
ollydbg2-python's Introduction

Hello, world 👋

If you made it all the way here, you might as well check out some of my projects and where I blog 😊. Oh, and if you want to say hi, come hang out on the Diary of a reverse-engineer's discord: invite!

Windows related

Exploitation

  • Paracosme: Zero-click remote memory corruption exploit that compromises ICONICS Genesis64 (Pwn2Own Miami 2022),
  • Longue vue: Over-the-web remote compromise exploit chain for NETGEAR DGND3700v2 devices,
  • Zenith: Remote kernel exploit for the TP-Link AC1750 Smart Wi-Fi Router (Pwn2Own Austin 2021),
  • Pwn2Own Miami 2023: Writeups/PoCs for bugs I found while preparing for Pwn2Own Miami 2023 targeting UaGateway in the OPC UA Server category,
  • CVE-2019-11708: Full chain for CVE-2019-11708 & CVE-2019-9810,
  • CVE-2019-9810: RCE exploit for Firefox on Windows.

Misc

ollydbg2-python's People

Contributors

snq-


ollydbg2-python's Issues

Run__ function finish before breakpoint

_Code:_

bp = SoftwareBreakpoint(0x128B401) 
print "BreakPoint Address=%X" % bp.address
display_global_registers()
Run__()
display_global_registers()
print "CheckForDebugEvent=%s" % CheckForDebugEvent()
print "isDebuggeeFinished=%s" % IsDebuggeeFinished()

