test.py
with open("test.txt", "w") as outfile:
outfile.write("Hello!")IDAPYTHON script Example
C:\Users\this\Desktop>"C:\Program Files\IDA 7.1\idat.exe" -Stest.py test.idb
Alexander Hanel alexander-hanel
😶
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import pefile | |
| import sys | |
| import datetime | |
| import zlib | |
| """ | |
| Author: Alexander Hanel | |
| Summary: Most common pefile usage examples | |
| Date: 20181226 | |
| """ |
alexander-hanel
/ find_xor_funcs.py
Created
February 6, 2019 17:28
Find XOR functions and print address, bytes and instructions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| func_dict = {} | |
| XOR_COUNT = 2 | |
| FUNC_LEN = 35 | |
| for func in idautils.Functions(): | |
| flags = idc.get_func_attr(func, FUNCATTR_FLAGS) | |
| if flags & FUNC_LIB or flags & FUNC_THUNK: | |
| continue | |
| dism_addr = list(idautils.FuncItems(func)) | |
| for line in dism_addr: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import datetime | |
| import glob | |
| import hashlib | |
| import os | |
| import pefile | |
| import sys | |
| def rename_timestamp(file_path): | |
| try: | |
| data = open(file_path, "rb").read() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import subprocess | |
| import glob | |
| import pefile | |
| IMAGE_FILE_MACHINE_I386 = 0x014c | |
| IMAGE_FILE_MACHINE_AMD64 = 0x8664 | |
| paths = glob.glob("*") | |
| ida_path = os.path.join(r'C:\Program Files\IDA 7.0',"idat.exe") |
alexander-hanel
/ cmd.md
Last active
February 25, 2019 03:01
alexander-hanel
/ bindiff5-win-patch.bat
Last active
December 24, 2020 02:04
bindiff5-win-patch.bat bindiff5.msi (see comments at the bottom)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| ( | |
| echo -----BEGIN CERTIFICATE----- | |
| echo 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgAEAP7/DAAGAAAAAAAAAAEAAAABAAAA | |
| echo AQAAAAAAAAAAEAAAAgAAAAEAAAD+////AAAAAAAAAAD///////////////////// | |
| echo //////////////////////////////////////////////////////////////// | |
| echo //////////////////////////////////////////////////////////////// | |
| echo //////////////////////////////////////////////////////////////// | |
| echo //////////////////////////////////////////////////////////////// | |
| echo //////////////////////////////////////////////////////////////// |
alexander-hanel
/ tiny_nuke_new_decoder.py
Last active
April 8, 2019 17:26
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def hexdump(src, length=16): | |
| FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.' for x in range(256)]) | |
| lines = [] | |
| for c in xrange(0, len(src), length): | |
| chars = src[c:c+length] | |
| hex = ' '.join(["%02x" % ord(x) for x in chars]) | |
| printable = ''.join(["%s" % ((ord(x) <= 127 and FILTER[ord(x)]) or '.') for x in chars]) | |
| lines.append("%04x %-*s %s\n" % (c, length*3, hex, printable)) | |
| return ''.join(lines) | |
alexander-hanel
/ rename_func.py
Created
April 9, 2019 16:02
rename function based off of comment in operand
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def rrename(): | |
| func = idaapi.get_func(here()).startEA | |
| idc.set_name(func, idc.get_cmt(idc.get_operand_value(here(),1), True) + "_", SN_CHECK) |
alexander-hanel
/ get_comments.py
Created
May 9, 2019 17:29
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| comments = {} | |
| for func in idautils.Functions(): | |
| flags = idc.get_func_attr(func, FUNCATTR_FLAGS) # skip library & thunk functions | |
| if flags & FUNC_LIB or flags & FUNC_THUNK: | |
| continue | |
| dism_addr = list(idautils.FuncItems(func)) | |
| for ea in dism_addr: | |
| temp = idc.get_cmt(ea, 0) | |
| if temp: |
alexander-hanel
/ init_helper.py
Last active
May 13, 2020 01:47
Find usage of XOR, XOR blocks, size of the XOR loop and dynamic calls.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| import operator | |
| JMPS = [eval("idaapi."+name) for name in dir(idaapi) if "NN_j" in name] | |
| def get_riat_func(): | |
| gpa = idc.get_name_ea_simple("GetProcAddress") | |
| func_gpa = {} | |
| for tt in idautils.XrefsTo(gpa, 0): | |
| if tt.type != 3: # Data_Read: |