@herrcore
herrcore / label_enums.py
Created October 8, 2021 03:26
IDA label enums - use to label hashes in a dynamic import address table
#############################################################
##
## Highlight enum data and call label_enums()
##
## Each enum address will be named after the enum value it contains
## This can be used to create an IAT struct
##
###############################################################
@herrcore
herrcore / warzone.idc
Created May 19, 2021 04:01
IDC Script for Warzone Structs - Part 1 Tutorial https://youtu.be/81fdvmGmRvM
//
// +-------------------------------------------------------------------------+
// | This file was generated by The Interactive Disassembler (IDA) |
// | Copyright (c) 2020 Hex-Rays, <support@hex-rays.com> |
// | License info: 48-B331-7A44-33 |
// | Sergei Frankoff, press copy |
// +-------------------------------------------------------------------------+
//
//
// This file should be used in the following way:
@herrcore
herrcore / windows_defender_unquarantine.py
Created April 19, 2021 06:05 — forked from OALabs/windows_defender_unquarantine.py
Extract quarantine files from Windows Defender | System Center Endpoint Protection | Microsoft Security Essentials
# MS SCEP & SE quarantined files decrypter
# This script is a fork from quarantine.py from the cuckoosandbox project.
# Also thanks to Jon Glass (https://jon.glass/quarantines-junk/)
# Usage: quarantine.py <encryptedfile>
#
# Copyright (C) 2015 KillerInstinct, Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
@herrcore
herrcore / oalabs_x86vm.ps1
Created April 19, 2021 06:04 — forked from OALabs/oalabs_x86vm.ps1
Boxstarter package for OALABS x86 Malware Analysis VM
Write-Host -NoNewline " "
Write-Host -NoNewline " _______ _______ ___ _______ _______ _______ "
Write-Host -NoNewline " | || _ || | | _ || _ || | "
Write-Host -NoNewline " | _ || |_| || | | |_| || |_| || _____| "
Write-Host -NoNewline " | | | || || | | || || |_____ "
Write-Host -NoNewline " | |_| || || |___ | || _ | |_____ | "
Write-Host -NoNewline " | || _ || || _ || |_| | _____| | "
Write-Host -NoNewline " |_______||__| |__||_______||__| |__||_______||_______| "
Write-Host -NoNewline " "
Write-Host -NoNewline " "
@herrcore
herrcore / wallpaper.bmp
Created April 19, 2021 06:04 — forked from OALabs/wallpaper.bmp
wallpaper.bmp
@herrcore
herrcore / boxstarter_oalabs_x86vm.ps1
Created April 19, 2021 06:03 — forked from OALabs/boxstarter_oalabs_x86vm.ps1
Boxstarter - One click malware analysis tools installer for 32bit VM
Set-ExecutionPolicy Unrestricted;
iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1'));
get-boxstarter -Force;
Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1';
@herrcore
herrcore / rc4.py
Created April 19, 2021 06:03 — forked from OALabs/rc4.py
RC4 Crypto Python Module (probably stolen from stack overflow but it's been so long I can't remember)
#! /usr/bin/env python
##########################################################################################
##
## RC4 Crypto
##
##########################################################################################
def rc4crypt(key, data):
@herrcore
herrcore / revil_import_builder.py
Created April 19, 2021 06:03 — forked from OALabs/revil_import_builder.py
IDA Python script to decipher and label REvil imports
import json
# fn_name = "wsprintfW"
# api_hash = 0x0B6D391AE
export_db = {}
def get_api_hash(fn_name):
    result = 0x2b
    for c in fn_name:
@herrcore
herrcore / dll_exports.py
Created April 19, 2021 06:03 — forked from OALabs/dll_exports.py
Build dictionary of DLL exports (Windows API Names)
import os
import pefile
import json
INTERESTING_DLLS = [
    'kernel32.dll', 'comctl32.dll', 'advapi32.dll', 'comdlg32.dll',
    'gdi32.dll', 'msvcrt.dll', 'netapi32.dll', 'ntdll.dll',
    'ntoskrnl.exe', 'oleaut32.dll', 'psapi.dll', 'shell32.dll',
    'shlwapi.dll', 'srsvc.dll', 'urlmon.dll', 'user32.dll',
@herrcore
herrcore / exports.json
Created April 19, 2021 06:03 — forked from OALabs/exports.json
Common DLL exports (Windows API Names)
{"exports": ["A_SHAFinal", "A_SHAInit", "A_SHAUpdate", "AbortSystemShutdownA", "AbortSystemShutdownW", "AccessCheck", "AccessCheckAndAuditAlarmA", "AccessCheckAndAuditAlarmW", "AccessCheckByType", "AccessCheckByTypeAndAuditAlarmA", "AccessCheckByTypeAndAuditAlarmW", "AccessCheckByTypeResultList", "AccessCheckByTypeResultListAndAuditAlarmA", "AccessCheckByTypeResultListAndAuditAlarmByHandleA", "AccessCheckByTypeResultListAndAuditAlarmByHandleW", "AccessCheckByTypeResultListAndAuditAlarmW", "AddAccessAllowedAce", "AddAccessAllowedAceEx", "AddAccessAllowedObjectAce", "AddAccessDeniedAce", "AddAccessDeniedAceEx", "AddAccessDeniedObjectAce", "AddAce", "AddAuditAccessAce", "AddAuditAccessAceEx", "AddAuditAccessObjectAce", "AddConditionalAce", "AddMandatoryAce", "AddUsersToEncryptedFile", "AddUsersToEncryptedFileEx", "AdjustTokenGroups", "AdjustTokenPrivileges", "AllocateAndInitializeSid", "AllocateLocallyUniqueId", "AreAllAccessesGranted", "AreAnyAccessesGranted", "AuditComputeEffectivePolicyBySid", "AuditComputeEf