ksose

import re
from ctypes import *

PIPE_NAME = "\\\\.\\pipe\\!mscom$" 

pipe_handle = windll.kernel32.CreateFileA(PIPE_NAME,
		0xc0000000,	#GENERIC_READ|GENERIC_WRITE
		3,		#FILE_SHARE_READ|FILE_SHARE_WRITE
		0,
		3,		#OPEN_EXISTING

ksose

# k`sOSe - detect SSDT hooks

import ctypes
import struct
from ctypes.wintypes import *
from ctypes import windll

SYSCALLS = [
	"NtAcceptConnectPort",
	"NtAccessCheck",

ksose

# k`sOSe
# extract webinjects configuration from a Shylock infected machine, tested on Shylock 1.2.1.3160
# to decode it: https://gist.github.com/1552594
import sys
import time
from ctypes import *

# each botnet has its own pipe name, change it.
PIPE_NAME = "\\\\.\\pipe\\D13A4A2693461B273701BEFB4E640D35"

ksose

// k`sOSe
// decode/unzip Shylock configuration files, tested on Shylock 1.2.1.3160
//
// Usage:
// gcc -o unpack unpack.c -lz
// wget --no-check-certificate https://paragua-analyst.cc/files/injects.jpg
// ./unpack injects.jpg injects.plain
//
// to extract webinjects from an infected machine: https://gist.github.com/1552587

ksose

#!/usr/bin/python

import sys
import subprocess
import winappdbg
from winappdbg import win32

winappdbg.System.request_debug_privileges()
system = winappdbg.System()
system.request_debug_privileges()

ksose

#!/usr/bin/python

import sys
import re
import subprocess
import winappdbg
from winappdbg import win32

winappdbg.System.request_debug_privileges()
system = winappdbg.System()

ksose

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct _FILE_DIRECTORY_INFORMATION {
  ULONG         NextEntryOffset;
  ULONG         FileIndex;
  LARGE_INTEGER CreationTime;
  LARGE_INTEGER LastAccessTime;
  LARGE_INTEGER LastWriteTime;

ksose

int Base64Encode(const unsigned char *buffer, size_t length, char **output) 
{
    BIO *bio, *b64;
    BUF_MEM *ptr;

    b64 = BIO_new(BIO_f_base64());
    bio = BIO_new(BIO_s_mem());
    bio = BIO_push(b64, bio);

    BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);