Willi Ballenthin issues

Results 231 issues of


Willi Ballenthin

process injection techniques from https://github.com/odzhan/injection

https://github.com/odzhan/injection ![image](https://user-images.githubusercontent.com/156560/95006936-fc54a000-05c6-11eb-8992-48c03335274e.png)

rule idea

bunch of FN in our current rules

- [ ] free user process memory - [x] read data from Internet - [x] copy file - [x] crypto - [x] allocate user process RWX memory https://github.com/vivisect/vivisect/issues/296 - [x]...

bug

MAEC 5.0 uses malware-label-ov instead of malware-category-ov

bug

use gh actions to generate a table-of-contents linking to all rules from the readme

this will make it easy to find rules and jump to their definitions.

enhancement

XMLSyntaxError: error parsing attribute name

``` INFO:evtxtract.carvers:Unknown exception processing record at 0x423129920 Traceback (most recent call last): File "evtxtract/carvers.py", line 175, in extract_chunk_records File "evtxtract/utils.py", line 48, in get_eid File "evtxtract/utils.py", line 18, in to_lxml...

consider integration with fox-it/dissect.cstruct for structure declarations

https://github.com/fox-it/dissect.cstruct is a project the implements a parser for a subset of C for structure declaration (and parsing). it looks pretty natural to use. i wonder if we could use...

when emulation fails due to invalid_read, explain where

in the output produced by `run_speakeasy`, i see a line like the following, which seems to indicate the end of emulation: ``` 0x18000abef: 'kernel32.GetTickCount()' -> 0x5265cc8 export.Foo: Caught error: invalid_read...

good first issue

emit code coverage trace log for import into external tools

it would be useful to see what instructions speakeasy has emulated (via `run_speakeasy`), such as via the https://github.com/gaasedelen/lighthouse IDA Pro plugin. add an option to this script that emits a...

unicorn gdbstub

https://docs.rs/crate/gdbstub/0.2.0