| #Extract instruction-level number features with P-code | |
| #@category PCode | |
| #@author Soufiane Fariss | |
| #@menupath | |
| #@toolbar | |
| from ghidra.program.model.pcode import HighParam, PcodeOp, PcodeOpAST | |
| from ghidra.program.model.address import AddressSet | |
| from capa.features.extractors.ghidra.insn import * | |
| from capa.features.address import AbsoluteVirtualAddress |
| AS=nasm | |
| ASFLAGS=-f elf64 -g -F dwarf | |
| LD=ld | |
| LDFLAGS=-dynamic-linker /lib64/ld-linux-x86-64.so.2 -lc -m elf_x86_64 | |
| RM=rm -rf | |
| SOURCES=$(wildcard *.asm) | |
| OBJECTS=$(SOURCES:.asm=.o) | |
| TARGET=out | |
| %.o: %.asm |
| Title | Date | Author | |
|---|---|---|---|
APC Queue Code Injection |
05 May 2021 |
Soufiane Fariss |
Injection techniques that rely on creating a remote thread in the target process to execute the shellcode might cause a huge increase in the malware confidence score which will raise a lot of suspicion among security products. Nevertheless, these techniques create a new thread, which causes a lot of overhead because of allocating new resources to get the thread up and running.
| 1. Benchmarking + Encryption + Generation = 1 unit (Payload build) | |
| 1.1 Payload generators (Study metasploit, Convenant, PoshC2, SharpShooter) | |
| 1.2 Proper Generator | |
| 2. Payload/Shellcode Execution | |
| 2.1 Invokation (Distrubtion / Dropper) | |
| 2.1.1. Marcros | |
| 2.1.2. MS HTA | |
| 2.1.3. MSB | |
| 2.1.4. WMI |
| public class RedditFormatter { | |
| private String[] input; | |
| public RedditFormatter(String[] input) { | |
| this.input = input; | |
| } | |
| public String format() { | |
| String result = String.join(" r/", this.input); | |
| System.out.println("r/" + result); |
| def SumSquareDivisisors(m, n): | |
| from math import sqrt as sq | |
| result = [] | |
| f = lambda x: x**2 | |
| for k in range(m, n+1): | |
| L = [k] | |
| for i in range(1, k//2 + 1): | |
| if k % i == 0: | |
| L.append(i) | |
| M = list(map(f, L)) |
