• file operation monitoring
• process creation monitoring
• dynamic library and kernel extension monitoring
• network traffic monitoring
• Mandatory Access Control (MAC) policy monitoring, etc.

• Please turn off macOS System Integrity Protection (SIP) check if you don't have a valid kernel certificate
• Use the command "sudo chown -R root:wheel kemon.kext" to change the owner of the Kemon driver
• Use the command "sudo kextload kemon.kext" to install the Kemon driver
• Use the command "sudo kextunload kemon.kext" to uninstall the Kemon driver

git clone https://github.com/esmog/nodexp

python2.7 nodexp -h

python2.7 nodexp.py --url="http://nodegoat.herokuapp.com/contributions" --pdata="preTax=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA"
python2.7 nodexp.py --url="http://nodegoat.herokuapp.com/contributions" --pdata="preTax=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA" --tech=blind

python2.7 nodexp.py --url="http://192.168.64.30/?name=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA"
python2.7 nodexp.py --url="http://192.168.64.30/?name=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA" --tech=blind

• Python 2.7
• Metasploit Framework
• msfvenom
• Kali Linux (or any other Linux distro with Metasploit Framework installed)

• Download and run the Node.js files for both GET and POST cases from here
• Visit Nodegoat or install Nodegoat to your local machine!

• Python 2.7

• Dimitris Antonaropoulos - esmog

python3 subscraper.py example.com
python3 subscraper.py -t 5 -o csv example.com

  -s              Only use internet to find subdomains
  -b              Only use DNS brute forcing to find subdomains
  -o OUTFILE      Define output file type: csv/txt (Default: None)
  -t MAX_THREADS  Max threads (Default: 10)
  -w SUBLIST      Custom subdomain wordlist

• BurpSuite Professional v2.0.0beta or greater from PortSwigger

go get -u -v github.com/fatih/color
go get -u -v github.com/integrii/flaggy
go get -u -v github.com/tidwall/gjson
go get -u -v github.com/grokify/html-strip-tags-go

# macOS binary
make darwin

# Linux binary
make linux

# Windows binary
make windows

# Build releases
make all

$ go run Gurp.go -h
Gurp - Interact with Burp API  Flags:
    -h --help  Displays help with available flag, subcommand, and positional value parameters.
    -t --target  Burp Address. Default 127.0.0.1
    -p --port  Burp API Port. Default 1337
    -U --username  Username for an authenticated scan
    -P --password  Password for an authenticated scan
    -s --scan  URLs to scan
    -S --scan-id  Scanned URL identifier
    -M --metrics  Provides metrics for a given task
    -D --description  Provides description for a given issue
    -d --description-names  Returns vulnerability names from PortSwigger
    -I --issues  Provides issues for a given task
    -e --export  Export issues json.
    -k --key  Api Key
    -v --version  Gurp version

• Create a scan

go run Gurp.go -s "localhost.com/WebGoat/attack"
 [+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
 [i] INFO Setting up scanner...
 [+] SUCCESS: Scanning localhost.com/WebGoat/attack over 8.

• Get Scan Metrics

go run Gurp.go -S 8 -M
 [+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
 [!] ALERT Retrieving Metrics from task 8
          [i] INFO: Scan status succeeded
          [i] INFO: 181 Requests made
          [i] INFO: 0 Requests queued
          [i] INFO: 6 Audit items completed
          [i] INFO: 0 Audit items waiting
          [i] INFO: 20058 Audit requests made
          [i] INFO: 2 Audit network errors
          [i] INFO: 5 Issue events

• Get Issues from scan

go run Gurp.go -S 8 -I
 [+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
 [!] ALERT: Retrieving Issues from task 8
         [i] INFO: Frameable response (potential Clickjacking)
         [*] HIGH: Cleartext submission of password
         [*] LOW: Password field with autocomplete enabled
         [*] MEDIUM: Host header poisoning
         [i] INFO: Path-relative style sheet import

• Export Issues' json

go run Gurp.go -S 8 -e /tmp
 [+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
 [!] ALERT: Retrieving Issues from task 8
         [i] INFO: Frameable response (potential Clickjacking)
         [*] HIGH: Cleartext submission of password
         [*] LOW: Password field with autocomplete enabled
         [*] MEDIUM: Host header poisoning
         [i] INFO: Path-relative style sheet import
 [!] ALERT: Exporting raw json to /tmp

• Launch an authenticated scan with user/password

go run Gurp.go -s test.com -U admin -P 1234
 [+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
 [i] INFO Setting up scanner using credentials admin:1234
 [+] SUCCESS: Scanning test.com over 13.

• Connect to Burp using API Key

go run Gurp.go -k "APIKEY" -d | grep -i SQL
         [2] SQL injection
         [3] SQL injection (second order)
         [35] Client-side SQL injection (DOM-based)
         [36] Client-side SQL injection (reflected DOM-based)
         [37] Client-side SQL injection (stored DOM-based)
         [68] SQL statement in request parameter

• Burpsuite
• Java

• Burpsuite 1.7.36
• Windows 10
• xubuntu 18.04
• Kali Linux 2018

• Decrypt AES Encrypted traffic on proxy tab
• Decrypt AES Encrypted traffic on proxy, scanner, repeater and intruder

• Require AES Encryption Key (Can be obtained by reversing mobile app)
• Require AES Encryption Initialize Vector (Can be obtained by reversing mobile app)
• Request Parameter (Leave blank in case of whole request body)
• Response Parameter (Leave blank in case of whole response body)
• Character Separated with space for obfuscation on request/response
• URL/Host of target to filter request and response

Download jar file from Release and add in burpsuite

cd C:\path\to\XenoScan
buildmsvc2017.bat

1. Create project/make files for your target IDE/compiler.
2. Remove the ScannerTargetWindows.cpp and ScannerTargetWindows.h files from the project.
3. Implement the ScannerTarget interface for your platform.
4. Add your implementation to the project.
5. ???? profit

• Integral types*:
  • int8_t
  • uint8_t
  • int16_t
  • uint16_t
  • int32_t
  • uint32_t
  • int64_t
  • uint64_t
• float
• double
• ascii strings
• wide strings
• Custom data structures (think C++struct)
  • Can consist of any combination integral and decimal types

• Equal to
• Greater than
• Greater than or equal to
• Less than
• Less than or equal to
• Ranges (min <= check <= max)

• std::map
• std::list
• Any class with a virtual-function table

git clone https://github.com/DarkSpiritz/DarkSpiritz.git

sudo python installer.py

python main.py

• Real Time Updating of Configuration
• Never a need to restart the program even when adding plugins or editing them.
• Easy to use UX
• Multi-functionality

1. Determining similar executable malware samples (PE/PE+) according to the import table (imphash) and group them by different colors (pay attention to the second column from output). Thus, colors matter!
   
2. Determining whether executable malware samples are packed or not packed according to the following rules:
   

        2a. Two or more sections with Entropy > 7.0 or < 1.0 ==> Packed.
   
        2b. One one section with Entropy > 7.0 or two sections with SizeOfRawData ==> Likely packed.
   
        2c. None section with Entropy > 7.0 or SizeOfRawData ==> not packed.

3. Determining whether the malware samples contain overlay.
   
4. Determining the .text section entropy.
   

        Malwoverview.py only examines PE/PE+ files, skipping everything else.  

5. Checking each malware sample against Virus Total.

1. Python version 2.7.x.
   

   $ apt-get install python

2. Python-magic.
   To install python-magic package you can execute the following command:
   

   $ pip install python-magic

   Or compiling it from the github repository:
   

   $ git clone https://github.com/ahupp/python-magic
   $ cd python-magic/
   $ python setup.py build
   $ python setup.py install

   As there are serious problems about existing two versions of python-magic package, my recommendation is to install it from github (second procedure above) and copy the magic.py file to the SAME directory of malwoverview tool.
   
