SpikySabra / Kernel-Cactus

It's pointy and it hurts!
GNU General Public License v3.0

Usage of the OffsetExtract.py #1

Closed aaaddress1 closed 1 year ago

aaaddress1 commented 1 year ago

Hi there! Thanks for the amazing project (also, the blog post!)

I try to reproduce this project, but I don't know how to use your python script to extract those offsets inside the kernel. (I have installed r2 & added it to the PATH environment variable.)

$  python offsetExtract.py -i NtosKrnl.exe
[!] ERROR : The specified input NtosKrnl.exe is neither a file nor a directory.
SpikySabra commented 1 year ago

Hey @aaaddress1 ! Thank you for your kind words. Sounds like a pythonic problem rather than the debugger. Would you kindly share the full path of the file? It seems more like a problem with the path provided.

aaaddress1 commented 1 year ago

Oh, thanks for the prompt reply. I mean, actually I don't get what I should give to the python script offsetExtract.py as input (*.exe)?

Is there any guide about this? Even on the blog post I cannot find how to use it

SpikySabra commented 1 year ago

@aaaddress1 you actually gave the correct input. It should be: offsetExtract.py -i ntoskrnl.exe as you had done. The Radare debugger should be in the environment variables under PATH so that r2 is available from CMD. The only difference I see is that you have probably used this on Linux while we have made the tool using Windows. I would suggest attempting to do the same on Windows. In the meantime I'll try to recreate the issue on Linux.

aaaddress1 commented 1 year ago

Oh, nope. I did this on Windows from a UAC elevated console.

aaaddress1 commented 1 year ago

I tried to use the command in your python script directly: r2 -c iE -qq C:\Windows\System32\ntoskrnl.exe

Seems like r2 works well from the command line.

aaaddress1 commented 1 year ago

Ugh... I found the solution.

We should give the argument C:\Windows\System32\ntoskrnl.exe instead of only ntoskrnl.exe because os.path.isfile() will not search for the file name in each %PATH% directory.

SpikySabra commented 1 year ago

@aaaddress1 We are happy to hear you got it working. It seems as if in CMD / PowerShell this issue does not reproduce. Would you kindly share if the same issue exists on CMD? Thank you!

aaaddress1 commented 1 year ago

Ugh, which kind of issue? Could you explain it more clearly?

SpikySabra commented 1 year ago

@aaaddress1 well, as long as ntoskrnl.exe is in the same working directory, a full path is usually not needed. In case you haven't been running from the same directory, indeed there is no issue; in case it was the same working directory, it might be an issue with running it from a third-party CLI. Just trying to validate that no fix is needed.
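The root cause discussed above is that `os.path.isfile()` only tests the literal string it is given, so a bare `ntoskrnl.exe` resolves only against the current working directory and never against `%PATH%`. As an added example (not code from the Kernel-Cactus repository), here is a small input resolver that checks the literal path first, then searches each PATH entry for a bare name, and only then builds the same `r2 -c iE -qq <file>` invocation the script uses. The helper names `resolve_input` and `r2_exports_command`, the `exists` injection point and the fake file set are assumptions made for this example.

```python
"""Resolve a bare file name before handing it to r2 (added example, not the project's code)."""
import os
import subprocess
import sys


def resolve_input(user_input, search_dirs=None, exists=os.path.isfile):
    """Return an absolute path for user_input, or None if nothing matches.

    The literal path is tried first (this covers absolute paths and files in the
    working directory).  A bare name with no directory component is then looked
    up in each entry of search_dirs, which defaults to os.environ['PATH'] split on
    os.pathsep.  `exists` is injectable so the lookup can be exercised offline
    against a constructed file set instead of the real filesystem.
    """
    if exists(user_input):
        return os.path.abspath(user_input)
    if os.path.dirname(user_input):
        # A path with a directory part that does not exist is simply wrong;
        # searching PATH for it would silently pick up an unrelated file.
        return None
    if search_dirs is None:
        search_dirs = os.environ.get("PATH", "").split(os.pathsep)
    for directory in search_dirs:
        candidate = os.path.join(directory, user_input)
        if exists(candidate):
            return os.path.abspath(candidate)
    return None


def r2_exports_command(resolved_path):
    """Build the radare2 command from the thread: r2 -c iE -qq <file>."""
    return ["r2", "-c", "iE", "-qq", resolved_path]


# Constructed sample "filesystem" and PATH for offline demonstration (POSIX-style
# separators so os.path.join behaves the same on the test machine).
FAKE_FS = frozenset({"/fake/System32/ntoskrnl.exe"})
FAKE_PATH = ["/fake/bin", "/fake/System32"]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ntoskrnl.exe"
    resolved = resolve_input(target)
    if resolved is None:
        print(f"[!] ERROR : The specified input {target} is neither a file nor a directory.")
        sys.exit(1)
    # r2 receives an absolute path, so the result no longer depends on the caller's cwd.
    print(subprocess.run(r2_exports_command(resolved), capture_output=True, text=True).stdout)
```

Passing the resolved absolute path to r2 also means the script behaves the same whether it is launched from CMD, PowerShell or a third-party console.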