hasherezade hasherezade
hasherezade
/ ida_disasm_curr.py
Created
September 29, 2025 22:53
IDA script - disasm current function
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Walk current function and print its disassembly | |
| import ida_funcs | |
| import ida_kernwin | |
| import idautils | |
| import ida_lines | |
| import idc | |
| def print_func_disasm(ea=None): | |
| """ | |
| Walks from the beginning to the end of the function containing `ea` |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kernel32;LoadLibraryW;1 | |
| kernel32;LoadLibraryA;1 | |
| kernel32;GetProcAddress;2 | |
| advapi32;RegQueryValueW;3 | |
| advapi32;RegOpenKeyExW;5 | |
| advapi32;RegQueryValueExW;6 | |
| kernel32;CreateFileW;6 | |
| kernel32;VirtualProtect;4 | |
| wininet;InternetCrackUrlA;4 | |
| wininet;InternetOpenA;5 |
hasherezade
/ delta_patch.py
Created
October 30, 2024 14:53
— forked from wumb0/delta_patch.py
a script for applying MS patch deltas
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import base64 | |
| import hashlib | |
| import zlib | |
| from ctypes import ( | |
| CDLL, | |
| POINTER, | |
| LittleEndianStructure, | |
| c_size_t, | |
| c_ubyte, | |
| c_uint64, |
hasherezade
/ aplib_decompress.py
Created
August 23, 2024 13:42
Decompressor for headless APLib blobs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import malduck | |
| import sys | |
| import argparse | |
| def main(): | |
| parser = argparse.ArgumentParser(description="APLib unpacker") | |
| parser.add_argument('--inpath', dest="inpath", default=None, help="APLib compressed blob", | |
| required=True) |
hasherezade
/ AllocateLargePool.c
Created
July 26, 2024 02:44
— forked from hugsy/AllocateLargePool.c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| #pragma comment(lib, "ntdll.lib") | |
| #define SystemBigPoolInformation 0x42 | |
| #define ThreadNameInformation 0x26 | |
| #define DATA_TO_COPY "AAAAAAAAAAAAABBBBBBBBBBBBBBBCCCCCCCCCCCCCCCDDDDDDDDDDDDDDD" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| HANDLE find_thread(HANDLE hProcess, DWORD thAccess, bool guiOnly) | |
| { | |
| DWORD targetPid = GetProcessId(hProcess); | |
| HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); | |
| THREADENTRY32 thEntry = { sizeof(THREADENTRY32) }; | |
| GUITHREADINFO gui = { 0 }; | |
| gui.cbSize = sizeof(GUITHREADINFO); | |
| bool isGUIProcess = false; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "fmt" | |
| "syscall" | |
| "unsafe" | |
| ) | |
| var ( | |
| peSieveDll = syscall.NewLazyDLL("pe-sieve64.dll") |
hasherezade
/ LZDecompress.cpp
Created
February 23, 2022 22:47
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <iostream> | |
| #include <Windows.h> | |
| #pragma comment(lib,"LZ32.lib") | |
| bool decompress(LPSTR infile, LPSTR outfile) | |
| { | |
| INT hin, hout = 0; | |
| OFSTRUCT ofin = { 0 }; | |
| OFSTRUCT ofout = { 0 }; |
hasherezade
/ mal_unpack_runner.py
Last active
January 28, 2022 21:15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import sys, os, subprocess | |
| import pefile | |
| from pathlib import Path | |
| def mal_unp_res_to_str(returncode): | |
| if returncode == (-1): | |
| return "ERROR" | |
| if returncode == 0: |
hasherezade
/ quick-disable-windows-defender.bat
Created
November 10, 2021 19:18
— forked from shadyeip/quick-disable-windows-defender.bat
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!! | |
| rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference | |
| rem To also disable Windows Defender Security Center include this | |
| rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | |
| rem 1 - Disable Real-time protection | |
| reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
NewerOlder