Get De-XRAY from Hexacorn:
## at least these or just CPAN
""" | |
The script generates and prints a graph of all function-call flows that start in exported functions and end | |
in the function being pointed at in IDA. | |
This functionality is useful when you need to trigger a function in a DLL and wish to know which exported function | |
leads to it. | |
""" | |
import idaapi | |
import idautils | |
import idc |
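The docstring above describes the search but the page only carries the imports. The block below is an added example, not the script's own code: it does the export-to-target path enumeration over a constructed reverse call graph (callee to callers), which is what a walk over `idautils.CodeRefsTo` produces inside IDA. The names in `CALLERS` and `EXPORTS` are made up for the example; `build_reverse_graph_in_ida` is the adapter that would replace them when run from IDA, and is the only part that needs IDAPython.

```python
"""Enumerate every simple call path export -> ... -> target.

Added example (not the page's script). The search runs on a plain dict so it
can be exercised outside IDA; build_reverse_graph_in_ida() fills the same
structure from a loaded database.
"""
from typing import Dict, List, Set

# Constructed reverse call graph: callee -> set of callers. Not a real binary.
CALLERS: Dict[str, Set[str]] = {
    "target":         {"helper_a", "helper_b"},
    "helper_a":       {"DllExportOne", "internal_x"},
    "helper_b":       {"internal_x"},
    "internal_x":     {"DllExportTwo", "helper_b"},  # helper_b <-> internal_x is a cycle
    "DllExportOne":   set(),
    "DllExportTwo":   set(),
    "DllExportThree": set(),                         # export that never reaches target
}
EXPORTS: Set[str] = {"DllExportOne", "DllExportTwo", "DllExportThree"}


def paths_to_target(callers: Dict[str, Set[str]], exports: Set[str],
                    target: str, max_depth: int = 32) -> List[List[str]]:
    """Return all simple paths from an export to `target`, export first.

    Depth-first walk from target towards its callers; a function already on
    the current path is not revisited, so cycles terminate. An export is
    recorded and the walk continues past it, because exports can call each
    other too."""
    results: List[List[str]] = []

    def walk(func: str, path: List[str]) -> None:
        if func in exports:
            results.append(list(reversed(path)))
        if len(path) > max_depth:
            return
        for caller in sorted(callers.get(func, ())):
            if caller in path:          # cycle: skip
                continue
            walk(caller, path + [caller])

    walk(target, [target])
    return results


def build_reverse_graph_in_ida():
    """IDA only: callee -> callers from code xrefs, plus the export name set.
    idautils.Entries() yields (index, ordinal, ea, name) tuples."""
    import idaapi, idautils, idc   # available only inside IDAPython
    graph: Dict[str, Set[str]] = {}
    for fea in idautils.Functions():
        name = idc.get_func_name(fea)
        graph.setdefault(name, set())
        for ref in idautils.CodeRefsTo(fea, 0):
            f = idaapi.get_func(ref)
            if f is not None:
                graph[name].add(idc.get_func_name(f.start_ea))
    exports = {name for (_idx, _ord, _ea, name) in idautils.Entries()}
    return graph, exports


if __name__ == "__main__":
    for p in paths_to_target(CALLERS, EXPORTS, "target"):
        print(" -> ".join(p))
```

Inside IDA, replace the two constants with `graph, exports = build_reverse_graph_in_ida()` and pass `idc.get_func_name(idc.here())` as the target; the cycle check matters there, because real binaries have mutually recursive helpers that would otherwise make the walk run forever.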
import argparse
import yara
from colorama import init, Fore, Back, Style
init()
args_parser = argparse.ArgumentParser()
args_parser.add_argument('-f', '--file', help='cobaltstrike shellcode exe file', type=str, required=True)
args_parser.add_argument('-o', '--out', help='output file', type=str, required=False)
args = args_parser.parse_args()
<!--
SilkService Config
Author: Roberto Rodriguez (@Cyb3rWard0g)
License: GPL-3.0
Version: 0.0.1
References: https://github.com/Cyb3rWard0g/mordor/blob/master/environments/windows/configs/erebor/erebor_SilkServiceConfig.xml
-->
<SilkServiceConfig>
<!--
Linux
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
macOS
(gstrings -a -td "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; gstrings -a -td -el "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
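The two one-liners run `strings` twice over the same file, once for 8-bit and once for 16-bit little-endian text, tag each line A or W, and sort the union by decimal offset so ASCII and UTF-16 strings interleave in file order. The block below is an added example, not part of the page: a Python equivalent of that pipeline run over a constructed byte buffer, so the merged output can be checked without binutils. It scans for UTF-16LE runs at every byte offset (no 2-byte alignment assumed) and uses the same 4-character minimum as `strings` by default.

```python
"""ASCII + UTF-16LE string extraction merged by offset (added example).

Mirrors the output of:  strings -a -td f | sed 's/.../\1 A \2/'; strings -a -td -el f | sed '.../\1 W \2/' | sort -n
"""
import re
from typing import List, Tuple

Row = Tuple[int, str, str]   # (decimal offset, "A" or "W", text)

# Constructed sample buffer, not a real PE: a fake MZ header, an ASCII string,
# a UTF-16LE string, a run too short to report, and one more ASCII string.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 4                                   # offsets 0..7
    + b"This program cannot be run in DOS mode." + b"\x00" * 3    # ASCII at 8
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"            # UTF-16LE at 50
    + b"ab" + b"\x00" * 2                                          # 2 chars: dropped
    + b"GetProcAddress\x00"                                        # ASCII at 80
)


def ascii_strings(data: bytes, min_len: int = 4) -> List[Row]:
    """Runs of >= min_len printable 7-bit bytes (tab allowed), like strings -a."""
    pat = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [(m.start(), "A", m.group().decode("ascii")) for m in pat.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> List[Row]:
    """Runs of >= min_len printable chars each followed by a NUL byte, like strings -el."""
    pat = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
    return [(m.start(), "W", m.group().decode("utf-16-le")) for m in pat.finditer(data)]


def merged_strings(data: bytes, min_len: int = 4) -> List[Row]:
    """Both passes, sorted numerically by offset: the `sort -n` step."""
    return sorted(ascii_strings(data, min_len) + utf16le_strings(data, min_len),
                  key=lambda row: row[0])


def format_rows(rows: List[Row]) -> List[str]:
    """Same shape the sed scripts produce: right-aligned offset, tag, text."""
    return [f"{off:7d} {kind} {text}" for off, kind, text in rows]


if __name__ == "__main__":
    for line in format_rows(merged_strings(SAMPLE)):
        print(line)
```

The interleaving is the useful part when triaging Windows binaries: an import name found as ASCII next to a resource or registry path stored as UTF-16 tells you both came from the same region of the file, which a single `strings` pass hides.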
Today for #100DaysOfYARA I want to dive in to some of the dirty secrets of creating/maintaining code-based YARA signatures
Let's use SQLite3 as an example. Go get the source here (I prefer the amalgamation):
https://sqlite.org/download.html
I would like to reliably detect when a file is using SQLite. I often look at Windows executables, so I'm going to first concentrate on x86 programs that use this library. The easiest way to find them is to first concentrate on cleartext strings. In this case, I'm gonna pop over to VirusTotal and search for an easily-identifiable string:
content: "failed to allocate %u bytes of memory" type:pe
Today for #100DaysOfYARA I want to further explore one of my favorite topics
"How to reliably detect libraries", or how to identify that a particular program has linked or otherwise included a particular library.
Detecting libraries (especially ones written in C) poses unique challenges compared to malware, including:
- libraries tend to be platform/architecture nonspecific
- compilerisms overwhelm otherwise decent signal
- copy/pasta and groupthink across libraries
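Both posts above start from the same move: pull cleartext strings out of the library's source and check which ones survive into a compiled binary, in either encoding, before writing a rule around them. The block below is an added example and not the thread author's code. It harvests C string literals from a constructed fragment standing in for an amalgamation (the fragment and the blob are made up for the example; they are not SQLite source or a real sample), resolves escapes and adjacent-literal concatenation, searches a blob for each literal as ASCII and as UTF-16LE, and emits a YARA rule skeleton with `ascii wide` modifiers. The regex does not strip C comments, so a comment containing a double quote would confuse it; run it on preprocessed or comment-stripped source if that bites.

```python
"""Harvest C string literals and check which ones a binary still carries (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for a few lines of a C amalgamation; not real SQLite code.
SAMPLE_SOURCE = r'''
static const char *zNoMem = "failed to allocate %u bytes of memory";
  sqlite3_log(rc, "unable to open " "database file");   /* adjacent literals concatenate */
  printf("ok\n");
  hdr = "\x53\x51Lite";
'''

# Constructed binary blob: one literal stored as ASCII, one as UTF-16LE, plus padding.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"unable to open database file\x00"                               # ASCII at 16
    + "failed to allocate %u bytes of memory".encode("utf-16-le")       # UTF-16LE at 45
    + b"\x00" * 4
)

_LITERAL = re.compile(r'"((?:[^"\\\n]|\\.)*)"')
_SIMPLE_ESC = {"n": "\n", "t": "\t", "r": "\r", "0": "\0", "\\": "\\", '"': '"', "'": "'"}


def _unescape(body: str) -> str:
    """Resolve the common C escapes (\\n \\t \\r \\0 \\\\ \\" \\' and \\xHH)."""
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            n = body[i + 1]
            if n in _SIMPLE_ESC:
                out.append(_SIMPLE_ESC[n]); i += 2; continue
            if n == "x":
                m = re.match(r"[0-9a-fA-F]{1,2}", body[i + 2:])
                if m:
                    out.append(chr(int(m.group(), 16))); i += 2 + len(m.group()); continue
        out.append(c); i += 1
    return "".join(out)


def c_string_literals(source: str) -> List[str]:
    """All string literals in source order; literals separated only by
    whitespace are joined, as the compiler joins "a" "b" into "ab"."""
    out: List[str] = []
    last_end = None
    for m in _LITERAL.finditer(source):
        text = _unescape(m.group(1))
        if last_end is not None and source[last_end:m.start()].strip() == "":
            out[-1] += text
        else:
            out.append(text)
        last_end = m.end()
    return out


def library_strings_in_blob(blob: bytes, literals: Iterable[str],
                            min_len: int = 8) -> Dict[str, List[Tuple[int, str]]]:
    """Literals of at least min_len chars that occur in blob, with every
    (offset, 'A'|'W') hit. Short literals are skipped: they are the
    copy/pasta that matches everything."""
    found: Dict[str, List[Tuple[int, str]]] = {}
    for lit in sorted(set(literals)):
        if len(lit) < min_len:
            continue
        hits: List[Tuple[int, str]] = []
        for kind, enc in (("A", "ascii"), ("W", "utf-16-le")):
            try:
                needle = lit.encode(enc)
            except UnicodeEncodeError:
                continue
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                hits.append((pos, kind)); start = pos + 1
        if hits:
            found[lit] = sorted(hits)
    return found


def yara_rule(name: str, literals: Iterable[str]) -> str:
    """Rule text with one `ascii wide` string per literal and an MZ check."""
    lines = [f"rule {name} {{", "  strings:"]
    for i, lit in enumerate(literals):
        esc = lit.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
        lines.append(f'    $s{i} = "{esc}" ascii wide')
    lines += ["  condition:", "    uint16(0) == 0x5A4D and all of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = library_strings_in_blob(SAMPLE_BLOB, c_string_literals(SAMPLE_SOURCE))
    print(yara_rule("uses_constructed_lib", hits))
```

The `all of them` condition is deliberately strict for a first cut; the thread's second point (compilerisms, shared strings across libraries) is exactly why you would then test the candidate strings against a clean corpus and drop the ones that also fire on unrelated binaries before loosening the condition.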
Matches: ("opt-out" OR unsubscribe OR "viewing the newsletter" OR "privacy policy" OR enews OR "edit your preferences" OR "email notifications" OR "update profile" OR smartunsubscribe OR secureunsubscribe OR yahoogroups OR "manage your account" OR "group-digests") Do this: Skip Inbox, Apply label "Work/Newsletters"
Matches: (subject:("invitation" OR "accepted" OR "rejected" OR "updated" OR "canceled event" OR "declined") when where calendar who organizer) Do this: Skip Inbox, Apply label "GTD/Follow up"
#!/usr/bin/env python3
import sys, string, struct
def strByByte(_strval):
    # yield the string one byte at a time, as ints
    strval = bytearray(_strval.encode())
    for s in strval: yield s
def strByDword(_strval):
    # yield the string as 32-bit ints; the tail is zero-padded to a 4-byte boundary
    # (little-endian order and the padding are assumptions: the original cuts off here)
    strval = bytearray(_strval.encode())
    strval += b'\x00' * (-len(strval) % 4)
    for i in range(0, len(strval), 4): yield struct.unpack('<I', strval[i:i+4])[0]
<?xml version="1.0"?> | |
<!-- | |
API Monitor Filter | |
(c) 2010-2013, Rohitab Batra <rohitab@rohitab.com> | |
http://www.rohitab.com/apimonitor/ | |
--> | |
<ApiMonitor> | |
<CaptureFilter> | |
<Module Name="Advapi32.dll"> | |
<Api Name="ControlService"/> |