from gevent import spawn
from gevent import monkey
monkey.patch_all()
from master import celery_app
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| message Module | |
| { | |
| required int32 type = 1; | |
| required bytes blob = 2; | |
| } | |
| message ModuleResponse { | |
| repeated Module modules = 1 [packed=true]; | |
| required uint32 timestamp = 2; | |
| } |
psrok1
/ emotet.spamreq.proto
Last active
May 19, 2017 12:56
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| message SpamRequest { | |
| message SpamRequestBody { | |
| required string botId = 1; | |
| required int32 flags = 2 [default = 3]; | |
| required string additionalData = 3; | |
| } | |
| required int32 command = 1 [default = 18]; | |
| optional SpamRequestBody spamRequest = 2; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| message EmailAccount { | |
| required int32 id = 1; | |
| required string mail_server = 2; | |
| required int32 port = 3; | |
| required string login = 4; | |
| required string password = 5; | |
| required string email = 6; | |
| } | |
| message EmailRecipient { |
psrok1
/ box-js-prototype-bug.md
Created
August 22, 2017 00:07
box-js 1.8.2 output for f3b3a5fc30ecbab403b27dd853ad7f6b
box-js 1.8.2, sample f3b3a5fc30ecbab403b27dd853ad7f6b
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[info] Rewriting code...
[info] Replacing `function A.prototype.B()` (use --no-rewrite-prototype to skip)...
[error] Couldn't parse with Acorn:
[error] SyntaxError: Unexpected token (1:716)
[error]
[error] This doesn't seem to be a JavaScript/WScript file.
psrok1
/ box-js-prototype-testcase.js
Created
August 22, 2017 00:09
box-js test case for member function declaration rewriting
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "This one is global".global_func(); | |
| (function(){ | |
| "This one is scoped".scoped_func(); | |
| function String.prototype.scoped_func(arg_a, arg_b) { | |
| String.nested_func2("This one", " is nested"); | |
| function String.prototype.nested_func(arg_a, arg_b) { | |
| WScript.echo(this); | |
| } | |
| this.nested_func(); | |
| while(0) |
psrok1
/ pdfdoc-proccheck.js
Created
January 27, 2018 10:33
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| try { | |
| WmiObject = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2"); | |
| win32ProcessList = new Enumerator(WmiObject["ExecQuery"]("Select * from Win32_Process")); | |
| win32OperatingSystem = new Enumerator(Wmi["ExecQuery"]("Select * from Win32_OperatingSystem")); | |
| while (!win32OperatingSystem["atEnd"]()) { | |
| if (i == 5) break; | |
| osInfo = osInfo + win32OperatingSystem["item"]()["Caption"] + | |
| win32OperatingSystem["item"]()["Version"]; | |
| i++; | |
| win32OperatingSystem["moveNext"](); |
psrok1
/ pdfdoc-proccheck.js
Created
January 27, 2018 10:33
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| try { | |
| WmiObject = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2"); | |
| win32ProcessList = new Enumerator(WmiObject["ExecQuery"]("Select * from Win32_Process")); | |
| win32OperatingSystem = new Enumerator(Wmi["ExecQuery"]("Select * from Win32_OperatingSystem")); | |
| while (!win32OperatingSystem["atEnd"]()) { | |
| if (i == 5) break; | |
| osInfo = osInfo + win32OperatingSystem["item"]()["Caption"] + | |
| win32OperatingSystem["item"]()["Version"]; | |
| i++; | |
| win32OperatingSystem["moveNext"](); |
psrok1
/ emotet-doc.py
Created
May 17, 2019 13:29
URL unpacker from documents with malicious macros sent by Emotet
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| Needs oledump.py in the same directory (download from https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/oledump.py) | |
| and olefile (pip install olefile) | |
| Usage: python2 emotet-doc.py [doc path] | |
| """ | |
| import base64 | |
| import re | |
| import sys |
psrok1
/ malduck-isfb-jjparser.py
Created
October 11, 2019 12:23
malduck: Rewritten JJStruct parser from https://www.sentinelone.com/blog/writing-malware-configuration-extractors-isfb-ursnif/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # pip install malduck | |
| import malduck | |
| import sys | |
| p = malduck.procmem.from_file(sys.argv[1]) | |
| # Recover magic | |
| p.patchp(0, b"MZ") | |
| p.patchp(p.uint32p(0x3c), b"PE") |