David Cannings edeca

@edeca
edeca / yara_example_1.yar
Last active May 5, 2020
Yara rule to find a string near to other strings
import "math"

rule example {
    meta:
        author = "David Cannings"
        description = "Rule example - finding a chunk of code near other known code"
    strings:
        $chunk = { AA BB CC DD }
        $chunk_prologue = { 11 22 33 44 }
edeca / mstscax_ole.yar
Last active Feb 3, 2020
Yara rule to detect documents (RTF/CDF/OOXML) using MsTscAx scripting controls
rule terminal_services_scripting {
    meta:
        author = "David Cannings"
        description = "Microsoft Terminal Services Client Control (not safe for scripting)"
        ref = "https://twitter.com/joe4security/status/1221765460502421504?s=20%E2%80%9D"
        generated_by = "yaml2yara, see https://github.com/nccgroup/yaml2yara/"
    strings:
        // Parsers will open files without the full 'rtf'
        $header_rtf = "{\\rt" nocase
edeca / ida_find_internal_functions.py
Last active Dec 16, 2019
Find functions in IDA which are called by library functions and probably aren't user code
import idaapi
from idautils import *
########
# Date: October 2019
# Author: David Cannings (@edeca)
#
# Rename all functions that are called by library code as "__unknown_library_function_N".
#
edeca / ida2yara.py
Created Oct 17, 2019
Simple script to turn strings copied from IDA into Yara strings
import fileinput
import re
import string
########
# Author: David Cannings
#
# Convert IDA string output to a Yara rule, escaping as necessary
# and using unicode modifiers.
########
edeca / decrypt_cpassword.py
import argparse
from base64 import b64decode
from binascii import unhexlify
from Crypto.Cipher import AES
########
# Author: David Cannings
# Date: 7th November 2018
#
# Quick and dirty cpassword decryption tool, ported to Python from the
edeca / pe_mitigation_check.py
Created Sep 20, 2018
A simple script to check PE files for exploit mitigations (/DYNAMICBASE, /NXCOMPAT, /HIGHENTROPYVA) and anomalies
import argparse
import logging
import pefile
import sys
from prettytable import PrettyTable
########
# Author: David Cannings @edeca
# Date: September 2018
#
edeca / paranoid-plugx-august-2017.md
Last active Sep 14, 2017
List of additional Paranoid PlugX indicators

Paranoid PlugX

This gist contains brief details of additional "Paranoid PlugX" files, likely associated with a sophisticated attacker. NCC Group has been monitoring for a number of OOXML and RTF techniques that our red team has used since September 2016; this monitoring uncovered multiple malicious documents from around August 2017.

For the original Paranoid PlugX article, please see: https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/ (h/t Palo and @tlansec).

Documents

A few documents can be found which use 203.248.116.182 to obtain further malicious content.

edeca / suko-smt.py
Created Jun 3, 2017
Basic solving of a "suko" puzzle using pysmt
from pysmt.shortcuts import Symbol, Plus, Equals, GE, LE, And, Int, AllDifferent, get_model
from pysmt.typing import INT
########
# Author: David Cannings
# Date: June 2017
#
# Basic example using pysmt to solve "Suko", a puzzle printed in some
# UK newspapers and available online.
#
edeca / keybase.md

Keybase proof

I hereby claim:

  • I am edeca on github.
  • I am edeca (https://keybase.io/edeca) on keybase.
  • I have a public key ASDaV4zBSc-1Hdqt39Lrgyu7mA2gekr6ho9ax92nm3BzYAo

To claim this, I am signing this object:
