Most commons are cdecl, stdcall, fastcall
In function calls, parameters are pushed onto the stack/registers from right to left.
int func(int x, int y, int z, int m, int k);
int a, b, c, d, e, ret;
ilbaroni
ilbaroni
/ emulator-extended-x64.py
Created
May 4, 2022 10:26
— forked from Barakat/emulator-extended-x64.py
Emulating x64 machine code using Unicorn (A CPU scriptable emulator)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!python3 | |
| # -*- coding: utf-8 -*- | |
| # pip install unicorn | |
| import unicorn | |
| import unicorn.x86_const | |
| import struct | |
| def required_mapping_size(size): | |
| page_size = 4096 |
ilbaroni
/ pyspark-geoip2.py
Created
March 24, 2022 14:56
— forked from geekmoss/pyspark-geoip2.py
PySpark Geoip2 udf for get country & least specific region
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pyspark import SparkContext, SparkFiles | |
| from pyspark.sql import SparkSession | |
| from pyspark.sql.types import * | |
| from pyspark.sql.functions import DataFrame, udf, col | |
| from geoip2 import database | |
| from geoip2.errors import AddressNotFoundError | |
| from geoip2.models import City | |
| sc = SparkContext() | |
| spark = SparkSession(sc) |
ilbaroni
/ Ghidra-OSX-Launcher-Script.scpt
Created
December 28, 2021 19:50
— forked from yifanlu/Ghidra-OSX-Launcher-Script.scpt
Ghidra.app launcher for OSX
ilbaroni
/ pandas.py
Created
November 12, 2021 12:12
— forked from rjurney/pandas.py
Load Gzipped JSON Lines generated by Spark into Pandas
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import pandas as pd | |
| import numpy as np | |
| import glob | |
| pd.set_option('display.max_columns', 500) | |
| all_files = glob.glob('../data/patent_applications/2019-04-07.jsonl.gz/part-*.json.gz') | |
| li = [] | |
| for filename in all_files: |
ilbaroni
/ callcon.md
Created
October 25, 2021 11:10
— forked from sucremad/callcon.md
Function Call Conventions
ilbaroni
/ anonymize_idb.py
Created
October 23, 2021 00:38
— forked from NeatMonster/anonymize_idb.py
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ida_netnode | |
| """ | |
| You can also switch the shell into IDC mode and enter del_user_info(). | |
| You can also edit your `~/ida-x/cfg/ida.cfg` and set `STORE_USER_INFO` to `NO`. | |
| """ | |
| # This will replace the original user blob with the evaluation version blob. | |
| ORIGINAL_USER = \ |
ilbaroni
/ trick_str.cpp
Created
October 22, 2021 23:58
— forked from hasherezade/trick_str.cpp
Small utility do deobfuscate TrickBot strings
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include "peconv.h" | |
| /* | |
| Requires a path to the original trick bot module: 0a7da84873f2a4fe0fcc58c88bbbe39d | |
| */ | |
| #define OFFSET_DECODE_LIST 0x10ab0 //decode_from_the_list |
ilbaroni
/ EtwpCreateEtwThread.rs
Created
August 6, 2021 22:21
— forked from Nexact/EtwpCreateEtwThread.rs
Classic Windows process injection written in Rust using EtwpCreateEtwThread & a XOR routine to decrypt shellcode.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #![windows_subsystem = "windows"] | |
| extern crate libc; | |
| use std::os::raw::{c_void, c_int}; | |
| use std::{ptr, thread, time}; | |
| #[link(name = "kernel32")] | |
| #[link(name = "user32")] | |
| extern "stdcall" { | |
| pub fn LoadLibraryA(lpFileName: *const u8) -> *const usize; | |
| pub fn GetProcAddress(hModule: *const usize, lpProcName: *const u8) -> *const usize; |
ilbaroni
/ python_rsa_example.py
Created
June 14, 2021 18:06
— forked from hotpotcookie/python_rsa_example.py
RSA Encryption/Decryption with python
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Inspired from https://medium.com/@ismailakkila/black-hat-python-encrypt-and-decrypt-with-rsa-cryptography-bd6df84d65bc | |
| # Updated to use python3 bytes and pathlib | |
| import zlib | |
| import base64 | |
| from Crypto.PublicKey import RSA | |
| from Crypto.Cipher import PKCS1_OAEP | |
| from pathlib import Path | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| advapi32.dll!A_SHAFinal -> 0xF4E238A7 | |
| advapi32.dll!A_SHAInit -> 0xDA327198 | |
| advapi32.dll!A_SHAUpdate -> 0xD0B4D215 | |
| advapi32.dll!AbortSystemShutdownA -> 0xC0D2ED81 | |
| advapi32.dll!AbortSystemShutdownW -> 0xD395D051 | |
| advapi32.dll!AccessCheck -> 0xF9ABFC27 | |
| advapi32.dll!AccessCheckAndAuditAlarmA -> 0xDB243296 | |
| advapi32.dll!AccessCheckAndAuditAlarmW -> 0xC8630F46 | |
| advapi32.dll!AccessCheckByType -> 0xDC6520A8 | |
| advapi32.dll!AccessCheckByTypeAndAuditAlarmA -> 0xD0023DC7 |