
herrcore / lumma_cf.py
Last active April 15, 2024 02:06
Lumma Stealer Deobfuscation (IDA Python)
# import idautils
import idc
import ida_bytes
import ida_ua
import ida_funcs
import ida_idp
from idautils import DecodeInstruction
import struct
jump_instructions = [
import "hash"
// Private helper: true when the first dword of the file is one of the Mach-O magics.
private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries"
    condition:
        // uint32(0) reads little-endian, so each magic is listed in both byte
        // orders: MH_MAGIC/MH_CIGAM (32-bit), MH_MAGIC_64/MH_CIGAM_64 (64-bit)
        // and FAT_MAGIC/FAT_CIGAM (universal/fat binaries).
        // NOTE(review): on-disk bytes CA FE BA BE (the 0xbebafeca term) are also
        // the Java class-file magic, so that branch alone can match .class files;
        // callers that care about false positives should add a stronger check.
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}
herrcore / pebase.h
Created May 24, 2023 23:09
PE_BASE struct to help with IDA markup of PE access
/*
 * PE_BASE: three typed views of one pointer into a mapped PE image, so IDA can
 * display the same variable as the raw base (baseAddress), the DOS "MZ" header
 * (mz) or the NT headers (pe) depending on the access site.
 * NOTE(review): IMAGE_NT_HEADERS lives at base + e_lfanew, not at the base, so
 * the pe view presumably applies only after that offset has been added; confirm
 * against the code being marked up.
 */
union PE_BASE {
    PVOID baseAddress;        /* untyped view of the pointer */
    IMAGE_DOS_HEADER *mz;     /* DOS "MZ" header at the image base */
    IMAGE_NT_HEADERS *pe;     /* 32-bit "PE\0\0" headers */
};
union PE_BASE64 {
PVOID baseAddress;
IMAGE_DOS_HEADER *mz;
IMAGE_NT_HEADERS64 *pe;
herrcore / ida_bb_extractor.py
Created April 28, 2022 20:46
Extract function and basic block info from IDA to be used as "known good" data for testing other tools
##############################################################################
#
# To be run from IDA batch mode:
#
# "c:\Program Files\IDA Pro 7.5\ida.exe" -c -A -S"c:\Users\admin\Documents\scripts\binary_map.py" z:\tmp\pe\pe.trickbot.x86
#
#
#
#
##############################################################################
herrcore / karama.yara
Created November 22, 2021 18:16
Yara rule generated with Binlex from our live stream https://youtu.be/hgz5gZB3DxE
rule malware_karama_0 {
meta:
descrption = "Karma Ransomware"
strings:
$name = "KARMA" ascii wide nocase
$trait_0 = {33 f6 0f b7 41 ?? 83 c1 02 8b d0 66 85 c0 75 da}
$trait_1 = {0f b7 d0 66 83 fa 5c 74 10}
condition:
uint16(0) == 0x5a4d and
uint32(uint32(0x3c)) == 0x00004550 and
herrcore / emotet_strings.py
Last active November 30, 2022 02:43
IDA Python script for Emotet String decryption ref:EEB13CD51FAA7C23D9A40241D03BEB239626FBF3EFE1DBBFA3994FC10DEA0827
import idaapi, idc, idautils
import struct
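def xor_decrypt(data, key):
    """Return ``data`` XORed with ``key`` repeated cyclically over its length.

    Args:
        data: bytes-like sequence of ints (0-255) to decrypt.
        key: non-empty bytes-like sequence of ints; reused from the start
            once exhausted.

    Returns:
        The decrypted ``bytes``; ``b""`` when ``data`` is empty.

    Raises:
        ValueError: if ``key`` is empty (the original modulo would otherwise
            surface as a confusing ZeroDivisionError).
    """
    if not key:
        raise ValueError("key must not be empty")
    key_len = len(key)  # hoisted: invariant for the whole pass
    return bytes(byte ^ key[i % key_len] for i, byte in enumerate(data))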
herrcore / lang.h
Created October 28, 2021 04:39
LANGID Windows Locales enum for quickly parsing malware language checks
enum langid_country
{
Afrikaans = 0x36,
Afrikaans_South_Africa = 0x436,
Albanian = 0x1c,
Albanian_Albania = 0x41c,
Alsatian = 0x84,
Alsatian_France = 0x484,
Amharic = 0x5e,
Amharic_Ethiopia = 0x45e,
herrcore / PEB_UNIVERSAL.h
Created October 21, 2021 21:43
Process Environment Block (PEB) Universal Struct - Fix broken IDA struct
struct PEB_UNIVERSAL
{
BOOLEAN InheritedAddressSpace; //0x0000
BOOLEAN ReadImageFileExecOptions; //0x0001
BOOLEAN BeingDebugged; //0x0002
BYTE byte3;
HANDLE Mutant; //0x0004
void* ImageBaseAddress; //0x0008
PEB_LDR_DATA* Ldr; //0x000C
RTL_USER_PROCESS_PARAMETERS* ProcessParameters; //0x0010
// Ref: Writing Shellcode with a C Compiler (https://nickharbour.wordpress.com/)
// Return the current process's PEB pointer on 32-bit x86: the fs segment
// selects the TEB and the PEB pointer sits at TEB offset 0x30. __declspec(naked)
// suppresses the compiler prologue/epilogue, so the emitted function is exactly
// these two instructions and can be embedded in position-independent code.
// x86-32 only (the TEB is gs-based on x64). For analysts: this is the primitive
// behind PEB-walk module/API resolution commonly seen in shellcode.
PPEB __declspec(naked) get_peb(void)
{
    __asm {
        mov eax, fs:[0x30]   ; eax = PEB pointer read from the TEB
        ret                  ; no frame to tear down in a naked function
    }
}
herrcore / auto_dword.py
Last active January 14, 2024 22:57
Auto-DWORD! - IDA plugin for one-click bulk DWORD conversion
############################################################################################
##
## Auto-DWORD!
##
## Updated for IDA 7.xx and Python 3
##
## To install:
## Copy script into plugins directory, i.e: C:\Program Files\<ida version>\plugins
##
## To run: