This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# MS SCEP & SE quarantined files decrypter | |
# This script is a fork from quarantine.py from the cuckoosandbox project. | |
# Also thanks to Jon Glass (https://jon.glass/quarantines-junk/) | |
# Usage: quarantine.py <encryptedfile> | |
# | |
# Copyright (C) 2015 KillerInstinct, Optiv, Inc. ([email protected]) | |
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org | |
# See the file 'docs/LICENSE' for copying permission. | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Write-Host -NoNewline " " | |
Write-Host -NoNewline " _______ _______ ___ _______ _______ _______ " | |
Write-Host -NoNewline " | || _ || | | _ || _ || | " | |
Write-Host -NoNewline " | _ || |_| || | | |_| || |_| || _____| " | |
Write-Host -NoNewline " | | | || || | | || || |_____ " | |
Write-Host -NoNewline " | |_| || || |___ | || _ | |_____ | " | |
Write-Host -NoNewline " | || _ || || _ || |_| | _____| | " | |
Write-Host -NoNewline " |_______||__| |__||_______||__| |__||_______||_______| " | |
Write-Host -NoNewline " " | |
Write-Host -NoNewline " " |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Set-ExecutionPolicy Unrestricted; | |
iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1')); | |
get-boxstarter -Force; | |
Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1'; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#! /usr/bin/env python | |
########################################################################################## | |
## | |
## RC4 Crypto | |
## | |
########################################################################################## | |
def rc4crypt(key, data): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import json | |
# fn_name = "wsprintfW" | |
# api_hash = 0x0B6D391AE | |
export_db = {} | |
def get_api_hash(fn_name): | |
result = 0x2b | |
for c in fn_name: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import os | |
import pefile | |
import json | |
INTERESTING_DLLS = [ | |
'kernel32.dll', 'comctl32.dll', 'advapi32.dll', 'comdlg32.dll', | |
'gdi32.dll', 'msvcrt.dll', 'netapi32.dll', 'ntdll.dll', | |
'ntoskrnl.exe', 'oleaut32.dll', 'psapi.dll', 'shell32.dll', | |
'shlwapi.dll', 'srsvc.dll', 'urlmon.dll', 'user32.dll', |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{"exports": ["A_SHAFinal", "A_SHAInit", "A_SHAUpdate", "AbortSystemShutdownA", "AbortSystemShutdownW", "AccessCheck", "AccessCheckAndAuditAlarmA", "AccessCheckAndAuditAlarmW", "AccessCheckByType", "AccessCheckByTypeAndAuditAlarmA", "AccessCheckByTypeAndAuditAlarmW", "AccessCheckByTypeResultList", "AccessCheckByTypeResultListAndAuditAlarmA", "AccessCheckByTypeResultListAndAuditAlarmByHandleA", "AccessCheckByTypeResultListAndAuditAlarmByHandleW", "AccessCheckByTypeResultListAndAuditAlarmW", "AddAccessAllowedAce", "AddAccessAllowedAceEx", "AddAccessAllowedObjectAce", "AddAccessDeniedAce", "AddAccessDeniedAceEx", "AddAccessDeniedObjectAce", "AddAce", "AddAuditAccessAce", "AddAuditAccessAceEx", "AddAuditAccessObjectAce", "AddConditionalAce", "AddMandatoryAce", "AddUsersToEncryptedFile", "AddUsersToEncryptedFileEx", "AdjustTokenGroups", "AdjustTokenPrivileges", "AllocateAndInitializeSid", "AllocateLocallyUniqueId", "AreAllAccessesGranted", "AreAnyAccessesGranted", "AuditComputeEffectivePolicyBySid", "AuditComputeEf |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import idaapi, idc, idautils | |
class DecryptorError(Exception): | |
pass | |
def rc4crypt(key, data): | |
x = 0 | |
box = range(256) |