_0:00F20012 33 D2 xor edx, edx
_0:00F20014 64 8B 52 30 mov edx, fs:[edx+30h] // TEB->PEB
_0:00F20018 8B 52 0C mov edx, [edx+0Ch] // PEB->LDR_DATA
_0:00F2001B 8B 52 14 mov edx, [edx+14h] // LDR_DATA->InMemoryOrderLinks (_LDR_DATA_TABLE_ENTRY)
// alt: 0xC: InLoadOrderLinks
// alt: 0x1C: InInitializationOrderLinks
'''
parse osx sticky databases.
author: Willi Ballenthin <[email protected]>
license: Apache 2.0
usage:
$ python extract_stickies.py /path/to/input.bin /path/to/output/directory/
'''
| """ | |
| derived from plistlib.py -- a tool to generate and parse MacOSX .plist files. | |
| edited by: Willi Ballenthin ([email protected]) | |
| changes: | |
| - remove all but the binary plist parser | |
| - add support for UID fields, see https://bugs.python.org/issue26707 | |
| """ |
'''
Identify functions that are referenced as data.
For example, something weird is going on below::
.text:10001833 BE 60 25 00 10 mov esi, offset sub_10002560 <<<<
.text:10001838 8B 45 FC mov eax, [ebp+var_4]
.text:1000183B 89 5F 04 mov [edi+4], ebx
.text:1000183E 81 C7 18 02 00 00 add edi, 218h
.text:10001844 F3 A5 rep movsd
rule get_eip
{
    meta:
        author = "William Ballenthin"
        email = "[email protected]"
        license = "Apache 2.0"
        copyright = "FireEye, Inc"
        description = "Match x86 that appears to fetch $PC."
    strings:
#!/usr/bin/env python3
'''
A simplified FLOSS implementation that only supports stackstrings.
requirements:
- yara-python
- unicorn
author: Willi Ballenthin
email: william.ballenthin@fireeye.com
references:
- https://reverseengineering.stackexchange.com/questions/1597/reverse-engineering-a-visual-basic-p-code-binary
- http://web.archive.org/web/20071020232030/http://www.alex-ionescu.com/vb.pdf (ref: Alex Ionescu)
- http://web.archive.org/web/20101127044116/http://vb-decompiler.com/pcode/opcodes.php?t=1
- https://github.com/bontchev/pcodedmp
- http://www.openrce.org/blog/view/1719/Visual_Basic_6_IDC_updated
- https://pediy.com/thread-12832.htm
- https://github.com/vic4key/VB-Exe-Parser/blob/master/VB-Parser.py
- http://www.openrce.org/repositories/users/Paolo/vbpython.py