

deeso / rename_hosts.py
Created August 29, 2015 03:59
Quick script to log in over SSH (with username and password) and rename the hosts
import paramiko, re, time
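# Path (on an NFS export) where the helper script below is written. The rest of
# this gist is not shown here; given the paramiko import and the description,
# it presumably pushes or runs this file on each host over SSH — confirm against
# the full script before relying on that.
script_target = '/srv/nfs/cortana/logs/cmd/modify_host.py'
# Body of the helper script that runs on the target hosts: it replaces the
# placeholder hostname in /etc/hosts with the value from /etc/hostname.
# Kept byte-identical — this text is what executes remotely, not this file.
script_data = '''data = open('/etc/hosts').read()
name = open('/etc/hostname').read().strip()
new_data = data.replace('python-workx64-replaceme', name)
open('/etc/hosts', 'w').write(new_data)'''
# Use a context manager so the file is flushed and closed deterministically
# (the original relied on the unreferenced handle being garbage-collected,
# so a host reading the NFS path could race an unflushed write).
with open(script_target, 'w') as fh:
    fh.write(script_data)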
deeso / gist:c6f8141bff00335f48369da81759ed55
Last active September 20, 2017 18:51
Using pyhashdd to perform malware checks when a sandbox is not available
# Hunting for MD5s on a Disk Image Using pyhashdd and Linux
0) Figure out how to mount the image (YMMV); this depends on the image type. Here we start from a raw disk image and first list its partition table:
```fdisk msedge_disk.img```
output:
```
Welcome to fdisk (util-linux 2.27.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
deeso / simplebphook.py
Created November 18, 2017 15:42
Simple Immunity Debugger BP Hook
# Simple Breakpoint hooks for Immunity debug
# Important note: all data related to BP hooking and handling must be
# re-entrant, meaning extraneous global values in Python classes and in the
# script environment are bad. Lesson learned.
# to use this script, put in the PyCommands directory of Immunity Debug
# !simplebphook <hex_base_address_of_exe>
#
#
# To (easily) get the BP_BASE_ADDRS, set breakpoints on all
deeso / some_support_code.py
Created November 18, 2017 16:02
Supporting code for some malware analysis
# command for running socat on the remote system in a separate terminal or window
# sudo socat -v openssl-listen:443,reuseaddr,cert=$HOME/socat_ssl_server/server.pem,verify=0,fork tcp4:127.0.0.1:6000
# code for capturing the SSL-stripped (plaintext) traffic that socat forwards
import socket
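# Plaintext side of the socat TLS terminator in the command above: socat
# accepts TLS on 443 and forwards the decrypted stream to 127.0.0.1:6000,
# which is the port this listener accepts on.
host = ('', 6000)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Mirror socat's reuseaddr so the capture can be restarted immediately instead
# of failing with EADDRINUSE while the previous run's sockets sit in TIME_WAIT.
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# NOTE(review): '' binds every interface, so the decrypted traffic is reachable
# from the network, not just from socat. Since socat connects from 127.0.0.1
# (per the command above), ('127.0.0.1', 6000) would be the least-exposed
# choice; left unchanged here to preserve existing behaviour — confirm the
# capture box is not exposed before running it.
s.bind(host)
s.listen(100)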
def get_it(s):
deeso / dumpit.py
Created November 19, 2017 18:47
Immunity Debug Command to dump memory on demand
# Simple memory dump script for Immunity debug
# to use this script, put in the PyCommands directory of Immunity Debug
# !dumpit <file name prefix>
#
#
# Dump memory in SZ_LOC list to "C:\\{name}-{address}-manual-dump.bin"
import immlib
SZ_LOCS = [
# Adam Pridgen
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
deeso / stop_cpuid_detect.py
Last active December 5, 2022 05:50
Use x64dbg to look for cpuid instructions and unset the HVM bit
from x64dbgpy import pluginsdk
# Put this script in the Python path, and
# execute the following Python snippets in
# the Python dialog in x64dbg:
#
# from stop_cpuid_detect import *
# trace_cpuid(n=1000)
# the above code will trace through the program
deeso / vt-rate-limited-submit.py
Created January 26, 2018 17:51
Rate limit the IOCs submitted to VT
import string
from pymongo import MongoClient
from datetime import datetime
import traceback
import argparse
import sys
from threading import Thread, Lock
import logging
import time
from virus_total_apis import PublicApi as VTPublic
deeso / enum_top1m_sslcerts.py
Last active July 28, 2018 09:48
enumerate the top 1m sites SSL certificates.
import traceback
from datetime import datetime
import ssl
import socket
from OpenSSL import SSL
from multiprocessing import Pool
# X.509 subject attribute names (Common Name, Organization, Country).
# Presumably used to pick these fields out of each site's certificate subject
# in the part of the script not shown here — confirm against the full source.
CN_S, O_S, C_S = 'commonName', 'organizationName', 'countryName'
from pymongo import MongoClient
import json, os, time, signal, threading, sys
from datetime import datetime, timedelta
from gglsbl import SafeBrowsingList
from datetime import datetime
from datetime import datetime, timedelta
from virus_total_apis import PrivateApi, PublicApi
import argparse
import sys