williballenthin’s gists

williballenthin / ida_enum_xrefs.py

Last active October 30, 2025 11:38

find references to enum members in IDA Pro

	import ida_typeinf
	import ida_funcs
	import ida_xref
	import idautils

	enum_name = "_FILE_INFORMATION_CLASS"

	til = ida_typeinf.get_idati()
	tif = til.get_named_type(enum_name)

williballenthin / gist:ff8f6cac32ae4cd70239d543fdb09eac

Created October 27, 2025 15:06

triage decompile_function for IDA MCP

	import os
	import sys

	if sys.version_info < (3, 11):
	raise RuntimeError("Python 3.11 or higher is required for the MCP plugin")

	import json
	import struct
	import threading
	import http.server

williballenthin / curl_opt.h

Last active April 3, 2025 09:35

curl options as a C enum (via https://docwiki.embarcadero.com/Libraries/Athens/en/System.Curl.CURLoption and Gemini)

	/**
	* @brief Enumeration of options for curl_easy_setopt() based on libcurl.
	*
	* Note: The explicit integer values match those used by libcurl.
	* Options without explicit values increment from the previous one.
	*/
	typedef enum {
	/* Options expecting a long */
	CURLOPT_PORT = 3,
	CURLOPT_TIMEOUT = 13,

williballenthin / gist:56d52e110f8652a303bdc6ab55c3d1b1

Created October 4, 2023 07:39

export ssh-agent details in fish shell

	eval (ssh-agent -c)
	set -Ux SSH_AUTH_SOCK $SSH_AUTH_SOCK
	set -Ux SSH_AGENT_PID $SSH_AGENT_PID

williballenthin / DotnetStartupHook.yar

Last active January 4, 2023 08:23

#100DaysOfYara (2023)

	import "dotnet"

	rule DotnetStartupHook {
	meta:
	description = "might be a .NET startup hook module"
	author = "William Ballenthin <[email protected]>"
	strings:
	$a1 = "StartupHook"
	$a2 = "Initialize"
	condition:

williballenthin / decoding_routines.py

Created May 18, 2022 17:34

use FLOSS as a library to identify potential decoding routines

	# decoding_routines.py
	#
	# An example of using FLOSS as a library to identify potential decoding routines.
	# It will print an ordered list of function addresses and their "score",
	# ranked from most likely to least likely to be a decoding routine.
	#
	# Usage:
	#
	# $ python decoding_routines.py /path/to/input.exe
	# 0x401000: 0.99

williballenthin / compare-viv-analysis.py

Created August 26, 2021 18:06

compare vivisect analysis comparison across versions

	#!/usr/bin/env python3
	'''
	compare vivisect analysis comparison across versions.

	pip install devtools[pygments] pydantic viv-utils termcolor
	'''
	import sys
	import time
	import os.path
	import logging

williballenthin / caps-vim.ahk

Created June 25, 2021 16:10

remap CapsLock-H/J/K/L to arrows and similar via AutoHotKey

	#NoEnv
	#Warn
	SendMode Input
	SetWorkingDir %A_ScriptDir%

	SetCapsLockState AlwaysOff
	CapsLock::Send {esc}
	CapsLock & j::Send {Down}
	CapsLock & k::Send {Up}
	CapsLock & h::Send {Left}

williballenthin / mmap-readlines.py

Created January 28, 2021 19:41

enumerate the lines of a (utf-8) file incrementally via mmap

	import mmap

	def lines(m):
	line = m.readline()
	while line:
	yield line.decode("utf-8").rstrip("\n")
	line = m.readline()

	def filelines(path):
	with open(path, "rb") as f:

williballenthin / sort-jsonl-by-key.py

Created January 27, 2021 22:25

sort the given jsonl file by the given key, writing the output to STDOUT.

	"""
	sort the given jsonl document (distinct json documents separated by newline)
	by the given key, writing the output to STDOUT.

	example:

	python sort-jsonl-by-key.py log.jsonl "timestamp"

	this does require reading the entire document into memory, first.
	a future revision could maybe use a mmap to avoid keeping things in memory.

Willi Ballenthin williballenthin