advapi32.dll, ADVAPI32_1000
advapi32.dll, I_ScGetCurrentGroupStateW
advapi32.dll, A_SHAFinal
advapi32.dll, A_SHAInit
advapi32.dll, A_SHAUpdate
advapi32.dll, AbortSystemShutdownA
advapi32.dll, AbortSystemShutdownW
advapi32.dll, AccessCheck
advapi32.dll, AccessCheckAndAuditAlarmA
advapi32.dll, AccessCheckAndAuditAlarmW
from idaapi import *
from idautils import *


def ROR(x, n):
    # 32-bit rotate right; the mask discards bits shifted past bit 31
    return ((x >> n) | (x << (32 - n))) & 0xFFFFFFFF


def calc_FBI_hash(dllname, function):
    dll_hash = 0
    for char in dllname:
        ...  # the gist preview is cut off here; the per-character update is not shown
; Input SHA256 : 3A74FBDF96B5E73F930F5887A82E4008FFB8484AE180DD3F7DE7480BC5577345
; Input MD5    : 614D07EF7777CFF5CFDF741587A097DA
; Input CRC32  : B326AB6B
; ---------------------------------------------------------------------------
; File Name   : D:\_anal_temp\shellcode2.bin
; Format      : Binary file
; Base Address: 0000h Range: 0000h - 02FCh Loaded length: 02FCh
.686p
import struct
import hashlib


def ROR(x, n):
    # 32-bit rotate right
    return ((x >> n) | (x << (32 - n))) & 0xFFFFFFFF


def ROL(x, n):
    # 32-bit rotate left
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def matrix_print(matrix):
    ...  # the gist preview is cut off here; the body is not shown
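The two Python gists above (the IDA `calc_FBI_hash` stub and the ROR/ROL helpers) both revolve around rotate-based API hashing, the trick shellcode uses to find imports without strings. Neither gist shows its hash loop, so the following is an added example rather than the page's code: it implements the Metasploit `block_api` ROR-13 scheme (module name upper-cased as UTF-16LE including the NUL terminator, function name as ASCII including the NUL, both accumulated with `h = ror(h, 13) + byte` and summed), builds a reverse lookup from an export list in the same `dll, Function` shape as the advapi32 dump, and scans a constructed shellcode fragment for `push imm32` whose immediate is a known hash. The "FBI hash" the gist names is presumably a different variant; its update rule is not on the page, so this block does not claim to reproduce it. `EXPORTS` and `SAMPLE_SHELLCODE` are constructed inputs; `0x0726774C` is Metasploit's published hash for kernel32.dll!LoadLibraryA.

```python
import struct

MASK32 = 0xFFFFFFFF


def ror(x, n):
    """32-bit rotate right (same helper as the page's scripts)."""
    return ((x >> n) | (x << (32 - n))) & MASK32


def ror13_hash(data):
    """Metasploit block_api accumulator: h = ror(h, 13) + next byte, for every byte."""
    h = 0
    for b in data:
        h = (ror(h, 13) + b) & MASK32
    return h


def module_hash(dll_name):
    # The shellcode hashes the PEB's BaseDllName as upper-case UTF-16LE and walks
    # MaximumLength, so the two NUL bytes of the terminator are part of the hash.
    return ror13_hash((dll_name.upper() + "\x00").encode("utf-16-le"))


def function_hash(func_name):
    # Export names are hashed as ASCII including the terminating NUL.
    return ror13_hash((func_name + "\x00").encode("ascii"))


def api_hash(dll_name, func_name):
    return (module_hash(dll_name) + function_hash(func_name)) & MASK32


# Constructed export list in the same "dll, Function" shape as the advapi32 dump above.
EXPORTS = """\
advapi32.dll, A_SHAInit
advapi32.dll, A_SHAUpdate
advapi32.dll, AccessCheck
kernel32.dll, LoadLibraryA
kernel32.dll, ExitProcess
kernel32.dll, VirtualAlloc
"""


def build_lookup(export_text):
    """Map every precomputed hash to the dll!Function names that produce it (collisions kept)."""
    table = {}
    for line in export_text.splitlines():
        if "," not in line:
            continue
        dll, func = (part.strip() for part in line.split(",", 1))
        table.setdefault(api_hash(dll, func), []).append(f"{dll}!{func}")
    return table


def scan_push_immediates(blob, table):
    """Find `push imm32` (opcode 0x68) whose immediate is a known API hash.

    Returns a list of (offset, hash, names). Constructed shellcode only; a real
    blob needs disassembly, since 0x68 also occurs inside other instructions.
    """
    hits = []
    for i in range(len(blob) - 4):
        if blob[i] == 0x68:
            (imm,) = struct.unpack_from("<I", blob, i + 1)
            if imm in table:
                hits.append((i, imm, table[imm]))
    return hits


# Constructed shellcode fragment: push 0x0726774C ; call ebp  (the block_api calling pattern)
SAMPLE_SHELLCODE = bytes.fromhex("684C772607FFD5")

if __name__ == "__main__":
    lookup = build_lookup(EXPORTS)
    for off, h, names in scan_push_immediates(SAMPLE_SHELLCODE, lookup):
        print(f"{off:04x}: push {h:#010x} -> {', '.join(names)}")
```

To use this against a real sample, feed `build_lookup` the full export dump (the advapi32 list above is one such dump) and run the scan over the bytes IDA loaded from `shellcode2.bin`; when the malware's variant differs (other rotation count, no NUL, ADD replaced by XOR), only `ror13_hash`, `module_hash` and `function_hash` need to change, and the lookup and scan stay the same.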
My attempt to check signatures of font files (*.ttc and *.ttf) from Dragos Ruiu's #badBIOS kit:
https://plus.google.com/103470457057356043365/posts/K7WeA1gqH2h

Used tools:
Sysinternals Sigcheck v2.01: http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
mssipotf.dll - DLL file that implements a Subject Interface Package (SIP) for font files: http://www.microsoft.com/typography/developers/dsig/dsig.htm
algcheck.exe - Homemade tool for checking signing algorithm and public key size

Following files don't have digital signature:
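Sigcheck can only report a font as signed if the file carries an OpenType `DSIG` table for mssipotf.dll to verify, so the first triage step is to see which files have that table at all. The block below is an added example, not the page's `algcheck.exe` or any Microsoft code: it walks the sfnt table directory of a `.ttf`/`.otf`, handles the `ttcf` collection header (only version 2 collections carry a collection-level DSIG pointer), and parses the DSIG records down to each signature's PKCS#7 length. The fonts it runs on are constructed in-line (`HEAD_STUB`, `PLACEHOLDER_PKCS7` and the `build_*` helpers are assumptions for the demo; the placeholder bytes are not a real PKCS#7 message). A present DSIG table only means a signature is attached; whether it validates against the table checksums and a trusted chain is what sigcheck and the SIP decide.

```python
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def _table_directory(data, base=0):
    """Read an sfnt offset table at `base`; return {tag: (offset, length)}."""
    num_tables = struct.unpack_from(">H", data, base + 4)[0]
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", data, base + 12 + 16 * i)
        tables[tag] = (offset, length)
    return tables


def parse_dsig(data, offset, length):
    """Parse a DSIG table: its flags plus one (format, pkcs7_length) per signature record."""
    version, num_sigs, flags = struct.unpack_from(">IHH", data, offset)
    if version != 1:
        raise ValueError(f"unsupported DSIG version {version:#x}")
    records = []
    for i in range(num_sigs):
        fmt, sig_len, sig_off = struct.unpack_from(">III", data, offset + 8 + 12 * i)
        if sig_off + sig_len > length:
            raise ValueError("DSIG signature record points outside the table")
        # Signature block: two reserved u16 followed by the PKCS#7 length and blob.
        _r1, _r2, pkcs7_len = struct.unpack_from(">HHI", data, offset + sig_off)
        records.append((fmt, pkcs7_len))
    return {"flags": flags, "signatures": records}


def font_signature_status(data):
    """Report whether a .ttf/.otf or .ttc blob carries a DSIG table at all."""
    magic = data[:4]
    if magic == b"ttcf":
        version, num_fonts = struct.unpack_from(">II", data, 4)
        # Only a version 2 TTC header has the ulDsigTag/ulDsigLength/ulDsigOffset trailer.
        if version >= 0x00020000:
            trailer = 12 + 4 * num_fonts
            dsig_tag, dsig_len, dsig_off = struct.unpack_from(">4sII", data, trailer)
            if dsig_tag == b"DSIG" and dsig_len:
                return {"kind": "ttc", "has_dsig": True, **parse_dsig(data, dsig_off, dsig_len)}
        return {"kind": "ttc", "has_dsig": False, "signatures": []}
    if magic not in SFNT_MAGICS:
        raise ValueError("not an sfnt-based font")
    tables = _table_directory(data)
    if b"DSIG" not in tables:
        return {"kind": "ttf", "has_dsig": False, "signatures": []}
    return {"kind": "ttf", "has_dsig": True, **parse_dsig(data, *tables[b"DSIG"])}


def unsigned_fonts(files):
    """files: {name: bytes}. Names with no DSIG table, i.e. the list sigcheck would flag."""
    return sorted(name for name, blob in files.items() if not font_signature_status(blob)["has_dsig"])


# ---- constructed sample inputs (not real fonts; placeholder bytes stand in for a PKCS#7 blob) ----
PLACEHOLDER_PKCS7 = b"\x30\x80" + b"\x00" * 14
HEAD_STUB = b"\x00" * 54  # 'head' is 54 bytes; its contents do not matter for this check


def build_dsig(pkcs7):
    block = struct.pack(">HHI", 0, 0, len(pkcs7)) + pkcs7
    # header (8 bytes) + one signature record (12 bytes) -> the block starts at offset 20
    return struct.pack(">IHH", 1, 1, 1) + struct.pack(">III", 1, len(block), 20) + block


def build_sfnt(tables):
    """Minimal TrueType container from [(tag, bytes)]; checksums are left at zero."""
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    records, body = b"", b""
    data_start = 12 + 16 * len(tables)
    for tag, blob in tables:
        records += struct.pack(">4sIII", tag, 0, data_start + len(body), len(blob))
        body += blob + b"\x00" * (-len(blob) % 4)  # tables are 4-byte aligned
    return header + records + body


def build_ttc(font, dsig=None):
    """Wrap one font in a TTC; version 2 header when a collection-level DSIG is supplied.
    The inner font's table offsets are not rebased because nothing here reads them."""
    hdr_len = 12 + 4 + (12 if dsig is not None else 0)
    hdr = struct.pack(">4sII", b"ttcf", 0x00020000 if dsig is not None else 0x00010000, 1)
    hdr += struct.pack(">I", hdr_len)  # offset of the single font's offset table
    if dsig is not None:
        hdr += struct.pack(">4sII", b"DSIG", len(dsig), hdr_len + len(font))
        return hdr + font + dsig
    return hdr + font


UNSIGNED_TTF = build_sfnt([(b"head", HEAD_STUB)])
SIGNED_TTF = build_sfnt([(b"head", HEAD_STUB), (b"DSIG", build_dsig(PLACEHOLDER_PKCS7))])
UNSIGNED_TTC = build_ttc(UNSIGNED_TTF)
SIGNED_TTC = build_ttc(UNSIGNED_TTF, build_dsig(PLACEHOLDER_PKCS7))

if __name__ == "__main__":
    samples = {"a.ttf": UNSIGNED_TTF, "b.ttf": SIGNED_TTF, "c.ttc": UNSIGNED_TTC, "d.ttc": SIGNED_TTC}
    print("Following files don't have digital signature:", unsigned_fonts(samples))
```

For real files, replace the `samples` dict with `{path: open(path, "rb").read() for path in paths}`; the PKCS#7 length and format that `parse_dsig` returns are the starting point for the algorithm and key-size check that algcheck.exe performs.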