├── .github └── FUNDING.yml ├── .gitignore ├── Assembly └── learning_assembly_series │ ├── README.md │ ├── build.bat │ ├── template.asm │ ├── windbg.asm │ ├── windbg01.out │ └── windbg01.run ├── C++ Objects ├── 1_basic_class.cpp ├── 2_class_virtual_functions.cpp ├── 3_class_virtual_nonvirtual.cpp ├── 4_class_inheritance.cpp ├── 5_class_polymorphism.cpp ├── 6_multiple_inheritance.cpp ├── README.md └── binaries │ ├── 1_basic_class.exe │ ├── 2_class_virtual_functions.exe │ ├── 3_class_virtual_nonvirtual.exe │ ├── 4_class_inheritance.exe │ ├── 5_class_polymorphism.exe │ ├── 6_multiple_inheritance.exe │ └── HASHES.txt ├── Calling Conventions ├── binaries │ ├── HASHES.txt │ ├── cdecl.exe │ ├── fastcall.exe │ └── stdcall.exe ├── cdecl.c ├── fastcall.c └── stdcall.c ├── Control Structures ├── arrays.c ├── binaries │ ├── HASHES.txt │ ├── arrays.exe │ ├── environment.exe │ ├── if-statement.exe │ ├── loops.exe │ ├── nested-if.exe │ ├── pointers.exe │ ├── pointers_malloc.exe │ ├── simple_password.exe │ ├── stack-intro.exe │ ├── string_manipulation.exe │ ├── struct_members.exe │ ├── structs.exe │ └── switch.exe ├── environment.c ├── if-statement.c ├── loops.c ├── nested-if.c ├── pointers.c ├── pointers_malloc.c ├── simple_password.c ├── stack-intro.c ├── string_manipulation.cpp ├── struct_members.c ├── structs.c └── switch.c ├── Exploitation ├── basic_buffer_overflow.c ├── binaries │ ├── HASHES.txt │ ├── basic_buffer_overflow.exe │ ├── buffer_overflow_walkthrough.exe │ └── classic_stack_buffer_overflow.exe ├── buffer_overflow_walkthrough.c └── classic_stack_buffer_overflow.c ├── Exploring PE Files ├── binaries │ ├── HASHES.txt │ ├── forwarded_export.exe │ └── import_tables.exe ├── forwarded_export.c └── import_tables.c ├── README.md └── Windows Internals ├── binaries ├── HASHES.txt └── demo_peb.exe ├── demo_peb.c └── structured_exception_handling ├── README.md └── custom_seh.c /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | patreon: JoshStroschein 4 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # General 2 | .DS_Store 3 | .AppleDouble 4 | .LSOverride 5 | 6 | # Icon must end with two \r 7 | Icon 8 | 9 | # Thumbnails 10 | ._* 11 | 12 | # Files that might appear in the root of a volume 13 | .DocumentRevisions-V100 14 | .fseventsd 15 | .Spotlight-V100 16 | .TemporaryItems 17 | .Trashes 18 | .VolumeIcon.icns 19 | .com.apple.timemachine.donotpresent 20 | 21 | # Directories potentially created on remote AFP share 22 | .AppleDB 23 | .AppleDesktop 24 | Network Trash Folder 25 | Temporary Items 26 | .apdisk 27 | -------------------------------------------------------------------------------- /Assembly/learning_assembly_series/README.md: -------------------------------------------------------------------------------- 1 | # Learning Assembly Series 2 | 3 | These files are designed to help with following with the `PC Assembly Book` authored by Dr Paul Carter - [https://pacman128.github.io/pcasm/](https://pacman128.github.io/pcasm/). I've also created a series of videos that roughly follow the book, you can find that playlist on YouTube. 4 | 5 | ▶️ [Learning Assembly videos on YouTube](https://www.youtube.com/playlist?list=PLHJns8WZXCdvESvdr1BRjo4RHiR1Ylhw9) 6 | 7 | The following files are used to assemble programs: 8 | 9 | - **build.bat:** Provides the commands to assemble `.asm` files and compile with `cl`. This script also produces debug symbols to aid in debugging in WinDbg. 10 | - **template.asm:** A template to use to create your own assembly programs and use `build.bat` to assemble. 11 | - **windbg.asm:** A sample program used to demonstrate Time-Travel Debugging (TTD) in WinDbg. The video can be found at TBD. 12 | - **windbg01.out/run:** TTD traces from the video at TBD. 13 | 14 | -------------------------------------------------------------------------------- /Assembly/learning_assembly_series/build.bat: -------------------------------------------------------------------------------- 1 | :: This script helps to assemble and compile ASM source code using 2 | :: a driver program. If you need to assemble any additional files, 3 | :: uncomment the NASM command, providing the ASM file as input. 