The sic from 0vercl0k

sic's Introduction

Hello, world 👋

If you made it all the way here, you might as well check out some of my projects and where I blog 😊. Oh, and if you want to say hi, come hangout on the Diary of a reverse-engineer's discord: invite!

Windows related

wtf: A distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows,
windbg-scripts: A collection of JavaScript debugger extensions for WinDbg,
kdmp-parser / udmp-parser: C++ libraries to parse Windows kernel and usermode dumps (udmp-parser-rs / kdmp-parser-rs for Rust crates),
🔮 clairvoyance: Visualize the virtual address space of a Windows process on a Hilbert curve,
symbolizer-rs: A fast execution trace symbolizer for Windows that runs on all major platforms and doesn't depend on any Microsoft libraries,
SiC: Enumerate user mode shared memory mappings on Windows,
KEPaboo: Neutralize KEPServerEX anti-debugging techniques,
rp-bf.rs: A library to bruteforce ROP gadgets by emulating a Windows user-mode crash-dump,
Various CVE PoCs for tcpip.sys (CVE-2021-24086), http.sys (CVE-2021-31166), Hyper-V (CVE-2021-28476), Realtek's RTKVHD64.sys driver (CVE-2021-32537) and the Mozilla browser (CVE-2022-28281),
Modern Debugging with WinDbg Preview: Workshop that @hugsy and I ran during Defcon 27.

Exploitation

Paracosme: Zero-click remote memory corruption exploit that compromises ICONICS Genesis64 (Pwn2Own Miami 2022),
Longue vue: Over-the-web remote compromise exploit chain for NETGEAR DGND3700v2 devices,
Zenith: Remote kernel exploit for the TP-Link AC1750 Smart Wi-Fi Router (Pwn2Own Austin 2021),
Pwn2Own Miami 2023: Writeups/PoCs for bugs I found while preparing for Pwn2Own Miami 2023 targeting UaGateway in the OPC UA Server category,
CVE-2019-11708: Full chain for CVE-2019-11708 & CVE-2019-9810,
CVE-2019-9810: RCE exploit for Firefox on Windows.

Misc

rp: A fast C++ ROP gadget finder for PE/ELF/Mach-O x86/x64/ARM binaries,
z3-playground: A bunch of Z3-python scripts that can be used as examples, reminders, etc.
Theorem prover, symbolic execution and practical reverse-engineering: Presentation I gave in Lille, France in 2015,
teesee-calc: A simple web application that allows you to visualize and compare total compensation packages.

sic's People

Contributors

Stargazers

Watchers

sic's Issues

Fix race in IRP_MJ_DEVICE_CONTROL

The sic driver has been basically designed to handle one client at a time; the accesses to the global state are not synchronized and as a result two thread could execute the IRP_MJ_DEVICE_CONTROL callback which would probably lead to memory corruptions of some sort.

Verifier 0x2001F bugcheck.

When fixing #2 I didn't realize that acquiring the mutex bumped the IRQL to APC_LEVEL when a bunch of code expects to be running at PASSIVE; verifier detected this a:t runtime

Driver Verifier: Bugcheck initiated with Error Code: 0x2001F Error Message: 'ZwClose should only be called at IRQL = PASSIVE_LEVEL.'
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x000000c4
                       (0x000000000002001F,0xFFFFF80209086738,0x0000000000000000,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff802`07bd86a0 cc              int     3
kd> kp
 # Child-SP          RetAddr               Call Site
00 ffff9189`5a92e638 fffff802`07cba642     nt!DbgBreakPointWithStatus
01 ffff9189`5a92e640 fffff802`07cb9d32     nt!KiBugCheckDebugBreak+0x12
02 ffff9189`5a92e6a0 fffff802`07bd0a07     nt!KeBugCheck2+0x952
03 ffff9189`5a92eda0 fffff802`09075386     nt!KeBugCheckEx+0x107
04 ffff9189`5a92ede0 fffff802`09073a89     VerifierExt!XdvInitiateBugcheck+0x3a
05 ffff9189`5a92ee20 fffff802`090539cf     VerifierExt!XdvUnifiedBugCheck+0x239
06 ffff9189`5a92ee90 fffff802`09053a16     VerifierExt!SLIC_ZwClose_entry_IrqlZwPassive+0x33
07 ffff9189`5a92eed0 fffff802`08382960     VerifierExt!ZwClose_wrapper+0x36
08 ffff9189`5a92ef20 fffff802`0b56601f     nt!VerifierZwClose+0x10
09 ffff9189`5a92ef50 fffff802`0b565b9b     sic_drv+0x601f

Recommend Projects