Karib0u

## get_call_flows_from_exports.py
"""
The script generates and prints a graph of all function-call flows that start in exported functions and end
in the function being pointed at in IDA.
This functionality is useful when you need to trigger a function in a DLL and wish to know which exported function
leads to it.
"""

import idaapi
import idautils
import idc

## gen_godmode_rule.yml
# ################################################################################
# IMPORTANT NOTE
# The most recent version of this POC rule can now be found in the main repository
# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
# ################################################################################
#    _____        __  __  ___        __
#   / ___/__  ___/ / /  |/  /__  ___/ /__
#  / (_ / _ \/ _  / / /|_/ / _ \/ _  / -_)
#  \___/\___/\_,_/ /_/  /_/\___/\_,_/\__/_
#    / __(_)__ ___ _  ___ _  / _ \__ __/ /__

## Base64_CheatSheet.md

      
              1 file
            
          
              43 forks
            
          
              6 comments
            
          
              264 stars
            
          
                Neo23x0
                / Base64_CheatSheet.md
            
            
              Last active
              May 23, 2024 08:25
            
              
                Learning Aid - Top Base64 Encodings Table
              
          
    Base64 Patterns - Learning Aid


Base64 Code
Mnemonic Aid
Decoded*
Description


JAB
🗣 Jabber
$.
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:


TVq
📺 Television
MZ
MZ header


SUVY
🚙 SUV
IEX
PowerShell Invoke Expression


SQBFAF
🐣 Squab favorite
I.E.
PowerShell Invoke Expression (UTF-16)


SQBuAH
🐣 Squab uahhh
I.n.
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz


PAA
💪 "Pah!"
&lt;.
Often used by Emotet (UTF-16)


## erebor-SilkServiceConfig.xml
<!--
  SilkService Config
  Author:   Roberto Rodriguez (@Cyb3rWard0g)
  License:  GPL-3.0
  Version:	0.0.1

  References:   https://github.com/Cyb3rWard0g/mordor/blob/master/environments/windows/configs/erebor/erebor_SilkServiceConfig.xml
-->
<SilkServiceConfig>
    <!--

## iddqd.yar
/*
WARNING:

the newest version of this rule is now hosted here:
https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
*/


/*
      _____        __  __  ___        __

## stringex.sh
Linux
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n

macOS
(gstrings -a -td "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; gstrings -a -td -el "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n

## boxstarter_oalabs_x86vm.ps1
Set-ExecutionPolicy Unrestricted;
iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1'));
get-boxstarter -Force;
Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1';

## AMSIScriptContentRetrieval.ps1
# Script author: Matt Graeber (@mattifestation)
# logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
# Do your malicious things here that would be logged by AMSI
# logman stop AMSITrace -ets

$OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture
$OSArch = $OSArchProperty.OSArchitecture

$OSPointerSize = 32
if ($OSArch -eq '64-bit') { $OSPointerSize = 64 }

## zoho_send_email.py
# Code from best solution in page below:
# https://help.zoho.com/portal/community/topic/zoho-mail-servers-reject-python-smtp-module-communications

import smtplib
from email.mime.text import MIMEText
from email.header import Header
from email.utils import formataddr

# Define to/from
sender = 'sender@example.com'

## Some of my Gmail Filters.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              15 stars
            
          
                zholmquist
                / Some of my Gmail Filters.md
            
            
              Last active
              April 26, 2022 03:16
            
          
    Gmail Filters

Catch newsletters and junk

Matches: ("opt-out" OR unsubscribe OR "viewing the newsletter" OR "privacy policy" OR enews OR "edit your preferences" OR "email notifications" OR "update profile" OR smartunsubscribe OR secureunsubscribe OR yahoogroups OR "manage your account" OR "group-digests")
Do this: Skip Inbox, Apply label "Work/Newsletters"
Keep pesky calendar invites out of inbox

Matches: (subject:("invitation" OR "accepted" OR "rejected" OR "updated" OR "canceled event" OR "declined") when where calendar who organizer)
Do this: Skip Inbox, Apply label "GTD/Follow up"
Keep 90% of Sales emails out of Inbox
	"""
	The script generates and prints a graph of all function-call flows that start in exported functions and end
	in the function being pointed at in IDA.
	This functionality is useful when you need to trigger a function in a DLL and wish to know which exported function
	leads to it.
	"""

	import idaapi
	import idautils
	import idc
	# ################################################################################
	# IMPORTANT NOTE
	# The most recent version of this POC rule can now be found in the main repository
	# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
	# ################################################################################
	# _____ __ __ ___ __
	# / ___/__ ___/ / / \|/ /__ ___/ /__
	# / (_ / _ \/ _ / / /\|_/ / _ \/ _ / -_)
	# \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_
	# / __(_)__ ___ _ ___ _ / _ \__ __/ /__
Base64 Code	Mnemonic Aid	Decoded*	Description
`JAB`	🗣 Jabber	`$.`	Variable declaration (UTF-16), e.g. `JABlAG4AdgA` for `$env:`
`TVq`	📺 Television	`MZ`	MZ header
`SUVY`	🚙 SUV	`IEX`	PowerShell Invoke Expression
`SQBFAF`	🐣 Squab favorite	`I.E.`	PowerShell Invoke Expression (UTF-16)
`SQBuAH`	🐣 Squab uahhh	`I.n.`	PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz`
`PAA`	💪 "Pah!"	`<.`	Often used by Emotet (UTF-16)
	<!--
	SilkService Config
	Author: Roberto Rodriguez (@Cyb3rWard0g)
	License: GPL-3.0
	Version: 0.0.1

	References: https://github.com/Cyb3rWard0g/mordor/blob/master/environments/windows/configs/erebor/erebor_SilkServiceConfig.xml
	-->
	<SilkServiceConfig>
	<!--
	/*
	WARNING:

	the newest version of this rule is now hosted here:
	https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
	*/


	/*
	_____ __ __ ___ __
	Linux
	(strings -a -td "$@" \| sed 's/^\(\s[0-9][0-9]\) \(.\)$/\1 A \2/' ; strings -a -td -el "$@" \| sed 's/^\(\s[0-9][0-9]\) \(.\)$/\1 W \2/') \| sort -n

	macOS
	(gstrings -a -td "$@" \| gsed 's/^\(\s[0-9][0-9]\) \(.\)$/\1 A \2/' ; gstrings -a -td -el "$@" \| gsed 's/^\(\s[0-9][0-9]\) \(.\)$/\1 W \2/') \| sort -n
	Set-ExecutionPolicy Unrestricted;
	iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1'));
	get-boxstarter -Force;
	Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1';
	# Script author: Matt Graeber (@mattifestation)
	# logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
	# Do your malicious things here that would be logged by AMSI
	# logman stop AMSITrace -ets

	$OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture
	$OSArch = $OSArchProperty.OSArchitecture

	$OSPointerSize = 32
	if ($OSArch -eq '64-bit') { $OSPointerSize = 64 }
	# Code from best solution in page below:
	# https://help.zoho.com/portal/community/topic/zoho-mail-servers-reject-python-smtp-module-communications

	import smtplib
	from email.mime.text import MIMEText
	from email.header import Header
	from email.utils import formataddr

	# Define to/from
	sender = 'sender@example.com'