@ophirharpaz
ophirharpaz / get_call_flows_from_exports.py
Created February 22, 2020 15:19
The script generates and prints a graph of all function-call flows that start in exported functions and end in the function being pointed at in IDA. This functionality is useful when you need to trigger a function in a DLL and wish to know which exported function leads to it.
"""
The script generates and prints a graph of all function-call flows that start in exported functions and end
in the function being pointed at in IDA.
This functionality is useful when you need to trigger a function in a DLL and wish to know which exported function
leads to it.
"""
import idaapi
import idautils
import idc
@adricnet
adricnet / dexray_rocks.md
Last active March 2, 2021 10:12
dexray testing
import argparse
import yara
from colorama import init, Fore, Back, Style
init()
args_parser = argparse.ArgumentParser()
args_parser.add_argument('-f', '--file', help='cobaltstrike shellcode exe file', type=str, required=True)
args_parser.add_argument('-o', '--out', help='output file', type=str, required=False)
args = args_parser.parse_args()
<!--
SilkService Config
Author: Roberto Rodriguez (@Cyb3rWard0g)
License: GPL-3.0
Version: 0.0.1
References: https://github.com/Cyb3rWard0g/mordor/blob/master/environments/windows/configs/erebor/erebor_SilkServiceConfig.xml
-->
<SilkServiceConfig>
<!--
@Neo23x0
Neo23x0 / stringex.sh
Last active August 13, 2021 13:56
String Extraction / ASCII and Wide by @RobertHaist
Linux
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
macOS
(gstrings -a -td "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; gstrings -a -td -el "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
@notareverser
notareverser / code-signatures.treatise.txt
Created February 15, 2022 16:22
A brief treatise on code-based YARA signatures
Today for #100DaysOfYARA I want to dive into some of the dirty secrets of creating/maintaining code-based YARA signatures
Let's use SQLite3 as an example. Go get the source here (I prefer the amalgamation):
https://sqlite.org/download.html
I would like to reliably detect when a file is using SQLite. I often look at Windows executables, so I'm going to first concentrate on x86 programs that use this library. The easiest way to find them is to first concentrate on cleartext strings. In this case, I'm gonna pop over to VirusTotal and search for an easily-identifiable string:
content: "failed to allocate %u bytes of memory" type:pe
@notareverser
notareverser / yara-rules-for-libraries.txt
Created February 25, 2022 14:13
Brief treatise on the tradeoffs between YARA rules made from strings, code, and data
Today for #100DaysOfYARA I want to further explore one of my favorite topics
"How to reliably detect libraries", or how to identify that a particular program has linked or otherwise included a particular library.
Detecting libraries (especially ones written in C) poses unique challenges compared to malware, to include:
- libraries tend to be platform/architecture nonspecific
- compilerisms overwhelm otherwise decent signal
- copy/pasta and groupthink across libraries

Gmail Filters

Catch newsletters and junk

Matches: ("opt-out" OR unsubscribe OR "viewing the newsletter" OR "privacy policy" OR enews OR "edit your preferences" OR "email notifications" OR "update profile" OR smartunsubscribe OR secureunsubscribe OR yahoogroups OR "manage your account" OR "group-digests") Do this: Skip Inbox, Apply label "Work/Newsletters"

Keep pesky calendar invites out of inbox

Matches: (subject:("invitation" OR "accepted" OR "rejected" OR "updated" OR "canceled event" OR "declined") when where calendar who organizer) Do this: Skip Inbox, Apply label "GTD/Follow up"

Keep 90% of Sales emails out of Inbox

@notareverser
notareverser / generate-stackstrings-yara.py
Last active May 14, 2022 17:15
Script to generate stackstrings YARA signatures for common implementation patterns
#!/usr/bin/env python3
import sys, string, struct
def strByByte(_strval):
    strval = bytearray(_strval.encode())
    for s in strval: yield s
def strByDword(_strval):
    strval = bytearray(_strval.encode())
@mgeeky
mgeeky / complete-api-filters-list.xml
Created July 9, 2016 15:07
API Filters list for Rohitab API Monitor
<?xml version="1.0"?>
<!--
API Monitor Filter
(c) 2010-2013, Rohitab Batra <rohitab@rohitab.com>
http://www.rohitab.com/apimonitor/
-->
<ApiMonitor>
<CaptureFilter>
<Module Name="Advapi32.dll">
<Api Name="ControlService"/>