@edeca
edeca / high_entropy_pe_rules.yar
Created January 2, 2022 14:46
Variations on Yara rules by @greglesnewich
/*
Original rule from: https://gist.github.com/g-les/0745a9d6cd7f4abb3083a8dee1eaf984
Two variations on the original rule by @greglesnewich.
Conversation on Twitter at: https://twitter.com/edeca/status/1477650229709225990
*/
@edeca
edeca / yara_example_1.yar
Last active January 6, 2023 02:13
Yara rule to find a string near to other strings
import "math"
rule example {
meta:
author = "David Cannings"
description = "Rule example - finding a chunk of code near other known code"
strings:
$chunk = { AA BB CC DD }
$chunk_prologue = { 11 22 33 44 }
@edeca
edeca / mstscax_ole.yar
Last active January 6, 2023 02:14
Yara rule to detect documents (RTF/CDF/OOXML) using MsTscAx scripting controls
rule terminal_services_scripting {
meta:
author = "David Cannings"
description = "Microsoft Terminal Services Client Control (not safe for scripting)"
ref = "https://twitter.com/joe4security/status/1221765460502421504?s=20%E2%80%9D"
generated_by = "yaml2yara, see https://github.com/nccgroup/yaml2yara/"
strings:
// Parsers will open files without the full 'rtf'
$header_rtf = "{\\rt" nocase
@edeca
edeca / ida_find_internal_functions.py
Last active December 16, 2019 13:28
Find functions in IDA which are called by library functions and probably aren't user code
import idaapi
from idautils import *
########
# Date: October 2019
# Author: David Cannings (@edeca)
#
# Rename all functions that are called by library code as "__unknown_library_function_N".
#
@edeca
edeca / ida2yara.py
Created October 17, 2019 12:57
Simple script to turn strings copied from IDA into Yara strings
import fileinput
import re
import string
########
# Author: David Cannings
#
# Convert IDA string output to a Yara rule, escaping as necessary
# and using unicode modifiers.
########
import argparse
from base64 import b64decode
from binascii import unhexlify
from Crypto.Cipher import AES
########
# Author: David Cannings
# Date: 7th November 2018
#
# Quick and dirty cpassword decryption tool, ported to Python from the
@edeca
edeca / pe_mitigation_check.py
Created September 20, 2018 21:36
A simple script to check PE files for exploit mitigations (/DYNAMICBASE, /NXCOMPAT, /HIGHENTROPYVA) and anomalies
import argparse
import logging
import pefile
import sys
from prettytable import PrettyTable
########
# Author: David Cannings @edeca
# Date: September 2018
#
@edeca
edeca / paranoid-plugx-august-2017.md
Last active September 14, 2017 05:38
List of additional Paranoid PlugX indicators

Paranoid PlugX

This gist contains brief details of additional "Paranoid PlugX" files, likely associated with a sophisticated attacker. NCC Group has been monitoring a number of OOXML and RTF techniques that our red team has used since September 2016; this monitoring uncovered multiple malicious documents from around August 2017.

For the original Paranoid PlugX article, please see: https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/ (h/t Palo and @tlansec).

Documents

A few documents can be found which use 203.248.116.182 to obtain further malicious content.

@edeca
edeca / suko-smt.py
Created June 3, 2017 14:05
Basic solving of a "suko" puzzle using pysmt
from pysmt.shortcuts import Symbol, Plus, Equals, GE, LE, And, Int, AllDifferent, get_model
from pysmt.typing import INT
########
# Author: David Cannings
# Date: June 2017
#
# Basic example using pysmt to solve "Suko", a puzzle printed in some
# UK newspapers and available online.
#

Keybase proof

I hereby claim:

  • I am edeca on github.
  • I am edeca (https://keybase.io/edeca) on keybase.
  • I have a public key ASDaV4zBSc-1Hdqt39Lrgyu7mA2gekr6ho9ax92nm3BzYAo

To claim this, I am signing this object: