ilbaroni

#include <stdio.h>
#include <windows.h>

#include "peconv.h"

/*
Requires a path to the original trick bot module: 0a7da84873f2a4fe0fcc58c88bbbe39d
*/

#define OFFSET_DECODE_LIST 0x10ab0 //decode_from_the_list

ilbaroni

#![windows_subsystem = "windows"]
extern crate libc;
use std::os::raw::{c_void, c_int};
use std::{ptr, thread, time};

#[link(name = "kernel32")]
#[link(name = "user32")]
extern "stdcall" {
    pub fn LoadLibraryA(lpFileName: *const u8) -> *const usize;
    pub fn GetProcAddress(hModule: *const usize, lpProcName: *const u8) -> *const usize;

ilbaroni

# Inspired from https://medium.com/@ismailakkila/black-hat-python-encrypt-and-decrypt-with-rsa-cryptography-bd6df84d65bc
# Updated to use python3 bytes and pathlib

import zlib
import base64
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
from pathlib import Path

ilbaroni

advapi32.dll!A_SHAFinal -> 0xF4E238A7 
advapi32.dll!A_SHAInit -> 0xDA327198 
advapi32.dll!A_SHAUpdate -> 0xD0B4D215 
advapi32.dll!AbortSystemShutdownA -> 0xC0D2ED81 
advapi32.dll!AbortSystemShutdownW -> 0xD395D051 
advapi32.dll!AccessCheck -> 0xF9ABFC27 
advapi32.dll!AccessCheckAndAuditAlarmA -> 0xDB243296 
advapi32.dll!AccessCheckAndAuditAlarmW -> 0xC8630F46 
advapi32.dll!AccessCheckByType -> 0xDC6520A8 
advapi32.dll!AccessCheckByTypeAndAuditAlarmA -> 0xD0023DC7 

ilbaroni

IDAPython cheatsheet

Important links

• Porting IDAPython plugins to IDA 7.4
• Hex-Rays IDAPython official documentation

Basic commands

Get informations on the binary

ilbaroni

import argparse
import yara
from colorama import init, Fore, Back, Style

init()

args_parser = argparse.ArgumentParser()
args_parser.add_argument('-f', '--file', help='cobaltstrike shellcode exe file', type=str, required=True)
args_parser.add_argument('-o', '--out', help='output file', type=str, required=False)
args = args_parser.parse_args()

ilbaroni

import idaapi, idc, idautils


class DecryptorError(Exception):
    pass


def rc4crypt(key, data):
    x = 0
    box = list(range(256))

ilbaroni

Write-Host -NoNewline " "
Write-Host -NoNewline "  _______  _______  ___      _______  _______  _______  "
Write-Host -NoNewline " |       ||   _   ||   |    |   _   ||  _    ||       | "
Write-Host -NoNewline " |   _   ||  |_|  ||   |    |  |_|  || |_|   ||  _____| "
Write-Host -NoNewline " |  | |  ||       ||   |    |       ||       || |_____  "
Write-Host -NoNewline " |  |_|  ||       ||   |___ |       ||  _   | |_____  | "
Write-Host -NoNewline " |       ||   _   ||       ||   _   || |_|   | _____| | "
Write-Host -NoNewline " |_______||__| |__||_______||__| |__||_______||_______| "
Write-Host -NoNewline " "
Write-Host -NoNewline " "

ilbaroni

Set-ExecutionPolicy Unrestricted;
iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1'));
get-boxstarter -Force;
Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1';

ilbaroni

import os
import pefile
import json 

INTERESTING_DLLS = [
    'kernel32.dll', 'comctl32.dll', 'advapi32.dll', 'comdlg32.dll',
    'gdi32.dll',    'msvcrt.dll',   'netapi32.dll', 'ntdll.dll',
    'ntoskrnl.exe', 'oleaut32.dll', 'psapi.dll',    'shell32.dll',
    'shlwapi.dll',  'srsvc.dll',    'urlmon.dll',   'user32.dll',