3. Pefile and colorama packages:
   

   $ pip install pefile
   $ pip install colorama
   $ pip install simple-json
   $ pip install requests

  $ python malwoverview -d <directory> -f <fullpath> -i <0|1> -b <0|1> -v <0|1> -a <0|1> -p <0|1> -s <0|1> -x <0|1>

<directory> -d is the folder containing malware samples. 
<fullpath>  -f specifies the full path to a file. Shows general information about the file (any filetype).
    (optional)  -b 1 forces light gray background (for black terminals). It does not work with -f option.
    (optional)  -i 1 show imports and exports (it is used with -f option).
    (optional)  -x 1 extracts overlay (it is used with -f option).
    (optional)  -v 1 queries Virus Total database for positives and totals (any filetype).
    (optional)  -a 1 (optional) query Hybrid Analysis database for general report.Thus, you need to edit the 
                      malwoverview.py and insert your HA API and respective secret.
    (optional)  -s 1 shows antivirus reports from the main players. This option is used with 
                     -f option (any filetype). 
    (optional)  -p 1 use this option if you have a public Virus Total API. It forces a one minute wait 
                     every 4 malware samples, but allows obtaining a complete evaluation of the malware repository..


    If you use Virus Total option, so it is necessary to edit the malwoverview.py and insert your VT API. 

    Remember that public VT API only allows 4 searches per second (as shown at the image above). Therefore, if you 
    are willing to wait some minutes, so you can use the -p option, which forces a one minute wait every 4 malware 
    samples, but allows obtaining a complete evaluation of the repository.


    *ATENTION: if the directory contains many malware samples, so malwoverview.py could take some time. :)

  This version:

        * Adds the -a option for getting the Hybrid Analysis summary report.
        * Adds the -i option for listing imported and exported functions. Therefore, imported/exported function 
          report was decoupled for a separated option.  

  This version:

        * Adds the -p option for public Virus Total API.

  This version includes:

        * evaluates a single file (any filetype)
        * shows PE sessions.
        * shows imported functions.
        * shows exported function.
        * extracts overlay.
        * shows AV report from the main players. (any filetype)

  This version:

        * Adds the VT checking feature.

  Malwoverview is a tool to perform a first triage of malware samples in a directory and group them according 
  to their import functions (imphash) using colors. This version:

        * Shows the imphash information classified by color. 
        * Checks whether malware samples are packed.  
        * Checks whether malware samples have overlay. 
        * Shows the entropy of the malware samples. 

1. This project is not produced, endorsed, or monitored by the Windows debugger team. While the debugger team welcomes feedback about their API and front ends (windbg, kd, et al), they have no connection with this project. Do not file bugs or feedback to the debugger team concerning this project.
   
2. This is not a funded project: it has no official resources allocated to it, and is only worked on by volunteers. Do not take any production dependency on this project unless you are willing to support it completely yourself. Feel free to file Issues and submit Pull Requests, but understand that with the limited volunteer resources, it may be a while before your submissions are handled.
   
3. This is an experimental project: it is not fully baked, and you should expect breaking changes to be made often.
   

• Using the built-in scripting language is arcane, limited, difficult to get right, and difficult to get help with.
• DScript is kind of neat, but virtually unknown, and it lacks a REPL, and it's too low-level.
• Writing a full-blown debugger extension DLL is very powerful, but it's a significant investment—way too expensive for solving quick, "one-off" problems as you debug random, real-world problems. Despite the cost, there are a large number of debugger extensions in existence. I think there should not be nearly so many; I think the only reason there are so many is because there aren't viable alternatives.
• Existing attempts at providing a better interface (such as PowerDbg) are based on "scraping" and text parsing, which is hugely limiting (not to mention idealogically annoying) and thus are not able to fulfill the promise of a truly better interface (they are only marginally better, at best).
• Existing attempts to provide an easier way to write a debugger extension are merely a stop-gap addressing the pain of developing a debugger extension; they don't really solve the larger problem. (for instance, two major shortcomings are: they are still too low-level (you have to deal with the dbgeng COM API), and there's no REPL)
• The debugger team has recently introduce Javascript scripting. Javascript is a much better (and more well-defined) language than the old windbg scripting language, but I think that PowerShell has some advantages, the largest of which is that nobody really uses a Javascript shell--PowerShell is much better as a combined shell and scripting language.

