
@wumb0
wumb0 / PatchExtract.ps1
Last active May 4, 2024 02:16
a gist copy of patch extract by Greg Lanaris
<#
____ ______ ______ ____ __ __
/\ _`\ /\ _ \ /\__ _\/\ _`\ /\ \/\ \
\ \ \L\ \\ \ \L\ \\/_/\ \/\ \ \/\_\\ \ \_\ \
\ \ ,__/ \ \ __ \ \ \ \ \ \ \/_/_\ \ _ \
\ \ \/ \ \ \/\ \ \ \ \ \ \ \L\ \\ \ \ \ \
\ \_\ \ \_\ \_\ \ \_\ \ \____/ \ \_\ \_\
\/_/ \/_/\/_/ \/_/ \/___/ \/_/\/_/
@wumb0
wumb0 / delta_patch.py
Last active February 20, 2024 23:13
a script for applying MS patch deltas
from ctypes import (windll, wintypes, c_uint64, cast, POINTER, Union, c_ubyte,
LittleEndianStructure, byref, c_size_t)
import zlib
# types and flags
DELTA_FLAG_TYPE = c_uint64
DELTA_FLAG_NONE = 0x00000000
DELTA_APPLY_FLAG_ALLOW_PA19 = 0x00000001
@wumb0
wumb0 / drcov-3-to-2.py
Last active October 25, 2023 06:50
convert a drcov version 3 file to drcov version 2 for lighthouse
"""
drcov version 3 isn't supported by lighthouse :(
convert drcov version 3 with module table version 5 to drcov version 2
with module table version 2 so lighthouse will eat it!
"""
import sys
import re
@wumb0
wumb0 / CodeCoverage.cpp
Last active November 6, 2022 21:29
slightly modified lighthouse coverage PIN tool, updated build script to work with PIN 3.21
#include <iostream>
#include <set>
#include <string>
#include <vector>
#include <utility>
#include <iterator>
#include <algorithm>
#include <cstdio>
#include <cstdarg>
#include <cstdlib>
@wumb0
wumb0 / frida-drcov.py
Last active February 8, 2022 18:14
more optimized frida drcov script for lighthouse that monitors windows targets for new threads and modules
#!/usr/bin/env python
from __future__ import print_function
import argparse
import json
import os
import sys
import threading
import functools
@wumb0
wumb0 / asmul8r.py
Created November 29, 2020 18:33
command line assembly emulator that allows you to quickly see the results of instructions
# requires keystone-engine, capstone, prompt_toolkit, and pygments
import keystone as ks
import unicorn as uc
import math
import sys
from pygments.lexers.asm import NasmLexer
from pygments.styles import get_style_by_name
from prompt_toolkit.shortcuts import prompt
@wumb0
wumb0 / asmconsole.py
Last active May 16, 2020 00:06
assembler in a loop
'''asm console via keystone for python 2.7
pip install keystone-engine
python asmconsole.py -a ARM -m LITTLE_ENDIAN -f escape -b 0x000086e4
Little endian arm print escape codes and make base address 0x000086e4
'''
from __future__ import print_function
import keystone
import argparse
from sys import exit
@wumb0
wumb0 / MonitorMalware.ps1
Last active May 16, 2020 00:05
WMI consumer and filter that trigger on a windows defender malware alert with details
# Register a permanent WMI event subscription that broadcasts a `msg *`
# notification whenever Windows Defender creates a Malware instance under
# root\Microsoft\SecurityClient. Three objects are created in the
# root/subscription namespace: an __EventFilter, a CommandLineEventConsumer
# and the __FilterToConsumerBinding that joins them.
# NOTE(review): a subscription in root/subscription is permanent (it outlives
# the PowerShell session), and it is the same artifact class defenders inspect
# when hunting WMI-subscription persistence; remove all three instances when
# the monitor is no longer wanted.

# Filter: poll every 5 seconds for newly created Malware instances.
$filterArgs = @{
    Name           = "MonitorMalwareFilt"
    QueryLanguage  = "WQL"
    Query          = "select * from __instancecreationevent within 5 where targetinstance isa 'Malware'"
    EventNamespace = "root\Microsoft\SecurityClient"
}
$filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $filterArgs

# Consumer: run msg.exe with the threat details; the %TargetInstance.*%
# placeholders are filled in from the triggering event.
$consumerArgs = @{
    Name                = "MonitorMalwareCons"
    CommandLineTemplate = "msg * Malware: %TargetInstance.ThreatName% from %TargetInstance.User% at %TargetInstance.Path% (Severity: %TargetInstance.SeverityID%)"
}
$consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $consumerArgs

# Binding: tie the filter to the consumer. The resulting binding object is
# left on the pipeline, as in the original (only the filter and consumer
# handles are captured).
Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $filter
    Consumer = $consumer
}
# A simple script to locate functions within a program that are on the
# Microsoft "banned functions" list found in banned.h
#@author Jaime Geiger
#@category Vulnerability Research
#@keybinding Ctrl-Shift-Alt-B
#@menupath Tools.Plugins.Banned Functions
banned = ["strcpy","strcpyA","strcpyW","wcscpy","_tcscpy","_mbscpy","StrCpy","StrCpyA","StrCpyW","lstrcpy","lstrcpyA","lstrcpyW","_tccpy","_mbccpy","_ftcscpy","strcat","strcatA","strcatW","wcscat","_tcscat","_mbscat","StrCat","StrCatA","StrCatW","lstrcat","lstrcatA","lstrcatW","StrCatBuff","StrCatBuffA","StrCatBuffW","StrCatChainW","_tccat","_mbccat","_ftcscat","wvsprintf","wvsprintfA","wvsprintfW","vsprintf","_vstprintf","vswprintf","strncpy","wcsncpy","_tcsncpy","_mbsncpy","_mbsnbcpy","StrCpyN","StrCpyNA","StrCpyNW","StrNCpy","strcpynA","StrNCpyA","StrNCpyW","lstrcpyn","lstrcpynA","lstrcpynW","strncat","wcsncat","_tcsncat","_mbsncat","_mbsnbcat","StrCatN","StrCatNA","StrCatNW","StrNCat","StrNCatA","StrNCatW","lstrncat","lstrcatnA","lstrcatnW"
from scapy.all import *
import sys
import base64
# script to extract data from ping padding (http://wumb0.in/ping-exfil.html)
# Best-effort interface override from the command line (argv[2]).
# The bare `except` hides more than the IndexError of a missing argument:
# any failure of the assignment itself (a bad interface name, or a NameError
# if `config` is not actually bound by the star import) is swallowed and the
# capture silently proceeds on scapy's default interface.
# NOTE(review): scapy's interface setting is usually reached as `conf.iface`;
# confirm `config.conf` resolves under `from scapy.all import *`.
try:
    config.conf.iface = sys.argv[2]
except: pass