OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-disclosure] Multi-Languages OPcodes DB

From: Jerome Athias (jerome.athiasfree.fr)
Date: Fri Aug 26 2005 - 04:37:04 CDT


Hi,

as you probably all know, Windows DLLs have different base addresses
across Windows/SP/languages
so i think it could be usefull to try to build a multi-lang opcodes
database, isn't it?
so, i have done VERY QUICKLY a little package based on a .BAT and some
tools :

Files included in the package:

* OPCODES_LIST.bat : (horrible) Main batch file
MD5: c43d4167f7352c211a97f8cf21cd0458
SHA1: eb2f62912c9311351540dfc0237000e7bf090070

* Psinfo.exe : tool from sysinternals.com to retrieve windows system
informations ans the list of installed hotfixs (trying also to use the
Windows 2003 "wmic qfe" command) (could be long...)
MD5: 2c18e62e9902b0a258e6a64ab812f02c
SHA1: 0188d8836ba6a2a198abcfee9ae730b4ce0521aa

pdh.dll
MD5: 8542b31187bd1035a2311324c23e66b1
SHA1: ecc77cd54061745273af9750c55c1434c24bcd74

* reg.exe : tool present on XP but not on all 2000... used to retrieve
the OS language (languages codes list included in the bat)
MD5: 5bc49b61651edbc0a80d2de16d7f422c
SHA1: 7a778b97bf7b68247e0b212a81c952118c1ba45a

* Findjmp2.exe : tool by Class101 to retrieve the opcodes in memory
(DLLs searched : KERNEL32.DLL, NTDLL.DLL, USER32.DLL, SHELL32.DLL,
GDI32.DLL, WS2_32.DLL, WS2HELP.DLL)
(registers searched : EAX, EBX, ECX, EDX, ESI, EDI, ESP, EBP)
MD5: 3909e20cb55ea82b01a3b593d0cc59b6
SHA1: 174169d18b039fcd11ee1507d0a7f8e4230ed717

* LISTDLLS.exe : tool from sysinternals.com used to retrieve the
versions of DLLs
MD5: bb5f0e1d03f4e32261bb0964fc3b0e9d
SHA1: c6081622207ec53f6400a6312a87cf350333996b

* mycrc.exe : tool by Luigi Auriemma to check files checksums (MD5,
SHA1, ...)
MD5: 5473219dd371630c1e7d7e7fa1ddd53f
SHA1: 37c71403ed231dd9cb9a6e97c869e7275372ba12

* grep.exe : used to parse a litlle bit the output
MD5: 9e05a9c264c8a908a8e79450fcbff047
SHA1: 0ab5c2b1c3c637cbe82564d6d9ed34a78c901cb7

* uniq.exe : used to parse a litlle bit the output

PLEASE NOTE :

1) we can do better and more simple!!!, so if you want: JUST DO IT and
please don't flame!
2) the output is far to be clean! but could be easily parsed with a
simple script...

For guy who want to help; please send me the resulting
"OPCODES_LIST.TXT" file
(PLEASE REMOVE ALL PERSONNAL DATA IN THE FILE! ;).
Then i'll try to check all the files and start to build something, of
course publicly available.

The package is available for download at:

http://www.athias.fr/OPCODES_LIST.RAR
MD5: c4a7d4eba31afafb67ef488dda7cf19e
SHA1: c99a98741a8365fe6872a2347d0b05891188c584

Please let me know missing things...

Thank you.
/JA

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/