Skip to content

Instantly share code, notes, and snippets.

View strictlymike's full-sized avatar

strictlymike

66 followers · 35 following
View GitHub Profile
@strictlymike
strictlymike / py3_interface_encapsulation_example.py
Created July 6, 2023 14:33
# Copyright 2023 Google LLC.
# SPDX-License-Identifier: Apache-2.0
# This snippet of Py3 code shows a way to pass a restricted object to a callee,
# so as to prevent the callee from wandering outside the walled garden of callbacks
# specified by a given mixin. It does not secure the original instance from tampering,
# but it removes all doubt about which methods are expected to be accessed and used
# by the callee.
#
# This assumes the lifetime of the original instance will exceed that of the
@strictlymike
strictlymike / top3mz.yara
Created November 22, 2021 20:38
Top 3 PE headers through offset 0x3B (not rigorous, mostly Win10)
rule top3mz {
meta:
author = "Michael Bailey (@mykill)"
strings:
// More precision than with just IMAGE_DOS_SIGNATURE, at a risk of losing some valid hits
$imghdr_mz_01 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } // 905 mal + 4,157 system32 and 35,983 Windows\ overall (Win10)
$imghdr_mz_02 = { 4d 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } // 385 under Windows\ (recursive)
$imghdr_mz_03 = { 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } // 15 mal + 2 system32
condition:
any of ($imghdr_mz_*)
@strictlymike
strictlymike / pwtopmost.c
Created November 21, 2019 18:15
Prevent Windows 10 from stealing the focus from the zip file password dialog
/* Prevent Windows 10 file transfer dialog ("0% complete") from stealing focus
* from "Password needed" dialog when copying files out of a password-protected
* zip file. */
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "user32")
#define MY_EVENT_MIN EVENT_OBJECT_CREATE
@strictlymike
strictlymike / getpdb.py
Last active October 14, 2018 19:49
import sys
import pefile
import struct
import httplib
import os.path
import argparse
# from urllib.parse import urlparse # Python 3
import urlparse
# PDB downloading adapted from:
@strictlymike
strictlymike / inspect.cpp
Created April 22, 2017 15:09
Automated performance monitoring application diagnostics
/**
* @file
* A rough sketch of providing diagnostic information about to the state of an
* application relevant to diagnosing prolonged high CPU. When prolonged high
* CPU occurs, the high-level question that must be answered is:
*
* 1. What is the application doing?
* and,
* 2. Why aren't CPU throttling controls working? (if applicable)
*
@strictlymike
strictlymike / trigger.c
Created April 22, 2017 15:07
Automated performance monitoring diagnostics trigger
/**
* @file
* High CPU utilization in a particular process. Herein, Single-CPU
* %utilization for both threads and processes is calculated as:
*
* 100 * kernel + user
* %u1 = -------------------
* elapsed
*
* For multi-threaded applications, this figure can exceed 100% with regard to
@strictlymike
strictlymike / ptray2.cs
Created August 29, 2016 22:07
Enhanced quick and dirty copy-pasta process tracing systray app for the curious and paranoid
using System;
using System.Diagnostics;
using System.Drawing;
using System.Management;
using System.Text.RegularExpressions;
using System.Windows.Forms;
namespace MyTrayApp
{
public class SysTrayApp : Form
@strictlymike
strictlymike / pt.cs
Created August 24, 2016 14:47
Quick and dirty copy-pasta process tracing systray app for the curious and paranoid
using System;
using System.Diagnostics;
using System.Drawing;
using System.Management;
using System.Windows.Forms;
namespace MyTrayApp
{
public class SysTrayApp : Form
{