• a managed "object model" (usable from C# if you wished), which is higher-level than the dbgeng COM API,
• a PowerShell "navigation provider", which exposes aspects of a debugging target as a hierarchical namespace (so you can "cd" to a particular thread, type "dir" to see the stack, "cd" into a frame, do another "dir" to see locals/registers/etc.),
• cmdlets for manipulating the target,
• a custom PowerShell host which allows better control of the debugger CLI experience, as well as providing features not available in the standard powershell.exe host (namely, support for text colorization using ANSI escape codes (a la ISO/IEC 6429))

• Color: support for text colorization using ANSI escape codes (a la ISO/IEC 6429)
• Custom formatting engine: Don't like .ps1xml stuff? Me neither. In addition to standard table, list, and custom views, you can define "single-line" views which are very handy for customizing symbol value displays.
• Custom symbol value conversion: For most variables, the default conversion and display are good. But sometimes, you'd like the debugger to do a little more work for you. The symbol value conversion feature allows, for instance, STL collection objects to be transformed into .NET collection objects that are much easier to deal with.
• Derived type detection: For when your variable is an IFoo, but the actual object is a FooImpl.
• Rich type information: exposed for your programmatic pleasure.
• Q: Does it work in WinDbg? I will only use WinDbg. A: Yes--load up the DbgShellExt.dll extension DLL, and then run "!dbgshell" to pop open a DbgShell console.

• Getting Started with DbgShell
  
• Color
  
• Custom formatting engine
  
• Custom symbol value conversion
  
• Derived type detection
  
• Rich type information
  
• Hacking on DbgShell
  
• DbgEngWrapper
  

sudo apt update && sudo apt install build-essential python-dev virtualenvwrapper
git clone https://github.com/angr/heaphopper.git && cd ./heaphopper
mkvirtualenv -ppython2 heaphopper
pip install -e .

build-essential python-dev virtualenvwrapper

ana angr cle claripy IPython psutil pyelftools pyyaml

# Gen zoo of permutations
heaphopper.py gen -c analysis.yaml

#  Trace instance
make -C tests
heaphopper.py  trace -c tests/how2heap_fastbin_dup/analysis.yaml -b tests/how2heap_fastbin_dup/fastbin_dup.bin

# Gen PoC
heaphopper.py poc -c tests/how2heap_fastbin_dup/analysis.yaml -r tests/how2heap_fastbin_dup/fastbin_dup.bin-result.yaml -d tests/how2heap_fastbin_dup/fastbin_dup.bin-desc.yaml -s tests/how2heap_fastbin_dup/fastbin_dup.c -b tests/how2heap_fastbin_dup/fastbin_dup.bin

# Tests
cd tests
# Show source
cat how2heap_fastbin_dup/fastbin_dup.c
# Run tests
./run_tests.py
# Show PoC source
cat pocs/malloc_non_heap/fastbin_dup.bin/poc_0_0.c
# Run PoC
./run_poc.sh pocs/malloc_non_heap/fastbin_dup.bin/bin/poc_0_0.bin

@inproceedings {heaphopper,
author = {Eckert, Moritz and Bianchi, Antonio and Wang, Ruoyu and Shoshitaishvili, Yan and Kruegel, Christopher and Vigna, Giovanni},
title = {HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security},
booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
year = {2018},
address = {Baltimore, MD},
url = {https://www.usenix.org/conference/usenixsecurity18/presentation/eckert},
publisher = {{USENIX} Association},
}

1. dex-reader/writer: Read/write the Dalvik Executable (.dex) file. It has a light weight API similar with ASM.
2. d2j-dex2jar: Convert .dex file to .class files (zipped as jar)
3. smali/baksmali: disassemble dex to smali files and assemble dex from smali files. different implementation to smali/baksmali, same syntax, but we support escape in type desc "Lcom/dex2jar\t\u1234;"
4. other tools: d2j-decrypt-string

sh d2j-dex2jar.sh -f ~/path/to/apk_to_decompile.apk

$ git clone https://github.com/m4ll0k/Atlas.git atlas
$ cd atlas
$ python atlas.py

$ python atlas.py --url http://site.com/index.php?id=Price_ASC --payload="-1234 AND 4321=4321-- AAAA" --dbms=mysql --random-agent -v

1. Run SQLMap:

$ python sqlmap.py -u 'http://site.com/index.php?id=Price_ASC' --dbs --random-agent -v 3

$ python atlas.py --url 'http://site.com/index.php?id=Price_ASC' --payload="') AND 8716=4837 AND ('yajr'='yajr" --random-agent -v

$ python sqlmap.py -u 'http://site.com/index.php?id=Price_ASC' --dbs --random-agent -v 3 --tamper=versionedkeywords,...

