hasherezade hasherezade

## params.txt
kernel32;LoadLibraryW;1
kernel32;LoadLibraryA;1
kernel32;GetProcAddress;2
advapi32;RegQueryValueW;3
advapi32;RegOpenKeyExW;5
advapi32;RegQueryValueExW;6
kernel32;CreateFileW;6
kernel32;VirtualProtect;4
wininet;InternetCrackUrlA;4
wininet;InternetOpenA;5

## delta_patch.py
import base64
import hashlib
import zlib
from ctypes import (
    CDLL,
    POINTER,
    LittleEndianStructure,
    c_size_t,
    c_ubyte,
    c_uint64,

## aplib_decompress.py
#!/usr/bin/env python3

import malduck
import sys
import argparse

def main():
    parser = argparse.ArgumentParser(description="APLib unpacker")
    parser.add_argument('--inpath', dest="inpath", default=None, help="APLib compressed blob",
                            required=True)

## AllocateLargePool.c
#include <windows.h>
#include <stdio.h>

#pragma comment(lib, "ntdll.lib")

#define SystemBigPoolInformation 0x42
#define ThreadNameInformation 0x26

#define DATA_TO_COPY "AAAAAAAAAAAAABBBBBBBBBBBBBBBCCCCCCCCCCCCCCCDDDDDDDDDDDDDDD"

## gui_threads.cpp
HANDLE find_thread(HANDLE hProcess, DWORD thAccess, bool guiOnly)
{
	DWORD targetPid = GetProcessId(hProcess);
	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	THREADENTRY32 thEntry = { sizeof(THREADENTRY32) };

	GUITHREADINFO gui = { 0 };
	gui.cbSize = sizeof(GUITHREADINFO);

	bool isGUIProcess = false;

## PesieveLdr.go
package main

import (
	"fmt"
	"syscall"
	"unsafe"
)

var (
	peSieveDll  = syscall.NewLazyDLL("pe-sieve64.dll")

## LZDecompress.cpp
#include <iostream>
#include <Windows.h>

#pragma comment(lib,"LZ32.lib")

bool decompress(LPSTR infile, LPSTR outfile)
{
    INT hin, hout = 0;
    OFSTRUCT ofin = { 0 };
    OFSTRUCT ofout = { 0 };

## mal_unpack_runner.py
#!/usr/bin/env python3

import sys, os, subprocess
import pefile
from pathlib import Path

def mal_unp_res_to_str(returncode):
    if returncode == (-1):
        return "ERROR"
    if returncode == 0:

## quick-disable-windows-defender.bat
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

## fakedns.py
#!/usr/bin/python3

__author__ = 'Francisco Santos'
# URL: https://code.activestate.com/recipes/491264-mini-fake-dns-server/

import socket

class DNSQuery:
  def __init__(self, data):
    self.data=data
	kernel32;LoadLibraryW;1
	kernel32;LoadLibraryA;1
	kernel32;GetProcAddress;2
	advapi32;RegQueryValueW;3
	advapi32;RegOpenKeyExW;5
	advapi32;RegQueryValueExW;6
	kernel32;CreateFileW;6
	kernel32;VirtualProtect;4
	wininet;InternetCrackUrlA;4
	wininet;InternetOpenA;5
	import base64
	import hashlib
	import zlib
	from ctypes import (
	CDLL,
	POINTER,
	LittleEndianStructure,
	c_size_t,
	c_ubyte,
	c_uint64,
	#!/usr/bin/env python3

	import malduck
	import sys
	import argparse

	def main():
	parser = argparse.ArgumentParser(description="APLib unpacker")
	parser.add_argument('--inpath', dest="inpath", default=None, help="APLib compressed blob",
	required=True)
	#include <windows.h>
	#include <stdio.h>

	#pragma comment(lib, "ntdll.lib")

	#define SystemBigPoolInformation 0x42
	#define ThreadNameInformation 0x26

	#define DATA_TO_COPY "AAAAAAAAAAAAABBBBBBBBBBBBBBBCCCCCCCCCCCCCCCDDDDDDDDDDDDDDD"
	HANDLE find_thread(HANDLE hProcess, DWORD thAccess, bool guiOnly)
	{
	DWORD targetPid = GetProcessId(hProcess);
	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	THREADENTRY32 thEntry = { sizeof(THREADENTRY32) };

	GUITHREADINFO gui = { 0 };
	gui.cbSize = sizeof(GUITHREADINFO);

	bool isGUIProcess = false;
	package main

	import (
	"fmt"
	"syscall"
	"unsafe"
	)

	var (
	peSieveDll = syscall.NewLazyDLL("pe-sieve64.dll")
	#include <iostream>
	#include <Windows.h>

	#pragma comment(lib,"LZ32.lib")

	bool decompress(LPSTR infile, LPSTR outfile)
	{
	INT hin, hout = 0;
	OFSTRUCT ofin = { 0 };
	OFSTRUCT ofout = { 0 };
	#!/usr/bin/env python3

	import sys, os, subprocess
	import pefile
	from pathlib import Path

	def mal_unp_res_to_str(returncode):
	if returncode == (-1):
	return "ERROR"
	if returncode == 0:
	rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
	rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
	rem To also disable Windows Defender Security Center include this
	rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
	rem 1 - Disable Real-time protection
	reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
	reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
	reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
	#!/usr/bin/python3

	__author__ = 'Francisco Santos'
	# URL: https://code.activestate.com/recipes/491264-mini-fake-dns-server/

	import socket

	class DNSQuery:
	def __init__(self, data):
	self.data=data