_0:00F20012 33 D2 xor edx, edx
_0:00F20014 64 8B 52 30 mov edx, fs:[edx+30h] // TEB->PEB
_0:00F20018 8B 52 0C mov edx, [edx+0Ch] // PEB->LDR_DATA
_0:00F2001B 8B 52 14 mov edx, [edx+14h] // LDR_DATA->InMemoryOrderLinks (_LDR_DATA_TABLE_ENTRY)
// alt: 0xC: InLoadOrderLinks
// alt: 0x1C: InInitializationOrderLinks
Willi Ballenthin williballenthin
williballenthin
/ get_eip.yara
Created
July 23, 2018 22:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule get_eip | |
| { | |
| meta: | |
| author = "William Ballenthin" | |
| email = "[email protected]" | |
| license = "Apache 2.0" | |
| copyright = "FireEye, Inc" | |
| description = "Match x86 that appears to fetch $PC." | |
| strings: |
williballenthin
/ peb_parsing.md
Last active
April 18, 2024 03:55
williballenthin
/ floss-lite.py
Last active
August 16, 2021 13:37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| ''' | |
| A simplified FLOSS implementation that only supports stackstrings. | |
| requirements: | |
| - yara-python | |
| - unicorn | |
| author: Willi Ballenthin | |
| email: [email protected] |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
references:
- https://reverseengineering.stackexchange.com/questions/1597/reverse-engineering-a-visual-basic-p-code-binary
- http://web.archive.org/web/20071020232030/http://www.alex-ionescu.com/vb.pdf (ref: Alex Ionescu)
- http://web.archive.org/web/20101127044116/http://vb-decompiler.com/pcode/opcodes.php?t=1
- https://github.com/bontchev/pcodedmp
- http://www.openrce.org/blog/view/1719/Visual_Basic_6_IDC_updated
- https://pediy.com/thread-12832.htm
- https://github.com/vic4key/VB-Exe-Parser/blob/master/VB-Parser.py
- http://www.openrce.org/repositories/users/Paolo/vbpython.py
williballenthin
/ setup-pachyderm.ipynb
Last active
November 30, 2017 19:57
local deployment of pachyderm.io using minikube on a win10 system running hyper-v
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
williballenthin
/ get-windows-api.ipynb
Last active
March 18, 2023 10:46
Extract the exported symbols from a typical Windows installation
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
williballenthin
/ auto_shellcode_hashes.py
Last active
November 5, 2023 22:12
automatically resolve shellcode hashes into symbolic names using emulation, example: https://asciinema.org/a/EaHLv3yy7nGnh7mfHQ5DVy1LJ
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| import logging | |
| import pefile | |
| import ucutils | |
| import unicorn | |
| import capstone | |
| import argparse |
williballenthin
/ stackstrings.yara
Last active
March 12, 2025 07:04
match x86 that appears to be stack string creation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule stack_strings | |
| { | |
| meta: | |
| author = "William Ballenthin" | |
| email = "[email protected]" | |
| license = "Apache 2.0" | |
| copyright = "FireEye, Inc" | |
| description = "Match x86 that appears to be stack string creation." | |
| strings: |
williballenthin
/ ida_match_yara.py
Last active
August 16, 2021 13:36
search for YARA matches in each function within IDA Pro.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| ''' | |
| search for YARA matches in each function within IDA Pro. | |
| upon execution, prompts the user to provide the YARA rules file. | |
| requirements: | |
| - hexdump | |
| - yara-python | |
| author: Willi Ballenthin |