herrcore herrcore
herrcore
/ windows_defender_unquarantine.py
Created
April 19, 2021 06:05
— forked from OALabs/windows_defender_unquarantine.py
Extract quarantine files from Windows Defender | System Center Endpoint Protection | Microsoft Security Essentials
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # MS SCEP & SE quarantined files decrypter | |
| # This script is a fork from quarantine.py from the cuckoosandbox project. | |
| # Also thanks to Jon Glass (https://jon.glass/quarantines-junk/) | |
| # Usage: quarantine.py <encryptedfile> | |
| # | |
| # Copyright (C) 2015 KillerInstinct, Optiv, Inc. (brad.spengler@optiv.com) | |
| # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org | |
| # See the file 'docs/LICENSE' for copying permission. | |
herrcore
/ oalabs_x86vm.ps1
Created
April 19, 2021 06:04
— forked from OALabs/oalabs_x86vm.ps1
Boxstarter package for OALABS x86 Malware Analysis VM
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Write-Host -NoNewline " " | |
| Write-Host -NoNewline " _______ _______ ___ _______ _______ _______ " | |
| Write-Host -NoNewline " | || _ || | | _ || _ || | " | |
| Write-Host -NoNewline " | _ || |_| || | | |_| || |_| || _____| " | |
| Write-Host -NoNewline " | | | || || | | || || |_____ " | |
| Write-Host -NoNewline " | |_| || || |___ | || _ | |_____ | " | |
| Write-Host -NoNewline " | || _ || || _ || |_| | _____| | " | |
| Write-Host -NoNewline " |_______||__| |__||_______||__| |__||_______||_______| " | |
| Write-Host -NoNewline " " | |
| Write-Host -NoNewline " " |
herrcore
/ wallpaper.bmp
Created
April 19, 2021 06:04
— forked from OALabs/wallpaper.bmp
wallpaper.bmp
herrcore
/ boxstarter_oalabs_x86vm.ps1
Created
April 19, 2021 06:03
— forked from OALabs/boxstarter_oalabs_x86vm.ps1
Boxstarter - One click malware analysis tools installer for 32bit VM
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Set-ExecutionPolicy Unrestricted; | |
| iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1')); | |
| get-boxstarter -Force; | |
| Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1'; |
herrcore
/ rc4.py
Created
April 19, 2021 06:03
— forked from OALabs/rc4.py
RC4 Crypto Python Module (probably stolen from stack overflow but it's been so long I can't remember)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/env python | |
| ########################################################################################## | |
| ## | |
| ## RC4 Crypto | |
| ## | |
| ########################################################################################## | |
| def rc4crypt(key, data): |
herrcore
/ revil_import_builder.py
Created
April 19, 2021 06:03
— forked from OALabs/revil_import_builder.py
IDA Python script to decipher and label REvil imports
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| # fn_name = "wsprintfW" | |
| # api_hash = 0x0B6D391AE | |
| export_db = {} | |
| def get_api_hash(fn_name): | |
| result = 0x2b | |
| for c in fn_name: |
herrcore
/ dll_exports.py
Created
April 19, 2021 06:03
— forked from OALabs/dll_exports.py
Build dictionary of DLL exports (Windows API Names)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import pefile | |
| import json | |
| INTERESTING_DLLS = [ | |
| 'kernel32.dll', 'comctl32.dll', 'advapi32.dll', 'comdlg32.dll', | |
| 'gdi32.dll', 'msvcrt.dll', 'netapi32.dll', 'ntdll.dll', | |
| 'ntoskrnl.exe', 'oleaut32.dll', 'psapi.dll', 'shell32.dll', | |
| 'shlwapi.dll', 'srsvc.dll', 'urlmon.dll', 'user32.dll', |
herrcore
/ exports.json
Created
April 19, 2021 06:03
— forked from OALabs/exports.json
Common DLL exports (Windows API Names)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {"exports": ["A_SHAFinal", "A_SHAInit", "A_SHAUpdate", "AbortSystemShutdownA", "AbortSystemShutdownW", "AccessCheck", "AccessCheckAndAuditAlarmA", "AccessCheckAndAuditAlarmW", "AccessCheckByType", "AccessCheckByTypeAndAuditAlarmA", "AccessCheckByTypeAndAuditAlarmW", "AccessCheckByTypeResultList", "AccessCheckByTypeResultListAndAuditAlarmA", "AccessCheckByTypeResultListAndAuditAlarmByHandleA", "AccessCheckByTypeResultListAndAuditAlarmByHandleW", "AccessCheckByTypeResultListAndAuditAlarmW", "AddAccessAllowedAce", "AddAccessAllowedAceEx", "AddAccessAllowedObjectAce", "AddAccessDeniedAce", "AddAccessDeniedAceEx", "AddAccessDeniedObjectAce", "AddAce", "AddAuditAccessAce", "AddAuditAccessAceEx", "AddAuditAccessObjectAce", "AddConditionalAce", "AddMandatoryAce", "AddUsersToEncryptedFile", "AddUsersToEncryptedFileEx", "AdjustTokenGroups", "AdjustTokenPrivileges", "AllocateAndInitializeSid", "AllocateLocallyUniqueId", "AreAllAccessesGranted", "AreAnyAccessesGranted", "AuditComputeEffectivePolicyBySid", "AuditComputeEf |
herrcore
/ revil_strings.py
Created
April 19, 2021 06:02
— forked from OALabs/revil_strings.py
Decrypt REvil ransomware strings with IDA Python
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idaapi, idc, idautils | |
| class DecryptorError(Exception): | |
| pass | |
| def rc4crypt(key, data): | |
| x = 0 | |
| box = range(256) |
herrcore
/ strings.py
Last active
July 17, 2020 00:49
— forked from williballenthin/strings.py
Extract ASCII and Unicode strings using Python.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ########################################################################################################## | |
| ## | |
| ## Like steroids for your strings! | |
| ## | |
| ## Original idea: @williballenthin | |
| ## Original link: https://gist.github.com/williballenthin/8e3913358a7996eab9b96bd57fc59df2 | |
| ## | |
| ## Lipstick and rouge by: @herrcore |
NewerOlder