import "dotnet"

rule net_reactor_obfuscated {
    strings:
        $s1 = "#GUlD" fullword
        $s2 = "#GUID" fullword
        $s3 = "#Blop" fullword
        $s4 = "#Blob" fullword
    condition:
        dotnet.is_dotnet and all of them
}
enum XLoaderStrings
{
    USERNAME = 0x0,
    LOCALAPPDATA = 0x1,
    USERPROFILE = 0x2,
    APPDATA = 0x3,
    TEMP = 0x4,
    ProgramFiles = 0x5,
    CommonProgramFiles = 0x6,
    ALLUSERSPROFILE = 0x7,
import ida_kernwin

# Enumerate every action currently registered with the IDA UI and dump its metadata.
registered_actions = ida_kernwin.get_registered_actions()
for action_name in registered_actions:
    print(f'name: {action_name}')
    print(f'label: {ida_kernwin.get_action_label(action_name)}')
    print(f'icon: {ida_kernwin.get_action_icon(action_name)}')
    print(f'tooltip: {ida_kernwin.get_action_tooltip(action_name)}')
    print(f'state: {ida_kernwin.get_action_state(action_name)}')
import idc


def add_bookmark(offset, comment, check_duplicate=True):
    """
    :param offset: address to bookmark
    :param comment: description stored with the bookmark
    :param check_duplicate: when True, do not add a second bookmark at an offset that already has one
    :return:
    """
    # IDA exposes a fixed set of bookmark slots; walk them to find existing entries / a free slot.
    for bslot in range(0, 1024, 1):
        slotval = idc.get_bookmark(bslot)
import sys

"""
NTCreateFile DesiredAccess Masks
0x120189
0x100181
0x12019f
0x1200a0
`C:\Program Files\IDA Pro 7.4\python\3\idc.py:5121: SyntaxWarning: "is not" with a literal. Did you mean "!="?
if newtype is not '':`

--- FIX ---
To resolve the above error, change line 5121 to
`if newtype is not None:`
rule cve_2017_8759 {
    meta:
        sample = "0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684"
    strings:
        $header = "{\\rt"
        $wsdl = "7700730064006C003D006800740074007000"
    condition:
        $header in (0..50) and $wsdl
}
function B(C){
    var D = new ActiveXObject("CDO.Message");
    var E = D.BodyPart;
    E.ContentTransferEncoding = "base64";
    E.Charset = "windows-1251";
    var F = E.GetEncodedContentStream();
    F.WriteText(C);
    F.Flush();
    F = E.GetDecodedContentStream();
    F.Charset = "utf-8";