4 | 5 | @echo off 6 | 7 | set arg1=%1 8 | 9 | :: nasm -f win32 asm_io.asm 10 | 11 | nasm -f win32 "%arg1%.asm" 12 | 13 | :: -Zi produces debug symbols, can be used for debugging/disassembling 14 | cl -Zi -Fe"%arg1%.exe" driver.c "%arg1%.obj" asm_io.obj /link legacy_stdio_definitions.lib -------------------------------------------------------------------------------- /Assembly/learning_assembly_series/template.asm: -------------------------------------------------------------------------------- 1 | ;;; This follows along with the book by Dr Paul Carter 2 | ;;; Available at: https://pacman128.github.io/pcasm/ 3 | 4 | %include "asm_io.inc" 5 | ; 6 | ; initialized data is put in the .data segment 7 | ; 8 | segment .data 9 | 10 | ; 11 | ; uninitialized data is put in the .bss segment 12 | ; 13 | segment .bss 14 | 15 | ; 16 | ; code is put in the .text segment 17 | ; 18 | segment .text 19 | global _asm_main 20 | _asm_main: 21 | ;; PROLOGUE 22 | push ebp, 23 | mov ebp, esp 24 | ;; START WRITING YOUR CUSTOM PROGRAMS HERE. 25 | ;; If you need stack space for locals, make sure to adjust the prologue 26 | ;; i.e. sub esp, XX bytes 27 | 28 | 29 | 30 | ;; END OF CUSTOM CODE. 31 | ;; EPILOGUE 32 | mov esp, ebp 33 | pop ebp 34 | ret 35 | 36 | 37 | -------------------------------------------------------------------------------- /Assembly/learning_assembly_series/windbg.asm: -------------------------------------------------------------------------------- 1 | ;;; This follows along with the book by Dr Paul Carter 2 | ;;; Available at: https://pacman128.github.io/pcasm/ 3 | 4 | %include "asm_io.inc" 5 | ; 6 | ; initialized data is put in the .data segment 7 | ; 8 | segment .data 9 | formats db "Hello TTD :) %d",0xD,0xA,0xD,0xA,0 10 | 11 | ; 12 | ; uninitialized data is put in the .bss segment 13 | ; 14 | segment .bss 15 | 16 | ; 17 | ; code is put in the .text segment 18 | ; 19 | segment .text 20 | global _asm_main 21 | extern _printf 22 | _asm_main: 23 | push ebp, 24 | mov ebp, esp 25 | ;; START WRITING YOUR CUSTOM PROGRAMS HERE. 26 | ;; If you need stack space for locals, make sure to adjust the prologue 27 | ;; i.e. sub esp, XX bytes 28 | 29 | mov eax, 0x42 30 | xor eax, 0x32 31 | 32 | push eax 33 | push formats 34 | call _printf 35 | add esp, 8 36 | 37 | 38 | ;; END OF CUSTOM CODE. 39 | mov esp, ebp 40 | pop ebp 41 | ret 42 | 43 | 44 | -------------------------------------------------------------------------------- /Assembly/learning_assembly_series/windbg01.out: -------------------------------------------------------------------------------- 1 | Microsoft (R) TTDRecord 1.01.11 2 | Release: 1.11.202.0 3 | Copyright (C) Microsoft Corporation. All rights reserved. 4 | 5 | 6 | Initializing Time Travel Debugging for Launch of windbg.exe 7 | Time: 10/18/2023 20:21:51 8 | OS:10.0.19045 EDITION:x64 9 | 10 | SessionID: E4E900A0-981A-4B7B-8DBB-2ED01A108765 11 | 12 | (TTD::ManageTTDTrace:2753) 13 | Running windbg.exe 14 | (TTD::StartGuestProcess:1519) 15 | Group tracing GUID: 7F689987-B02E-4CB4-8072-C6DEEEC03FCE 16 | 17 | Running "C:\Program Files\WindowsApps\Microsoft.TimeTravelDebugging_1.11.202.0_x64__8wekyb3d8bbwe\x86\TTDInject.exe" /duration 0 /InjectMode EmulatorForRecording /ClientParams "48 C:\Users\James Holden\Desktop\ms-ex\windbg01.run 0 0 0 0 0 0 1 0 c06001 0" /RecordScenario 268435457 /attach 404 /SuspendedAtLaunch -TraceFileHandle 14 -GuestEventHandle 18 -ClientEventHandle 1c -ActiveEventHandle 20 -MutexHandle 24 -CommunicationBufferHandle 28 -SharedSequenceMutexHandle 2c -SharedSequenceBufferHandle 30 /TelemetryFeatureSessionId "E4E900A0-981A-4B7B-8DBB-2ED01A108765" 18 | (TTD::StartGuestProcess:1995) 19 | Microsoft (R) TTDInject 1.01.11 20 | Release: 1.11.202.0 21 | Copyright (C) Microsoft Corporation. All rights reserved. 22 | 23 | TTDLoader Params: 24 | LauncherDll = TTDRecordCPU 25 | ClientDll = TTDRecordCPU 26 | ClientEntry = InitializeNirvanaClient 27 | ClientParams= 48 C:\Users\James Holden\Desktop\ms-ex\windbg01.run 0 0 0 0 0 0 1 0 c06001 0 28 | SuspendedAtLaunch 29 | WaitForMain is on 30 | Allocated processors:32, running threads:1. 31 | Loader TTDRecordCPU.dll injected at 0x75480000 0x161000 -- .reload TTDRecordCPU.dll=0x75480000,0x161000 32 | 33 | Injection by thread is complete. 34 | RecordingEngine initialization successful. 35 | RecordVcpu initialization successful. 36 | Loader initialization successful. 37 | Guest Process is x86 binary. 38 | Guest process exited with exit code 20 39 | Simulation time of 'windbg.exe' (x86): 219ms. 40 | Tracing completed at: Thu Oct 19 01:21:52 2023 (UTC) Wed Oct 18 20:21:52 2023 (Local) 41 | 42 | Trace dumped to C:\Users\James Holden\Desktop\ms-ex\windbg01.run 43 | -------------------------------------------------------------------------------- /Assembly/learning_assembly_series/windbg01.run: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Assembly/learning_assembly_series/windbg01.run -------------------------------------------------------------------------------- /C++ Objects/1_basic_class.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | using std::cout; 5 | using std::endl; 6 | 7 | class Ex1 8 | { 9 | int var1; 10 | 11 | public: 12 | int var2 = 2; 13 | int var3 = 3; 14 | 15 | Ex1() { 16 | var1 = 1; 17 | cout << "In Constructor" << endl; 18 | } 19 | int get_var1() { 20 | return var1; 21 | } 22 | }; 23 | 24 | int main(int argc, char ** argv, char **envp) { 25 | 26 | int a = 0; 27 | Ex1 *e = new Ex1(); 28 | a = e->get_var1(); 29 | e->var2 = 99; 30 | e->var3 = 98; 31 | delete(e); 32 | } -------------------------------------------------------------------------------- /C++ Objects/2_class_virtual_functions.