RubyGems - turborex - Versions diffs - 0.1.1 - Mend

turborex 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (74) hide show

checksums.yaml +7 -0
data/LICENSE +674 -0
data/README.md +38 -0
data/README.rdoc +19 -0
data/examples/alpc_client.rb +15 -0
data/examples/alpc_server.rb +14 -0
data/examples/com_client.rb +19 -0
data/examples/com_finder.rb +39 -0
data/examples/create_instance.rb +15 -0
data/examples/cstruct.rb +19 -0
data/examples/find_com_client_calls.rb +16 -0
data/examples/find_rpc_security_callback.rb +12 -0
data/examples/rpc_finder.rb +117 -0
data/examples/scan_exports.rb +5 -0
data/examples/scan_imports.rb +5 -0
data/examples/tinysdk.rb +17 -0
data/lib/turborex.rb +21 -0
data/lib/turborex/cstruct.rb +565 -0
data/lib/turborex/cstruct/struct_helper.rb +7 -0
data/lib/turborex/exception.rb +65 -0
data/lib/turborex/fuzzer.rb +204 -0
data/lib/turborex/fuzzer/containers.rb +115 -0
data/lib/turborex/fuzzer/coverage.rb +67 -0
data/lib/turborex/fuzzer/mutators.rb +25 -0
data/lib/turborex/fuzzer/seed.rb +30 -0
data/lib/turborex/monkey.rb +11 -0
data/lib/turborex/msrpc.rb +14 -0
data/lib/turborex/msrpc/decompiler.rb +244 -0
data/lib/turborex/msrpc/midl.rb +747 -0
data/lib/turborex/msrpc/ndrtype.rb +167 -0
data/lib/turborex/msrpc/rpcbase.rb +777 -0
data/lib/turborex/msrpc/rpcfinder.rb +1426 -0
data/lib/turborex/msrpc/utils.rb +70 -0
data/lib/turborex/pefile.rb +8 -0
data/lib/turborex/pefile/pe.rb +61 -0
data/lib/turborex/pefile/scanner.rb +82 -0
data/lib/turborex/utils.rb +321 -0
data/lib/turborex/windows.rb +402 -0
data/lib/turborex/windows/alpc.rb +844 -0
data/lib/turborex/windows/com.rb +266 -0
data/lib/turborex/windows/com/client.rb +84 -0
data/lib/turborex/windows/com/com_finder.rb +330 -0
data/lib/turborex/windows/com/com_registry.rb +100 -0
data/lib/turborex/windows/com/interface.rb +522 -0
data/lib/turborex/windows/com/utils.rb +210 -0
data/lib/turborex/windows/constants.rb +82 -0
data/lib/turborex/windows/process.rb +56 -0
data/lib/turborex/windows/security.rb +12 -0
data/lib/turborex/windows/security/ace.rb +76 -0
data/lib/turborex/windows/security/acl.rb +25 -0
data/lib/turborex/windows/security/security_descriptor.rb +118 -0
data/lib/turborex/windows/tinysdk.rb +89 -0
data/lib/turborex/windows/utils.rb +138 -0
data/resources/headers/alpc/ntdef.h +72 -0
data/resources/headers/alpc/ntlpcapi.h +1014 -0
data/resources/headers/rpc/common.h +162 -0
data/resources/headers/rpc/guiddef.h +191 -0
data/resources/headers/rpc/internal_ndrtypes.h +262 -0
data/resources/headers/rpc/rpc.h +10 -0
data/resources/headers/rpc/rpcdce.h +266 -0
data/resources/headers/rpc/rpcdcep.h +187 -0
data/resources/headers/rpc/rpcndr.h +39 -0
data/resources/headers/rpc/v4_x64/rpcinternals.h +154 -0
data/resources/headers/rpc/wintype.h +517 -0
data/resources/headers/tinysdk/tinysdk.h +5 -0
data/resources/headers/tinysdk/tinysdk/comdef.h +645 -0
data/resources/headers/tinysdk/tinysdk/dbghelp.h +118 -0
data/resources/headers/tinysdk/tinysdk/guiddef.h +194 -0
data/resources/headers/tinysdk/tinysdk/memoryapi.h +12 -0
data/resources/headers/tinysdk/tinysdk/poppack.h +12 -0
data/resources/headers/tinysdk/tinysdk/pshpack4.h +13 -0
data/resources/headers/tinysdk/tinysdk/winnt.h +1059 -0
data/resources/headers/tinysdk/tinysdk/wintype.h +326 -0
metadata +290 -0

