Yuma Kurogome ntddk

  • Tokyo, Japan
@mrphrazer
mrphrazer / flattening_heuristic.py
Created March 4, 2021 20:28
Flattening Heuristic Implementation
# (c) Tim Blazytko 2021
# implementation based on the blog post "Automated Detection of Control-flow Flattening"
# https://synthesis.to/2021/03/03/flattening_detection.html
import sys
from miasm.analysis.binary import Container
from miasm.analysis.machine import Machine
from miasm.core.locationdb import LocationDB
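The heuristic this gist wraps around miasm, written out as an added stand-alone example (this is not Tim Blazytko's code and needs no miasm): compute the dominator sets of a function's CFG, and for every block that is the target of a back edge (one of its predecessors is dominated by it, i.e. a loop header) take the fraction of all blocks it dominates. The function's score is the largest such fraction; a flattened function has one loop header, the dispatcher, sitting above almost everything, while an ordinary loop header only dominates its body. The CFGs below are constructed toy graphs given as successor lists, and the 0.9 cut-off is an assumed, tunable threshold.

```python
from collections import defaultdict


def predecessors(cfg):
    """Invert a successor map {block: [succ, ...]} into {block: {pred, ...}}."""
    preds = defaultdict(set)
    for block, succs in cfg.items():
        for succ in succs:
            preds[succ].add(block)
    return preds


def dominators(cfg, entry):
    """Iterative dataflow solution: dom(b) = {b} | intersection of dom(p) over preds p.
    Every key of cfg is assumed to be reachable from entry."""
    blocks = list(cfg)
    preds = predecessors(cfg)
    dom = {b: set(blocks) for b in blocks}   # start from the top element of the lattice
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for b in blocks:
            if b == entry:
                continue
            new = {b}
            pred_doms = [dom[p] for p in preds[b]]
            if pred_doms:
                new |= set.intersection(*pred_doms)
            if new != dom[b]:
                dom[b] = new
                changed = True
    return dom


def flattening_score(cfg, entry):
    """Max over loop headers of |blocks dominated by the header| / |blocks|.
    A block only counts if one of its predecessors is dominated by it (a back edge):
    the dispatcher of a flattened function is such a header that dominates nearly
    the whole function; the function entry dominates everything but has no back edge."""
    dom = dominators(cfg, entry)
    preds = predecessors(cfg)
    total = len(cfg)
    score = 0.0
    for block in cfg:
        dominated = {b for b, ds in dom.items() if block in ds}   # includes block itself
        if not any(p in dominated for p in preds[block]):
            continue
        score = max(score, len(dominated) / total)
    return score


def is_flattened(cfg, entry, threshold=0.9):
    """Assumed cut-off: treat scores at or above 0.9 as control-flow flattening."""
    return flattening_score(cfg, entry) >= threshold


# Constructed sample CFGs (not taken from any real binary).
# Flattened: entry sets the state variable, the dispatcher switches to one of eight
# state blocks, each of which jumps back to the dispatcher except the last, which exits.
FLATTENED_CFG = {"entry": ["dispatch"],
                 "dispatch": [f"s{i}" for i in range(8)],
                 **{f"s{i}": ["dispatch"] for i in range(7)},
                 "s7": ["exit"],
                 "exit": []}
# Ordinary while loop: the header dominates only its body and the exit.
LOOP_CFG = {"entry": ["cond"], "cond": ["body", "exit"], "body": ["cond"], "exit": []}
# If/else diamond: no back edge at all.
DIAMOND_CFG = {"entry": ["a", "b"], "a": ["join"], "b": ["join"], "join": []}

if __name__ == "__main__":
    for name, cfg in [("flattened", FLATTENED_CFG), ("loop", LOOP_CFG), ("diamond", DIAMOND_CFG)]:
        print(f"{name:10s} score={flattening_score(cfg, 'entry'):.3f} "
              f"flattened={is_flattened(cfg, 'entry')}")
```

The flattened graph scores 10/11 (the dispatcher dominates every block but the entry), the plain loop 0.75 and the diamond 0. On real code the gist's own caveat applies: if the disassembler splits blocks at call sites, a function with many calls inflates the block count and the score drops, so the splitting policy has to be taken into account before trusting the threshold.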
@trishume
trishume / Flagsifier.ipynb
Created May 14, 2018 02:45
DEF CON Quals 2018 Flagsifier Notebook
@ninoseki
ninoseki / memo.md
Last active February 8, 2018 09:02
2018年度(平成30年度)税制改正について.doc ("On the FY2018 (Heisei 30) tax reform.doc")

2018年度(平成30年度)税制改正について.doc

Decoded payload (AYRUNSC.EXE)

@RKX1209
RKX1209 / r2-internal.md
Created November 3, 2017 14:51
radare2 source code note

Inside radare2 (radare2 internals)

Timeless Debugging

I want Timeless Debugging in r2 too (GSoC 2017). By the mid-term, be able to read rr and qira logs and do TD; for the final, also develop a recorder as a debugger plugin.

Questions

  • I've been told to build dsb (debugger step back), which is a single-step-back command. Should it step "over", though? After a function call, if you step back, should you land on the ret inside the function?
  • How are qira/rr tracing sessions loaded? Passed as a command-line option when r2 is run? And at what point are they loaded?
  • Implementation idea for dsb: RDebug looks like it holds the debuggee's state at that moment; revert it to the previous state. In the dso case, r_debug_step_over updates the debuggee's state through ptrace(SINGLE_STEP). So for dsb, since registers including the PC can be rewritten, moving control back one instruction via ptrace is possible. What's needed, then, is a debug log: walk through that log and roll the state back with ptrace.
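To make the dsb question concrete, an added toy model (not radare2 code): a tiny register machine whose debugger logs a snapshot before every instruction, the log being the "debug log" the notes say ptrace alone cannot supply. step_back pops one snapshot (the exact reverse of a single step, so right after a return it lands on the callee's ret), and step_back_over keeps popping until the logged call depth is no deeper than the current one, so it skips the whole callee and stops on the call. The program, register set and instruction set are constructed for the example.

```python
class ReplayDebugger:
    """Toy record-and-replay debugger for a two-register machine with CALL/RET.
    The program is a list of (op, *operands); pc indexes into it."""

    def __init__(self, program):
        self.program = program
        self.regs = {"pc": 0, "r0": 0, "r1": 0}
        self.stack = []      # return addresses; len(stack) is the call depth
        self.trace = []      # one snapshot per executed instruction, taken *before* it ran

    def _snapshot(self):
        return {"regs": dict(self.regs), "stack": list(self.stack), "depth": len(self.stack)}

    def _restore(self, snap):
        # The ptrace equivalent: write the logged registers (PC included) back into the debuggee.
        self.regs = dict(snap["regs"])
        self.stack = list(snap["stack"])

    def step(self):
        """Forward single step (ds/dso do this with ptrace SINGLESTEP); log the state first."""
        self.trace.append(self._snapshot())
        op, *args = self.program[self.regs["pc"]]
        next_pc = self.regs["pc"] + 1
        if op == "mov":
            self.regs[args[0]] = args[1]
        elif op == "add":
            self.regs[args[0]] += self.regs[args[1]]
        elif op == "call":
            self.stack.append(next_pc)
            next_pc = args[0]
        elif op == "ret":
            next_pc = self.stack.pop()
        elif op != "nop":
            raise ValueError(f"unknown op {op}")
        self.regs["pc"] = next_pc

    def step_back(self):
        """dsb: undo exactly one instruction by restoring the last logged snapshot.
        Immediately after a return this lands on the callee's ret."""
        if not self.trace:
            raise RuntimeError("already at the start of the trace")
        self._restore(self.trace.pop())

    def step_back_over(self):
        """Reverse step-over: unwind until the logged call depth is no deeper than the
        current one, so an entire callee is skipped and we stop on the call instruction."""
        depth = len(self.stack)
        while self.trace:
            snap = self.trace.pop()
            self._restore(snap)
            if snap["depth"] <= depth:
                return


# Constructed sample program: main sets r0, calls a helper that sets r1, then adds.
PROGRAM = [
    ("mov", "r0", 1),     # 0
    ("call", 4),          # 1
    ("add", "r0", "r1"),  # 2
    ("nop",),             # 3  end of main
    ("mov", "r1", 2),     # 4  helper
    ("ret",),             # 5
]


def run_and_step_back():
    """Execute up to the instruction after the call returns, then compare both reverse steps.
    Returns (pc after dsb, pc after reverse step-over)."""
    dbg = ReplayDebugger(PROGRAM)
    for _ in range(4):             # mov, call, mov (inside helper), ret
        dbg.step()
    assert dbg.regs["pc"] == 2 and dbg.stack == []
    dbg.step_back()
    pc_after_dsb = dbg.regs["pc"]   # 5: on the helper's ret, inside the callee
    dbg.step()                      # re-execute the ret
    dbg.step_back_over()
    pc_after_over = dbg.regs["pc"]  # 1: on the call, r1 not yet written
    return pc_after_dsb, pc_after_over


if __name__ == "__main__":
    print(run_and_step_back())
```

The model answers the first question both ways: a plain dsb is the inverse of ds and stops inside the callee, and the inverse of dso needs the depth bookkeeping in step_back_over. A real recorder would log only the registers and memory an instruction changed rather than whole snapshots, but the unwinding logic stays the same.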
@pinksawtooth
pinksawtooth / nao_sec-170712_Malware dropped by RIG(2017 May-June).md
Last active July 31, 2017 10:24
nao_sec-170712_Malware dropped by RIG(2017 May-June)

DecimalIP

| Date | Hash | Family |
| --- | --- | --- |
| 5/1 | 0f391cb9897dfd4ad91c66a7b17f28df8c82d8ece937a411394a7bee27a6e330 | SmokeLoader |
| 5/2 | b1ac30b73b959603bb2c42f97bab6ca48f5a953a1fcb50bacb06f0eb5e2402c7 | SmokeLoader |
| 5/7 | 0aea25457447b35ef7bb9baa849be1a2c5a06f926d4387d9540040f34cc25851 | SmokeLoader |
| 5/8 | 0fd66826ca59b33c8f9d116c97a80e632cf87821fba6e9a3ea10321e757e41c2 | SmokeLoader |
| 5/10 | 0fd66826ca59b33c8f9d116c97a80e632cf87821fba6e9a3ea10321e757e41c2 | SmokeLoader |
diff --git a/src/sat/tactic/sat_tactic.cpp b/src/sat/tactic/sat_tactic.cpp
index 6775409..634d2dc 100644
--- a/src/sat/tactic/sat_tactic.cpp
+++ b/src/sat/tactic/sat_tactic.cpp
@@ -65,6 +65,9 @@ class sat_tactic : public tactic {
CASSERT("sat_solver", m_solver.check_invariant());
IF_VERBOSE(TACTIC_VERBOSITY_LVL, m_solver.display_status(verbose_stream()););
+ m_solver.display_dimacs(std::cout);
+ std::flush(std::cout);
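Review bot: the two added lines dump the full DIMACS clause set to std::cout unconditionally on every run of the tactic, whereas the line just above gates its status output behind IF_VERBOSE(TACTIC_VERBOSITY_LVL, ...) and sends it to verbose_stream(). Anything consuming the solver's standard output will now receive the whole clause database, and for large instances that is a lot of I/O. Either gate the dump the same way, e.g. `IF_VERBOSE(TACTIC_VERBOSITY_LVL, m_solver.display_dimacs(verbose_stream()););`, or make it a tactic parameter that names an output file; the separate `std::flush(std::cout)` is then unnecessary.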

#petya #petrWrap #notPetya

Win32/Diskcoder.Petya.C

Ransomware attack.

About

This gist was built by the research community and was scribed by Kir and Igor from QIWI/Vulners. We are grateful to everyone who sent us data, links and information. Together we can make this world a better place!

Gist updates

@msuiche
msuiche / WannaCry-SMB.c
Created May 13, 2017 08:39
WannaCry - DOUBLEPULSAR references
// https://twitter.com/msuiche
int threadMain()
{
unsigned int i; // edi@1
_DWORD *v1; // eax@2
void *v2; // esi@7
char v4; // [sp+13h] [bp-2Dh]@0
char v5; // [sp+14h] [bp-2Ch]@1
void *Memory; // [sp+18h] [bp-28h]@1

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses EternalBlue (MS17-010) to propagate.
  • Ransom: between $300 and $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up, the virus exits instead of infecting the host. (source: malwarebytes) This domain has been sinkholed, stopping the spread of the worm. The kill switch will not work if the host reaches the web through a proxy (source).

update: A minor variant of the viru

@msuiche
msuiche / EternalBlue-SmbHandler.asm
Created April 23, 2017 09:45
DOUBLEPULSAR - ETERNALBLUE - SmbHandler()
Thanks to https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html#pulsar_step5 for the description
kd> dps srv!SrvTransaction2DispatchTable
91463530 9148b56f srv!SrvSmbOpen2
91463534 91485fe4 srv!SrvSmbFindFirst2
91463538 9148606d srv!SrvSmbFindNext2
9146353c 91488a89 srv!SrvSmbQueryFsInformation
91463540 914892f3 srv!SrvSmbSetFsInformation
91463544 9147ff65 srv!SrvSmbQueryPathInformation
91463548 91480c74 srv!SrvSmbSetPathInformation
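As an added example (not msuiche's code, and not a network scanner), the reply-side logic of the publicly documented Trans2 SESSION_SETUP "ping" used to detect the DOUBLEPULSAR SMB backdoor that hooks this dispatch table: the probe is sent with Multiplex ID 0x41, an unhooked server echoes that MID back, and the backdoor answers with MID 0x51. The code parses the SMB1 header out of a NetBIOS session frame and classifies the reply. The frames below are constructed sample bytes; header values other than command, NT status and MID are plausible placeholders, not captured data, and the STATUS_NOT_IMPLEMENTED in the clean sample only illustrates what the stock handler would return.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_NEGOTIATE = 0x72
PROBE_MID = 0x41                  # MID used by the Trans2 SESSION_SETUP probe
BACKDOOR_MID_DELTA = 0x10         # the backdoor answers with MID 0x51 = 0x41 + 0x10
STATUS_NOT_IMPLEMENTED = 0xC0000002

# SMB1 header, little-endian: magic, command, NT status, flags, flags2, PIDHigh,
# security signature, reserved, TID, PIDLow, UID, MID (32 bytes in total).
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
FIELDS = ("magic", "command", "status", "flags", "flags2", "pid_high",
          "signature", "reserved", "tid", "pid_low", "uid", "mid")


def parse_smb_frame(frame):
    """Parse a NetBIOS session frame (4-byte prefix) carrying an SMB1 reply.
    Raises ValueError rather than guessing on malformed input."""
    if len(frame) < 4 + SMB_HEADER.size:
        raise ValueError("frame too short for NetBIOS + SMB1 header")
    if frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    if int.from_bytes(frame[1:4], "big") != len(frame) - 4:
        raise ValueError("NetBIOS length does not match frame length")
    fields = dict(zip(FIELDS, SMB_HEADER.unpack_from(frame, 4)))
    if fields["magic"] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    if not fields["flags"] & 0x80:
        raise ValueError("not a server reply (SMB_FLAGS_REPLY clear)")
    return fields


def classify_probe_response(frame, sent_mid=PROBE_MID):
    """'infected' if the reply carries the backdoor's shifted MID, 'clean' if the server
    echoed the MID we sent, otherwise 'unexpected' (wrong command, unrelated MID)."""
    hdr = parse_smb_frame(frame)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"
    if hdr["mid"] == sent_mid + BACKDOOR_MID_DELTA:
        return "infected"
    if hdr["mid"] == sent_mid:
        return "clean"
    return "unexpected"


def make_reply_frame(command, status, mid, signature=bytes(8)):
    """Constructed sample: minimal SMB1 reply (header, WordCount 0, ByteCount 0).
    Flags 0x98 sets the reply bit; TID/PID/UID are arbitrary placeholders."""
    header = SMB_HEADER.pack(SMB_MAGIC, command, status, 0x98, 0xC807, 0,
                             signature, 0, 0x0800, 0xFEFF, 0x0800, mid)
    body = header + b"\x00" + b"\x00\x00"
    return b"\x00" + len(body).to_bytes(3, "big") + body


# Constructed sample frames standing in for what a scanner would read off the socket.
INFECTED_REPLY = make_reply_frame(SMB_COM_TRANSACTION2, 0, PROBE_MID + BACKDOOR_MID_DELTA)
CLEAN_REPLY = make_reply_frame(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED, PROBE_MID)
WRONG_COMMAND_REPLY = make_reply_frame(SMB_COM_NEGOTIATE, 0, PROBE_MID)

if __name__ == "__main__":
    for name, frame in [("infected", INFECTED_REPLY), ("clean", CLEAN_REPLY),
                        ("wrong cmd", WRONG_COMMAND_REPLY)]:
        print(f"{name:10s} -> {classify_probe_response(frame)}")
```

A real check has to complete SMB negotiate, session setup and tree connect before sending the Trans2 probe; this block only decides what the final reply means, and it refuses frames whose NetBIOS length or reply flag does not line up instead of reading a MID out of garbage.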