JLospinoso / Gargoyle

Licence: agpl-3.0
A memory scanning evasion technique

Programming language: assembly

Projects that are alternatives of or similar to Gargoyle

Plasma
Plasma is an interactive disassembler for x86/ARM/MIPS. It can generate indented pseudo-code with colored syntax.
Stars: ✭ 2,956 (+590.65%)
Mutual labels:  x86
Sse2neon
A translator from Intel SSE intrinsics to Arm/Aarch64 NEON implementation
Stars: ✭ 316 (-26.17%)
Mutual labels:  x86
Mini C
Dr Strangehack, or: how to write a self-hosting C compiler in 10 hours
Stars: ✭ 372 (-13.08%)
Mutual labels:  x86
Limine
x86/x86_64 BIOS Bootloader
Stars: ✭ 288 (-32.71%)
Mutual labels:  x86
Kernel Zig
💾 hobby x86 kernel zig
Stars: ✭ 301 (-29.67%)
Mutual labels:  x86
Toaruos
A completely-from-scratch hobby operating system: bootloader, kernel, drivers, C library, and userspace including a composited graphical UI, dynamic linker, syntax-highlighting text editor, network stack, etc.
Stars: ✭ 4,687 (+995.09%)
Mutual labels:  x86
Mirage
kernel-mode Anti-Anti-Debug plugin. based on intel vt-x && ept technology
Stars: ✭ 272 (-36.45%)
Mutual labels:  x86
Dosbox Staging
DOS/x86 emulator focusing on ease of use
Stars: ✭ 412 (-3.74%)
Mutual labels:  x86
Reverse Engineering Tutorial
A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit ARM & 64-bit ARM architectures.
Stars: ✭ 5,763 (+1246.5%)
Mutual labels:  x86
Ghost
Ghost, a micro-kernel based hobby operating system for the x86 architecture.
Stars: ✭ 353 (-17.52%)
Mutual labels:  x86
Lbforth
Self-hosting metacompiled Forth, bootstrapping from a few lines of C; targets Linux, Windows, ARM, RISC-V, 68000, PDP-11, asm.js.
Stars: ✭ 293 (-31.54%)
Mutual labels:  x86
Pillman
Pillman boot sector game, a yellow thing eats pills and is chased by monsters.
Stars: ✭ 298 (-30.37%)
Mutual labels:  x86
Mnist Android Tensorflow
Handwritten digits classification from MNIST with TensorFlow on Android; Featuring Tutorial!
Stars: ✭ 328 (-23.36%)
Mutual labels:  x86
Xbook2
xbook2 is a 32-bit operating system based on the x86 processor. It implements a large set of basic functionality and can be used to learn operating system concepts.
Stars: ✭ 273 (-36.21%)
Mutual labels:  x86
Labeless
Labeless is a multipurpose IDA Pro plugin system for labels/comments synchronization with a debugger backend, with complex memory dumping and interactive Python scripting capabilities.
Stars: ✭ 378 (-11.68%)
Mutual labels:  x86
Maxine Vm
Maxine VM: A meta-circular research VM
Stars: ✭ 274 (-35.98%)
Mutual labels:  x86
X86 Bare Metal Examples
Dozens of minimal operating systems to learn x86 system programming. Tested on Ubuntu 17.10 host in QEMU 2.10 and real hardware. Userland cheat at: https://github.com/cirosantilli/linux-kernel-module-cheat#userland-assembly ARM baremetal setup at: https://github.com/cirosantilli/linux-kernel-module-cheat#baremetal-setup Dozens of minimal operating systems for learning x86 system programming. 已在QE…
Stars: ✭ 3,985 (+831.07%)
Mutual labels:  x86
Winrepl
x86 and x64 assembly "read-eval-print loop" shell for Windows
Stars: ✭ 424 (-0.93%)
Mutual labels:  x86
Y86
A Y86 pipeline CPU simulator in JavaScript.
Stars: ✭ 404 (-5.61%)
Mutual labels:  x86
Easy Linux Pwn
A set of Linux binary exploitation tasks for beginners on various architectures
Stars: ✭ 353 (-17.52%)
Mutual labels:  x86

[image: gargoyle title]

[image: gargoyle infographic]

Building gargoyle

gargoyle is only implemented for 32-bit Windows (running it as a 32-bit process under WoW64 on 64-bit Windows is fine). You must have the following installed:

  • Visual Studio: 2017 Community is tested, but it may work with other versions.
  • Netwide Assembler: v2.12.02 x64 is tested, but it may work with other versions. Make sure nasm.exe is on your PATH.

Clone gargoyle:

    git clone https://github.com/JLospinoso/gargoyle.git

Open Gargoyle.sln, build, and run. There is some harness code in main.cpp that configures the following three components:

  • gargoyle stack trampoline, stack, and configuration (read/write memory on the heap)
  • gargoyle position independent code (PIC) that receives the ROP gadget/stack trampoline and runs arbitrary code
  • A ROP gadget. If you have mshtml.dll, gargoyle will load it into memory and use it. If it is not available, you will have to tell gargoyle to allocate its own (3-byte) ROP gadget on the heap:

    // main.cpp
    auto use_mshtml{ true };
    auto gadget_memory = get_gadget(use_mshtml, gadget_pic_path);

Every 15 seconds, gargoyle will pop up a message box. When you click OK, gargoyle sets up the tail calls to mark itself non-executable and to wait for the timer. For fun, use Sysinternals' excellent VMMap tool to examine when gargoyle's PIC is executable: while a message box is active, the PIC will be executable; when no message box is active, it should not be. The PIC's address is printed to stdout just before the harness calls into the PIC.

More information

See the blog post available at lospi.net for more information.

Also feel free to hop on Gitter: https://gitter.im/grgyl/Lobby