Skip to content

Instantly share code, notes, and snippets.

View idiom's full-sized avatar

Sean Wilson idiom

173 followers · 7 following
View GitHub Profile
@alexander-hanel
alexander-hanel / bn-cheat.md
Last active May 7, 2025 12:47
Cheat Sheet for Binary Ninja
@williballenthin
williballenthin / strings.py
Last active July 14, 2022 21:10
Extract ASCII and Unicode strings using Python.
import re
from collections import namedtuple
ASCII_BYTE = " !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t"
String = namedtuple("String", ["s", "offset"])
@fox-srt
fox-srt / fox-srt-mwi.rules
Last active April 11, 2017 10:12
Snort coverage for Microsoft Word Intruder
# Signatures for detecting Microsoft Word Intruder
# https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FOX-SRT - Trojan - Microsoft Word Intruder payload request"; content:"GET"; depth:3; flowbits:set,mwi; content:!"Referer|3a| "; content:!"Cookie|3a| "; uricontent:"&act=1"; fast_pattern: only; pcre:"/\/webstat\/image\.php\?id=[0-9]{8}/"; threshold: type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; reference:url,https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; sid:21001609; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FOX-SRT - Trojan - Microsoft Word Intruder payload response"; flowbits:isset,mwi; content:"Content-Type|3a| application/octet-stream"; content:"Content-Description|3a| File Transfer"; pcre:"/filename=[0-9]{8}\.exe/"; threshold: type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; reference:url,https://www.fir