls "path" /grant administrators:F
```

`takeown /f` assigns ownership to the current user; add `/a` to give it to the Administrators group instead. Run it from an elevated prompt, since taking ownership of a file you have no WRITE_OWNER access to relies on SeTakeOwnershipPrivilege.
Input: URL; output: IP. Obtain the IP address that corresponds to the URL with a DNS query. A DNS query resolves a host name, so the host part has to be extracted from the URL first; the URL itself, with scheme, port or path, is not a resolvable name.
MoveFileEx with "MOVEFILE_DELAY_UNTIL_REBOOT": a useful flag that defers a file rename or deletion until the computer restarts. From the documentation: If dwFlags specifies MOVEFILE_DELAY_UNTIL_REBOOT and lpNewFileName is NULL, MoveFileEx registers the lpExistingFileName file to be deleted when the system restarts. If lpExistingFileName refers to a directory, the system removes the directory at restart only if the directory is empty. In short: delete after reboot.

The request is recorded as a (source, destination) pair in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, so the caller has to run as an administrator or LocalSystem, and that value is the place to look when a sample removes its own binary on the next restart.
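The delete-at-reboot case described above, and the registry value it leaves behind, as an added PowerShell example that is not part of the original post. The class `MoveNative` and the function names are mine; registering a file requires an elevated shell because the request is written under HKLM, while the parser runs offline on the constructed sample entries included below.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1+;
# Register-DeleteOnReboot needs an elevated shell.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class MoveNative {
    public const int MOVEFILE_DELAY_UNTIL_REBOOT = 0x4;
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
}
"@

$PendingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Register-DeleteOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    # NULL new name + MOVEFILE_DELAY_UNTIL_REBOOT: delete at the next restart.
    if (-not [MoveNative]::MoveFileEx($Path, $null, [MoveNative]::MOVEFILE_DELAY_UNTIL_REBOOT)) {
        throw "MoveFileEx failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
}

function ConvertFrom-PendingFileRenameOperations {
    param([string[]]$Entries)
    # The REG_MULTI_SZ value is a flat list of (source, destination) pairs. An empty
    # destination means delete. Paths carry the NT "\??\" prefix; a destination that
    # starts with "!" was queued with MOVEFILE_REPLACE_EXISTING.
    $prefix = '^!?\\\?\?\\'
    for ($i = 0; $i + 1 -lt $Entries.Count; $i += 2) {
        $dst = $Entries[$i + 1]
        [pscustomobject]@{
            Operation   = $(if ($dst) { 'Rename' } else { 'Delete' })
            Source      = $Entries[$i] -replace $prefix, ''
            Destination = $(if ($dst) { $dst -replace $prefix, '' } else { $null })
        }
    }
}

function Get-PendingFileRenameOperations {
    # Reads the live queue; returns nothing if no operation is pending.
    $v = (Get-ItemProperty -Path $PendingKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($v) { ConvertFrom-PendingFileRenameOperations -Entries $v }
}

# Constructed sample of what the value looks like after a self-deleting sample and
# a replace-on-reboot update have both queued work (offline, no registry access):
$sample = @('\??\C:\Users\Public\dropper.exe', '', '\??\C:\Temp\update.tmp', '!\??\C:\Program Files\App\app.exe')
ConvertFrom-PendingFileRenameOperations -Entries $sample | Format-Table -AutoSize

# Live demonstration (elevated shell): queue a scratch file and show the real queue.
$scratch = Join-Path $env:TEMP ('delay-' + [guid]::NewGuid().ToString() + '.tmp')
Set-Content -Path $scratch -Value 'scratch'
Register-DeleteOnReboot -Path $scratch
Get-PendingFileRenameOperations | Format-Table -AutoSize
```

The constructed sample parses to a Delete of dropper.exe and a Rename of update.tmp over app.exe; on a live system the scratch file appears as a Delete entry until the next reboot, when Session Manager processes the list and clears the value.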