test.py
with open("test.txt", "w") as outfile:
outfile.write("Hello!")IDAPYTHON script Example
C:\Users\this\Desktop>"C:\Program Files\IDA 7.1\idat.exe" -Stest.py test.idb
Alexander Hanel alexander-hanel
😶
alexander-hanel
/ cmd.md
Last active
February 25, 2019 03:01
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import subprocess | |
| import glob | |
| import pefile | |
| IMAGE_FILE_MACHINE_I386 = 0x014c | |
| IMAGE_FILE_MACHINE_AMD64 = 0x8664 | |
| paths = glob.glob("*") | |
| ida_path = os.path.join(r'C:\Program Files\IDA 7.0',"idat.exe") |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import datetime | |
| import glob | |
| import hashlib | |
| import os | |
| import pefile | |
| import sys | |
| def rename_timestamp(file_path): | |
| try: | |
| data = open(file_path, "rb").read() |
alexander-hanel
/ find_xor_funcs.py
Created
February 6, 2019 17:28
Find XOR functions and print address, bytes and instructions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| func_dict = {} | |
| XOR_COUNT = 2 | |
| FUNC_LEN = 35 | |
| for func in idautils.Functions(): | |
| flags = idc.get_func_attr(func, FUNCATTR_FLAGS) | |
| if flags & FUNC_LIB or flags & FUNC_THUNK: | |
| continue | |
| dism_addr = list(idautils.FuncItems(func)) | |
| for line in dism_addr: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import pefile | |
| import sys | |
| import datetime | |
| import zlib | |
| """ | |
| Author: Alexander Hanel | |
| Summary: Most common pefile usage examples | |
| Date: 20181226 | |
| """ |
from PyQt5 import QtWidgets, QtGui
class ListViewDemoDialog(QtWidgets.QDialog):
def __init__(self):
super(ListViewDemoDialog, self).__init__()
# create a layout to place controllers (called widgets) on
layout = QtWidgets.QVBoxLayout()
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import base64 | |
| import sys | |
| import re | |
| import gzip | |
| import StringIO | |
| import hexdump as h | |
| from capstone import * | |
| # old code from https://bitbucket.org/snippets/Alexander_Hanel/onboA/p0wnedshell-shellcode-extractor |
alexander-hanel
/ yara_ida_search.py
Last active
June 14, 2020 08:43
Minimum Yara Search for IDAPYTHON
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import yara | |
| import operator | |
| import idautils | |
| SEARCH_CASE = 4 | |
| SEARCH_REGEX = 8 | |
| SEARCH_NOBRK = 16 | |
| SEARCH_NOSHOW = 32 | |
| SEARCH_UNICODE = 64 | |
| SEARCH_IDENT = 128 |
alexander-hanel
/ idanal.py
Created
September 26, 2018 14:44
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ida_yara | |
| import idautils | |
| def is_lib(ea): | |
| flags = idc.get_func_attr(ea, FUNCATTR_FLAGS) | |
| if flags & FUNC_LIB: | |
| return True | |
| else: | |
| return False |
alexander-hanel
/ rtd.py
Created
September 24, 2018 21:29
a simple recursive traversal disassembly using capstone and pefile. Only follows code execution.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import re | |
| import pefile | |
| import string | |
| import struct | |
| from capstool import CapsTool | |
| from capstone import * | |
| from capstone.x86 import * | |
| BCC = ["je", "jne", "js", "jns", "jp", "jnp", "jo", "jno", "jl", "jle", "jg", |