here I'm parsing some test data with Kaitai to see what it can extract.
this is the dumper that I'm using:
import binascii
import tabulate
PRIMATIVE_TYPES = (str, bytes, int)| 2c4a910a1299cdae2a4e55988a2f102e ./APT_Backdoor_SUNBURST/019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 | |
| b91ce2fa41029f6955bff20079468448 ./APT_Backdoor_SUNBURST/32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 | |
| e18a6a21eb44e77ca8d739a72209c370 ./APT_Backdoor_SUNBURST/a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc | |
| 9ac181cb35f27e860d59e8d2a6309d35 ./APT_Backdoor_SUNBURST/ad2fbf4add71f61173975989d1a18395afb8538ed889012b9d2e21c19e98bbd1 | |
| 846e27a652a5e1bfbd0ddd38a16dc865 ./APT_Backdoor_SUNBURST/ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 | |
| 3e329a4c9030b26ba152fb602a1d5893 ./APT_Backdoor_SUNBURST/d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af | |
| 393702fab1c5d09d9f94e8a63114746d ./APT_Dropper_Win64_TEARDROP/6e4050c6a2d2e5e49606d96dd2922da480f2e0c70082cc7e54449a7dc0d20f8d | |
| 56ceb6d0011d87b6e4d7023d7ef85676 ./APT_Webshell_SUPERNOVA/c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 | |
| b32892d699c39949e9b648d6b72fe5cf |
here I'm parsing some test data with Kaitai to see what it can extract.
this is the dumper that I'm using:
import binascii
import tabulate
PRIMATIVE_TYPES = (str, bytes, int)| AskText QLabel#counterlabel | |
| { | |
| color: grey; | |
| } | |
| AskText QLabel#counterlabel[invalid=true] | |
| { | |
| color: red; | |
| } |
| """ | |
| search for and patch out known opaque predicates within IDA Pro workspaces. | |
| just run the script and it will manipulate the open database. | |
| therefore, you should probably create a backup first. | |
| """ | |
| import logging | |
| from pprint import pprint | |
| import ida_idp |
| import re | |
| import collections | |
| import idaapi | |
| import ida_kernwin | |
| class button_hooks_t(ida_kernwin.View_Hooks): | |
| def __init__(self, v): | |
| ''' |
| //------------------------------------------------ | |
| //--- 010 Editor v8.0.1 Binary Template | |
| // | |
| // File: Transactional Registry Transaction Logs (.TxR) | |
| // Authors: Willi Ballenthin <[email protected]> | |
| // Version: 0.1 | |
| // Reference: https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html | |
| //------------------------------------------------ | |
| LittleEndian(); |
| use log::{info}; | |
| use actix; | |
| use actix_web::{ | |
| http, middleware, server, App, HttpRequest, HttpResponse, | |
| }; | |
| /// These are the possible states that the server can be requested to run. | |
| #[derive(Debug)] | |
| enum ServerState { | |
| /// Stop the server. |
| ''' | |
| parse SavedState artifacts extracted from OSX. | |
| author: Willi Ballenthin ([email protected]) | |
| license: Apache 2.0 | |
| ''' | |
| import re | |
| import sys | |
| import json | |
| import struct |
| #!/usr/bin/env python3 | |
| ''' | |
| bling.py - extract keys from macOS keychains. | |
| installation: | |
| pip install pytz hexdump vivisect-vstruct-wb tabulate argparse pycryptodome | |
| usage: | |
| python bling.py /path/to/keychain-db <password> ./path/to/output/directory |
| ''' | |
| author: Willi Ballenthin | |
| email: [email protected] | |
| license: Apache 2.0 | |
| ''' | |
| import sys | |
| import struct | |
| import collections | |