@dmknght
dmknght / dirtycow.yara
Last active October 31, 2022 20:39
A demo of using a YARA rule to match multiple imported functions in an ELF file
```yara
import "elf"
/*
ANALYSIS
The example is a compiled DirtyCow exploit.
The binary imports several distinctive functions: getpass, getpid, madvise, pthread_create, pthread_join, ptrace, waitpid
Location: section ".dynstr", size 0xfa, YARA type "elf.SHT_STRTAB"
The ELF module of the current YARA version (4.2.0) has no built-in function to check that several functions are imported by a binary.
This rule file shows an easy way to do it.
*/
```
@dmknght
dmknght / tree_sitter_py_scan.py
Last active March 13, 2022 02:52
Simple test code to scan malicious Python scripts
```python
"""
Code parser with tree-sitter
Install: `sudo pip3 install tree_sitter`
Clone the parser for each programming language into the same directory as this script: `git clone https://github.com/tree-sitter/tree-sitter-python`
Create a test script such as eval(base64.decode(<base64_text>))
"""
from tree_sitter import Language, Parser
```
@dmknght
dmknght / tree_sitter_C_scan.py
Created March 13, 2022 02:35
Simple test code that tries to parse a C source file and scan for dangerous function calls with tree-sitter
```python
"""
Code parser with tree-sitter
Install: `sudo pip3 install tree_sitter`
Clone the parser for each programming language into the same directory as this script: `git clone https://github.com/tree-sitter/tree-sitter-c`
Create any test code (like vuln.c)
"""
from tree_sitter import Language, Parser
```
@dmknght
dmknght / check_md5sum_with_deb.nim
Created February 7, 2022 20:07
Compare the md5sum of a file with the md5sum database of Debian's packages
```nim
#[
Works on Debian-based systems only
Tested with Parrot 5.0
Compile: nim c -d:danger <file_name.nim>
Compare the md5sum of a file with Debian's package database.
]#
import os
import strutils
```
```python
import os
sublime_binary_path = "/tmp/sublime_text" # FIXME: this is the absolute path to the writable sublime_text binary.
version_magic_string = "4126"
sz_magic_string = 4
version_magic_string_offset = 0x0002d78a # (Real offset from xxd)
is_file_read = os.access(sublime_binary_path, os.R_OK)
if not is_file_read:
```
@dmknght
dmknght / sublimetext_4121_crack_windows.py
Created November 9, 2021 05:01
Patch sublime_text build 4121 for Windows. Tested with the portable version
```python
import os
sublime_binary_path = "/home/dmknght/Desktop/sublime_text_windows/sublime_text.exe"
version_magic_string = "/updates/4/stable_update_check?version=4121&platform=windows&arch=x64"
sz_magic_string = 69
version_magic_string_offset = 0x007533d5 # (Real offset from xxd)
is_file_read = os.access(sublime_binary_path, os.R_OK)
if not is_file_read:
```
@dmknght
dmknght / sublimetext_4121_crack.py
Last active January 19, 2022 05:37
Patch the binary of sublime_text amd64 Linux build 4121
```python
import os
sublime_binary_path = "/tmp/sublime_text"
version_magic_string = "/updates/4/stable_update_check?version=4121&platform=linux&arch=x64"
sz_magic_string = 67
version_magic_string_offset = 0x000106bd # (Real offset from xxd)
is_file_read = os.access(sublime_binary_path, os.R_OK)
if not is_file_read:
```
@dmknght
dmknght / sublimetext_3211_crack.py
Created November 7, 2021 13:05
A short Python script (no functions at all) to patch the license check for sublime_text build 3211 Linux x64
```python
import os
#sublime_binary_path = "/opt/sublime_text/sublime_text_b3211"
sublime_binary_path = "/tmp/sublime_text_3211/sublime_text"
version_magic_string = "/updates/3/stable/updatecheck?version=3211&platform=linux&arch=x64"
sz_magic_string = 66
#version_magic_string_offset = 0x00209ee0 # Offset from disassembler
version_magic_string_offset = 0x00009ee0 # (Real offset from xxd)
```
@dmknght
dmknght / metasploit_config
Last active November 1, 2021 02:07
Config for Metasploit_Prompt on Parrot
Path: `~/.msf4/config`
Variables: `Prompt`, `PromptChar`, `MeterpreterPrompt`
Config:
```
[framework/core]
Prompt=[%grnmsf%clr][%bld%yelJobs%clr:%whi%J%clr][%bld%cyaAgents%clr:%whi%S%clr]
PromptChar=%yel$%clr
MeterpreterPrompt=[ID:%S][%M][%H_%A][%U](%D)
```
- Jobs `%J`: how many jobs are running in the background
@dmknght
dmknght / clamav_yara.md
Last active October 30, 2021 01:20
An attempt to make the ClamAV engine use the YARA pattern-matching engine

C code. Compile with `gcc <filename>.c -o run -lclamav -lyara`. Problems:

  1. The scanner sometimes doesn't run. Possibly a threading problem in the scan engine.
  2. Scanning of a zip file is interrupted when the first file is matched as malware, so the other files in the archive may be skipped. This can be solved by changing CL_VIRUS to CL_CLEAN in the scan callback.
  3. No method to get file_path (the full file path) yet.
```c
#include "clamav.h"
#include "yara.h"
#include <stdio.h>
#include <unistd.h>
```