
// Ref: Writing Shellcode with a C Compiler (https://nickharbour.wordpress.com/)
// Return the address of the current process's PEB (32-bit Windows only).
//
// __declspec(naked): the compiler emits no prologue/epilogue, so the body is
// pure inline asm and has to return explicitly. The result is left in EAX,
// the x86 return register, which is why no C return statement appears.
// Note: MSVC inline __asm is x86-only; on x64 targets this will not compile,
// and the TEB layout/segment register differ there anyway.
PPEB __declspec(naked) get_peb(void)
{
__asm {
mov eax, fs:[0x30]   // FS points at the TEB on x86; offset 0x30 holds the PEB pointer
ret                  // explicit return: a naked function has no generated epilogue
}
}
herrcore / auto_dword.py
Last active January 14, 2024 22:57
Auto-DWORD! - IDA plugin for one-click bulk DWORD conversion
############################################################################################
##
## Auto-DWORD!
##
## Updated for IDA 7.xx and Python 3
##
## To install:
## Copy the script into the IDA plugins directory, e.g.: C:\Program Files\<ida version>\plugins
##
## To run:
herrcore / label_enums.py
Created October 8, 2021 03:26
IDA label enums - use to label hashes in a dynamic import address table
#############################################################
##
## Highlight enum data and call label_enums()
##
## Each enum address will be named after the enum value it contains
## This can be used to create an IAT struct
##
###############################################################
herrcore / warzone.idc
Created May 19, 2021 04:01
IDC Script for Warzone Structs - Part 1 Tutorial https://youtu.be/81fdvmGmRvM
//
// +-------------------------------------------------------------------------+
// | This file was generated by The Interactive Disassembler (IDA) |
// | Copyright (c) 2020 Hex-Rays, <[email protected]> |
// | License info: 48-B331-7A44-33 |
// | Sergei Frankoff, press copy |
// +-------------------------------------------------------------------------+
//
//
// This file should be used in the following way:
herrcore / windows_defender_unquarantine.py
Created April 19, 2021 06:05 — forked from OALabs/windows_defender_unquarantine.py
Extract quarantined files from Windows Defender | System Center Endpoint Protection | Microsoft Security Essentials
# MS SCEP & SE quarantined files decrypter
# This script is a fork of quarantine.py from the Cuckoo Sandbox project.
# Also thanks to Jon Glass (https://jon.glass/quarantines-junk/)
# Usage: quarantine.py <encryptedfile>
#
# Copyright (C) 2015 KillerInstinct, Optiv, Inc. ([email protected])
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
herrcore / oalabs_x86vm.ps1
Created April 19, 2021 06:04 — forked from OALabs/oalabs_x86vm.ps1
Boxstarter package for OALABS x86 Malware Analysis VM
# Console banner, printed one row at a time with -NoNewline.
# NOTE(review): the ASCII-art column spacing appears collapsed in this listing;
# compare against the raw gist before relying on the exact strings.
Write-Host -NoNewline " "
Write-Host -NoNewline " _______ _______ ___ _______ _______ _______ "
Write-Host -NoNewline " | || _ || | | _ || _ || | "
Write-Host -NoNewline " | _ || |_| || | | |_| || |_| || _____| "
Write-Host -NoNewline " | | | || || | | || || |_____ "
Write-Host -NoNewline " | |_| || || |___ | || _ | |_____ | "
Write-Host -NoNewline " | || _ || || _ || |_| | _____| | "
Write-Host -NoNewline " |_______||__| |__||_______||__| |__||_______||_______| "
Write-Host -NoNewline " "
Write-Host -NoNewline " "
herrcore / wallpaper.bmp
Created April 19, 2021 06:04 — forked from OALabs/wallpaper.bmp
wallpaper.bmp
herrcore / boxstarter_oalabs_x86vm.ps1
Created April 19, 2021 06:03 — forked from OALabs/boxstarter_oalabs_x86vm.ps1
Boxstarter - One click malware analysis tools installer for 32bit VM
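# Boxstarter bootstrap for the OALABS x86 malware-analysis VM.
# Intended to be run from an elevated PowerShell prompt inside the analysis VM.
Set-ExecutionPolicy Unrestricted;
# Fetch the Boxstarter bootstrapper over HTTPS. The original used plain
# http://, which lets anything on the network path replace the script that
# is then handed directly to Invoke-Expression.
iex ((New-Object System.Net.WebClient).DownloadString('https://boxstarter.org/bootstrapper.ps1'));
get-boxstarter -Force;
# The package script URL is pinned to a specific gist revision (raw/<commit>),
# so later edits to the gist cannot silently change what gets executed.
Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1';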
herrcore / rc4.py
Created April 19, 2021 06:03 — forked from OALabs/rc4.py
RC4 Crypto Python Module (probably stolen from stack overflow but it's been so long I can't remember)
#! /usr/bin/env python
##########################################################################################
##
## RC4 Crypto
##
##########################################################################################
def rc4crypt(key, data):
herrcore / revil_import_builder.py
Created April 19, 2021 06:03 — forked from OALabs/revil_import_builder.py
IDA Python script to decipher and label REvil imports
import json
# fn_name = "wsprintfW"
# api_hash = 0x0B6D391AE
# Module-level lookup table, empty at import time; filled in further down the script.
# NOTE(review): the key/value scheme (api hash -> export name?) is not visible here — confirm.
export_db = dict()
def get_api_hash(fn_name):
result = 0x2b
for c in fn_name: