shekk shekkbuilder

YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.1, February 2016, applies to all YARA versions 3.3+

Global Rules

Global rules are evaluated first. Only if they are satisfied are non-global rules evaluated. This may be useful if all samples exhibit the same characteristics. Use them combined with the "private" statement to suppress a match notification on the global rules.

shekkbuilder / Makefile
Created November 28, 2017 18:44 — forked from anryko/Makefile
Simple kernel module example. Lists process list and count.
obj-m += lkm_hello1.o
KDIR ?= /lib/modules/$(shell uname -r)/build
all:
	make -C $(KDIR) M=$(PWD) modules
clean:
	make -C $(KDIR) M=$(PWD) clean
shekkbuilder / latency.txt
Created October 12, 2017 12:24 — forked from jboner/latency.txt
Latency Numbers Every Programmer Should Know
Latency Comparison Numbers
--------------------------
L1 cache reference                           0.5 ns
Branch mispredict                            5   ns
L2 cache reference                           7   ns                      14x L1 cache
Mutex lock/unlock                           25   ns
Main memory reference                      100   ns                      20x L2 cache, 200x L1 cache
Compress 1K bytes with Zippy             3,000   ns        3 us
Send 1K bytes over 1 Gbps network       10,000   ns       10 us
Read 4K randomly from SSD*             150,000   ns      150 us          ~1GB/sec SSD
shekkbuilder / install.bash
Created July 15, 2017 15:44 — forked from nnarain/install.bash
Set up a virtual CAN bus on Linux
#!/bin/bash
# install can-utils
git clone https://github.com/linux-can/can-utils.git
cd can-utils
./autogen.sh
./configure
make
sudo make install
shekkbuilder / pwn.py
Created June 19, 2017 13:37 — forked from saelo/pwn.py
Solution for "assignment" of GoogleCTF 2017
#!/usr/bin/env python3
#
# Exploit for "assignment" of GoogleCTF 2017
#
# CTF-quality exploit...
#
# Slightly simplified and shortened explanation:
#
# The bug is a UAF of one or both values during add_assign() if a GC is
# triggered during allocate_value(). The exploit first abuses this to leak a
shekkbuilder / nmap-cmdline
Created May 15, 2017 07:26 — forked from Neo23x0/nmap-cmdline
Nmap Scan Params for CVE-2017-0143 MS17-010 Scanning
# CVE-2017-0143 MS17-010 Scanning
# The vulnerability used by the WannaCry ransomware
#
# Use @calderpwn's script
# http://seclists.org/nmap-dev/2017/q2/79
#
# Save it to Nmap NSE script directory
# Linux
# /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
# OSX

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses EternalBlue (MS17-010) to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

shekkbuilder / extract_sql.pl
Created May 13, 2017 20:48 — forked from leoromanovsky/extract_sql.pl
Extract SQL tables from database dump
#!/usr/bin/perl -w
##############################################################################
##
## Written by: Jared Cheney <[email protected]>
##
## Original Template written by:
## Brandon Zehm <[email protected]> and Jared Cheney <[email protected]>
##
## License:
##