This is an example of Go code calling to a C++ library with a C wrapper.
go build # this only ensures it compiles
This is a technique for extracting all imported modules from a packaged Python application as .pyc
files, then decompiling them. The target program needs to be run from scratch, but no debugging symbols are necessary (assuming an unmodified build of Python is being used).
This was originally performed on 64-bit Linux with a Python 3.6 target. The Python scripts have since been updated to handle pyc files for Python 2.7 - 3.9.
In Python we can leverage the fact that any module import involving a .py*
file will eventually arrive as ready-to-execute Python code object at this function:
PyObject* PyEval_EvalCode(PyObject *co, PyObject *globals, PyObject *locals);
########################################################################### | |
# Rotating bits (tested with Python 2.7) | |
from __future__ import print_function # PEP 3105 | |
# max bits > 0 == width of the value in bits (e.g., int_16 -> 16) | |
# Rotate left: 0b1001 --> 0b0011 | |
rol = lambda val, r_bits, max_bits: \ | |
(val << r_bits%max_bits) & (2**max_bits-1) | \ |
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!! | |
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference | |
rem To also disable Windows Defender Security Center include this | |
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | |
rem 1 - Disable Real-time protection | |
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
#!/usr/bin/env python3 | |
#> ------------------------------------ | |
# Antimalware Scan Interface | |
#> ------------------------------------ | |
import sys | |
from enum import IntEnum |
/* | |
* This tool will decrypt files encrypted by the Magniber ransomware with | |
* AES128 ( CBC mode ) algorithm. | |
* | |
* RE and report by MalwareBytes ( @hasherezade ) | |
* | |
* https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/ | |
* | |
* Decryptor written by Simone 'evilsocket' Margaritelli | |
* |
#ifndef _UNDOCUMENTED_H | |
#define _UNDOCUMENTED_H | |
#include <windows.h> | |
namespace Undocumented | |
{ | |
#pragma pack(push) | |
#pragma pack(1) |