Nong Hoang Tu dmknght
dmknght
/ sublimetext_4121_crack.py
Last active
January 19, 2022 05:37
Patch binary of sublimtext amd64 linux build 4121
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| sublime_binary_path = "/tmp/sublime_text" | |
| version_magic_string = "/updates/4/stable_update_check?version=4121&platform=linux&arch=x64" | |
| sz_magic_string = 67 | |
| version_magic_string_offset = 0x000106bd # (Real offset from xxd) | |
| is_file_read = os.access(sublime_binary_path, os.R_OK) | |
| if not is_file_read: |
dmknght
/ sublimetext_4121_crack_windows.py
Created
November 9, 2021 05:01
Patch sublime_text build 4121 Windows. Tested with portable version
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| sublime_binary_path = "/home/dmknght/Desktop/sublime_text_windows/sublime_text.exe" | |
| version_magic_string = "/updates/4/stable_update_check?version=4121&platform=windows&arch=x64" | |
| sz_magic_string = 69 | |
| version_magic_string_offset = 0x007533d5 # (Real offset from xxd) | |
| is_file_read = os.access(sublime_binary_path, os.R_OK) | |
| if not is_file_read: |
dmknght
/ sublimetext_4126_crack_linux.py
Last active
August 26, 2022 00:28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| sublime_binary_path = "/tmp/sublime_text" # FIXME: this is the absolute path to writable sublime_text binary. | |
| version_magic_string = "4126" | |
| sz_magic_string = 4 | |
| version_magic_string_offset = 0x0002d78a # (Real offset from xxd) | |
| is_file_read = os.access(sublime_binary_path, os.R_OK) | |
| if not is_file_read: |
dmknght
/ check_md5sum_with_deb.nim
Created
February 7, 2022 20:07
Compare md5sum of a file with md5sum db of Debian's packages
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #[ | |
| Work on Debian based only | |
| Tested with Parrot 5.0 | |
| Compile: nim c -d:danger <file_name.nim> | |
| Compare md5sum of a file with Debian's packages database. | |
| ]# | |
| import os | |
| import strutils |
dmknght
/ tree_sitter_C_scan.py
Created
March 13, 2022 02:35
Simple test code, try to parse C script and scan for dangerous function call with Tree sitter
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| Code parser with tree sitter | |
| `sudo pip3 install tree_sitter` | |
| clone parser for each programming language (same dir with code py) `git clone https://github.com/tree-sitter/tree-sitter-c` | |
| create any test code (like vuln.c) | |
| """ | |
| from tree_sitter import Language, Parser |
dmknght
/ tree_sitter_py_scan.py
Last active
March 13, 2022 02:52
Simple test code to scan malicious py scripts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| Code parser with tree sitter | |
| `sudo pip3 install tree_sitter` | |
| clone parser for each programming language (same dir with code py) `git clone https://github.com/tree-sitter/tree-sitter-python` | |
| create test code like eval(base64.decode(<base64_text>)) | |
| """ | |
| from tree_sitter import Language, Parser |
dmknght
/ dirtycow.yara
Last active
October 31, 2022 20:39
A demo of using yara rule to match multiple import functions in ELF file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "elf" | |
| /* | |
| ANALYSIS | |
| Example is a compiled DirtyCow Exploit | |
| The binary has multiple unique functions: getpass, getpid, madvise, pthread_create, pthread_join, ptrace, waitpid | |
| Location: section ".dynstr", size 0xfa, Yara type "elf.SHT_STRTAB" | |
| Current ELF module of Yara version (4.2.0) doesn't have built-in function to check multiple functions imported in binary. | |
| This rule file shows an easy way to do it | |
| */ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "elf" | |
| /* | |
| When system is infected by this rootkit | |
| all processes load malicious lib (LD_PRELOAD) | |
| It's possible to detect via strings, however, | |
| current Yara version doesn't load ELF header | |
| of mapped file. | |
| */ |
dmknght
/ meterpreter.yara
Created
December 30, 2022 10:39
Rule to detect Metasploit's meterpreter shellcode
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule elf64_meterpreter_revtcp_raw { | |
| meta: | |
| description = "Detect Meterpreter ELF 64 staged reverse TCP no encoders" | |
| strings: | |
| $ = {6a 22 [4] 0f 05 [10] 6a 29 [8] 0f 05} | |
| condition: | |
| all of them | |
| } |
dmknght
/ clam_hashes_to_yara.nim
Created
January 14, 2023 03:30
A quick nim script to convert ClamAV hashes to Yara rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Compile: nim c --opt:speed clam_hashes_to_yara.nim | |
| import strutils | |
| const | |
| clam_db_path = "/home/dmknght/Desktop/performance_comparison/main.hdb" | |
| yr_converted_rule = "/home/dmknght/Desktop/performance_comparison/clam_hashes.yara" | |
| type | |
| HashSig = object |