Skip to content

Instantly share code, notes, and snippets.

View udgover's full-sized avatar

udgover

26 followers · 15 following
View GitHub Profile
@udgover
udgover / demo_export.py
Created March 22, 2013 17:26
Teaser demo module for DFF based on articles http://www.digital-forensic.org/en/blog/2013/dff-extract-needle-haystack-part-1-graphical-way/ and http://www.digital-forensic.org/en/blog/2013/dff-and-python-scripting/
from dff.api.types.libtypes import Parameter, Argument, typeId, Variant, VMap, VList
from dff.api.module.module import Module
from dff.api.module.script import Script
from dff.api.events.libevents import EventHandler
from dff.api.filters.libfilters import Filter
from dff.api.vfs.libvfs import ABSOLUTE_ATTR_NAME
class DemoExport(Script, EventHandler):
def __init__(self):
@udgover
udgover / tcpip_vtypes.py
Created October 4, 2019 12:00
Adds correct EPROCESS offset in TCP_ENDPOINT struct for Win10 17134
class Win10Tcpip(obj.ProfileModification):
before = ['Win8Tcpip']
conditions = {'os': lambda x: x == 'windows',
'memory_model': lambda x: x == '32bit',
'major': lambda x : x == 6,
'minor': lambda x : x >= 4}
def modification(self, profile):
profile.merge_overlay({
'_ADDRINFO' : [ None, {
'Local' : [ 0x0, ['pointer', ['_LOCAL_ADDRESS']]],
@udgover
udgover / encrypted_archive.py
Created June 2, 2020 11:44
Examples to deal with PyEasyArchive encrypted archives reading and writing
import libarchive.public
import libarchive.constants
import libarchive.adapters.archive_read
import hashlib
import os
import shutil
# from https://stackoverflow.com/a/1094933
def sizeof_fmt(num, suffix='B'):
@udgover
udgover / gist:8467dbcb6da04617937328ba16b65936
Created July 7, 2020 10:00
keybase.md
### Keybase proof
I hereby claim:
* I am udgover on github.
* I am udgover (https://keybase.io/udgover) on keybase.
* I have a public key ASAKRK3L9kp37lPEU6GPOaDhetnLfSJz3Yb_kU5Ek-065Qo
To claim this, I am signing this object: