ek0 / get_object_name.cc
Created February 21, 2022 21:29
Get object name for handle
// Returns an OBJECT_NAME_INFORMATION object, pointed to by `name`
// Caller must free `name` after use
UNICODE_STRING* GetObjectNameInformation(HANDLE object_handle)
{
ULONG length = 0;
UNICODE_STRING* obj = (UNICODE_STRING*)malloc(sizeof(UNICODE_STRING));
NTSTATUS(*myNtQueryObject)(HANDLE, ObjectInfoClass, UNICODE_STRING*, uint32_t, PULONG) = (NTSTATUS(*)(HANDLE, ObjectInfoClass, UNICODE_STRING*, uint32_t, PULONG))GetProcAddress(GetModuleHandle("ntdll"), "NtQueryObject");
NTSTATUS status = myNtQueryObject(object_handle, ObjectNameInformation, obj, sizeof(UNICODE_STRING), &length);
if (!NT_SUCCESS(status) && (status == 0xc0000004 || status == 0x80000005))
{
ek0 / test_x86.cc
Last active February 1, 2023 22:20
Various functions to test different lifting/disassembly/decompilation from static analysis tools.
// adder.cpp : This file contains the 'main' function. Program execution begins and ends there.
//
#include <iostream>
#include <cstdint>
#include <intrin.h>
//#include <mmintrin.h>
//#include <emmintrin.h>
uint64_t add(uint64_t a, uint64_t b)
param([Parameter(Mandatory=$true)] [String]$File)
# PATH of your RE projects.
$re_path = "D:\RE\"
$temp_filename = Split-Path $File -leaf
if(-not (Test-Path ($re_path + $temp_filename + "\") -PathType Container))
{
# Add subfolder
}
else
void DumpPages(void* address)
{
MEMORY_BASIC_INFORMATION mem_info;
FILE* desc = nullptr;
FILE* bin = nullptr;
char module_name[MAX_PATH] = { 0 };
char desc_filename_buffer[MAX_PATH] = { 0 };
char bin_filename_buffer[MAX_PATH] = { 0 };
char buffer[0x1000] = { 0 };
snprintf(desc_filename_buffer, MAX_PATH, "desc_%#016" PRIx64 ".txt", address);
ek0 / guid.py
Created February 25, 2020 00:38
import ctypes
import ctypes.wintypes
class GUID(ctypes.Structure):
_fields_ = [("Data1", ctypes.wintypes.DWORD),
("Data2", ctypes.wintypes.WORD),
("Data3", ctypes.wintypes.WORD),
("Data4", ctypes.c_ubyte * 8)]
def __repr__(self):
return "{0:08X}-{1:04X}-{2:04X}-{3:02X}{4:02X}-{5:02X}{6:02X}{7:02X}{8:02X}{9:02X}{10:02X}".format(self.Data1,
ek0 / qbdi_test.cpp
Created October 29, 2019 00:15
QBDI tests
#include <iostream>
#include <iomanip>
#include <QBDI.h>
// Minimal instrumentation target for the QBDI tests: returns the sum of its
// two arguments. Kept deliberately trivial so the instrumented trace is easy
// to compare against expectations.
int Test(int a, int b)
{
    const int sum = a + b;
    return sum;
}
ek0 / ida7_utils.py
Last active October 28, 2019 00:31
Small re-implementation of removed functions
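def crefs_from(address=None):
    """Yield every code reference originating at ``address``.

    Replacement for the removed ``CodeRefsFrom`` helper.

    Args:
        address: Address whose outgoing code xrefs are enumerated. When
            omitted (``None``) the current cursor position ``here()`` is used.
            The lookup happens when iteration starts, not when the module is
            imported: a ``here()`` default expression in the signature would
            be evaluated once at definition time and silently freeze the
            cursor position for every later call.

    Yields:
        Each target address reported by ``ida_xref`` for the code xrefs from
        ``address``, stopping when ``ida_idaapi.BADADDR`` ends the chain.
    """
    if address is None:
        address = here()
    current = ida_xref.get_first_cref_from(address)
    while current != ida_idaapi.BADADDR:
        yield current
        current = ida_xref.get_next_cref_from(address, current)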
def crefs_to(address = here()):
current = ida_xref.get_first_cref_to(address)
while current != ida_idaapi.BADADDR:
yield current
// Turns list_head into the sentinel of an empty circular doubly-linked list:
// both its forward and backward links point back at the head itself.
// list_head must be a valid pointer; it is not checked for null.
inline void InitializeListHead(LIST_ENTRY* list_head)
{
    LIST_ENTRY* const self = list_head;
    self->Blink = self;
    self->Flink = self;
}
// Returns 1 when the circular list anchored at list_head holds no elements
// (the head's forward link still points at the head itself), 0 otherwise.
// list_head must be a valid pointer; it is not checked for null.
inline int IsListEmpty(LIST_ENTRY* list_head)
{
    const LIST_ENTRY* const first = list_head->Flink;
    return (first == list_head) ? 1 : 0;
}
ek0 / user.css
Last active July 2, 2019 17:40
IDA Pro Theme
/* NOTE: This is an autogenerated file; please do not edit. */
CustomIDAMemo
{
qproperty-line-fg-default: white;
qproperty-line-fg-regular-comment: #0E8F1D;
qproperty-line-fg-insn: #B6B6B6;
qproperty-line-fg-dummy-data-name: #CA0003;
qproperty-line-fg-regular-data-name: #C50003;
qproperty-line-fg-demangled-name: #0DA9FF;
ek0 / ida_utils.py
Created June 3, 2019 17:45
useful IDAPython functions
def get_arg_1(call_address):
    """Return the address of the instruction that initializes argument 1 for a call.

    Starting at ``call_address`` itself and stepping backwards one
    instruction at a time with ``PrevHead``, the first instruction whose
    operand 0 is ``rcx`` is taken to be the argument-1 setup (x64 MS ABI
    convention for the first integer argument).

    Args:
        call_address: Address of the call instruction to inspect.

    Returns:
        The address of the nearest preceding instruction (possibly
        ``call_address`` itself) whose first operand is ``rcx``.

    NOTE(review): the backward walk has no upper bound; if no such instruction
    exists before ``call_address`` the loop relies entirely on what
    ``PrevHead``/``GetOpnd`` return at the start of the segment — confirm
    against the IDA version in use.
    """
    cursor = call_address
    while True:
        if GetOpnd(cursor, 0) == "rcx":
            return cursor
        cursor = PrevHead(cursor)