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | using std::cout; 5 | using std::endl; 6 | 7 | class Ex2 8 | { 9 | int var1; 10 | 11 | public: 12 | virtual int sum(int x, int y){ 13 | return x+y; 14 | } 15 | 16 | virtual void reset_values(){ 17 | var1 = 0; 18 | } 19 | }; 20 | 21 | int main(int argc, char ** argv, char **envp) { 22 | Ex2 *e = new Ex2(); 23 | e->sum(1,2); 24 | e->reset_values(); 25 | delete(e); 26 | } -------------------------------------------------------------------------------- /C++ Objects/3_class_virtual_nonvirtual.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | using std::cout; 5 | using std::endl; 6 | 7 | class Ex3 8 | { 9 | int var1; 10 | 11 | public: 12 | virtual int sum(int x, int y){ 13 | return x+y; 14 | } 15 | 16 | virtual void reset_values(){ 17 | var1 = 0; 18 | } 19 | 20 | void printHello() { 21 | cout << "hello world" << endl; 22 | } 23 | }; 24 | 25 | int main(int argc, char ** argv, char **envp) { 26 | 27 | Ex3 *e = new Ex3(); 28 | e->sum(1,2); 29 | e->reset_values(); 30 | e->printHello(); 31 | delete(e); 32 | } -------------------------------------------------------------------------------- /C++ Objects/4_class_inheritance.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | using std::cout; 5 | using std::endl; 6 | 7 | class Ex2 8 | { 9 | private: 10 | int var1; 11 | 12 | public: 13 | virtual int sum(int x, int y){ 14 | return x+y; 15 | } 16 | 17 | virtual void virtual_func1(){ 18 | cout << "Ex2->virtual_func1" << endl; 19 | } 20 | }; 21 | 22 | class Ex3: public Ex2 23 | { 24 | private: 25 | int var1; 26 | 27 | public: 28 | int subtract(int x, int y){ 29 | return x - y; 30 | } 31 | }; 32 | 33 | int main(int argc, char ** argv, char **envp) { 34 | 35 | Ex3 *e = new Ex3(); 36 | e->sum(20,22); 37 | e->subtract(10,2); 38 | e->virtual_func1(); 39 | delete(e); 40 | } -------------------------------------------------------------------------------- /C++ Objects/5_class_polymorphism.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | using std::cout; 5 | using std::endl; 6 | 7 | class Ex2 8 | { 9 | private: 10 | int var1; 11 | 12 | public: 13 | virtual int sum(int x, int y){ 14 | return x+y; 15 | } 16 | 17 | virtual void virtual_func1(){ 18 | cout << "Ex2->virtual_func1" << endl; 19 | } 20 | }; 21 | 22 | 23 | class Ex3: public Ex2 24 | { 25 | private: 26 | int var1; 27 | 28 | public: 29 | int subtract(int x, int y){ 30 | return x - y; 31 | } 32 | 33 | void virtual_func1(){ 34 | cout << "Ex3->virtual_func1" << endl; 35 | } 36 | }; 37 | 38 | int main(int argc, char ** argv, char **envp) { 39 | 40 | Ex3 *e = new Ex3(); 41 | e->virtual_func1(); 42 | delete(e); 43 | } 44 | -------------------------------------------------------------------------------- /C++ Objects/6_multiple_inheritance.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | using std::cout; 5 | using std::endl; 6 | 7 | class Ex2 8 | { 9 | private: 10 | int var1; 11 | 12 | public: 13 | virtual int sum(int x, int y){ 14 | return x+y; 15 | } 16 | 17 | virtual void virtual_func1(){ 18 | cout << "Ex2->virtual_func1" << endl; 19 | } 20 | }; 21 | 22 | class Ex4 23 | { 24 | public: 25 | virtual void virtual_func2() { 26 | cout << "Ex4->virtual_func2" << endl; 27 | } 28 | }; 29 | 30 | class Ex5: public Ex2, public Ex4 31 | { 32 | private: 33 | int var1; 34 | int var2; 35 | 36 | public: 37 | Ex5() { 38 | var1 = 1; 39 | var2 = 2; 40 | } 41 | virtual void virtual_func3() { 42 | cout << "Ex5->virtual_func3" << endl; 43 | } 44 | virtual void virtual_func2(){ 45 | cout << "Ex5->virtual_func2" << endl; 46 | } 47 | }; 48 | 49 | int main(int argc, char ** argv, char **envp) { 50 | 51 | Ex5 *e = new Ex5(); 52 | e->virtual_func1(); 53 | e->virtual_func2(); 54 | e->virtual_func3(); 55 | delete(e); 56 | } -------------------------------------------------------------------------------- /C++ Objects/README.md: -------------------------------------------------------------------------------- 1 | # C++ Objects 2 | 3 | These files help you to explore the basics of analyzing C++ objects. The focus is on identifying when objects are created, their size, and then mapping out their layout in memory. You will also explore how to identify the constructor/deconstructor, multiple inheritance and virtual functions/virtual function tables. 4 | 5 | You can see these files compiled and analyzed in the following videos on [YouTube](https://www.youtube.com/playlist?list=PLHJns8WZXCdu6kPwPpBhA0mfdB4ZuWy6M) -------------------------------------------------------------------------------- /C++ Objects/binaries/1_basic_class.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/C++ Objects/binaries/1_basic_class.exe -------------------------------------------------------------------------------- /C++ Objects/binaries/2_class_virtual_functions.