1. You can checkout this git repo and its submodules

git clone https://github.com/farrokhi/dnsdiag.git
cd dnsdiag
pip3 install -r requirements.txt

2. You can alternatively install the package using pip:

pip3 install dnsdiag

% ./dnsping.py -c 3 -t AAAA -s 8.8.8.8 dnsdiag.org
dnsping.py DNS: 8.8.8.8:53, hostname: dnsdiag.org, rdatatype: AAAA
4 bytes from 8.8.8.8: seq=0   time=123.509 ms
4 bytes from 8.8.8.8: seq=1   time=115.726 ms
4 bytes from 8.8.8.8: seq=2   time=117.351 ms

--- 8.8.8.8 dnsping statistics ---
3 requests transmitted, 3 responses received,   0% lost
min=115.726 ms, avg=118.862 ms, max=123.509 ms, stddev=4.105 ms

% ./dnstraceroute.py --expert -C -t A -s 8.8.4.4 facebook.com
dnstraceroute.py DNS: 8.8.4.4:53, hostname: facebook.com, rdatatype: A
1 192.168.0.1 (192.168.0.1) 1 ms
2 192.168.28.177 (192.168.28.177) 4 ms
3 192.168.0.1 (192.168.0.1) 693 ms
4 172.19.4.17 (172.19.4.17) 3 ms
5 google-public-dns-b.google.com (8.8.4.4) 8 ms

=== Expert Hints ===
 [*] public DNS server is next to a private IP address (possible hijacking)

% ./dnseval.py -t AAAA -f public-servers.txt -c10 yahoo.com
server           avg(ms)     min(ms)     max(ms)     stddev(ms)  lost(%)  ttl     flags
------------------------------------------------------------------------------------------------------
8.8.8.8          270.791     215.599     307.498     40.630      %0       298     QR -- -- RD RA -- --
8.8.4.4          222.955     171.753     307.251     60.481      %10      291     QR -- -- RD RA -- --
ns.ripe.net      174.855     160.949     187.458     10.099      %0       289     QR -- -- RD RA -- --
4.2.2.1          172.798     163.892     189.918     7.823       %0       287     QR -- -- RD RA -- --
4.2.2.2          178.594     169.158     184.696     5.067       %0       285     QR -- -- RD RA -- --
4.2.2.3          153.574     138.509     173.439     12.015      %0       284     QR -- -- RD RA -- --
4.2.2.4          153.182     141.023     162.323     6.700       %0       282     QR -- -- RD RA -- --
4.2.2.5          154.840     141.557     163.889     7.195       %0       281     QR -- -- RD RA -- --
209.244.0.3      156.270     147.320     161.365     3.958       %0       279     QR -- -- RD RA -- --
209.244.0.4      159.329     151.283     163.726     3.958       %0       278     QR -- -- RD RA -- --
195.46.39.39     171.098     163.612     181.147     5.067       %0       276     QR -- -- RD RA -- --
195.46.39.40     175.335     160.920     185.618     8.726       %0       274     QR -- -- RD RA -- --

• twitter: @farrokhi
• github: github.com/farrokhi
• website: farrokhi.net

• Whois
• Bind DNS tools
• Dnsrecon
• Raccoon
• DNS-Cracker
• Firewalk

• Nmap - Network Mapper
• Masscan
• SSLScan
• Amap

• Hping3
• Nping
• Scapy
• Hexinject
• Ncat
• Socat

• ARPSpoof
• Bettercap
• MITMProxy
• EvilGINX2

• 0d1n
• Wapiti3
• Recon-NG
• PHPSploit
• Photon
• XSSer
• Commix
• SQLMap
• Payloadmask
• AbernathY-XSS

