hasherezade hasherezade
hasherezade
/ str_decoder.cpp
Last active
December 20, 2018 18:11
Decoder for the obfuscated strings from malware: ef0cb0a1a29bcdf2b36622f72734aec8d38326fc8f7270f78bd956e706a5fd57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <iostream> | |
| #include <Windows.h> | |
| char* decode_string(const char *a1) | |
| { | |
| const BYTE *enc_str = (BYTE*)a1; | |
| signed int enc_len = strlen(a1); | |
| BYTE *v4; | |
| int v5; |
hasherezade
/ extracted_list.txt
Last active
October 30, 2018 17:56
TrickBot string decoder (c3737aaf6b613a7c7d5e0c6d3c0d60a2)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1 : 1\ | |
| 2 : 1 | |
| 3 : DIAL | |
| 4 : NAT status | |
| 5 : failed | |
| 6 : client is behind NAT | |
| 7 : client is not behind NAT | |
| 8 : DNSBL | |
| 9 : listed | |
| 10 : not listed |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Sample "Hello World" driver | |
| // creates a HelloDev, that expects one IOCTL | |
| #include <ntddk.h> | |
| #define HELLO_DRV_IOCTL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS) | |
| #define DOS_DEV_NAME L"\\DosDevices\\HelloDev" | |
| #define DEV_NAME L"\\Device\\HelloDev" |
hasherezade
/ output.txt
Last active
June 20, 2018 18:51
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Region Addr: 00A50000 | |
| Full Size : 00007000 | |
| --- | |
| ---ALLOC AND INFO--- | |
| nextAddr: 00A50000 | |
| info: | |
| AllocBase: 00A50000 | |
| BaseAddress: 00A50000 | |
| RegionSize: 1000 | |
| RegionState: 1000 : MEM_COMMIT |
hasherezade
/ run_elevated.cpp
Last active
November 11, 2019 12:21
Run elevated via rundll32.exe (NOTE: it is NOT a stealthy UAC bypass!)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| The role of this snippet is to enforce a user to elevate a process, | |
| simply by flooding them with repeatitive requests till they agree. | |
| I do NOT recommend it as a UAC bypass technique as it is very noisy! | |
| */ | |
| #include <stdio.h> | |
| #include <Windows.h> | |
| char mutex_name[] = "elev_mutex"; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #pragma comment(lib,"Ws2_32.lib") | |
| #include "peconv.h" | |
| #include "resource.h" | |
| signed int (__cdecl *setup_flags)(BYTE *buffer) = nullptr; //0x7897 | |
| signed int (__cdecl *scan_all_network)() = nullptr; //77D1 - scan all |
hasherezade
/ trick_str.cpp
Last active
October 22, 2021 23:58
Small utility do deobfuscate TrickBot strings
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include "peconv.h" | |
| /* | |
| Requires a path to the original trick bot module: 0a7da84873f2a4fe0fcc58c88bbbe39d | |
| */ | |
| #define OFFSET_DECODE_LIST 0x10ab0 //decode_from_the_list |
hasherezade
/ unpack.cpp
Last active
June 27, 2018 08:36
LibPeConv-based unpacker for sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include "peconv.h" | |
| // for the sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd | |
| // from: "Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1" | |
| // https://www.youtube.com/watch?v=HfSQlC76_s4 | |
| int (__cdecl *unpack_func)(BYTE* blob, DWORD blob_size, LPCSTR lpFileName, char r_val) = nullptr; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <psapi.h> | |
| #include <iostream> | |
| #include <string> | |
| #include <vector> | |
| #include "pe_sieve_api.h" | |
| #pragma comment(lib, "pe-sieve.lib") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <iostream> | |
| #include "ntdll_undoc.h" | |
| PPEB get_default_peb() | |
| { | |
| #if defined(_WIN64) | |
| return (PPEB)__readgsqword(0x60); | |
| #else |