hasherezade / str_decoder.cpp
Last active Dec 20, 2018
Decoder for the obfuscated strings from malware: ef0cb0a1a29bcdf2b36622f72734aec8d38326fc8f7270f78bd956e706a5fd57
#include <iostream>
#include <Windows.h>
char* decode_string(const char *a1)
{
const BYTE *enc_str = (BYTE*)a1;
signed int enc_len = strlen(a1);
BYTE *v4;
int v5;
hasherezade / extracted_list.txt
Last active Oct 30, 2018
TrickBot string decoder (c3737aaf6b613a7c7d5e0c6d3c0d60a2)
1 : 1\
2 : 1
3 : DIAL
4 : NAT status
5 : failed
6 : client is behind NAT
7 : client is not behind NAT
8 : DNSBL
9 : listed
10 : not listed
hasherezade / Driver.c
Last active Jun 25, 2018
HelloWorld driver
// Sample "Hello World" driver
// creates a device named HelloDev that expects one IOCTL
#include <ntddk.h>
// The single IOCTL the device understands. METHOD_NEITHER means the I/O
// manager neither validates nor maps the caller's buffers: the dispatch
// routine (not in this excerpt) receives raw user-mode pointers and must
// probe them (ProbeForRead/ProbeForWrite inside __try/__except) before use.
// FILE_ANY_ACCESS: any handle to the device may issue it; who is allowed to
// open the device is governed by the device object's security, set elsewhere.
#define HELLO_DRV_IOCTL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)
// User-mode-visible symbolic link name; it resolves to the kernel device
// object named by DEV_NAME below.
#define DOS_DEV_NAME L"\\DosDevices\\HelloDev"
#define DEV_NAME L"\\Device\\HelloDev"
Region Addr: 00A50000
Full Size : 00007000
---
---ALLOC AND INFO---
nextAddr: 00A50000
info:
AllocBase: 00A50000
BaseAddress: 00A50000
RegionSize: 1000
RegionState: 1000 : MEM_COMMIT
hasherezade / run_elevated.cpp
Created May 17, 2018
Run elevated via rundll32.exe
#include <stdio.h>
#include <Windows.h>
bool RunElevated(char *app_path)
{
char operation[] = "runas";
char run_path[MAX_PATH] = {0};
ExpandEnvironmentStrings("%SystemRoot%\\system32\\rundll32.exe", (LPSTR)run_path, MAX_PATH);
char cmd[MAX_PATH * 2] = {0};
hasherezade / rabbit_ldr.cpp
Last active Apr 14, 2018
BadRabbit-based network discovery
#include <stdio.h>
#include <windows.h>
#pragma comment(lib,"Ws2_32.lib")
#include "peconv.h"
#include "resource.h"
// Entry points inside the BadRabbit-derived sample, filled in at runtime by
// code outside this excerpt (they start out as nullptr). The hex values in
// the trailing comments are where each routine lives in the sample —
// presumably offsets within the loaded module; TODO confirm against the code
// that resolves them.
signed int (__cdecl *setup_flags)(BYTE *buffer) = nullptr; //0x7897
signed int (__cdecl *scan_all_network)() = nullptr; //77D1 - scan all
hasherezade / trick_str.cpp
Last active Oct 30, 2018
Small utility to deobfuscate TrickBot strings
#include <stdio.h>
#include <windows.h>
#include "peconv.h"
/*
Requires a path to the original trick bot module: 0a7da84873f2a4fe0fcc58c88bbbe39d
*/
// Location of the string-decoding routine ("decode_from_the_list") in the
// TrickBot module named above (0a7da84873f2a4fe0fcc58c88bbbe39d). This is
// specific to that build and must be re-derived for any other sample.
// NOTE(review): whether this is an RVA or a raw file offset is not visible
// here — check the code that applies it.
#define OFFSET_DECODE_LIST 0x10ab0 //decode_from_the_list
hasherezade / unpack.cpp
Last active Jun 27, 2018
LibPeConv-based unpacker for sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
#include <stdio.h>
#include <windows.h>
#include "peconv.h"
// for the sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
// from: "Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1"
// https://www.youtube.com/watch?v=HfSQlC76_s4
// Pointer to what is presumably the unpacking routine located inside the
// sample (bd47776c0d1dae57c0c3e5e2832f13870a38d5fd); it starts out null and is
// resolved at runtime by code outside this excerpt. The parameter names come
// from the reversing notes — what lpFileName and r_val actually mean is not
// visible here; TODO confirm against the caller.
int (__cdecl *unpack_func)(BYTE* blob, DWORD blob_size, LPCSTR lpFileName, char r_val) = nullptr;
hasherezade / main.cpp
Created Jan 7, 2018
A tiny PE-sieve based process scanner
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include <iostream>
#include <string>
#include <vector>
#include "pe_sieve_api.h"
#pragma comment(lib, "pe-sieve.lib")
hasherezade / main.cpp
Last active Jul 15, 2019
Get PEB64 from a WOW64 process
#include <Windows.h>
#include <iostream>
#include "ntdll_undoc.h"
PPEB get_default_peb()
{
#if defined(_WIN64)
return (PPEB)__readgsqword(0x60);
#else