hasherezade
/ guard_flags.h
Last active Aug 14, 2019
View guard_flags.h
| #pragma once | |
| #define IMAGE_GUARD_CF_INSTRUMENTED 0x00000100 // Module performs control flow integrity checks using system-supplied support | |
| #define IMAGE_GUARD_CFW_INSTRUMENTED 0x00000200 // Module performs control flow and write integrity checks | |
| #define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT 0x00000400 // Module contains valid control flow target metadata | |
| #define IMAGE_GUARD_SECURITY_COOKIE_UNUSED 0x00000800 // Module does not make use of the /GS security cookie | |
| #define IMAGE_GUARD_PROTECT_DELAYLOAD_IAT 0x00001000 // Module supports read only delay load IAT | |
| #define IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION 0x00002000 // Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected | |
| #define IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT 0x00004000 // Module contains suppressed export information. This also infers that the address taken |
hasherezade
/ str_decoder.cpp
Last active Dec 20, 2018
Decoder for the obfuscated strings from malware: ef0cb0a1a29bcdf2b36622f72734aec8d38326fc8f7270f78bd956e706a5fd57
View str_decoder.cpp
| #include <iostream> | |
| #include <Windows.h> | |
| char* decode_string(const char *a1) | |
| { | |
| const BYTE *enc_str = (BYTE*)a1; | |
| signed int enc_len = strlen(a1); | |
| BYTE *v4; | |
| int v5; |
hasherezade
/ extracted_list.txt
Last active Oct 30, 2018
TrickBot string decoder (c3737aaf6b613a7c7d5e0c6d3c0d60a2)
View extracted_list.txt
| 1 : 1\ | |
| 2 : 1 | |
| 3 : DIAL | |
| 4 : NAT status | |
| 5 : failed | |
| 6 : client is behind NAT | |
| 7 : client is not behind NAT | |
| 8 : DNSBL | |
| 9 : listed | |
| 10 : not listed |
View Driver.c
| // Sample "Hello World" driver | |
| // creates a HelloDev, that expects one IOCTL | |
| #include <ntddk.h> | |
| #define HELLO_DRV_IOCTL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS) | |
| #define DOS_DEV_NAME L"\\DosDevices\\HelloDev" | |
| #define DEV_NAME L"\\Device\\HelloDev" |
hasherezade
/ output.txt
Last active Jun 20, 2018
View output.txt
| Region Addr: 00A50000 | |
| Full Size : 00007000 | |
| --- | |
| ---ALLOC AND INFO--- | |
| nextAddr: 00A50000 | |
| info: | |
| AllocBase: 00A50000 | |
| BaseAddress: 00A50000 | |
| RegionSize: 1000 | |
| RegionState: 1000 : MEM_COMMIT |
View run_elevated.cpp
| #include <stdio.h> | |
| #include <Windows.h> | |
| bool RunElevated(char *app_path) | |
| { | |
| char operation[] = "runas"; | |
| char run_path[MAX_PATH] = {0}; | |
| ExpandEnvironmentStrings("%SystemRoot%\\system32\\rundll32.exe", (LPSTR)run_path, MAX_PATH); | |
| char cmd[MAX_PATH * 2] = {0}; |
View rabbit_ldr.cpp
| #include <stdio.h> | |
| #include <windows.h> | |
| #pragma comment(lib,"Ws2_32.lib") | |
| #include "peconv.h" | |
| #include "resource.h" | |
| signed int (__cdecl *setup_flags)(BYTE *buffer) = nullptr; //0x7897 | |
| signed int (__cdecl *scan_all_network)() = nullptr; //77D1 - scan all |
View trick_str.cpp
| #include <stdio.h> | |
| #include <windows.h> | |
| #include "peconv.h" | |
| /* | |
| Requires a path to the original trick bot module: 0a7da84873f2a4fe0fcc58c88bbbe39d | |
| */ | |
| #define OFFSET_DECODE_LIST 0x10ab0 //decode_from_the_list |
hasherezade
/ unpack.cpp
Last active Jun 27, 2018
LibPeConv-based unpacker for sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
View unpack.cpp
| #include <stdio.h> | |
| #include <windows.h> | |
| #include "peconv.h" | |
| // for the sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd | |
| // from: "Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1" | |
| // https://www.youtube.com/watch?v=HfSQlC76_s4 | |
| int (__cdecl *unpack_func)(BYTE* blob, DWORD blob_size, LPCSTR lpFileName, char r_val) = nullptr; |
View main.cpp
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <psapi.h> | |
| #include <iostream> | |
| #include <string> | |
| #include <vector> | |
| #include "pe_sieve_api.h" | |
| #pragma comment(lib, "pe-sieve.lib") |
NewerOlder