View windows-toolkit.md
Windows Toolkit
Binary
Native Binaries
IDA Plugins | Preferred | Neutral | Unreviewed |
---|
View peb_parsing.md
manual import resolution
example from 0f5d5d07c6533bc6d991836ce79daaa1:
_0:00F20012 33 D2 xor edx, edx
_0:00F20014 64 8B 52 30 mov edx, fs:[edx+30h] // TEB->PEB
_0:00F20018 8B 52 0C mov edx, [edx+0Ch] // PEB->LDR_DATA
_0:00F2001B 8B 52 14 mov edx, [edx+14h] // LDR_DATA->InMemoryOrderLinks (_LDR_DATA_TABLE_ENTRY)
// alt: 0xC: InLoadOrderLinks
// alt: 0x1C: InInitializationOrderLinks
View vb-ref.md
references:
- https://reverseengineering.stackexchange.com/questions/1597/reverse-engineering-a-visual-basic-p-code-binary
- http://web.archive.org/web/20071020232030/http://www.alex-ionescu.com/vb.pdf (ref: Alex Ionescu)
- http://web.archive.org/web/20101127044116/http://vb-decompiler.com/pcode/opcodes.php?t=1
- https://github.com/bontchev/pcodedmp
- http://www.openrce.org/blog/view/1719/Visual_Basic_6_IDC_updated
- https://pediy.com/thread-12832.htm
- https://github.com/vic4key/VB-Exe-Parser/blob/master/VB-Parser.py
- http://www.openrce.org/repositories/users/Paolo/vbpython.py
View main.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
#include <iostream> | |
#include "ntdll_undoc.h" | |
PPEB get_default_peb() | |
{ | |
#if defined(_WIN64) | |
return (PPEB)__readgsqword(0x60); | |
#else |
View cheat_sheet.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
GDB commands by function - simple guide | |
--------------------------------------- | |
More important commands have a (*) by them. | |
Startup | |
% gdb -help print startup help, show switches | |
*% gdb object normal debug | |
*% gdb object core core debug (must specify core file) | |
%% gdb object pid attach to running process | |
% gdb use file command to load object |
View gist:0f4f269e93a2b85958d8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from zipfile import ZipFile | |
def unpack_zip(zipfile='', path_from_local=''): | |
filepath = path_from_local+zipfile | |
extract_path = filepath.strip('.zip')+'/' | |
parent_archive = ZipFile(filepath) | |
parent_archive.extractall(extract_path) | |
namelist = parent_archive.namelist() | |
parent_archive.close() | |
for name in namelist: |