@williballenthin
williballenthin / compare-viv-analysis.py
Created Aug 26, 2021
compare vivisect analysis results across versions
#!/usr/bin/env python3
'''
compare vivisect analysis results across versions.
pip install devtools[pygments] pydantic viv-utils termcolor
'''
import sys
import time
import os.path
import logging
@williballenthin
williballenthin / caps-vim.ahk
Created Jun 25, 2021
remap CapsLock-H/J/K/L to arrows and similar via AutoHotKey
#NoEnv
#Warn
SendMode Input
SetWorkingDir %A_ScriptDir%
SetCapsLockState AlwaysOff
CapsLock::Send {esc}
CapsLock & j::Send {Down}
CapsLock & k::Send {Up}
CapsLock & h::Send {Left}
@williballenthin
williballenthin / mmap-readlines.py
Created Jan 28, 2021
enumerate the lines of a (utf-8) file incrementally via mmap
import mmap

def lines(m):
    line = m.readline()
    while line:
        yield line.decode("utf-8").rstrip("\n")
        line = m.readline()

def filelines(path):
    with open(path, "rb") as f:
@williballenthin
williballenthin / sort-jsonl-by-key.py
Created Jan 27, 2021
sort the given jsonl file by the given key, writing the output to STDOUT.
"""
sort the given jsonl document (distinct json documents separated by newline)
by the given key, writing the output to STDOUT.
example:
python sort-jsonl-by-key.py log.jsonl "timestamp"
this does require reading the entire document into memory, first.
a future revision could maybe use a mmap to avoid keeping things in memory.
View contents of DarkHalo.zip.txt
@williballenthin
williballenthin / _kaitai-examples.md
Last active Aug 18, 2020
parsing some test data with kaitai

here i'm parsing some test data with kaitai to see what it can extract.

this is the dumper that i'm using:

import binascii
import tabulate

PRIMATIVE_TYPES = (str, bytes, int)
View theme.css
AskText QLabel#counterlabel
{
    color: grey;
}
AskText QLabel#counterlabel[invalid=true]
{
    color: red;
}
@williballenthin
williballenthin / deob_opaque_predicate.py
Created Jul 28, 2020
search for and patch out known opaque predicates within IDA Pro workspaces.
"""
search for and patch out known opaque predicates within IDA Pro workspaces.
just run the script and it will manipulate the open database.
therefore, you should probably create a backup first.
"""
import logging
from pprint import pprint
import ida_idp
@williballenthin
williballenthin / clicker.py
Last active Jan 2, 2020
respond to button clicks in IDA Pro
import re
import collections
import idaapi
import ida_kernwin

class button_hooks_t(ida_kernwin.View_Hooks):
    def __init__(self, v):
        '''
@williballenthin
williballenthin / TxR.bt
Created Nov 22, 2019
010 Editor template for parsing Windows Registry TxR (.regtrans-ms) files
//------------------------------------------------
//--- 010 Editor v8.0.1 Binary Template
//
// File: Transactional Registry Transaction Logs (.TxR)
// Authors: Willi Ballenthin <william.ballenthin@fireeye.com>
// Version: 0.1
// Reference: https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html
//------------------------------------------------
LittleEndian();