

herrcore / lumma_cf.py
Last active April 15, 2024 02:06
Lumma Stealer Deobfuscation (IDA Python)
# import idautils
import idc
import ida_bytes
import ida_ua
import ida_funcs
import ida_idp
from idautils import DecodeInstruction
import struct
jump_instructions = [
import "hash"
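// Private helper: matches Mach-O thin and fat (universal) binaries by magic.
// Thin images: MH_MAGIC / MH_CIGAM (0xfeedface / 0xcefaedfe) and the 64-bit
// MH_MAGIC_64 / MH_CIGAM_64 (0xfeedfacf / 0xcffaedfe). Fat images:
// FAT_MAGIC / FAT_CIGAM (0xcafebabe / 0xbebafeca). uint32() reads little-endian,
// so both byte orders of each magic are listed to match however it is stored.
private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries"
    condition:
        (
            uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or
            uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or
            uint32(0) == 0xcafebabe
        )
        or
        // The fat magic stored as bytes CA FE BA BE is shared with Java class
        // files, whose bytes 4-7 hold minor_version/major_version (major >= 45
        // = 0x2D). A fat header has the big-endian architecture count there,
        // which is small, so require it to be below the lowest Java major
        // version to avoid tagging .class files as Mach-O.
        (uint32(0) == 0xbebafeca and uint32be(4) < 0x2D)
}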
herrcore / auto_dword.py
Last active January 14, 2024 22:57
Auto-DWORD! - IDA plugin for one-click bulk DWORD conversion
############################################################################################
##
## Auto-DWORD!
##
## Updated for IDA 7.xx and Python 3
##
## To install:
## Copy the script into IDA's plugins directory, e.g. C:\Program Files\<ida version>\plugins
##
## To run:
herrcore / PEB_UNIVERSAL.h
Created October 21, 2021 21:43
Process Environment Block (PEB) Universal Struct - Fix broken IDA struct
struct PEB_UNIVERSAL
{
BOOLEAN InheritedAddressSpace; //0x0000
BOOLEAN ReadImageFileExecOptions; //0x0001
BOOLEAN BeingDebugged; //0x0002
BYTE byte3;
HANDLE Mutant; //0x0004
void* ImageBaseAddress; //0x0008
PEB_LDR_DATA* Ldr; //0x000C
RTL_USER_PROCESS_PARAMETERS* ProcessParameters; //0x0010
herrcore / ucl_nrv2b.py
Created October 2, 2017 03:41
UCL NRV2B Decompression Library - Full Python (compression used by Zeus variants)
#!/usr/bin/env python
################################################################################################
## UCL NRV2B Decompression Library
##
## Code from "Clash of the Titans: ZeuS v SpyEye":
## https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393
## Author: Harshit Nayyar, harshit.nayyar@telus.com
##
## NOTE: This is the compression algorithm used in the Zeus trojan and subsequent variants
##
herrcore / quick_ioctl_decoder.py
Created August 14, 2016 02:53
IDA Python plugin - Decode IOCTL Codes
############################################################################################
##
## Quick IOCTL Decoder!
##
## All credit for actual IOCTL decode logic:
## http://www.osronline.com/article.cfm?article=229
##
##
## To install:
## Copy the script into IDA's plugins directory, e.g. C:\Program Files\IDA 6.8\plugins
herrcore / pebase.h
Created May 24, 2023 23:09
PE_BASE struct to help with IDA markup of PE access
// Overlay of the three views a PE image base pointer is read through
// (32-bit IMAGE_NT_HEADERS variant). All members alias the same address;
// the union only exists so IDA can show the right struct for each access.
union PE_BASE {
    PVOID baseAddress;      // raw image base as a plain pointer
    IMAGE_DOS_HEADER *mz;   // DOS ("MZ") header view of the base
    IMAGE_NT_HEADERS *pe;   // NOTE(review): the NT headers normally sit at base + mz->e_lfanew,
                            // not at the base itself -- presumably this view is applied after
                            // that offset is added; confirm against the markup that uses it
};
union PE_BASE64 {
PVOID baseAddress;
IMAGE_DOS_HEADER *mz;
IMAGE_NT_HEADERS64 *pe;
herrcore / vawtrak_string_decoder.py
Last active May 10, 2023 12:23
IDA python string decoder for Vawtrak 930eccf4bedcd5e0901306410787adc6a95acd957a7383d326d9949c76fcc828
import idaapi, idc, idautils
import re
import struct
import base64
# Module-level accumulator shared by the decoder functions below; its contents
# are presumably filled in by decrypt_algo / the call sites later in the script
# (not visible here) -- confirm before relying on it.
flag_arr: list = []
def decrypt_algo(key, data, data_len):
out=""
for i in range(0, data_len):
herrcore / lang.h
Created October 28, 2021 04:39
LANGID Windows Locals enum for quickly parsing malware language checks
enum langid_country
{
Afrikaans = 0x36,
Afrikaans_South_Africa = 0x436,
Albanian = 0x1c,
Albanian_Albania = 0x41c,
Alsatian = 0x84,
Alsatian_France = 0x484,
Amharic = 0x5e,
Amharic_Ethiopia = 0x45e,
herrcore / emotet_strings.py
Last active November 30, 2022 02:43
IDA Python script for Emotet String decryption ref:EEB13CD51FAA7C23D9A40241D03BEB239626FBF3EFE1DBBFA3994FC10DEA0827
import idaapi, idc, idautils
import struct
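def xor_decrypt(data, key):
    """Return *data* XORed with *key*, repeating the key as needed.

    Args:
        data: bytes-like ciphertext (any sequence of ints in 0-255).
        key: non-empty bytes-like key, cycled over the length of *data*.

    Returns:
        ``bytes`` of the same length as *data*; empty input yields ``b""``.

    Raises:
        ValueError: if *key* is empty. The original fell through to a
            ``ZeroDivisionError`` from ``i % len(key)``, which hides the
            real cause when a key-extraction step fails upstream.
    """
    key_len = len(key)
    if key_len == 0:
        raise ValueError("xor_decrypt: key must not be empty")
    # XOR is its own inverse, so the same routine also encrypts.
    return bytes(b ^ key[i % key_len] for i, b in enumerate(data))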