@lbpierre
lbpierre / clsid-identifier.py
Created June 25, 2024 14:45
CLSID identifier (e.g.: `python clsid-identifier.py C7A4AB2FA94D1340969720CC3FD40F85`)
import sys
import struct
CLSID = {
"IMediaEventEx": "56a868c0-0ad4-11ce-b03a-0020af0ba770,",
"INetworkCostManager": "dcb00008-570f-4a9b-8d69-199fdba5723b",
"INetworkConnectionCost": "dcb0000a-570f-4a9b-8d69-199fdba5723b",
"INetworkCostManagerEvents": "dcb00009-570f-4a9b-8d69-199fdba5723b",
"IEnumNetworks": "dcb00003-570f-4a9b-8d69-199fdba5723b",
"IEnumNetworkConnections": "dcb00006-570f-4a9b-8d69-199fdba5723b",
@lbpierre
lbpierre / pikabot-network-decrypt.py
Created May 21, 2024 14:54
Pikabot (v: 1.8.32-beta) network decryptor
# Hexdump viewer
def hexdump(data: bytes, length: int = 16) -> None:
def is_printable(b):
    """Return True when *b* is a printable ASCII code point (0x20..0x7e inclusive)."""
    return not (b < 0x20 or b >= 0x7f)

def to_printable(b):
    """Render byte value *b* as one ANSI-colored cell for the hexdump.

    Printable ASCII is emitted as the character itself in blue; every other
    value (including control bytes such as ESC, 0x1b) is replaced by a red '.'
    so the dump stays column-aligned and raw terminal control bytes from the
    input are never echoed to the terminal.
    """
    color, glyph = ('\033[34m', chr(b)) if is_printable(b) else ('\033[31m', '.')
    return color + glyph + '\033[0m'
@lbpierre
lbpierre / pikabot-s2-next-stage-execution.c
Created May 7, 2024 15:55
Cleaned Pikabot function in charge of executing the last stage.
void execute_next_stage()
{
_IMAGE_DOS_HEADER *decompressed_buffer; // edi
IMAGE_NT_HEADERS *lfanew; // esi
_IMAGE_NT_HEADERS *v2; // esi
_BYTE *v3; // ebx
char *v4; // ebx
int v5; // ebx
int Heap; // [esp+C8h] [ebp-C8h]
int i; // [esp+100h] [ebp-90h]
@lbpierre
lbpierre / SW2_SyscallList_hex.dmp
Created March 8, 2024 07:46
SysWhispers2 syscall identifier script, unhex the SW2_SyscallList_hex.dmp with `binascii.unhexlify(content)`
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
@lbpierre
lbpierre / SelfAU3-deobfusct.py
Created February 21, 2024 08:43
SelfAU3 de-obfuscation script: it removes junk code and unreferenced local and global variables, and de-obfuscates all strings.
import re
from itertools import filterfalse
from collections import Counter
from typing import List, Tuple, Set
# Matches a call of the shape dennis("<payload>",<a>/<b>) — presumably the
# obfuscated-string decoder call this script rewrites. Capture groups:
#   1 = `dennis("`, 2 = the quoted payload (only digits, `]` and `"` are
#   allowed, and because `"` is in the class the greedy match also swallows
#   the closing quote), 3 = `,`, 4 = <a>, 5 = `/`, 6 = <b>, 7 = `)`.
reg_DENIS: re.Pattern[str] = re.compile(r"(dennis\(\")([0-9\]\"]{1,})(,)([0-9]{1,})([\/])([0-9]{1,})([\)])")
# Matches an integer assignment of the form `$name = <digits>` (exactly one
# space on each side of `=`); the variable name is exposed as the named
# group `name`.
reg_INT_VAR: re.Pattern[str] = re.compile(r"(\$)(?P<name>[a-zA-Z0-9]{1,})( )=( )([0-9]{1,})")
def dennis(string, diff):
@lbpierre
lbpierre / tcp_server.py
Created January 26, 2024 08:06
DiceLoader fake C2, usage: `python3 tcp_server.py -v --host 0.0.0.0 --port 8080`
import os
import sys
import time
import struct
import logging
import socket
import select
import argparse
import platform
from itertools import zip_longest
@lbpierre
lbpierre / diceloader-extractor.py
Created January 18, 2024 10:33
DiceLoader configuration extractor
import sys
import pefile
from typing import List
def get_data_section_virtualAddress(pe: pefile.PE) -> int:
"""Return the .data section of a PE file."""
data_va: int = 0
@lbpierre
lbpierre / ReflectiveDLLInjection.h
Created January 17, 2024 10:51
C header file ingestible by IDA (>v8) for the ReflectiveDllInjection project available on github: https://github.com/stephenfewer/ReflectiveDLLInjection
// Presumably a custom DllMain fdwReason value (standard reasons are 0..3) —
// confirm against the upstream ReflectiveDLLInjection sources.
#define DLL_QUERY_HMODULE 6
// DEREF_* read the value stored at address `name` with the given width.
// The argument is parenthesised, but the expansion itself is not, so the
// result is a plain lvalue expression; a postfix operator written after the
// macro (e.g. `.`, `[]`) binds to `(name)` before the dereference.
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)
// Export decoration for the reflective loader entry point.
#define DLLEXPORT __declspec( dllexport )
@lbpierre
lbpierre / darkgate-doc-action-id.md
Created November 16, 2023 15:40
DarkGate C2 communication action ID description
Action ID — Description
1052 search and delete log files
1053 self update (and remove traces of the update, rmdir /s /q c:\temp && del /q /f %temp%*.au30)
1060 delete shadow copies (c vssadmin delete shadows /for=c: /all /quiet)
1072 kill rar process and remove traces of rar archive
1096 ntdll used to execute payload in memory as notepad.exe
1099 Spoof parent PID to execute a cmd.exe
1100 APC injection via NtTestAlert
1101 APC injection via NtTestAlert
@lbpierre
lbpierre / AV_checked.txt
Last active November 13, 2023 10:35
List of paths and binaries checked by DarkGate
ByteFence
C:\Program Files (x86)\Avira
C:\Program Files (x86)\F-Secu
C:\Program Files (x86)\IObit
C:\Program Files (x86)\Sophos
C:\Program Files\Malwarebytes
C:\Program Files\Quick Heal
C:\ProgramData\Emsisoft
C:\ProgramData\Kaspersky Lab
Comodo