- https://versprite.com/blog/security-research/windows-named-pipes-static-analysis-exploitation/
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf
- https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/
- https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
Alexander Hanel alexander-hanel
😶
Follow along for https://medium.com/a-journey-with-go/go-overview-of-the-compiler-4e5a153ca889
Set enviornmental variable for GOSSAFUNC
C:\Go\projects\overview>set GOSSAFUNC=maincls
Contents of overview.go
package main
alexander-hanel
/ pe_ham_brute.py
Created
November 10, 2020 17:24
Brute force XOR encrypted executables using hamming distance
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| Author: | |
| Alexander Hanel | |
| Name: | |
| pe_ham_brute.py | |
| Purpose: | |
| - POC that searches for n-grams and uses them as the XOR key. | |
| - Also uses hamming distance to guess key size. Check out cryptopals Challenge 6 | |
| for more details https://cryptopals.com/sets/1/challenges/6 | |
| Example: |
alexander-hanel
/ elf_go.py
Created
October 16, 2020 21:02
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # pip3 install pygore | |
| # modified version of code from https://go-re.tk/pygore/ | |
| import glob | |
| import pygore | |
| from hashlib import md5 | |
| def go_hash(data): | |
| return md5(b','.join(data)).hexdigest() | |
| for _file in glob.glob("*"): | |
| if _file.endswith(".py") or _file.endswith(".txt"): | |
| continue |
alexander-hanel
/ nopme.py
Last active
January 16, 2024 08:02
IDAPYTHON script for patching bytes that match a regex pattern with NOPs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| import re | |
| import struct | |
| """ | |
| Example 1 | |
| .text:3500108D 60 pusha | |
| .text:3500108E 66 B8 65 4B mov ax, 4B65h | |
| .text:35001092 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ea = idaapi.get_screen_ea() | |
| cfunc = idaapi.decompile(ea) | |
| for cc, item in enumerate(cfunc.treeitems): | |
| if item.ea != BADADDR: | |
| if cfunc.treeitems.at(cc).ea == here(): | |
| print(cc) | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| import re | |
| import struct | |
| """ | |
| String Storage | |
| Example 1 | |
| .text:004344F5 8D 05 47 3E 50 00 lea eax, stru_503E47 |
alexander-hanel
/ GORE.md
Last active
April 4, 2025 10:48
Go Lang Reverse Engineering Resources/Links
- Dissecting Go Binaries
- Go: Overview of the Compiler
- Go compiler internals: adding a new statement to Go - Part 1
- Go compiler internals: adding a new statement to Go - Part 2
- Reversing GO binaries like a pro
- How a Go Program Compiles down to Machine Code
- Analyzing Golang Executables
- Go Reverse Engineering Tool Kit
- go-internals book
- [Reconstructing Program Semantics from Go Binaries](http://home.in.tum.de/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from idaapi import PluginForm | |
| from PyQt5 import QtCore, QtGui, QtWidgets | |
| import sip | |
| class MyPluginFormClass(PluginForm): | |
| def OnCreate(self, form): | |
| """ | |
| Called when the widget is created | |
| """ |
alexander-hanel
/ enum_me.py
Last active
August 12, 2024 15:15
IDAPython PROCESSINFOCLASS & THREADINFOCLASS Enum Values for ZwQueryInformationProcess & ZwQueryInformationThread
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # IDAPYTHON 7.4 | |
| id = idc.add_enum(-1, "PROCESSINFOCLASS", idaapi.hex_flag()) | |
| # 0x0 ProcessBasicInformation, // 0, q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION | |
| idc.add_enum_member(id, "ProcessBasicInformation", 0, -1) | |
| # 0x1 ProcessQuotaLimits, // 1, qs: QUOTA_LIMITS, QUOTA_LIMITS_EX | |
| idc.add_enum_member(id, "ProcessQuotaLimits", 1, -1) | |
| # 0x2 ProcessIoCounters, // 2, q: IO_COUNTERS | |
| idc.add_enum_member(id, "ProcessIoCounters", 2, -1) | |
| # 0x3 ProcessVmCounters, //3, q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2 | |
| idc.add_enum_member(id, "ProcessVmCounters", 3, -1) |