Willi Ballenthin (williballenthin) - gists
williballenthin / bling.py
Created May 22, 2019
bling.py - extract keys from macOS keychains.
#!/usr/bin/env python3
'''
bling.py - extract keys from macOS keychains.
installation:
pip install pytz hexdump vivisect-vstruct-wb tabulate argparse pycryptodome
usage:
python bling.py /path/to/keychain-db <password> ./path/to/output/directory
williballenthin / parse_filesystem_cache.py
Created May 2, 2019
parse the Apple ARD filesystem.cache file
'''
author: Willi Ballenthin
email: william.ballenthin@fireeye.com
'''
import sys
import struct
import collections
Header = collections.namedtuple('Header', [
williballenthin / extract_stickies.py
Last active Apr 15, 2019
extract entries from the osx sticky database
'''
parse osx sticky databases.
author: Willi Ballenthin <william.ballenthin@fireeye.com>
usage:
$ python extract_stickies.py /path/to/input.bin /path/to/output/directory/
'''
williballenthin / bplist.py
Last active Apr 8, 2019
parse SavedState artifacts extracted from OSX.
"""
derived from plistlib.py -- a tool to generate and parse MacOSX .plist files.
edited by: Willi Ballenthin (william.ballenthin@fireeye.com)
changes:
- remove all but the binary plist parser
- add support for UID fields, see https://bugs.python.org/issue26707
"""
williballenthin / functions_as_data.py
Created Jul 30, 2018
IDA Pro script to identify functions that are referenced as data.
'''
Identify functions that are referenced as data.
For example, something weird is going on below::
.text:10001833 BE 60 25 00 10 mov esi, offset sub_10002560 <<<<
.text:10001838 8B 45 FC mov eax, [ebp+var_4]
.text:1000183B 89 5F 04 mov [edi+4], ebx
.text:1000183E 81 C7 18 02 00 00 add edi, 218h
.text:10001844 F3 A5 rep movsd
williballenthin / get_eip.yara
rule get_eip
{
meta:
author = "William Ballenthin"
email = "william.ballenthin@fireeye.com"
license = "Apache 2.0"
copyright = "FireEye, Inc"
description = "Match x86 that appears to fetch $PC."
strings:
williballenthin / peb_parsing.md
manual import resolution

example from 0f5d5d07c6533bc6d991836ce79daaa1:

_0:00F20012 33 D2                   xor     edx, edx
_0:00F20014 64 8B 52 30             mov     edx, fs:[edx+30h] // TEB->PEB
_0:00F20018 8B 52 0C                mov     edx, [edx+0Ch]    // PEB->LDR_DATA
_0:00F2001B 8B 52 14                mov     edx, [edx+14h]    // LDR_DATA->InMemoryOrderLinks (_LDR_DATA_TABLE_ENTRY)
                                                              // alt: 0xC: InLoadOrderLinks
                                                              // alt: 0x1C: InInitializationOrderLinks
williballenthin / floss-lite.py
#!/usr/bin/env python3
'''
A simplified FLOSS implementation that only supports stackstrings.
requirements:
- yara-python
- unicorn
author: Willi Ballenthin
email: william.ballenthin@fireeye.com
williballenthin / vamp.ipynb
Created Mar 28, 2018
function signatures in vivisect