herrcore herrcore
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import pefile | |
| import re | |
| import sys | |
| def extract_code_section(pe): | |
| code_section = None | |
| for section in pe.sections: | |
| if section.Name.startswith(b'.text'): | |
| code_section = section | |
| break |
herrcore
/ pemulator.py
Last active
October 25, 2024 22:35
Simple class for loading a PE file in Unicorn
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from typing import List | |
| from capstone import * | |
| from capstone.x86 import * | |
| from unicorn import * | |
| from unicorn.x86_const import * | |
| from pefile import PE | |
| class Emulator(): |
herrcore
/ lumma_cf.py
Last active
September 21, 2024 06:10
Lumma Stealer Deobfuscation (IDA Python)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # import idautils | |
| import idc | |
| import ida_bytes | |
| import ida_ua | |
| import ida_funcs | |
| import ida_idp | |
| from idautils import DecodeInstruction | |
| import struct | |
| jump_instructions = [ |
herrcore
/ XProtect.yara
Created
February 27, 2024 02:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "hash" | |
| private rule Macho | |
| { | |
| meta: | |
| description = "private rule to match Mach-O binaries" | |
| condition: | |
| uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| union PE_BASE { | |
| PVOID baseAddress; | |
| IMAGE_DOS_HEADER *mz; | |
| IMAGE_NT_HEADERS *pe; | |
| }; | |
| union PE_BASE64 { | |
| PVOID baseAddress; | |
| IMAGE_DOS_HEADER *mz; | |
| IMAGE_NT_HEADERS64 *pe; |
herrcore
/ ida_bb_extractor.py
Created
April 28, 2022 20:46
Extract function and basic block info from IDA to be used as "known good" data for testing other tools
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################################################################## | |
| # | |
| # To be run from IDA batch mode: | |
| # | |
| # "c:\Program Files\IDA Pro 7.5\ida.exe" -c -A -S"c:\Users\admin\Documents\scripts\binary_map.py" z:\tmp\pe\pe.trickbot.x86 | |
| # | |
| # | |
| # | |
| # | |
| ############################################################################## |
herrcore
/ karama.yara
Created
November 22, 2021 18:16
Yara rule generated with Binlex from our live stream https://youtu.be/hgz5gZB3DxE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule malware_karama_0 { | |
| meta: | |
| descrption = "Karma Ransomware" | |
| strings: | |
| $name = "KARMA" ascii wide nocase | |
| $trait_0 = {33 f6 0f b7 41 ?? 83 c1 02 8b d0 66 85 c0 75 da} | |
| $trait_1 = {0f b7 d0 66 83 fa 5c 74 10} | |
| condition: | |
| uint16(0) == 0x5a4d and | |
| uint32(uint32(0x3c)) == 0x00004550 and |
herrcore
/ emotet_strings.py
Last active
November 30, 2022 02:43
IDA Python script for Emotet String decryption ref:EEB13CD51FAA7C23D9A40241D03BEB239626FBF3EFE1DBBFA3994FC10DEA0827
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idaapi, idc, idautils | |
| import struct | |
| def xor_decrypt(data, key): | |
| out = [] | |
| for i in range(len(data)): | |
| out.append(data[i] ^ key[i%len(key)]) | |
| return bytes(out) | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| enum langid_country | |
| { | |
| Afrikaans = 0x36, | |
| Afrikaans_South_Africa = 0x436, | |
| Albanian = 0x1c, | |
| Albanian_Albania = 0x41c, | |
| Alsatian = 0x84, | |
| Alsatian_France = 0x484, | |
| Amharic = 0x5e, | |
| Amharic_Ethiopia = 0x45e, |
herrcore
/ PEB_UNIVERSAL.h
Created
October 21, 2021 21:43
Process Environment Block (PEB) Universal Struct - Fix broken IDA struct
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| struct PEB_UNIVERSAL | |
| { | |
| BOOLEAN InheritedAddressSpace; //0x0000 | |
| BOOLEAN ReadImageFileExecOptions; //0x0001 | |
| BOOLEAN BeingDebugged; //0x0002 | |
| BYTE byte3; | |
| HANDLE Mutant; //0x0004 | |
| void* ImageBaseAddress; //0x0008 | |
| PEB_LDR_DATA* Ldr; //0x000C | |
| RTL_USER_PROCESS_PARAMETERS* ProcessParameters; //0x0010 |
NewerOlder