This is not a real blog, just a place where I can note down solutions, workarounds, tutorials, thoughts, tips and tricks. The idea is to share this information, which might be useful to others too. I didn't want to put any effort into building this single-page site, which is why it is so ugly and simple.
#1 Resize disk in gnome boxes

10/03/2018

Right-click a VM, open its properties and resize the disk there. A Windows guest, however, keeps showing the original disk size (20 GB by default) afterwards, and changing the value seems to have no effect: the added capacity shows up as unallocated space at the end of the disk, so you have to extend the partition from inside Windows with its partition tool (Disk Management, diskmgmt.msc).
#2 Share files and folders with virtual machines (e.g. gnome-boxes)

10/03/2018

Some virtual machines don't provide a way to share folders; in general you have to install guest add-ons. An easy alternative is a mini FTP server: on the host, run python -m pyftpdlib -w inside the folder you want to share (-w grants write permission; the server listens on port 2121). The guest can then reach that folder with an FTP client or directly from the file manager. Keep in mind that by default the server binds to all interfaces and accepts anonymous logins, so with -w anyone who can reach the host can write into the folder: bind it to the address the guest uses (-i) and stop it when you are done.
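The same share started with a narrower exposure, as an added example that is not part of the original note: pyftpdlib's own command-line front end is used, and it is assumed that the installed release accepts the -i/-p/-d/-w/-u/-P options (python3 -m pyftpdlib --help lists them); the bind addresses in the comments are assumptions about how the VM is networked.

```shell
# Added example: start pyftpdlib for a VM share with the exposure narrowed down.
# The bare `python -m pyftpdlib -w` listens on every interface and lets
# anonymous users write; here the server is bound to one address and requires
# a username/password.

# ftp_share_cmd DIR BIND_ADDR USER PASSWORD [PORT]: print the command line that
# would be run, or fail if DIR is not a directory or credentials are missing.
ftp_share_cmd() {
    local dir=$1 addr=$2 user=$3 pass=$4 port=${5:-2121}
    [ -d "$dir" ] || { echo "ftp_share_cmd: $dir is not a directory" >&2; return 1; }
    [ -n "$user" ] && [ -n "$pass" ] || { echo "ftp_share_cmd: user and password required" >&2; return 1; }
    printf '%s\n' "python3 -m pyftpdlib -i $addr -p $port -d $dir -w -u $user -P $pass"
}

# ftp_share DIR BIND_ADDR USER PASSWORD [PORT]: validate, then run the server in
# the foreground; stop it with Ctrl-C when the transfer is done. The password is
# visible in the process list, so use a throw-away one for the session.
ftp_share() {
    local dir=$1 addr=$2 user=$3 pass=$4 port=${5:-2121}
    ftp_share_cmd "$@" >/dev/null || return 1
    python3 -m pyftpdlib -i "$addr" -p "$port" -d "$dir" -w -u "$user" -P "$pass"
}

# Which address to bind (assumptions about the VM's networking, not from the note):
#   127.0.0.1      GNOME Boxes / QEMU user-mode networking: the guest reaches host
#                  loopback services at 10.0.2.2, so nothing else on the LAN can connect.
#   192.168.122.1  libvirt's default NAT bridge (virbr0) for system VMs.
# Example session:
#   ftp_share "$HOME/share" 127.0.0.1 vmshare "$(head -c 12 /dev/urandom | base64)"
```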
#3 Emulate a quad-core ARM Cortex-A9 Raspberry Pi 2 with QEMU

24/05/2018

Following this tutorial you can emulate the Raspberry Pi 2 on Linux, but keep in mind that it will not be very fast.
First of all, download the official Raspbian image; if you're not interested in the desktop environment, I suggest the stretch lite version. Then unzip the image and convert it to the qcow2 format:
$ unzip raspbian_stretch_lite.zip raspbian_stretch_lite.img
$ qemu-img convert -f raw -O qcow2 raspbian_stretch_lite.img raspbian_stretch.qcow

Then download kernel-qemu-4.4.1-vexpress and vexpress-v2p-ca9.dtb by clicking the links, or fetch them from this repository.
Put all the files in the same folder and run the following command to start the emulator with Raspbian (no root is needed: -net user does the networking in user space):
$ qemu-system-arm -m 1024M -M vexpress-a9 -cpu cortex-a9 -kernel kernel-qemu-4.4.1-vexpress -no-reboot -dtb vexpress-v2p-ca9.dtb -sd raspbian_stretch.qcow -append "root=/dev/mmcblk0p2 rw rootfstype=ext4" -net nic -net user,hostfwd=tcp::2222-:22 -smp cpus=4,maxcpus=4
The emulator should boot the Raspbian image; remember that the default user is pi with password raspberry.
You can enable the ssh service with systemctl enable ssh (add systemctl start ssh to start it right away) or through raspi-config; the hostfwd option above then makes it reachable from the host with ssh -p 2222 pi@localhost.

Expand the image size

At this point we need to resize the image, because the Raspbian image has little free disk space by default (i.e. we can't install many applications).
  1. Expand the virtual size of the image on the host:
    $ qemu-img resize raspbian_stretch.qcow +10G
  2. Boot Raspbian and, inside the emulator, use fdisk on the SD card device (/dev/mmcblk0, the device named in root= above) to edit the partitions:
    $ sudo fdisk /dev/mmcblk0
    Display the partitions with the p command and note the Start sector of the second partition (call this value INITP). Delete the second partition with d, then 2; if you display the partitions again it has disappeared. Create a new partition with n, then p, then 2. fdisk now proposes a first sector: it must match the value noted earlier (INITP), so type INITP if the proposal differs. For the last sector accept the default, which is the largest possible value and fills all the free space. If fdisk asks whether to remove the ext4 signature it found, answer N, otherwise the filesystem is damaged. Display the table again: the new partition ends further away, so it is larger. Write the changes with w and reboot the machine.
  3. Enlarge the filesystem. Once logged in again, the free space has not grown: the partition has been resized but the filesystem has not, and this is the last step. It is very simple, just run $ sudo resize2fs /dev/mmcblk0p2. You can check the result by running $ df -h before and after resize2fs.
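A helper for the risky part of step 2, as an added example that is not part of the original tutorial: typing the wrong start sector to n destroys the root filesystem, so this script reads INITP from an fdisk -l listing, refuses to go on if it cannot find it, and prints the exact answers to give fdisk plus the resize2fs command. It assumes a DOS partition table with the root filesystem on partition 2, as in the Raspbian image; the fdisk -l output embedded below is a constructed sample.

```shell
# Added example: derive INITP from `fdisk -l` and emit the fdisk keystrokes.

# Constructed sample of `fdisk -l /dev/mmcblk0` output (sector numbers invented;
# p1 carries the boot flag to show the extra "*" column being handled).
SAMPLE_FDISK_LISTING='Disk /dev/mmcblk0: 11.8 GiB, 12677742592 bytes, 24761216 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x5a7089a1

Device         Boot Start     End Sectors  Size Id Type
/dev/mmcblk0p1 *     8192   93236   85045 41.5M  c W95 FAT32 (LBA)
/dev/mmcblk0p2      94208 3645439 3551232  1.7G 83 Linux'

# part_device PART: the whole-disk device of a partition node
# (/dev/mmcblk0p2 -> /dev/mmcblk0, /dev/sda2 -> /dev/sda).
part_device() {
    local dev=$1
    while case $dev in *[0-9]) true ;; *) false ;; esac; do dev=${dev%[0-9]}; done
    case $dev in *[0-9]p) dev=${dev%p} ;; esac
    printf '%s\n' "$dev"
}

# part_start PART <listing: the Start sector of PART as printed by `fdisk -l`
# on stdin. A bootable partition has "*" in the Boot column, shifting the
# fields by one. Fails (status 1) if PART is not in the listing.
part_start() {
    awk -v p="$1" '$1 == p { print ($2 == "*") ? $3 : $2; found = 1 } END { exit !found }'
}

# fdisk_keystrokes PART <listing: the answers for the interactive session, one
# per line: p (show table), d N (delete), n p N START <empty> (recreate primary
# partition N at the same start, default last sector), w (write).
# If fdisk asks "Do you want to remove the signature?", answer N by hand.
fdisk_keystrokes() {
    local part=$1 num=${1##*[!0-9]} start
    start=$(part_start "$part") || { echo "fdisk_keystrokes: $part not found in listing" >&2; return 1; }
    printf '%s\n' p d "$num" n p "$num" "$start" "" w
}

# grow_plan PART: read the live table (inside the guest, as root, after the
# qemu-img resize on the host) and print the whole plan for the operator.
grow_plan() {
    local part=$1 disk
    disk=$(part_device "$part")
    echo "# 1. sudo fdisk $disk   and answer, one line per prompt:"
    fdisk -l "$disk" | fdisk_keystrokes "$part" || return 1
    echo "# 2. reboot, then: sudo resize2fs $part   (compare df -h before/after)"
}
```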
#4 Find kernel start address on Android

05/06/2018

In order to find the kernel start address of a 64-bit (arm64) Android device, first extract the kernel from boot.img and decompress it. Then run the following command:
for addr in $(xxd -p kernel | tr "\n" " " | sed "s/ //g" | sed "s/c0ffffff/c0ffffff\n/g" | grep -o '.\{16\}$'); do echo ${addr:14:2}${addr:12:2}${addr:10:2}${addr:8:2}${addr:6:2}${addr:4:2}${addr:2:2}${addr:0:2}; done | sort
This one-liner extracts every hard-coded 64-bit value whose upper bytes are ff ff ff c0 (the sed "s/c0ffffff/c0ffffff\n/g" | grep -o '.\{16\}$' part breaks the hex dump after each occurrence of that pattern and keeps the 16 hex digits ending there), converts each value from little-endian to big-endian, then sorts and prints them. The smallest addresses come first, and one of them should be the start address of the kernel.
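The same search done on whole 8-byte words, as an added example that is not part of the original note: the one-liner splits a stream of hex digits, so a match may begin at an odd nibble or straddle two words. Reading the image with od in 8-byte units at offsets 0 and 4 avoids that and covers both 8-byte and 4-byte aligned pointers. The 0xffffffc0 prefix (arm64 kernels built with 39-bit virtual addresses) and a little-endian host (x86-64 or arm64, since od prints -tx8 words in host byte order) are assumptions; the sample image is constructed.

```shell
# Added example: list candidate kernel virtual addresses found in a raw image.

KERNEL_VA_PREFIX=ffffffc0   # assumption: VA_BITS=39 layout; adjust for other kernels

# kernel_va_candidates IMAGE: every 8-byte little-endian word (at 8- and
# 4-byte alignment) whose upper 32 bits match the prefix, unique, lowest first.
kernel_va_candidates() {
    local img=$1 skip
    for skip in 0 4; do
        od -An -v -tx8 -j "$skip" "$img" |
            awk -v p="^$KERNEL_VA_PREFIX" '{ for (i = 1; i <= NF; i++) if ($i ~ p) print $i }'
    done | LC_ALL=C sort -u
}

# kernel_start_guess IMAGE: the lowest candidate, usually the kernel start.
kernel_start_guess() {
    kernel_va_candidates "$1" | head -n 1
}

# make_sample_image FILE: constructed input, not a real kernel: text padding,
# one 8-byte aligned kernel pointer, 4 bytes of junk, one 4-byte aligned
# kernel pointer, a user-space looking value and a partial trailing word.
make_sample_image() {
    {
        printf 'ANDROID!'                                   # 8 bytes of padding
        printf '\000\000\020\000\300\377\377\377'           # 0xffffffc000100000, offset 8
        printf 'abcd'                                       # shifts the next word to 4-byte alignment
        printf '\000\000\010\000\300\377\377\377'           # 0xffffffc000080000, offset 20
        printf '\000\020\000\000\000\000\000\000'           # 0x0000000000001000, ignored
        printf 'trail'                                      # 5 bytes, od zero-pads the last word
    } > "$1"
}
```

Usage: make_sample_image /tmp/k.bin; kernel_start_guess /tmp/k.bin prints ffffffc000080000, and the full candidate list also contains ffffffc000100000, which the unaligned-nibble approach could have reported in the wrong byte grouping.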
#5 Find string cross-references in binary image

14/06/2018

Sometimes you need to find the cross-references to a string in a binary. First we need the address of the string, which is obtained with the following command (START_ADDRESS is the address the image is loaded at):
$ offset=$(strings --radix=x binary | awk '/Your string/{print "0x"$1; exit}'); printf "0x%x\n" $(($offset + $START_ADDRESS))
Then look in the disassembled binary (e.g. with objdump) for the places where the string's address is referenced. Note that often the address does not appear directly: the base address of the rodata section is loaded into a register and the string's address is computed by adding an offset to it (on AArch64 typically an adrp followed by an add).
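A version of the offset-to-address step that also works for ELF binaries, as an added example that is not part of the original note: for a flat image the formula above (offset + START_ADDRESS) is exact, but in an ELF the string's file offset has to be translated through the PT_LOAD segment that contains it, because each segment has its own mapping between file offset and virtual address. off2va reads a readelf -lW program-header table from stdin; string_va combines it with strings --radix=x as on the page, using a literal match instead of a regex so that characters like '.' or '(' in the string need no escaping. The readelf output below is a constructed sample; readelf and strings come from binutils.

```shell
# Added example: translate a file offset to a virtual address via PT_LOAD segments.

# Constructed sample of `readelf -lW ./binary` output (addresses invented).
SAMPLE_PHDRS='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  PHDR           0x000040 0x0000000000400040 0x0000000000400040 0x0001f8 0x0001f8 R   0x8
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x0006d8 0x0006d8 R   0x1000
  LOAD           0x001000 0x0000000000401000 0x0000000000401000 0x000175 0x000175 R E 0x1000
  LOAD           0x002000 0x0000000000402000 0x0000000000402000 0x0000f4 0x0000f4 R   0x1000
  LOAD           0x002e10 0x0000000000403e10 0x0000000000403e10 0x000220 0x000228 RW  0x1000'

# off2va FILE_OFFSET <phdrs: print the virtual address of the byte at
# FILE_OFFSET, using the PT_LOAD segment whose file range covers it.
# Fails (status 1) if no segment covers the offset, e.g. for section
# headers or debug data that are never mapped.
off2va() {
    local want=$(( $1 )) type off va pa fsz rest
    while read -r type off va pa fsz rest; do
        [ "$type" = LOAD ] || continue
        if [ "$want" -ge "$(( off ))" ] && [ "$want" -lt "$(( off + fsz ))" ]; then
            printf '0x%x\n' $(( va + want - off ))
            return 0
        fi
    done
    echo "off2va: offset $1 is not inside any PT_LOAD segment" >&2
    return 1
}

# string_va BINARY NEEDLE: virtual address of the first string containing
# NEEDLE. strings --radix=x prints the file offset in hex without 0x, as on
# the page; index() matches literally, so NEEDLE is not treated as a regex.
string_va() {
    local bin=$1 needle=$2 off
    off=$(strings --radix=x "$bin" | awk -v s="$needle" 'index($0, s) { print "0x" $1; exit }')
    [ -n "$off" ] || { echo "string_va: string not found" >&2; return 1; }
    readelf -lW "$bin" | off2va "$off"
}
```

The address printed by string_va is what to look for in the objdump output, either literally or as the target of the base-plus-offset computation described above.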
#6 Mirror/Send all the traffic to the clients of a wireless access point (acts like a hub)

28/06/2018

Sometimes you may need to view the traffic of the other clients connected to a wireless access point; in other words, a situation where every client (or maybe just you) can see the traffic of the others, as if they were connected through a hub. This can be done on the access point with iptables, whose TEE target copies packets to a specific client.
Look at this example:
# iptables -A PREROUTING -t mangle -s 11.12.13.0/24 -j TEE --gateway 11.12.13.14
# iptables -A PREROUTING -t mangle -d 11.12.13.0/24 -j TEE --gateway 11.12.13.14
In this way, all the traffic from and to the subnet 11.12.13.0/24 (the network of the Wi-Fi access point) is copied to one client (11.12.13.14), which must be on the same local network segment; the original packets still take their normal path, since TEE clones them rather than redirecting them. To mirror the traffic to other clients too, or to every client of the subnet, repeat the two rules for each client you want to send the copies to. Keep in mind that the access point needs the xt_TEE module, and that PREROUTING only sees packets its kernel receives for forwarding, so frames that the wireless driver passes directly between two clients may never hit these rules.
#7 Port scanner with netcat and bash

28/05/2020

This is a simple bash function implementing a TCP port scanner based on netcat. I wrote it because I was connected to a machine without nmap installed and without enough privileges to install it.
$ scan() { for port in $(seq 1 65535); do (nc -vz -w 1 "$1" "$port" 2>&1 | grep succeeded) & [ $((port % 200)) -eq 0 ] && wait; done; wait; }
$ scan 127.0.0.1
(Connections are started in batches of 200 and waited for; launching all 65535 background subshells at once exhausts the process table. grep matches the "succeeded!" message of the OpenBSD netcat; other netcat variants word it differently.)
#8 List processes in a Windows memory dump only with ripgrep (yes, without volatility)

26/03/2021

Volatility is a great tool for memory forensics. However, you can also grep the process list with one line, without knowing the memory layout. I use ripgrep, but a normal grep with Perl regular expression support (grep -P) works too. All the process information, including the PID, is stored as strings, and the keyword to look for is 'Win32_Process'. These strings come from WMI's Win32_Process objects rather than from the kernel's process structures, so treat the output as a quick hint and confirm it with Volatility's pslist/psscan when it matters.
$ rg -abo "Win32_Process.{9}Win32_Process.*\x00\x00\x00\x00" memorydump_test.raw | sed "s/\x00\x00*$//g" | sed "s/\x00\x00\x57/\tW/g" | sed "s/\x00\x00/=/g"