Willi Ballenthin williballenthin
williballenthin
/ auto_shellcode_hashes.py
Last active
November 5, 2023 22:12
automatically resolve shellcode hashes into symbolic names using emulation, example: https://asciinema.org/a/EaHLv3yy7nGnh7mfHQ5DVy1LJ
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| import logging | |
| import pefile | |
| import ucutils | |
| import unicorn | |
| import capstone | |
| import argparse |
williballenthin
/ stackstrings.yara
Last active
March 12, 2025 07:04
match x86 that appears to be stack string creation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule stack_strings | |
| { | |
| meta: | |
| author = "William Ballenthin" | |
| email = "william.ballenthin@fireeye.com" | |
| license = "Apache 2.0" | |
| copyright = "FireEye, Inc" | |
| description = "Match x86 that appears to be stack string creation." | |
| strings: |
williballenthin
/ ida_match_yara.py
Last active
August 16, 2021 13:36
search for YARA matches in each function within IDA Pro.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| ''' | |
| search for YARA matches in each function within IDA Pro. | |
| upon execution, prompts the user to provide the YARA rules file. | |
| requirements: | |
| - hexdump | |
| - yara-python | |
| author: Willi Ballenthin |
williballenthin
/ analyzer.py
Last active
September 24, 2020 15:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import logging | |
| import binascii | |
| import collections | |
| import pefile | |
| import hexdump | |
| import unicorn | |
| import keystone | |
| import capstone |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| set disassembly-flavor intel | |
| set disassemble-next-line on | |
| set history save on | |
| set print pretty on | |
| set pagination off | |
| set confirm off | |
| define xxd | |
| dump binary memory dump.bin $arg0 $arg0+$arg1 |
williballenthin
/ capstone-test.clj
Last active
July 29, 2017 03:25
demo of using capstone from clojure
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (ns capstone-clj.core-test | |
| (:require [clojure.test :refer :all]) | |
| (:import [capstone.Capstone])) | |
| (deftest basic-capstone | |
| " | |
| this is the example from: | |
| http://www.capstone-engine.org/lang_java.html | |
| " | |
| (testing "basic capstone" |
williballenthin
/ cortex-benchmarking.ipynb
Last active
May 19, 2017 09:00
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
williballenthin
/ Microsoft-Windows-Sysmon-schema.txt
Last active
April 23, 2023 18:57
example events from sysmon
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # generate via: wevtutil gp Microsoft-Windows-Sysmon /getevents /getmessage | |
| name: Microsoft-Windows-Sysmon | |
| guid: 5770385f-c22a-43e0-bf4c-06f5698ffbd9 | |
| helpLink: | |
| resourceFileName: C:\Windows\Sysmon.exe | |
| messageFileName: C:\Windows\Sysmon.exe | |
| message: | |
| channels: | |
| channel: |
williballenthin
/ om-next-query-tests.clj
Created
January 30, 2017 20:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (def tests [{:name "one top level prop" | |
| :model {:top-level-prop "A"} | |
| :query [:top-level-prop] | |
| :expected {:top-level-prop "A"}} | |
| {:name "pluck one top level prop" | |
| :model {:top-level-prop "A" :other-prop "B"} | |
| ;; even though there are two props at the top level, | |
| ;; we are only asking for one. | |
| :query [:top-level-prop] |
williballenthin
/ memdumppe.py
Last active
March 31, 2021 20:14
Dump some PE file features from memory images.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| ''' | |
| Dump some PE file features from memory images. | |
| author: Willi Ballenthin | |
| email: william.ballenthin@fireeye.com | |
| website: https://gist.github.com/williballenthin/cbc102d561e2eb647f7aec3c3753ba55 | |
| ''' | |
| import os | |
| import sys |