Archive for February, 2010

Converting shellcode to executable files using InlineEgg

Posted in Pentesting with tags , on 9 February, 2010 by __fastcall

I like small utils, gadget ones, this article can be found at Breaking Code blog does not have that important functionality but it’s really cute!.

EDITED at 10/2/2010 in order to prevent any misunderstandings. Thanks goes to a visitor’s comment which alerted me about how to write the reposts in order not to look like as my own.

There is URL where you can convert a shellcode directly to an executable. The guy in Breaking Code blog wrote this quick Python script using CORE’s InlineEgg package. According to the author it may be buggy

Enjoy! :)


What is IRQL?

Posted in Windows API with tags on 9 February, 2010 by __fastcall

I remember 2 years ago I read an article in phrack 65 written  by ivanlef0u. It used the word IRQL it was the first time I was hearing that word and tried to find out what it means. Today looking at my RSS I found this article describing what IRQL really is. The article is written by Jake Oshins and published in “A hole in my head” blog and can be found here

Computers have many things within them that can interrupt a processor.  These include timers, I/O devices, other processors, internal processor performance counters, etc.  All processors have an instruction for disabling interrupts, somehow, but that instruction (cli in x64 processors) isn’t selective about which interrupts it disables.

The people who built DEC’s VMS operating system also helped design the processors that DEC used, and many of them came to Microsoft and designed Windows NT, which was the basis for modern versions of Windows, including Windows XP and Windows 7.  These guys wanted a way to disable (very quickly) just some of the interrupts in the system.  They considered it useful to hold off interrupts from some sources while servicing interrupts from other sources.

They also realized that, just as you must acquire locks in the same order everywhere in your code to avoid deadlocks, you must also service interrupts with the same relative priority every time.  It doesn’t work if the clock interrupts are sometimes more important than the IDE controller’s interrupts and sometimes they aren’t.

Interrupts are frequently called “Interrupt ReQuests” and the priority of a specific IRQ is its Level.  These letters, all run together, are IRQL. Continue reading

Matching pool tags in Windows drivers

Posted in Uncategorized on 9 February, 2010 by __fastcall

I love small posts especially those notes that could help you when banging your head at the wall after facing a strange error on Windows API. When MSDN mentions nothing your last hope is to be in your notes. Original link can be found here.

This is a note to myself, mainly. If the PROTECTED_POOL flag is set on a pool tag, freeing it will require the use of the same tag as when allocating it. For all other purposes the tag will be ignored when freeing.

Microsoft states for the Tag parameter in ExAllocatePoolWithTag:

Specifies the pool tag for the allocated memory. Specify the pool tag as a character literal of up to four characters delimited by single quotation marks (for example, ‘Tag1′). The string is usually specified in reverse order (for example, ‘1gaT’). The ASCII value of each character in the tag must be between 0 and 127. Every allocation code path should use a unique pool tag to ensure that debuggers and verifiers identify a distinct allocated block.

Presumably most tags used by system components themselves will have that flag set, but to be honest I haven’t checked the pooltag.txt lately ;)

// Oliver

Ruby, Nmap XML, and Databases

Posted in Pentesting with tags on 9 February, 2010 by __fastcall

Ok it’s been a while. I found a very useful article when performing large nmap scans. Original article  here

So I had a requirement to take some output from nmap scans, shove it into a database and then be able to run some queries on that data.

Wait, isn’t there something that already does that?!

Actually PBNJ and will do this but uses (eeeek!) perl to do it. I wanted to do it in Ruby.
Continue reading