data/lib/turborex/windows/com/utils.rb ADDED

@@ -0,0 +1,210 @@
+module TurboRex
+  class Windows < Metasm::WinOS
+    module COM
+      module Utils
+        def self.marshal_interface(object, mshctx=MSHCTX_DIFFERENTMACHINE, mshlflags=MSHLFLAGS_NORMAL)
+          iid = object.iid
+          _iid = "{#{iid}}"
+          pstr_iid = Win32API.alloc_c_ary('OLECHAR', _iid.chars.push(0).map{|c|c.ord})
+          iid = Win32API.alloc_c_struct('CLSID')
+          Win32API.clsidfromstring(pstr_iid, iid)
+          istream = create_istream
+          hr = Win32API.comarshalinterface(istream.this, iid, object.this, mshctx, 0, mshlflags)
+          return false unless TinySDK.nt_success?(hr)
+          istream
+        end
+        def self.marshal_interface_to_string(object, mshctx=MSHCTX_DIFFERENTMACHINE, mshlflags=MSHLFLAGS_NORMAL)
+          # https://thrysoee.dk/InsideCOM+/ch15c.htm
+          istream = marshal_interface(object, mshctx, mshlflags)
+          return false unless istream
+          phglobal = Win32API.alloc_c_ptr('HGLOBAL')
+          size = Win32API.alloc_c_ptr('ULONG')
+          iid = object.iid
+          _iid = "{#{iid}}"
+          pstr_iid = Win32API.alloc_c_ary('OLECHAR', _iid.chars.push(0).map{|c|c.ord})
+          iid = Win32API.alloc_c_struct('CLSID')
+          Win32API.clsidfromstring(pstr_iid, iid)
+          hr = Win32API.cogetmarshalsizemax(size, iid, object.this, mshctx, 0, mshlflags)
+          return false unless TinySDK.nt_success?(hr)
+          Win32API.gethglobalfromstream(istream.this, phglobal)
+          addr = Win32API.globallock(phglobal[0])
+          objref = Win32API.memory_read(addr, size[0])
+          Win32API.globalunlock(phglobal[0])
+          istream.Release
+          objref
+        end
+        def self.unmarshal_interface(stream, riid, interface=nil)
+          riid =~ /\{.+\}/ ? _iid = riid : _iid = "{#{riid}}"
+          pstr_iid = Win32API.alloc_c_ary('OLECHAR', _iid.chars.push(0).map{|c|c.ord})
+          iid = Win32API.alloc_c_struct('CLSID')
+          ppv = Win32API.alloc_c_ptr('PVOID')
+          Win32API.clsidfromstring(pstr_iid, iid)
+          hr = Win32API.counmarshalinterface(stream.this, iid, ppv)
+          raise hr.to_s unless TinySDK.nt_success?(hr)
+          pthis = ppv[0]
+          return pthis unless interface
+          interface.this = pthis
+          interface
+        end
+        def self.unmarshal_interface_from_string(objref, riid, interface=nil)
+          istream = create_istream
+          return false unless istream
+          buf = Win32API.alloc_c_ary('BYTE', objref.bytesize)
+          buf.str = objref
+          hr = istream.Write(buf, objref.bytesize, 0)
+          return false unless TinySDK.nt_success?(hr)
+          # WTF? Why dlibMove won't work?
+          # dlibMove = Win32API.alloc_c_struct('LARGE_INTEGER')
+          # dlibMove.QuadPart = 0
+          # istream.Seek(dlibMove, 0, 0)
+          istream.Seek(0, 0, 0)
+          phglobal = Win32API.alloc_c_ptr('HGLOBAL')
+          Win32API.gethglobalfromstream(istream.this, phglobal)
+          addr = Win32API.globallock(phglobal[0])
+          objref = Win32API.memory_read(addr, 292)
+          unmarshal_interface(istream, riid, interface)
+        end
+        def self.create_istream
+          ppstm = Win32API.alloc_c_ptr('LPSTREAM')
+          hr = Win32API.createstreamonhglobal(0, 1, ppstm)
+          return false unless TinySDK.nt_success?(hr)
+          istream = Interface::IStream.new
+          istream.this = ppstm[0]
+          istream
+        end
+        def self.create_istorage(name, mode=STGM_SHARE_EXCLUSIVE|STGM_CREATE|STGM_READWRITE)
+          wname = Win32API.alloc_c_ary('WCHAR', name.chars.map{|c|c.unpack('C').first}.push(0))
+          ppstgOpen = Win32API.alloc_c_ptr('LPSTORAGE')
+          hr = Win32API.stgcreatedocfile(wname, mode, 0, ppstgOpen)
+          return false unless TinySDK.nt_success?(hr)
+          istorage = Interface::IStorage.new
+          istorage.this = ppstgOpen[0]
+          istorage
+        end
+        def self.clsid_to_raw(clsid)
+          pstr_clsid = INTERNAL_APIPROXY.alloc_c_ary('OLECHAR', "{#{clsid}}".chars.push(0).map{|c|c.ord})
