Skip to content

Instantly share code, notes, and snippets.

View Rurik's full-sized avatar

Brian Baskin Rurik

View GitHub Profile
Rurik /
Created June 27, 2018 16:55
Tracks a public Twitter List and posts updates to a given Slack channel
### Tracks a public Twitter List and posts updates to a given Slack channel
### Example:
import datetime
import time
import twitter
from slackclient import SlackClient
slack_bot_id = '<FILL OUT>'
slack_channel = '<FILL OUT>'
Rurik /
Last active December 5, 2021 16:55
Quick tool to find and extract filters from Procmon configuration files
# Procmon Rule Parser v0.02
# Brian Baskin - @bbaskin
# Reads default rules from an exported Procmon Configuration (.PMC) or Procmon Filter (.PMF) file
# Example output:
12:09:59-bbaskin@~/Development/Noriben$ python -f ProcmonConfiguration.pmc
[Exclude] Process Name is Procmon64.exe
[Exclude] Operation is QueryStandardInformationFile
[Exclude] Operation is RegOpenKey
[Exclude] Operation is NotifyChangeDirectory
Rurik / Noriben_06_Feb_17__14_33_33_281000.txt
Last active February 6, 2017 19:52
Noriben 1.7.0 Example Output (ZA)
-=] Sandbox Analysis Report generated by Noriben v1.7.0
-=] Developed by Brian Baskin: brian @@ @bbaskin
-=] The latest release can be found at
-=] Analysis time: 61.84 seconds
Processes Created:
[CreateProcess] python.exe:2420 > "C:\malware\hehda.exe" [Child PID: 1764]
[CreateProcess] hehda.exe:1764 > "%WinDir%\system32\cmd.exe" [Child PID: 692]
Rurik /
Created July 7, 2015 16:32
Apricorn Padlock Keep-Alive
import os
import time
while True:
### Keybase proof
I hereby claim:
* I am Rurik on github.
* I am bbaskin ( on keybase.
* I have a public key whose fingerprint is AFD8 C071 A2CE E394 D226 4F19 8732 1B4E 326D FD20
To claim this, I am signing this object:
Rurik /
Created September 30, 2014 14:48
Determine the .NET version used to compile a .NET executable.
def get_NET_version(data):
Code to extract .NET compiled version.
typedef struct t_MetaData_Header {
DWORD Signature; // BSJB
WORD MajorVersion;
WORD MinorVersion;
DWORD Unknown1;
DWORD VersionSize;
PBYTE VersionString;
Rurik /
Last active September 16, 2023 17:17
Detect subroutines that may have encryption/encoding routines by finding XOR and shift routines.
# Automatically find XOR/SHL/SHR routines from an executable
# Uses IDAW (text IDA)
# @bbaskin - brian @
# While other, more powerful scripts like FindCrypt find known
# algorithms this is used to find custom encoding or modified
# encryption routines
Script results:
Rurik / cmdhere.reg
Created May 21, 2014 20:54
Registry key for Explorer right-click command prompt
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AllFilesystemObjects\shell\Command Prompt Here\command]
@="cmd.exe /k cd \"%L\""
Rurik /
Last active November 3, 2022 13:05
Generic code to do a multi-byte XOR encoding
def multibyte_xor(data, key): # Python 2
from itertools import izip, cycle
return ''.join(chr(ord(x) ^ ord(y)) for (x,y) in izip(data, cycle(key)))
Rurik / gist:6556041
Last active March 6, 2024 21:31
Python functions to compress folder paths to include their environment variable. This is the opposite of os.path.expandvars(). For example, "C:\Windows\system32\cmd.exe" would resolve to "%WINDIR%\system32\cmd.exe".
import os
import re
# Thanks to Andrew Havens of Cipher Tech for figuring out how to escape the paranthesis to work with
# both expandvars and regex
def generalize_vars_init():
Initialize a dictionary with the local system's environment variables.