Nong Hoang Tu dmknght

## symbiote.yara
import "elf"

/*
  When system is infected by this rootkit
  all processes load malicious lib (LD_PRELOAD)
  It's possible to detect via strings, however,
  current Yara version doesn't load ELF header
  of mapped file.
*/

## dirtycow.yara
import "elf"

/*
  ANALYSIS
  Example is a compiled DirtyCow Exploit
  The binary has multiple unique functions: getpass, getpid, madvise, pthread_create, pthread_join, ptrace, waitpid
  Location: section ".dynstr", size 0xfa, Yara type "elf.SHT_STRTAB"
  Current ELF module of Yara version (4.2.0) doesn't have built-in function to check multiple functions imported in binary.
  This rule file shows an easy way to do it
*/

## tree_sitter_py_scan.py
"""
Code parser with tree sitter
`sudo pip3 install tree_sitter`
clone parser for each programming language (same dir with code py) `git clone https://github.com/tree-sitter/tree-sitter-python`
create test code like eval(base64.decode(<base64_text>))
"""


from tree_sitter import Language, Parser

## tree_sitter_C_scan.py
"""
Code parser with tree sitter
`sudo pip3 install tree_sitter`
clone parser for each programming language (same dir with code py) `git clone https://github.com/tree-sitter/tree-sitter-c`
create any test code (like vuln.c)
"""


from tree_sitter import Language, Parser

## check_md5sum_with_deb.nim
#[
  Work on Debian based only
  Tested with Parrot 5.0
  Compile: nim c -d:danger <file_name.nim>
  Compare md5sum of a file with Debian's packages database.

]#

import os
import strutils

## sublimetext_4126_crack_linux.py
import os


sublime_binary_path = "/tmp/sublime_text" # FIXME: this is the absolute path to writable sublime_text binary.
version_magic_string = "4126"
sz_magic_string = 4
version_magic_string_offset = 0x0002d78a # (Real offset from xxd)

is_file_read = os.access(sublime_binary_path, os.R_OK)
if not is_file_read:

## sublimetext_4121_crack_windows.py
import os


sublime_binary_path = "/home/dmknght/Desktop/sublime_text_windows/sublime_text.exe"
version_magic_string = "/updates/4/stable_update_check?version=4121&platform=windows&arch=x64"
sz_magic_string = 69
version_magic_string_offset = 0x007533d5 # (Real offset from xxd)

is_file_read = os.access(sublime_binary_path, os.R_OK)
if not is_file_read:

## sublimetext_4121_crack.py
import os


sublime_binary_path = "/tmp/sublime_text"
version_magic_string = "/updates/4/stable_update_check?version=4121&platform=linux&arch=x64"
sz_magic_string = 67
version_magic_string_offset = 0x000106bd # (Real offset from xxd)

is_file_read = os.access(sublime_binary_path, os.R_OK)
if not is_file_read:

## sublimetext_3211_crack.py
import os


#sublime_binary_path = "/opt/sublime_text/sublime_text_b3211"
sublime_binary_path = "/tmp/sublime_text_3211/sublime_text"
version_magic_string = "/updates/3/stable/updatecheck?version=3211&platform=linux&arch=x64"
sz_magic_string = 66
#version_magic_string_offset = 0x00209ee0 # Offset from disassembler
version_magic_string_offset = 0x00009ee0 # (Real offset from xxd)

## metasploit_config
path `~/.msf4/config`
Variables: `Prompt`, `PromptChar`, `MeterpreterPrompt`
Config
```
[framework/core]
Prompt=[%grnmsf%clr][%bld%yelJobs%clr:%whi%J%clr][%bld%cyaAgents%clr:%whi%S%clr]
PromptChar=%yel$%clr
MeterpreterPrompt=[ID:%S][%M][%H_%A][%U](%D)
```
- Jobs %J: How many jobs are running in background
	import "elf"

	/*
	When system is infected by this rootkit
	all processes load malicious lib (LD_PRELOAD)
	It's possible to detect via strings, however,
	current Yara version doesn't load ELF header
	of mapped file.
	*/
	import "elf"

	/*
	ANALYSIS
	Example is a compiled DirtyCow Exploit
	The binary has multiple unique functions: getpass, getpid, madvise, pthread_create, pthread_join, ptrace, waitpid
	Location: section ".dynstr", size 0xfa, Yara type "elf.SHT_STRTAB"
	Current ELF module of Yara version (4.2.0) doesn't have built-in function to check multiple functions imported in binary.
	This rule file shows an easy way to do it
	*/
	"""
	Code parser with tree sitter
	`sudo pip3 install tree_sitter`
	clone parser for each programming language (same dir with code py) `git clone https://github.com/tree-sitter/tree-sitter-python`
	create test code like eval(base64.decode(<base64_text>))
	"""


	from tree_sitter import Language, Parser
	#[
	Work on Debian based only
	Tested with Parrot 5.0
	Compile: nim c -d:danger <file_name.nim>
	Compare md5sum of a file with Debian's packages database.

	]#

	import os
	import strutils
	import os


	sublime_binary_path = "/tmp/sublime_text" # FIXME: this is the absolute path to writable sublime_text binary.
	version_magic_string = "4126"
	sz_magic_string = 4
	version_magic_string_offset = 0x0002d78a # (Real offset from xxd)

	is_file_read = os.access(sublime_binary_path, os.R_OK)
	if not is_file_read:
	import os


	sublime_binary_path = "/home/dmknght/Desktop/sublime_text_windows/sublime_text.exe"
	version_magic_string = "/updates/4/stable_update_check?version=4121&platform=windows&arch=x64"
	sz_magic_string = 69
	version_magic_string_offset = 0x007533d5 # (Real offset from xxd)

	is_file_read = os.access(sublime_binary_path, os.R_OK)
	if not is_file_read:
	import os


	#sublime_binary_path = "/opt/sublime_text/sublime_text_b3211"
	sublime_binary_path = "/tmp/sublime_text_3211/sublime_text"
	version_magic_string = "/updates/3/stable/updatecheck?version=3211&platform=linux&arch=x64"
	sz_magic_string = 66
	#version_magic_string_offset = 0x00209ee0 # Offset from disassembler
	version_magic_string_offset = 0x00009ee0 # (Real offset from xxd)
	path `~/.msf4/config`
	Variables: `Prompt`, `PromptChar`, `MeterpreterPrompt`
	Config
	```
	[framework/core]
	Prompt=[%grnmsf%clr][%bld%yelJobs%clr:%whi%J%clr][%bld%cyaAgents%clr:%whi%S%clr]
	PromptChar=%yel$%clr
	MeterpreterPrompt=[ID:%S][%M][%H_%A][%U](%D)
	```
	- Jobs %J: How many jobs are running in background