herrcore herrcore
herrcore
/ ramnit_dga.py
Created
April 8, 2017 02:16
Ramnit DGA generator for MD5: abd2b832007338d6d6550339eec09fb0 - seed 0x36F066D
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ################################################################## | |
| # | |
| # Ref sample: | |
| # MD5: abd2b832007338d6d6550339eec09fb0 (AegisI5.exe) | |
| # \_ MD5: cf5de95d94bb349f1f21bb5713a05d25 (fA1L0mX.exe) | |
| # \_ MD5: 17cb0563f7c4621bc98abd06965bdfa9 (svchost.exe injected DLL) | |
| # | |
| # DGA generator for Ramnit Trojan | |
| # |
herrcore
/ upatre_extractor.py
Last active
July 11, 2017 15:15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/local/bin/env python | |
| #################################################### | |
| ## | |
| ## All credit to @_qaz_qaz for this awesome post | |
| ## https://secrary.com/ReversingMalware/Upatre/ | |
| ## | |
| ## Original script: | |
| ## https://gist.github.com/secrary/98c563688fa6cea1fd517170f97988ab | |
| ## |
herrcore
/ redirect_hunter.js
Created
January 26, 2016 06:27
Simple CasperJS script to load page with fake referrer and follow all redirects. The HTML for the final page is printed along with the redirect URLs.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //setup casper | |
| var casper = require('casper').create({ | |
| verbose: true, | |
| //Fake the user agent | |
| pageSettings: { | |
| userAgent: 'Mozilla/5.0 (Windows NT 5.1; chromeframe/25.0.1364.152) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22' | |
| }, | |
| logLevel: "debug" | |
| //logLevel: "error" |
herrcore
/ AdWindDecryptor.py
Created
March 12, 2018 03:24
Python decryptor for newer AdWind config file - replicated from this Java version https://github.com/mhelwig/adwind-decryptor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/local/bin/env python | |
| ######################################################################################################## | |
| ## | |
| ## Decrypts the AdWind configiration files! | |
| ## ** May also work for other files ** | |
| ## | |
| ## | |
| ## All credit to Michael Helwig for the original Java implementation: | |
| ## https://github.com/mhelwig/adwind-decryptor |
herrcore
/ ksearch.py
Last active
August 9, 2019 02:36
Ksearch provides a simple search interface for the amazing Koodous platform: https://koodous.com/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| ####################################################################### | |
| # Ksearch provides a simple search interface for the amazing Koodous | |
| # platform: https://koodous.com/ | |
| # | |
| # With Ksearch you have a simple way to integrate Koodous search into | |
| # any of your python projects. This gives you the ability to quickly | |
| # crowdsource the analysis of potentially malicious Android files. | |
| # |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| ####################################################################### | |
| # Kalert provides a simple Slack alert integration for the amazing Koodous | |
| # platform: https://koodous.com/ | |
| # | |
| # Simply add your TOKEN and your SLACK url to the script and setup | |
| # a cronjob to run the script ever 5min or whatever you want. | |
| # | |
| # Example: |
herrcore
/ SandBoxTest.cpp
Created
November 6, 2017 02:12
Test code for the Open Analysis Live! sandbox tutorial.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // SandBoxTest.cpp : Defines the entry point for the console application. | |
| // | |
| #include "stdafx.h" | |
| #include <windows.h> | |
| #include <tchar.h> | |
| #include <stdio.h> | |
| #include <strsafe.h> | |
| #include <string> | |
| using namespace std; |
herrcore
/ strings.py
Last active
July 17, 2020 00:49
— forked from williballenthin/strings.py
Extract ASCII and Unicode strings using Python.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ########################################################################################################## | |
| ## | |
| ## Like steroids for your strings! | |
| ## | |
| ## Original idea: @williballenthin | |
| ## Original link: https://gist.github.com/williballenthin/8e3913358a7996eab9b96bd57fc59df2 | |
| ## | |
| ## Lipstick and rouge by: @herrcore |
herrcore
/ gootkit_packer_string_decrypt.py
Created
March 3, 2018 22:35
Simple string decryptor for Gootkit packer (IDAPython script)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| import idaapi | |
| import idc | |
| def string_decrypt(data_ea, data_len): | |
| data = idc.GetManyBytes(data_ea, data_len) | |
| key = '89798798798g79er$' | |
| out = 'str_' | |
| for i in range(0 , len(data)): |
herrcore
/ simple_ast.py
Created
January 24, 2021 03:34
Simple AST implementation from https://www.youtube.com/watch?v=kzDuHh6kolk - tutorial by Jack Mott
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2.7 | |
| ##################################################################################### | |
| ## | |
| ## Simple Abstract Syntax Tree Example for Tokens x, const, add, sub | |
| ## | |
| ## Reference: https://www.youtube.com/watch?v=kzDuHh6kolk - tutorial by Jack Mott | |
| ## | |
| ##################################################################################### | |