dso deeso
deeso
/ rename_hosts.py
Created
August 29, 2015 03:59
quick script to login and rename the hosts with ssh, username, and password
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import paramiko, re, time | |
| script_target = '/srv/nfs/cortana/logs/cmd/modify_host.py' | |
| script_data= '''data = open('/etc/hosts').read() | |
| name = open('/etc/hostname').read().strip() | |
| new_data = data.replace('python-workx64-replaceme', name) | |
| open('/etc/hosts', 'w').write(new_data)''' | |
| open(script_target, 'w').write(script_data) |
deeso
/ gist:c6f8141bff00335f48369da81759ed55
Last active
September 20, 2017 18:51
Using pyhashdd to perform malware checks when a sandbox is not available
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Hunting for MD5s on a Disk Image Using pyhashdd and Linux | |
| 0) Figure out how to mount the image (YMMV) depending on image type. Here we mount a raw disk image. | |
| ```fdisk msedge_disk.img``` | |
| output: | |
| ``` | |
| Welcome to fdisk (util-linux 2.27.1). | |
| Changes will remain in memory only, until you decide to write them. | |
| Be careful before using the write command. | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simple Breakpoint hooks for Immunity debug | |
| # Important note that all data related to BP hooking and handling | |
| # must be re-entrant, meaning extraneous global values in Python | |
| # classes and script environment are bad. Lesson learned | |
| # to use this script, put in the PyCommands directory of Immunity Debug | |
| # !simplebphook <hex_base_address_of_exe> | |
| # | |
| # | |
| # To (easily) get the BP_BASE_ADDRS, set breakpoints on all |
deeso
/ some_support_code.py
Created
November 18, 2017 16:02
Supporting code for some malware analysis
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # command for running socat on the remote system in a separate terminal or window | |
| # sudo socat -v openssl-listen:443,reuseaddr,cert=$HOME/socat_ssl_server/server.pem,verify=0,fork tcp4:127.0.0.1:6000 | |
| # code for capturing SSL stripped traffic | |
| import socket | |
| host = ('', 6000) | |
| s = socket.socket() | |
| s.bind(host) | |
| s.listen(100) | |
| def get_it(s): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simple memory dump script for Immunity debug | |
| # to use this script, put in the PyCommands directory of Immunity Debug | |
| # !dumpit <file name prefix> | |
| # | |
| # | |
| # Dump memory in SZ_LOC list to "C:\\{name}-{address}-manual-dump.bin" | |
| import immlib | |
| SZ_LOCS = [ |
deeso
/ simplified_email.py
Last active
December 10, 2018 17:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Adam Pridgen | |
| # Licensed to the Apache Software Foundation (ASF) under one | |
| # or more contributor license agreements. See the NOTICE file | |
| # distributed with this work for additional information | |
| # regarding copyright ownership. The ASF licenses this file | |
| # to you under the Apache License, Version 2.0 (the | |
| # "License"); you may not use this file except in compliance | |
| # with the License. You may obtain a copy of the License at | |
| # | |
| # http://www.apache.org/licenses/LICENSE-2.0 |
deeso
/ stop_cpuid_detect.py
Last active
December 5, 2022 05:50
use x64dbg look for cpuid instructions and unset the HVM bit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from x64dbgpy import pluginsdk | |
| # Put this script in the Python path, and | |
| # execute the following Python snippets in | |
| # the Python dialog in x64dbg: | |
| # | |
| # from stop_cpuid_detect import * | |
| # trace_cpuid(n=1000) | |
| # the above code will trace through the program |
deeso
/ vt-rate-limited-submit.py
Created
January 26, 2018 17:51
Rate limit the IOCs submitted to VT
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import string | |
| from pymongo import MongoClient | |
| from datetime import datetime | |
| import traceback | |
| import argparse | |
| import sys | |
| from threading import Thread, Lock | |
| import logging | |
| import time | |
| from virus_total_apis import PublicApi as VTPublic |
deeso
/ gist:d64e91412388f7f2428a926e0b3c8ef5
Last active
July 28, 2018 09:48
enumerate the top 1m sites SSL certificates.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import traceback | |
| from datetime import datetime | |
| import ssl | |
| import socket | |
| from OpenSSL import SSL | |
| from multiprocessing import Pool | |
| CN_S = 'commonName' | |
| O_S = 'organizationName' | |
| C_S = 'countryName' |
deeso
/ safebrowsing_lookup.py
Last active
March 22, 2018 11:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pymongo import MongoClient | |
| import json, os, time, signal, threading, sys | |
| from datetime import datetime, timedelta | |
| from gglsbl import SafeBrowsingList | |
| from datetime import datetime | |
| from datetime import datetime, timedelta | |
| from virus_total_apis import PrivateApi, PublicApi | |
| import argparse | |
| import sys |