This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
```python
import idaapi, idc, idautils
import re
import struct
import base64

flag_arr = []

def decrypt_algo(key, data, data_len):
    out = ""
    for i in range(0, data_len):
```
```python
import idaapi, idc, idautils
import re
import struct

start = 0x0041A558
end = 0x0041B1E8
for ptr in range(start, end, 8):
    key = Byte(ptr)
```
```powershell
<#
.SYNOPSIS
Generate asprox ID and ID_Key.
.DESCRIPTION
Use host-specific attributes to generate an asprox ID and ID_Key unique to the host.
.NOTES
File Name : asprox_id.ps1
Author : @herrcore
Prerequisite : PowerShell V2 on Vista and later.
#>
```
```python
############################################################################################
##
## Quick IOCTL Decoder!
##
## All credit for actual IOCTL decode logic:
## http://www.osronline.com/article.cfm?article=229
##
##
## To install:
## Copy script into plugins directory, i.e: C:\Program Files\IDA 6.8\plugins
```
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#######################################################################
# Kalert provides a simple Slack alert integration for the amazing Koodous
# platform: https://koodous.com/
#
# Simply add your TOKEN and your SLACK url to the script and set up
# a cronjob to run the script every 5 min or whatever interval you want.
#
# Example:
```
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#######################################################################
# Ksearch provides a simple search interface for the amazing Koodous
# platform: https://koodous.com/
#
# With Ksearch you have a simple way to integrate Koodous search into
# any of your python projects. This gives you the ability to quickly
# crowdsource the analysis of potentially malicious Android files.
#
```
```python
#!/usr/bin/env python
__AUTHOR__ = '@herrcore'
###############################################################################################
##
## Script to reproduce the DGA for #Dromedan dropper
## Sample SHA256: f88bc84fea3695cd1da1a315eb09c65f21cfc6b764defc3c8efd94d6c6396e0c
##
## Another @herrcore production
##
## And so me put in work work work work work work!
```
```python
#!/usr/bin/env python
##########################################################################################################
##
## Like steroids for your strings!
##
## Original idea: @williballenthin
## Original link: https://gist.github.com/williballenthin/8e3913358a7996eab9b96bd57fc59df2
##
## Lipstick and rouge by: @herrcore
```
```javascript
// setup casper
var casper = require('casper').create({
    verbose: true,
    // Fake the user agent
    pageSettings: {
        userAgent: 'Mozilla/5.0 (Windows NT 5.1; chromeframe/25.0.1364.152) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22'
    },
    logLevel: "debug"
    //logLevel: "error"
```