Skip to content

Instantly share code, notes, and snippets.

OALabs

Block or report user

Report or block OALabs

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@OALabs
OALabs / revil_strings.py
Created Jan 26, 2020
Decrypt REvil ransomware strings with IDA Python
View revil_strings.py
import idaapi, idc, idautils
class DecryptorError(Exception):
pass
def rc4crypt(key, data):
x = 0
box = range(256)
@OALabs
OALabs / exports.json
Created Dec 1, 2019
Common DLL exports (Windows API Names)
View exports.json
{"exports": ["A_SHAFinal", "A_SHAInit", "A_SHAUpdate", "AbortSystemShutdownA", "AbortSystemShutdownW", "AccessCheck", "AccessCheckAndAuditAlarmA", "AccessCheckAndAuditAlarmW", "AccessCheckByType", "AccessCheckByTypeAndAuditAlarmA", "AccessCheckByTypeAndAuditAlarmW", "AccessCheckByTypeResultList", "AccessCheckByTypeResultListAndAuditAlarmA", "AccessCheckByTypeResultListAndAuditAlarmByHandleA", "AccessCheckByTypeResultListAndAuditAlarmByHandleW", "AccessCheckByTypeResultListAndAuditAlarmW", "AddAccessAllowedAce", "AddAccessAllowedAceEx", "AddAccessAllowedObjectAce", "AddAccessDeniedAce", "AddAccessDeniedAceEx", "AddAccessDeniedObjectAce", "AddAce", "AddAuditAccessAce", "AddAuditAccessAceEx", "AddAuditAccessObjectAce", "AddConditionalAce", "AddMandatoryAce", "AddUsersToEncryptedFile", "AddUsersToEncryptedFileEx", "AdjustTokenGroups", "AdjustTokenPrivileges", "AllocateAndInitializeSid", "AllocateLocallyUniqueId", "AreAllAccessesGranted", "AreAnyAccessesGranted", "AuditComputeEffectivePolicyBySid", "AuditComputeEf
@OALabs
OALabs / dll_exports.py
Created Dec 1, 2019
Build dictionary of DLL exports (Windows API Names)
View dll_exports.py
import os
import pefile
import json
INTERESTING_DLLS = [
'kernel32.dll', 'comctl32.dll', 'advapi32.dll', 'comdlg32.dll',
'gdi32.dll', 'msvcrt.dll', 'netapi32.dll', 'ntdll.dll',
'ntoskrnl.exe', 'oleaut32.dll', 'psapi.dll', 'shell32.dll',
'shlwapi.dll', 'srsvc.dll', 'urlmon.dll', 'user32.dll',
@OALabs
OALabs / revil_import_builder.py
Created Dec 1, 2019
IDA Python script to decipher and label REvil imports
View revil_import_builder.py
import json
# fn_name = "wsprintfW"
# api_hash = 0x0B6D391AE
export_db = {}
def get_api_hash(fn_name):
result = 0x2b
for c in fn_name:
@OALabs
OALabs / rc4.py
Created Jun 2, 2019
RC4 Crypto Python Module (probably stolen from stack overflow but it's been so long I can't remember)
View rc4.py
#! /usr/bin/env python
##########################################################################################
##
## RC4 Crypto
##
##########################################################################################
def rc4crypt(key, data):
@OALabs
OALabs / boxstarter_oalabs_x86vm.ps1
Last active May 19, 2020
Boxstarter - One click malware analysis tools installer for 32bit VM
View boxstarter_oalabs_x86vm.ps1
Set-ExecutionPolicy Unrestricted;
iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1'));
get-boxstarter -Force;
Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1';
@OALabs
OALabs / oalabs_x86vm.ps1
Last active May 19, 2020
Boxstarter package for OALABS x86 Malware Analysis VM
View oalabs_x86vm.ps1
Write-Host -NoNewline " "
Write-Host -NoNewline " _______ _______ ___ _______ _______ _______ "
Write-Host -NoNewline " | || _ || | | _ || _ || | "
Write-Host -NoNewline " | _ || |_| || | | |_| || |_| || _____| "
Write-Host -NoNewline " | | | || || | | || || |_____ "
Write-Host -NoNewline " | |_| || || |___ | || _ | |_____ | "
Write-Host -NoNewline " | || _ || || _ || |_| | _____| | "
Write-Host -NoNewline " |_______||__| |__||_______||__| |__||_______||_______| "
Write-Host -NoNewline " "
Write-Host -NoNewline " "
@OALabs
OALabs / windows_defender_unquarantine.py
Last active Jul 26, 2019
Extract quarantine files from Windows Defender | System Center Endpoint Protection | Microsoft Security Essentials
View windows_defender_unquarantine.py
# MS SCEP & SE quarantined files decrypter
# This script is a fork from quarantine.py from the cuckoosandbox project.
# Also thanks to Jon Glass (https://jon.glass/quarantines-junk/)
# Usage: quarantine.py <encryptedfile>
#
# Copyright (C) 2015 KillerInstinct, Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
You can’t perform that action at this time.