Willi Ballenthin williballenthin

## yet another radare2 cheatsheet.md

      
              1 file
            
          
              50 forks
            
          
              16 comments
            
          
              243 stars
            
          
                williballenthin
                / yet another radare2 cheatsheet.md
            
            
              Last active
              April 20, 2024 23:27
            
          
    radare2

load without any analysis (file header at offset 0x0): r2 -n /path/to/file

analyze all: aa
show sections: iS
list functions: afl
list imports: ii
list entrypoints: ie
seek to function: s sym.main


## macOS_savedstate.py
'''
parse SavedState artifacts extracted from OSX.

author: Willi Ballenthin (william.ballenthin@fireeye.com)
license: Apache 2.0
'''
import re
import sys
import json
import struct

## peb_parsing.md

      
              3 files
            
          
              5 forks
            
          
              0 comments
            
          
              8 stars
            
          
                williballenthin
                / peb_parsing.md
            
            
              Last active
              April 18, 2024 03:55
            
          
    manual import resolution

example from 0f5d5d07c6533bc6d991836ce79daaa1:

_0:00F20012 33 D2                   xor     edx, edx
_0:00F20014 64 8B 52 30             mov     edx, fs:[edx+30h] // TEB->PEB
_0:00F20018 8B 52 0C                mov     edx, [edx+0Ch]    // PEB->LDR_DATA
_0:00F2001B 8B 52 14                mov     edx, [edx+14h]    // LDR_DATA->InMemoryOrderLinks (_LDR_DATA_TABLE_ENTRY)
                                                              // alt: 0xC: InLoadOrderLinks
 // alt: 0x1C: InInitializationOrderLinks


## hint_calls.py
'''
IDA plugin to display the calls and strings referenced by a function as hints.

Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <william.ballenthin@fireeye.com>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils

## commands.sh
# build wine Docker image
pushd wine; docker build -t wine .; popd

# build x11 Docker image for IDA
pushd ida; docker build -t wine/ida .; popd

# demonstrate x11 forwarding works
docker run -ti --rm -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix wine/ida xclock

# interactive shell in container

## .gdbinit
set disassembly-flavor intel
set disassemble-next-line on

set history save on
set print pretty on
set pagination off
set confirm off

define xxd
dump binary memory dump.bin $arg0 $arg0+$arg1

## clicker.py
import re
import collections

import idaapi
import ida_kernwin


class button_hooks_t(ida_kernwin.View_Hooks):
    def __init__(self, v):
        '''

## deob_opaque_predicate.py
"""
search for and patch out known opaque predicates within IDA Pro workspaces.

just run the script and it will manipulate the open database.
therefore, you should probably create a backup first.
"""
import logging
from pprint import pprint

import ida_idp

## PGPy+usage.ipynb

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              5 stars
            
          
                williballenthin
                / PGPy+usage.ipynb
            
            
              Last active
              January 29, 2024 15:28
            
              
                example of using PGPy for creating and verifying digital signatures
              
          
      Sorry, something went wrong. Reload?
      Sorry, we cannot display this file.
      Sorry, this file is invalid so it cannot be displayed.
      
          Viewer requires iframe.
      
    
## functions_as_data.py
'''
Identify functions that are referenced as data.

For example, something weird is going on below::

    .text:10001833 BE 60 25 00 10          mov     esi, offset sub_10002560    <<<<
    .text:10001838 8B 45 FC                mov     eax, [ebp+var_4]
    .text:1000183B 89 5F 04                mov     [edi+4], ebx
    .text:1000183E 81 C7 18 02 00 00       add     edi, 218h
    .text:10001844 F3 A5                   rep movsd
	'''
	parse SavedState artifacts extracted from OSX.

	author: Willi Ballenthin (william.ballenthin@fireeye.com)
	license: Apache 2.0
	'''
	import re
	import sys
	import json
	import struct
	'''
	IDA plugin to display the calls and strings referenced by a function as hints.

	Installation: put this file in your %IDADIR%/plugins/ directory.
	Author: Willi Ballenthin <william.ballenthin@fireeye.com>
	Licence: Apache 2.0
	'''
	import idc
	import idaapi
	import idautils
	# build wine Docker image
	pushd wine; docker build -t wine .; popd

	# build x11 Docker image for IDA
	pushd ida; docker build -t wine/ida .; popd

	# demonstrate x11 forwarding works
	docker run -ti --rm -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix wine/ida xclock

	# interactive shell in container
	set disassembly-flavor intel
	set disassemble-next-line on

	set history save on
	set print pretty on
	set pagination off
	set confirm off

	define xxd
	dump binary memory dump.bin $arg0 $arg0+$arg1
	import re
	import collections

	import idaapi
	import ida_kernwin


	class button_hooks_t(ida_kernwin.View_Hooks):
	def __init__(self, v):
	'''
	"""
	search for and patch out known opaque predicates within IDA Pro workspaces.

	just run the script and it will manipulate the open database.
	therefore, you should probably create a backup first.
	"""
	import logging
	from pprint import pprint

	import ida_idp
	'''
	Identify functions that are referenced as data.

	For example, something weird is going on below::

	.text:10001833 BE 60 25 00 10 mov esi, offset sub_10002560 <<<<
	.text:10001838 8B 45 FC mov eax, [ebp+var_4]
	.text:1000183B 89 5F 04 mov [edi+4], ebx
	.text:1000183E 81 C7 18 02 00 00 add edi, 218h
	.text:10001844 F3 A5 rep movsd