+          pclsid = INTERNAL_APIPROXY.alloc_c_ptr('CLSID')
+          return unless INTERNAL_APIPROXY.clsidfromstring(pstr_clsid, pclsid).nil?
+          pclsid
+        end
+        def self.dll_get_class_object(rclsid, dll, interface=Interface::IClassFactory.new)
+          _api_proxy = TurboRex::Windows::COM::INTERNAL_APIPROXY.dup
+          _api_proxy.new_api_c <<-EOS, dll
+            HRESULT DllGetClassObject(
+              REFCLSID rclsid,
+              REFIID   riid,
+              LPVOID   *ppv
+            );
+          EOS
+          rclsid = clsid_to_raw(rclsid)
+          riid = clsid_to_raw(interface.iid)
+          ppv = _api_proxy.alloc_c_ptr('PVOID')
+          unless hr = _api_proxy.dllgetclassobject(rclsid, riid, ppv)
+            interface.this = ppv[0]
+            return interface
+          end
+          raise "Failed to call DllGetClassObject(): #{TinySDK.format_hex_ntstatus(hr, hex_str: true)}"
+        end
+        def get_disptbl_count(proxy_file_info)
+          pcif_stub_vtbl_list = to_ptr(@memory.get_page(proxy_file_info.pStubVtblList, @ptr_len))
+          if_stub_vtbl = TurboRex::Windows::COM::INTERNAL_APIPROXY.alloc_c_struct('CInterfaceStubVtbl')
+          if_stub_vtbl.str = @memory.get_page(pcif_stub_vtbl_list, if_stub_vtbl.sizeof)
+          return if_stub_vtbl.header.DispatchTableCount
+        end
+        def get_proxy_file_info(iid)
+          # TODO: Replace to call CoGetPSClsid()
+          require 'win32/registry'
+          Win32::Registry::HKEY_CLASSES_ROOT.open("Interface\\{#{iid}}") do |reg|
+            psclsid32_key = reg.open('ProxyStubClsid32')
+            ps_clsid = psclsid32_key.read('').last
+            psclsid32_key.close
+            Win32::Registry::HKEY_CLASSES_ROOT.open("CLSID\\#{ps_clsid}") do |reg_clsid|
+              inproc32_key = reg_clsid.open('InprocServer32')
+              dll_path = inproc32_key.read_s_expand('')
+              inproc32_key.close
+              return internal_get_proxyfile(dll_path, ps_clsid.delete('{}'))
+            end
+          end
+        end
+        # Note: The interface stub should be standard.
+        def get_pid_by_std_objref(interface)
+          objref = TurboRex::Windows::Win32API.decode_c_struct('OBJREF', interface.marshal_to_string)
+          objref.u_standard.std.ipid.Data2
+        end
+        def internal_get_proxyfile(path, clsid)
+          _api_proxy = TurboRex::Windows::COM::INTERNAL_APIPROXY.dup
+          _api_proxy.new_api_c <<-EOS, path
+            void RPC_ENTRY GetProxyDllInfo( const ProxyFileInfo*** pInfo, const CLSID ** pId );
+            HRESULT DllGetClassObject(
+              REFCLSID rclsid,
+              REFIID   riid,
+              LPVOID   *ppv
+            );
+          EOS
+          begin
+            ppproxy_fileinfo = _api_proxy.alloc_c_ptr('PVOID')
+            proxy_file_info = _api_proxy.alloc_c_struct('ProxyFileInfo')
+            ppclsid = _api_proxy.alloc_c_ptr('PVOID')
+            _api_proxy.getproxydllinfo(ppproxy_fileinfo, ppclsid)
+            pproxy_file_info = to_ptr(@memory.get_page(to_ptr(ppproxy_fileinfo.str), @ptr_len))
+            proxy_file_info.str = @memory.get_page(pproxy_file_info, proxy_file_info.sizeof)
+          rescue NoMethodError # GetProxyDllInfo() is not exported
+            ipsfactory = Interface::IPSFactoryBuffer.new
+            Utils.dll_get_class_object(clsid, path, ipsfactory)
+            cstd_psfactory = _api_proxy.alloc_c_struct('CStdPSFactoryBuffer')
+            cstd_psfactory.str =  @memory.get_page(ipsfactory.this, cstd_psfactory.sizeof)
+            pproxy_file_info = to_ptr(@memory.get_page(cstd_psfactory.pProxyFileList, @ptr_len))
+            proxy_file_info = _api_proxy.alloc_c_struct('ProxyFileInfo')
+            proxy_file_info.str = @memory.get_page(pproxy_file_info, proxy_file_info.sizeof)
+            ipsfactory.Release
+          end
+          proxy_file_info
+        end
+        def to_ptr(raw)
+          format = case @ptr_len
+          when 8
+            'Q'
+          when 4
+            'L'
+          end
+          raw.unpack(format).first
+        end
+      end
+    end
+  end
+end

