Skip to content

Instantly share code, notes, and snippets.

View enkomio's full-sized avatar
💭
not a hacker

Antonio Parata enkomio

💭
not a hacker
View GitHub Profile
@enkomio
enkomio / rovnix_conn.py
Created August 25, 2015 16:53
Rovnix key generation and data encryption
from unicorn import *
from unicorn.x86_const import *
from capstone import *
import base64
import time
from collections import deque
encrypt_data_code = b"\x55\x8B\xEC\x83\xEC\x18\x8B\x50\x20\x53\x8B\x58\x28\x56\x8B\x70\x24\x57\x8B\xF9\x33\x5F\x08\x33\x17\x33\x77\x04\x33\x98\x38\x02\x00\x00\x33\x90\x30\x02\x00\x00\x33\xB0\x34\x02\x00\x00\x8B\x48\x2C\x33\x4F\x0C\x33\x88\x3C\x02\x00\x00\x8B\xF9\x0B\xCA\x33\xFE\x89\x4D\xFC\x8B\xCB\x33\xCE\x89\x7D\xF8\x89\x4D\xEC\x33\x4D\xFC\x8B\xFE\x33\xFA\x89\x4D\xF4\x8B\xCF\x23\x7D\xF8\x23\xCB\x8B\x5D\xF8\xF7\xD3\x0B\xCB\x8B\x5D\xEC\x0B\xDA\x33\xCB\x33\xF9\x33\x7D\xF4\x33\xFA\x8B\xDF\x0B\xD9\x23\x5D\xFC\x33\xDE\xC1\xC1\x0D\xC1\xC3\x03\x8B\xF3\x33\xF7\x33\xF1\x89\x4D\xF8\xD1\xC6\x8B\xD1\xC1\xE2\x03\x33\xD3\x33\x55\xF4\x8B\xCE\xC1\xE1\x07\x33\xCB\xC1\xC2\x07\x8B\xDE\x33\x5D\xF8\x33\x70\x34\x33\xCA\x33\xDA\x33\x50\x3C\xC1\xC1\x16\x33\x48\x38\xC1\xC3\x05\x33\x58\x30\x8B\xFB\x33\xFA\x89\x7D\xF0\x8B\xFE\x33\xFA\x89\x7D\xF4\x8B\xF9\xF7\xD7\x89\x7D\xFC\x8B\xFE\x89\x5D\xF8\x23\xFB\x33
@enkomio
enkomio / phquirk.py
Created May 13, 2017 19:16
Script to interact with hidden web shell
import httplib2
import binascii
import os
import base64
import sys
if len(sys.argv) < 3:
print "Usage: {0} <url> <command>".format(sys.argv[0])
exit(1)
@enkomio
enkomio / Ploutus.D_rebuilder.fs
Last active May 28, 2024 21:19
This code extracts the real MSIL bytecode of the malware sample and rebuild a new assembly
open System
open System.Linq
open System.Reflection
open System.Runtime.CompilerServices
open System.Collections
open System.Collections.Generic
open System.Diagnostics
open Microsoft.Diagnostics.Runtime
open dnlib.DotNet
open dnlib.DotNet.Emit
@enkomio
enkomio / qtlEIBBYuV.cs
Created February 27, 2018 07:51
compileMethod hook
[MethodImpl(MethodImplOptions.NoInlining)]
internal static uint qtlEIBBYuV(IntPtr \u0020, IntPtr a1, IntPtr \u0020, [MarshalAs(UnmanagedType.U4)] uint \u0020, IntPtr \u0020, ref uint \u0020)
{
// thisi s a pointer to the COREINFO_METHOD_INFO structure
IntPtr ptr = \u0020;
if (P9ZBIKXMsRMxLdTfcG.KOnEge1tX2)
{
ptr = a1;
}
long num;
@enkomio
enkomio / AssemblyAlternativeLoader.fs
Last active July 11, 2020 12:07
An alternative method to load an Assembly
open System
open System.Reflection
open System.IO
/// Use the private method GetTypeByNameUsingCARules in order to load the Assembly. This method will in turn uses the internal
/// method: private static extern void GetTypeByNameUsingCARules(string name, RuntimeModule scope, ObjectHandleOnStack type);
let loadAssembly(filename: String, className: String, methodName: String, methodArguments: Object array) =
let bindingFlags = BindingFlags.Static ||| BindingFlags.NonPublic ||| BindingFlags.Public ||| BindingFlags.Instance
let assemblyName = AssemblyName.GetAssemblyName(Path.GetFullPath(filename))
let fullName = String.Format("{0},{1}", className, assemblyName.FullName)
proc main
push buffer /* push arguments */
push buffer_length
push key
push key_length
push 4 /* number of arguments */
push de_encrypt /* method to invoke */
call
halt
endp
proc data_section
S:
// Hardcode the initial state of the S array
byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
byte 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
byte 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F
byte 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F
byte 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F
byte 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F
byte 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F