pedumper: A new tool for dumping PE files

Chihiro Hasegawa — Wed, 14 Dec 2022 22:21:11 +0000

Summary

I have published a new tool for dumping PE files in the target memory on Windows🎉
The tool name is pedumper. Here is a link for the tool.
https://github.com/owlinux1000/pedumper

Installation

You can easily install pedumper by pip.

pip install pedumper

How to use

pedumper is a very simple interface as follows. You have to pass an argument which is a PID of the target process.

If the tool can find a valid PE file, the file is saved on the disk. The filename is used by the memory address.

How to create `pedumper`?

When I create this tool, I have to learn two things.

1. `ctypes`

ctypes is a standard library of python. To use this library, we can execute Win32 API on Python like this.

def read_process_memory(hProcess: int, offset: int, size: ctypes.c_size_t) -> bytes:
    buf = ctypes.create_string_buffer(size)
    ctypes.windll.kernel32.ReadProcessMemory(
        ctypes.cast(hProcess, ctypes.c_void_p),
        ctypes.cast(offset, ctypes.c_void_p),
        ctypes.cast(buf, ctypes.c_wchar_p),
        size,
        None,
    )

2. Memory Basic Information of Windows

On Windows, a memory of the process is defined by MEMORY_BASIC_INFORMAION structure. Here is a definition from Microsoft Official document. I have learned some fileds of the structure through implementing pedumper.

typedef struct _MEMORY_BASIC_INFORMATION {
  PVOID  BaseAddress;
  PVOID  AllocationBase;
  DWORD  AllocationProtect;
  WORD   PartitionId;
  SIZE_T RegionSize;
  DWORD  State;
  DWORD  Protect;
  DWORD  Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;

Conclusion

I introduced pedumper created by myself. If you are interested in the tool, please use it and tell me feedback😄

A new tool for recon Office365 users

Chihiro Hasegawa — Thu, 19 May 2022 12:59:52 +0000

A few days ago, I created a tool called o365discover to reconnaissance Office 365 users for penetration testing. Using this tool, you can easily check whether a lot of users exist or not on Office 365. Off course, I know there are some similar and famous tools like o365creeper. However, most of these tools are slow because they does not support parallel execution. Therefore, I have implemented paralell execution by goroutine of golang. However, I'm not familiar with golang. Please feel free to advise me!

Next, It's time to explain how to use. However, the way to use is very simple. If the given username does not exist, this tool does not display any result. This tool displays only valid usernames.

$ o365discover -u valid@example.com
valid@example.com
$ o365discover -u invalid@example.com # nothing
$ o365discover -f emails.txt

Finally, You can download the binary from this URL
https://github.com/owlinux1000/o365discover/releases/tag/v1.0.1

Also you can install with go command.
go install github.com/owlinux1000/o365discover@latest

Please try it!

Note

This tool is offered with no warranty and is to be used at your own risk and discretion.

Forem: Chihiro Hasegawa