#include <idc.idc>
static lmd5(fmd5)
{
    auto result, size, nb, x;
    size = strlen(fmd5);
    result = "";
    for (x = 0; x < size; x++)
    {
import idaapi as ia, idc
def PLUGIN_ENTRY(): return nop()
class nop(ia.plugin_t):
    flags = ia.PLUGIN_UNL
    comment = "NOP"
    help = "select bytes, run"
    wanted_name = "NOP bytes..."
    wanted_hotkey = "Ctrl+Shift+N"
// https://github.com/NozomiNetworks/upx-recovery-tool
rule UPX_nozomi_x86
{
    strings:
        $sig = { 50 e8 ?? ?? 00 00 eb 5a 58 59 97 60 8a 54 24 20 e9 ?? ?? 00 00 60 8b 74 24 24 8b 7c 24 2c 83 cd }
    condition:
        any of them
}
rule UPX_nozomi_x64
{
    strings:
import operator
def compileTime(data):
    """Return the PE TimeDateStamp (seconds since epoch) of a file image, or None if it is not a PE."""
    from struct import unpack_from as suf
    if data[0:2] == b'\x4d\x5a':                         # "MZ" DOS header magic
        peOffset = suf("<L", data, 0x3c)[0]              # e_lfanew is a 4-byte field, not 2
        if data[peOffset:peOffset+4] == b'\x50\x45\0\0': # "PE\0\0" signature
            return suf("<L", data, peOffset+8)[0]        # IMAGE_FILE_HEADER.TimeDateStamp
    return None
#!/usr/bin/env python3
import argparse
import sys
import mmap
import logging
from collections import defaultdict
#!/usr/bin/env python3
import argparse
import sys
import json
import logging
#!/usr/bin/env python3
import sys
import argparse
import os
import hashlib
def parseArguments():
    parser = argparse.ArgumentParser(description="Rename files based on their MD5")
    parser.add_argument('file',
rule Windows_7z_SFX
{
    strings:
        $makeCommandFile_prefix_1 = {53 56 8b 75 08 66 83 7e 02 3a 0f 85 ?? ?? ?? ?? 0f b7 46 04 66 3d 5c 00 74 0a 66 3d 2f 00 0f 85 ?? ?? ?? ?? 66 8b 06 66 89 45 f0 8d 45 f0 33 db 50 66 c7 45 f2 3a 00 66 c7 45 f4 5c 00 66 89 5d f6 ff 15}
        $makeCommandFile_prefix_2 = {53 8b 45 08 33 db 89 5d fc 66 83 78 02 3a 0f 85 ?? ?? ?? ?? 66 8b 48 04 66 83 f9 5c 74 0a 66 83 f9 2f 0f 85 ?? ?? ?? ?? 66 8b 00 66 c7 45 e6 3a 00 66 89 45 e4 8d 45 e4 50 66 c7 45 e8 5c 00 66 89 5d ea ff 15}
        $makeCommandFile_prefix_3 = {53 56 8b 75 08 33 db 66 83 7e 02 3a 89 5d fc 0f 85 ?? ?? ?? ?? 66 8b 46 04 66 3d 5c 00 74 0a 66 3d 2f 00 0f 85 ?? ?? ?? ?? 66 8b 06 66 89 45 e4 8d 45 e4 50 66 c7 45 e6 3a 00 66 c7 45 e8 5c 00 66 89 5d ea ff 15}
        $makeCommandFile_prefix_4 = {8b 45 08 66 83 78 02 3a 0f 85 ?? ?? ?? ?? 0f b7 48 04 66 83 f9 5c 74 0a 66 83 f9 2f 0f 85 ?? ?? ?? ?? 66 8b 00 6a 3a 66 89 45 e8 58 66 89 45 ea 6a 5c 58 66 89 45 ec 33 c0 66 89 45 ee 8d 45 e8 50 ff 15}
rule zlib
{
    strings:
        $distfix = {10 05 01 00 17 05 01 01 13 05 11 00 1b 05 01 10 11 05 05 00 19 05 01 04 15 05 41 00 1d 05 01 40 10 05 03 00 18 05 01 02 14 05 21 00 1c 05 01 20 12 05 09 00 1a 05 01 08 16 05 81 00 40 05 00 00 10 05 02 00 17 05 81 01 13 05 19 00 1b 05 01 18 11 05 07 00 19 05 01 06 15 05 61 00 1d 05 01 60 10 05 04 00 18 05 01 03 14 05 31 00 1c 05 01 30 12 05 0d 00 1a 05 01 0c 16 05 c1 00 40 05 00 00}
        $lenfix_prefix = {60 07 00 00 00 08 50 00 00 08 10 00 14 08 73 00 12 07 1f 00 00 08 70 00 00 08 30 00 00 09 c0 00 10 07 0a 00 00 08 60 00 00 08 20 00 00 09 a0 00 00 08 00 00 00 08 80 00 00 08 40 00 00 09 e0 00 10 07 06 00 00 08 58 00 00 08 18 00 00 09 90 00 13 07 3b 00 00 08 78 00 00 08 38 00 00 09 d0 00 11 07 11 00 00 08 68 00 00 08 28 00 00 09 b0 00 00 08 08 00 00 08 88 00 00 08 48 00 00 09 f0 00 10 07 04 00 00 08 54 00 00 08 14 00 15 08 e3 00 13 07 2b 00 00 08 74 00}
    condition:
        all of them
}
Today for #100DaysOfYARA I want to further explore one of my favorite topics:
"How to reliably detect libraries", or how to identify that a particular program has linked or otherwise included a particular library.
Detecting libraries (especially ones written in C) poses unique challenges compared to malware, including:
- libraries tend to be platform/architecture nonspecific
- compilerisms overwhelm otherwise decent signal
- copy/pasta and groupthink across libraries