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/C++ Objects/binaries/2_class_virtual_functions.exe -------------------------------------------------------------------------------- /C++ Objects/binaries/3_class_virtual_nonvirtual.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/C++ Objects/binaries/3_class_virtual_nonvirtual.exe -------------------------------------------------------------------------------- /C++ Objects/binaries/4_class_inheritance.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/C++ Objects/binaries/4_class_inheritance.exe -------------------------------------------------------------------------------- /C++ Objects/binaries/5_class_polymorphism.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/C++ Objects/binaries/5_class_polymorphism.exe -------------------------------------------------------------------------------- /C++ Objects/binaries/6_multiple_inheritance.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/C++ Objects/binaries/6_multiple_inheritance.exe -------------------------------------------------------------------------------- /C++ Objects/binaries/HASHES.txt: -------------------------------------------------------------------------------- 1 | 9010352039d3af98b39bcf04a59c850fd8ea435fea5d702cbedf8f6cb6af5299 1_basic_class.exe 2 | d1d52ec101591bb89e3ff7b8ccc1868e6a4c3573f44062cdaf7ebc06089325af 2_class_virtual_functions.exe 3 | fdf84e16cf67fed9ee4d3efe4423420ae9528825958091597d793b70abd4df9c 3_class_virtual_nonvirtual.exe 4 | 7ad14fd141a7399fe85aadbe37210fb56169382f280646da488a24c1e3ad7888 4_class_inheritance.exe 5 | 48fdeb7020ee683c6a1352b8392c0442c816584d1b15f197491c8ad836d44198 5_class_polymorphism.exe 6 | 905292e3eb45bd3e56c38143d13acd93035c0790647881842a9c7b91ec5021d3 6_multiple_inheritance.exe -------------------------------------------------------------------------------- /Calling Conventions/binaries/HASHES.txt: -------------------------------------------------------------------------------- 1 | 07db493718a6e374c3eb0699482314f8c709bfe7e795d6fe6a9ed60fee291731 cdecl.exe 2 | 8a27d8f8f78c340c372d7129f8c7f0f66663595d56e6bb3ca0c1849a6fdb23b3 fastcall.exe 3 | 6160583de50c9dacdba8ba1a2433d08b16d96fde309113bec86dd1baf14e6b1f stdcall.exe -------------------------------------------------------------------------------- /Calling Conventions/binaries/cdecl.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Calling Conventions/binaries/cdecl.exe -------------------------------------------------------------------------------- /Calling Conventions/binaries/fastcall.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Calling Conventions/binaries/fastcall.exe -------------------------------------------------------------------------------- /Calling Conventions/binaries/stdcall.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Calling Conventions/binaries/stdcall.exe -------------------------------------------------------------------------------- /Calling Conventions/cdecl.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int __cdecl demo(int a, int b, int c, int d) { 4 | return (a + b + c + d); 5 | } 6 | 7 | int main(void) { 8 | int a = 0; 9 | 10 | a =demo(1,2,3,4); 11 | } -------------------------------------------------------------------------------- /Calling Conventions/fastcall.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int __fastcall demo(int a, int b, int c, int d) { 4 | return (a + b + c + d); 5 | } 6 | 7 | int main(void) { 8 | int a = 0; 9 | 10 | a =demo(1,2,3,4); 11 | } -------------------------------------------------------------------------------- /Calling Conventions/stdcall.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int __stdcall demo(int a, int b, int c, int d) { 4 | return (a + b + c + d); 5 | } 6 | 7 | int main(void) { 8 | int a = 0; 9 | 10 | a =demo(1,2,3,4); 11 | } -------------------------------------------------------------------------------- /Control Structures/arrays.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char ** argv, char ** envp) { 4 | 5 | int x; 6 | char c_array[20]; 7 | short s_array[20]; 8 | int i_array[20] = {0}; 9 | 10 | for(x = 0; x < 20; x++) { 11 | c_array[x] = x; 12 | s_array[x] = x; 13 | i_array[x] = x; 14 | } 15 | } -------------------------------------------------------------------------------- /Control Structures/binaries/HASHES.txt: -------------------------------------------------------------------------------- 1 | 7cf078154213350dbf851e1fd377467a21f2f06e440a225c0641724a327bf754 arrays.exe 2 | 3c58fd68197a17898c22fc45077e537a14b007d21dce10affccc0f7ff8273636 environment.exe 3 | 2a481be32b79c89ccb8026e72b0897de9b7f15f62d177c0784fc166637fcbe17 if-statement.exe 4 | a31ce34d0226b209673f972b9acd8702d5247d99a72d8a2d24b5c93ec16e9d52 loops.exe 5 | 0377a6093b59733ecdbc05eb5248209f7716378b0937940cff6ca844bcd95733 nested-if.exe 6 | efc5a46a7310d8c01eadbb76e15e39548864cb0739d2bd94681952ce9718d0e5 pointers.exe 7 | 774a6db20fc657aaf0ec05f301a3ed65a7f1dd6598bbeabef5e3064e19d86881 pointers_malloc.exe 8 | 183d8c6591bd3e75b8b8bf4874811a8096f54352b9d65e147d5ca0a38db06c2d simple_password.exe 9 | b07410ab713ed7f86bbf624ecf9a1324e6248466918cee9862214da6cb18e21a stack-intro.exe 10 | 6a1b99b6c1974ed877cd2c1134e26e96b3901c263ab69be0f497d57003467070 string_manipulation.exe 11 | 2ad6a293685f69ef6d6ee8870fa01a392add56d7f5b2e299c21839dc96814820 struct_members.exe 12 | 3de7402ffc6dd7b297a3f5749649e6c45bb412e6c7f57d22f342b20135fa4de8 structs.exe 13 | 4640e36c9bd2ba0fcf98f9f8029f1f55898866bf5706ad0bccabb2285c31e02c switch.exe -------------------------------------------------------------------------------- /Control Structures/binaries/arrays.