• Stars
    star
    691
  • Rank 65,435 (Top 2 %)
  • Language
    C++
  • License
    GNU Affero Genera...
  • Created almost 8 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A memory scanning evasion technique

gargoyle title

gargoyle infographic

Building gargoyle

gargoyle is only implemented for 32-bit Windows (64-bit Windows on Windows is fine). You must have the following installed:

  • Visual Studio: 2017 Community is tested, but it may work for other versions.
  • Netwide Assembler v2.12.02 x64 is tested, but it may work for other versions. Make sure nasm.exe is on your path.

Clone gargoyle:

git clone https://github.com/JLospinoso/gargoyle.git

Open Gargoyle.sln, build, and run. There is some harness code in main.cpp that configures the following three components:

  • gargoyle stack trampoline, stack, and configuration (read/write memory on the heap)
  • gargoyle position independent code (PIC) that receives the ROP gadget/stack trampoline and runs arbitrary code
  • A ROP gadget. If you have mshtml.dll, gargoyle will load it into memory and use it. If it is not available, you will have to tell gargoyle to allocate its own (3-byte) ROP gadget on the heap:
// main.cpp
auto use_mshtml{ true };
auto gadget_memory = get_gadget(use_mshtml, gadget_pic_path);

Every 15 seconds, gargoyle will pop up a message box. When you click ok, gargoyle sets up the tail calls to mark itself non-executable and to wait for the timer. For fun, use Sysinternals's excellent VMMap tool to examine when gargoyle's PIC is executable. If a message box is active, gargoyle will be executable. If it is not, gargoyle should not be executable. The PIC's address is printed to stdout just before the harness calls into the PIC.

More information

See the blog post available at lospi.net for more information.

Also feel free to hop on gitter: Join the chat at https://gitter.im/grgyl/Lobby

More Repositories

1

ccc

Companion Code for C++ Crash Course
C++
304
star
2

beamgun

A rogue-USB-device defeat program for Windows.
C#
186
star
3

memcachedump

Use your Shodan API Key to dump all the contents of exposed memcached servers.
Python
144
star
4

cpp-implant

A simple implant showcasing modern C++
C++
86
star
5

unfurl

An Entropy-Based Link Vulnerability Tool
Python
54
star
6

abrade

A fast Web API scraper written in C++ and built on Boost ASIO
C++
44
star
7

matterbot

A native Mattermost/Slack bot framework
C++
40
star
8

doh

A Privacy-Conscious, DNS-over-HTTP-Enabled, Blacklist-Incorporating SOCKS5 Proxy
C
26
star
9

rivestment

A game of MD5 Collisions
JavaScript
7
star
10

x86CallingConventions

Common x86 Calling Conventions - Code for blog
C++
6
star
11

cmf-cce-talk

C++
6
star
12

ReverseEngineering

https://jlospinoso.github.io/developing/software/software%20engineering/reverse%20engineering/assembly/2015/03/06/reversing-with-ida.html
C
6
star
13

lut

.NET utilities for common statistical manipulations of generics and more
C#
3
star
14

docker-libpoco

Dockerfile for building a base image containing Poco Project libraries. http://pocoproject.org
3
star
15

jlospinoso.github.io

Personal blog of Josh Lospinoso
JavaScript
3
star
16

covid-airlines

Datasets for blog post about mashing CDC and air travel data to show correlations between infections at the state level.
Python
3
star
17

twitter-subliminal

Encode subliminal messages using only Twitter's Streaming API and retweets.
C++
2
star
18

facewash

A user script for deleting/unliking/hiding posts from Facebook.
JavaScript
2
star
19

LambdasCpp11

Code to get you started using Lambdas in C++11
C++
2
star
20

underhandedc-2015

My submission to the Underhanded C Contest of 2015
C
2
star
21

dailyc

A simple, batch multimedia messaging and email service
Java
2
star
22

bsides2018

Slides for BSidesNOVA 2018 presentation
2
star
23

uvi-sunburn

Supplementary data and scripts for "The Impact of Ultraviolet Radiation on Sunburn-related Search Activity," pending publication in Dermatology Online Journal
Python
2
star
24

snuckme

https://jlospinoso.github.io/node/javascript/security/cryptography/privacy/2017/02/20/snuckme-cert-query.html
HTML
2
star
25

cppbuild

Boost, Cmake, and Openssl in a container
Dockerfile
1
star
26

cppbuildx86

Dockerfile
1
star
27

arduino

My explorational arduino projects
C++
1
star