Willi Ballenthin williballenthin
williballenthin
/ ida_match_yara.py
Last active
August 16, 2021 13:36
search for YARA matches in each function within IDA Pro.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| ''' | |
| search for YARA matches in each function within IDA Pro. | |
| upon execution, prompts the user to provide the YARA rules file. | |
| requirements: | |
| - hexdump | |
| - yara-python | |
| author: Willi Ballenthin |
williballenthin
/ analyzer.py
Last active
September 24, 2020 15:39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import logging | |
| import binascii | |
| import collections | |
| import pefile | |
| import hexdump | |
| import unicorn | |
| import keystone | |
| import capstone |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| set disassembly-flavor intel | |
| set disassemble-next-line on | |
| set history save on | |
| set print pretty on | |
| set pagination off | |
| set confirm off | |
| define xxd | |
| dump binary memory dump.bin $arg0 $arg0+$arg1 |
williballenthin
/ capstone-test.clj
Last active
July 29, 2017 03:25
demo of using capstone from clojure
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (ns capstone-clj.core-test | |
| (:require [clojure.test :refer :all]) | |
| (:import [capstone.Capstone])) | |
| (deftest basic-capstone | |
| " | |
| this is the example from: | |
| http://www.capstone-engine.org/lang_java.html | |
| " | |
| (testing "basic capstone" |
williballenthin
/ cortex-benchmarking.ipynb
Last active
May 19, 2017 09:00
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
williballenthin
/ Microsoft-Windows-Sysmon-schema.txt
Last active
April 23, 2023 18:57
example events from sysmon
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # generate via: wevtutil gp Microsoft-Windows-Sysmon /getevents /getmessage | |
| name: Microsoft-Windows-Sysmon | |
| guid: 5770385f-c22a-43e0-bf4c-06f5698ffbd9 | |
| helpLink: | |
| resourceFileName: C:\Windows\Sysmon.exe | |
| messageFileName: C:\Windows\Sysmon.exe | |
| message: | |
| channels: | |
| channel: |
williballenthin
/ om-next-query-tests.clj
Created
January 30, 2017 20:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (def tests [{:name "one top level prop" | |
| :model {:top-level-prop "A"} | |
| :query [:top-level-prop] | |
| :expected {:top-level-prop "A"}} | |
| {:name "pluck one top level prop" | |
| :model {:top-level-prop "A" :other-prop "B"} | |
| ;; even though there are two props at the top level, | |
| ;; we are only asking for one. | |
| :query [:top-level-prop] |
williballenthin
/ memdumppe.py
Last active
March 31, 2021 20:14
Dump some PE file features from memory images.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| ''' | |
| Dump some PE file features from memory images. | |
| author: Willi Ballenthin | |
| email: [email protected] | |
| website: https://gist.github.com/williballenthin/cbc102d561e2eb647f7aec3c3753ba55 | |
| ''' | |
| import os | |
| import sys |
williballenthin
/ rename_sub_functions.py
Last active
December 27, 2019 01:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idc | |
| import idaapi | |
| import idautils | |
| def rename_sub_functions(fva, prefix): | |
| sub_funcs = set([]) | |
| for f in idautils.Functions(): | |
| for xref in idautils.XrefsTo(f): | |
| subf = idaapi.get_func(xref.frm) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| ''' | |
| Carve PE files from binary data. | |
| Write them into the current directy named after their hash. | |
| Example:: | |
| $ python carvepe.py unallocated.bin | |
| INFO:__main__:found pe at 0x0, length: 0xd8000 | |
| INFO:__main__:writing pe file to 273ed32b617fd79ed1b88ebd4521a441.bin |