Skip to content

Instantly share code, notes, and snippets.

View Wenzel's full-sized avatar

Mathieu Tarral Wenzel

542 followers · 182 following
View GitHub Profile
@Wenzel
Wenzel / build Rekall python3
Last active November 10, 2023 00:42
A shell script to build a Python3 version of Rekall
#!/bin/bash
set -e
# create virtualenv
virtualenv -p python3 venv
# activate venv
source venv/bin/activate
# clone pyff4 python3 (rekall dependency, not available on Pypi)
@Wenzel
Wenzel / Dockerfile libguestfs file bug
Created August 2, 2017 13:35
FROM ubuntu:16.04
# set non interactive only during build
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && \
apt-get install -y \
python3-guestfs python3-docopt wget ipython3 linux-image-generic
WORKDIR /root
@Wenzel
Wenzel / auto_config.py
Created November 22, 2017 22:30
import os
import sys
import stat
import logging
import libvirt
from tempfile import TemporaryDirectory, NamedTemporaryFile
from rekall import plugins, session
def extract_config(ram_dump):
home = os.getenv('HOME')
@Wenzel
Wenzel / test_libvmi.py
Last active June 8, 2022 10:08
#!/usr/bin/env python3
import sys
import libvirt
import logging
from auto_config import get_windows_config
from libvmi import Libvmi, VMIOS, VMIConfig
if __name__ == '__main__':
logger = logging.getLogger()
@Wenzel
Wenzel / grub.conf
Created January 18, 2018 06:05
/etc/default/grub configuration file to get Xen output on a serial cable
GRUB_CMDLINE_LINUX="earlyprintk=xen"
GRUB_CMDLINE_XEN_DEFAULT="com1=115200,8n1 console=com1 loglvl=all guest_lvl=all"
GRUB_TERMINAL="serial"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
@Wenzel
Wenzel / build.log
Created January 20, 2018 12:23
qca
# kdesrc-build running: 'make' '-j8'
# from directory: /work/build/kdesupport/qca
[ 2%] Generating qca_core.moc
[ 2%] Generating __/include/QtCrypto/moc_qca_safetimer.cpp
[ 0%] Generating qca_cert.moc
[ 2%] Generating qca_keystore.moc
[ 2%] Generating qca_default.moc
[ 2%] Generating qca_publickey.moc
[ 3%] Generating qca_safetimer.moc
[ 3%] Generating qca_securelayer.moc
@Wenzel
Wenzel / build.log
Created January 20, 2018 16:23
qca
[ 39%] Generating moc_ringwatch.cpp
[ 40%] Generating moc_mykeystorelist.cpp
[ 40%] Generating moc_mymessagecontext.cpp
Scanning dependencies of target qca-gnupg
[ 41%] Building CXX object plugins/qca-gnupg/CMakeFiles/qca-gnupg.dir/qca-gnupg.cpp.o
In file included from /usr/include/c++/7.2.1/x86_64-pc-linux-gnu/bits/os_defines.h:39:0,
from /usr/include/c++/7.2.1/x86_64-pc-linux-gnu/bits/c++config.h:533,
from /usr/include/c++/7.2.1/type_traits:38,
from /usr/include/qt/QtCore/qglobal.h:45,
from /usr/include/qt/QtCore/qchar.h:43,
@Wenzel
Wenzel / packer.log
Created April 20, 2018 13:08
PACKER_LOG=1 ./packer build windows_7.json
2018/04/20 16:00:26 [INFO] Packer version: 1.2.2
2018/04/20 16:00:26 Packer Target OS/Arch: linux amd64
2018/04/20 16:00:26 Built with Go Version: go1.10
2018/04/20 16:00:26 Detected home directory from env var: /home/tarrma
2018/04/20 16:00:26 Using internal plugin for amazon-chroot
2018/04/20 16:00:26 Using internal plugin for file
2018/04/20 16:00:26 Using internal plugin for lxc
2018/04/20 16:00:26 Using internal plugin for oracle-classic
2018/04/20 16:00:26 Using internal plugin for triton
2018/04/20 16:00:26 Using internal plugin for cloudstack
@Wenzel
Wenzel / bug_resume.c
Last active May 29, 2018 10:10
vmi_resume_vm does not resume VM execution as expected, maybe because a MOV-TO-CR3 event is still in the event buffer waiting to be processed
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/mman.h>
#include <stdio.h>
#include <inttypes.h>
#include <signal.h>
#include <unistd.h>
@Wenzel
Wenzel / memdump.py
Created June 4, 2018 13:16
Create a memory dump using libvirt API
#!/usr/bin/env python3
"""MemDump.
Usage:
memdump.py [options] <vm_name>
Options:
-h --help Show this screen.
"""