The CTREE is built from the optimized microcode (maturity at CMAT_FINAL), it represents an AST-like tree with C statements and expressions. It can be printed as C code.
peta909
/ Wow64Hook.cpp
Created
August 27, 2020 16:21
— forked from hoangprod/Wow64Hook.cpp
Wow64Hook example
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| #include <iostream> | |
| LPVOID lpJmpRealloc = nullptr; | |
| DWORD Backup_Eax, Handle, Address_1, New, Old, *DwSizee; | |
| const DWORD_PTR __declspec(naked) GetGateAddress() | |
| { | |
| __asm | |
| { |
peta909
/ main.cpp
Created
November 14, 2020 15:46
— forked from hasherezade/main.cpp
Get PEB64 from a WOW64 process
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <iostream> | |
| #include "ntdll_undoc.h" | |
| PPEB get_default_peb() | |
| { | |
| #if defined(_WIN64) | |
| return (PPEB)__readgsqword(0x60); | |
| #else |
peta909
/ x96shell_msgbox.asm
Created
May 8, 2021 01:47
— forked from aaaddress1/x96shell_msgbox.asm
x96 Windows Shellcode: one payload able to used in both 32-bit & 64-bit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; x96 shellcode (x32+x64) by [email protected] | |
| ; yasm -f bin -o x96shell_msgbox x96shell_msgbox.asm | |
| section .text | |
| bits 32 | |
| _main: | |
| call entry | |
| entry: | |
| mov ax, cs | |
| sub ax, 0x23 | |
| jz retTo32b |
peta909
/ idapython_ctree.md
Created
January 16, 2022 12:11
— forked from icecr4ck/idapython_ctree.md
Notes on CTREE usage with IDAPython
peta909
/ PE PACKER
Created
October 19, 2023 12:22
— forked from securitygab/PE PACKER
A simple x86 packer that uses APLib,
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ######################################### | |
| # Created by @kuroi_dotsh - KuroiSH # | |
| # Website: https://dengisan.nl/ # | |
| # E-mail: [email protected] # | |
| ######################################### | |
| ; | |
| ; The executable is stored in the final section, so that it does not need | |
| ; relocations (as we can simply load it over our own headers and pad with | |
| ; virtualsize to keep our module running). |
peta909
/ ida_mc_notes.md
Created
December 22, 2024 12:57
— forked from icecr4ck/ida_mc_notes.md
Some notes about the IDA Microcode (intermediate language).
- Ilfak's presentation at Recon 2018
- Microcode in pictures
- Hex-Rays Microcode API vs. Obfuscating Compiler
- Scripts vds10, vds11, vds12 and vds13 from Hex-Rays SDK
peta909
/ gist:e4203e368dbb401aeab82f8dc6d0f1b3
Created
May 15, 2025 04:24
— forked from wxsBSD/gist:4ec929a0eb07d8e3feeccc49e0d9aa2a
Counting string matches in YARA with awk
Counting number of times strings match in YARA with awk...
wxs@wxs-mbp yara % cat rules/test.yara
rule a { strings: $a = "FreeBSD" nocase $b = "usage: " condition: any of them }
wxs@wxs-mbp yara % ./yara -s rules/test.yara /bin/ls
a /bin/ls
0xb8e1:$a: FreeBSD
0xb9a1:$a: FreeBSD
0xb9f1:$a: FreeBSD
OlderNewer