using System;
using System.Diagnostics;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Session;
using Microsoft.Diagnostics.Tracing.Parsers;
using System.IO;
using System.Collections.Generic;
using System.Reflection;
using Newtonsoft.Json;
(draft; work in progress)
See also:
- Compilers
- Program analysis:
  - Dynamic analysis - instrumentation, translation, sanitizers
- Ilfak's presentation at Recon 2018
- Microcode in pictures
- Hex-Rays Microcode API vs. Obfuscating Compiler
- Scripts vds10, vds11, vds12 and vds13 from Hex-Rays SDK
import ida_bytes
import binascii

def get_guid(address):
    """Read the 16-byte GUID stored at `address` and return it as a string
    in the usual xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx form."""
    data1 = ida_bytes.get_dword(address)      # Data1: 32-bit little-endian
    data2 = ida_bytes.get_word(address + 4)   # Data2: 16-bit little-endian
    data3 = ida_bytes.get_word(address + 6)   # Data3: 16-bit little-endian
    data4 = ida_bytes.get_bytes(address + 8, 8)  # Data4: 8 raw bytes, printed in order
    return "%08x-%04x-%04x-%s-%s" % (
        data1, data2, data3,
        binascii.hexlify(data4[:2]).decode(),
        binascii.hexlify(data4[2:]).decode())
##############################################################################
#
# Name: hello_world_plugin.py
# Auth: @cmatthewbrooks
# Desc: A test plugin to learn how to make these work; specifically, how to
#       have multiple actions within the same plugin.
#
#       In plain English, IDA will look for the PLUGIN_ENTRY function which
#       should return a plugin object. This object can contain all the
#       functionality itself, or it can have multiple actions.
[
  {
    "ProviderGUID": "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a",
    "ProviderName": "AccEventTool",
    "ProviderGroupGUID": "4f50731a-89cf-4782-b3e0-dce8c90476ba",
    "AssociatedFilenames": [
      "accevent.exe",
      "inspect.exe",
      "narrator.exe",
      "srh.dll"
import time
import etw
import etw.evntrace
import sys
import argparse
import threading

class RundownDotNetETW(etw.ETW):
    def __init__(self, verbose, high_risk_only):
References:
- https://reverseengineering.stackexchange.com/questions/1597/reverse-engineering-a-visual-basic-p-code-binary
- http://web.archive.org/web/20071020232030/http://www.alex-ionescu.com/vb.pdf (ref: Alex Ionescu)
- http://web.archive.org/web/20101127044116/http://vb-decompiler.com/pcode/opcodes.php?t=1
- https://github.com/bontchev/pcodedmp
- http://www.openrce.org/blog/view/1719/Visual_Basic_6_IDC_updated
- https://pediy.com/thread-12832.htm
- https://github.com/vic4key/VB-Exe-Parser/blob/master/VB-Parser.py
- http://www.openrce.org/repositories/users/Paolo/vbpython.py
; Topher Timzen
; Messing around with PE backdooring for CTP/OSCE and wanted to make a new thread inside of process to avoid synchronization issues.
; Tons of NULL as I used this in a PE directly, no need to avoid them.
; nasm CreateThread.asm -o CreateThread.raw; xxd -p CreateThread.raw | tr -d '\n'
[BITS 32]
[SECTION .text]
global _start