test.py
with open("test.txt", "w") as outfile:
outfile.write("Hello!")

IDAPYTHON script Example
C:\Users\this\Desktop>"C:\Program Files\IDA 7.1\idat.exe" -Stest.py test.idb
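def hexdump(src, length=16):
    """Render *src* as a classic hex dump, one row of *length* bytes per line.

    Each output line has the form ``<offset> <hex bytes> <ascii>``: a four-digit
    hex offset, the bytes as two-digit hex pairs left-justified to
    ``length * 3`` columns, and an ASCII column. Only printable 7-bit ASCII
    (0x20-0x7e, backslash excluded) is shown literally; every other value,
    including control characters and anything >= 0x80, is rendered as ``'.'``,
    so the dump never forwards raw control bytes from the input to the
    terminal.

    Args:
        src: Data to dump. ``bytes``/``bytearray`` (Python 3) or a byte ``str``
            (Python 2) are dumped byte by byte; a Python 3 ``str`` is dumped by
            the code point of each character.
        length: Number of bytes per output line (default 16).

    Returns:
        The dump as a single string, each line ending in ``'\\n'``. An empty
        *src* yields ``''``.

    Raises:
        ValueError: If *length* is not a positive integer.
    """
    if length <= 0:
        raise ValueError("length must be a positive integer")
    # Byte values shown literally in the ASCII column: printable ASCII minus
    # backslash, i.e. the same set the classic ``len(repr(chr(x))) == 3``
    # filter selects.
    printable = ''.join(
        chr(x) if 0x20 <= x <= 0x7e and x != 0x5c else '.' for x in range(256)
    )
    # Normalise to integer values: Python 3 bytes iterate as ints, while a
    # Python 2 str (and a Python 3 str) iterates as one-character strings.
    values = [x if isinstance(x, int) else ord(x) for x in src]
    lines = []
    for offset in range(0, len(values), length):
        chunk = values[offset:offset + length]
        hex_part = ' '.join('%02x' % b for b in chunk)
        ascii_part = ''.join(printable[b] if b < 256 else '.' for b in chunk)
        lines.append('%04x %-*s %s\n' % (offset, length * 3, hex_part, ascii_part))
    return ''.join(lines)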
| @echo off | |
| ( | |
| echo -----BEGIN CERTIFICATE----- | |
| echo 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgAEAP7/DAAGAAAAAAAAAAEAAAABAAAA | |
| echo AQAAAAAAAAAAEAAAAgAAAAEAAAD+////AAAAAAAAAAD///////////////////// | |
| echo //////////////////////////////////////////////////////////////// | |
| echo //////////////////////////////////////////////////////////////// | |
| echo //////////////////////////////////////////////////////////////// | |
| echo //////////////////////////////////////////////////////////////// | |
| echo //////////////////////////////////////////////////////////////// |
test.py
with open("test.txt", "w") as outfile:
outfile.write("Hello!")

IDAPYTHON script Example
C:\Users\this\Desktop>"C:\Program Files\IDA 7.1\idat.exe" -Stest.py test.idb
| import os | |
| import subprocess | |
| import glob | |
| import pefile | |
# Values of the PE file header ``Machine`` field (IMAGE_FILE_HEADER.Machine)
# for 32-bit x86 and for x86-64 respectively.
IMAGE_FILE_MACHINE_I386 = 0x014c
IMAGE_FILE_MACHINE_AMD64 = 0x8664
# Every entry in the current working directory, files and directories alike,
# not just PE samples; the script must be launched from a directory that holds
# only the inputs meant to be processed (how ``paths`` is consumed is not
# visible in this excerpt).
paths = glob.glob("*")
# Text-mode IDA launcher; the IDA version directory is hard-coded here.
ida_path = os.path.join(r'C:\Program Files\IDA 7.0',"idat.exe")
| import datetime | |
| import glob | |
| import hashlib | |
| import os | |
| import pefile | |
| import sys | |
| def rename_timestamp(file_path): | |
| try: | |
| data = open(file_path, "rb").read() |
| import idautils | |
# Collects per-function results from the scan loop that follows; its key and
# value types are not visible in this excerpt -- confirm against the loop body.
func_dict = {}
# Thresholds used by the scan below: presumably a minimum number of xor
# instructions per function and a bound on function length in instructions --
# TODO confirm where the loop (cut off in this excerpt) applies them.
XOR_COUNT = 2
FUNC_LEN = 35
| for func in idautils.Functions(): | |
| flags = idc.get_func_attr(func, FUNCATTR_FLAGS) | |
| if flags & FUNC_LIB or flags & FUNC_THUNK: | |
| continue | |
| dism_addr = list(idautils.FuncItems(func)) | |
| for line in dism_addr: |
| import pefile | |
| import sys | |
| import datetime | |
| import zlib | |
| """ | |
| Author: Alexander Hanel | |
| Summary: Most common pefile usage examples | |
| Date: 20181226 | |
| """ |
from PyQt5 import QtWidgets, QtGui
class ListViewDemoDialog(QtWidgets.QDialog):
def __init__(self):
super(ListViewDemoDialog, self).__init__()
# create a layout to place controllers (called widgets) on
layout = QtWidgets.QVBoxLayout()| import base64 | |
| import sys | |
| import re | |
| import gzip | |
| import StringIO | |
| import hexdump as h | |
| from capstone import * | |
| # old code from https://bitbucket.org/snippets/Alexander_Hanel/onboA/p0wnedshell-shellcode-extractor |
| import yara | |
| import operator | |
| import idautils | |
# Local copies of the IDA SDK search flag bits (the SEARCH_* constants of
# ida_search / idc). They are individual bits and are OR-ed together to build
# the flags argument of IDA's find_* search functions.
SEARCH_CASE = 4        # case-sensitive matching
SEARCH_REGEX = 8       # interpret the pattern as a regular expression
SEARCH_NOBRK = 16      # do not check for a user break while searching
SEARCH_NOSHOW = 32     # do not display search progress
SEARCH_UNICODE = 64    # treat the pattern as a Unicode string
SEARCH_IDENT = 128     # match whole identifiers only