Zhang M1suzu
mattypiper
/ armemu.py
Created
June 2, 2016 03:37
ARM Assembly, Emulation, Disassembly using Keystone, Unicorn, and Capstone
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import sys | |
| from keystone import * | |
| from unicorn import * | |
| from unicorn.arm_const import * | |
| from capstone import * | |
| from capstone.arm import * | |
| from capstone.x86 import * |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def getGUID(ea): | |
| data1 = idc.GetManyBytes(ea,4) | |
| data1 = struct.unpack("<I",data1)[0] | |
| #print "%08x" % (data1) | |
| ea += 4 | |
| data2 = idc.GetManyBytes(ea,2) | |
| data2 = struct.unpack("<H",data2)[0] | |
| #print "%04x" % (data2) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -Version 2 | |
| function New-ADPayload { | |
| <# | |
| .SYNOPSIS | |
| Stores PowerShell logic in the mSMQSignCertificates of the specified -TriggerAccount and generates | |
| a one-line launcher. | |
| Author: @harmj0y |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # rename functions loading addresses using nm | |
| import idaapi | |
| import idc | |
| from subprocess import Popen, PIPE | |
| def make_func(addr): | |
| idc.MakeCode(addr) | |
| idc.MakeFunction(addr) |
williballenthin
/ add_segment.py
Last active
December 27, 2019 01:59
Add a segment to an IDA .idb from a file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| IDAPython plugin that adds the contents of a file as a new segment in an existing idb. | |
| Prompts the user for: | |
| - file path | |
| - segment name | |
| - segment starting offset | |
| Useful for reversing engineering packed software and shellcode. | |
| Author: Willi Ballenthin <[email protected]> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Wladimir van der Laan 2016. This document is in the public domain. | |
| BLATSTING reverse-engineering notes. Based on files from the EQGRP free dump, | |
| more specifically in Firewall/BLATSTING/BLATSTING_201381/LP/lpconfig. | |
| In https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html, | |
| BLATSTING is described as "A firewall software implant that is used with EGREGIOUSBLUNDER | |
| (Fortigate) and ELIGIBLEBACHELOR (TOPSEC)". | |
| If true, it's interesting how this implant can target both vendors. Presumably they both use the same Linux |
williballenthin
/ yara_fn.py
Last active
December 4, 2020 05:25
generate a yara rule that matches the basic blocks of the current function in IDA Pro
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| IDAPython script that generates a YARA rule to match against the | |
| basic blocks of the current function. It masks out relocation bytes | |
| and ignores jump instructions (given that we're already trying to | |
| match compiler-specific bytes, this is of arguable benefit). | |
| If python-yara is installed, the IDAPython script also validates that | |
| the generated rule matches at least one segment in the current file. | |
| author: Willi Ballenthin <[email protected]> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| ROP Analyze | |
| Written by St4rk | |
| The code is a total mess and I don't know python (it's one of many reasons | |
| that I decided to use python here, to learn) | |
| Feel free to modify and do whatever you want | |
| ''' | |
| # imports |
in7egral
/ dump_MAC_policies_name.py
Created
September 5, 2016 13:35
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from idc import * | |
| from idaapi import * | |
| def getSysctlSegment(): | |
| addr = 0 | |
| seg = SegByName("__sysctl_set") | |
| if seg != BADADDR: | |
| addr = SegByBase(seg) | |
| return addr |
laxa
/ greeting.py
Created
September 6, 2016 16:00
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| from libformatstr import FormatStr | |
| from pwn import * | |
| import binascii | |
| import struct | |
| import time | |
| def p32(addr): |