This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import base64 | |
import hashlib | |
import zlib | |
from ctypes import ( | |
CDLL, | |
POINTER, | |
LittleEndianStructure, | |
c_size_t, | |
c_ubyte, | |
c_uint64, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
import malduck | |
import sys | |
import argparse | |
def main(): | |
parser = argparse.ArgumentParser(description="APLib unpacker") | |
parser.add_argument('--inpath', dest="inpath", default=None, help="APLib compressed blob", | |
required=True) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <windows.h> | |
#include <stdio.h> | |
#pragma comment(lib, "ntdll.lib") | |
#define SystemBigPoolInformation 0x42 | |
#define ThreadNameInformation 0x26 | |
#define DATA_TO_COPY "AAAAAAAAAAAAABBBBBBBBBBBBBBBCCCCCCCCCCCCCCCDDDDDDDDDDDDDDD" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
HANDLE find_thread(HANDLE hProcess, DWORD thAccess, bool guiOnly) | |
{ | |
DWORD targetPid = GetProcessId(hProcess); | |
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); | |
THREADENTRY32 thEntry = { sizeof(THREADENTRY32) }; | |
GUITHREADINFO gui = { 0 }; | |
gui.cbSize = sizeof(GUITHREADINFO); | |
bool isGUIProcess = false; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package main | |
import ( | |
"fmt" | |
"syscall" | |
"unsafe" | |
) | |
var ( | |
peSieveDll = syscall.NewLazyDLL("pe-sieve64.dll") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <iostream> | |
#include <Windows.h> | |
#pragma comment(lib,"LZ32.lib") | |
bool decompress(LPSTR infile, LPSTR outfile) | |
{ | |
INT hin, hout = 0; | |
OFSTRUCT ofin = { 0 }; | |
OFSTRUCT ofout = { 0 }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
import sys, os, subprocess | |
import pefile | |
from pathlib import Path | |
def mal_unp_res_to_str(returncode): | |
if returncode == (-1): | |
return "ERROR" | |
if returncode == 0: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!! | |
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference | |
rem To also disable Windows Defender Security Center include this | |
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | |
rem 1 - Disable Real-time protection | |
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python3 | |
__author__ = 'Francisco Santos' | |
# URL: https://code.activestate.com/recipes/491264-mini-fake-dns-server/ | |
import socket | |
class DNSQuery: | |
def __init__(self, data): | |
self.data=data |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Windows Registry Editor Version 5.00 | |
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] | |
"LoadAppInit_DLLs"=dword:00000001 | |
"AppInit_DLLs"="C:\\dlls\\demo64.dll" | |
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows] | |
"LoadAppInit_DLLs"=dword:00000001 | |
"AppInit_DLLs"="C:\\dlls\\demo32.dll" |
NewerOlder