Willi Ballenthin

icon indicating a website link http://www.williballenthin.com/ icon indicating an email [email protected]

icon company @mandiant icon location /usr/bin/nethack

Results 256 issues of Willi Ballenthin

are "global stackstrings" seen in the wild?

3 comment

malware that uses a stackstrings-like technique to initialize a global string will not be detected by the stackstrings extractor, since we currently inspect only the active stack frame. the decoding...

question

failing test: test-decode-wrapped-decoder::Windows::64bit

bug

failing test: test-decode-wrapped-decoder::Windows::32bit

bug

consider implementing floss via the speakeasy emulator

https://github.com/fireeye/speakeasy/

failure to extract strings on unpacked sample

e4732a029fdd3aaebd689481f7e0a57e

dotnet: how to represent getter/setters

12 comment

dotnet may emit accessor/mutators (getter/setters) for some fields rather than direct field access. how do we recognize and emit these features?

question
dotnet

dotnet: consider emitting references to types

7 comment

methods interact with various types, including both primitive objects (u8) and classes. sometimes we see method/property access to the classes, which can be represented by things like `API` (and maybe...

enhancement
question
dotnet

flirt: consider using rizin/sigdb signatures

2 comment

https://github.com/rizinorg/sigdb

enhancement

how to bundle TreeSitter bindings

1 comment

_Originally posted by @williballenthin in https://github.com/mandiant/capa/pull/1080#discussion_r912047439_ ideally, we want to be able to install capa simply by doing `pip install flare-capa` and/or fetching the standalone executable from github (generated via...

readme: add link to v4 blog post