sysopfb

@sysopfb
sysopfb / sharpext.md
Created Jul 29, 2022
kimusky sharpext data

Not sure if this is victim-related data or what

   "NewTabPage": {
        "PrevNavigationTime": "13292560510726665"
    }, 
    "gaia_cookie": {
        "hash": "2gW6ZW+guv8Us/fjpeX7conzXoo=", 
        "last_list_accounts_data": "[\"gaia.l.a.r\",[[\"gaia.l.a\",1,\"Sang Hyun Lee\",\"leesh65@gmail.com\",\"https://lh3.googleusercontent.com/-daipoVZf-r8/AAAAAAAAAAI/AAAAAAAAAAA/TagFXSnGLoE/s48-c/photo.jpg\",1,1,0,null,1,\"100934410837439495113\",null,null,null,null,1]]]", 
        "changed_time": 1640301806.63822
@sysopfb
sysopfb / decode.md
Created Jul 8, 2022
lockbit black blob decoding POC

Blobs in LockBit Black are decoded similarly to BlackMatter, but with a new 64-bit LCG

The init seed for the sample I REd was at the start of .pdata

POC decoding, pretty quick and dirty due to time constraints

def mul64(a1, a2):
    return(a1 * a2)
@sysopfb
sysopfb / UpdateAgent Golang
Created Jun 2, 2022
UpdateAgent - GolangVersion
2aaebf0282463c60aa8866e733799eee97f41af1e3ac8ae7855279595217aa2f
SnapITool.zip
```
https://vzhqu.snapitool.com/SnapITool.zip
```
@sysopfb
sysopfb / lznt1_no_error_checking.py
Created Oct 23, 2021
Pure-Python LZNT1 wrapped in a try block, so that partial decompression is possible and decompression does not error out on extra data at the end of the input
# Rekall Memory Forensics
# Copyright 2014 Google Inc. All Rights Reserved.
#
# Author: Michael Cohen scudette@google.com.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
@sysopfb
sysopfb / s.md
Created Oct 19, 2021
FlawedGrace partial strings
View sc_in_jquery.yar
rule sc_in_jquery
{
strings:
$a = {5? 8b [1-3] 83 ?? 04 8b [1-2] 31 [1-2] 83 ?? 04 5? 8b [1-2] 31 ?? 8?}
$b = "jquery.org/license" nocase
condition:
all of them
}
@sysopfb
sysopfb / sift4.py
Created Aug 24, 2021
Sift4 in python
"""
Based on: https://gist.github.com/lbenedix/8275d01c2289a7a20d2c6c27ee8ae68e
Moved an if block and added a double empty string check for input validation
"""
def sift4_simple(s1, s2, max_offset=5):
"""
@sysopfb
sysopfb / decoder.py
Created Aug 2, 2021
Black Matter blob decoder
# Python2 just because
# Samples:
# 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
# c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99
import pefile
import struct
import sys
@sysopfb
sysopfb / Gopclntab.py
Created May 7, 2021
My version of IDAGolangHelper is older than current
import idc
import idautils
import idaapi
import ida_bytes
import ida_funcs
import ida_search
import ida_segment
import Utils
info = idaapi.get_inf_structure()
View go_116_pclntab.py
import sys
import struct
magic = '\xfa\xff\xff\xff\x00\x00'
ver = 'le'
psize = 8
def find_pclntab(data):
off = data.find(magic)