I hereby claim:
- I am fariss on github.
- I am fariss (https://keybase.io/fariss) on keybase.
- I have a public key ASC846tysSlsPA5shFdF78Lv9qfw-8ObJnVEmWi58azD6go
To claim this, I am signing this object:
```python
#Extract instruction-level number features with P-code
#@category PCode
#@author Soufiane Fariss
#@menupath
#@toolbar
from ghidra.program.model.pcode import HighParam, PcodeOp, PcodeOpAST
from ghidra.program.model.address import AddressSet
from capa.features.extractors.ghidra.insn import *
from capa.features.address import AbsoluteVirtualAddress
```
```makefile
AS=nasm
ASFLAGS=-f elf64 -g -F dwarf
LD=ld
LDFLAGS=-dynamic-linker /lib64/ld-linux-x86-64.so.2 -lc -m elf_x86_64
RM=rm -rf
SOURCES=$(wildcard *.asm)
OBJECTS=$(SOURCES:.asm=.o)
TARGET=out
%.o: %.asm
```
| Title | Date | Author |
|---|---|---|
| APC Queue Code Injection | 05 May 2021 | Soufiane Fariss |
Injection techniques that rely on creating a remote thread in the target process to execute the shellcode can cause a large increase in the malware confidence score, which raises a lot of suspicion among security products. Moreover, these techniques create a new thread, which adds considerable overhead because new resources have to be allocated to get the thread up and running.
1. Benchmarking + Encryption + Generation = 1 unit (Payload build)
   1.1 Payload generators (study Metasploit, Covenant, PoshC2, SharpShooter)
   1.2 Proper generator
2. Payload/Shellcode execution
   2.1 Invocation (distribution / dropper)
       2.1.1 Macros
       2.1.2 MS HTA
       2.1.3 MSB
       2.1.4 WMI
```java
public class RedditFormatter {
    private String[] input;

    public RedditFormatter(String[] input) {
        this.input = input;
    }

    public String format() {
        String result = String.join(" r/", this.input);
        System.out.println("r/" + result);
```
```python
def SumSquareDivisisors(m, n):
    from math import sqrt as sq
    result = []
    f = lambda x: x**2
    for k in range(m, n+1):
        L = [k]
        for i in range(1, k//2 + 1):
            if k % i == 0:
                L.append(i)
        M = list(map(f, L))
```