# Ten single-letter constants mapped to 0..9 in this fixed order.
# NOTE(review): the letter/number pairing matches the macOS virtual key
# codes kVK_ANSI_A..kVK_ANSI_V (0x00..0x09) — confirm that is the intent.
a, s, d, f, h, g, z, x, c, v = range(10)
# System call numbers, assigned in one unpacking so the table reads as a unit.
# Number 8 is deliberately absent, as in the original list.
# NOTE(review): `exit` and `open` shadow the Python builtins of the same name
# for the rest of this module; callers that need the builtins must use
# `__builtin__`/`builtins` explicitly.
syscall, exit, fork, read, write, open, close, wait4, link, unlink = (
    0, 1, 2, 3, 4, 5, 6, 7, 9, 10,
)
#!/usr/bin/python2.7 | |
# -*- coding: utf-8 -*- | |
''' | |
Defaults Monitor - a tool to sniff defaults keys and values using the unified log.
To launch, use the standard Python 2.7 interpreter, e.g. python2.7 ./defsmon.py
''' | |
import os |
import os | |
import pathlib | |
import logging | |
from agent.importer import add | |
class Scanner(object): | |
def __init__(self, directories, model, sysroot='/', block_list=None): | |
self.directories = map(pathlib.Path, directories) |
#!/usr/bin/python | |
from ctypes import CDLL, c_int, c_double | |
from Quartz import CGMainDisplayID | |
# Display this script operates on; CGMainDisplayID() comes from the Quartz bridge.
main_display_id = CGMainDisplayID()
# Private CoreDisplay framework, loaded by absolute path through ctypes.
CoreDisplay = CDLL("/System/Library/Frameworks/CoreDisplay.framework/CoreDisplay")
# Argument signatures for the two brightness entry points:
# Set takes (display id, level), Get takes (display id).
CoreDisplay.CoreDisplay_Display_SetUserBrightness.argtypes = [c_int, c_double]
# NOTE(review): no .restype is set in the visible lines; ctypes then reads the
# return value as a C int. If GetUserBrightness returns a double, it needs
# `.restype = c_double` — confirm further down the file.
CoreDisplay.CoreDisplay_Display_GetUserBrightness.argtypes = [c_int]
from Foundation import NSBundle | |
import objc | |
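# Width used to derive INT_MAX below (2**31 - 1 for 32 bits).
BIT_WIDTH = 32
INT_MAX = 2**(BIT_WIDTH-1)-1
# Private MobileKeyBag framework located by absolute path.
# NOTE(review): bundleWithPath_ returns None when the path does not exist; that
# case is not checked before the bundle is handed to loadBundleFunctions.
MobileKeyBag = NSBundle.bundleWithPath_('/System/Library/PrivateFrameworks/MobileKeyBag.framework')
# Bind MKBDeviceGetGracePeriod into this module's globals. In the PyObjC
# signature '@@' the first '@' is the object return type, the second the
# single object argument.
objc.loadBundleFunctions(MobileKeyBag, globals(), [('MKBDeviceGetGracePeriod', '@@')])
# Called with an empty options dictionary; what the result represents is not
# established by the visible lines. (Trailing ';' from the original dropped.)
grace = MKBDeviceGetGracePeriod({})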
#!/usr/bin/python2.7 | |
# -*- coding: utf-8 -*- | |
import Foundation | |
import AppKit | |
import WebKit | |
import Quartz | |
import ctypes | |
from PyObjCTools import AppHelper | |
from objc import _objc, nil, super, pyobjc_unicode, registerMetaDataForSelector |
#!/usr/bin/python2.7 | |
# -*- coding: utf-8 -*- | |
import os | |
import sys | |
import subprocess | |
import shutil | |
import time | |
# Absolute path of the system Python 2.7 executable (the one inside the framework's Python.app).
python_bin = "/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python"
# Spotlight query for the bundle; argv-list form, so no shell is involved.
# NOTE(review): mdfind prints one path per line and strip("\n") only trims the
# ends, so several matches would remain newline-joined in this string —
# confirm the code below expects exactly one path.
last_bundle_path = subprocess.check_output(['mdfind', "kMDItemCFBundleIdentifier == com.malwarebytes.mbam.frontend.launcher"]).strip("\n")
#!/usr/bin/env perl | |
# Files that were born at nearly the same time
# Usage: perl files_born.pl file_path [5s|m|h|d] | |
use IPC::Open2; | |
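# Path to the reference file whose creation date anchors the search.
my $file = shift;
die "Usage: perl files_born.pl file_path [5s|m|h|d]\n" unless defined $file;
# Time window around that date; a number followed by s/m/h/d, default one minute.
my $interval = shift // "1m";
my $attr = "kMDItemFSCreationDate";
# Run mdls with an argument list instead of a shell string: the caller-supplied
# path is passed as a single argv element, so shell metacharacters in it are
# never interpreted (the original backticks interpolated "$file" into a shell
# command line).
open(my $mdls, '-|', 'mdls', '-raw', '-name', $attr, $file)
    or die "cannot run mdls for $file: $!\n";
# Slurp the whole output, as the backtick form returned it.
my $c_date = do { local $/; <$mdls> };
close $mdls;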
#!/usr/bin/env bash | |
# Unified-log queries over the last day at info+debug level, one per predicate.
# Each query runs regardless of the exit status of the previous one.
run_log_query() {
    log show --style syslog --predicate "$1" --info --debug --last 1d
}

# These do not require private data to be enabled in the log configuration.
run_log_query 'process == "taskgated" && eventMessage CONTAINS[c] "no system signature"'
run_log_query 'eventMessage CONTAINS[c] "MalwareFileNameFullOrPart"'
run_log_query 'process == "kernel" && eventMessage CONTAINS[c] "Security policy would not allow process"'

# These require private data to be enabled.
run_log_query 'process == "CoreServicesUIAgent" && eventMessage CONTAINS[c] "bundle="'
run_log_query 'subsystem == "com.apple.launchservices" && category == "code-evaluation"'