msuiche / GetPowerShellInfo.ps1
Last active May 23, 2020
Memory Forensics and PowerShell
##
## A good excuse to learn LINQ in WinDbg.
## Author: Matt Suiche (@msuiche) - 18-Jan-2019
##
## References:
## Extracting Forensic Script Content from PowerShell Process Dumps (Lee Holmes) - 17 Jan 2019
## http://www.leeholmes.com/blog/2019/01/17/extracting-forensic-script-content-from-powershell-process-dumps/
## Extracting Activity History from PowerShell Process Dumps (Lee Holmes) - 4 Jan 2019
## https://www.leeholmes.com/blog/2019/01/04/extracting-activity-history-from-powershell-process-dumps/
##
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
//
// The mysterious command (0x2E214B44) results in the first 10 sectors being wiped out; the same wipe happens if the original replaceBootSectors() function fails.
//
// 0x2E214B44 ??? => Mysterious process. Name very close to AVP.exe
// Source of below hashes: https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/
msuiche / t.wnry.bt
Created May 15, 2017
010 Template for t.wnry
//------------------------------------------------
//--- 010 Editor v7.0 Binary Template
//
// File:
// Authors:
// Version:
// Purpose:
// Category:
// File Mask:
// ID Bytes:
/*
# 010 Template for t.wnry
typedef struct {
char Signature[8]; // WANACRY!
uint32 Part1Size; // Always 0x100
char DataPart1[Part1Size];
uint32 Part2Signature;
uint64 Part2Size;
char DataPart2[Part2Size];
msuiche / WannaCry-SMB.c
Created May 13, 2017
WannaCry - DOUBLEPULSAR references
// https://twitter.com/msuiche
int threadMain()
{
unsigned int i; // edi@1
_DWORD *v1; // eax@2
void *v2; // esi@7
char v4; // [sp+13h] [bp-2Dh]@0
char v5; // [sp+14h] [bp-2Ch]@1
void *Memory; // [sp+18h] [bp-28h]@1
msuiche / EternalBlue-SmbHandler.asm
Created Apr 23, 2017
DOUBLEPULSAR - ETERNALBLUE - SmbHandler()
Thanks to https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html#pulsar_step5 for the description
kd> dps srv!SrvTransaction2DispatchTable
91463530 9148b56f srv!SrvSmbOpen2
91463534 91485fe4 srv!SrvSmbFindFirst2
91463538 9148606d srv!SrvSmbFindNext2
9146353c 91488a89 srv!SrvSmbQueryFsInformation
91463540 914892f3 srv!SrvSmbSetFsInformation
91463544 9147ff65 srv!SrvSmbQueryPathInformation
91463548 91480c74 srv!SrvSmbSetPathInformation
msuiche / Installer.dll
Created Mar 10, 2017
Installer.dll (Vault7)
// Decompiled with JetBrains decompiler
// Type: Installer.Install
// Assembly: Installer, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 1DF6A781-016A-4A47-9C62-874A888EB357
// Assembly location:
using \u0004;
using \u0006;
using Microsoft.Win32;
using System;
msuiche / SNPfilter.ps1
Created Jan 30, 2017
Powershell script to parse your SNP
# http://slatestarcodex.com/2014/11/12/how-to-use-23andme-irresponsibly/
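# Column positions inside one tab-separated row of the raw-data file:
# column 0 is the rsid, column 3 is (presumably) the genotype call — verify
# against the export format of the file being parsed.
$indexSNPName = 0
$indexSNPValue = 3
# NOTE(review): raw genetic data — treat this file as sensitive. It is opened
# relative to the current working directory.
$fileName = "genome_Peter_Parker_Full_20170130051759.txt"
Write-Host " --- "
# Match the rsid followed by a tab so that a longer id sharing the same prefix
# (e.g. rs9095251) is not picked up.
$rs909525 = gci $fileName | Select-String 'rs909525\t'
if (-not $rs909525) {
    # Guard: without a match $rs909525 is $null and the .Line/.Split chain below
    # would throw instead of reporting the absence.
    Write-Host "[-] rs909525 not found in $fileName"
} else {
    # Select-String can yield several MatchInfo objects; use the first line only,
    # since .Split on an array of lines is not what we want.
    $rs909525 = @($rs909525)[0].Line.Split("`t")
    Write-Host "[+]"$rs909525[$indexSNPName] "(Warrior Gene): ("$rs909525[$indexSNPValue]")"
}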
61110bea272972903985d5d5e452802c DSZOPSDISK/Resources/Df/Uploads/i386-winnt/DoubleFeatureDll.dll.unfinalized
0d81f9972863c6d8c90100a73b0600ab DSZOPSDISK/Resources/DmGz/Uploads/i386/winnt/ntfltmgr.sys
e14ab6e6ae835792979ff50e647b89c8 DSZOPSDISK/Resources/DSky/Uploads/i386/winnt/tdi6.sys
997ba8c988340a1c644cf9a5f67e4177 DSZOPSDISK/Resources/Ep/Plugins/Files/DuplicateToken_Implant.dll
425fb612ba62fc1ecad9fb24d10f9bfa DSZOPSDISK/Resources/Ep/Plugins/Files/EventLogEdit_Implant.dll
c11142caa3013f852ccb698cc6008b51 DSZOPSDISK/Resources/Ep/Plugins/Files/GetAdmin_Implant.dll
bdd2b462e050ef2fa7778526ea4a2a58 DSZOPSDISK/Resources/Ep/Plugins/Files/kill_Implant.dll
199796e3f413074d5fdef7fe8334eccf DSZOPSDISK/Resources/Ep/Plugins/Files/LSADUMP_Implant.dll
cf5b0d82d39669f584258389f4307b82 DSZOPSDISK/Resources/Ep/Plugins/Files/modifyAudit_Implant.dll
8187650eb74ccb3f0fb647335fd54d30 DSZOPSDISK/Resources/Ep/Plugins/Files/modifyAuthentication_Implant.dll
msuiche / EquationDrug-IOC-list.txt
Created Jan 13, 2017
List of EquationDrug IOCs #ShadowBrokers
PS E:\ioc> dir . | Foreach-Object{
>> $file = $_
>> $hash = Get-FileHash $file -Algorithm MD5
>> $fileinfo = Get-Item $file
>>
>> New-Object -TypeName PSObject -Property @{
>> LastWriteTime = $fileinfo.LastWriteTime
>> Length = $fileinfo.Length
>> Algorithm = $hash.Algorithm
>> MD5 = $hash.Hash