Albert Zsigovits (albertzsigovits)
🕹️ [_]/\XO
@usualsuspect
usualsuspect / knotweed_config_extractor.py
Last active February 5, 2023 18:36
Config extractor for Jumplump malware family from the Knotweed report
#!/usr/bin/env python3
#
# Author: @jaydinbas
#
# Extract config from Knotweed Jumplump samples
# Note: Not all samples tagged as 'Jumplump' in the MS report
# contain a config, some just load other samples that do
#
# Works for
# cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b
@virtualex-itv
virtualex-itv / Update-AUPackages.md
Last active May 7, 2024 06:03
Update-AUPackages Report #powershell #chocolatey

Using YARA python interface to parse files

I've shared this technique with some people privately, but might as well share it publicly now since I was asked about it. I've been using this for a while now with good success. It works well for parsing .NET droppers and other things.

If you don't know what the -D flag to YARA does, I suggest you import a module and run a file through using that flag. It will print, to stdout, everything the module parsed that doesn't involve you calling a function. This is a great way to get a quick idea of the structure of a file.

For example:

wxs@mbp yara % cat always_false.yara
@Neo23x0
Neo23x0 / yara_performance_guidelines.md
Last active April 30, 2024 10:39
YARA Performance Guidelines

This Gist has been transferred into a GitHub repo. You'll find the most recent version there.

YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.4, October 2020, applies to all YARA versions higher than 3.7