Willi Ballenthin williballenthin
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| ''' | |
| Carve PE files from binary data. | |
| Write them into the current directy named after their hash. | |
| Example:: | |
| $ python carvepe.py unallocated.bin | |
| INFO:__main__:found pe at 0x0, length: 0xd8000 | |
| INFO:__main__:writing pe file to 273ed32b617fd79ed1b88ebd4521a441.bin |
williballenthin
/ realign_pe_sections.py
Last active
November 17, 2023 13:07
Realign the sections of a PE file with invalid FileAlignment.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| ''' | |
| some documentation | |
| author: Willi Ballenthin | |
| email: willi.ballenthin@gmail.com | |
| website: https://gist.github.com/williballenthin/d43cbc98fa127211c9099f46d2e73d2c | |
| ''' | |
| import sys | |
| import logging | |
| from collections import namedtuple |
williballenthin
/ auto_shellcode_hashes.py
Last active
November 5, 2023 22:12
automatically resolve shellcode hashes into symbolic names using emulation, example: https://asciinema.org/a/EaHLv3yy7nGnh7mfHQ5DVy1LJ
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| import logging | |
| import pefile | |
| import ucutils | |
| import unicorn | |
| import capstone | |
| import argparse |
williballenthin
/ gist:56d52e110f8652a303bdc6ab55c3d1b1
Created
October 4, 2023 07:39
export ssh-agent details in fish shell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| eval (ssh-agent -c) | |
| set -Ux SSH_AUTH_SOCK $SSH_AUTH_SOCK | |
| set -Ux SSH_AGENT_PID $SSH_AGENT_PID |
williballenthin
/ stackstrings.yara
Last active
July 6, 2023 10:07
match x86 that appears to be stack string creation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule stack_strings | |
| { | |
| meta: | |
| author = "William Ballenthin" | |
| email = "william.ballenthin@fireeye.com" | |
| license = "Apache 2.0" | |
| copyright = "FireEye, Inc" | |
| description = "Match x86 that appears to be stack string creation." | |
| strings: |
williballenthin
/ Microsoft-Windows-Sysmon-schema.txt
Last active
April 23, 2023 18:57
example events from sysmon
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # generate via: wevtutil gp Microsoft-Windows-Sysmon /getevents /getmessage | |
| name: Microsoft-Windows-Sysmon | |
| guid: 5770385f-c22a-43e0-bf4c-06f5698ffbd9 | |
| helpLink: | |
| resourceFileName: C:\Windows\Sysmon.exe | |
| messageFileName: C:\Windows\Sysmon.exe | |
| message: | |
| channels: | |
| channel: |
williballenthin
/ get-windows-api.ipynb
Last active
March 18, 2023 10:46
Extract the exported symbols from a typical Windows installation
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
williballenthin
/ flare-on-6__extract_buffer.py
Last active
February 25, 2023 17:26
IDAPython script to extract contents of global byte array in the FLARE-On Challenge #6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from idaapi import * | |
| GEN_REG = 0x1 | |
| MEM_REF = 0x2 | |
| BASE_INDEX = 0x3 | |
| BASE_INDEX_DISP = 0x4 | |
| IMMED = 0x5 | |
| def doone(ea): | |
| xrefs = [] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "dotnet" | |
| rule DotnetStartupHook { | |
| meta: | |
| description = "might be a .NET startup hook module" | |
| author = "William Ballenthin <william.ballenthin@mandiant.com>" | |
| strings: | |
| $a1 = "StartupHook" | |
| $a2 = "Initialize" | |
| condition: |
williballenthin
/ macOS_keychain.py
Last active
November 19, 2022 12:13
bling.py - extract keys from macOS keychains.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| ''' | |
| bling.py - extract keys from macOS keychains. | |
| installation: | |
| pip install pytz hexdump vivisect-vstruct-wb tabulate argparse pycryptodome | |
| usage: | |
| python bling.py /path/to/keychain-db <password> ./path/to/output/directory |