Willi Ballenthin williballenthin
williballenthin
/ deob_opaque_predicate.py
Created
July 28, 2020 19:58
search for and patch out known opaque predicates within IDA Pro workspaces.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| search for and patch out known opaque predicates within IDA Pro workspaces. | |
| just run the script and it will manipulate the open database. | |
| therefore, you should probably create a backup first. | |
| """ | |
| import logging | |
| from pprint import pprint | |
| import ida_idp |
williballenthin
/ TxR.bt
Created
November 22, 2019 20:49
010 Editor template for parsing Windows Registry TxR (.regtrans-ms) files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //------------------------------------------------ | |
| //--- 010 Editor v8.0.1 Binary Template | |
| // | |
| // File: Transactional Registry Transaction Logs (.TxR) | |
| // Authors: Willi Ballenthin <[email protected]> | |
| // Version: 0.1 | |
| // Reference: https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html | |
| //------------------------------------------------ | |
| LittleEndian(); |
williballenthin
/ degraded_actix_server.rs
Created
October 22, 2019 19:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use log::{info}; | |
| use actix; | |
| use actix_web::{ | |
| http, middleware, server, App, HttpRequest, HttpResponse, | |
| }; | |
| /// These are the possible states that the server can be requested to run. | |
| #[derive(Debug)] | |
| enum ServerState { | |
| /// Stop the server. |
williballenthin
/ macOS_savedstate.py
Last active
January 25, 2025 05:05
parse macOS savedState files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| parse SavedState artifacts extracted from OSX. | |
| author: Willi Ballenthin ([email protected]) | |
| license: Apache 2.0 | |
| ''' | |
| import re | |
| import sys | |
| import json | |
| import struct |
williballenthin
/ macOS_keychain.py
Last active
February 7, 2025 10:37
bling.py - extract keys from macOS keychains.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| ''' | |
| bling.py - extract keys from macOS keychains. | |
| installation: | |
| pip install pytz hexdump vivisect-vstruct-wb tabulate argparse pycryptodome | |
| usage: | |
| python bling.py /path/to/keychain-db <password> ./path/to/output/directory |
williballenthin
/ macOS_ARD_filesystem_cache.py
Last active
October 10, 2019 16:19
parse the Apple ARD filesystem.cache file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| author: Willi Ballenthin | |
| email: [email protected] | |
| license: Apache 2.0 | |
| ''' | |
| import sys | |
| import struct | |
| import collections | |
williballenthin
/ macOS_stickies.py
Last active
June 24, 2022 15:32
extract entries from the osx sticky database
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| parse osx sticky databases. | |
| author: Willi Ballenthin <[email protected]> | |
| license: Apache 2.0 | |
| usage: | |
| $ python extract_stickies.py /path/to/input.bin /path/to/output/directory/ | |
| ''' |
williballenthin
/ bplist.py
Last active
April 1, 2020 19:05
parse SavedState artifacts extracted from OSX.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| derived from plistlib.py -- a tool to generate and parse MacOSX .plist files. | |
| edited by: Willi Ballenthin ([email protected]) | |
| changes: | |
| - remove all but the binary plist parser | |
| - add support for UID fields, see https://bugs.python.org/issue26707 | |
| """ |
williballenthin
/ functions_as_data.py
Created
July 30, 2018 21:03
IDA Pro script to identify functions that are referenced as data.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Identify functions that are referenced as data. | |
| For example, something weird is going on below:: | |
| .text:10001833 BE 60 25 00 10 mov esi, offset sub_10002560 <<<< | |
| .text:10001838 8B 45 FC mov eax, [ebp+var_4] | |
| .text:1000183B 89 5F 04 mov [edi+4], ebx | |
| .text:1000183E 81 C7 18 02 00 00 add edi, 218h | |
| .text:10001844 F3 A5 rep movsd |