rule BITS_CLSID
{
    meta:
        description = "References to the BITS service."
        author = "Ivan Kwiatkowski (@JusticeRage)"
        // The BITS service seems to be used heavily by EquationGroup.
    strings:
        $uuid_background_copy_manager_1_5 = { 1F 77 87 F0 4F D7 1A 4C BB 8A E1 6A CA 91 24 EA }
        $uuid_background_copy_manager_2_0 = { 12 AD 18 6D E3 BD 93 43 B3 11 09 9C 34 6E 6D F9 }
        $uuid_background_copy_manager_2_5 = { D6 98 CA 03 5D FF B8 49 AB C6 03 DD 84 12 70 20 }
from idaapi import *
from ida_kernwin import *

def to_guid(address):
    format = "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}\n"
    msg(format % (get_wide_dword(address),
                  get_wide_word(address + 4),
                  get_wide_word(address + 6),
                  get_wide_byte(address + 8),
                  get_wide_byte(address + 9),
from idautils import *
from idc import *

mnemonics = dict()
hides = []
in_nop_sled = 0
curr_pos = 0
sled_len = 0

for seg_ea in Segments():
"""
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
Dear fellow reverser,

I'm creating this Gist in the hopes that it will be indexed and that people who look up this value: 0xE7791F700 will end up here.

62135596800 is the number of seconds that separate the Go Epoch from the Unix epoch. You're probably looking at an inlined call like `time.Now().Unix()`.

Cheers,
@JusticeRage
unsigned char shellcode[] = "\xCC\x90\x90\x90\x90...";

int main(int argc, char* argv[])
{
    // Allocate a writable page, copy the payload in, then flip it to RX before calling it.
    auto buffer = ::VirtualAlloc(nullptr, 0x1000, MEM_COMMIT, PAGE_READWRITE);
    memcpy(buffer, &shellcode, sizeof(shellcode));
    DWORD ignored;
    ::VirtualProtect(buffer, sizeof(shellcode), PAGE_EXECUTE_READ, &ignored);
    auto f = reinterpret_cast<int32_t(*)()>(buffer);
    f();
"""
got_tmilk.py - Go Type Milking
Written by Ivan Kwiatkowski @ Kaspersky GReAT
Shared under the terms of the GPLv3 license
"""

C_HEADER = """
enum golang_kind : __int8
{
    INVALID = 0x0,