Dave Hull davehull

@davehull
davehull / davehull.sh
Created May 3, 2011 05:17 — forked from errzey/davehull.sh
Example script to show how to do an intelligent merge-sort in parallel
#!/bin/bash
# determines number of processors, splits a large file into sizes that
# can be consumed by n-1 sort processes (where n is the number of processors)
#
# After the file has been split up properly, it will run a sort on each split
# file in parallel. Once all processes have completed, a merge sort is executed.
#
# mthomas@n2o:~/words [100%] $ du -h big
# 1.7G big
davehull / meta-outliers.py
Created September 12, 2011 03:56
This script takes output from The Sleuth Kit's fls command (specifically fls -arp), calculates the average metadata address for all files per directory, calculates the standard deviation for each directory, then returns a list of files with outlier metada
#!/usr/bin/env python
#
# script name: meta-outliers.py
#
# In the spirit of release early, release often, here's a script
# that's part of a larger project I'm working on.
#
# What does it do?
# Parses the output from the Sleuth Kit's fls command.
# More specifically fls -arp run against a disk image or dev.
davehull / get_meta.py
Created December 11, 2011 23:37
This Python function builds a dictionary from the lines of a bodyfile as produced by The Sleuth Kit's fls command
def get_meta(bodyfile):
    fname_skip_cnt = bad_line = total_lines = 0
    meta = {}
    fi = open(bodyfile, 'rb')
    for line in fi:
        total_lines += 1
        try:
            # bodyfile records are pipe-delimited: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
            md5,ppath,inode,mode,uid,gid,size,atime,mtime,ctime,crtime = line.rstrip().split("|")
        except:
            # malformed record: count it and move on to the next line
            bad_line += 1
            continue
davehull / uid_dist.py
Created December 12, 2011 01:16
This Python function analyzes the distribution of uids on a per directory basis.
Give this method the output of git://gist.github.com/1464048.git and it will go through the list
and calculate the distribution of uids on a per directory basis. It could be easily modified to do
the same for gids and permissions.
This may be useful to find malicious files in a file system that have unusual uids, say for instance
in a directory like /usr/lib where everything is normally uid 0, an attacker may have an archive that
drops files in the directory with different uids. Yes, I've seen this before.
def get_uid_freq_by_dir(items):
    for path_name, file_name in items:
davehull / get_meta_by_dir.py
Created December 12, 2011 01:23
Convert dictionary of file system metadata to a sorted list of dictionaries.
Takes the unsorted Python dictionary of file system metadata created by
git://gist.github.com/1463512.git and converts it to a sorted list of dictionaries containing
files and their metadata elements.
def get_meta_by_dir(dictionary):
    # Sort the dictionary, return a list of (path, metadata) tuples
    items = [(pname, fname) for pname, fname in dictionary.items()]
    items.sort()
    return items
davehull / Resolve-KnownFolderGUID
Last active January 30, 2024 10:16
Need to resolve a Windows "known folder GUID" to its human-readable value?
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True,Position=0)]
    [String]$GUID
)
function Resolve-KnownFolderGuid {
    Param(
        [Parameter(Mandatory=$True,Position=0)]
        [String]$GUID
davehull / Resolve-WindowsGUID.ps1
Last active July 12, 2024 22:28
Useful for resolving some Windows GUIDs to human friendly values
<#
.SYNOPSIS
Resolves many Windows GUIDs to human friendly values.
.DESCRIPTION
Resolve-WindowsGUID.ps1 takes a GUID from a Windows system and attempts
to return a human friendly value from either a static list or from a
dynamically generated list of LogProvider GUIDs. There are undoubtedly
other GUIDs in use throughout Windows that will not fall into either of
these sets. If you encounter a GUID that you can't resolve via this
davehull / XOR-Decrypt.ps1
Last active August 29, 2015 14:20
MCCS1C4
<#
.SYNOPSIS
XOR-Decrypt.ps1 takes a hexadecimal encoded string and uses the English
alpha and numeric characters as a key space, XORing the string with
each single character and returning a XOR decrypted string.
.PARAMETER hexString
A required argument -- the hexadecimal encoded string to be decoded.
.PARAMETER AllResults
An optional switch that causes the script to return all the decrypted
objects, by default the script will only return the object with the
<#
.SYNOPSIS
XOR-Encrypt.ps1 takes a string of text to be encrypted and a key. Each
byte of the input string will be XOR'd with a byte from the key. If
the key is not as long as the input string, the key will repeat.
.PARAMETER String
A required parameter, the string to be encoded.
.PARAMETER key
A required parameter, the key that the string will be XOR'd with.
.EXAMPLE
davehull / XOR Brutr Output
Last active March 30, 2022 14:15
eatoin shrdlu: XOR Encryption and Hamming Distance
I've been playing around with Matasano Crypto Challenges for my own edification.
It's been fun and insightful. I've learned a number of new things and enjoyed
doing so. If you're a mediocre programmer like me and have an interest in crypto,
I highly recommend checking out the challenges -- http://cryptopals.com/.
A few of the exercises in set 1 have you playing around with XOR for encryption.
You create a script that can brute force single key decryption and if you're
ambitious you'll write a function that will examine letter frequencies of the
output and score the results, returning the one that is most likely to be
English. I wrote multiple scoring functions for this, one that counts English