I hereby claim:
- I am rootbsd on github.
- I am rootbsd (https://keybase.io/rootbsd) on keybase.
- I have a public key ASAkLxn0rCAnzWoDxmZbbLs1sQRyHmYyjCD19CWnde82lQo
To claim this, I am signing this object:
# Simulate fake processes of analysis sandboxes/VMs that some malware will try to evade
# This just spawns ping.exe under different names (wireshark.exe, vboxtray.exe, ...)
# It's just a PoC and it's ugly as f*ck but hey, if it works...
# Usage: .\fake_sandbox.ps1 -action {start,stop}
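# -action selects what the script does. The usage header documents exactly two
# values (start, stop), so reject anything else at binding time instead of letting
# a typo reach the rest of the script. ValidateSet is case-insensitive by default,
# so callers passing "Start" keep working.
param(
    [Parameter(Mandatory=$true)]
    [ValidateSet("start", "stop")]
    [string]$action
)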
$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe", | |
"VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe", |
I hereby claim:
To claim this, I am signing this object:
#!/jb/bin/bash
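# Port number handed to cycript (where it is consumed is further down the script).
# Defaults to 1337; a CYCRIPT_PORT already set in the environment overrides it, so
# the script need not be edited to use another port.
CYCRIPT_PORT="${CYCRIPT_PORT:-1337}"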
function help { | |
echo "Syntax: $0 [-p PID | -P appname] [-l /path/to/yourdylib | -L feature]" | |
echo | |
echo For example: | |
echo " $0 -P Reddit.app -l /path/to/evil.dylib # Injects evil.dylib into the Reddit app" | |
echo " or" |
function pop() { | |
if [ $(pwd | sed -n -e 's!^/mnt/!!p' | wc -c) == 0 ] | |
then | |
cmd.exe /c "echo %LOCALAPPDATA%" > /tmp/LOCALAPPDATA | |
dest="$(strings -a /tmp/LOCALAPPDATA)\\Packages" | |
cmd.exe /c "dir $dest | findstr CanonicalGroupLimited" > /tmp/Canonical | |
repo=$(strings -a /tmp/Canonical | awk '{print $NF}') | |
root=$(echo "$dest\\$repo\\LocalState\\rootfs") | |
explorer.exe $(echo ${root}$(pwd | sed 's!/!\\!g')) | |
else |
#!/usr/bin/python
# DNSpionage log parser
# This script displays the exfiltrated data found in the log.txt file.
# It only supports the DNS mode: the HTTP mode does not encode the exfiltrated data in the log file.
# Can be easily adapted to parse passive DNS logs.
# @r00tbsd
import sys | |
import base64 |
// Script-level state read by main(): the text entered for the "Value" input and a
// flag passed to AddStringInput. The host API used below (AddStringInput,
// ModalDialog, rwPath) is not standard C++ -- presumably a tool-specific scripting
// dialect; confirm which before reusing this outside that tool.
string Value = "";
bool val;
void main() { | |
AddStringInput("Value", val); | |
ModalDialog( "Material name:\n", ""); | |
string UserData = rwPath(""); | |
UserData = UserData+ "\\patterns\\" ; |
;
; Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya
; The shellcode is written for the eternalblue exploit:
; - https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a
; - https://gist.github.com/worawit/074a27e90a3686506fc586249934a30e
;
;
; Idea for Ring 3 to Ring 0 from Sean Dillon (@zerosum0x0)
;
;