DanielRTeixeira

<?XML version="1.0"?>
<scriptlet>
<registration 
    progid="PoC"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<!--  License: BSD3-Clause -->
	<script language="JScript">
	<![CDATA[
		//x86 only. C:\Windows\Syswow64\regsvr32.exe /s /u /i:file.sct scrobj.dll

tophertimzen

; Topher Timzen
; Messing around with PE backdooring for CTP/OSCE and wanted to make a new thread inside of process to avoid synchronization issues. 
; Tons of NULL as I used this in a PE directly, no need to avoid them.
; nasm CreateThread.asm -o CreateThread.raw; xxd -p CreateThread.raw | tr -d '\n'

[BITS 32] 

[SECTION .text]
global _start

williballenthin

references:

• https://reverseengineering.stackexchange.com/questions/1597/reverse-engineering-a-visual-basic-p-code-binary
• http://web.archive.org/web/20071020232030/http://www.alex-ionescu.com/vb.pdf (ref: Alex Ionescu)
• http://web.archive.org/web/20101127044116/http://vb-decompiler.com/pcode/opcodes.php?t=1
• https://github.com/bontchev/pcodedmp
• http://www.openrce.org/blog/view/1719/Visual_Basic_6_IDC_updated
• https://pediy.com/thread-12832.htm
• https://github.com/vic4key/VB-Exe-Parser/blob/master/VB-Parser.py
• http://www.openrce.org/repositories/users/Paolo/vbpython.py

countercept

import time
import etw
import etw.evntrace
import sys
import argparse
import threading


class RundownDotNetETW(etw.ETW):
    def __init__(self, verbose, high_risk_only):

mattifestation

[
    {
        "ProviderGUID":  "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a",
        "ProviderName":  "AccEventTool",
        "ProviderGroupGUID":  "4f50731a-89cf-4782-b3e0-dce8c90476ba",
        "AssociatedFilenames":  [
                                    "accevent.exe",
                                    "inspect.exe",
                                    "narrator.exe",
                                    "srh.dll"

cmatthewbrooks

##############################################################################
#
# Name: hello_world_plugin.py
# Auth: @cmatthewbrooks
# Desc: A test plugin to learn how to make these work; Specifically, how to
#       have multiple actions within the same plugin.
#
#       In plain English, IDA will look for the PLUGIN_ENTRY function which
#       should return a plugin object. This object can contain all the 
#       functionality itself, or it can have multiple actions.

lucasg

import ida_bytes
import binascii

def get_guid(address):
   
    data1 = ida_bytes.get_dword(address)
    data2 = ida_bytes.get_word(address + 4)
    data3 = ida_bytes.get_word(address + 6)
    data4 = ida_bytes.get_bytes(address + 8, 8)

icecr4ck

IDA Microcode notes

References

• Ilfak's presentation at Recon 2018
• Microcode in pictures
• Hex-Rays Microcode API vs. Obfuscating Compiler
• Scripts vds10, vds11, vds12 and vds13 from Hex-Rays SDK

Implementation

MattPD

Program Analysis Resources

(draft; work in progress)

See also:

• Compilers
  • correctness
• Program analysis:
• Dynamic analysis - instrumentation, translation, sanitizers

icecr4ck

IDAPython cheatsheet

Important links

• Porting IDAPython plugins to IDA 7.4
• Hex-Rays IDAPython official documentation

Basic commands

Get informations on the binary