[pull] capemon from kevoreilly:capemon#150
Open
pull[bot] wants to merge 306 commits into
The code is kinda ugly with goto, but it's about as clean as I can get it to re-use existing log formatter in cases where exceptions may occur / sanity checks fail.
…a2d4e1c831808d0a791608db40cd1e4df598e5fee4bac1b239d4f8194f8e2d4a (fixes #100)
…e-mode Improve standalone mode
…ssion/yara option patch=<address>:<bytes>
Untested :) While capemon had some RVA hook capabilities before, they were used for DLLs (which has been replaced and seems to be no longer used). This commit adds RVA hooking capabilities for executables. The DLL RVA hooks "sanity check" the DLL using a timestamp; however, I've opted to use a quick code scan of the function's first few bytes. I've also added in an NtQueryVirtualMemory version of "IsBadReadPtr" to handle sanity checking a bit more strictly than the existing function in capemon (is_valid_address_range). The hooked function itself is inspired by the code over at https://github.com/KingKDot/Exorcism, just ported into a hook/log that capemon likes. Please do check out his GitHub if you're curious about this hook's usefulness.
…t/capemon into KillerInstinct-hook_FindFixAndRun
…HOOK_EXE, fallback option HOOK_EXERVA
Remove debug output for initialized com hooks.
Fix COM hooks
…645297a0a423564f99b9f474b0df234d6613d04df48a94cb67f541b8eb829d1)
…through registers
Completes the TLS 1.3 traffic-secret extraction that was scaffolded in 84d5f71 but left unimplemented, adds in-process TLS 1.2/1.3 coverage for WinHTTP/.NET samples that use Schannel-CNG directly (bypassing ncryptsslp.dll), and fixes a concurrent-write race in LogTls where FILE_SHARE_READ-only sharing mode prevented multi-process key capture.
…F-16 boundary-aware graceful truncation
Replace the per-thread g_stage_root / g_client_random_root / g_tls13_client_random_root linked lists (and their SRWLOCKs and get/add/del helpers introduced in 0c6e76e) with plain __declspec(thread) variables. Same per-thread semantics, no manual lookup or locking, no leaked entries on thread exit (the OS reclaims TLS automatically).

- t_stage replaces ThreadTLS13Stage / tls_stage_*
- t_client_random (+ t_client_random_valid) replaces ThreadClientRandom / tls_client_random_*
- t_tls13_client_random (+ t_tls13_client_random_valid) replaces ThreadTLS13ClientRandom / tls13_client_random_*

Preserves upstream semantics:

- SslHashHandshake (TLS 1.2) stashes client_random only if one has not already been captured for the thread (was `if (R == NULL)`), and resets t_stage to 0 on every ClientHello.
- BCryptHashData (TLS 1.3) remains unchanged behaviorally: always HexEncodes the current ClientHello's client_random (was unconditional HexEncode after get-or-create).

Drops the never-written ServerRandomRepr field from ThreadRandom.

Validated live on a CAPE host: TLS 1.2 master_secret and the full TLS 1.3 secret set (CLIENT/SERVER_HANDSHAKE_TRAFFIC_SECRET, CLIENT/SERVER_TRAFFIC_SECRET_0, EXPORTER_SECRET) are captured identically to the lookup-table version against the same baseline samples.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
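The thread-local state described in the commit above, as an added example that is not capemon's code: C11 `_Thread_local` stands in for MSVC `__declspec(thread)`, the variable names `t_stage`, `t_client_random` and `t_tls13_client_random` follow the commit message, and the function names, the 32-byte client_random length and the sample inputs are assumptions made for the example. It shows the two semantics the commit preserves: the TLS 1.2 path keeps the first client_random seen on the thread and resets the stage on every ClientHello, while the TLS 1.3 path always re-encodes the current one.

```c
/* Added example (not capemon code): per-thread TLS handshake state held in
 * thread-local variables instead of a locked, thread-id keyed linked list.
 * _Thread_local is the portable C11 form of MSVC's __declspec(thread);
 * function names and sample values are assumptions for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_RANDOM_LEN 32 /* TLS client_random is 32 bytes */

/* One copy per thread: no list walk, no lock, released with the thread. */
static _Thread_local int     t_stage;                                  /* TLS 1.3 handshake stage   */
static _Thread_local uint8_t t_client_random[CLIENT_RANDOM_LEN];       /* TLS 1.2 path, raw bytes   */
static _Thread_local bool    t_client_random_valid;
static _Thread_local char    t_tls13_client_random[2 * CLIENT_RANDOM_LEN + 1]; /* TLS 1.3 path, hex */
static _Thread_local bool    t_tls13_client_random_valid;

/* Constructed sample randoms (not captured traffic): all 0x11 and all 0x22. */
static const uint8_t SAMPLE_A[CLIENT_RANDOM_LEN] = {
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11 };
static const uint8_t SAMPLE_B[CLIENT_RANDOM_LEN] = {
    0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,
    0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22 };

static void hex_encode(const uint8_t *in, size_t len, char *out)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
}

/* TLS 1.2 ClientHello on this thread (SslHashHandshake semantics): reset the
 * stage every time, keep only the first client_random. Returns true when the
 * random was stashed, false when the thread already held one. */
bool tls12_on_client_hello(const uint8_t client_random[CLIENT_RANDOM_LEN])
{
    t_stage = 0;
    if (t_client_random_valid)   /* equivalent of the old `if (R == NULL)` guard */
        return false;
    memcpy(t_client_random, client_random, CLIENT_RANDOM_LEN);
    t_client_random_valid = true;
    return true;
}

/* TLS 1.3 ClientHello on this thread (BCryptHashData semantics): always
 * hex-encode the current client_random, overwriting any earlier value. */
void tls13_on_client_hello(const uint8_t client_random[CLIENT_RANDOM_LEN])
{
    hex_encode(client_random, CLIENT_RANDOM_LEN, t_tls13_client_random);
    t_tls13_client_random_valid = true;
}

int tls13_next_stage(void) { return ++t_stage; }
int tls_stage(void)        { return t_stage; }

const uint8_t *tls12_client_random(void)
{
    return t_client_random_valid ? t_client_random : NULL;
}

const char *tls13_client_random_hex(void)
{
    return t_tls13_client_random_valid ? t_tls13_client_random : NULL;
}

/* Forget this thread's state, e.g. once a session's secrets are logged. */
void tls_thread_reset(void)
{
    t_stage = 0;
    t_client_random_valid = false;
    t_tls13_client_random_valid = false;
}

int main(void)
{
    printf("first  TLS 1.2 hello stashed: %d\n", tls12_on_client_hello(SAMPLE_A));
    tls13_next_stage();
    printf("second TLS 1.2 hello stashed: %d (stage reset to %d)\n",
           tls12_on_client_hello(SAMPLE_B), tls_stage());
    tls13_on_client_hello(SAMPLE_B);
    printf("TLS 1.3 client_random: %s\n", tls13_client_random_hex());
    return 0;
}
```

Because every variable is `_Thread_local`, two threads running the same hooks never see each other's client_random, which is exactly the property the lookup table and its SRWLOCK existed to provide.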
… hook type fails (e.g. GetCommandLineA/W - fixes #134), improve hook_api() code structure
… "&src" & "&dst" (e.g. action0=dumpimage:&src) for instruction parsing, GetOperand() supporting function
…perly tested this
Improve TLS 1.3/1.2 Key Capture & Scylla ATL-Removal Build Cleanup
See Commits and Changes for more details.
Created by pull[bot] (v2.0.0-alpha.1)
Can you help keep this open source service alive? 💖 Please sponsor : )