Skip to content

Instantly share code, notes, and snippets.

View ntddk's full-sized avatar

Yuma Kurogome ntddk

322 followers · 127 following
  • Tokyo, Japan
View GitHub Profile
@williballenthin
williballenthin / hint_calls.py
Last active April 4, 2024 03:40
'''
IDA plugin to display the calls and strings referenced by a function as hints.
Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <william.ballenthin@fireeye.com>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils
@rain-1
rain-1 / Wannacrypt0r-FACTSHEET.md
Last active March 10, 2024 11:03 — forked from Epivalent/Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

@narusemotoki
narusemotoki / dirwatch.py
Created November 12, 2012 12:35
ディレクトリを監視して,ファイルに変更があった場合に任意のコマンドを実行します.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import datetime
import time
import os
from stat import *
import commands
def watch(dir, command):
@mrphrazer
mrphrazer / flattening_heuristic.py
Created March 4, 2021 20:28
Flattening Heuristic Implementation
# (c) Tim Blazytko 2021
# implementation based on the blog post "Automated Detection of Control-flow Flattening"
# https://synthesis.to/2021/03/03/flattening_detection.html
import sys
from miasm.analysis.binary import Container
from miasm.analysis.machine import Machine
from miasm.core.locationdb import LocationDB
@vulnersCom
vulnersCom / Petya_ransomware.md
Last active July 6, 2023 19:30

#petya #petrWrap #notPetya

Win32/Diskcoder.Petya.C

Ransomware attack.

About

This gist was built by the community of the researchers and was scribed by Kir and Igor from the QIWI/Vulners. We are grateful for the help of all those who sent us the data, links and information. Together we can make this world a better place!

Gist updates

@msuiche
msuiche / EternalBlue-SmbHandler.asm
Created April 23, 2017 09:45
DOUBLEPULSAR - ETERNALBLUE - SmbHandler()
Thanks to https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html#pulsar_step5 for the description
kd> dps srv!SrvTransaction2DispatchTable
91463530 9148b56f srv!SrvSmbOpen2
91463534 91485fe4 srv!SrvSmbFindFirst2
91463538 9148606d srv!SrvSmbFindNext2
9146353c 91488a89 srv!SrvSmbQueryFsInformation
91463540 914892f3 srv!SrvSmbSetFsInformation
91463544 9147ff65 srv!SrvSmbQueryPathInformation
91463548 91480c74 srv!SrvSmbSetPathInformation
@bridgeythegeek
bridgeythegeek / MyFirstVolatilityPlugin.md
Last active March 1, 2021 16:48
My First Volatility Plugin

My First Volatility Plugin

This is out of date!

There is an updated version of this mini-tutorial which includes the much-encouraged unified_output.

Introduction

Although there are many excellent resources for learning Volatility available (The Art of Memory Forensics book, the vol-users mailing list, the Volatility Labs blog, and the Memory Analysis training course to name a few), I've never really seen a good absolute beginners guide to writing your first plugin. So if you find yourself needing that, hopefully this will help.

The Aim

@neon-izm
neon-izm / work.md
Last active December 6, 2020 13:38
確定申告時期なので、ちょっとした副業でサラリーマンが数十万円稼いでしまった時の対処

これは法律の専門家でもなんでもない1個人の記載なので、責任は負いかねます。また、有識者の方のツッコミやご意見をお待ちしています。

概要

普段は会社勤めしていて、ついうっかり友達の仕事を手伝ったり、シェアウェアや同人誌や執筆した本を売ったら20万円超(100万円以下くらいまでを想定)の売上げが出てしまうことはよくあります。そうなってしまったらどうするか。   →開業して、利益が20万円以下なら確定申告が不要なので、経費をちゃんと記載する。 サラリーマン(会社で確定申告をしてくれる、年収2000万円以下)であれば、20万円ルールがあるため
http://blog.kimutax.com/archives/51797478.html

した方が良いこと

@msuiche
msuiche / WannaCry-SMB.c
Created May 13, 2017 08:39
WannaCry - DOUBLEPULSAR references
// https://twitter.com/msuiche
int threadMain()
{
unsigned int i; // edi@1
_DWORD *v1; // eax@2
void *v2; // esi@7
char v4; // [sp+13h] [bp-2Dh]@0
char v5; // [sp+14h] [bp-2Ch]@1
void *Memory; // [sp+18h] [bp-28h]@1
@mala
mala / a.md
Last active June 30, 2020 15:13
Chrome ExtensionのLive HTTP Headersの調査(CoolBar.Pro導入 Extensionが何を行うかの調査)

Chrome ExtensionのLive HTTP Headersを調査した。Firefox用のものではない。Firefox用のものではない。

11/7追記

English version: https://translate.google.com/translate?sl=ja&tl=en&js=y&prev=_t&hl=ja&ie=UTF-8&u=https%3A%2F%2Fgist.github.com%2Fmala%2Fe87973df5029d96c9269d9431fcef5cb&edit-text=&act=url

Summary in english.