data/lib/turborex/windows/constants.rb ADDED

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+module TurboRex
+  class Windows < Metasm::WinOS
+    module Constants
+      # Impersonation Level
+      SecurityAnonymous = 0
+      SecurityIdentification = 1
+      SecurityImpersonation = 2
+      SecurityDelegation = 3
+      # Security Descriptor Control
+      SE_OWNER_DEFAULTED  =             0x0001
+      SE_GROUP_DEFAULTED  =             0x0002
+      SE_DACL_PRESENT     =             0x0004
+      SE_DACL_DEFAULTED   =             0x0008
+      SE_SACL_PRESENT     =             0x0010
+      SE_SACL_DEFAULTED   =             0x0020
+      SE_DACL_AUTO_INHERIT_REQ  =       0x0100
+      SE_SACL_AUTO_INHERIT_REQ  =       0x0200
+      SE_DACL_AUTO_INHERITED  =         0x0400
+      SE_SACL_AUTO_INHERITED  =         0x0800
+      SE_DACL_PROTECTED  =              0x1000
+      SE_SACL_PROTECTED  =              0x2000
+      SE_RM_CONTROL_VALID =             0x4000
+      SE_SELF_RELATIVE = 0x8000
+      ## ACE Type
+      ACCESS_MIN_MS_ACE_TYPE  =                0x0
+      ACCESS_ALLOWED_ACE_TYPE =                0x0
+      ACCESS_DENIED_ACE_TYPE  =                0x1
+      SYSTEM_AUDIT_ACE_TYPE   =                0x2
+      SYSTEM_ALARM_ACE_TYPE   =                0x3
+      ACCESS_MAX_MS_V2_ACE_TYPE =              0x3
+      ACCESS_ALLOWED_COMPOUND_ACE_TYPE =       0x4
+      ACCESS_MAX_MS_V3_ACE_TYPE =              0x4
+      ACCESS_MIN_MS_OBJECT_ACE_TYPE  =         0x5
+      ACCESS_ALLOWED_OBJECT_ACE_TYPE  =        0x5
+      ACCESS_DENIED_OBJECT_ACE_TYPE  =         0x6
+      SYSTEM_AUDIT_OBJECT_ACE_TYPE =           0x7
+      SYSTEM_ALARM_OBJECT_ACE_TYPE =           0x8
+      ACCESS_MAX_MS_OBJECT_ACE_TYPE  =         0x8
+      ACCESS_MAX_MS_V4_ACE_TYPE  =             0x8
+      ACCESS_MAX_MS_ACE_TYPE =                 0x8
+      ACCESS_ALLOWED_CALLBACK_ACE_TYPE =       0x9
+      ACCESS_DENIED_CALLBACK_ACE_TYPE  =       0xA
+      ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE = 0xB
+      ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE =  0xC
+      SYSTEM_AUDIT_CALLBACK_ACE_TYPE =         0xD
+      SYSTEM_ALARM_CALLBACK_ACE_TYPE =         0xE
+      SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE  = 0xF
+      SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE  = 0x10
+      SYSTEM_MANDATORY_LABEL_ACE_TYPE =        0x11
+      SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE =     0x12
+      SYSTEM_SCOPED_POLICY_ID_ACE_TYPE =       0x13
+      SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE =    0x14
