Skip to content

Instantly share code, notes, and snippets.

View peta909's full-sized avatar
🏠
Working from home

Mark Lim peta909

🏠
Working from home
32 followers · 5 following
View GitHub Profile
@peta909
peta909 / gist:e4203e368dbb401aeab82f8dc6d0f1b3
Created May 15, 2025 04:24 — forked from wxsBSD/gist:4ec929a0eb07d8e3feeccc49e0d9aa2a
Counting string matches in YARA with awk

Counting number of times strings match in YARA with awk...

wxs@wxs-mbp yara % cat rules/test.yara
rule a { strings: $a = "FreeBSD" nocase  $b = "usage: " condition: any of them }
wxs@wxs-mbp yara % ./yara -s rules/test.yara /bin/ls
a /bin/ls
0xb8e1:$a: FreeBSD
0xb9a1:$a: FreeBSD
0xb9f1:$a: FreeBSD
@peta909
peta909 / ida_mc_notes.md
Created December 22, 2024 12:57 — forked from icecr4ck/ida_mc_notes.md
Some notes about the IDA Microcode (intermediate language).
@peta909
peta909 / PE PACKER
Created October 19, 2023 12:22 — forked from securitygab/PE PACKER
A simple x86 packer that uses APLib,
#########################################
# Created by @kuroi_dotsh - KuroiSH #
# Website: https://dengisan.nl/ #
# E-mail: [email protected] #
#########################################
;
; The executable is stored in the final section, so that it does not need
; relocations (as we can simply load it over our own headers and pad with
; virtualsize to keep our module running).
@peta909
peta909 / idapython_ctree.md
Created January 16, 2022 12:11 — forked from icecr4ck/idapython_ctree.md
Notes on CTREE usage with IDAPython

IDAPython CTREE

Important links

Description

The CTREE is built from the optimized microcode (maturity at CMAT_FINAL), it represents an AST-like tree with C statements and expressions. It can be printed as C code.

@peta909
peta909 / x96shell_msgbox.asm
Created May 8, 2021 01:47 — forked from aaaddress1/x96shell_msgbox.asm
x96 Windows Shellcode: one payload able to used in both 32-bit & 64-bit
; x96 shellcode (x32+x64) by [email protected]
; yasm -f bin -o x96shell_msgbox x96shell_msgbox.asm
section .text
bits 32
_main:
call entry
entry:
mov ax, cs
sub ax, 0x23
jz retTo32b
@peta909
peta909 / main.cpp
Created November 14, 2020 15:46 — forked from hasherezade/main.cpp
Get PEB64 from a WOW64 process
#include <Windows.h>
#include <iostream>
#include "ntdll_undoc.h"
PPEB get_default_peb()
{
#if defined(_WIN64)
return (PPEB)__readgsqword(0x60);
#else
@peta909
peta909 / Wow64Hook.cpp
Created August 27, 2020 16:21 — forked from hoangprod/Wow64Hook.cpp
Wow64Hook example
#include "stdafx.h"
#include <iostream>
LPVOID lpJmpRealloc = nullptr;
DWORD Backup_Eax, Handle, Address_1, New, Old, *DwSizee;
const DWORD_PTR __declspec(naked) GetGateAddress()
{
__asm
{
@peta909
peta909 / hyperdetect.c
Created June 27, 2020 02:23 — forked from drew-gpf/hyperdetect.c
//this requires being able to run at kernel mode and assumes you're using MSVC
//this also uses an unnamed structure for cr0_t, which is a nonstandard extension of the C language
//data structure for cr0
typedef union _cr0_t
{
struct
{
uint64_t protection_enable : 1;
@peta909
peta909 / peb_parsing.md
Created June 26, 2019 10:32 — forked from williballenthin/peb_parsing.md

manual import resolution

example from 0f5d5d07c6533bc6d991836ce79daaa1:

_0:00F20012 33 D2                   xor     edx, edx
_0:00F20014 64 8B 52 30             mov     edx, fs:[edx+30h] // TEB->PEB
_0:00F20018 8B 52 0C                mov     edx, [edx+0Ch]    // PEB->LDR_DATA
_0:00F2001B 8B 52 14                mov     edx, [edx+14h]    // LDR_DATA->InMemoryOrderLinks (_LDR_DATA_TABLE_ENTRY)
                                                              // alt: 0xC: InLoadOrderLinks
 // alt: 0x1C: InInitializationOrderLinks
@peta909
peta909 / hello_world_plugin.py
Created April 26, 2019 00:47 — forked from cmatthewbrooks/hello_world_plugin.py
The simplest possible IDA plugin with multiple actions
##############################################################################
#
# Name: hello_world_plugin.py
# Auth: @cmatthewbrooks
# Desc: A test plugin to learn how to make these work; Specifically, how to
# have multiple actions within the same plugin.
#
# In plain English, IDA will look for the PLUGIN_ENTRY function which
# should return a plugin object. This object can contain all the
# functionality itself, or it can have multiple actions.