Alexander Hanel alexander-hanel

@oopsmishap
oopsmishap / _jmp_deobfuscator.md
Last active February 27, 2024 05:48
IDA Jmp Deobfuscation Script
@vjayajv
vjayajv / api_logger.py
Created October 11, 2023 18:54
Log to stdout and an API
# api_logger.py
import logging
import json
import requests
import sys
import os
import argparse
@kconner
kconner / macOS Internals.md
Last active April 22, 2024 21:28
macOS Internals
Understand your Mac and iPhone more deeply by tracing the evolution of Mac OS X from prerelease to Swift. John Siracusa delivers the details.

Starting Points

How to use this gist

You've got two main options:

@jymcheong
jymcheong / EtwpTest.cs
Created August 6, 2021 12:48 — forked from TheWover/EtwpTest.cs
Demonstrates using ntdll.dll!EtwpCreateThreadEtw for local shellcode execution.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace EtwpTest
{
class Program
{
static void Main(string[] args)
{
@Auscitte
Auscitte / pefileseh.py
Last active April 4, 2023 09:15
Reading exception directory with pefile
""" Extends Ero Carrera's pefile with the functionality for parsing exception tables (SEH support).
Beginning from version 2021.9.3, this functionality has been integrated into pefile, so you will
need pefileseh.py only if you use an older version of pefile.
Only x64 and IA64 architectures are supported.
Classes defined in this module:
* StructureWithBitfields
* ExceptionsDirEntryData

Initial Notes:

  • The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
  • CLRConfig will look for configurations in the following places in the following order:
    • Look at environment variables (prepending COMPlus_ to the name)
    • Look at the framework registry keys (HKCU\Software\Microsoft\.NETFramework)
    • Look at the framework registry keys (HKLM\Software\Microsoft\.NETFramework)
  • These can be set in the following ways:
    • Setting the environment variable COMPlus_:
  • Windows
@trietptm
trietptm / idapython_ctree.md
Created May 1, 2020 13:56 — forked from icecr4ck/idapython_ctree.md
Notes on CTREE usage with IDAPython

IDAPython CTREE

Important links

Description

The CTREE is built from the optimized microcode (maturity CMAT_FINAL); it represents an AST-like tree of C statements and expressions and can be printed as C code.

@psifertex
psifertex / 1_Snippet_Instructions.txt
Last active April 9, 2024 11:10
my current collection of snippets
Welcome to Jordan's grab-bag of common Binary Ninja Snippets.
These snippets are meant to run with the Binary Ninja Snippets Plugin
(http://github.com/Vector35/snippets) though they can all also be pasted
directly into the python console or turned into stand-alone plugins if needed.
To install the entire collection at once, just install the Snippets plugin via
the plugin manager (CMD/CTL-SHIFT-M), confirm the Snippet Editor works
(Tool/Snippets/Snippet Editor), and unzip this bundle (Download ZIP above) into
your Snippets folder.
@NyaMisty
NyaMisty / _IDAPython-Snippets.md
Last active July 31, 2023 07:13
IDAPython snippets

This gist contains many of the IDAPython snippets I have written.

@OALabs
OALabs / revil_strings.py
Created January 26, 2020 22:13
Decrypt REvil ransomware strings with IDA Python
import idaapi, idc, idautils

class DecryptorError(Exception):
    pass

def rc4crypt(key, data):
    x = 0
    # RC4 state array; must be a mutable list (not a bare range) so the
    # key-scheduling swaps below work under Python 3 as well as Python 2.
    box = list(range(256))