Rascagneres Paul rootbsd

@rootbsd
rootbsd / material_search.txt
Created August 12, 2020 14:50
bool val;
string Value = "";
void main() {
AddStringInput("Value", val);
ModalDialog( "Material name:\n", "");
string UserData = rwPath("");
UserData = UserData+ "\\patterns\\" ;

#!/usr/bin/python
# DNSpionage log parser
# This script displays the exfiltrated data in the log.txt file
# It only supports the DNS mode. The HTTP mode does not encode the exfiltrated data in the log file
# Can be easily adapted to parse passive DNS logs
# @r00tbsd
import sys
import base64
@rootbsd
rootbsd / gist:d7af9123684d35fcca566e9c4a8f3593
Created September 14, 2018 07:14
Open Explorer.exe in the current WSL -Windows Subsystem for Linux- directory (Ubuntu Only but easy to adapt)
function pop() {
if [ $(pwd | sed -n -e 's!^/mnt/!!p' | wc -c) == 0 ]
then
cmd.exe /c "echo %LOCALAPPDATA%" > /tmp/LOCALAPPDATA
dest="$(strings -a /tmp/LOCALAPPDATA)\\Packages"
cmd.exe /c "dir $dest | findstr CanonicalGroupLimited" > /tmp/Canonical
repo=$(strings -a /tmp/Canonical | awk '{print $NF}')
root=$(echo "$dest\\$repo\\LocalState\\rootfs")
explorer.exe $(echo ${root}$(pwd | sed 's!/!\\!g'))
else
@rootbsd
rootbsd / bfinject
Created July 30, 2018 08:03 — forked from svedm/bfinject
bfinject Electra 11.3.1
#!/jb/bin/bash
CYCRIPT_PORT=1337
function help {
echo "Syntax: $0 [-p PID | -P appname] [-l /path/to/yourdylib | -L feature]"
echo
echo For example:
echo " $0 -P Reddit.app -l /path/to/evil.dylib # Injects evil.dylib into the Reddit app"
echo " or"

Keybase proof

I hereby claim:

  • I am rootbsd on github.
  • I am rootbsd (https://keybase.io/rootbsd) on keybase.
  • I have a public key ASAkLxn0rCAnzWoDxmZbbLs1sQRyHmYyjCD19CWnde82lQo

To claim this, I am signing this object:

@rootbsd
rootbsd / eternalblue_kshellcode.asm
Created May 29, 2017 09:25 — forked from worawit/eternalblue_merge_shellcode.py
Windows x64 kernel shellcode for eternalblue exploit
;
; Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya
; The shellcode is written for eternalblue exploit:
; - https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a
; - https://gist.github.com/worawit/074a27e90a3686506fc586249934a30e
;
;
; Idea for Ring 3 to Ring 0 from Sean Dillon (@zerosum0x0)
;
;

# Simulate fake processes of analysis sandbox/VM that some malware will try to evade
# This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...)
# It's just a PoC and it's ugly as f*ck but hey, if it works...
# Usage: .\fake_sandbox.ps1 -action {start,stop}
param([Parameter(Mandatory=$true)][string]$action)
$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe",
"VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe",