Follow along for https://medium.com/a-journey-with-go/go-overview-of-the-compiler-4e5a153ca889
Set enviornmental variable for GOSSAFUNC
C:\Go\projects\overview>set GOSSAFUNC=maincls
Contents of overview.go
package main
Alexander Hanel alexander-hanel
😶
alexander-hanel
/ nopme.py
Last active
January 16, 2024 08:02
IDAPYTHON script for patching bytes that match a regex pattern with NOPs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| import re | |
| import struct | |
| """ | |
| Example 1 | |
| .text:3500108D 60 pusha | |
| .text:3500108E 66 B8 65 4B mov ax, 4B65h | |
| .text:35001092 |
alexander-hanel
/ elf_go.py
Created
October 16, 2020 21:02
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # pip3 install pygore | |
| # modified version of code from https://go-re.tk/pygore/ | |
| import glob | |
| import pygore | |
| from hashlib import md5 | |
| def go_hash(data): | |
| return md5(b','.join(data)).hexdigest() | |
| for _file in glob.glob("*"): | |
| if _file.endswith(".py") or _file.endswith(".txt"): | |
| continue |
alexander-hanel
/ pe_ham_brute.py
Created
November 10, 2020 17:24
Brute force XOR encrypted executables using hamming distance
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| Author: | |
| Alexander Hanel | |
| Name: | |
| pe_ham_brute.py | |
| Purpose: | |
| - POC that searches for n-grams and uses them as the XOR key. | |
| - Also uses hamming distance to guess key size. Check out cryptopals Challenge 6 | |
| for more details https://cryptopals.com/sets/1/challenges/6 | |
| Example: |
- https://versprite.com/blog/security-research/windows-named-pipes-static-analysis-exploitation/
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf
- https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/
- https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DEBUG = True | |
| def get_basic_block(ea): | |
| """get basic blocks of address""" | |
| f = idaapi.get_func(ea) | |
| fc = idaapi.FlowChart(f) | |
| for block in fc: | |
| if block.start_ea <= ea: | |
| if block.end_ea > ea: | |
| return block.start_ea, block.end_ea |
alexander-hanel
/ go_functab.py
Created
April 26, 2021 18:03
redefine functions for go lang. Kind of sucks but it works.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| func_tab = idc.get_name_ea_simple("functab") | |
| for ea in idautils.DataRefsTo(func_tab): | |
| offset = idc.get_qword(ea) | |
| ida_bytes.del_items(offset) | |
| ida_auto.auto_wait() | |
| idc.create_insn(offset) | |
| ida_auto.auto_wait() | |
alexander-hanel
/ export.py
Created
August 2, 2021 16:56
x64dbg Address Export to IDA for Import Rebuilding
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from idaapi import * | |
| import idautils | |
| import idc | |
| class X64DBG_ADDR_TO_IDA: | |
| def __init__(self): | |
| self.fileName = ida_kernwin.ask_file(0, "*.*", 'X64DBG Address Exported') | |
| self.content = [] | |
| self.getFile() | |
| self.renameAddr() |
alexander-hanel
/ ctypes_from_buffer.py
Last active
September 3, 2021 16:27
ctypes from buffer example
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class COFFSYMBOLTABLE(ctypes.Structure): | |
| """ | |
| Described in [PE-COFF] 5.4. Coff Symbol Table | |
| """ | |
| _pack_ = 1 | |
| _fields_ = [ | |
| ("zeroes", ctypes.c_uint), ("offset", ctypes.c_uint), ("value", ctypes.c_uint), | |
| ("section_number", ctypes.c_short), ("type", ctypes.c_ushort), ("storage_class", ctypes.c_ubyte), | |
| ("number_aux_symbols", ctypes.c_ubyte) | |
| ] |