_0:00F20012 33 D2 xor edx, edx
_0:00F20014 64 8B 52 30 mov edx, fs:[edx+30h] // TEB->PEB
_0:00F20018 8B 52 0C mov edx, [edx+0Ch] // PEB->LDR_DATA
_0:00F2001B 8B 52 14 mov edx, [edx+14h] // LDR_DATA->InMemoryOrderLinks (_LDR_DATA_TABLE_ENTRY)
// alt: 0xC: InLoadOrderLinks
// alt: 0x1C: InInitializationOrderLinks
Steve stvemillertime
stvemillertime
/ peb_parsing.md
Created
August 16, 2021 13:34
— forked from williballenthin/peb_parsing.md
stvemillertime
/ stackstrings.yara
Last active
August 16, 2021 13:35
— forked from williballenthin/stackstrings.yara
match x86 that appears to be stack string creation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule stack_strings | |
| { | |
| meta: | |
| author = "William Ballenthin" | |
| email = "william.ballenthin@fireeye.com" | |
| license = "Apache 2.0" | |
| copyright = "FireEye, Inc" | |
| description = "Match x86 that appears to be stack string creation." | |
| strings: |
stvemillertime
/ ida_match_yara.py
Created
August 16, 2021 13:36
— forked from williballenthin/ida_match_yara.py
search for YARA matches in each function within IDA Pro.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| ''' | |
| search for YARA matches in each function within IDA Pro. | |
| upon execution, prompts the user to provide the YARA rules file. | |
| requirements: | |
| - hexdump | |
| - yara-python | |
| author: Willi Ballenthin |
stvemillertime
/ get_eip.yara
Created
August 16, 2021 13:36
— forked from williballenthin/get_eip.yara
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule get_eip | |
| { | |
| meta: | |
| author = "William Ballenthin" | |
| email = "william.ballenthin@fireeye.com" | |
| license = "Apache 2.0" | |
| copyright = "FireEye, Inc" | |
| description = "Match x86 that appears to fetch $PC." | |
| strings: |
stvemillertime
/ floss-lite.py
Created
August 16, 2021 13:37
— forked from williballenthin/floss-lite.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| ''' | |
| A simplified FLOSS implementation that only supports stackstrings. | |
| requirements: | |
| - yara-python | |
| - unicorn | |
| author: Willi Ballenthin | |
| email: william.ballenthin@fireeye.com |
stvemillertime
/ beacon.ksy
Created
September 26, 2021 14:17
— forked from sixdub/beacon.ksy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| meta: | |
| id: beaconconfig | |
| title: Cobalt Strike Beacon Config | |
| endian: be | |
| doc: | | |
| Cobalt Strike Beacon is a popular offensive security tool. Beacon itself | |
| is a DLL that gets injected into memory and can be staged from C2 servers. | |
| The Beacon DLL (in unencoded form) contains a configuration section that gets | |
| patched by the C2 server. This section is a fixed predictable structure |
stvemillertime
/ go_tmilk.py
Created
October 21, 2021 16:04
— forked from JusticeRage/go_tmilk.py
Go Type Milking - IDA script to extract type information from Go binaries
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| got_tmilk.py - Go Type Milking | |
| Written by Ivan Kwiatkowski @ Kaspersky GReAT | |
| Shared under the terms of the GPLv3 license | |
| """ | |
| C_HEADER = """ | |
| enum golang_kind : __int8 | |
| { | |
| INVALID = 0x0, |
stvemillertime
/ 100DaysOfYARA.yar
Created
January 3, 2022 22:16
— forked from Droogy/100DaysOfYARA.yar
100 Days of YARA
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| import "hash" | |
| import "math" | |
| rule packedTextSection { | |
| meta: | |
| description = " Look for high-entropy .text sections within PE files " | |
| author = "Droogy" | |
| DaysOfYARA = "3/100" |
stvemillertime
/ DhashIcon.py
Created
January 4, 2022 14:01
— forked from fr0gger/DhashIcon.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| # Thomas Roccia | IconDhash.py | |
| # pip3 install lief | |
| # pip3 install pillow | |
| # resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html | |
| import lief | |
| import os | |
| import argparse |
stvemillertime
/ shannon-sig.py
Created
January 19, 2022 18:46
— forked from notareverser/shannon-sig.py
A Python program to generate regular-expression YARA signatures for yes/no maps of shellcode under single-byte encodings
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # for our homey, Claude Shannon | |
| import sys | |
| import logging | |
| import binascii | |
| import hashlib | |
| import argparse |
OlderNewer