Brian Baskin Rurik
Rurik
/ getNETversion.py
Created
September 30, 2014 14:48
Determine the .NET version used to compile a .NET executable.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def get_NET_version(data): | |
| """ | |
| Code to extract .NET compiled version. | |
| typedef struct t_MetaData_Header { | |
| DWORD Signature; // BSJB | |
| WORD MajorVersion; | |
| WORD MinorVersion; | |
| DWORD Unknown1; | |
| DWORD VersionSize; | |
| PBYTE VersionString; |
Rurik
/ gist:4402ab9a7a1b3fbc14d7
Created
October 23, 2014 18:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am Rurik on github. | |
| * I am bbaskin (https://keybase.io/bbaskin) on keybase. | |
| * I have a public key whose fingerprint is AFD8 C071 A2CE E394 D226 4F19 8732 1B4E 326D FD20 | |
| To claim this, I am signing this object: |
Rurik
/ gist:5440114
Last active
December 16, 2015 13:09
See if a process name is currently running or not (Windows)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Based on WMI code from http://mail.python.org/pipermail/python-win32/2006-March/004340.html | |
| import os | |
| def process_running(procname): | |
| def find_pid(processname): | |
| import win32com.client | |
| for proc in win32com.client.GetObject('winmgmts:').InstancesOf('win32_process'): | |
| if proc.Name.upper() == processname.upper(): | |
| return proc.Properties_('ProcessId') | |
Rurik
/ TrueCrypt_Guess.py
Created
May 5, 2013 15:13
TrueCrypt password guesser for leet-speak passwords. Blog post here: http://ghettoforensics.blogspot.com/2013/05/31337-password-guessing.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import subprocess | |
| tc_exe = "C:\\Program Files\\TrueCrypt\\truecrypt.exe" | |
| tc_file = "E:\\test.tlc" | |
| drive_letter = "P" | |
| def leet_lookup(char): | |
| list = {"a": ["a","A","@"], | |
| "b": ["b", "B", "8"], |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| from PyQt4.QtCore import * | |
| from PyQt4.QtGui import * | |
| import base64 | |
| def main(): | |
| app = QApplication(sys.argv) | |
| w = MyWindow() | |
| w.show() |
Rurik
/ Noriben_06_Feb_17__14_33_33_281000.txt
Last active
February 6, 2017 19:52
Noriben 1.7.0 Example Output (ZA)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -=] Sandbox Analysis Report generated by Noriben v1.7.0 | |
| -=] Developed by Brian Baskin: brian @@ thebaskins.com @bbaskin | |
| -=] The latest release can be found at https://github.com/Rurik/Noriben | |
| -=] Analysis time: 61.84 seconds | |
| Processes Created: | |
| ================== | |
| [CreateProcess] python.exe:2420 > "C:\malware\hehda.exe" [Child PID: 1764] | |
| [CreateProcess] hehda.exe:1764 > "%WinDir%\system32\cmd.exe" [Child PID: 692] |
Rurik
/ slack_twitter_follow.py
Created
June 27, 2018 16:55
Tracks a public Twitter List and posts updates to a given Slack channel
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Tracks a public Twitter List and posts updates to a given Slack channel | |
| ### Example: https://i.imgur.com/RMQB27N.png | |
| import datetime | |
| import time | |
| import twitter | |
| from slackclient import SlackClient | |
| slack_bot_id = '<FILL OUT>' | |
| slack_channel = '<FILL OUT>' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CLASSES_ROOT\AllFilesystemObjects\shell\Command Prompt Here\command] | |
| @="cmd.exe /k cd \"%L\"" | |
Rurik
/ encoded_PHP_decoder.py
Last active
April 3, 2021 16:46
A quickie decoder script for encoded PHP code. May be Fort Disco?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import base64 | |
| script = """ | |
| <? $GLOBALS['_584730172_']=Array(base64_decode('ZXJy' .'b' .'3JfcmVw' .'b' .'3J0aW5n'),base64_decode('c' .'2V0X3RpbWV' .'fbGl' .'taXQ' .'='),base64_decode('' .'ZG' .'Vma' .'W' .'5l'),base64_decode('' .'ZGlyb' .'mFtZQ=='),base64_decode('ZGVm' .'aW5l'),base64_decode('' .'d' .'W5saW5r'),base64_decode('Zml' .'sZ' .'V9le' .'G' .'lzdHM='),base64_decode('dG91Y2' .'g='),base64_decode('aXNfd3J' .'p' .'dGFibGU='),base64_decode('dHJ' .'p' .'bQ=='),base64_decode('ZmlsZ' .'V9nZXRf' .'Y29udGVud' .'HM='),base64_decode('dW5s' .'aW5r'),base64_decode('Zm' .'lsZ' .'V9nZXRf' .'Y2' .'9u' .'dGVudHM='),base64_decode('d' .'W5' .'saW5r'),base64_decode('cH' .'JlZ19' .'tYX' .'Rj' .'aA=='),base64_decode('aW1wb' .'G9kZ' .'Q=='),base64_decode('cHJlZ19t' .'YXRja' .'A=='),base64_decode('a' .'W1w' .'bG9k' .'Z' .'Q=='),base64_decode('Zml' .'s' .'ZV' .'9nZXRfY' .'29' .'udGV' .'udH' .'M='),base64_decode('Z' .'m9w' .'ZW4='),base64_decode('' .'ZmxvY' .'2' .'s' .'='),base64_decode('ZnB1' .'dH' .'M='),base64_decode('Zmx' |
Rurik
/ parse_procmon_filters.py
Last active
December 5, 2021 16:55
Quick tool to find and extract filters from Procmon configuration files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Procmon Rule Parser v0.02 | |
| # Brian Baskin - @bbaskin | |
| # Reads default rules from an exported Procmon Configuration (.PMC) or Procmon Filter (.PMF) file | |
| # Example output: | |
| """ | |
| 12:09:59-bbaskin@~/Development/Noriben$ python parse_procmon_filters.py -f ProcmonConfiguration.pmc | |
| [Exclude] Process Name is Procmon64.exe | |
| [Exclude] Operation is QueryStandardInformationFile | |
| [Exclude] Operation is RegOpenKey | |
| [Exclude] Operation is NotifyChangeDirectory |
OlderNewer