Skip to content

Instantly share code, notes, and snippets.

View hasherezade's full-sized avatar

hasherezade hasherezade

5.5k followers · 27 following
View GitHub Profile
@nmarley
nmarley / README.md
Last active April 4, 2024 16:47
Go / C++ bindings example

Go / C++ bindings example

This is an example of Go code calling to a C++ library with a C wrapper.

Build

go build  # this only ensures it compiles
@stecman
stecman / dump-pyc-with-gdb.md
Last active March 25, 2024 09:20
Dumping all bytecode from a packaged Python application

This is a technique for extracting all imported modules from a packaged Python application as .pyc files, then decompiling them. The target program needs to be run from scratch, but no debugging symbols are necessary (assuming an unmodified build of Python is being used).

This was originally performed on 64-bit Linux with a Python 3.6 target. The Python scripts have since been updated to handle pyc files for Python 2.7 - 3.9.

Theory

In Python we can leverage the fact that any module import involving a .py* file will eventually arrive as ready-to-execute Python code object at this function:

PyObject* PyEval_EvalCode(PyObject *co, PyObject *globals, PyObject *locals);
@trietptm
trietptm / rol-ror.py
Created August 3, 2016 16:27 — forked from vqhuy/rol-ror.py
python rol, ror operation implement
###########################################################################
# Rotating bits (tested with Python 2.7)
from __future__ import print_function # PEP 3105
# max bits > 0 == width of the value in bits (e.g., int_16 -> 16)
# Rotate left: 0b1001 --> 0b0011
rol = lambda val, r_bits, max_bits: \
(val << r_bits%max_bits) & (2**max_bits-1) | \
@shadyeip
shadyeip / quick-disable-windows-defender.bat
Last active July 30, 2023 00:17
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
@0xZDH
0xZDH / amsi.py
Created April 5, 2020 07:33
Python implementation of AMSI API
#!/usr/bin/env python3
#> ------------------------------------
# Antimalware Scan Interface
#> ------------------------------------
import sys
from enum import IntEnum
@evilsocket
evilsocket / magniber_decryptor.cpp
Created October 19, 2017 14:09
Decryptor for Magniber ransomware ( https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/ )
/*
* This tool will decrypt files encrypted by the Magniber ransomware with
* AES128 ( CBC mode ) algorithm.
*
* RE and report by MalwareBytes ( @hasherezade )
*
* https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/
*
* Decryptor written by Simone 'evilsocket' Margaritelli
*
@mrexodia
mrexodia / undocumented.h
Last active July 27, 2021 16:09
universal PEB structure
#ifndef _UNDOCUMENTED_H
#define _UNDOCUMENTED_H
#include <windows.h>
namespace Undocumented
{
#pragma pack(push)
#pragma pack(1)