Alexander Hanel alexander-hanel
😶
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using Microsoft.Diagnostics.Tracing; | |
| using Microsoft.Diagnostics.Tracing.Session; | |
| using Microsoft.Diagnostics.Tracing.Parsers; | |
| using System.IO; | |
| using System.Collections.Generic; | |
| using System.Reflection; | |
| using Newtonsoft.Json; |
(draft; work in progress)
See also:
- Compilers
- Program analysis:
- Dynamic analysis - instrumentation, translation, sanitizers
icecr4ck
/ ida_mc_notes.md
Last active
May 3, 2024 09:25
Some notes about the IDA Microcode (intermediate language).
- Ilfak's presentation at Recon 2018
- Microcode in pictures
- Hex-Rays Microcode API vs. Obfuscating Compiler
- Scripts vds10, vds11, vds12 and vds13 from Hex-Rays SDK
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ida_bytes | |
| import binascii | |
| def get_guid(address): | |
| data1 = ida_bytes.get_dword(address) | |
| data2 = ida_bytes.get_word(address + 4) | |
| data3 = ida_bytes.get_word(address + 6) | |
| data4 = ida_bytes.get_bytes(address + 8, 8) |
cmatthewbrooks
/ hello_world_plugin.py
Created
April 25, 2019 12:41
The simplest possible IDA plugin with multiple actions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################################################################## | |
| # | |
| # Name: hello_world_plugin.py | |
| # Auth: @cmatthewbrooks | |
| # Desc: A test plugin to learn how to make these work; Specifically, how to | |
| # have multiple actions within the same plugin. | |
| # | |
| # In plain English, IDA will look for the PLUGIN_ENTRY function which | |
| # should return a plugin object. This object can contain all the | |
| # functionality itself, or it can have multiple actions. |
mattifestation
/ NiftyETWProviders.json
Created
December 21, 2018 19:27
ETW providers you never knew existed...
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| { | |
| "ProviderGUID": "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a", | |
| "ProviderName": "AccEventTool", | |
| "ProviderGroupGUID": "4f50731a-89cf-4782-b3e0-dce8c90476ba", | |
| "AssociatedFilenames": [ | |
| "accevent.exe", | |
| "inspect.exe", | |
| "narrator.exe", | |
| "srh.dll" |
countercept
/ dotnet-runtime-etw.py
Last active
August 22, 2023 16:02
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| import etw | |
| import etw.evntrace | |
| import sys | |
| import argparse | |
| import threading | |
| class RundownDotNetETW(etw.ETW): | |
| def __init__(self, verbose, high_risk_only): |
references:
- https://reverseengineering.stackexchange.com/questions/1597/reverse-engineering-a-visual-basic-p-code-binary
- http://web.archive.org/web/20071020232030/http://www.alex-ionescu.com/vb.pdf (ref: Alex Ionescu)
- http://web.archive.org/web/20101127044116/http://vb-decompiler.com/pcode/opcodes.php?t=1
- https://github.com/bontchev/pcodedmp
- http://www.openrce.org/blog/view/1719/Visual_Basic_6_IDC_updated
- https://pediy.com/thread-12832.htm
- https://github.com/vic4key/VB-Exe-Parser/blob/master/VB-Parser.py
- http://www.openrce.org/repositories/users/Paolo/vbpython.py
tophertimzen
/ CreateThread.asm
Last active
June 14, 2022 00:45
Make a new Thread with Windows PEB -> Function Hash Resolver
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; Topher Timzen | |
| ; Messing around with PE backdooring for CTP/OSCE and wanted to make a new thread inside of process to avoid synchronization issues. | |
| ; Tons of NULL as I used this in a PE directly, no need to avoid them. | |
| ; nasm CreateThread.asm -o CreateThread.raw; xxd -p CreateThread.raw | tr -d '\n' | |
| [BITS 32] | |
| [SECTION .text] | |
| global _start |