Pedram Amini pedramamini

@pedramamini
pedramamini / 20200730-emotet.txt
Created July 31, 2020 21:33
Emotet samples from 7/30/2020 with VT score (out of ~60) and InQuest score (out of 10).
00077dbdfe4e79c38048d2060cb90ea2bdd50cc346a45bae87ea6093ddb02321 vt=25 iq=9
0039413ea9580579720c262bf207d64bacac7b1c93056c8b5fa2f2347714b096 vt=27 iq=9
005307ad7426c4c1b014c27f51ba5c0ad2ca752195099a7378e3d622cdf7a2d6 vt=29 iq=9
007fc402dd61e8222bb4fd1214544b0a620f622aaa186b1bd5a2207613fdd558 vt=28 iq=9
00812e8bf247cc4740941ed973f367678110761be944eef39e69217fc78412cb vt=25 iq=9
00884a49002e25be473b8704fa9935f7cfcbb2d4bf75dc4fa054f16019eac82d vt=24 iq=9
00dd0eb0c5acbcc376a26eb4f974187be2bac8a4e9c00876faa23d656953fa53 vt=28 iq=9
014e0bfbd01c796a79ea0324177bf7bb89e6e1d7dccd58008d62024f1bbcfe5d vt=27 iq=9
01663b94d847370d937c017344092fb204b3fef3bca2c0d26c9f49ebac946525 vt=29 iq=9
0195eda6f0dbf03b6fa7c2689f538bb998ce4cc533fd7117c956c7c5c2f62437 vt=27 iq=9
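The list above pairs each SHA-256 with a VirusTotal detection count and an InQuest score, and the interesting property is the gap between them: every sample scores 9/10 at InQuest while only 24 to 29 of roughly 60 VT engines flag it. The following is an added example (not part of the gist) that turns such a list into validated records, rejects malformed lines, and pulls out the hashes with weak AV coverage. The denominators (60 VT engines, InQuest out of 10) are taken from the gist description and treated as constants; the sample input is three lines copied from the list plus one constructed bad line.

```python
import re
from dataclasses import dataclass

# Constructed input: three lines copied from the list above plus one malformed
# line so the rejection path is exercised. Not part of the gist.
SAMPLE = """\
00077dbdfe4e79c38048d2060cb90ea2bdd50cc346a45bae87ea6093ddb02321 vt=25 iq=9
0039413ea9580579720c262bf207d64bacac7b1c93056c8b5fa2f2347714b096 vt=27 iq=9
005307ad7426c4c1b014c27f51ba5c0ad2ca752195099a7378e3d622cdf7a2d6 vt=29 iq=9
deadbeef vt=5 iq=1
"""

# Assumed denominators: the gist says VT is "out of ~60" engines and the
# InQuest score is out of 10. The real VT engine count varies per scan.
VT_ENGINES = 60
IQ_MAX = 10

# One record per line: 64 lowercase hex chars, then vt=<n> and iq=<n>.
LINE_RE = re.compile(r"^(?P<sha256>[0-9a-f]{64})\s+vt=(?P<vt>\d+)\s+iq=(?P<iq>\d+)$")


@dataclass(frozen=True)
class Sample:
    sha256: str
    vt: int
    iq: int

    @property
    def vt_ratio(self) -> float:
        """Fraction of VT engines that flagged the sample."""
        return self.vt / VT_ENGINES

    @property
    def iq_ratio(self) -> float:
        return self.iq / IQ_MAX


def parse(text):
    """Return (samples, rejected); rejected holds (line number, raw line) pairs."""
    samples, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip().lower()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            rejected.append((lineno, raw))
            continue
        samples.append(Sample(m["sha256"], int(m["vt"]), int(m["iq"])))
    return samples, rejected


def low_av_coverage(samples, min_iq=8, max_vt_ratio=0.5):
    """Hashes rated >= min_iq by InQuest while fewer than max_vt_ratio of VT engines flag them."""
    return [s.sha256 for s in samples if s.iq >= min_iq and s.vt_ratio < max_vt_ratio]


def blocklist(samples):
    """Deduplicated, sorted SHA-256 set suitable for a hash blocklist feed."""
    return sorted({s.sha256 for s in samples})


if __name__ == "__main__":
    found, bad = parse(SAMPLE)
    for s in found:
        print(f"{s.sha256}  vt={s.vt:2d}/{VT_ENGINES} ({s.vt_ratio:.0%})  iq={s.iq}/{IQ_MAX}")
    for lineno, raw in bad:
        print(f"rejected line {lineno}: {raw!r}")
    print("low AV coverage:", len(low_av_coverage(found)), "of", len(found))
```

Run it against the full gist by replacing SAMPLE with the file contents; every hash in the list lands in low_av_coverage() at the default 50% threshold, which is the point the gist is making about signature coverage on fresh Emotet droppers.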
' Our comments are prefixed with the string "[InQuest]". Other comments are preserved originals from the macro.
' The sample is available for download from InQuest Labs:
'
' https://labs.inquest.net/dfi/sha256/12d21da9bd0f7d877e04e59ad347b0e8787124c9f0ec170a913451acfb14a3b6
'
' Examining the OLE directory structure with oledump:
'
' $ oledump.py 12d21da9bd0f7d877e04e59ad347b0e8787124c9f0ec170a913451acfb14a3b6
' 1: 146 '\x01CompObj'
' 2: 6 '\x03ObjInfo'
import sys
if len(sys.argv) != 2:
    sys.stderr.write("usage: %s <input path>\n" % sys.argv[0])
    sys.exit(1)
path = sys.argv.pop()
data1 = []
data2 = []
data3 = []
@pedramamini
pedramamini / the_carver.py
Last active March 16, 2019 15:34
Carve files out of a blob.
#!/usr/bin/env python
# source: https://gist.github.com/pedramamini/54df2648a1b73adf9a0d6d0b1a75ca0a
import os
import re
import sys
import errno
import string
# debug output.
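The gist above is only shown up to its imports, so here is an added example (my own code, not the_carver.py) of the technique its description names: scanning a blob for file signatures and cutting each hit at a format-specific end marker rather than at the next signature. ZIP is bounded by its end-of-central-directory record plus the optional comment, PDF by "%%EOF", PNG by the IEND chunk. The signature table, file kinds and the build_sample_blob() input are all constructed for this example.

```python
import io
import os
import re
import struct
import zipfile
import zlib


def _zip_end(blob, start):
    # A ZIP archive is bounded by its end-of-central-directory record
    # ("PK\x05\x06", 22 bytes fixed) plus a trailing comment whose length is
    # the 2-byte little-endian field at offset 20 of that record.
    eocd = blob.find(b"PK\x05\x06", start)
    if eocd < 0 or eocd + 22 > len(blob):
        return None
    comment_len = struct.unpack_from("<H", blob, eocd + 20)[0]
    return min(eocd + 22 + comment_len, len(blob))


def _pdf_end(blob, start):
    eof = blob.find(b"%%EOF", start)
    return None if eof < 0 else eof + len(b"%%EOF")


def _png_end(blob, start):
    # The IEND chunk is: 4-byte length (0), "IEND", 4-byte CRC.
    iend = blob.find(b"IEND", start)
    return None if iend < 0 else iend + 8


# (kind, start magic, function mapping (blob, start) -> end offset or None)
SIGNATURES = [
    ("zip", b"PK\x03\x04", _zip_end),
    ("pdf", b"%PDF-", _pdf_end),
    ("png", b"\x89PNG\r\n\x1a\n", _png_end),
]


def carve(blob):
    """Return [(kind, start, end)] for each bounded file found in blob.

    A ZIP has one local-file header per entry, so every entry matches the
    start magic; hits that begin inside a span already carved for the same
    kind are dropped so one archive is reported once.
    """
    hits = []
    for kind, magic, end_fn in SIGNATURES:
        for m in re.finditer(re.escape(magic), blob):
            end = end_fn(blob, m.start())
            if end is not None:
                hits.append((kind, m.start(), end))
    hits.sort(key=lambda h: h[1])
    carved, last_end = [], {}
    for kind, start, end in hits:
        if start < last_end.get(kind, 0):
            continue
        carved.append((kind, start, end))
        last_end[kind] = end
    return carved


def write_carved(blob, out_dir):
    """Write each carved object to out_dir as <start offset>.<kind>; return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for kind, start, end in carve(blob):
        path = os.path.join(out_dir, f"{start:08x}.{kind}")
        with open(path, "wb") as f:
            f.write(blob[start:end])
        paths.append(path)
    return paths


def zip_entry_names(data):
    """Names inside a carved ZIP; raises if the carved bytes are not a valid archive."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def _png_chunk(tag, data):
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def build_sample_blob():
    """Constructed test input: junk, a two-entry ZIP with a comment, a PDF and a PNG."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("a.txt", "hello")
        z.writestr("b.txt", "world")
        z.comment = b"trailing comment"  # exercises the EOCD comment-length field
    zip_bytes = zbuf.getvalue()
    pdf_bytes = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
    png_bytes = (b"\x89PNG\r\n\x1a\n"
                 + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
                 + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
                 + _png_chunk(b"IEND", b""))
    blob = b"\x00" * 16 + zip_bytes + b"JUNK" + pdf_bytes + b"\xff" * 8 + png_bytes + b"tail"
    return blob, zip_bytes, pdf_bytes, png_bytes
```

The end-marker approach is what makes carved archives open cleanly: cutting at the next signature instead would truncate the ZIP's central directory or glue trailing junk onto the PDF. It is still heuristic; a PDF with incremental updates has several "%%EOF" markers and only the last is the real end, so a carver meant for evidence work should parse the format rather than scan for markers.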
@pedramamini
pedramamini / disable_ddeauto.reg
Created October 20, 2017 03:41 — forked from wdormann/disable_ddeauto.reg
Disable DDEAUTO for Outlook, Word, and Excel versions 2010, 2013, 2016
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000001
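The preview above stops after the three Word keys; the description says the full file also covers Excel and Outlook. What a practitioner wants next is a way to confirm the setting actually landed for every Office version in scope. The following added example (not Dormann's or Amini's code) parses Regedit 5.00 export text into a dictionary and reports, per version and application, whether DontUpdateLinks is set to 1, set to something else, or absent. The input is constructed: the Word keys from the gist with the 14.0 value deliberately changed to 0 so the check has something to flag.

```python
import re

# Constructed input: the Word keys from the gist, with 14.0 set to 0 on purpose.
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Parse a .reg export into {key: {value name: data}}.

    dword values become ints, quoted strings become str, a data of '-' marks a
    deleted value (stored as None), and a [-key] line maps the key to None.
    Other encodings (hex:, hex(2): ...) are kept as their raw text.
    """
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Regedit 5.00 export")
    result, current = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            if m["delete"]:
                result[m["key"]] = None
                current = None
            else:
                current = m["key"]
                result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = "" if m["default"] else m["name"]
        data = m["data"]
        if data == "-":
            value = None
        elif data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = data
        result[current][name] = value
    return result


def check_dont_update_links(reg, versions=("14.0", "15.0", "16.0"), apps=("Word",)):
    """Return {(version, app): 'hardened' | 'weak' | 'missing'} for DontUpdateLinks."""
    status = {}
    for ver in versions:
        for app in apps:
            key = "\\".join(["HKEY_CURRENT_USER", "Software", "Microsoft", "Office", ver, app, "Options"])
            values = reg.get(key) or {}
            v = values.get("DontUpdateLinks")
            status[(ver, app)] = "missing" if v is None else ("hardened" if v == 1 else "weak")
    return status


if __name__ == "__main__":
    for (ver, app), state in sorted(check_dont_update_links(parse_reg(REG_TEXT)).items()):
        print(f"Office {ver} {app}: {state}")
```

Checking an export file only proves what the .reg file would set; on the target machine read the live hive (Python's winreg module, or reg.exe query) and run check_dont_update_links() on that instead. Note the keys live under HKEY_CURRENT_USER, so the import has to run in each user's context.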
@pedramamini
pedramamini / yara_fn.py
Created August 19, 2016 13:41 — forked from williballenthin/yara_fn.py
generate a yara rule that matches the basic blocks of the current function in IDA Pro
'''
IDAPython script that generates a YARA rule to match against the
basic blocks of the current function. It masks out relocation bytes
and ignores jump instructions (given that we're already trying to
match compiler-specific bytes, this is of arguable benefit).
If python-yara is installed, the IDAPython script also validates that
the generated rule matches at least one segment in the current file.
author: Willi Ballenthin <william.ballenthin@fireeye.com>
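The script above needs IDA to walk the function's basic blocks, which makes its core idea (emit one hex string per block, wildcard the bytes a linker would change, require all strings) hard to try outside IDA. The following is an added example, not Ballenthin's yara_fn.py, that implements that idea over hand-assembled x86 blocks with known relocation offsets and validates the rule the way the original does with yara-python, except that a small regex-based matcher stands in for yara so it runs offline. It does not drop jump instructions, which the original does as an option. The blocks, offsets and rule name are all constructed for the example.

```python
import re

# Constructed basic blocks (hand-assembled x86, not from any real binary).
# Each is (bytes, {byte offsets of 4-byte relocatable immediates}).
#   push ebp; mov ebp,esp; sub esp,0x10; call <rel32>; test eax,eax
BB0 = (b"\x55\x8b\xec\x83\xec\x10\xe8\x11\x22\x33\x44\x85\xc0", {7})
#   mov eax,[ebp+8]; push eax; call dword ptr [<abs32>]; pop ebp; ret
BB1 = (b"\x8b\x45\x08\x50\xff\x15\xaa\xbb\xcc\xdd\x5d\xc3", {6})
RELOC_SIZE = 4


def hex_string(block, reloc_offsets, reloc_size=RELOC_SIZE):
    """Render a block as a YARA hex string, wildcarding every relocated byte."""
    masked = {off + i for off in reloc_offsets for i in range(reloc_size)}
    return " ".join("??" if i in masked else f"{b:02x}" for i, b in enumerate(block))


def yara_rule(name, blocks):
    """Emit one $bbN string per basic block; the rule requires all of them."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, (block, relocs) in enumerate(blocks):
        lines.append(f"        $bb{i} = {{ {hex_string(block, relocs)} }}")
    lines += ["    condition:", "        all of them", "}"]
    return "\n".join(lines)


def _hex_to_regex(hexstr):
    # "??" -> any byte, "ab" -> \xab; re.DOTALL below makes "." also match 0x0a.
    return b"".join(b"." if tok == "??" else b"\\x" + tok.encode() for tok in hexstr.split())


def rule_matches(rule_text, data):
    """Stand-in for yara.compile(source=...).match(data=...): true iff every $bbN occurs."""
    patterns = re.findall(r"\$bb\d+ = \{ ([0-9a-f? ]+) \}", rule_text)
    return bool(patterns) and all(re.search(_hex_to_regex(p), data, re.DOTALL) for p in patterns)


def relink(block, reloc_offsets, new_value):
    """Replace each relocated immediate; simulates the same code rebased or relinked."""
    out = bytearray(block)
    for off in reloc_offsets:
        out[off:off + RELOC_SIZE] = new_value
    return bytes(out)


def demo():
    """Build the rule, then match it against the original bytes and a relinked copy."""
    rule = yara_rule("fn_basic_blocks", [BB0, BB1])
    original = b"\x90" * 4 + BB0[0] + b"\xcc" * 3 + BB1[0]
    rebased = (b"\x90" * 4 + relink(BB0[0], BB0[1], b"\x00\x10\x40\x00")
               + b"\xcc" * 3 + relink(BB1[0], BB1[1], b"\x00\x20\x40\x00"))
    return rule, rule_matches(rule, original), rule_matches(rule, rebased), BB0[0] in rebased


if __name__ == "__main__":
    rule, hit_original, hit_rebased, exact_bytes_survive = demo()
    print(rule)
    print("matches original:", hit_original)
    print("matches rebased:", hit_rebased, "(exact bytes still present:", exact_bytes_survive, ")")
```

The relinked copy no longer contains BB0's exact bytes, yet the masked rule still fires on it; an unmasked rule would not. With yara-python installed, swap rule_matches() for yara.compile(source=rule).match(data=buf) to validate against the real engine. Such rules are compiler- and build-specific by design, so treat them as a way to find the same function in other builds of the same codebase, not as a family signature.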
@pedramamini
pedramamini / 00_close_to_low.py
Last active April 22, 2016 18:03
Stock Market Games... these are from 2008.
import sys
import thax
import datetime
y = thax.misc.finance.yahoo()
my_adds = ["ALU", "AMZN", "CMG", "COMS", "DCA", "PLA", "PZZA", "RICK", "UA", "VMW"]
sp_500 = ["BBT", "BDX", "BBBY", "BMS", "BBY", "BIG", "BIIB", "BJS", "BDK", "HRB", "BMC", "BA", "BXP", "BSX", "BMY", "BRCM", "BF.B", "BNI", "CHRW", "CA", "COG", "CAM", "CPB", "COF", "CAH", "CCL", "CAT", "CBG", "CBS", "CELG", "CNP", "CTX", "CTL", "CF", "SCHW", "CHK", "CVX", "CB", "CIEN", "CI", "CINF", "CTAS", "CSCO", "CIT", "C", "CTXS", "CLX", "CME", "CMS", "COH", "KO", "CCE", "CTSH", "CL", "CMCSA", "CMA", "CSC", "CPWR", "CAG", "COP", "CNX", "ED", "STZ", "CEG", "CVG", "CBE", "GLW", "COST", "CVH", "COV", "CSX", "CMI", "CVS", "DHI", "DHR", "DRI", "DVA", "DF", "DE", "DELL", "DDR", "DVN", "DTV", "DFS", "D", "RRD", "DOV", "DOW", "DPS", "DTE", "DD", "DUK", "DYN", "ETFC", "EMN", "EK", "ETN", "EBAY", "ECL", "EIX", "EP", "ERTS", "EQ", "EMC", "EMR", "ESV", "ETR", "EOG", "EFX", "EQR", "EL", "EXC", "EXPE", "EXPD", "ESRX", "XOM", "FDO", "FAST", "FII", "FDX", "FIS", "FITB
@pedramamini
pedramamini / pedram-sublimetext-setup.md
Last active January 1, 2016 06:29
My SublimeText setup.

I'm running SublimeText 3 beta on MacOS, but this should apply everywhere. My user prefs:

{
	"always_show_minimap_viewport": true,
	"bold_folder_labels": true,
	"drag_text": false,
	"draw_minimap_border": true,
	"ensure_newline_at_eof_on_save": true,
	"highlight_line": true,
@pedramamini
pedramamini / ped_missile.py
Created January 10, 2013 22:13
USB Missile Launcher Python Interface written by Pedram Amini <pamini@tippingpoint.com> http://dvlabs.tippingpoint.com/blog/2009/02/12/python-interfacing-a-usb-missile-launcher
"""
USB Missile Launcher Python Interface
written by Pedram Amini <pamini@tippingpoint.com>
http://dvlabs.tippingpoint.com/blog/2009/02/12/python-interfacing-a-usb-missile-launcher
"""
import ctypes
import struct
import time
import random
def random_fact ():
    return facts[random.randint(0, len(facts)-1)]
facts = \
[
"Chuck Norris' tears cure cancer. Too bad he has never cried. Ever.",
"Chuck Norris does not sleep. He waits.",
"Chuck Norris is currently suing NBC, claiming Law and Order are trademarked names for his left and right legs.",