Brian Baskin Rurik

@OALabs
OALabs / boxstarter_oalabs_x86vm.ps1
Last active December 17, 2022 22:03
Boxstarter - One-click malware analysis tools installer for a 32-bit VM
Set-ExecutionPolicy Unrestricted;
iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1'));
get-boxstarter -Force;
Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1';
@cji
cji / win_vm_kerneldbg.md
Last active April 30, 2021 13:07
Steps to successfully debug the Windows kernel between 2 VMWare VMs

Open the debugger VM's .vmx file. Delete the existing serial0 lines (used for printing, not needed) and add these lines:

serial0.present = "TRUE"
serial0.pipe.endPoint = "client"
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.tryNoRxLoss = "FALSE"
serial0.startConnected = "TRUE"
@Rurik
Rurik / asm_find_math.py
Last active September 16, 2023 17:17
Detect subroutines that may have encryption/encoding routines by finding XOR and shift routines.
# Automatically find XOR/SHL/SHR routines from an executable
# Uses IDAW (text IDA)
# @bbaskin - brian @ thebaskins.com
# While other, more powerful scripts like FindCrypt find known
# algorithms, this is used to find custom encoding or modified
# encryption routines
"""
Script results:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
@williballenthin
williballenthin / parse_windows_timestamp.py
Created April 4, 2013 18:56
Parse a hex encoded Windows timestamp into a readable ISO formatted timestamp.
def parse_windows_timestamp(hex_str):
    """
    @type hex_str: str
    @param hex_str: A string that contains a hex encoded QWORD (8 bytes) that are a Windows timestamp.
    @rtype: str
    @return: A string that contains an ISO formatted timestamp.
    """
    import struct, binascii
    from datetime import datetime
    # A Windows FILETIME is a little-endian 64-bit count of 100-nanosecond
    # intervals since 1601-01-01 UTC; 11644473600 is the number of seconds
    # between that epoch and the Unix epoch (1970-01-01).
    raw = binascii.unhexlify(hex_str.replace(" ", ""))
    filetime = struct.unpack_from("<Q", raw)[0]
    return datetime.utcfromtimestamp(float(filetime) * 1e-7 - 11644473600).isoformat("T")