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Control Structures/binaries/arrays.exe -------------------------------------------------------------------------------- /Control Structures/binaries/environment.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Control Structures/binaries/environment.exe -------------------------------------------------------------------------------- /Control Structures/binaries/if-statement.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Control Structures/binaries/if-statement.exe -------------------------------------------------------------------------------- /Control Structures/binaries/loops.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Control Structures/binaries/loops.exe -------------------------------------------------------------------------------- /Control Structures/binaries/nested-if.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Control Structures/binaries/nested-if.exe -------------------------------------------------------------------------------- /Control Structures/binaries/pointers.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Control Structures/binaries/pointers.exe -------------------------------------------------------------------------------- /Control Structures/binaries/pointers_malloc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Control Structures/binaries/pointers_malloc.exe -------------------------------------------------------------------------------- /Control Structures/binaries/simple_password.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Control Structures/binaries/simple_password.exe -------------------------------------------------------------------------------- /Control Structures/binaries/stack-intro.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Control Structures/binaries/stack-intro.exe -------------------------------------------------------------------------------- /Control Structures/binaries/string_manipulation.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Control Structures/binaries/string_manipulation.exe -------------------------------------------------------------------------------- /Control Structures/binaries/struct_members.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Control Structures/binaries/struct_members.exe -------------------------------------------------------------------------------- /Control Structures/binaries/structs.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Control Structures/binaries/structs.exe -------------------------------------------------------------------------------- /Control Structures/binaries/switch.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Control Structures/binaries/switch.exe -------------------------------------------------------------------------------- /Control Structures/environment.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char ** argv, char ** envp) { 4 | 5 | char * name = argv[0]; 6 | char * e = envp[0]; 7 | int i; 8 | 9 | printf("Program name: %s\n", name); 10 | 11 | for ( i = 1; i < argc; i++) { 12 | printf("\tArg: %s\n", argv[i]); 13 | } 14 | 15 | puts(""); 16 | 17 | while (e != NULL) { 18 | printf("\tENV: %s\n", e); 19 | envp++; 20 | e = *envp; 21 | } 22 | 23 | } -------------------------------------------------------------------------------- /Control Structures/if-statement.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(void) { 4 | 5 | int a = 0; 6 | int b = 5; 7 | 8 | if (a > b) { 9 | puts("a is greater than b"); 10 | } else { 11 | puts("a is not greater than b"); 12 | } 13 | } -------------------------------------------------------------------------------- /Control Structures/loops.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void doWhileLoop(void) { 4 | 5 | size_t x = 99; 6 | 7 | while ( x > 0 ) { 8 | printf("%lu\n", x); 9 | x--; 10 | } 11 | } 12 | 13 | int main(void) { 14 | 15 | size_t i; 16 | 17 | for(i = 0; i < 10; i++) { 18 | printf("%lu\n",i); 19 | } 20 | 21 | doWhileLoop(); 22 | 23 | } -------------------------------------------------------------------------------- /Control Structures/nested-if.