- https://ollama.com/blog/windows-preview
- https://www.vox.com/the-highlight/24034907/use-anger-productively-motivation-problem-solving
- https://werat.dev/blog/learning-about-debuggers/
- https://revers.engineering/beyond-process-and-object-callbacks-an-unconventional-method/
- https://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection/
- https://mcyoung.xyz/2023/08/01/llvm-ir/
Alexander Hanel alexander-hanel
😶
alexander-hanel
/ example.py
Created
February 12, 2024 23:29
A hackish way to extract arguments passed to a function from hex-rays decompiler output
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| ea = 0x000000140013188 | |
| name = ida_name.get_ea_name(ea) | |
| print("found") | |
| # get xrefs to function | |
| xrefs = [x for x in idautils.CodeRefsTo(ea, 0)] | |
| for func in xrefs: |
- https://bmcder.com/blog/a-begginers-all-inclusive-guide-to-etw
- https://nasbench.medium.com/a-primer-on-event-tracing-for-windows-etw-997725c082bf
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/about-event-tracing-for-drivers
- https://gist.github.com/acumenix/ff377ffada032354ad06f61526efc42e
- https://gist.github.com/Holo-Krzysztof/9600dbe63859ee5a8add1123466be187
- https://gist.github.com/mattifestation/04e8299d8bc97ef825affe733310f7bd
- https://github.com/tpn/winsdk-10/blob/master/Include/10.0.14393.0/shared/TraceLoggingProvider.h
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7
from cmd or Run
powershell -Command "Start-Process cmd -Verb RunAs"
alexander-hanel
/ dll_exports.py
Last active
November 1, 2023 20:57
— forked from OALabs/dll_exports.py
Build dictionary of DLL exports (Windows API Names)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import pefile | |
| import json | |
| INTERESTING_DLLS = [ | |
| 'kernel32.dll', 'comctl32.dll', 'advapi32.dll', 'comdlg32.dll', | |
| 'gdi32.dll', 'msvcrt.dll', 'netapi32.dll', 'ntdll.dll', | |
| 'ntoskrnl.exe', 'oleaut32.dll', 'psapi.dll', 'shell32.dll', | |
| 'shlwapi.dll', 'srsvc.dll', 'urlmon.dll', 'user32.dll', |
This is my current warmup routine. I have been doing variations of it for over 10 years. I usually row or jump rope for 5 minutes and then do the warmup which typically takes about 10 minutes. Once warmed-up I start with squats and then I do a combination of overhead press, bent-over row, bench-press or deadlifts.
- Source: Becoming a Supple Leopard 2nd Edition: The Ultimate Guide to Resolving Pain, Preventing Injury, and Optimizing Athletic Performance
- Note: No timelimit
- Source: Combination of Supple Leopard, Limber 11 (link) and McGill 3
- Note: No timelimit, focus on areas that trigger pain
Prevent distractions within slack by making the sidebar black.
Slack > Settings > Themes > Create a Custom Theme > "Copy and paste these values to share your custom theme with others"
Cut and paste the following values
#000000,#000000,#000000,#000000,#000000,#000000,#000000,#000000,#000000,#000000
alexander-hanel
/ byte2uuid.py
Last active
September 7, 2023 18:46
Converts 16 bytes to a UUID using Microsoft's Variant 2 format.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ctypes | |
| class BYTE2UUID(ctypes.Structure): | |
| """ | |
| Variant 2 UUIDs | |
| https://en.wikipedia.org/wiki/Universally_unique_identifier#Encoding | |
| """ | |
| _fields_ = [ | |
| ("time_low", ctypes.c_uint), ("time_mid", ctypes.c_ushort), ("time_hi_and_version", ctypes.c_ushort), | |
| ("clock_seq_hi_and_res", ctypes.c_char * 2), ("node", ctypes.c_char * 6) |
alexander-hanel
/ functions_to_folders.py
Created
April 10, 2023 22:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| from anytree import Node, RenderTree, find | |
| """ | |
| Author: Alexander Hanel | |
| Description: POC for displaying function names as a folder-like structure. Relies on function names being labled with a pdb. | |
| Version: 0.5 - 2023/04/10 | |
| Execution: open script in IDA, run export_layout() to save to file or export_layout() to print to command line | |
| TODO: | |
| - review how mangled names are used in IDA. I'm seeing some strange results. |
alexander-hanel
/ rc4_bn.py
Created
February 28, 2023 19:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from binaryninja import lowlevelil | |
| DEBUG = False | |
| def get_rc4_xor_instru(instr): | |
| if not instr: | |
| return False | |
| if DEBUG: | |
| print(hex(instr.address), instr) | |
| for oper in instr.operands: |
NewerOlder