Skip to content

Instantly share code, notes, and snippets.

View Rurik's full-sized avatar

Brian Baskin Rurik

227 followers · 23 following
View GitHub Profile
@Rurik
Rurik / asm_find_math_binaryninja.py
Created April 16, 2025 21:19
def op_to_hex(op):
if hasattr(op, 'text'):
op_text = op.text
if op.type == InstructionTextTokenType.IntegerToken:
# If integer token, use its value directly
return f'0x{op.value:02X}'
# If it's a text representation of a number
if op_text.isdigit():
return f'0x{int(op_text):02X}'
@Rurik
Rurik / multibyte_xor_py3.py
Last active October 10, 2024 16:42
multibyte_xor - Python3
def multibyte_xor(data, key): # Python 3
from itertools import cycle
return ''.join(chr(x ^ y) for x, y in zip(data, cycle(key)))
@Rurik
Rurik / slack_twitter_follow.py
Created June 27, 2018 16:55
Tracks a public Twitter List and posts updates to a given Slack channel
### Tracks a public Twitter List and posts updates to a given Slack channel
### Example: https://i.imgur.com/RMQB27N.png
import datetime
import time
import twitter
from slackclient import SlackClient
slack_bot_id = '<FILL OUT>'
slack_channel = '<FILL OUT>'
@Rurik
Rurik / parse_procmon_filters.py
Last active December 5, 2021 16:55
Quick tool to find and extract filters from Procmon configuration files
# Procmon Rule Parser v0.02
# Brian Baskin - @bbaskin
# Reads default rules from an exported Procmon Configuration (.PMC) or Procmon Filter (.PMF) file
# Example output:
"""
12:09:59-bbaskin@~/Development/Noriben$ python parse_procmon_filters.py -f ProcmonConfiguration.pmc
[Exclude] Process Name is Procmon64.exe
[Exclude] Operation is QueryStandardInformationFile
[Exclude] Operation is RegOpenKey
[Exclude] Operation is NotifyChangeDirectory
@Rurik
Rurik / Noriben_06_Feb_17__14_33_33_281000.txt
Last active February 6, 2017 19:52
Noriben 1.7.0 Example Output (ZA)
-=] Sandbox Analysis Report generated by Noriben v1.7.0
-=] Developed by Brian Baskin: brian @@ thebaskins.com @bbaskin
-=] The latest release can be found at https://github.com/Rurik/Noriben
-=] Analysis time: 61.84 seconds
Processes Created:
==================
[CreateProcess] python.exe:2420 > "C:\malware\hehda.exe" [Child PID: 1764]
[CreateProcess] hehda.exe:1764 > "%WinDir%\system32\cmd.exe" [Child PID: 692]
@Rurik
Rurik / apricorn_keep_alive.py
Created July 7, 2015 16:32
Apricorn Padlock Keep-Alive
import os
import time
while True:
os.mkdir('F:\\A')
time.sleep(10)
os.rmdir('F:\\A')
@Rurik
Rurik / gist:4402ab9a7a1b3fbc14d7
Created October 23, 2014 18:18
### Keybase proof
I hereby claim:
* I am Rurik on github.
* I am bbaskin (https://keybase.io/bbaskin) on keybase.
* I have a public key whose fingerprint is AFD8 C071 A2CE E394 D226 4F19 8732 1B4E 326D FD20
To claim this, I am signing this object:
@Rurik
Rurik / getNETversion.py
Created September 30, 2014 14:48
Determine the .NET version used to compile a .NET executable.
def get_NET_version(data):
"""
Code to extract .NET compiled version.
typedef struct t_MetaData_Header {
DWORD Signature; // BSJB
WORD MajorVersion;
WORD MinorVersion;
DWORD Unknown1;
DWORD VersionSize;
PBYTE VersionString;
@Rurik
Rurik / asm_find_math.py
Last active September 16, 2023 17:17
Detect subroutines that may have encryption/encoding routines by finding XOR and shift routines.
# Automatically find XOR/SHL/SHR routines from an executable
# Uses IDAW (text IDA)
# @bbaskin - brian @ thebaskins.com
# While other, more powerful scripts like FindCrypt find known
# algorithms this is used to find custom encoding or modified
# encryption routines
"""
Script results:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
@Rurik
Rurik / cmdhere.reg
Created May 21, 2014 20:54
Registry key for Explorer right-click command prompt
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AllFilesystemObjects\shell\Command Prompt Here\command]
@="cmd.exe /k cd \"%L\""