+      SYSTEM_ACCESS_FILTER_ACE_TYPE =          0x15
+      ACCESS_MAX_MS_V5_ACE_TYPE =              0x15
+      # ACE Flag
+      OBJECT_INHERIT_ACE  =              0x1
+      CONTAINER_INHERIT_ACE =            0x2
+      NO_PROPAGATE_INHERIT_ACE =         0x4
+      INHERIT_ONLY_ACE =                 0x8
+      INHERITED_ACE  =                   0x10
+      VALID_INHERIT_FLAGS =              0x1F
+      CRITICAL_ACE_FLAG =                0x20
+      SUCCESSFUL_ACCESS_ACE_FLAG =       0x40
+      FAILED_ACCESS_ACE_FLAG =           0x80
+      TRUST_PROTECTED_FILTER_ACE_FLAG =  0x40
+      # UnOfficial
+      MAX_BUCKETS_NUM = 0x17
+    end
+  end
+end

data/lib/turborex/windows/process.rb ADDED

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+module TurboRex
+  class Windows < Metasm::WinOS
+    class Process < Metasm::WinOS::Process
+      def disassembler
+        return @disassembler if @disassembler
+        case self.cpusz
+        when 32
+          @disassembler = Metasm::Shellcode.decode(self.memory, Metasm::Ia32.new).disassembler
+        when 64
+          @disassembler = Metasm::Shellcode.decode(self.memory, Metasm::X86_64.new).disassembler
+        end
+      end
+      def load_symbol_table(libname)
+        initialize_sym_handler
+        unless lib = modules.find { |m| m.path =~ Regexp.new(libname, true) }
+          return false
+        end
+        if Win32API.symloadmoduleex(self.handle, 0, libname, 0, lib.addr, lib.size, 0, 0) == 0 &&
+           Win32API.getlasterror != 0
+            return false
+        end
+        # module_info = Win32API.alloc_c_struct('IMAGEHLP_MODULE64')
+        # module_info.SizeOfStruct = module_info.sizeof
+        # unless Win32API.symgetmoduleinfo64(self.handle, lib.addr, module_info) == 1
+        #   return false
+        # end
+        true
+      end
+      def close_handle
+        Metasm::WinAPI.closehandle(handle)
+      end
+      private
+      def initialize_sym_handler
+        return true if @sym_handler_initialized
+        Win32API.syminitialize(self.handle, 0, false)
+        Win32API.symsetoptions(Win32API.symgetoptions |
+                               Win32API::SYMOPT_DEFERRED_LOADS |
+                               Win32API::SYMOPT_NO_PROMPTS # | Win32API::SYMOPT_DEBUG
+                               )
+        sympath = ENV.fetch('_NT_SYMBOL_PATH') { 'srv*C:\\symbols*https://msdl.microsoft.com/download/symbols;' }
+        Win32API.symsetsearchpath(self.handle, sympath.dup)
+        @sym_handler_initialized = true
+      end
+    end
+  end
+end

