petri pierrehpezier
pierrehpezier
/ extract.py
Created
April 9, 2025 08:09
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import struct | |
| import magic | |
| from PIL import Image | |
| import sys | |
| img = Image.open(open(sys.argv[1], "rb")) | |
| img_data = b"" | |
| for x in range(img.width): | |
| if len(img_data) >= 2 and not img_data.startswith(b"MZ"): | |
| print("Not a valid PE file") |
pierrehpezier
/ python_FEEDFACE_extraction.py
Created
April 17, 2025 12:15
Python interpreter FEEDFACE extraction
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| RC4 Decryption Utility for Malicious Payload Extraction | |
| """ | |
| import sys | |
| import pathlib | |
| import binascii | |
| from Cryptodome.Cipher import ARC4 | |
| def main(): | |
| if len(sys.argv) != 3: |
pierrehpezier
/ plague_backdoor_deobfuscation.py
Created
July 30, 2025 07:46
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import binascii | |
| from unicorn import * | |
| from unicorn.x86_const import * | |
| import ida_segment | |
| import ida_bytes | |
| import ida_funcs | |
| import ida_nalt | |
| import idc | |
| import idautils |
pierrehpezier
/ CFG_deobf.py
Created
March 19, 2026 14:30
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (c) 2026 Nextron Systems | |
| # Author: Pierre-Henri Pezier | |
| import idaapi | |
| import idautils | |
| import idc | |
| import re | |
| import struct | |
| from unicorn import * |
pierrehpezier
/ deobfuscate_calls.py
Created
March 19, 2026 14:31
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (c) 2026 Nextron Systems | |
| # Author: Pierre-Henri Pezier | |
| import idaapi | |
| import idautils | |
| import idc | |
| def _touches_rax(ea): | |
| """Check if instruction at ea writes to rax/eax/ax/al/ah.""" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Copyright (c) 2026 Nextron Systems | |
| * Author: Pierre-Henri Pezier | |
| * | |
| * POC: Trigger attack chain for the signed kernel rootkit | |
| * | |
| * This demonstrates the usermode-to-kernel code execution pipeline: | |
| * 1. Map a PE payload into process memory | |
| * 2. Resolve ntoskrnl function RVAs from usermode | |
| * 3. Build the 56-byte XOR-encrypted command buffer |
pierrehpezier
/ poc_trigger.c
Created
March 19, 2026 14:42
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Copyright (c) 2026 Nextron Systems | |
| * Author: Pierre-Henri Pezier | |
| * | |
| * POC: Trigger attack chain for the signed kernel rootkit | |
| * | |
| * This demonstrates the usermode-to-kernel code execution pipeline: | |
| * 1. Map a PE payload into process memory | |
| * 2. Resolve ntoskrnl function RVAs from usermode | |
| * 3. Build the 56-byte XOR-encrypted command buffer |
pierrehpezier
/ handshake_hash.py
Created
May 5, 2026 12:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| handshake_hash.py | |
| ================= | |
| Emulate the Htsysm49BE01 driver's RE_handshake_hash_v[0..3] in user-mode | |
| via Unicorn so a client can compute the expected verify hash for IOCTL | |
| 0xAA023828 without any kernel-mode hooks, breakpoints, or driver patching. | |
| Why this works (and why the driver author thought it wouldn't): |