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(void) { 4 | 5 | int x = 0; 6 | int y = 1; 7 | int z = 0; 8 | 9 | puts("Enter a number:"); 10 | scanf("%d", &z); 11 | 12 | if(x < 10) { 13 | 14 | if(z > 0) 15 | puts("x < 10 and z > 0"); 16 | else 17 | puts("x < 10 and z <= 0"); 18 | 19 | } else { 20 | 21 | if(z > 0) 22 | puts ("x >= 10 and z > 0"); 23 | else 24 | puts("x >= 10 and z < 0"); 25 | } 26 | } -------------------------------------------------------------------------------- /Control Structures/pointers.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char ** argv, char ** envp) { 4 | 5 | int i; 6 | 7 | for(i = 0; i < argc; i++) { 8 | printf("--%s\n", *argv); 9 | argv++; 10 | } 11 | } -------------------------------------------------------------------------------- /Control Structures/pointers_malloc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main (int argc, char ** argv, char ** envp) { 5 | int * x = malloc(10 * sizeof(int)); 6 | char * y = malloc(107); 7 | short * s = malloc(2 * sizeof(short)); 8 | 9 | *x = 125; 10 | *y = '!'; 11 | *s = 34; 12 | } -------------------------------------------------------------------------------- /Control Structures/simple_password.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main(int argc, char *argv[]) { 4 | 5 | if (strcmp("cyberyeti", argv[1]) == 0){ 6 | puts("You win!"); 7 | } else { 8 | puts("Try again :("); 9 | } 10 | } -------------------------------------------------------------------------------- /Control Structures/stack-intro.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void func1(int a, int b, int c) { 4 | int sum = 0; 5 | int x = 99; 6 | 7 | sum = a + b + c + x; 8 | } 9 | 10 | int main() { 11 | 12 | func1(1,2,3); 13 | } -------------------------------------------------------------------------------- /Control Structures/string_manipulation.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(void) { 5 | 6 | int iarray[10] = {0,1,2,3,4,5,6,7,8,9}; 7 | 8 | char carray[25] = "hello "; 9 | 10 | char*cptr = &carray[6]; 11 | 12 | int temp = 0; 13 | 14 | for (int i = 0; i < 5; i++) { 15 | 16 | temp = iarray[i+5]; 17 | temp += iarray[i]; 18 | 19 | cptr += sprintf(cptr,"%d ", temp); 20 | } 21 | 22 | printf("%s\n", carray); 23 | } -------------------------------------------------------------------------------- /Control Structures/struct_members.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | typedef struct TESTS 5 | { 6 | char a; 7 | int b; 8 | char c[3]; 9 | short d; 10 | int * e; 11 | float * f; 12 | } TESTS; 13 | 14 | int main(int argc, char ** argv, char ** envp) 15 | { 16 | int size = sizeof(TESTS); 17 | TESTS * t = malloc(size); 18 | t->a = 'a'; 19 | t->b = 49; 20 | t->c[0] = 'c'; 21 | t->d = 55; 22 | t->e = malloc(1 * sizeof(int)); 23 | *t->e = 77; 24 | t->f = malloc(1*sizeof(float)); 25 | *t->f = 3.1415926535; 26 | *t->f = *t->f * 2; 27 | printf("%f", *t->f); 28 | } -------------------------------------------------------------------------------- /Control Structures/structs.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | struct aligned_struct { 4 | int a; // 4 bytes Offset 0 5 | short b; // 2 bytes Offset +4 6 | char c; // 1 byte Offset +6 7 | char d; // 1 byte Offset +7 8 | }; // Total: 8 bytes 9 | 10 | struct padded_struct { 11 | char a; // 1 bytes Offset 0 12 | // 1 byte padding 13 | short b; // 2 bytes Offset 2 14 | int c; // 4 bytes Offset 4 15 | int* d; // 4 bytes Offset 8 16 | }; // Total: 12 bytes 17 | 18 | struct padded2_struct { 19 | char *p; // 4 bytes Offset 0 20 | char c; // 1 byte Offset +4 21 | // 3 bytes padding 22 | long x; // 4 bytes Offset +8 23 | }; // Total: 12 bytes 24 | 25 | int main(void) { 26 | int z = 99; 27 | 28 | struct aligned_struct as = {0}; 29 | as.a = 42; 30 | as.b = 0x1FF; 31 | as.c = 'a'; 32 | as.d = 'b'; 33 | 34 | struct aligned_struct*as2 = (struct aligned_struct*)malloc(sizeof(struct aligned_struct)); 35 | as2->a = 43; 36 | as2->b = 3; 37 | as2->c = 'c'; 38 | as2->d = 'd'; 39 | 40 | struct padded_struct*ps = (struct padded_struct*)malloc(sizeof(struct padded_struct)); 41 | ps->a = 'e'; 42 | ps->b = 0xAA; 43 | ps->c = 44; 44 | ps->d = &z; 45 | } -------------------------------------------------------------------------------- /Control Structures/switch.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void large_switch(void) { 4 | 5 | int i = 3; 6 | 7 | switch(i) { 8 | 9 | case 0: 10 | puts("You entered 0"); 11 | break; 12 | case 1: 13 | puts("You entered 1"); 14 | break; 15 | case 2: 16 | puts("You entered 2"); 17 | break; 18 | case 3: 19 | puts("You entered 3"); 20 | break; 21 | default: 22 | puts("I guess i don't care what you entered"); 23 | 24 | } 25 | } 26 | 27 | int main(void) { 28 | 29 | int i = 0; 30 | 31 | puts("Enter a value:"); 32 | scanf("%d",&i); 33 | 34 | switch(i) { 35 | 36 | case 0: 37 | puts("You entered 0"); 38 | break; 39 | case 1: 40 | puts("You entered 1"); 41 | break; 42 | case 2: 43 | puts("You entered 2"); 44 | break; 45 | 46 | } 47 | 48 | large_switch(); 49 | } -------------------------------------------------------------------------------- /Exploitation/basic_buffer_overflow.