Sean Wilson idiom
idiom
/ reactor.yara
Created
February 2, 2024 00:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "dotnet" | |
| rule net_reactor_obfuscated { | |
| strings: | |
| $s1 = "#GUlD" fullword | |
| $s2 = "#GUID" fullword | |
| $s3 = "#Blop" fullword | |
| $s4 = "#Blob" fullword | |
| condition: | |
| dotnet.is_dotnet and all of them | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| enum XLoaderStrings | |
| { | |
| USERNAME = 0x0, | |
| LOCALAPPDATA = 0x1, | |
| USERPROFILE = 0x2, | |
| APPDATA = 0x3, | |
| TEMP = 0x4, | |
| ProgramFiles = 0x5, | |
| CommonProgramFiles =0x6, | |
| ALLUSERSPROFILE = 0x7, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ida_kernwin | |
| registered_actions = ida_kernwin.get_registered_actions() | |
| for action_name in registered_actions: | |
| print(f'name: {action_name}') | |
| print(f'label: {ida_kernwin.get_action_label(action_name)}') | |
| print(f'icon: {ida_kernwin.get_action_icon(action_name)}') | |
| print(f'tooltip: {ida_kernwin.get_action_tooltip(action_name)}') | |
| print(f'state: {ida_kernwin.get_action_state(action_name)}') |
idiom
/ add_bookmark.py
Created
April 20, 2021 21:36
Add bookmark in Ida and optionally check if it is a duplicate
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def add_bookmark(offset, comment, check_duplicate=True): | |
| """ | |
| :param offset: | |
| :param comment: | |
| :param check_duplicate: | |
| :return: | |
| """ | |
| for bslot in range(0, 1024, 1): | |
| slotval = idc.get_bookmark(bslot) |
idiom
/ nim_lang_re_notes.md
Last active
November 14, 2022 07:02
nim lang Reverse Engineering and Analysis
idiom
/ bookmarks.md
Last active
November 19, 2020 22:25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| """ | |
| NTCreateFile DesiredAccess Masks | |
| 0x120189 | |
| 0x100181 | |
| 0x12019f | |
| 0x1200a0 |
idiom
/ gist:7bf970f704c2f5e9b2cec825ded91df6
Last active
November 5, 2020 14:04
Ida 7.4 Python 3 Error
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| `C:\Program Files\IDA Pro 7.4\python\3\idc.py:5121: SyntaxWarning: "is not" with a literal. Did you mean "!="? | |
| if newtype is not '':` | |
| --- FIX --- | |
| To resolve the above error change line 5121 to | |
| `if newtype is not None:` | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule cve_2017_8759{ | |
| meta: | |
| sample = "0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684" | |
| strings: | |
| $header = "{\\rt" | |
| $wsdl = "7700730064006C003D006800740074007000" | |
| condition: | |
| $header in (0..50) and $wsdl | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function B(C){ | |
| var D = new ActiveXObject("CDO.Message"); | |
| var E = D.BodyPart; | |
| E.ContentTransferEncoding = "base64"; | |
| E.Charset = "windows-1251"; | |
| var F = E.GetEncodedContentStream(); | |
| F.WriteText(C); | |
| F.Flush(); | |
| F = E.GetDecodedContentStream(); | |
| F.Charset = "utf-8"; |
NewerOlder