I hereby claim:
- I am lbpierre on github.
- I am pierrelebourhis (https://keybase.io/pierrelebourhis) on keybase.
- I have a public key ASAFYD9yNYtd2yhH3Rru7Z6dJigyClt_5NSErPxp12bhbwo
To claim this, I am signing this object:
I hereby claim:
To claim this, I am signing this object:
import sys, struct, clr | |
clr.AddReference("System.Memory") | |
from System.Reflection import Assembly, MethodInfo, BindingFlags | |
from System import Type | |
import string | |
import hashlib | |
from base64 import b64decode | |
from itertools import combinations | |
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes |
import base64 | |
import binascii | |
import urllib | |
def unhex(hex_string): | |
"""oalabs fonction copy from: | |
https://github.com/OALabs/research/blob/master/_notebooks/2021-06-27-python3_examples.ipynb | |
""" |
ByteFence | |
C:\Program Files (x86)\Avira | |
C:\Program Files (x86)\F-Secu | |
C:\Program Files (x86)\IObit | |
C:\Program Files (x86)\Sophos | |
C:\Program Files\Malwarebytes | |
C:\Program Files\Quick Heal | |
C:\ProgramData\Emsisoft | |
C:\ProgramData\Kaspersky Lab | |
Comodo |
Action Id | Description |
---|---|
1052 | search and delete log files |
1053 | self update (and remove traces of the update: `rmdir /s /q c:\temp && del /q /f %temp%\*.au30`) |
1060 | delete shadow copies (c vssadmin delete shadows /for=c: /all /quiet) |
1072 | kill rar process and remove traces of rar archive |
1096 | ntdll used to execute payload in memory as notepad.exe |
1099 | Spoof parent PID to execute a cmd.exe |
1100 | APC injection via NtTestAlert |
1101 | APC injection via NtTestAlert |
/* NOTE(review): by their names these look like the helper macros of a
 * reflective-DLL loader header (DLL_QUERY_HMODULE, DEREF_*, DLLEXPORT);
 * confirm against the original source before relying on that. */

/* Custom constant with value 6. The name suggests a "query HMODULE" request
 * code -- presumably a non-standard reason passed to DllMain -- TODO confirm. */
#define DLL_QUERY_HMODULE 6 | |
/* Raw pointer helpers: cast `name` to a pointer of the given width and
 * dereference it. Each expands to an lvalue, so it can be used for both reads
 * and writes. There is NO null, bounds or alignment check -- the caller must
 * guarantee that `name` addresses at least that many accessible bytes, or
 * the access faults (or, in shellcode contexts, silently misreads). */
/* Pointer-sized (UINT_PTR) access at `name`. */
#define DEREF( name )*(UINT_PTR *)(name) | |
/* 64-bit access at `name`. */
#define DEREF_64( name )*(DWORD64 *)(name) | |
/* 32-bit access at `name`. */
#define DEREF_32( name )*(DWORD *)(name) | |
/* 16-bit access at `name`. */
#define DEREF_16( name )*(WORD *)(name) | |
/* Single-byte access at `name`. */
#define DEREF_8( name )*(BYTE *)(name) | |
/* Marks a function as exported from the DLL (MSVC `__declspec(dllexport)`). */
#define DLLEXPORT __declspec( dllexport ) |
import sys | |
import pefile | |
from typing import List | |
def get_data_section_virtualAddress(pe: pefile.PE) -> int: | |
"""Return the .data section of a PE file.""" | |
data_va: int = 0 |
import os | |
import sys | |
import time | |
import struct | |
import logging | |
import socket | |
import select | |
import argparse | |
import platform | |
from itertools import zip_longest |
import re | |
from itertools import filterfalse | |
from collections import Counter | |
from typing import List, Tuple, Set | |
# Compiled matchers used with the dennis() helper defined below. Neither
# pattern contains nested or overlapping quantifiers, so running them over
# untrusted (obfuscated) script text should not be prone to catastrophic
# backtracking.

# Matches a call written as  dennis("<arg>,<int>/<int>)  where <arg> is one
# or more of the characters 0-9, ']' or '"'.  Seven capture groups, in order:
#   1 the literal dennis("   2 <arg>   3 ','   4 first integer
#   5 '/'                   6 second integer   7 the closing ')'
# NOTE(review): because '"' is part of the character class, the closing quote
# of the first argument ends up inside group 2 -- confirm that is intended.
reg_DENIS: re.Pattern = re.compile(r"(dennis\(\")([0-9\]\"]{1,})(,)([0-9]{1,})([\/])([0-9]{1,})([\)])") | |
# Matches an integer variable assignment written as  $<name> = <digits>  with
# exactly one space on each side of '='.  The identifier is exposed as the
# named group 'name' (alphanumeric only; underscores are not accepted).
# Presumably targets AutoIt/PHP-style '$var' syntax -- TODO confirm against
# the scripts this is applied to.
reg_INT_VAR: re.Pattern = re.compile(r"(\$)(?P<name>[a-zA-Z0-9]{1,})( )=( )([0-9]{1,})") | |
def dennis(string, diff): |
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 |