@herrcore
herrcore / AdWindDecryptor.py
Created Mar 12, 2018
Python decryptor for newer AdWind config file - replicated from this Java version https://github.com/mhelwig/adwind-decryptor
#!/usr/bin/env python
########################################################################################################
##
## Decrypts the AdWind configuration files!
## ** May also work for other files **
##
##
## All credit to Michael Helwig for the original Java implementation:
## https://github.com/mhelwig/adwind-decryptor
herrcore / gootkit_packer_string_decrypt.py
Created Mar 3, 2018
Simple string decryptor for Gootkit packer (IDAPython script)
import idautils
import idaapi
import idc

def string_decrypt(data_ea, data_len):
    data = idc.GetManyBytes(data_ea, data_len)
    key = '89798798798g79er$'
    out = 'str_'
    for i in range(0, len(data)):
herrcore / HexCopy.py
Last active Mar 7, 2019
IDA Plugin for quickly copying disassembly as encoded hex bytes
############################################################################################
##
## Quick IDA Hex Bytes Copy
##
## All credit for logic and code chunks:
## @tmr232
## https://github.com/tmr232/Sark
##
## I simply removed dependencies and made it standalone.
##
herrcore / ida_PYKSPA_hide_junk.py
Last active Jul 8, 2018
IDA script to hide junk code for PYKSPA malware
################################################################################
##
## Junk Hide for PYKSPA
##
## Author: @herrcore
##
## Hide junk code:
## mov al <something>
## mov al <something>
## mov al <something>
herrcore / ida_memdump.py
Created Nov 13, 2017
Dump a blob of memory into a file - IDA Pro script
import idautils
import idaapi
import idc

def memdump(ea, size, file):
    # Read `size` bytes from the IDA database starting at address `ea`
    data = idc.GetManyBytes(ea, size)
    # Write the raw bytes out to the given path
    with open(file, "wb") as fp:
        fp.write(data)
    print "Memdump Success!"
herrcore / SandBoxTest.cpp
Created Nov 6, 2017
Test code for the Open Analysis Live! sandbox tutorial.
// SandBoxTest.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <strsafe.h>
#include <string>
using namespace std;
herrcore / test.js
Created Oct 29, 2017
JavaScript file to test ShellExecute using ActiveXObject
var oShell = new ActiveXObject("Shell.Application");
var commandtoRun = "calc.exe";
oShell.ShellExecute(commandtoRun,"","","","1");
herrcore / ucl_nrv2b.py
Created Oct 2, 2017
UCL NRV2B Decompression Library - Full Python (compression used by Zeus variants)
#!/usr/bin/env python
################################################################################################
## UCL NRV2B Decompression Library
##
## Code from "Clash of the Titans: ZeuS v SpyEye":
## https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393
## Author: Harshit Nayyar, harshit.nayyar@telus.com
##
## NOTE: This is the compression algorithm used in the Zeus trojan and subsequent variants
##
herrcore / upatre_extractor.py
#!/usr/bin/env python
####################################################
##
## All credit to @_qaz_qaz for this awesome post
## https://secrary.com/ReversingMalware/Upatre/
##
## Original script:
## https://gist.github.com/secrary/98c563688fa6cea1fd517170f97988ab
##
herrcore / ramnit_dga.py
Created Apr 8, 2017
Ramnit DGA generator for MD5: abd2b832007338d6d6550339eec09fb0 - seed 0x36F066D
#!/usr/bin/env python
##################################################################
#
# Ref sample:
# MD5: abd2b832007338d6d6550339eec09fb0 (AegisI5.exe)
# \_ MD5: cf5de95d94bb349f1f21bb5713a05d25 (fA1L0mX.exe)
# \_ MD5: 17cb0563f7c4621bc98abd06965bdfa9 (svchost.exe injected DLL)
#
# DGA generator for Ramnit Trojan
#