In IDAPython,
execfile('<path>/cxxparser.py')
parse_file('<path>/a.cpp',[r'-I<path>\LuaJIT-2.0.5\src', '-D__NT__', '-D__X64__', '-D__EA64__'])
parse_file('<path>/malloc.c',['-target=x86_64-linux-gnu'])
JAEKI KIM Jack2
MrThreat
/ findbadlinkers.yar
Created
September 17, 2018 05:25
Bsides malware yara rule APT lnk files.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule lnkfileoverRFC | |
| { | |
| strings: | |
| $header = {4c00 0000 0114 0200 0000} //lnk file header | |
| $command = "C:\\Windows\\System32\\cmd.exe" fullword ascii //cmd is precursor to findstr | |
| $command2 = {2F 00 63 00 20 00 66 00 69 00 6E 00 64 00 73 00 74 00 72} //findstr in hex | |
| $base64 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD" ascii //some base64 filler, needed to work with routine | |
| $cert = "l -decode" ascii //base64 decoder | |
| condition: | |
| filesize > 15KB and ($header at 0) and $command and $command2 and $cert and $base64 |
JohnLaTwC
/ 285e6f550560f0ce01bcf0a1a47350075cca366f9e4bf9b573fd5b03c5644b29
Created
November 7, 2018 16:47
VBA XLS + Invoke-Obfuscation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Uploaded by @JohnLaTwC | |
| ## Sample hashes: 285e6f550560f0ce01bcf0a1a47350075cca366f9e4bf9b573fd5b03c5644b29 | |
| eec6c63b87b4272a05433babad6da16c82956fe232652c4754b8d754ed036611 | |
| 2a6f540582d8761b9b3e41f9ea734f72726af969fb04742244267047d883ea78 | |
| olevba3 0.53.1 - http://decalage.info/python/oletools | |
| Flags Filename | |
| ----------- ----------------------------------------------------------------- | |
| OLE:MASIHB-- 285e6f550560f0ce01bcf0a1a47350075cca366f9e4bf9b573fd5b03c5644b29 | |
| =============================================================================== |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # | |
| # ###################################################################### | |
| # Start Tor and switch the system-wide proxy settings in macOS | |
| # ---------------------------------------------------------------------- | |
| # Usage: | |
| # `./tor.sh` in Terminal, kill with ctrl + c | |
| # ---------------------------------------------------------------------- | |
| # Source: | |
| # https://kremalicious.com/simple-tor-setup-on-mac-os-x/ |
SwitHak
/ 20200114-TLP-WHITE_CVE-2020-0601.md
Last active
February 9, 2024 14:42
BlueTeam CheatSheet * CVE-2020-0601 * crypt32.dll | Last updated: 2020-01-21 1817 UTC
- Microsoft disclosed a vulnerability in their monthly Patch Tuesday referenced under CVE-2020-0601.
- The vulnerability was discovered by the U.S. National Security Agency, anounced today (2020-01-14) in their press conference, followed by a blog post and an official security advisory.
- The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.
- NSA description:
- NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.
ophirharpaz
/ rename_functions_by_syscalls.py
Created
February 16, 2020 09:04
This IDAPython script renames functions according to the Linux syscall (int 80h) they contain. The script assumes each syscall is invoked only once.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SYSCALL_OPCODE = '\xCD\x80' | |
| REGULAR_COMMENT = 0 # as opposed to a repeatable one | |
| def get_syscalls_addresses(): | |
| return (h for h in Heads() if SYSCALL_OPCODE == GetManyBytes(h, ItemSize(h))) | |
| def get_syscall_name_from_addr(addr): | |
| # Fetch the syscall name from IDA's automatic comment |
ophirharpaz
/ get_call_flows_from_exports.py
Created
February 22, 2020 15:19
The script generates and prints a graph of all function-call flows that start in exported functions and end in the function being pointed at in IDA. This functionality is useful when you need to trigger a function in a DLL and wish to know which exported function leads to it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| The script generates and prints a graph of all function-call flows that start in exported functions and end | |
| in the function being pointed at in IDA. | |
| This functionality is useful when you need to trigger a function in a DLL and wish to know which exported function | |
| leads to it. | |
| """ | |
| import idaapi | |
| import idautils | |
| import idc |
W3ndige
/ e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60-decoded-strings.md
Last active
November 8, 2020 15:23
Script and the decoded strings from the EKANS/Snake ransomware. Original script written by @sysopfb - I've only modified the regexp to cover all cases where decryption was used in the sample.
Script:
import re
import sys
import pefile
import struct
stvemillertime
/ XOREngine_HTTP.yar
Last active
November 19, 2021 21:27
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule XOREngine_HTTP | |
| { | |
| meta: | |
| author = "smiller" | |
| description = "This looks for brute XOR of http:// in a PE." | |
| ref = "578cb44b784125ebd58ecb458d51b23d" | |
| strings: | |
| $key_01 = { 69 75 75 71 3b 2e 2e } | |
| $key_02 = { 6a 76 76 72 38 2d 2d } | |
| $key_03 = { 6b 77 77 73 39 2c 2c } |
Recent variants of Ryuk have had their code cleaned up. They removed non-referenced strings that are relics from the HERMES source code days. One interesting part of the code clean-up is a new string decoder. The string decoder is the first MD5 brute forcer that I have observed in malware. It's an interesting technique because it is a computational attack that delays execution of Ryuk before the strings are decoded in memory. The decoding of strings happens in two phases. The first phase uses a hardcoded lookup table that is to decode API names. Once the API names are decrypted, they are dynamically imported and then used to recover the original string from an MD5 hash. After the original string is discovered, each byte of the string is hashed and then the hash is MD5ed, then the hexdigest contents are appended to a string. Each byte within the appended MD5 strings is used to create a second lookup table which is then used to decrypt strings.
Example Python code of the MD5 Brutef