• Hydra
• Ncrack
• John The Ripper
• CRUNCH

• VMP Evil AP
• Aircrack-NG Tools
• Cowpatty
• MDK3
• Reaver

• MetaSploit Framework
• RouterSploit Framework
• Getsploit
• OWASP ZSC
• Rop-TOOL

docker run -it --rm -v $(pwd)/web:/web \
       strm/tor-hiddenservice-nginx generate <pattern>

docker run -d --restart=always --name hiddensite -v $(pwd)/web:/web \
       strm/tor-hiddenservice-nginx 

docker pull strm/tor-hiddenservice-nginx

$docker run -it --rm -v $(pwd)/web:/web strm/tor-hiddenservice-nginx generate ^strm
[+] Generating the address with mask: ^strm
[+] Found matching domain after 137072 tries: strmfyygjp5st54g.onion
[+] Generating nginx configuration for site  strmfyygjp5st54g.onion
[+] Creating www folder
[+] Generating index.html template

docker run -d --restart=always --name hiddensite \
       -v $(pwd)/web:/web strm/tor-hiddenservice-nginx

• 403 error on nginx, check your directory permissions and folder permissions. Nginx run as "hidden" user, his UID is 666, just check if you give this user access to the /web/www folder (in the case the folder mapped to it).

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

./summarize.py data/log

• Software bug (for example, a bug in your hypervisor or disassembler),
• Hardware bug (a bug in your CPU), or
• Undocumented instruction (an instruction that exists in the processor, but is not acknowledged by the manufacturer)

sudo apt-get install libcapstone3 libcapstone-dev
sudo pip install capstone

make

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

--len
 search for length differences in all instructions (instructions that
 executed differently than the disassembler expected, or did not
 exist when the disassembler expected them to

--dis
 search for length differences in valid instructions (instructions that
 executed differently than the disassembler expected)

--unk
 search for unknown instructions (instructions that the disassembler doesn't
 know about but successfully execute)

--ill
 the inverse of --unk, search for invalid disassemblies (instructions that do
 not successfully execute but that the disassembler acknowledges)

--tick
 periodically write the current instruction to disk

--save
 save search progress on exit

--resume
 resume search from last saved state

--sync
 write search results to disk as they are found

--low-mem
 do not store results in memory

-b
 mode: brute force

-r
 mode: randomized fuzzing

-t
 mode: tunneled fuzzing

-d
 mode: externally directed fuzzing

-R
 raw output mode

-T
 text output mode

-x
 write periodic progress to stderr

-0
 allow null dereference (requires sudo)

-D
 allow duplicate prefixes

-N
 no nx bit support

-s seed
 in random search, seed value

-B brute_depth
 in brute search, maximum search depth

-P max_prefix
 maximum number of prefixes to search

-i instruction
 instruction at which to start search (inclusive)

-e instruction
 instruction at which to end search (exclusive)

-c core
 core on which to perform search

-X blacklist
 blacklist the specified instruction

-j jobs
 number of simultaneous jobs to run

-l range_bytes
 number of base instruction bytes in each sub range

• Random searching generates random instructions to test; it generally produces results quickly, but is unable to find complex hidden instructions and bugs.
• Brute force searching tries instructions incrementally, up to a user-specified length; in almost all situations, it performs worse than random searching.
• Driven or mutation driven searching is designed to create new, increasingly complex instructions through genetic algorithms; while promising, this approach was never fully realized, and is left as a stub for future research.
• Tunneling is the approach described in the presentation and white paper, and in almost all cases provides the best trade-off between thoroughness and speed.

• sudo
  For best results, the tool should be run as the root user. This is necessary so that the process can map into memory a page at address 0, which requires root permissions. This page prevents many instructions from seg-faulting on memory accesses, which allows a more accurate fault analysis.
  
• Prefixes
  The primary limitation for the depth of an instruction search is the number of prefix bytes to explore, with each additional prefix byte increasing the search space by around a factor of 10. Limit prefix bytes with the -P flag.
  
• Colors
  The interface for the sifter is designed for a 256 color terminal. While the details vary greatly depending on your terminal, this can roughly be accomplished with:
  

   export TERM='xterm-256color'

• GUI
  The interface assumes the terminal is of at least a certain size; if the interface is not rendering properly, try increasing the terminal size; this can often be accomplished by decreasing the terminal font size.
  In some cases, it may be desirable or necessary to run the tool without the graphical front end. This can be done by running the injector directly:
  

   sudo ./injector -P1 -t -0

  To filter the results of a direct injector invocation, grep can be used. For example,
  

   sudo ./injector -P1 -r -0 | grep '\.r' | grep -v sigill

  searches for instructions for which the processor and disassembler disagreed on the instruction length (grep '.r'), but the instruction successfully executed (grep -v sigill).
  
