alexander-hanel

def median(values):
    n = len(values)

    if n % 2 == 1:
        return values[n // 2]

    return (values[n // 2 - 1] + values[n // 2]) / 2


def quartiles(values):

alexander-hanel

Every project needs a list of articles that I will not read until I fail enough to be motivated to read them.

A month in the laboratory can often save an hour in the library.

Ghidra-MCP

• https://github.com/bethington/ghidra-mcp
• // Will be using Ghidra because Binja Headless and IDA Pro are too expensive for home projects.

clearbluejar/pyghidra-mcp

• https://clearbluejar.github.io/posts/supercharging-ghidra-using-local-llms/

alexander-hanel

Notable links on Intel's Shadow-Stack or CET Mitigations

• Analyzing the Windows kernelshadow stack mitigation
• Intel CET In Action
• Complex Shadow-Stack Updates
• R.I.P ROP: CET Internals in Windows 20H1
• Exploit Development: Investigating Kernel Mode Shadow Stacks on Windows
• What keeps kernel shadow stack effective against kernel exploits?

alexander-hanel

Current working URL

• https://hex-rays.com/blog/tag/igors-tip-of-the-week/

#01: Lesser-known keyboards shorcuts in IDA

• CTRL+Enter to close a window
• hold down ALT to display shortcut options
• ALT-X to save database

source

alexander-hanel

Quick notes on pyproject.toml

Folder Structure

my-project
├── pyproject.toml
└── src
    └── my-project
 └── my_module.py

alexander-hanel

• https://ollama.com/blog/windows-preview
• https://www.vox.com/the-highlight/24034907/use-anger-productively-motivation-problem-solving
• https://werat.dev/blog/learning-about-debuggers/
• https://revers.engineering/beyond-process-and-object-callbacks-an-unconventional-method/
• https://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection/
• https://mcyoung.xyz/2023/08/01/llvm-ir/

alexander-hanel

import idautils
ea = 0x000000140013188
name = ida_name.get_ea_name(ea)
print("found")

# get xrefs to function 
xrefs = [x for x in idautils.CodeRefsTo(ea, 0)]

for func in xrefs:

alexander-hanel

ETW References

• https://bmcder.com/blog/a-begginers-all-inclusive-guide-to-etw
• https://nasbench.medium.com/a-primer-on-event-tracing-for-windows-etw-997725c082bf
• https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/about-event-tracing-for-drivers
• https://gist.github.com/acumenix/ff377ffada032354ad06f61526efc42e
• https://gist.github.com/Holo-Krzysztof/9600dbe63859ee5a8add1123466be187
• https://gist.github.com/mattifestation/04e8299d8bc97ef825affe733310f7bd
• https://github.com/tpn/winsdk-10/blob/master/Include/10.0.14393.0/shared/TraceLoggingProvider.h
• https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
• https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7

alexander-hanel

from cmd or Run

powershell -Command "Start-Process cmd -Verb RunAs"

alexander-hanel

import os
import pefile
import json 

INTERESTING_DLLS = [
    'kernel32.dll', 'comctl32.dll', 'advapi32.dll', 'comdlg32.dll',
    'gdi32.dll',    'msvcrt.dll',   'netapi32.dll', 'ntdll.dll',
    'ntoskrnl.exe', 'oleaut32.dll', 'psapi.dll',    'shell32.dll',
    'shlwapi.dll',  'srsvc.dll',    'urlmon.dll',   'user32.dll',