Skip to content

Instantly share code, notes, and snippets.

View stvemillertime's full-sized avatar

Steve stvemillertime

72 followers · 39 following
View GitHub Profile
@shellcromancer
shellcromancer / imov_stackstrings.yara
Created January 8, 2022 03:51
YARA rule to find stack strings via indirect moves.
rule obfus_stackstring_imov {
meta:
descrption = "Identify stack-strings obfuscation via indirect moves."
author = "@shellcromancer <root@shellcromancer.io>"
version = "0.1"
date = "2022-01-07"
reference = "https://www.mandiant.com/resources/automatically-extracting-obfuscated-strings"
strings:
$mov_r = { c6 4? ?? 72 } // mov byte [rdi + ?], 0x72 ; 'r'
$mov_s = { c6 4? 0? 73 } // mov byte [rdi + ?], 0x73 ; 's'
@wxsBSD
wxsBSD / rules.md
Last active January 12, 2022 19:51
xor PE rules

One way to find PE files that start at offset 0 and have a single byte xor key:

rule single_byte_xor_pe_and_mz {
  meta:
    author = "Wesley Shields <wxs@atarininja.org>"
    description = "Look for single byte xor of a PE starting at offset 0"
  strings:
    $b = "PE\x00\x00" xor(0x01-0xff)
 condition:
@yt0ng
yt0ng / console_kungfu.yar
Created February 5, 2022 15:38
// Must have console module via yara-4.2.0-rc1+
// expects decoded beacons
import "pe"
import "console"
rule CobaltStrike_Watermark_Profiler: Profiler
{
meta:
@notareverser
notareverser / shannon-sig.py
Created January 19, 2022 16:37
A Python program to generate regular-expression YARA signatures for yes/no maps of shellcode under single-byte encodings
#!/usr/bin/env python
# for our homey, Claude Shannon
import sys
import logging
import binascii
import hashlib
import argparse
@tlansec
tlansec / externals_example.py
Created February 21, 2022 10:08
Simple script to demo use of yara-python + externals
# Simple script to demo use of yara-python + externals
# think of all the externals you could define!
import os
import sys
import yara
example_rule = '''
rule demo_externals
{
@JusticeRage
JusticeRage / go_tmilk.py
Created October 15, 2021 17:22
Go Type Milking - IDA script to extract type information from Go binaries
"""
got_tmilk.py - Go Type Milking
Written by Ivan Kwiatkowski @ Kaspersky GReAT
Shared under the terms of the GPLv3 license
"""
C_HEADER = """
enum golang_kind : __int8
{
INVALID = 0x0,
@notareverser
notareverser / generate-stackstrings-yara.py
Last active May 14, 2022 17:15
Script to generate stackstrings YARA signatures for common implementation patterns
#!/usr/bin/env python3
import sys, string, struct
def strByByte(_strval):
strval = bytearray(_strval.encode())
for s in strval: yield s
def strByDword(_strval):
strval = bytearray(_strval.encode())
@notareverser
notareverser / boilerplate.py
Created May 13, 2022 11:45
Boilerplate Python script
#!/usr/bin/env python3
import argparse
import sys
import json
import logging
@wxsBSD
wxsBSD / gist:3e9452c3699bf68ff2e83a5d6a521801
Created September 29, 2021 02:23
french yara hits, no sorting

Test rules:

wxs@wxs-mbp yara % cat rules/test.yara
rule b {
  strings:
    $a = "LSCOLORS"
  condition:
    $a
}
@Droogy
Droogy / 100DaysOfYARA.yar
Last active September 6, 2022 05:55
100 Days of YARA
import "pe"
import "hash"
import "math"
import "time"
rule Gootloader_container {
meta:
description = "Gootloader Dropper Container"
author = "Droogy"