Ivan Kwiatkowski JusticeRage
JusticeRage
/ bits_clsids.yara
Last active
May 5, 2017 14:25
Yara rule to detect references to the BITS service.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule BITS_CLSID | |
| { | |
| meta: | |
| description = "References to the BITS service." | |
| author = "Ivan Kwiatkowski (@JusticeRage)" | |
| // The BITS service seems to be used heavily by EquationGroup. | |
| strings: | |
| $uuid_background_copy_manager_1_5 = { 1F 77 87 F0 4F D7 1A 4C BB 8A E1 6A CA 91 24 EA } | |
| $uuid_background_copy_manager_2_0 = { 12 AD 18 6D E3 BD 93 43 B3 11 09 9C 34 6E 6D F9 } | |
| $uuid_background_copy_manager_2_5 = { D6 98 CA 03 5D FF B8 49 AB C6 03 DD 84 12 70 20 } |
JusticeRage
/ to_clsid.py
Created
October 25, 2019 12:02
Quick IDAPython script to convert the selection to a CLSID.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from idaapi import * | |
| from ida_kernwin import * | |
| def to_guid(address): | |
| format = "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}\n" | |
| msg(format % (get_wide_dword(address), | |
| get_wide_word(address + 4), | |
| get_wide_word(address + 6), | |
| get_wide_byte(address + 8), | |
| get_wide_byte(address + 9), |
JusticeRage
/ nop-hidder
Last active
November 24, 2023 00:53
— forked from dperezmavro/nop-hidder
An IDA python script that hides long sequences of nops to make the tree more readable.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from idautils import * | |
| from idc import * | |
| mnemonics = dict() | |
| hides = [] | |
| in_nop_sled = 0 | |
| curr_pos = 0 | |
| sled_len = 0 | |
| for seg_ea in Segments(): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| This program is free software: you can redistribute it and/or modify | |
| it under the terms of the GNU General Public License as published by | |
| the Free Software Foundation, either version 3 of the License, or | |
| (at your option) any later version. | |
| This program is distributed in the hope that it will be useful, | |
| but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| GNU General Public License for more details. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Dear fellow reverser, | |
| I'm creating this Gist in the hopes that it will be indexed and that people who look up this value: 0xE7791F700 will end up here. | |
| 62135596800 is the number of seconds that separate the Go Epoch from the Unix epoch. You're probably looking at an inlined call like `time.Now().Unix()`. | |
| Cheers, | |
| @JusticeRage |
JusticeRage
/ shellcode_loader.c
Created
September 20, 2021 07:40
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| unsigned char shellcode[] = "\xCC\x90\x90\x90\x90..."; | |
| int main(int argc, char argv) | |
| { | |
| auto buffer = ::VirtualAlloc(nullptr, 0x1000, MEM_COMMIT, PAGE_READWRITE); | |
| memcpy(buffer, &shellcode, sizeof(shellcode)); | |
| DWORD ignored; | |
| ::VirtualProtect(buffer, sizeof(shellcode), PAGE_EXECUTE_READ, &ignored); | |
| auto f = reinterpret_cast<int32_t(*)()>(buffer); | |
| f(); |
JusticeRage
/ go_tmilk.py
Created
October 15, 2021 17:22
Go Type Milking - IDA script to extract type information from Go binaries
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| got_tmilk.py - Go Type Milking | |
| Written by Ivan Kwiatkowski @ Kaspersky GReAT | |
| Shared under the terms of the GPLv3 license | |
| """ | |
| C_HEADER = """ | |
| enum golang_kind : __int8 | |
| { | |
| INVALID = 0x0, |