Skip to content

Instantly share code, notes, and snippets.

@herrcore
herrcore / windows_defender_unquarantine.py
Created April 19, 2021 06:05 — forked from OALabs/windows_defender_unquarantine.py
Extract quarantine files from Windows Defender | System Center Endpoint Protection | Microsoft Security Essentials
# MS SCEP & SE quarantined files decrypter
# This script is a fork from quarantine.py from the cuckoosandbox project.
# Also thanks to Jon Glass (https://jon.glass/quarantines-junk/)
# Usage: quarantine.py <encryptedfile>
#
# Copyright (C) 2015 KillerInstinct, Optiv, Inc. ([email protected])
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
@herrcore
herrcore / oalabs_x86vm.ps1
Created April 19, 2021 06:04 — forked from OALabs/oalabs_x86vm.ps1
Boxstarter package for OALABS x86 Malware Analysis VM
Write-Host -NoNewline " "
Write-Host -NoNewline " _______ _______ ___ _______ _______ _______ "
Write-Host -NoNewline " | || _ || | | _ || _ || | "
Write-Host -NoNewline " | _ || |_| || | | |_| || |_| || _____| "
Write-Host -NoNewline " | | | || || | | || || |_____ "
Write-Host -NoNewline " | |_| || || |___ | || _ | |_____ | "
Write-Host -NoNewline " | || _ || || _ || |_| | _____| | "
Write-Host -NoNewline " |_______||__| |__||_______||__| |__||_______||_______| "
Write-Host -NoNewline " "
Write-Host -NoNewline " "
@herrcore
herrcore / wallpaper.bmp
Created April 19, 2021 06:04 — forked from OALabs/wallpaper.bmp
wallpaper.bmp
@herrcore
herrcore / boxstarter_oalabs_x86vm.ps1
Created April 19, 2021 06:03 — forked from OALabs/boxstarter_oalabs_x86vm.ps1
Boxstarter - One click malware analysis tools installer for 32bit VM
Set-ExecutionPolicy Unrestricted;
iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1'));
get-boxstarter -Force;
Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1';
@herrcore
herrcore / rc4.py
Created April 19, 2021 06:03 — forked from OALabs/rc4.py
RC4 Crypto Python Module (probably stolen from stack overflow but it's been so long I can't remember)
#! /usr/bin/env python
##########################################################################################
##
## RC4 Crypto
##
##########################################################################################
def rc4crypt(key, data):
@herrcore
herrcore / revil_import_builder.py
Created April 19, 2021 06:03 — forked from OALabs/revil_import_builder.py
IDA Python script to decipher and label REvil imports
import json
# fn_name = "wsprintfW"
# api_hash = 0x0B6D391AE
export_db = {}
def get_api_hash(fn_name):
result = 0x2b
for c in fn_name:
@herrcore
herrcore / dll_exports.py
Created April 19, 2021 06:03 — forked from OALabs/dll_exports.py
Build dictionary of DLL exports (Windows API Names)
import os
import pefile
import json
INTERESTING_DLLS = [
'kernel32.dll', 'comctl32.dll', 'advapi32.dll', 'comdlg32.dll',
'gdi32.dll', 'msvcrt.dll', 'netapi32.dll', 'ntdll.dll',
'ntoskrnl.exe', 'oleaut32.dll', 'psapi.dll', 'shell32.dll',
'shlwapi.dll', 'srsvc.dll', 'urlmon.dll', 'user32.dll',
@herrcore
herrcore / exports.json
Created April 19, 2021 06:03 — forked from OALabs/exports.json
Common DLL exports (Windows API Names)
{"exports": ["A_SHAFinal", "A_SHAInit", "A_SHAUpdate", "AbortSystemShutdownA", "AbortSystemShutdownW", "AccessCheck", "AccessCheckAndAuditAlarmA", "AccessCheckAndAuditAlarmW", "AccessCheckByType", "AccessCheckByTypeAndAuditAlarmA", "AccessCheckByTypeAndAuditAlarmW", "AccessCheckByTypeResultList", "AccessCheckByTypeResultListAndAuditAlarmA", "AccessCheckByTypeResultListAndAuditAlarmByHandleA", "AccessCheckByTypeResultListAndAuditAlarmByHandleW", "AccessCheckByTypeResultListAndAuditAlarmW", "AddAccessAllowedAce", "AddAccessAllowedAceEx", "AddAccessAllowedObjectAce", "AddAccessDeniedAce", "AddAccessDeniedAceEx", "AddAccessDeniedObjectAce", "AddAce", "AddAuditAccessAce", "AddAuditAccessAceEx", "AddAuditAccessObjectAce", "AddConditionalAce", "AddMandatoryAce", "AddUsersToEncryptedFile", "AddUsersToEncryptedFileEx", "AdjustTokenGroups", "AdjustTokenPrivileges", "AllocateAndInitializeSid", "AllocateLocallyUniqueId", "AreAllAccessesGranted", "AreAnyAccessesGranted", "AuditComputeEffectivePolicyBySid", "AuditComputeEf
@herrcore
herrcore / revil_strings.py
Created April 19, 2021 06:02 — forked from OALabs/revil_strings.py
Decrypt REvil ransomware strings with IDA Python
import idaapi, idc, idautils
class DecryptorError(Exception):
pass
def rc4crypt(key, data):
x = 0
box = range(256)
@herrcore
herrcore / strings.py
Last active July 17, 2020 00:49 — forked from williballenthin/strings.py
Extract ASCII and Unicode strings using Python.
#!/usr/bin/env python
##########################################################################################################
##
## Like steroids for your strings!
##
## Original idea: @williballenthin
## Original link: https://gist.github.com/williballenthin/8e3913358a7996eab9b96bd57fc59df2
##
## Lipstick and rouge by: @herrcore