_Output:_
File 'xxxxxxxxxxxxxxxxxxxxxxxxxxx.exe'
New process (ID 00001AE4) created
014F03AE Main thread (ID 000007C8) created
76E30000 Unload hidden module 76E30000
76C30000 Unload hidden module 76C30000
76E30000 Unload hidden module 76E30000
76F50000 Unload hidden module 76F50000
01230000 Module 'xxxxxxxxxxxxxxxxxxxxxxxxxxx.exe'
01299794 Module contains TLS callback(s)
70670000 Module 'C:\Windows\system32\WINMM.dll'
71E20000 Module 'C:\Windows\system32\webio.dll'
Invalid Image Export Directory, or system update is pending
71E80000 Module 'C:\Windows\system32\WINHTTP.dll'
72550000 Module 'C:\Windows\system32\Secur32.dll'
725B0000 Module 'C:\Windows\system32\version.DLL'
726A0000 Module 'C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll'
72F70000 Module 'C:\Windows\SysWOW64\SYSFER.DLL'
74C40000 Module 'C:\Windows\syswow64\CRYPTBASE.dll'
74C50000 Module 'C:\Windows\syswow64\SspiCli.dll'
74CB0000 Module 'C:\Windows\syswow64\WINTRUST.dll'
74CE0000 Module 'C:\Windows\syswow64\OLEAUT32.dll'
Code size is extended to include all sections marked as CODE
Code sections '.text' and '.orpc' will be merged to a single memory block
74D70000 Module 'C:\Windows\syswow64\ADVAPI32.dll'
74E70000 Module 'C:\Windows\syswow64\profapi.dll'
Invalid or compressed Image Export Directory
74E80000 Module 'C:\Windows\syswow64\shlwapi.DLL'
74EE0000 Module 'C:\Windows\syswow64\NSI.dll'
74EF0000 Module 'C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll'
74F00000 Module 'C:\Windows\syswow64\PSAPI.DLL'
74FA0000 Module 'C:\Windows\syswow64\ole32.dll'
Code sections '.text' and '.orpc' will be merged to a single memory block
75100000 Module 'C:\Windows\syswow64\msvcrt.dll'
751B0000 Module 'C:\Windows\syswow64\WININET.dll'
Code size in header is 00168800, extended to end of section '.wpp_sf'
Code sections '.text' and '.orpc' will be merged to a single memory block
Code sections '.orpc' and '.wpp_sf' will be merged to a single memory block
75370000 Module 'C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll'
75380000 Module 'C:\Windows\SysWOW64\sechost.dll'
753A0000 Module 'C:\Windows\syswow64\LPK.dll'
753B0000 Module 'C:\Windows\syswow64\normaliz.DLL'
75420000 Module 'C:\Windows\syswow64\USERENV.dll'
Code size is extended to include all sections marked as CODE
Code sections '.text' and '.orpc' will be merged to a single memory block
75440000 Module 'C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll'
75450000 Module 'C:\Windows\syswow64\MSASN1.dll'
754D0000 Module 'C:\Windows\syswow64\CRYPT32.dll'
755F0000 Module 'C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll'
75600000 Module 'C:\Windows\syswow64\user32.DLL'
75700000 Module 'C:\Windows\syswow64\iertutil.dll'
Code size is extended to include all sections marked as CODE
Code sections '.text' and '.wpp_sf' will be merged to a single memory block
75990000 Module 'C:\Windows\syswow64\WS2_32.dll'
759D0000 Module 'C:\Windows\syswow64\KERNELBASE.dll'
76670000 Module 'C:\Windows\syswow64\USP10.dll'
76840000 Module 'C:\Windows\syswow64\RPCRT4.dll'
Code size is extended to include all sections marked as CODE
76930000 Module 'C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll'
76C30000 Module 'C:\Windows\syswow64\kernel32.dll'
76DA0000 Module 'C:\Windows\syswow64\GDI32.dll'
77230000 Module 'C:\Windows\SysWOW64\ntdll.dll'
Code size is extended to include all sections marked as CODE
72FE0000 Module <Mod_72FE> (anonymous)
Not an 80x86 executable
72FF0000 Module <Mod_72FF> (anonymous)
Not an 80x86 executable
73050000 Module <Mod_7305> (anonymous)
Not an 80x86 executable
77050000 Module <Mod_7705> (anonymous)
Not an 80x86 executable
014F03AE Entry point of main module
74E10000 Module 'C:\Windows\system32\IMM32.DLL'
76B60000 Module 'C:\Windows\syswow64\MSCTF.dll'
[python-loader] Trying to execute the script located here: 'test.py'..
BreakPoint Address=128B401
EAX: 0x76c43378, ECX: 0x00000000
EDX: 0x014f03ae, EBX: 0x7efde000
ESP: 0x0041fe9c, EBP: 0x0041fea4
ESI: 0x00000000, EDI: 0x00000000
EIP: 0x014f03ae
75A20000 Module 'C:\Windows\syswow64\SHELL32.dll'
EAX: 0x76c43378, ECX: 0x00000000
EDX: 0x014f03ae, EBX: 0x7efde000
ESP: 0x0041fe9c, EBP: 0x0041fea4
ESI: 0x00000000, EDI: 0x00000000
EIP: 0x014f03ae
CheckForDebugEvent=0
isDebuggeeFinished=False
[python-loader] Execution is done!
75480000 Module 'C:\Windows\syswow64\WLDAP32.dll'
71080000 Module 'C:\Windows\system32\ntmarta.dll'
77282E65 New thread 2. (ID 00001784) created
75900000 Module 'C:\Windows\syswow64\CLBCatQ.DLL'
77283E85 New thread 3. (ID 00002028) created
72490000 Module 'C:\Windows\system32\CRYPTSP.dll'
72350000 Module 'C:\Windows\system32\rsaenh.dll'
72570000 Module 'C:\Windows\system32\RpcRtRemote.dll'
77283E85 New thread 4. (ID 00001014) created
74FCD864 New thread 5. (ID 00002398) created
74FCD864 New thread 6. (ID 0000226C) created
6F000000 Module 'C:\Windows\system32\uxtheme.dll'
76710000 Module 'C:\Windows\SysWOW64\urlmon.dll'
Code sections '.text' and '.wpp_sf' will be merged to a single memory block
77200000 Module 'C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll'
68CD0000 Module 'C:\Program Files (x86)\Internet Explorer\ieproxy.dll'
Code sections '.text' and '.orpc' will be merged to a single memory block
6EFE0000 Module 'C:\Windows\system32\dwmapi.dll'
71550000 Module 'C:\Windows\system32\bcrypt.dll'
71570000 Module 'C:\Windows\system32\ncrypt.dll'
69400000 Module 'C:\Windows\system32\RstrtMgr.dll'
71510000 Module 'C:\Windows\SysWOW64\bcryptprimitives.dll'
693B0000 Module 'C:\Windows\system32\VssTrace.DLL'
71830000 Module 'C:\Windows\system32\ATL.DLL'
660C0000 Module 'C:\Windows\system32\VSSAPI.DLL'
693C0000 Module 'C:\Windows\system32\SPP.dll'
693F0000 Module 'C:\Windows\system32\srclient.dll'
043B0000 Module C:\Windows\SysWOW64\ole32.dll - failed to initialize
01248D60 New thread 7. (ID 00001D80) created
759DC42D VC service exception: Thread 00001D80 is named 'RecoveryComponentIO' - passed to application
0128B401 Breakpoint at software_removal_tool.0128B401

How to build working OllyDbg2-Python Plugin?

Where can I get "python_bindings_swig.pyd"?
ImportError: No module named python_bindings_swig

And why can't you upload a compiled working version? Maybe you can give me your full archive of OllyDbg2 with Python Plugin? =\

isn't working

This isn't even working (windows7x64 | olly2.0.1f)
