I hereby claim:
- I am edeca on github.
- I am edeca (https://keybase.io/edeca) on keybase.
- I have a public key ASDaV4zBSc-1Hdqt39Lrgyu7mA2gekr6ho9ax92nm3BzYAo
To claim this, I am signing this object:
David Cannings edeca
edeca
/ keybase.md
Created
February 26, 2017 21:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pysmt.shortcuts import Symbol, Plus, Equals, GE, LE, And, Int, AllDifferent, get_model | |
| from pysmt.typing import INT | |
| ######## | |
| # Author: David Cannings | |
| # Date: June 2017 | |
| # | |
| # Basic example using pysmt to solve "Suko", a puzzle printed in some | |
| # UK newspapers and available online. | |
| # |
edeca
/ paranoid-plugx-august-2017.md
Last active
September 14, 2017 05:38
List of additional Paranoid PlugX indicators
This gist contains brief details of additional "Paranoid PlugX" files, likely associated with a sophisticated attacker. NCC Group is monitoring a number of OOXML and RTF techniques our red team has been using since September 2016, which uncovered multiple malicious documents from around August 2017.
For the original Paranoid PlugX article, please see: https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/ (h/t Palo and @tlansec).
A few documents can be found which use 203.248.116.182 to obtain further malicious content.
edeca
/ pe_mitigation_check.py
Created
September 20, 2018 21:36
A simple script to check PE files for exploit mitigations (/DYNAMICBASE, /NXCOMPAT, /HIGHENTROPYVA) and anomalies
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import argparse | |
| import logging | |
| import pefile | |
| import sys | |
| from prettytable import PrettyTable | |
| ######## | |
| # Author: David Cannings @edeca | |
| # Date: September 2018 | |
| # |
edeca
/ decrypt_cpassword.py
Created
November 7, 2018 15:09
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import argparse | |
| from base64 import b64decode | |
| from binascii import unhexlify | |
| from Crypto.Cipher import AES | |
| ######## | |
| # Author: David Cannings | |
| # Date: 7th November 2018 | |
| # | |
| # Quick and dirty cpassword decryption tool, ported to Python from the |
edeca
/ ida2yara.py
Created
October 17, 2019 12:57
Simple script to turn strings copied from IDA into Yara strings
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import fileinput | |
| import re | |
| import string | |
| ######## | |
| # Author: David Cannings | |
| # | |
| # Convert IDA string output to a Yara rule, escaping as necessary | |
| # and using unicode modifiers. | |
| ######## |
edeca
/ ida_find_internal_functions.py
Last active
September 18, 2024 18:56
Find functions in IDA which are called by library functions and probably aren't user code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idaapi | |
| from idautils import * | |
| ######## | |
| # Date: October 2019 | |
| # Author: David Cannings (@edeca) | |
| # | |
| # Rename all functions that are called by library code as "__unknown_library_function_N". | |
| # |
edeca
/ mstscax_ole.yar
Last active
January 6, 2023 02:14
Yara rule to detect documents (RTF/CDF/OOXML) using MsTscAx scripting controls
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule terminal_services_scripting { | |
| meta: | |
| author = "David Cannings" | |
| description = "Microsoft Terminal Services Client Control (not safe for scripting)" | |
| ref = "https://twitter.com/joe4security/status/1221765460502421504?s=20%E2%80%9D" | |
| generated_by = "yaml2yara, see https://github.com/nccgroup/yaml2yara/" | |
| strings: | |
| // Parsers will open files without the full 'rtf' | |
| $header_rtf = "{\\rt" nocase |
edeca
/ yara_example_1.yar
Last active
January 6, 2023 02:13
Yara rule to find a string near to other strings
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "math" | |
| rule example { | |
| meta: | |
| author = "David Cannings" | |
| description = "Rule example - finding a chunk of code near other known code" | |
| strings: | |
| $chunk = { AA BB CC DD } | |
| $chunk_prologue = { 11 22 33 44 } |
edeca
/ high_entropy_pe_rules.yar
Created
January 2, 2022 14:46
Variations on Yara rules by @greglesnewich
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Original rule from: https://gist.github.com/g-les/0745a9d6cd7f4abb3083a8dee1eaf984 | |
| Two variations on the original rule by @greglesnewich. | |
| Conversation on Twitter at: https://twitter.com/edeca/status/1477650229709225990 | |
| */ |
OlderNewer