IDAPython CTREE
Important links
Description
The CTREE is built from the optimized microcode (maturity at CMAT_FINAL), it represents an AST-like tree with C statements and expressions. It can be printed as C code.
peta909
/ idapython_ctree.md
Created
January 16, 2022 12:11
— forked from icecr4ck/idapython_ctree.md
Notes on CTREE usage with IDAPython
View idapython_ctree.md
peta909
/ x96shell_msgbox.asm
Created
May 8, 2021 01:47
— forked from aaaddress1/x96shell_msgbox.asm
x96 Windows Shellcode: one payload able to used in both 32-bit & 64-bit
View x96shell_msgbox.asm
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; x96 shellcode (x32+x64) by aaaddress1@chroot.org | |
| ; yasm -f bin -o x96shell_msgbox x96shell_msgbox.asm | |
| section .text | |
| bits 32 | |
| _main: | |
| call entry | |
| entry: | |
| mov ax, cs | |
| sub ax, 0x23 | |
| jz retTo32b |
peta909
/ main.cpp
Created
November 14, 2020 15:46
— forked from hasherezade/main.cpp
Get PEB64 from a WOW64 process
View main.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <iostream> | |
| #include "ntdll_undoc.h" | |
| PPEB get_default_peb() | |
| { | |
| #if defined(_WIN64) | |
| return (PPEB)__readgsqword(0x60); | |
| #else |
peta909
/ Wow64Hook.cpp
Created
August 27, 2020 16:21
— forked from hoangprod/Wow64Hook.cpp
Wow64Hook example
View Wow64Hook.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| #include <iostream> | |
| LPVOID lpJmpRealloc = nullptr; | |
| DWORD Backup_Eax, Handle, Address_1, New, Old, *DwSizee; | |
| const DWORD_PTR __declspec(naked) GetGateAddress() | |
| { | |
| __asm | |
| { |
peta909
/ hyperdetect.c
Created
June 27, 2020 02:23
— forked from drew-gpf/hyperdetect.c
View hyperdetect.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //this requires being able to run at kernel mode and assumes you're using MSVC | |
| //this also uses an unnamed structure for cr0_t, which is a nonstandard extension of the C language | |
| //data structure for cr0 | |
| typedef union _cr0_t | |
| { | |
| struct | |
| { | |
| uint64_t protection_enable : 1; |
peta909
/ peb_parsing.md
Created
June 26, 2019 10:32
— forked from williballenthin/peb_parsing.md
View peb_parsing.md
manual import resolution
example from 0f5d5d07c6533bc6d991836ce79daaa1:
_0:00F20012 33 D2 xor edx, edx
_0:00F20014 64 8B 52 30 mov edx, fs:[edx+30h] // TEB->PEB
_0:00F20018 8B 52 0C mov edx, [edx+0Ch] // PEB->LDR_DATA
_0:00F2001B 8B 52 14 mov edx, [edx+14h] // LDR_DATA->InMemoryOrderLinks (_LDR_DATA_TABLE_ENTRY)
// alt: 0xC: InLoadOrderLinks
// alt: 0x1C: InInitializationOrderLinks
peta909
/ hello_world_plugin.py
Created
April 26, 2019 00:47
— forked from cmatthewbrooks/hello_world_plugin.py
The simplest possible IDA plugin with multiple actions
View hello_world_plugin.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################################################################## | |
| # | |
| # Name: hello_world_plugin.py | |
| # Auth: @cmatthewbrooks | |
| # Desc: A test plugin to learn how to make these work; Specifically, how to | |
| # have multiple actions within the same plugin. | |
| # | |
| # In plain English, IDA will look for the PLUGIN_ENTRY function which | |
| # should return a plugin object. This object can contain all the | |
| # functionality itself, or it can have multiple actions. |
peta909
/ Function_Pointers.cpp
Created
February 27, 2019 14:54
View Function_Pointers.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Function_Pointers.cpp : This file contains the 'main' function. Program execution begins and ends there. | |
| // | |
| #include "pch.h" | |
| #include <iostream> | |
| #include <string> | |
| using namespace std; | |
| int add() |
peta909
/ Class_OOP_Virtual_Functions.cpp
Created
February 27, 2019 07:04
View Class_OOP_Virtual_Functions.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "pch.h" | |
| #include <iostream> | |
| #include <string> | |
| using namespace std; | |
| //Parent Class | |
| class Animal | |
| { | |
| public: | |
| string name; |
peta909
/ Class_OOP_inheritance_DynamicMem.cpp
Last active
February 25, 2019 02:41
Demo use of OOP inheritance and use of Dynamic member to create new objects
View Class_OOP_inheritance_DynamicMem.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "pch.h" | |
| #include <iostream> | |
| #include <string> | |
| using namespace std; | |
| //Parent Class | |
| class Animal | |
| { | |
| public: | |
| string name; |
NewerOlder