View parse_windef_sigs.nim
import streams
import bitops
import strutils
import std/enumutils

const
  db_name = "mpavbase.vdm.extracted"

type
View clam_hashes_to_yara.nim
# Compile: nim c --opt:speed clam_hashes_to_yara.nim
import strutils

const
  clam_db_path = "/home/dmknght/Desktop/performance_comparison/main.hdb"
  yr_converted_rule = "/home/dmknght/Desktop/performance_comparison/clam_hashes.yara"

type
  HashSig = object
View meterpreter.yara
rule elf64_meterpreter_revtcp_raw {
  meta:
    description = "Detect Meterpreter ELF 64 staged reverse TCP no encoders"
  strings:
    $ = {6a 22 [4] 0f 05 [10] 6a 29 [8] 0f 05}
  condition:
    all of them
}
View symbiote.yara
import "elf"

/*
  When a system is infected by this rootkit, every process loads the
  malicious library (via LD_PRELOAD).
  It is possible to detect it via strings; however, the current Yara
  version doesn't load the ELF header of the mapped file.
*/
View dirtycow.yara
import "elf"

/*
  ANALYSIS
  The example is a compiled DirtyCow exploit.
  The binary imports several distinctive functions: getpass, getpid, madvise,
  pthread_create, pthread_join, ptrace, waitpid.
  Location: section ".dynstr", size 0xfa, Yara type "elf.SHT_STRTAB".
  The ELF module of the current Yara version (4.2.0) has no built-in function
  to check that several functions are imported by a binary.
  This rule file shows an easy way to do it.
*/
View tree_sitter_py_scan.py
"""
Code parser with tree-sitter.
Install: `sudo pip3 install tree_sitter`
Clone the parser for each programming language (same dir as this .py file):
`git clone https://github.com/tree-sitter/tree-sitter-python`
Create test code such as eval(base64.decode(<base64_text>))
"""
from tree_sitter import Language, Parser
View tree_sitter_C_scan.py
"""
Code parser with tree-sitter.
Install: `sudo pip3 install tree_sitter`
Clone the parser for each programming language (same dir as this .py file):
`git clone https://github.com/tree-sitter/tree-sitter-c`
Create any test code (e.g. vuln.c)
"""
from tree_sitter import Language, Parser
View check_md5sum_with_deb.nim
#[
  Works on Debian-based systems only.
  Tested with Parrot 5.0.
  Compile: nim c -d:danger <file_name.nim>
  Compares the md5sum of a file with Debian's package database.
]#
import os
import strutils
View sublimetext_4126_crack_linux.py
import os

sublime_binary_path = "/tmp/sublime_text"  # FIXME: this is the absolute path to writable sublime_text binary.
version_magic_string = "4126"
sz_magic_string = 4
version_magic_string_offset = 0x0002d78a  # (Real offset from xxd)

is_file_read = os.access(sublime_binary_path, os.R_OK)
if not is_file_read:
View sublimetext_4121_crack_windows.py
import os

sublime_binary_path = "/home/dmknght/Desktop/sublime_text_windows/sublime_text.exe"
version_magic_string = "/updates/4/stable_update_check?version=4121&platform=windows&arch=x64"
sz_magic_string = 69
version_magic_string_offset = 0x007533d5  # (Real offset from xxd)

is_file_read = os.access(sublime_binary_path, os.R_OK)
if not is_file_read: