From c8b9c18faf57d6c17fe3716c53b6841615a8c245 Mon Sep 17 00:00:00 2001
From: winterrdog
Date: Thu, 2 Mar 2023 16:44:54 +0300
Subject: [PATCH 1/3] ignore development environment artifacts
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..600d2d3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.vscode
\ No newline at end of file
From 47f8901d7ee96f8cad0216020b924df87cde1945 Mon Sep 17 00:00:00 2001
From: winterrdog
Date: Thu, 2 Mar 2023 16:45:58 +0300
Subject: [PATCH 2/3] ease `crc32b` hash generation
---
 Hell'sHall/Hell'sHall/gen_crc32b_hashes.py | 55 ++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100755 Hell'sHall/Hell'sHall/gen_crc32b_hashes.py
diff --git a/Hell'sHall/Hell'sHall/gen_crc32b_hashes.py b/Hell'sHall/Hell'sHall/gen_crc32b_hashes.py
new file mode 100755
index 0000000..aab5eee
--- /dev/null
+++ b/Hell'sHall/Hell'sHall/gen_crc32b_hashes.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+import sys
+
+POLYNOMIAL = 0xedb88320
+INIT_MASK = 0xffffffff
+
+
+def crc32_chksum(in_str: str) -> str:
+    crc = INIT_MASK
+
+    for each_byte in in_str.encode():
+        crc ^= each_byte
+
+        for _ in range(8):
+            mask = INIT_MASK if (crc & 1) else 0x0
+            crc = (crc >> 1) ^ (POLYNOMIAL & mask)
+
+    crc ^= INIT_MASK
+
+    return "".join(("0x", hex(crc)[2:].upper()))
+
+
+def main():
+    try:
+        ntdll_funcs = sys.argv[1].split(',')
+        ntdll_func_dict = {
+            ntdll_func: crc32_chksum(ntdll_func)
+            for ntdll_func in ntdll_funcs
+        }
+
+        out = ""
+        for fn_name, fn_crc32_hash in ntdll_func_dict.items():
+            out = "\n".join(
+                (out, f"#define {fn_name}_CRC32b \t{fn_crc32_hash}"))
+
+        print(out)
+    except Exception:
+        err_msg = f"""[-] Please provide the "ntdll" functions.
+    Usage: {sys.argv[0]} "func1,func2,func3,..."
+
+    e.g.
+        {sys.argv[0]} "NtCreateThreadEx"
+        {sys.argv[0]} "NtCreateThreadEx,NtCreateSection"
+        {sys.argv[0]} "NtCreateThreadEx,NtAllocateVirtualMemory,NtProtectVirtualMemory"
+    """
+
+    print(err_msg)
+    sys.exit(1)
+
+
+if __name__ == "__main__":
+    # unit test
+    # assert (crc32_chksum("NtCreateThreadEx") == "0x2073465A")
+
+    main()
From f09a2d500ae039eb99f7f781447906e6f32d357f Mon Sep 17 00:00:00 2001
From: winterrdog
Date: Thu, 2 Mar 2023 17:01:54 +0300
Subject: [PATCH 3/3] `strip` whitespace chacters from function names
---
 Hell'sHall/Hell'sHall/gen_crc32b_hashes.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Hell'sHall/Hell'sHall/gen_crc32b_hashes.py b/Hell'sHall/Hell'sHall/gen_crc32b_hashes.py
index aab5eee..15f5ca3 100755
--- a/Hell'sHall/Hell'sHall/gen_crc32b_hashes.py
+++ b/Hell'sHall/Hell'sHall/gen_crc32b_hashes.py
@@ -24,7 +24,7 @@ def main():
     try:
         ntdll_funcs = sys.argv[1].split(',')
         ntdll_func_dict = {
-            ntdll_func: crc32_chksum(ntdll_func)
+            ntdll_func: crc32_chksum(ntdll_func.strip())
             for ntdll_func in ntdll_funcs
         }
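Review bot: As shown in the hunk, `print(err_msg)` and `sys.exit(1)` at the end of `main` sit at the `try`'s indentation rather than inside `except Exception:`, so on the success path the script prints the defines and then raises UnboundLocalError on `err_msg` (and exits non-zero); both lines need four more spaces so they live in the `except` body. While there, `except Exception:` also turns any bug in the hashing path into the usage message, and only the `sys.argv[1]` access can legitimately fail here, so `except IndexError:` is the right net. The bit loop in `crc32_chksum` (init 0xFFFFFFFF, reflected polynomial 0xEDB88320, final XOR 0xFFFFFFFF) is exactly the CRC-32 that `zlib.crc32` computes, so the body can become `return f"0x{zlib.crc32(in_str.encode()):08X}"` with `import zlib` beside `import sys`; the `:08X` width also fixes the unpadded `hex(crc)[2:]` output, which drops leading zero nibbles. These constants are presumably matched against a CRC the C side computes over exported names at runtime (not visible here), so the commented-out `assert (crc32_chksum("NtCreateThreadEx") == "0x2073465A")` deserves to be a real doctest in the function's docstring rather than a comment, so the two implementations cannot drift apart silently.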
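Review bot: The `.strip()` on the changed line is applied only to the hash input, while the dictionary key keeps the unstripped name, and that key is what `main` later formats into `#define {fn_name}_CRC32b` (outside this hunk); so an argument like `"NtCreateThreadEx ,NtCreateSection"` hashes the trimmed name but emits `#define NtCreateThreadEx _CRC32b 0x...`, a macro named `NtCreateThreadEx` whose body is the stray `_CRC32b` plus the value. Strip once at the split and also drop empty entries (which would otherwise produce `#define _CRC32b 0x0`), `ntdll_funcs = [fn.strip() for fn in sys.argv[1].split(',') if fn.strip()]`, and keep key and hash input identical, `ntdll_func: crc32_chksum(ntdll_func)`. `main` starts and ends outside the hunk.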