added search script

README.md

@@ -186,7 +186,7 @@ One-shot script to perform the following actions:
 - run windbg commands after attaching (if `-commands` is provided)
 - restart a given service when windbg exits (if `-service-name` is provided)
 
-The values for `-service-name` and `-process-name` are tab-completeable. 
+The values for `-service-name` and `-process-name` are tab-completeable.
 
 ```
 .\attach-process.ps1 -service-name fastbackserver -process-name fastbackserver -commands '.load pykd; bp fastbackserver!recvfrom'
@@ -196,11 +196,21 @@ The values for `-service-name` and `-process-name` are tab-completeable.
 \\tsclient\shared\osed-scripts\attach-process.ps1 -service-name 'Sync Breeze Enterprise' -process-name syncbrs
 ```
 
+This script can be run inside a while loop for maximum laziness!
+
+```
+while ($true) {\\tsclient\shared\osed-scripts\attach-process.ps1 -process-name PROCESS_NAME -commands '.load pykd; bp SOME_ADDRESS; g; !exchain' ;}
+```
+
 ## WinDbg Scripts
 
 all windbg scripts require `pykd`
 
-run `.load pykd` then `!py c:\path\to\this\repo\script.py` 
+run `.load pykd` then `!py c:\path\to\this\repo\script.py`
+
+Alternatively, you can put the scripts in `C:\python37\scripts` so they execute as `!py SCRIPT_NAME`. 
+
+Also, using `attach-process.ps1` you can add `-commands '.load pykd; g'` to always have pykd available.
 
 ### find-ppr.py
 
@@ -313,3 +323,34 @@ chars += b'\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0\xE1'
 chars += b'\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0\xF1'
 chars += b'\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF'
 ```
+
+### search.py
+
+just a wrapper around the stupid windbg search syntax
+```
+usage: search.py [-h] [-t {byte,ascii,unicode}] pattern
+
+Searches memory for the given search term
+
+positional arguments:
+  pattern               what you want to search for
+
+optional arguments:
+  -h, --help            show this help message and exit
+  -t {byte,ascii,unicode}, --type {byte,ascii,unicode}
+                        data type to search for (default: byte)
+```
+```
+!py \\tsclient\shared\osed-scripts\search.py -t ascii fafd
+[=] running s -a 0 L?80000000 fafd
+[*] No results returned
+```
+```
+!py \\tsclient\shared\osed-scripts\search.py -t ascii ffff
+[=] running s -a 0 L?80000000 ffff
+0071290e  66 66 66 66 3a 31 32 37-2e 30 2e 30 2e 31 00 00  ffff:127.0.0.1..
+00717c5c  66 66 66 66 48 48 48 48-03 03 03 03 f6 f6 f6 f6  ffffHHHH........
+00718ddc  66 66 66 66 28 28 28 28-d9 d9 d9 d9 24 24 24 24  ffff((((....$$$$
+01763892  66 66 66 66 66 66 66 66-66 66 66 66 66 66 66 66  ffffffffffffffff
+...
+```

exploit-template.py

@@ -99,6 +99,18 @@ def get_rop_chain() -> bytes:
     return rop.chain
 
 
+def get_seh_overwrite() -> bytes:
+    total_len = 0
+    offset_to_eip = 0
+
+    seh_chain  = b'A' * (offset_to_eip - 4)
+    seh_chain += b'B' * 4  # nseh
+    seh_chain += b'C' * 4  # seh - ppr or similar
+    seh_chain += b'C' * (total_len - len(seh_chain))
+
+    return seh_chain
+
+
 def send_exploit(sock: socket.socket, buffer: bytes, read_response=False):
     sock.send(buffer)
     print(f'[+] sent {len(buffer)} bytes')

search.py

@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+import argparse
+
+import pykd
+
+
+def main(args):
+    choice_table = {"byte": "b", "ascii": "a", "unicode": "u"}
+    command = f"s -{choice_table.get(args.type)} 0 L?80000000 {args.pattern}"
+    print(f'[=] running {command}')
+    result = pykd.dbgCommand(command)
+
+    if result is None:
+        return print('[*] No results returned')
+
+    print(result)
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        description="Searches memory for the given search term"
+    )
+
+    parser.add_argument(
+        "-t",
+        "--type",
+        default="byte",
+        choices=["byte", "ascii", "unicode"],
+        help="data type to search for (default: byte)",
+    )
+    parser.add_argument(
+        "pattern",
+        help="what you want to search for",
+    )
+
+    args = parser.parse_args()
+
+    main(args)