herrcore herrcore
herrcore
/ ida_memdump.py
Created
November 13, 2017 03:38
Dump a blob of memory into a file - IDA Pro script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| import idaapi | |
| def memdump(ea, size, file): | |
| data = idc.GetManyBytes(ea, size) | |
| with open(file, "wb") as fp: | |
| fp.write(data) | |
| print "Memdump Success!" |
herrcore
/ SandBoxTest.cpp
Created
November 6, 2017 02:12
Test code for the Open Analysis Live! sandbox tutorial.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // SandBoxTest.cpp : Defines the entry point for the console application. | |
| // | |
| #include "stdafx.h" | |
| #include <windows.h> | |
| #include <tchar.h> | |
| #include <stdio.h> | |
| #include <strsafe.h> | |
| #include <string> | |
| using namespace std; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var oShell = new ActiveXObject("Shell.Application"); | |
| var commandtoRun = "calc.exe"; | |
| oShell.ShellExecute(commandtoRun,"","","","1"); |
herrcore
/ ucl_nrv2b.py
Created
October 2, 2017 03:41
UCL NRV2B Decompression Library - Full Python (compression used by Zeus variants)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ################################################################################################ | |
| ## UCL NRV2B Decompression Library | |
| ## | |
| ## Code from "Clash of the Titans: ZeuS v SpyEye": | |
| ## https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393 | |
| ## Author: Harshit Nayyar, [email protected] | |
| ## | |
| ## NOTE: This is the compression algorithm used in the Zeus trojan and subsequent variants | |
| ## |
herrcore
/ upatre_extractor.py
Last active
July 11, 2017 15:15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/local/bin/env python | |
| #################################################### | |
| ## | |
| ## All credit to @_qaz_qaz for this awesome post | |
| ## https://secrary.com/ReversingMalware/Upatre/ | |
| ## | |
| ## Original script: | |
| ## https://gist.github.com/secrary/98c563688fa6cea1fd517170f97988ab | |
| ## |
herrcore
/ ramnit_dga.py
Created
April 8, 2017 02:16
Ramnit DGA generator for MD5: abd2b832007338d6d6550339eec09fb0 - seed 0x36F066D
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ################################################################## | |
| # | |
| # Ref sample: | |
| # MD5: abd2b832007338d6d6550339eec09fb0 (AegisI5.exe) | |
| # \_ MD5: cf5de95d94bb349f1f21bb5713a05d25 (fA1L0mX.exe) | |
| # \_ MD5: 17cb0563f7c4621bc98abd06965bdfa9 (svchost.exe injected DLL) | |
| # | |
| # DGA generator for Ramnit Trojan | |
| # |
herrcore
/ brazil_banker_string_decrypt.py
Created
January 26, 2017 19:49
String decryption for unknown Brazil banker trojan; packed:dc8a114965069f91081c2bb0b9a0e8635c1627648a9b599f573c35713724b204, unpacked: 96d4a0d59f27be9cceb1473cb3d5f4dc2863837a9dfd94f0dfeab20092ea6466
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def decrypt_string(ctxt): | |
| tbl = 'UmlXZEyNki880daneIlvAipdZ5Kz45FucTmGiIhYdbFHromzJjbisCtBCm' | |
| ctxt_bin = '' | |
| for i in re.findall('..',ctxt): | |
| ctxt_bin += chr(int(i,16)) | |
| ptxt = '' | |
| for i in range(0,len(ctxt_bin) - 1): | |
| mut_chr = ord(ctxt_bin[i]) | |
| tmp_chr = ord(ctxt_bin[i+1]) ^ ord(tbl[i]) | |
| if mut_chr > tmp_chr: |
herrcore
/ hancitor_download_decrypt.py
Last active
January 20, 2017 18:04
Decrypt hancitor downloads; first 8 bytes xor key, then lznt1 decompress
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| try: | |
| import lznt1 | |
| except: | |
| print "Cannot import lznt1, try this lib: https://gist.github.com/herrcore/344ba2ea540f622b52efba858050539f" | |
| import struct | |
| def decrypt(data): | |
| key = data[:8] | |
| data = data[8:] |
herrcore
/ lznt1.py
Created
January 20, 2017 14:12
Decompress lznt1 without the need for Windows! Standalone version of https://github.com/MITRECND/chopshop/blob/master/ext_libs/lznt1.py
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (c) 2014 The MITRE Corporation. All rights reserved. | |
| # | |
| # Redistribution and use in source and binary forms, with or without | |
| # modification, are permitted provided that the following conditions | |
| # are met: | |
| # 1. Redistributions of source code must retain the above copyright | |
| # notice, this list of conditions and the following disclaimer. | |
| # 2. Redistributions in binary form must reproduce the above copyright | |
| # notice, this list of conditions and the following disclaimer in the | |
| # documentation and/or other materials provided with the distribution. |
herrcore
/ memory_map.py
Created
January 3, 2017 17:58
Stand alone memory map tool using winappdbg based on: http://winappdbg.sourceforge.net/doc/v1.4/tutorial/_downloads/07_memory_map.py
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!~/.wine/drive_c/Python25/python.exe | |
| # -*- coding: utf-8 -*- | |
| # Copyright (c) 2009-2014, Mario Vilas | |
| # All rights reserved. | |
| # | |
| # Redistribution and use in source and binary forms, with or without | |
| # modification, are permitted provided that the following conditions are met: | |
| # | |
| # * Redistributions of source code must retain the above copyright notice, |