- User mode debugging (easy).
- Symbols available.
- Attack surface: mostly Gen-1 VMs, device emulation, x86 emulation (for MMIO accesses).
- Attach to running process with WinDbg.
Duncan Ogilvie mrexodia
❤️
hugsy
/ offbyonesec-sync-binja.py
Created
February 16, 2024 21:27
Scripts written during Off by One Security stream
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Port to binary ninja of the script written during the Off-by-One Security stream | |
| # (https://youtu.be/FnIQTL9w-Ow) to synchronize GEF with Binary Ninja | |
| # Requires `rpyc` and `pygments` | |
| # | |
| # In IDA, first download and load https://gist.githubusercontent.com/hugsy/714e0038d5d0b1deb7fad1907928252f/raw/87bd608a859c1699f9fc2fb556394d618747bdc8/binja_rpyc_snippet.py | |
| # | |
| # @_hugsy_ | |
| # | |
| import rpyc |
anthonyprintup
/ ida.hpp
Created
September 12, 2023 14:26
A compile-time byte pattern matcher designed to match IDA patterns.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Created by Anthony Printup on 4/21/2023. | |
| #pragma once | |
| #include <algorithm> | |
| #include <bitset> | |
| #include <cstdint> | |
| #include <exception> | |
| #include <functional> | |
| #include <ranges> |
Washi1337
/ TinySharp.cs
Last active
April 18, 2024 12:32
A program to emit a tiny .NET binary program printing Hello World to the standard output. Blog post: https://blog.washi.dev/posts/tinysharp/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System.Text; | |
| using AsmResolver; | |
| using AsmResolver.DotNet; | |
| using AsmResolver.DotNet.Builder.Metadata.Blob; | |
| using AsmResolver.DotNet.Builder.Metadata.Strings; | |
| using AsmResolver.DotNet.Code.Cil; | |
| using AsmResolver.DotNet.Signatures; | |
| using AsmResolver.IO; | |
| using AsmResolver.PE; | |
| using AsmResolver.PE.DotNet.Builder; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Author: Sean Pesce | |
| // | |
| // Manual implementations of the CONCAT operations produced by the Ghidra decompiler. | |
| // These definitions are helpful for compiling re-implementations of native code using | |
| // decompiler output (e.g., with gcc). | |
| // | |
| // Note that these implementations would be outperformed by minimal C preprocessor macros | |
| // that replicate the same logic. | |
mmozeiko
/ !README.md
Last active
May 5, 2024 00:02
Download MSVC compiler/linker & Windows SDK without installing full Visual Studio
This downloads standalone 64-bit MSVC compiler, linker & other tools, also headers/libraries from Windows SDK into portable folder, without installing Visual Studio. Has bare minimum components - no UWP/Store/WindowsRT stuff, just files & tools for 64-bit native desktop app development.
Run python.exe portable-msvc.py and it will download output into msvc folder. By default it will download latest available MSVC & Windows SDK - currently v14.32.17.2 and v10.0.22621.0.
You can list available versions with python.exe portable-msvc.py --show-versions and then pass versions you want with --msvc-version and --sdk-version arguments.
To use cl.exe/link.exe from output folder, first run setup.bat - after that PATH/INCLUDE/LIB env variables will be setup to use all the tools as usual. You can also use clang-cl.exe with these includes & libraries.
To use clang-cl.exe without running setup.bat, pass extra /winsysroot msvc argument (msvc is folder name where output is stored).
edygert
/ AMSIScriptContentRetrieval.ps1
Created
April 21, 2022 19:25
— forked from mattifestation/AMSIScriptContentRetrieval.ps1
PoC code used to demonstrate extracting script contents using the AMSI ETW provider
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Script author: Matt Graeber (@mattifestation) | |
| # logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
| # Do your malicious things here that would be logged by AMSI | |
| # logman stop AMSITrace -ets | |
| $OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture | |
| $OSArch = $OSArchProperty.OSArchitecture | |
| $OSPointerSize = 32 | |
| if ($OSArch -eq '64-bit') { $OSPointerSize = 64 } |
ek0
/ test_x86.cc
Last active
February 1, 2023 22:20
Various functions to test different lifting/disassembly/decompilation from static analysis tools.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // adder.cpp : This file contains the 'main' function. Program execution begins and ends there. | |
| // | |
| #include <iostream> | |
| #include <cstdint> | |
| #include <intrin.h> | |
| //#include <mmintrin.h> | |
| //#include <emmintrin.h> | |
| uint64_t add(uint64_t a, uint64_t b) |
NewerOlder