#include <stdio.h> | |
#include <windows.h> | |
#include "peconv.h" | |
/* | |
Requires a path to the original TrickBot module: 0a7da84873f2a4fe0fcc58c88bbbe39d | |
*/ | |
#define OFFSET_DECODE_LIST 0x10ab0 //decode_from_the_list |
#![windows_subsystem = "windows"] | |
extern crate libc; | |
use std::os::raw::{c_void, c_int}; | |
use std::{ptr, thread, time}; | |
#[link(name = "kernel32")] | |
#[link(name = "user32")] | |
extern "stdcall" { | |
pub fn LoadLibraryA(lpFileName: *const u8) -> *const usize; | |
pub fn GetProcAddress(hModule: *const usize, lpProcName: *const u8) -> *const usize; |
# Inspired by https://medium.com/@ismailakkila/black-hat-python-encrypt-and-decrypt-with-rsa-cryptography-bd6df84d65bc | |
# Updated to use python3 bytes and pathlib | |
import zlib | |
import base64 | |
from Crypto.PublicKey import RSA | |
from Crypto.Cipher import PKCS1_OAEP | |
from pathlib import Path | |
advapi32.dll!A_SHAFinal -> 0xF4E238A7 | |
advapi32.dll!A_SHAInit -> 0xDA327198 | |
advapi32.dll!A_SHAUpdate -> 0xD0B4D215 | |
advapi32.dll!AbortSystemShutdownA -> 0xC0D2ED81 | |
advapi32.dll!AbortSystemShutdownW -> 0xD395D051 | |
advapi32.dll!AccessCheck -> 0xF9ABFC27 | |
advapi32.dll!AccessCheckAndAuditAlarmA -> 0xDB243296 | |
advapi32.dll!AccessCheckAndAuditAlarmW -> 0xC8630F46 | |
advapi32.dll!AccessCheckByType -> 0xDC6520A8 | |
advapi32.dll!AccessCheckByTypeAndAuditAlarmA -> 0xD0023DC7 |
import argparse | |
import yara | |
from colorama import init, Fore, Back, Style | |
init() | |
args_parser = argparse.ArgumentParser() | |
args_parser.add_argument('-f', '--file', help='cobaltstrike shellcode exe file', type=str, required=True) | |
args_parser.add_argument('-o', '--out', help='output file', type=str, required=False) | |
args = args_parser.parse_args() |
import idaapi, idc, idautils | |
class DecryptorError(Exception):
    """Exception type specific to this decryptor script.

    Carries no state beyond what the base ``Exception`` provides; it exists so
    callers can catch decryptor failures separately from other errors.
    """
def rc4crypt(key, data): | |
x = 0 | |
box = list(range(256)) |
Write-Host -NoNewline " " | |
Write-Host -NoNewline " _______ _______ ___ _______ _______ _______ " | |
Write-Host -NoNewline " | || _ || | | _ || _ || | " | |
Write-Host -NoNewline " | _ || |_| || | | |_| || |_| || _____| " | |
Write-Host -NoNewline " | | | || || | | || || |_____ " | |
Write-Host -NoNewline " | |_| || || |___ | || _ | |_____ | " | |
Write-Host -NoNewline " | || _ || || _ || |_| | _____| | " | |
Write-Host -NoNewline " |_______||__| |__||_______||__| |__||_______||_______| " | |
Write-Host -NoNewline " " | |
Write-Host -NoNewline " " |
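# Provisions the analysis VM with Boxstarter: relaxes the execution policy,
# bootstraps Boxstarter, then applies the OALabs x86 VM package from a gist.
# Set-ExecutionPolicy without -Scope changes the LocalMachine policy, which
# typically requires an elevated PowerShell prompt.
Set-ExecutionPolicy Unrestricted;
# NOTE(review): this downloads a script and executes it with iex. Fetching over
# HTTPS (instead of plain HTTP) prevents the bootstrapper from being altered in
# transit; there is still no hash/signature check on what boxstarter.org serves,
# so the bootstrapper is trusted on first use. If the VM's .NET defaults to an
# older TLS version, WebClient may need [Net.ServicePointManager]::SecurityProtocol
# set to Tls12 first -- TODO confirm on the target image.
iex ((New-Object System.Net.WebClient).DownloadString('https://boxstarter.org/bootstrapper.ps1'));
get-boxstarter -Force;
# The package URL is pinned to a specific gist commit (raw/<sha>/...), so the
# package content cannot change underneath this script.
Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1';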
import os | |
import pefile | |
import json | |
INTERESTING_DLLS = [ | |
'kernel32.dll', 'comctl32.dll', 'advapi32.dll', 'comdlg32.dll', | |
'gdi32.dll', 'msvcrt.dll', 'netapi32.dll', 'ntdll.dll', | |
'ntoskrnl.exe', 'oleaut32.dll', 'psapi.dll', 'shell32.dll', | |
'shlwapi.dll', 'srsvc.dll', 'urlmon.dll', 'user32.dll', |