Nick Hoffman malware-kitten
malware-kitten
/ bitter_string_decoder.py
Created
October 31, 2019 14:03
Decode strings in Ghidra from sample 11864ec73e6226f52a1e6e4074b33e89
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ghidra.program.model.listing import CodeUnit | |
| decrypt_func = 0x004039a0 | |
| def decode(offset): | |
| count = 0 | |
| res = b'' | |
| b = getByte(toAddr(offset)) | |
| while b != 0x0: | |
| try: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import binascii | |
| import sys | |
| ''' | |
| Usage: | |
| python3 clsid.py 85131631-480C-11D2-B1F9-00C04F86C324 | |
| 311613850c48d211B1F900C04F86C324 | |
| ''' |
malware-kitten
/ instruction_state_info.py
Created
June 25, 2017 20:11
— forked from withzombies/instruction_state_info.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # Copyright 2017 Ryan Stortz (@withzombies) | |
| # | |
| # Licensed under the Apache License, Version 2.0 (the "License"); | |
| # you may not use this file except in compliance with the License. | |
| # You may obtain a copy of the License at | |
| # | |
| # http://www.apache.org/licenses/LICENSE-2.0 | |
| # | |
| # Unless required by applicable law or agreed to in writing, software |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Author: Nick Hoffman / securitykitten.github.io / @infoseckitten | |
| #Description: A bro script to find beacons | |
| module BEACON; | |
| @load base/protocols/http | |
| #this is our master collection, we'll use this to store all our information | |
| global master_collection: table[addr,addr] of vector of time &synchronized; |
malware-kitten
/ vm_detect
Created
November 10, 2014 20:37
A chunk of code found online that will check for evidence of a virtual machine
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <string> | |
| #include <tlhelp32.h> | |
| #include <TCHAR.H> | |
| #include <dir.h> | |
| using namespace std; | |
| int detected = 0; | |
| DWORD GetModulePath(HINSTANCE hInst,LPTSTR pszBuffer,DWORD dwSize) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'base64' | |
| data = "3d3duIWRvYmVzZXJ2aWNlbi5ldE=" | |
| decode = Base64.decode64(data) | |
| decode.each_byte do |b| | |
| #shr dl,6 | |
| #shl al,2 | |
| #or dl,al | |
| print (((b<<6)%0xff |(b>>2)%0xff)).chr |