_0:00F20012 33 D2 xor edx, edx
_0:00F20014 64 8B 52 30 mov edx, fs:[edx+30h] // TEB->PEB
_0:00F20018 8B 52 0C mov edx, [edx+0Ch] // PEB->LDR_DATA
_0:00F2001B 8B 52 14 mov edx, [edx+14h] // LDR_DATA->InMemoryOrderLinks (_LDR_DATA_TABLE_ENTRY)
// alt: 0xC: InLoadOrderLinks
// alt: 0x1C: InInitializationOrderLinks
rule stack_strings
{
    meta:
        author = "William Ballenthin"
        email = "william.ballenthin@fireeye.com"
        license = "Apache 2.0"
        copyright = "FireEye, Inc"
        description = "Match x86 that appears to be stack string creation."
    strings:
#!/usr/bin/env python2
'''
search for YARA matches in each function within IDA Pro.
upon execution, prompts the user to provide the YARA rules file.
requirements:
  - hexdump
  - yara-python
author: Willi Ballenthin
rule get_eip
{
    meta:
        author = "William Ballenthin"
        email = "william.ballenthin@fireeye.com"
        license = "Apache 2.0"
        copyright = "FireEye, Inc"
        description = "Match x86 that appears to fetch $PC."
    strings:
#!/usr/bin/env python3
'''
A simplified FLOSS implementation that only supports stackstrings.
requirements:
  - yara-python
  - unicorn
author: Willi Ballenthin
email: william.ballenthin@fireeye.com
meta:
  id: beaconconfig
  title: Cobalt Strike Beacon Config
  endian: be
doc: |
  Cobalt Strike Beacon is a popular offensive security tool. Beacon itself
  is a DLL that gets injected into memory and can be staged from C2 servers.
  The Beacon DLL (in unencoded form) contains a configuration section that gets
  patched by the C2 server. This section is a fixed predictable structure
""" | |
got_tmilk.py - Go Type Milking | |
Written by Ivan Kwiatkowski @ Kaspersky GReAT | |
Shared under the terms of the GPLv3 license | |
""" | |
C_HEADER = """ | |
enum golang_kind : __int8 | |
{ | |
INVALID = 0x0, |
import "pe" | |
import "hash" | |
import "math" | |
rule packedTextSection { | |
meta: | |
description = " Look for high-entropy .text sections within PE files " | |
author = "Droogy" | |
DaysOfYARA = "3/100" |
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Thomas Roccia | IconDhash.py
# pip3 install lief
# pip3 install pillow
# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html
import lief
import os
import argparse
#!/usr/bin/env python
# for our homey, Claude Shannon
import sys
import logging
import binascii
import hashlib
import argparse