@herrcore
herrcore / ida_bb_extractor.py
Created Apr 28, 2022
Extract function and basic block info from IDA to be used as "known good" data for testing other tools
##############################################################################
#
# To be run from IDA batch mode:
#
# "c:\Program Files\IDA Pro 7.5\ida.exe" -c -A -S"c:\Users\admin\Documents\scripts\binary_map.py" z:\tmp\pe\pe.trickbot.x86
#
#
#
#
##############################################################################
@herrcore
herrcore / karama.yara
Created Nov 22, 2021
Yara rule generated with Binlex from our live stream https://youtu.be/hgz5gZB3DxE
rule malware_karama_0 {
meta:
description = "Karma Ransomware"
strings:
$name = "KARMA" ascii wide nocase
$trait_0 = {33 f6 0f b7 41 ?? 83 c1 02 8b d0 66 85 c0 75 da}
$trait_1 = {0f b7 d0 66 83 fa 5c 74 10}
condition:
uint16(0) == 0x5a4d and
uint32(uint32(0x3c)) == 0x00004550 and
@herrcore
herrcore / emotet_strings.py
Last active Nov 30, 2022
IDA Python script for Emotet String decryption ref:EEB13CD51FAA7C23D9A40241D03BEB239626FBF3EFE1DBBFA3994FC10DEA0827
import idaapi, idc, idautils
import struct
def xor_decrypt(data, key):
out = []
for i in range(len(data)):
out.append(data[i] ^ key[i%len(key)])
return bytes(out)
@herrcore
herrcore / lang.h
Created Oct 28, 2021
LANGID Windows locale enum for quickly parsing malware language checks
enum langid_country
{
Afrikaans = 0x36,
Afrikaans_South_Africa = 0x436,
Albanian = 0x1c,
Albanian_Albania = 0x41c,
Alsatian = 0x84,
Alsatian_France = 0x484,
Amharic = 0x5e,
Amharic_Ethiopia = 0x45e,
@herrcore
herrcore / PEB_UNIVERSAL.h
Created Oct 21, 2021
Process Environment Block (PEB) Universal Struct - Fix broken IDA struct
struct PEB_UNIVERSAL
{
BOOLEAN InheritedAddressSpace; //0x0000
BOOLEAN ReadImageFileExecOptions; //0x0001
BOOLEAN BeingDebugged; //0x0002
BYTE byte3;
HANDLE Mutant; //0x0004
void* ImageBaseAddress; //0x0008
PEB_LDR_DATA* Ldr; //0x000C
RTL_USER_PROCESS_PARAMETERS* ProcessParameters; //0x0010
herrcore / ResolveHash.c
// Ref: Writing Shellcode with a C Compiler (https://nickharbour.wordpress.com/)
PPEB __declspec(naked) get_peb(void)
{
__asm {
mov eax, fs:[0x30]
ret
}
}
@herrcore
herrcore / auto_dword.py
Last active Nov 14, 2021
Auto-DWORD! - IDA plugin for one-click bulk DWORD conversion
############################################################################################
##
## Auto-DWORD!
##
## Updated for IDA 7.xx and Python 3
##
## To install:
## Copy script into plugins directory, i.e: C:\Program Files\<ida version>\plugins
##
## To run:
@herrcore
herrcore / label_enums.py
Created Oct 8, 2021
IDA label enums - use to label hashes in a dynamic import address table
#############################################################
##
## Highlight enum data and call label_enums()
##
## Each enum address will be named after the enum value it contains
## This can be used to create an IAT struct
##
###############################################################
@herrcore
herrcore / warzone.idc
Created May 19, 2021
IDC Script for Warzone Structs - Part 1 Tutorial https://youtu.be/81fdvmGmRvM
//
// +-------------------------------------------------------------------------+
// | This file was generated by The Interactive Disassembler (IDA) |
// | Copyright (c) 2020 Hex-Rays, <support@hex-rays.com> |
// | License info: 48-B331-7A44-33 |
// | Sergei Frankoff, press copy |
// +-------------------------------------------------------------------------+
//
//
@herrcore
herrcore / windows_defender_unquarantine.py
Created Apr 19, 2021 — forked from OALabs/windows_defender_unquarantine.py
Extract quarantine files from Windows Defender | System Center Endpoint Protection | Microsoft Security Essentials
# MS SCEP & SE quarantined files decrypter
# This script is a fork from quarantine.py from the cuckoosandbox project.
# Also thanks to Jon Glass (https://jon.glass/quarantines-junk/)
# Usage: quarantine.py <encryptedfile>
#
# Copyright (C) 2015 KillerInstinct, Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.