Skip to content

Instantly share code, notes, and snippets.

@OALabs
OALabs / revil_strings.py
Created January 26, 2020 22:13
Decrypt REvil ransomware strings with IDA Python
import idaapi, idc, idautils
class DecryptorError(Exception):
pass
def rc4crypt(key, data):
x = 0
box = range(256)
@OALabs
OALabs / exports.json
Created December 1, 2019 05:14
Common DLL exports (Windows API Names)
{"exports": ["A_SHAFinal", "A_SHAInit", "A_SHAUpdate", "AbortSystemShutdownA", "AbortSystemShutdownW", "AccessCheck", "AccessCheckAndAuditAlarmA", "AccessCheckAndAuditAlarmW", "AccessCheckByType", "AccessCheckByTypeAndAuditAlarmA", "AccessCheckByTypeAndAuditAlarmW", "AccessCheckByTypeResultList", "AccessCheckByTypeResultListAndAuditAlarmA", "AccessCheckByTypeResultListAndAuditAlarmByHandleA", "AccessCheckByTypeResultListAndAuditAlarmByHandleW", "AccessCheckByTypeResultListAndAuditAlarmW", "AddAccessAllowedAce", "AddAccessAllowedAceEx", "AddAccessAllowedObjectAce", "AddAccessDeniedAce", "AddAccessDeniedAceEx", "AddAccessDeniedObjectAce", "AddAce", "AddAuditAccessAce", "AddAuditAccessAceEx", "AddAuditAccessObjectAce", "AddConditionalAce", "AddMandatoryAce", "AddUsersToEncryptedFile", "AddUsersToEncryptedFileEx", "AdjustTokenGroups", "AdjustTokenPrivileges", "AllocateAndInitializeSid", "AllocateLocallyUniqueId", "AreAllAccessesGranted", "AreAnyAccessesGranted", "AuditComputeEffectivePolicyBySid", "AuditComputeEf
@OALabs
OALabs / dll_exports.py
Created December 1, 2019 05:12
Build dictionary of DLL exports (Windows API Names)
import os
import pefile
import json
INTERESTING_DLLS = [
'kernel32.dll', 'comctl32.dll', 'advapi32.dll', 'comdlg32.dll',
'gdi32.dll', 'msvcrt.dll', 'netapi32.dll', 'ntdll.dll',
'ntoskrnl.exe', 'oleaut32.dll', 'psapi.dll', 'shell32.dll',
'shlwapi.dll', 'srsvc.dll', 'urlmon.dll', 'user32.dll',
@OALabs
OALabs / revil_import_builder.py
Created December 1, 2019 05:11
IDA Python script to decipher and label REvil imports
import json
# fn_name = "wsprintfW"
# api_hash = 0x0B6D391AE
export_db = {}
def get_api_hash(fn_name):
result = 0x2b
for c in fn_name:
@OALabs
OALabs / rc4.py
Created June 2, 2019 22:55
RC4 Crypto Python Module (probably stolen from stack overflow but it's been so long I can't remember)
#! /usr/bin/env python
##########################################################################################
##
## RC4 Crypto
##
##########################################################################################
def rc4crypt(key, data):
@OALabs
OALabs / boxstarter_oalabs_x86vm.ps1
Last active December 17, 2022 22:03
Boxstarter - One click malware analysis tools installer for 32bit VM
Set-ExecutionPolicy Unrestricted;
iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1'));
get-boxstarter -Force;
Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1';
@OALabs
OALabs / wallpaper.bmp
Last active April 19, 2021 06:04
wallpaper.bmp
@OALabs
OALabs / oalabs_x86vm.ps1
Last active March 18, 2024 14:19
Boxstarter package for OALABS x86 Malware Analysis VM
Write-Host -NoNewline " "
Write-Host -NoNewline " _______ _______ ___ _______ _______ _______ "
Write-Host -NoNewline " | || _ || | | _ || _ || | "
Write-Host -NoNewline " | _ || |_| || | | |_| || |_| || _____| "
Write-Host -NoNewline " | | | || || | | || || |_____ "
Write-Host -NoNewline " | |_| || || |___ | || _ | |_____ | "
Write-Host -NoNewline " | || _ || || _ || |_| | _____| | "
Write-Host -NoNewline " |_______||__| |__||_______||__| |__||_______||_______| "
Write-Host -NoNewline " "
Write-Host -NoNewline " "
@OALabs
OALabs / windows_defender_unquarantine.py
Last active October 1, 2024 10:14
Extract quarantine files from Windows Defender | System Center Endpoint Protection | Microsoft Security Essentials
# MS SCEP & SE quarantined files decrypter
# This script is a fork from quarantine.py from the cuckoosandbox project.
# Also thanks to Jon Glass (https://jon.glass/quarantines-junk/)
# Usage: quarantine.py <encryptedfile>
#
# Copyright (C) 2015 KillerInstinct, Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.