Kilkat
[script] CFG detection script based on CFG instruction patterns (Ghidra)

```python
# Ghidra (Jython) script: scan every function for instruction sequences that
# look like Control Flow Guard (CFG) call-target validation or dispatch.
from ghidra.program.model.address import Address
from ghidra.program.model.lang import OperandType

listing = currentProgram.getListing()

print("[*] Scanning for potential CFG validation patterns...")

for func in listing.getFunctions(True):
    # Instructions of this function in address order
    instructions = list(listing.getInstructions(func.getBody(), True))

    # Sliding window of three consecutive instructions
    for i in range(len(instructions) - 2):
        ins1 = instructions[i]
        ins2 = instructions[i + 1]
        ins3 = instructions[i + 2]

        # Pattern 1: mov rcx, reg / mov rax, qword ptr [addr] / call rax
        # (target goes in rcx, the check function pointer is loaded from memory)
        if (
            ins1.getMnemonicString().lower() == "mov" and
            ins1.getOpObjects(0)[0].toString().lower() == "rcx" and
            ins2.getMnemonicString().lower() == "mov" and
            ins2.getOpObjects(0)[0].toString().lower() == "rax" and
            OperandType.isAddress(ins2.getOperandType(1)) and
            ins3.getMnemonicString().lower() == "call" and
            ins3.getOpObjects(0)[0].toString().lower() == "rax"
        ):
            print("[+] Potential CFG validator:")
            print("    Function: {} at {}".format(func.getName(), func.getEntryPoint()))
            print("    Pattern: {} ; {} ; {}".format(ins1, ins2, ins3))
            print("---")

        # Pattern 2: mov reg, reg / call qword ptr [addr] (direct dispatch)
        if (
            ins1.getMnemonicString().lower() == "mov" and
            ins2.getMnemonicString().lower() == "call" and
            OperandType.isAddress(ins2.getOperandType(0))
        ):
            call_op = ins2.getOpObjects(0)[0]
            # Only report calls whose memory operand resolves to defined data
            if isinstance(call_op, Address):
                ref_data = listing.getDataAt(call_op)
                if ref_data:
                    print("[?] Indirect call possibly related to CFG dispatch:")
                    print("    Function: {} at {}".format(func.getName(), func.getEntryPoint()))
                    print("    Pattern: {} ; {}".format(ins1, ins2))
                    print("---")

print("[*] Scan complete.")
```
A script I hastily threw together because I recently wanted to run a PoC that bypasses CFG against a known DLL and executes shellcode.
I tried it against ntdll.dll and it seems to extract the addresses well.
For details, see the blog post below (Control Flow Hijacking via Data Pointers).

Control Flow Hijacking via Data Pointers (www.legacyy.xyz)
> When performing process injection, one of the most important IOCs that make up behavioural signatures is passing execution to our shellcode. Whilst there are multiple techniques to doing so and this is certainly nothing purely "new" - in this post I wa
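The sliding-window matcher above can only be run inside Ghidra. As an added example (not code from the original post), the block below models pattern 1 over plain instruction tuples so the heuristic can be unit-tested offline, and tightens it by requiring the loaded pointer to equal the image's CFG check function pointer (the `GuardCFCheckFunctionPointer` load-config entry, which MSVC exposes as `__guard_check_icall_fptr`); `Insn`, `GUARD_FPTR`, `IMP_FPTR` and the instruction stream are constructed sample values, not taken from ntdll.dll.

```python
# Added example (not from the original post): Ghidra-independent model of the
# pattern-1 matcher. Instructions are (addr, mnemonic, ops) tuples; in Ghidra
# they would come from getMnemonicString()/getOpObjects(). An int operand
# stands for a memory address, as Ghidra returns an Address object there.
from collections import namedtuple

Insn = namedtuple("Insn", "addr mnemonic ops")

# Constructed sample values: the address of __guard_check_icall_fptr and of an
# ordinary import thunk that has the same mov/mov/call shape but is not CFG.
GUARD_FPTR = 0x180001000
IMP_FPTR = 0x180001008

def is_cfg_check_site(i1, i2, i3, guard_fptr=None):
    """True if i1..i3 form `mov rcx, reg ; mov rax, [addr] ; call rax`.
    With guard_fptr given, the loaded pointer must be the CFG check pointer,
    which removes false positives on import calls of the same shape."""
    shape = (
        i1.mnemonic == "mov" and i1.ops[0] == "rcx" and
        i2.mnemonic == "mov" and i2.ops[0] == "rax" and isinstance(i2.ops[1], int) and
        i3.mnemonic == "call" and i3.ops[0] == "rax"
    )
    if not shape:
        return False
    return guard_fptr is None or i2.ops[1] == guard_fptr

def find_cfg_check_sites(insns, guard_fptr=None):
    """Three-instruction sliding window, as in the Ghidra script; returns the
    addresses of the `call rax` instructions that complete a match."""
    hits = []
    for i in range(len(insns) - 2):
        if is_cfg_check_site(insns[i], insns[i + 1], insns[i + 2], guard_fptr):
            hits.append(insns[i + 2].addr)
    return hits

# Constructed instruction stream: one genuine CFG check followed by the guarded
# indirect call, then an import call that matches only the raw shape.
SAMPLE = [
    Insn(0x1000, "mov",  ["rcx", "rbx"]),
    Insn(0x1003, "mov",  ["rax", GUARD_FPTR]),   # mov rax, [__guard_check_icall_fptr]
    Insn(0x100a, "call", ["rax"]),               # __guard_check_icall(rcx = target)
    Insn(0x100c, "call", ["rbx"]),               # the guarded indirect call itself
    Insn(0x100e, "mov",  ["rcx", "rdi"]),
    Insn(0x1011, "mov",  ["rax", IMP_FPTR]),     # mov rax, [__imp_SomeApi]
    Insn(0x1018, "call", ["rax"]),               # plain import call, not CFG
    Insn(0x101a, "ret",  []),
]

if __name__ == "__main__":
    print("shape only :", [hex(a) for a in find_cfg_check_sites(SAMPLE)])
    print("guard-bound:", [hex(a) for a in find_cfg_check_sites(SAMPLE, GUARD_FPTR)])
```

Running it shows the shape-only scan reporting both call sites while the guard-bound scan keeps only the real CFG check, which is the filter worth adding to the Ghidra script before trusting its output.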