This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
filter Expand-DefenderAVSignatureDB { | |
<# | |
.SYNOPSIS | |
Decompresses a Windows Defender AV signature database (.VDM file). | |
.DESCRIPTION | |
Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# -*- coding: utf-8 -*- | |
# Thomas Roccia | IconDhash.py | |
# pip3 install lief | |
# pip3 install pillow | |
# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html | |
import lief | |
import os | |
import argparse |