// Returns the sum of the three integers.  The __fastcall calling convention
// is part of the function's ABI and is therefore kept as written; note that it
// is an MSVC/clang keyword which other toolchains may reject or ignore.
// Overflow behaviour is the same as the original's plain int addition.
int __fastcall addemup(int a, int b, int c) {
    return a + b + c;
}
// Exercises addemup with constant arguments.  The call is kept for its side
// of the ABI demonstration only; the result is deliberately discarded.
void caller() {
    static_cast<void>(addemup(1, 2, 3));
}
# Emit every path in the input document as a dotted jq-style path string,
# with array positions folded into "[]".
paths
| join(".")
# Drop any path that contains a component starting with a non-zero digit
# (appears intended to skip array indices other than 0, so each array is
# represented once).  NOTE(review): `[.|$]?` is a character class matching a
# literal '.', '|' or '$', not "dot or end-of-string" — confirm this is intended.
| select(test("[.][1-9][0-9]*[.|$]?") | not)
# Rewrite a ".0." index component inside the path, and a trailing ".0", as "[]".
| gsub("[.]0[.]"; "[].")
| sub("[.]0$"; "[]")
# Prefix with "." so the result reads as a jq path expression.
| sub("^"; ".")
Regular_expression('User defined','Hextostring\\(\\"[^"]+\\"\\), Hextostring\\(\\"[^"]+\\"\\)',true,true,false,false,false,false,'List matches') | |
Fork('\\n','\\n',false) | |
Register('Hextostring\\(\\"([^"]+)\\"\\), Hextostring\\(\\"([^"]+)\\"\\)',true,false,false) | |
Find_/_Replace({'option':'Regex','string':'^.*$'},'$R0',true,false,true,false) | |
From_Hex('Auto') | |
XOR({'option':'Hex','string':'$R1'},'Standard',false) |
' Obfuscated string constants taken from the sample.  Each 3-digit group is
' one character; B_RA (defined below) recovers it as Chr(value - 26).
Dim E_MO, SP_LL
E_MO = "113141125140131138142072109130127134134"
SP_LL = "125135126072127146127058073125058141127142058135135137087137145127140141064064141127142058139079087138064064141127142058139078087130127134134064064125135126073125058063139079063063135135137063063139078063058071127138058124147138123141141058071136137136131058071145058130131126126127136058071136137134137129137058131127146066104127145071105124132127125142058109147141142127135072104127142072113127124093134131127136142067072094137145136134137123126096131134127066065130142142138084073073082081072076077080072076075076072076078075073128131146146073092134123125133072127146127065070062127136144084142127135138058069058065118145136130145072127146127065067085109142123140142071106140137125127141141058062127136144084142127135138118145136130145072127146127085"
' Print the two decoded strings so the analyst can read what the sample builds.
WScript.Echo B_RA(E_MO)
WScript.Echo B_RA(SP_LL)
Public Function B_RA(byref N_UN) | |
For O_MI = 1 To Len(N_UN) Step 3 | |
A_DE = Mid(N_UN, O_MI, 3) | |
C_YS = C_YS + Chr(int(A_DE) - 26) |
Regular_expression('User defined','[a-zA-Z0-9+/=]{40,}',true,true,false,false,false,false,'List matches') | |
From_Base64('A-Za-z0-9+/=',true) | |
Decode_text('UTF-16LE (1200)') | |
Regular_expression('User defined','[a-zA-Z0-9+/=]{20,}',true,true,false,false,false,false,'List matches') | |
From_Base64('A-Za-z0-9+/=',true) | |
Gunzip() | |
Regular_expression('User defined','[a-zA-Z0-9+/=]{30,}',true,true,false,false,false,false,'List matches') | |
From_Base64('A-Za-z0-9+/=',true) | |
XOR({'option':'Decimal','string':'35'},'Standard',false) |
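// Instrument the host's eval so that every string handed to it is echoed
// before being executed.  Intended for observing what an obfuscated WSH
// script unpacks at runtime without modifying the sample itself.
//
// NOTE(review): calling the saved function through a variable is an indirect
// eval, which standards-conforming engines run in global scope rather than the
// caller's scope; confirm how the JScript host behaves before relying on the
// hook for code that evals references to local variables.
original_eval = eval;
eval = function (input_string) {
    WScript.Echo(input_string);
    // Forward the evaluated value: the original hook discarded it, so any
    // `var x = eval(...)` in the sample would have received undefined.
    return original_eval(input_string);
};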
#!/usr/bin/env python3
"""Recover strings an obfuscated script stores as runs of 3-digit groups."""

# Each 3-digit group encodes one character as ord(ch) + 26; decode() below
# reverses that.  The literals are copied verbatim from the sample.
e_mo: str = "113141125140131138142072109130127134134"
sp_ll: str = "125135126072127146127058073125058141127142058135135137087137145127140141064064141127142058139079087138064064141127142058139078087130127134134064064125135126073125058063139079063063135135137063063139078063058071127138058124147138123141141058071136137136131058071145058130131126126127136058071136137134137129137058131127146066104127145071105124132127125142058109147141142127135072104127142072113127124093134131127136142067072094137145136134137123126096131134127066065130142142138084073073082081072076077080072076075076072076078075073128131146146073092134123125133072127146127065070062127136144084142127135138058069058065118145136130145072127146127065067085109142123140142071106140137125127141141058062127136144084142127135138118145136130145072127146127085"
def decode(s): | |
result = "" | |
for n in range(0, len(s), 3): | |
ch = chr(int(s[n:n+3]) - 26) |
REM Capture what AMSI is asked to scan while a suspicious script runs:
REM start an ETW trace session on the AMSI provider (keyword Event1), run the
REM sample under cscript, stop the session, then post-process the .etl file.
logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
cscript loveyou.js
logman stop AMSITrace -ets
REM AMSIScriptContentRetrieval is presumably the PowerShell script further
REM down this page that parses AMSITrace.etl; its output is kept in a log file.
AMSIScriptContentRetrieval > loveyou.log
The Event1 keyword was found with the following command:
REM Lists the provider's keywords and levels; Event1 above is one of them.
logman query providers Microsoft-Antimalware-Scan-Interface
# Emit each AMSI scan event once, keyed on its content hash: the first event
# seen for a given Hash is written to the pipeline, later duplicates are skipped.
# $Seen is kept as a script-level hashtable in case later code inspects it.
# NOTE(review): Hashtable.ContainsKey throws on a $null key — confirm every
# event in $AMSIScanEvents carries a Hash.
$Seen = @{}
foreach ($scanEvent in $AMSIScanEvents) {
    if ($Seen.ContainsKey($scanEvent.Hash)) { continue }
    $scanEvent
    $Seen[$scanEvent.Hash] = ""
}
# Script author: Matt Graeber (@mattifestation) | |
# logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
# Do your malicious things here that would be logged by AMSI | |
# logman stop AMSITrace -ets | |
# Determine the OS pointer width (32 or 64) from the reported OS architecture.
# $OSArchProperty and $OSArch stay script-level variables because the rest of
# the script (not shown here) may reference them.
$OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture
$OSArch = $OSArchProperty.OSArchitecture
# -eq on strings is case-insensitive, matching the original comparison.
$OSPointerSize = if ($OSArch -eq '64-bit') { 64 } else { 32 }