Willi Ballenthin williballenthin
@williballenthin
williballenthin / deob_opaque_predicate.py
Created July 28, 2020 19:58
search for and patch out known opaque predicates within IDA Pro workspaces.
"""
search for and patch out known opaque predicates within IDA Pro workspaces.
just run the script and it will manipulate the open database.
therefore, you should probably create a backup first.
"""
import logging
from pprint import pprint
import ida_idp
@williballenthin
williballenthin / clicker.py
Last active March 5, 2024 14:32
respond to button clicks in IDA Pro
import re
import collections
import idaapi
import ida_kernwin
class button_hooks_t(ida_kernwin.View_Hooks):
    def __init__(self, v):
        '''
@williballenthin
williballenthin / TxR.bt
Created November 22, 2019 20:49
010 Editor template for parsing Windows Registry TxR (.regtrans-ms) files
//------------------------------------------------
//--- 010 Editor v8.0.1 Binary Template
//
// File: Transactional Registry Transaction Logs (.TxR)
// Authors: Willi Ballenthin <william.ballenthin@fireeye.com>
// Version: 0.1
// Reference: https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html
//------------------------------------------------
LittleEndian();
use log::{info};
use actix;
use actix_web::{
    http, middleware, server, App, HttpRequest, HttpResponse,
};
/// These are the possible states that the server can be requested to run.
#[derive(Debug)]
enum ServerState {
    /// Stop the server.
@williballenthin
williballenthin / macOS_savedstate.py
Last active April 20, 2024 21:13
parse macOS savedState files
'''
parse SavedState artifacts extracted from OSX.
author: Willi Ballenthin (william.ballenthin@fireeye.com)
license: Apache 2.0
'''
import re
import sys
import json
import struct
@williballenthin
williballenthin / macOS_keychain.py
Last active November 19, 2022 12:13
bling.py - extract keys from macOS keychains.
#!/usr/bin/env python3
'''
bling.py - extract keys from macOS keychains.
installation:
pip install pytz hexdump vivisect-vstruct-wb tabulate argparse pycryptodome
usage:
python bling.py /path/to/keychain-db <password> ./path/to/output/directory
@williballenthin
williballenthin / macOS_ARD_filesystem_cache.py
Last active October 10, 2019 16:19
parse the Apple ARD filesystem.cache file
'''
author: Willi Ballenthin
email: william.ballenthin@fireeye.com
license: Apache 2.0
'''
import sys
import struct
import collections
@williballenthin
williballenthin / macOS_stickies.py
Last active June 24, 2022 15:32
extract entries from the osx sticky database
'''
parse osx sticky databases.
author: Willi Ballenthin <william.ballenthin@fireeye.com>
license: Apache 2.0
usage:
$ python extract_stickies.py /path/to/input.bin /path/to/output/directory/
'''
@williballenthin
williballenthin / bplist.py
Last active April 1, 2020 19:05
parse SavedState artifacts extracted from OSX.
"""
derived from plistlib.py -- a tool to generate and parse MacOSX .plist files.
edited by: Willi Ballenthin (william.ballenthin@fireeye.com)
changes:
- remove all but the binary plist parser
- add support for UID fields, see https://bugs.python.org/issue26707
"""
@williballenthin
williballenthin / functions_as_data.py
Created July 30, 2018 21:03
IDA Pro script to identify functions that are referenced as data.
'''
Identify functions that are referenced as data.
For example, something weird is going on below::
.text:10001833 BE 60 25 00 10 mov esi, offset sub_10002560 <<<<
.text:10001838 8B 45 FC mov eax, [ebp+var_4]
.text:1000183B 89 5F 04 mov [edi+4], ebx
.text:1000183E 81 C7 18 02 00 00 add edi, 218h
.text:10001844 F3 A5 rep movsd