// https://github.com/NozomiNetworks/upx-recovery-tool | |
rule UPX_nozomi_x86
{
    strings:
        // Fixed byte sequence presumably taken from the x86 UPX unpacking stub
        // (see the reference URL above). The `??` wildcards sit in the low
        // bytes of the e8 (call rel32) / e9 (jmp rel32) displacements, which
        // shift between builds while the surrounding stub code does not.
        // Detector only: matching a packer stub says nothing about the payload.
        $sig = { 50 e8 ?? ?? 00 00 eb 5a 58 59 97 60 8a 54 24 20 e9 ?? ?? 00 00 60 8b 74 24 24 8b 7c 24 2c 83 cd }

    condition:
        $sig
}
rule UPX_nozomi_x64 | |
{ | |
strings: |
#!/usr/bin/env python3 | |
import argparse | |
import sys | |
import json | |
import logging |
# Simple script to demo use of yara-python + externals | |
# think of all the externals you could define! | |
import os | |
import sys | |
import yara | |
example_rule = ''' | |
rule demo_externals | |
{ |
#!/usr/bin/env python3 | |
import sys, string, struct | |
def strByByte(_strval):
    """Yield the UTF-8 encoded bytes of *_strval*, one int (0-255) per step.

    Args:
        _strval: text to encode; ``str.encode()`` with its default codec is used.

    Yields:
        Each byte of the encoded string as an ``int``.
    """
    # Iterating a bytes object already produces ints, so no bytearray copy is needed.
    yield from _strval.encode()
def strByDword(_strval): | |
strval = bytearray(_strval.encode()) |
// Must have console module via yara-4.2.0-rc1+ | |
// expects decoded beacons | |
import "pe" | |
import "console" | |
rule CobaltStrike_Watermark_Profiler: Profiler | |
{ | |
meta: |
#!/usr/bin/env python | |
# for our homey, Claude Shannon | |
import sys | |
import logging | |
import binascii | |
import hashlib | |
import argparse |
rule obfus_stackstring_imov { | |
meta: | |
descrption = "Identify stack-strings obfuscation via indirect moves." | |
author = "@shellcromancer <root@shellcromancer.io>" | |
version = "0.1" | |
date = "2022-01-07" | |
reference = "https://www.mandiant.com/resources/automatically-extracting-obfuscated-strings" | |
strings: | |
$mov_r = { c6 4? ?? 72 } // mov byte [rdi + ?], 0x72 ; 'r' | |
$mov_s = { c6 4? 0? 73 } // mov byte [rdi + ?], 0x73 ; 's' |
import "pe" | |
import "hash" | |
import "math" | |
import "time" | |
rule Gootloader_container { | |
meta: | |
description = "Gootloader Dropper Container" | |
author = "Droogy" | |
/* | |
Goals for #100DaysofYARA: | |
better understanding of bitwise operators | |
use math module beyond general entropy of a section / resource | |
position-specific checks beyond what the PE module exposes | |
do some funky stuff with hashing | |
*/ |
""" | |
got_tmilk.py - Go Type Milking | |
Written by Ivan Kwiatkowski @ Kaspersky GReAT | |
Shared under the terms of the GPLv3 license | |
""" | |
C_HEADER = """ | |
enum golang_kind : __int8 | |
{ | |
INVALID = 0x0, |