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void main(int*argc, char**argv){ 5 | 6 | char buffer[10] = {0}; 7 | int a = 100; 8 | 9 | strcpy(buffer, argv[1]); 10 | } -------------------------------------------------------------------------------- /Exploitation/binaries/HASHES.txt: -------------------------------------------------------------------------------- 1 | 4fd3ef608eef6598512bd2b6aae3c6f574297e5d00c7c626d3e386d5b7242aab basic_buffer_overflow.exe 2 | fd1e0f31004438764d6d9844b766d7f96f4e386ed572c60846ee5d11dabf44ca buffer_overflow_walkthrough.exe 3 | eadbf4f035f039b7acec6eaa9afb892c7f6579db4d8aac1c273e25f4d500722f classic_stack_buffer_overflow.exe -------------------------------------------------------------------------------- /Exploitation/binaries/basic_buffer_overflow.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Exploitation/binaries/basic_buffer_overflow.exe -------------------------------------------------------------------------------- /Exploitation/binaries/buffer_overflow_walkthrough.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Exploitation/binaries/buffer_overflow_walkthrough.exe -------------------------------------------------------------------------------- /Exploitation/binaries/classic_stack_buffer_overflow.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Exploitation/binaries/classic_stack_buffer_overflow.exe -------------------------------------------------------------------------------- /Exploitation/buffer_overflow_walkthrough.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char *argv[]) { 5 | int value = 5; 6 | char buffer_one[8], buffer_two[8]; 7 | 8 | strcpy(buffer_one, "one"); 9 | strcpy(buffer_two, "two"); 10 | printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two); 11 | printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one); 12 | 13 | printf("[BEFORE] value is at %p and is %d (0x%08x)\n", &value, value, value); 14 | 15 | printf("\n[STRCPY] copying %d bytes into buffer_two\n\n", strlen(argv[1])); 16 | strcpy(buffer_two, argv[1]); /* Copy first argument into buffer_two. */ 17 | 18 | printf("[AFTER] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two); 19 | printf("[AFTER] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one); 20 | printf("[AFTER] value is at %p and is %d (0x%08x)\n", &value, value, value); 21 | } -------------------------------------------------------------------------------- /Exploitation/classic_stack_buffer_overflow.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int check_authentication(char *password) { 6 | int auth_flag = 0; 7 | char password_buffer[250]; 8 | 9 | strcpy(password_buffer, password); 10 | 11 | if(strcmp(password_buffer, "Password1!") == 0) 12 | auth_flag = 1; 13 | 14 | return auth_flag; 15 | } 16 | 17 | int main(int argc, char *argv[]) { 18 | if(argc < 2) { 19 | printf("Usage: %s \n", argv[0]); 20 | exit(0); 21 | } 22 | if(check_authentication(argv[1])) { 23 | puts("\n*************************"); 24 | puts(" Access Granted."); 25 | puts("*************************"); 26 | } else { 27 | puts("\nAccess Denied."); 28 | } 29 | } -------------------------------------------------------------------------------- /Exploring PE Files/binaries/HASHES.txt: -------------------------------------------------------------------------------- 1 | 07dc03317762ab647820bfef2e299c738bbb8805a055e9de926dd8bf4bfecc8d forwarded_export.exe 2 | 0d3691bebdd52b9634d91ca6992864043e4c5aa8f728132c131a24aa4b8b9899 import_tables.exe -------------------------------------------------------------------------------- /Exploring PE Files/binaries/forwarded_export.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Exploring PE Files/binaries/forwarded_export.exe -------------------------------------------------------------------------------- /Exploring PE Files/binaries/import_tables.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Exploring PE Files/binaries/import_tables.exe -------------------------------------------------------------------------------- /Exploring PE Files/forwarded_export.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main(void) { 4 | SRWLOCK SRWLock; 5 | AcquireSRWLockExclusive(&SRWLock); 6 | } -------------------------------------------------------------------------------- /Exploring PE Files/import_tables.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(void) { 5 | int counter = 0; 6 | int mem_size = 0x1000; 7 | unsigned int *ptr = VirtualAlloc(NULL, mem_size, MEM_COMMIT, PAGE_READWRITE); 8 | printf("[*] Allocated memory at %p...