26 строки
1.7 KiB
Plaintext
26 строки
1.7 KiB
Plaintext
OPCDE Keynote - commands and steps:
|
|
|
|
1. Explore built-in registers - @$curthread, @$curprocess, @$cursession...
|
|
Print process array in decimal: dx @$cursession.Processes, d
|
|
|
|
2. Find explorer.exe and its signature level:
|
|
dx @$cursession.Processes.Where(p => p.Name == "explorer.exe").KernelObject.SignatureLevel & 0xF
|
|
|
|
3. Print signature level for all processes:
|
|
dx -r2 @$cursession.Processes.Select(p => p.KernelObject.SignatureLevel)
|
|
|
|
4. Use anonymous type to print more information for each process, use -r2 to show 2 levels, use -g for grid view, order by signature level:
|
|
dx -r2 @$cursession.Processes.Select(p => new {Name = p.Name, PID = p.Id, SignatureLevel = p.KernelObject.SignatureLevel & 0xF}).OrderBy(p => p.SignatureLevel)
|
|
|
|
5. Conditional Breakpoint - use bp /w to break on nt!NtWriteFile only when writing thread is impersonating:
|
|
bp /w "@$curthread.KernelObject.ClientSecurity.ImpersonationData != 0" nt!NtWriteFile
|
|
|
|
6. When breakpoint is hit, use anonymous type to print process name, thread ID, impersonation token authentication ID and name of file that's written into, and keep running:
|
|
bp /w "@$curthread.KernelObject.ClientSecurity.ImpersonationData != 0" nt!NtWriteFile "dx new { ProcName = @$curprocess.Name, ThreadId = @$curthread.Id,
|
|
AuthId = ((nt!_TOKEN*)(@$curthread.KernelObject.ClientSecurity.ImpersonationToken & ~0xF))->AuthenticationId.LowPart,
|
|
FileName = @$curprocess.Io.Handles[@rcx].Object.UnderlyingObject.FileName}; g"
|
|
|
|
Bonus - How to choose number of items printed from an array:
|
|
Only show first 10 items: dx @$cursession.Processes, 10
|
|
Show 9999 items: dx @$cursession.Processes, 9999
|
|
Show all items in array: dx @$cursession.Processes, [@$cursession.Processes.Count()] |