# import idautils | |
import idc | |
import ida_bytes | |
import ida_ua | |
import ida_funcs | |
import ida_idp | |
from idautils import DecodeInstruction | |
import struct | |
jump_instructions = [ |
import "hash" | |
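private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries"
    condition:
        // Thin Mach-O: MH_MAGIC / MH_CIGAM (32-bit) and MH_MAGIC_64 / MH_CIGAM_64, either byte order.
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or
        uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or
        // Fat/universal header (FAT_MAGIC / FAT_CIGAM). The on-disk bytes CA FE BA BE are also the
        // Java class-file magic, so require a plausible nfat_arch at offset 4: fat binaries keep a
        // small big-endian arch count there, while class files carry minor/major version (major >= 45).
        ((uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca) and uint32be(4) < 0x14)
}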
############################################################################################ | |
## | |
## Auto-DWORD! | |
## | |
## Updated for IDA 7.xx and Python 3 | |
## | |
## To install: | |
## Copy script into plugins directory, e.g. C:\Program Files\<ida version>\plugins
## | |
## To run: |
struct PEB_UNIVERSAL | |
{ | |
BOOLEAN InheritedAddressSpace; //0x0000 | |
BOOLEAN ReadImageFileExecOptions; //0x0001 | |
BOOLEAN BeingDebugged; //0x0002 | |
BYTE byte3; | |
HANDLE Mutant; //0x0004 | |
void* ImageBaseAddress; //0x0008 | |
PEB_LDR_DATA* Ldr; //0x000C | |
RTL_USER_PROCESS_PARAMETERS* ProcessParameters; //0x0010 |
#!/usr/bin/env python | |
################################################################################################ | |
## UCL NRV2B Decompression Library | |
## | |
## Code from "Clash of the Titans: ZeuS v SpyEye": | |
## https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393 | |
## Author: Harshit Nayyar, harshit.nayyar@telus.com | |
## | |
## NOTE: This is the compression algorithm used in the Zeus trojan and subsequent variants | |
## |
############################################################################################ | |
## | |
## Quick IOCTL Decoder! | |
## | |
## All credit for actual IOCTL decode logic: | |
## http://www.osronline.com/article.cfm?article=229 | |
## | |
## | |
## To install: | |
## Copy script into plugins directory, e.g. C:\Program Files\IDA 6.8\plugins
/* One in-memory address viewed three ways: as a raw pointer, as the DOS (MZ) header,
 * or as the NT (PE) headers of a 32-bit image.
 * NOTE(review): the NT headers normally live at base + mz->e_lfanew rather than at the
 * image base itself, so `pe` is only meaningful once it has been set to that offset —
 * confirm how callers assign it. */
union PE_BASE {
    PVOID baseAddress;          /* raw image base */
    IMAGE_DOS_HEADER *mz;       /* same address as the MZ header */
    IMAGE_NT_HEADERS *pe;       /* 32-bit NT headers view (see note above) */
};
union PE_BASE64 { | |
PVOID baseAddress; | |
IMAGE_DOS_HEADER *mz; | |
IMAGE_NT_HEADERS64 *pe; |
import idaapi, idc, idautils | |
import re | |
import struct | |
import base64 | |
# Module-level accumulator shared by the decode helpers below.
# NOTE(review): nothing visible here writes to it — confirm what it collects before relying on it.
flag_arr=[]
def decrypt_algo(key, data, data_len): | |
out="" | |
for i in range(0, data_len): |
enum langid_country | |
{ | |
Afrikaans = 0x36, | |
Afrikaans_South_Africa = 0x436, | |
Albanian = 0x1c, | |
Albanian_Albania = 0x41c, | |
Alsatian = 0x84, | |
Alsatian_France = 0x484, | |
Amharic = 0x5e, | |
Amharic_Ethiopia = 0x45e, |
import idaapi, idc, idautils | |
import struct | |
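def xor_decrypt(data, key):
    """Return *data* XORed byte-by-byte with *key*, repeating the key as needed.

    Args:
        data: bytes-like buffer (indexing must yield ints, e.g. ``bytes``/``bytearray``).
        key: non-empty bytes-like key; it is cycled across the whole buffer.

    Returns:
        bytes: output of the same length as *data*.

    Raises:
        ValueError: if *key* is empty. The previous implementation surfaced this as a
            ZeroDivisionError from ``i % len(key)``, which hides the real cause.
    """
    if not key:
        raise ValueError("key must not be empty")
    key_len = len(key)
    # enumerate keeps the key index in lockstep with the data offset; the modulo
    # wraps the key for buffers longer than the key.
    return bytes(b ^ key[i % key_len] for i, b in enumerate(data))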