data/lib/turborex/windows/security.rb ADDED

@@ -0,0 +1,12 @@
+warn "\033[33m[-]Warning: This module doesn't currently work on non-Windows os.\033[0m" unless OS.windows?
+module TurboRex
+  class Windows < Metasm::WinOS
+    module Security
+      include TurboRex::Windows::Constants
+      require 'turborex/windows/security/ace.rb'
+      require 'turborex/windows/security/acl.rb'
+      require 'turborex/windows/security/security_descriptor.rb'
+    end
+  end
+end

data/lib/turborex/windows/security/ace.rb ADDED

@@ -0,0 +1,76 @@
+module TurboRex
+  class Windows < Metasm::WinOS
+    module Security
+      class ACE
+        attr_reader :type
+        attr_reader :flags
+        def initialize(type, flags)
+          @type = type
+          @flags = flags
+        end
+        def self.from_raw(raw)
+          ace_header = TurboRex::Windows::Win32API.decode_c_struct('ACE_HEADER', raw)
+          sid_offset = ace_header.sizeof + 4
+          type = ace_header.AceType
+          flags = ace_header.AceFlags
+          mask = raw[ace_header.sizeof, 4].unpack('V').first
+          sid = TurboRex::Windows::Win32API.decode_c_struct('SID', raw, sid_offset)
+          ppszsid = TurboRex::Windows::Win32API.alloc_c_ptr('LPSTR')
+          if TurboRex::Windows::Win32API.convertsidtostringsida(sid, ppszsid) == 0
+            raise "Unable to call ConvertSidToStringSidA. GetLastError returns: #{TurboRex::Windows::Win32API.getlasterror}"
+          end
+          sz_sid = TurboRex::Windows::Win32API.memory_read_strz(ppszsid[0])
+          case type
+          when TurboRex::Windows::Constants::ACCESS_DENIED_ACE_TYPE
+            AccessDeniedACE.new(mask, sz_sid, flags)
+          when TurboRex::Windows::Constants::ACCESS_ALLOWED_ACE_TYPE
+            AccessAllowedACE.new(mask, sz_sid, flags)
+          end
+        end
+      end
+      class AccessAllowedACE < ACE
+        attr_reader :mask
+        attr_reader :sid
+        attr_reader :short
+        def initialize(mask, sid, flags, type=TurboRex::Windows::Constants::ACCESS_ALLOWED_ACE_TYPE)
+          @mask = mask
+          @sid = sid
+          @short = :allowed
+          super(type, flags)
+        end
+      end
+      class AccessDeniedACE < ACE
+        attr_reader :mask
+        attr_reader :sid
+        attr_reader :short
+        def initialize(mask, sid, flags, type=TurboRex::Windows::Constants::ACCESS_DENIED_ACE_TYPE)
+          @mask = mask
+          @sid = sid
+          @short = :denied
+          super(type, flags)
+        end
+      end
+      class SystemAuditAce < ACE
+        attr_reader :mask
+        attr_reader :sid
+        attr_reader :short
+        def initialize(mask, sid, flags, type=TurboRex::Windows::Constants::SYSTEM_AUDIT_ACE_TYPE)
+          @mask = mask
+          @sid = sid
+          @short = :audit
+          super(type, flags)
+        end
+      end
+    end
+  end
+end

data/lib/turborex/windows/security/acl.rb ADDED

@@ -0,0 +1,25 @@
+require 'turborex/windows/security/ace.rb'
+module TurboRex
+  class Windows < Metasm::WinOS
+    module Security
+      class ACL
+        class DACL < ACL
+          attr_reader :revision
+          attr_reader :count
+          attr_reader :ace_list
+          def initialize(revision, count, ace_list=[])
+            @revision = revision
+            @count = count
+            @ace_list = ace_list.freeze
+          end
+          def self.from_raw(raw)
+            raise NotImplementedError
+          end
+        end
+      end
+    end
+  end
+end