import argparse
import sys

def auto_int(x):
    return int(x, 0)

# Modded by Matteo 'uf0' Malvica - 2021
# The following code is taken from
# https://github.com/mwrlabs/win_driver_plugin/blob/master/win_driver_plugin/ioctl_decoder.py
@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active January 28, 2024 08:19
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in the folder /var/log and all subfolders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
@kstreepy
kstreepy / gz_extract.py
Created June 11, 2019 16:09
For a given directory, unzip all .gz files in the folder, save the unzipped files in the folder and delete the zipped files. A Python solution for instances where you do not have access to PowerShell.
import os, gzip, shutil

dir_name = 'x'

def gz_extract(directory):
    extension = ".gz"
    os.chdir(directory)
    for item in os.listdir(directory):  # loop through items in dir
        if item.endswith(extension):  # check for ".gz" extension
            gz_name = os.path.abspath(item)  # get full path of files
@matterpreter
matterpreter / NtMonitor.py
Last active February 27, 2024 09:38
Frida script to spawn a process and monitor Native API calls
import frida
import sys

def on_message(message, data):
    if message['type'] == 'send':
        print(message['payload'])
    elif message['type'] == 'error':
        print(message['stack'])
    else:
        print(message)
@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active March 10, 2024 09:15
Learning Aid - Top Base64 Encodings Table

Base64 Patterns - Learning Aid

| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | 🗣 Jabber | $. | Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
| TVq | 📺 Television | MZ | MZ header |
| SUVY | 🚙 SUV | IEX | PowerShell Invoke Expression |
| SQBFAF | 🐣 Squab favorite | I.E. | PowerShell Invoke Expression (UTF-16) |
| SQBuAH | 🐣 Squab uahhh | I.n. | PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
| PAA | 💪 "Pah!" | <. | Often used by Emotet (UTF-16) |
@Little-Ki
Little-Ki / [1] Description
Last active March 13, 2024 12:53
[Code] [Kernel] ObRegisterCallbacks
// The ObRegisterCallbacks routine registers a list of callback routines for thread, process, and desktop handle operations.
// This function is one of the most commonly used public methods in anti-cheat / anti-virus software.
// Official documentation:
// https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obregistercallbacks
// Function syntax:
// NTSTATUS ObRegisterCallbacks(
//     POB_CALLBACK_REGISTRATION CallbackRegistration,
//     PVOID *RegistrationHandle
@ctigeek
ctigeek / PowershellAes.ps1
Last active March 25, 2024 23:16
AES encryption using PowerShell.
function Create-AesManagedObject($key, $IV) {
    $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
    $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aesManaged.BlockSize = 128
    $aesManaged.KeySize = 256
    if ($IV) {
        if ($IV.getType().Name -eq "String") {
            $aesManaged.IV = [System.Convert]::FromBase64String($IV)
        }
@rkennesson
rkennesson / vmware.txt
Last active April 3, 2024 23:02
VMWare - hide the fact that you are running in a VM
#https://www.google.com/search?q=smbios.reflecthost&oq=smbios.r&aqs=chrome.0.0j69i57j0l4.2850j0j7&sourceid=chrome&ie=UTF-8 | smbios.reflecthost - Google Search
#http://www.bitcon.be/how-to-install-an-hp-branded-windows-os-as-a-virtual-server/ | How to install an HP branded Windows OS as a virtual server | BITCON - IT consultants
#https://communities.vmware.com/thread/162241?tstart=0 | This system is not supported platform |VMware Communities
#https://superuser.com/questions/199906/how-to-edit-bios-information-for-a-virtual-machine-in-vmware | How to edit BIOS information for a virtual machine in VMWare? - Super User
#http://www.insanelymac.com/forum/topic/292170-how-to-spoof-real-mac-in-vmware/ | How to spoof real Mac in VMware - Multi-booting and Virtualisation - InsanelyMac Forum
Method 1: edit VMX file for the specific VM
#add this line
SMBIOS.reflectHost = TRUE
@Neo23x0
Neo23x0 / yara_performance_guidelines.md
Last active April 30, 2024 10:39
YARA Performance Guidelines

This Gist has been transferred into a GitHub repo. You'll find the most recent version there.

YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.4, October 2020, applies to all YARA versions higher than 3.7
@DamianSuess
DamianSuess / SpecialFolderLocations.md
Last active May 6, 2024 07:53
C# Environment.SpecialFolder