- Rizin, fork of radare2: https://github.com/rizinorg/rizin
- metasploit-framework: https://github.com/rapid7/metasploit-framework
- yara: https://github.com/VirusTotal/yara
- ClamAV (to compare our work): https://github.com/Cisco-Talos/clamav
diffto compare hashes saved in files- Load Library: a loader to run Windows defender on Linux https://github.com/taviso/loadlibrary/. It requires
cabextractto get latest engine of Windows Defender. I have modified version of it here https://nest.parrotsec.org/dmknght/windefender-loader which allow scan whole directory. However, it doesn't work with latest version of the engine. So i'll copy the code i added to new version of loadlibrary. - Cigarrates and Tom Ellis's songs.
Nong Hoang Tu dmknght
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import sys, re, requests | |
| from urllib.parse import urljoin | |
| if len(sys.argv) == 1: | |
| print("Give me URL") | |
| sys.exit(1) | |
| else: | |
| url = sys.argv[1] | |
dmknght
/ yara_section_scan.md
Last active
September 29, 2021 01:36
Defeat metasploit's binaries with yara and section scan
dmknght
/ pasre_hashes.nim
Last active
August 18, 2021 00:02
Quick and ugly script to parse section hashes from rizin's rz-bin and get same hashes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| import osproc | |
| import os | |
| import strutils | |
| import sequtils | |
| const | |
| whitelisted_hashes_db_name = "whitelisted_hashes" | |
dmknght
/ yara_section_scan_2.md
Last active
August 18, 2021 00:59
Real world challenge with Mirai and its variants
Sample to use https://github.com/MalwareSamples/Linux-Malware-Samples
Run ClamScan get list of Mirai samples: clamscan -i . | grep Mirai > mirai_list
We can see 84 files were detected
$cat mirai_list | wc -l
84
84 samples matched by 22 signatures
dmknght
/ shellcode_excutor_detection_and_bypass.md
Last active
October 11, 2021 11:04
shellcode_excutor_detection_and_bypass.md
I. Info
- Analysis shellcode execution (excutor?) samples and try to create effectives rules to detect them
- Understand the method and bypass Before we start:
- Backend knowledge
- What is shellcode: https://en.wikipedia.org/wiki/Shellcode
- ELF file structure: https://en.wikipedia.org/wiki/Executable_and_Linkable_Format. This tutorial is for ELF files, but PE file should be similar
- ELF Analysis https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/. I'd recommend the book https://www.packtpub.com/product/learning-linux-binary-analysis/9781782167105. This book is awesome!
- Tools:
- Rizin and Rizin cutter
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Quick pkg build scripts to handle automation build | |
| # Depends: gbp-buildpackage (gbp) | |
| # Depends: dpkg-dev (dpkg-source) | |
| # Depends: devscripts (mk-build-deps, debuild) | |
| # Depends: apt, grep, cut | |
| function apt_install_deps() { |
dmknght
/ parrotos_on_hackerhouse.md
Last active
October 25, 2021 18:35
Note of using tools on ParrotOS with hackerHouse labs. This is the result of testing pentest tools quality
dmknght
/ clamav_yara.md
Last active
October 30, 2021 01:20
Try to make ClamAV engine uses Yara pattern matching engine
C code. Compile gcc <filename>.c -o run -lclamav -lyara
Problems:
- Scanner sometime doesn't run. Possibly threading problem of scan engine
- Zip file interrupts when first file is matched as malware. It is possibly to bypass other files in archive file. We can solve it by change CL_VIRUS to CL_CLEAN in scan callback.
- No method to get file_path (full file path) yet
#include "clamav.h"
#include "yara.h"
#include <stdio.h>
#include <unistd.h>
dmknght
/ metasploit_config
Last active
November 1, 2021 02:07
Config for Metasploit_Prompt on parrot
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| path `~/.msf4/config` | |
| Variables: `Prompt`, `PromptChar`, `MeterpreterPrompt` | |
| Config | |
| ``` | |
| [framework/core] | |
| Prompt=[%grnmsf%clr][%bld%yelJobs%clr:%whi%J%clr][%bld%cyaAgents%clr:%whi%S%clr] | |
| PromptChar=%yel$%clr | |
| MeterpreterPrompt=[ID:%S][%M][%H_%A][%U](%D) | |
| ``` | |
| - Jobs %J: How many jobs are running in background |
dmknght
/ sublimetext_3211_crack.py
Created
November 7, 2021 13:05
A short python script (no functions at all) to patch lincense check for sublime_text build 3211 Linux x64
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| #sublime_binary_path = "/opt/sublime_text/sublime_text_b3211" | |
| sublime_binary_path = "/tmp/sublime_text_3211/sublime_text" | |
| version_magic_string = "/updates/3/stable/updatecheck?version=3211&platform=linux&arch=x64" | |
| sz_magic_string = 66 | |
| #version_magic_string_offset = 0x00209ee0 # Offset from disassembler | |
| version_magic_string_offset = 0x00009ee0 # (Real offset from xxd) |
OlderNewer