Alexander Hanel alexander-hanel
😶
OALabs
/ revil_strings.py
Created
January 26, 2020 22:13
Decrypt REvil ransomware strings with IDA Python
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idaapi, idc, idautils | |
| class DecryptorError(Exception): | |
| pass | |
| def rc4crypt(key, data): | |
| x = 0 | |
| box = range(256) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using Microsoft.Diagnostics.Tracing; | |
| using Microsoft.Diagnostics.Tracing.Session; | |
| using Microsoft.Diagnostics.Tracing.Parsers; | |
| using System.IO; | |
| using System.Collections.Generic; | |
| using System.Reflection; | |
| using Newtonsoft.Json; |
(draft; work in progress)
See also:
- Compilers
- Program analysis:
- Dynamic analysis - instrumentation, translation, sanitizers
icecr4ck
/ ida_mc_notes.md
Last active
April 29, 2025 08:21
Some notes about the IDA Microcode (intermediate language).
- Ilfak's presentation at Recon 2018
- Microcode in pictures
- Hex-Rays Microcode API vs. Obfuscating Compiler
- Scripts vds10, vds11, vds12 and vds13 from Hex-Rays SDK
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ida_bytes | |
| import binascii | |
| def get_guid(address): | |
| data1 = ida_bytes.get_dword(address) | |
| data2 = ida_bytes.get_word(address + 4) | |
| data3 = ida_bytes.get_word(address + 6) | |
| data4 = ida_bytes.get_bytes(address + 8, 8) |
cmatthewbrooks
/ hello_world_plugin.py
Created
April 25, 2019 12:41
The simplest possible IDA plugin with multiple actions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################################################################## | |
| # | |
| # Name: hello_world_plugin.py | |
| # Auth: @cmatthewbrooks | |
| # Desc: A test plugin to learn how to make these work; Specifically, how to | |
| # have multiple actions within the same plugin. | |
| # | |
| # In plain English, IDA will look for the PLUGIN_ENTRY function which | |
| # should return a plugin object. This object can contain all the | |
| # functionality itself, or it can have multiple actions. |
mattifestation
/ NiftyETWProviders.json
Created
December 21, 2018 19:27
ETW providers you never knew existed...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| { | |
| "ProviderGUID": "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a", | |
| "ProviderName": "AccEventTool", | |
| "ProviderGroupGUID": "4f50731a-89cf-4782-b3e0-dce8c90476ba", | |
| "AssociatedFilenames": [ | |
| "accevent.exe", | |
| "inspect.exe", | |
| "narrator.exe", | |
| "srh.dll" |
countercept
/ dotnet-runtime-etw.py
Last active
August 22, 2023 16:02
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| import etw | |
| import etw.evntrace | |
| import sys | |
| import argparse | |
| import threading | |
| class RundownDotNetETW(etw.ETW): | |
| def __init__(self, verbose, high_risk_only): |
references:
- https://reverseengineering.stackexchange.com/questions/1597/reverse-engineering-a-visual-basic-p-code-binary
- http://web.archive.org/web/20071020232030/http://www.alex-ionescu.com/vb.pdf (ref: Alex Ionescu)
- http://web.archive.org/web/20101127044116/http://vb-decompiler.com/pcode/opcodes.php?t=1
- https://github.com/bontchev/pcodedmp
- http://www.openrce.org/blog/view/1719/Visual_Basic_6_IDC_updated
- https://pediy.com/thread-12832.htm
- https://github.com/vic4key/VB-Exe-Parser/blob/master/VB-Parser.py
- http://www.openrce.org/repositories/users/Paolo/vbpython.py