#!/usr/bin/env python2
'''
Carve PE files from binary data.
Write them into the current directory named after their hash.
Example::
    $ python carvepe.py unallocated.bin
    INFO:__main__:found pe at 0x0, length: 0xd8000
    INFO:__main__:writing pe file to 273ed32b617fd79ed1b88ebd4521a441.bin
#!/usr/bin/env python2
'''
some documentation
author: Willi Ballenthin
email: willi.ballenthin@gmail.com
website: https://gist.github.com/williballenthin/d43cbc98fa127211c9099f46d2e73d2c
'''
import sys
import logging
from collections import namedtuple
import os
import sys
import logging
import pefile
import ucutils
import unicorn
import capstone
import argparse
eval (ssh-agent -c)
set -Ux SSH_AUTH_SOCK $SSH_AUTH_SOCK
set -Ux SSH_AGENT_PID $SSH_AGENT_PID
rule stack_strings
{
    meta:
        author = "William Ballenthin"
        email = "william.ballenthin@fireeye.com"
        license = "Apache 2.0"
        copyright = "FireEye, Inc"
        description = "Match x86 that appears to be stack string creation."
    strings:
# generate via: wevtutil gp Microsoft-Windows-Sysmon /getevents /getmessage
name: Microsoft-Windows-Sysmon
guid: 5770385f-c22a-43e0-bf4c-06f5698ffbd9
helpLink:
resourceFileName: C:\Windows\Sysmon.exe
messageFileName: C:\Windows\Sysmon.exe
message:
channels:
  channel:
from idaapi import *

GEN_REG = 0x1
MEM_REF = 0x2
BASE_INDEX = 0x3
BASE_INDEX_DISP = 0x4
IMMED = 0x5

def doone(ea):
    xrefs = []
import "dotnet"

rule DotnetStartupHook {
    meta:
        description = "might be a .NET startup hook module"
        author = "William Ballenthin <william.ballenthin@mandiant.com>"
    strings:
        $a1 = "StartupHook"
        $a2 = "Initialize"
    condition:
#!/usr/bin/env python3
'''
bling.py - extract keys from macOS keychains.
installation:
    pip install pytz hexdump vivisect-vstruct-wb tabulate argparse pycryptodome
usage:
    python bling.py /path/to/keychain-db <password> ./path/to/output/directory