MalwareMechanic
williballenthin
/ deob_opaque_predicate.py
Created
July 28, 2020 19:58
search for and patch out known opaque predicates within IDA Pro workspaces.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| search for and patch out known opaque predicates within IDA Pro workspaces. | |
| just run the script and it will manipulate the open database. | |
| therefore, you should probably create a backup first. | |
| """ | |
| import logging | |
| from pprint import pprint | |
| import ida_idp |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ;cmstp.exe /s cmstp.inf | |
| [version] | |
| Signature=$chicago$ | |
| AdvancedINF=2.5 | |
| [DefaultInstall_SingleUser] | |
| UnRegisterOCXs=UnRegisterOCXSection | |
| [UnRegisterOCXSection] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdint.h> | |
| #ifdef _MSC_VER | |
| #include <intrin.h> /* for rdtscp and clflush */ | |
| #pragma optimize("gt",on) | |
| #else | |
| #include <x86intrin.h> /* for rdtscp and clflush */ | |
| #endif |
williballenthin
/ ida_match_yara.py
Last active
August 16, 2021 13:36
search for YARA matches in each function within IDA Pro.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| ''' | |
| search for YARA matches in each function within IDA Pro. | |
| upon execution, prompts the user to provide the YARA rules file. | |
| requirements: | |
| - hexdump | |
| - yara-python | |
| author: Willi Ballenthin |
cobbr
/ Invoke-ObfuscationDetection.ps1
Last active
September 17, 2024 21:54
Detect obfuscated PowerShell through character frequency analysis.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Measure-CharacterFrequency | |
| { | |
| <# | |
| .SYNOPSIS | |
| Measures the letter / character frequency in a block of text, ignoring whitespace | |
| and PowerShell comment blocks. | |
| Author: Lee Holmes |
jaredcatkinson
/ Get-InjectedThread.ps1
Last active
December 29, 2024 12:07
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
ryhanson
/ ExcelXLL.md
Last active
November 8, 2024 14:51
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method
A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.
The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN
The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc
herrcore
/ quick_ioctl_decoder.py
Created
August 14, 2016 02:53
IDA Python plugin - Decode IOCTL Codes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################################################################################ | |
| ## | |
| ## Quick IOCTL Decoder! | |
| ## | |
| ## All credit for actual IOCTL decode logic: | |
| ## http://www.osronline.com/article.cfm?article=229 | |
| ## | |
| ## | |
| ## To install: | |
| ## Copy script into plugins directory, i.e: C:\Program Files\IDA 6.8\plugins |
SouhailHammou
/ VM.c
Created
September 22, 2015 17:00
Virtual machine with a custom instruction set.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| VM by Souhail Hammou : custom instruction set | |
| data space and stack space are customizable. | |
| Important : In calculations the VM is using unsigned values. | |
| */ | |
| #include <stdio.h> | |
| #include <stdint.h> | |
| #include <conio.h> | |
| #define TRUE 1 | |
| #define FALSE 0 |
NewerOlder