
Matt Suiche msuiche

msuiche / GetPowerShellInfo.ps1
Last active Mar 26, 2019
Memory Forensics and PowerShell
##
## A good excuse to learn LINQ in WinDbg.
## Author: Matt Suiche (@msuiche) - 18-Jan-2019
##
## References:
## Extracting Forensic Script Content from PowerShell Process Dumps (Lee Holmes) - 17 Jan 2019
## http://www.leeholmes.com/blog/2019/01/17/extracting-forensic-script-content-from-powershell-process-dumps/
## Extracting Activity History from PowerShell Process Dumps (Lee Holmes) - 4 Jan 2019
## https://www.leeholmes.com/blog/2019/01/04/extracting-activity-history-from-powershell-process-dumps/
##
View WipeMeOrNot.c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
//
// The mysterious command (0x2E214B44) results in the first 10 sectors being wiped out; the same wipe also happens if the original replaceBootSectors() function fails.
//
// 0x2E214B44 ??? => Mysterious process. Name very close to AVP.exe
// Source of below hashes: https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/
msuiche / t.wnry.bt
Created May 15, 2017
010 Template for t.wnry
//------------------------------------------------
//--- 010 Editor v7.0 Binary Template
//
// File:
// Authors:
// Version:
// Purpose:
// Category:
// File Mask:
// ID Bytes:
View WannaCry-KeyInitialization.c
/*
# 010 Template for t.wnry
typedef struct {
char Signature[8]; // WANACRY!
uint32 Part1Size; // Always 0x100
char DataPart1[Part1Size];
uint32 Part2Signature;
uint64 Part2Size;
char DataPart2[Part2Size];
msuiche / WannaCry-SMB.c
Created May 13, 2017
WannaCry - DOUBLEPULSAR references
// https://twitter.com/msuiche
int threadMain()
{
unsigned int i; // edi@1
_DWORD *v1; // eax@2
void *v2; // esi@7
char v4; // [sp+13h] [bp-2Dh]@0
char v5; // [sp+14h] [bp-2Ch]@1
void *Memory; // [sp+18h] [bp-28h]@1
msuiche / EternalBlue-SmbHandler.asm
Created Apr 23, 2017
DOUBLEPULSAR - ETERNALBLUE - SmbHandler()
Thanks to https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html#pulsar_step5 for the description
kd> dps srv!SrvTransaction2DispatchTable
91463530 9148b56f srv!SrvSmbOpen2
91463534 91485fe4 srv!SrvSmbFindFirst2
91463538 9148606d srv!SrvSmbFindNext2
9146353c 91488a89 srv!SrvSmbQueryFsInformation
91463540 914892f3 srv!SrvSmbSetFsInformation
91463544 9147ff65 srv!SrvSmbQueryPathInformation
91463548 91480c74 srv!SrvSmbSetPathInformation
msuiche / Installer.dll
Created Mar 10, 2017
Installer.dll (Vault7)
// Decompiled with JetBrains decompiler
// Type: Installer.Install
// Assembly: Installer, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 1DF6A781-016A-4A47-9C62-874A888EB357
// Assembly location:
using \u0004;
using \u0006;
using Microsoft.Win32;
using System;
msuiche / SNPfilter.ps1
Created Jan 30, 2017
Powershell script to parse your SNP
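# http://slatestarcodex.com/2014/11/12/how-to-use-23andme-irresponsibly/
#
# Looks up a single SNP (rs909525) in a tab-separated raw-data export and
# prints its call. Column 0 is treated as the SNP name and column 3 as its
# value (see the index variables below); columns 1-2 are not used here.
#
# NOTE(review): the input is raw personal genetic data. Keep the export file
# out of source control and shared locations; this script only reads it.
param(
    # Path to the raw-data export. Defaults to the original hard-coded name so
    # existing invocations without arguments behave as before.
    [string]$fileName = "genome_Peter_Parker_Full_20170130051759.txt"
)

$indexSNPName = 0    # column holding the rsid
$indexSNPValue = 3   # column holding the genotype call

Write-Host " --- "

# Select-String over the file object searches its contents; the trailing tab in
# the pattern prevents a prefix match (e.g. rs9095251). It returns $null when
# the marker is absent, which would otherwise make .Line throw below.
$rs909525 = Get-ChildItem $fileName | Select-String 'rs909525\t'
if ($null -eq $rs909525) {
    Write-Host "[-] rs909525 (Warrior Gene): not found in $fileName"
} else {
    $rs909525 = $rs909525.Line.Split("`t")
    Write-Host "[+]"$rs909525[$indexSNPName] "(Warrior Gene): ("$rs909525[$indexSNPValue]")"
}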
View equation_drug_hashes.txt
61110bea272972903985d5d5e452802c DSZOPSDISK/Resources/Df/Uploads/i386-winnt/DoubleFeatureDll.dll.unfinalized
0d81f9972863c6d8c90100a73b0600ab DSZOPSDISK/Resources/DmGz/Uploads/i386/winnt/ntfltmgr.sys
e14ab6e6ae835792979ff50e647b89c8 DSZOPSDISK/Resources/DSky/Uploads/i386/winnt/tdi6.sys
997ba8c988340a1c644cf9a5f67e4177 DSZOPSDISK/Resources/Ep/Plugins/Files/DuplicateToken_Implant.dll
425fb612ba62fc1ecad9fb24d10f9bfa DSZOPSDISK/Resources/Ep/Plugins/Files/EventLogEdit_Implant.dll
c11142caa3013f852ccb698cc6008b51 DSZOPSDISK/Resources/Ep/Plugins/Files/GetAdmin_Implant.dll
bdd2b462e050ef2fa7778526ea4a2a58 DSZOPSDISK/Resources/Ep/Plugins/Files/kill_Implant.dll
199796e3f413074d5fdef7fe8334eccf DSZOPSDISK/Resources/Ep/Plugins/Files/LSADUMP_Implant.dll
cf5b0d82d39669f584258389f4307b82 DSZOPSDISK/Resources/Ep/Plugins/Files/modifyAudit_Implant.dll
8187650eb74ccb3f0fb647335fd54d30 DSZOPSDISK/Resources/Ep/Plugins/Files/modifyAuthentication_Implant.dll
msuiche / EquationDrug-IOC-list.txt
Created Jan 13, 2017
List of EquationDrug IOCs #ShadowBrokers
PS E:\ioc> dir . | Foreach-Object{
>> $file = $_
>> $hash = Get-FileHash $file -Algorithm MD5
>> $fileinfo = Get-Item $file
>>
>> New-Object -TypeName PSObject -Property @{
>> LastWriteTime = $fileinfo.LastWriteTime
>> Length = $fileinfo.Length
>> Algorithm = $hash.Algorithm
>> MD5 = $hash.Hash