Willi Ballenthin williballenthin
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AskText QLabel#counterlabel | |
| { | |
| color: grey; | |
| } | |
| AskText QLabel#counterlabel[invalid=true] | |
| { | |
| color: red; | |
| } |
williballenthin
/ deob_opaque_predicate.py
Created
July 28, 2020 19:58
search for and patch out known opaque predicates within IDA Pro workspaces.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| search for and patch out known opaque predicates within IDA Pro workspaces. | |
| just run the script and it will manipulate the open database. | |
| therefore, you should probably create a backup first. | |
| """ | |
| import logging | |
| from pprint import pprint | |
| import ida_idp |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| import collections | |
| import idaapi | |
| import ida_kernwin | |
| class button_hooks_t(ida_kernwin.View_Hooks): | |
| def __init__(self, v): | |
| ''' |
williballenthin
/ TxR.bt
Created
November 22, 2019 20:49
010 Editor template for parsing Windows Registry TxR (.regtrans-ms) files
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //------------------------------------------------ | |
| //--- 010 Editor v8.0.1 Binary Template | |
| // | |
| // File: Transactional Registry Transaction Logs (.TxR) | |
| // Authors: Willi Ballenthin <[email protected]> | |
| // Version: 0.1 | |
| // Reference: https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html | |
| //------------------------------------------------ | |
| LittleEndian(); |
williballenthin
/ degraded_actix_server.rs
Created
October 22, 2019 19:21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use log::{info}; | |
| use actix; | |
| use actix_web::{ | |
| http, middleware, server, App, HttpRequest, HttpResponse, | |
| }; | |
| /// These are the possible states that the server can be requested to run. | |
| #[derive(Debug)] | |
| enum ServerState { | |
| /// Stop the server. |
williballenthin
/ macOS_savedstate.py
Last active
January 25, 2025 05:05
parse macOS savedState files
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| parse SavedState artifacts extracted from OSX. | |
| author: Willi Ballenthin ([email protected]) | |
| license: Apache 2.0 | |
| ''' | |
| import re | |
| import sys | |
| import json | |
| import struct |
williballenthin
/ macOS_keychain.py
Last active
February 7, 2025 10:37
bling.py - extract keys from macOS keychains.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| ''' | |
| bling.py - extract keys from macOS keychains. | |
| installation: | |
| pip install pytz hexdump vivisect-vstruct-wb tabulate argparse pycryptodome | |
| usage: | |
| python bling.py /path/to/keychain-db <password> ./path/to/output/directory |
williballenthin
/ macOS_ARD_filesystem_cache.py
Last active
October 10, 2019 16:19
parse the Apple ARD filesystem.cache file
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| author: Willi Ballenthin | |
| email: [email protected] | |
| license: Apache 2.0 | |
| ''' | |
| import sys | |
| import struct | |
| import collections | |
williballenthin
/ macOS_stickies.py
Last active
June 24, 2022 15:32
extract entries from the osx sticky database
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| parse osx sticky databases. | |
| author: Willi Ballenthin <[email protected]> | |
| license: Apache 2.0 | |
| usage: | |
| $ python extract_stickies.py /path/to/input.bin /path/to/output/directory/ | |
| ''' |
williballenthin
/ bplist.py
Last active
April 1, 2020 19:05
parse SavedState artifacts extracted from OSX.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| derived from plistlib.py -- a tool to generate and parse MacOSX .plist files. | |
| edited by: Willi Ballenthin ([email protected]) | |
| changes: | |
| - remove all but the binary plist parser | |
| - add support for UID fields, see https://bugs.python.org/issue26707 | |
| """ |