\n", ptr); 9 | 10 | for (counter = 0; counter < 10; counter++){ 11 | ptr[counter] = counter; 12 | printf("[-] Data at address %p -> %d\n", &ptr[counter], counter); 13 | } 14 | 15 | VirtualFree(ptr, mem_size, MEM_DECOMMIT); 16 | printf("[*] Memory freed... :)"); 17 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Learning Reverse Engineering 2 | 3 | This repository contains several programs designed to help you in learning reverse engineering and malware anlaysis. The type of program is organized by concept it is focused, you can see this through the root folder structure. Source code along with compiled binaries are provided in each directory. 4 | 5 | I discuss many of these programs through online videos and courses and you may find the following helpful: 6 | 7 | - Getting Started with x86 Assembly - [YouTube Playlist](https://www.youtube.com/playlist?list=PLHJns8WZXCdvESvdr1BRjo4RHiR1Ylhw9) 8 | 9 | - Getting Started with Reverse Engineering - [YouTube Playlist](https://www.youtube.com/playlist?list=PLHJns8WZXCdvaD7-xR7e5FJNW_6H9w-wC) and full courses on [Pluralsight](https://www.pluralsight.com/courses/reverse-engineering-getting-started) 10 | 11 | - Analyzing C++ objects in Ghidra - [YouTube playlist](https://www.youtube.com/playlist?list=PLHJns8WZXCdu6kPwPpBhA0mfdB4ZuWy6M) 12 | 13 | - Analyzing C Structures in IDA Pro - [YouTube playlist](https://www.youtube.com/playlist?list=PLHJns8WZXCdu7zDObGl7oEO0APWOEnDNT) 14 | 15 | - Essential Elements of the Portable Executable (PE) file - [YouTube playlist](https://www.youtube.com/playlist?list=PLHJns8WZXCdstHnLaxcz-CO74fO4Q88_8) 16 | 17 | ## Other Tools You May Find Helpful 18 | 19 | - [sclauncher](https://github.com/jstrosch/sclauncher): A shellcode launcher and debugging tool 20 | 21 | ## Compiling the Source Code 22 | 23 | These programs are intended to be compiled with the C/C++ compiler from Microsoft. You can use the `Developer Command Prompt` after installing the free/community version to compile using `cl`. An example of this command would be: 24 | 25 | ```cl ``` 26 | 27 | This should produce two files: `.obj` and `.exe` using the name of the input file. You can typically ignore the `.obj` file, the `.exe` is what you will analyze. Please note, occassionally specific compiler flags are used to obtain desired affects in the resulting binary. These compiler flags will be identified in the related videos or noted in the README in the specific folder. -------------------------------------------------------------------------------- /Windows Internals/binaries/HASHES.txt: -------------------------------------------------------------------------------- 1 | 7539edd3d627d8627d3dcd0399ea2133a52c4f446dd45e1a7f8b1871e4a4672b demo_peb.exe -------------------------------------------------------------------------------- /Windows Internals/binaries/demo_peb.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Windows Internals/binaries/demo_peb.exe -------------------------------------------------------------------------------- /Windows Internals/demo_peb.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(void) { 5 | char* fmt_address = "0x%08x\n"; 6 | DWORD dwNtdllBase = 0x0; 7 | HINSTANCE dwLoadLibrary = 0x0; 8 | 9 | __asm 10 | { 11 | 12 | xor ebx, ebx ; // clear ebx 13 | mov ebx, fs:[ 0x30 ] ; // get a pointer to the PEB: https://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx 14 | 15 | push ebx 16 | push ebx 17 | push fmt_address 18 | call printf 19 | add esp, 8 20 | pop ebx 21 | 22 | mov ebx, [ ebx + 0x0C ] ; // get PEB->Ldr - https://msdn.microsoft.com/en-us/library/windows/desktop/aa813708(v=vs.85).aspx 23 | mov ebx, [ ebx + 0x1C ] ; // get PEB->Ldr.InInitializationOrderModuleList.Flink (1st entry) 24 | mov ebx, [ ebx + 0x08 ] ; // get the entries base address 25 | 26 | mov dwNtdllBase, ebx 27 | } 28 | 29 | dwLoadLibrary = LoadLibrary(TEXT("ntdll")); 30 | 31 | printf("0x%08x <--> 0x%08x\n", dwNtdllBase, dwLoadLibrary); 32 | } -------------------------------------------------------------------------------- /Windows Internals/structured_exception_handling/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jstrosch/learning-reverse-engineering/413c73b92e483aa87bb1a7fec1c328c58543d04c/Windows Internals/structured_exception_handling/README.md -------------------------------------------------------------------------------- /Windows Internals/structured_exception_handling/custom_seh.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void ExceptionHandler(EXCEPTION_RECORD * er); 5 | 6 | int main(int*argc, char**argv) { 7 | 8 | __asm { 9 | mov eax, ExceptionHandler 10 | push eax 11 | push fs:[0] 12 | mov fs:[0], esp 13 | xor eax, eax 14 | mov [eax], 0 15 | } 16 | printf("after exception..."); 17 | ExitProcess(0); 18 | } 19 | 20 | void ExceptionHandler(EXCEPTION_RECORD * er) { 21 | puts("In exception handler :)"); 22 | printf("exception address: %p\n", er->ExceptionAddress); 23 | PVOID* ret_addy = er->ExceptionAddress; 24 | __asm { 25 | mov eax, ret_addy 26 | add eax, 3 27 | push eax 28 | ret 29 | } 30 | } --------------------------------------------------------------------------------