_0:00F20012 33 D2 xor edx, edx
_0:00F20014 64 8B 52 30 mov edx, fs:[edx+30h] // TEB->PEB
_0:00F20018 8B 52 0C mov edx, [edx+0Ch] // PEB->LDR_DATA
_0:00F2001B 8B 52 14 mov edx, [edx+14h] // LDR_DATA->InMemoryOrderLinks (_LDR_DATA_TABLE_ENTRY)
// alt: 0xC: InLoadOrderLinks
// alt: 0x1C: InInitializationOrderLinks
Willi Ballenthin williballenthin
williballenthin
/ functions_as_data.py
Created
July 30, 2018 21:03
IDA Pro script to identify functions that are referenced as data.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Identify functions that are referenced as data. | |
| For example, something weird is going on below:: | |
| .text:10001833 BE 60 25 00 10 mov esi, offset sub_10002560 <<<< | |
| .text:10001838 8B 45 FC mov eax, [ebp+var_4] | |
| .text:1000183B 89 5F 04 mov [edi+4], ebx | |
| .text:1000183E 81 C7 18 02 00 00 add edi, 218h | |
| .text:10001844 F3 A5 rep movsd |
williballenthin
/ get_eip.yara
Created
July 23, 2018 22:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule get_eip | |
| { | |
| meta: | |
| author = "William Ballenthin" | |
| email = "[email protected]" | |
| license = "Apache 2.0" | |
| copyright = "FireEye, Inc" | |
| description = "Match x86 that appears to fetch $PC." | |
| strings: |
williballenthin
/ peb_parsing.md
Last active
April 18, 2024 03:55
williballenthin
/ floss-lite.py
Last active
August 16, 2021 13:37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| ''' | |
| A simplified FLOSS implementation that only supports stackstrings. | |
| requirements: | |
| - yara-python | |
| - unicorn | |
| author: Willi Ballenthin | |
| email: [email protected] |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
references:
- https://reverseengineering.stackexchange.com/questions/1597/reverse-engineering-a-visual-basic-p-code-binary
- http://web.archive.org/web/20071020232030/http://www.alex-ionescu.com/vb.pdf (ref: Alex Ionescu)
- http://web.archive.org/web/20101127044116/http://vb-decompiler.com/pcode/opcodes.php?t=1
- https://github.com/bontchev/pcodedmp
- http://www.openrce.org/blog/view/1719/Visual_Basic_6_IDC_updated
- https://pediy.com/thread-12832.htm
- https://github.com/vic4key/VB-Exe-Parser/blob/master/VB-Parser.py
- http://www.openrce.org/repositories/users/Paolo/vbpython.py
williballenthin
/ setup-pachyderm.ipynb
Last active
November 30, 2017 19:57
local deployment of pachyderm.io using minikube on a win10 system running hyper-v
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
williballenthin
/ get-windows-api.ipynb
Last active
March 18, 2023 10:46
Extract the exported symbols from a typical Windows installation
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
williballenthin
/ auto_shellcode_hashes.py
Last active
November 5, 2023 22:12
automatically resolve shellcode hashes into symbolic names using emulation, example: https://asciinema.org/a/EaHLv3yy7nGnh7mfHQ5DVy1LJ
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| import logging | |
| import pefile | |
| import ucutils | |
| import unicorn | |
| import capstone | |
| import argparse |
williballenthin
/ stackstrings.yara
Last active
March 12, 2025 07:04
match x86 that appears to be stack string creation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule stack_strings | |
| { | |
| meta: | |
| author = "William Ballenthin" | |
| email = "[email protected]" | |
| license = "Apache 2.0" | |
| copyright = "FireEye, Inc" | |
| description = "Match x86 that appears to be stack string creation." | |
| strings: |