Willi Ballenthin williballenthin

## fls_with_find.sh
find . -printf "0|%p|%i|%m|%U|%G|%s|%A@|%T@|%C@|0\n"

## skype-irc-adapter.py
#!/usr/bin/python

# TODOs
# Add support for:
#  - WHOIS/WHO/WHOWAS
#  - AWAY
#  - creating chats
#  - TOPIC (setting)

import logging

## decode_DateCreated.py
import sys
from datetime import datetime
import struct

buf = sys.stdin.read().rstrip("\r\n")
y, mo, w, d, h, mi, s, _ = struct.unpack("<HHHHHHHH", buf)
print datetime(y, mo, d, h, mi, s).isoformat("T") + "Z"

## gist:8514312
    Git/INDXParse - [master●] » python list_mft.py /evidence/case001/CMFT --prefix "C:" --format "{{ record.inode }}, {{ prefix }}{{ record.path }}, {{ record.is_active }}, {{ record.standard_information.accessed }}, {{ record.filename_information.created }}, {{ record.size }}" | head
    0, C:\$MFT, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 181895168
    1, C:\$MFTMirr, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 4096
    2, C:\$LogFile, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 67108864
    3, C:\$Volume, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 0
    4, C:\$AttrDef, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 2560
    5, C:, 1, 2012-03-19 13:18:46.741314, 2005-04-30 21:04:47.484373, 0
    6, C:\$Bitmap, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 2442136
    7, C:\$Boot, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 8192
    8, C:\$BadClus, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373

## rip-with-templates.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                williballenthin
                / rip-with-templates.md
            
            
              Last active
              August 29, 2015 13:58
            
              
                Example output from RegRipper with user defined template support.
              
          
    By default, rip.pl continues to use a default tempate
In subsequent examples, the template name is "legacy".
» perl rip.pl -r samples/XP/system -p appcompatcache                           
Launching appcompatcache v.20130425
appcompatcache v.20130425
(System) Parse files from System hive Shim Cache


## flare-on-6__extract_buffer.py
from idaapi import *

GEN_REG = 0x1
MEM_REF = 0x2
BASE_INDEX = 0x3
BASE_INDEX_DISP = 0x4
IMMED = 0x5

def doone(ea):
    xrefs = []

## flare-on-6__solve_sc.py
"""
The shellcode in Challege 6 compares the string in RDI
against a bunch of conditions. This script extracts the
conditions and solves the constraints, yielding the
expected string.
"""
from idaapi import *
from williutils import *


## fuse-filter-by-ctime.py
#!/usr/bin/env python

from __future__ import with_statement

import datetime
from errno import EACCES
from os.path import realpath
from sys import argv, exit
from threading import Lock

## amcache_py_examples.md

      
              1 file
            
          
              0 forks
            
          
              1 comment
            
          
              15 stars
            
          
                williballenthin
                / amcache_py_examples.md
            
            
              Last active
              February 13, 2021 15:34
            
              
                Examples of amcache.py
              
          
    amcache.py

Download location

https://github.com/williballenthin/python-registry/blob/master/samples/amcache.py
Usage


## mutablenamedtuple.py
"""
mutablenamedtuple is like collections.namedtuple, but the fields
may be modified. This makes it basically a record type.

Desired usage:
    F = mutablenamedtuple("F", ["foo", "bar", "baz"])
    f = F(1, bar=2, baz=3)
    f.baz = 9
    print(f)
    --> "F(foo=1, bar=2, baz=9)"
	#!/usr/bin/python

	# TODOs
	# Add support for:
	# - WHOIS/WHO/WHOWAS
	# - AWAY
	# - creating chats
	# - TOPIC (setting)

	import logging
	import sys
	from datetime import datetime
	import struct

	buf = sys.stdin.read().rstrip("\r\n")
	y, mo, w, d, h, mi, s, _ = struct.unpack("<HHHHHHHH", buf)
	print datetime(y, mo, d, h, mi, s).isoformat("T") + "Z"
	Git/INDXParse - [master●] » python list_mft.py /evidence/case001/CMFT --prefix "C:" --format "{{ record.inode }}, {{ prefix }}{{ record.path }}, {{ record.is_active }}, {{ record.standard_information.accessed }}, {{ record.filename_information.created }}, {{ record.size }}" \| head
	0, C:\$MFT, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 181895168
	1, C:\$MFTMirr, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 4096
	2, C:\$LogFile, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 67108864
	3, C:\$Volume, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 0
	4, C:\$AttrDef, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 2560
	5, C:, 1, 2012-03-19 13:18:46.741314, 2005-04-30 21:04:47.484373, 0
	6, C:\$Bitmap, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 2442136
	7, C:\$Boot, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373, 8192
	8, C:\$BadClus, 1, 2005-04-30 21:04:47.484373, 2005-04-30 21:04:47.484373
	from idaapi import *

	GEN_REG = 0x1
	MEM_REF = 0x2
	BASE_INDEX = 0x3
	BASE_INDEX_DISP = 0x4
	IMMED = 0x5

	def doone(ea):
	xrefs = []
	"""
	The shellcode in Challege 6 compares the string in RDI
	against a bunch of conditions. This script extracts the
	conditions and solves the constraints, yielding the
	expected string.
	"""
	from idaapi import *
	from williutils import *
	#!/usr/bin/env python

	from __future__ import with_statement

	import datetime
	from errno import EACCES
	from os.path import realpath
	from sys import argv, exit
	from threading import Lock
	"""
	mutablenamedtuple is like collections.namedtuple, but the fields
	may be modified. This makes it basically a record type.

	Desired usage:
	F = mutablenamedtuple("F", ["foo", "bar", "baz"])
	f = F(1, bar=2, baz=3)
	f.baz = 9
	print(f)
	--> "F(foo=1, bar=2, baz=9)"