import x64dbgpy
from x64dbgpy.pluginsdk import *
# clear breakpoints
x64dbg.DbgCmdExecDirect("bc")
x64dbg.DbgCmdExecDirect("bphwc")
# break at entry point
x64dbg.SetBreakpoint(x64dbg.GetMainModuleEntry())
Alexander Hanel alexander-hanel
😶
alexander-hanel
/ seclznt1.py
Created
November 16, 2017 23:23
extract pe sections and attempts to decompress them with lznt1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # extract PE sections using pefile by name and decompress them using lznt1 via Rekall | |
| # author: alexander hanel | |
| # Rekall Memory Forensics | |
| # Copyright 2014 Google Inc. All Rights Reserved. | |
| # | |
| # Author: Michael Cohen scudette@google.com. | |
| # | |
| # This program is free software; you can redistribute it and/or modify | |
| # it under the terms of the GNU General Public License as published by |
alexander-hanel
/ nuclear_bot_decoder.py
Created
November 20, 2017 15:52
IDAPython string decrytor for variants of Nuclear Bot
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| from cStringIO import StringIO | |
| from collections import Counter | |
| from itertools import cycle | |
| from itertools import product | |
| MAX_INSTR = 8 | |
| """ | |
| Example |
alexander-hanel
/ yolo.py
Last active
January 17, 2020 03:40
old and new names in idc.py (in progress)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| import sys | |
| import os | |
| def load_apis(): | |
| new_old_apis = [ | |
| # start of changes for idc.py | |
| ("hasValue", "has_value"), | |
| ("byteValue", "byte_value"), | |
| ("isLoaded", "is_loaded"), |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket | |
| import struct | |
| def ipconver(addr_long): | |
| return socket.inet_ntoa(struct.pack("<L", addr_long)) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id = add_enum(-1, "neutrino_cmds", idaapi.decflag()) | |
| idc.add_enum_member(id, "CMD_LOADER", 0X69CDCD5D, -1) | |
| idc.add_enum_member(id, "CMD_CMD", 0x796cd5b4, -1) | |
| idc.add_enum_member(id, "CMD_RATE", 0xae839a18, -1 |
alexander-hanel
/ blobheader_parser.py
Last active
October 29, 2023 22:45
parse PUBLICKEYSTRUCT and RSAPUBKEY
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import struct | |
| import sys | |
| class BLOBHEADER: | |
| def __init__(self, data): | |
| self.bType = None # BYTE | |
| self.bVersion = None # BYTE | |
| self.reserved = None # WORD | |
| self.aiKeyAlg = None # ALG_ID | |
| self._parse_data(data) |
alexander-hanel
/ struct_creator.py
Last active
August 13, 2018 10:26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| __author__ = 'Alexander Hanel' | |
| __date__ = '2018/02/28' | |
| __version__ = "2.0" | |
| __title__ = "struct creator" | |
| import re | |
| """ | |
| Example: |
https://docs.python.org/2/library/email.html http://blog.magiksys.net/parsing-email-using-python-content http://nerderati.com/2017/06/09/mime-encoded-words-in-email-headers/ http://nerderati.com/2016/11/04/hello-my-name-is-joel/ https://seancoates.com/blogs/utf-wtf/ buriy/python-readability#42 https://sendgrid.com/blog/fingerprinting-email-infrastructure-companies/ http://learning-python.com/cgi/showcode.py?name=class/Extras/Code/pp3e/mailtools.py http://blog.magiksys.net/sites/default/files/attachments/parsemail.py_0.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "000000010040": "PidLidAttendeeCriticalChange", | |
| "00000002001F": "PidLidWhere", | |
| "000000030102": "PidLidGlobalObjectId", | |
| "00000004000B": "PidLidIsSilent", | |
| "00000005000B": "PidLidIsRecurring", | |
| "00000006001F": "PidLidRequiredAttendees", | |
| "00000007001F": "PidLidOptionalAttendees", | |
| "00000008001F": "PidLidResourceAttendees", | |
| "00000009000B": "PidLidDelegateMail", |
OlderNewer