• Targeted fuzzing
  In many cases, it is valuable to direct the fuzzer to a specific target. For example, if you suspect that an emulator has flaws around repeated 'lock' prefixes (0xf0), you could direct the fuzzer to search this region of the instruction space with the -i and -e flags:
  

   sudo ./sifter.py --unk --dis --len --sync --tick -- -t -i f0f0 -e f0f1 -D -P15

• Legacy systems
  For scanning much older systems (i586 class processors, low memory systems), pass the --low-mem flag to the sifter and the -N flag to the injector:
  

   sudo ./sifter.py --unk --dis --len --sync --tick --low-mem -- -P1 -t -N

  If you observe your scans completing too quickly (for example, a scan completes in seconds), it is typically because these flags are required for the processor you are scanning.
  
• 32 vs. 64 bit
  By default, sandsifter is built to target the bitness of the host operating system. However, some instructions have different behaviors when run in a 32 bit process compared to when run in a 64 bit process. To explore these scenarios, it is sometimes valuable to run a 32 bit sandsifter on a 64 bit system.
  To build a 32 bit sandsifter on a 64 bit system, Capstone must be installed as 32 bit; the instructions for this can be found at http://www.capstone-engine.org/.
  Then sandsifter must be built for a 32 bit architecture:
  

   make CFLAGS=-m32

  With this, the 32 bit instruction space can be explored on a 64 bit system.
  

• A discussion of the techniques and results can be found in the Black Hat presentation.
• Technical details are described in the whitepaper.
• Slides from the Black Hat presentation are here.

• -e Enumerates all loaded CLR Runtimes and created AppDomains.
• -d <#> Inject only into <#>-th AppDomain. If no number or zero is specified, assembly is injected into every AppDomain.
• -i <namespace>.<className> Create an instance of class <className> from namespace <namespace>.

• clrinject-cli.exe -p victim.exe -e

  (Enumerate Runtimes and AppDomains from victim.exe)

• clrinject-cli.exe -p 1234 -a "C:\Path\To\invader.exe" -d 2

  (Inject invader.exe into second AppDomain from process with id 1234)

• clrinject-cli.exe -p victim.exe -a "C:\Path\To\invader.dll" -i "Invader.Invader"

  (Create instance of Invader inside every AppDomain in victim.exe)

• clrinject-cli64.exe -p victim64.exe -a "C:\Path\To\invader64.exe"

  (Inject x64 assembly into x64 process)

using System;
using System.Reflection;

using Microsoft.PowerShell;
using System.Management.Automation.Host;

namespace Invader
{
    class Invader
    {
        static void Main(string[] args)
        {
            try
            {
                var powerShellAssembly = typeof(ConsoleShell).Assembly;
                var consoleHostType = powerShellAssembly.GetType("Microsoft.PowerShell.ConsoleHost");
                var consoleHost = consoleHostType.GetProperty("SingletonInstance", BindingFlags.Static | BindingFlags.NonPublic).GetValue(null);

                var ui = (PSHostUserInterface)consoleHostType.GetProperty("UI").GetValue(consoleHost);
                ui.RawUI.ForegroundColor = ConsoleColor.Green;
            }
            catch (Exception e)
            {
                Console.WriteLine(e.ToString());
            }
        }
    }
}

clrinject-cli64.exe -p powershell.exe -a "C:\Path\To\invader64.exe"

• Windows: notepad.exe or notepad++.exe
• Linux: gedit
• Mac: /Applications/TextEdit.app or /Applications/TextWrangler.app

• Windows (7/10) C:\Users\[username]\Documents\Fiddler2\Scripts\
  
• Ubuntu /home/[username]/Fiddler2/Scripts/
  
• Mac /Users/[username]/Fiddler2/Scripts/
  

• Windows

• Linux (tested on Ubuntu 16.04)

• URI (full or partial URI match)
• IP (Single IP address or IP range)
• SourceCode (Response Body)
• Headers (any value within a Response's Headers)