
@idiom
idiom / clamsigs.md
Created July 30, 2024 12:54
Viewing ClamAV Signatures

Use `sigtool --find-sigs` to dump the rule data

sigtool --find-sigs Win.Malware.Generic-10008460-0

[daily.ldb] Win.Malware.Generic-10008460-0;Engine:81-255,Target:1;0&1&2&3&4;5c47686f737442726f777365725c5573657220446174615c44656661756c745c4c6f67696e2044617461::w;5c46656e72697220496e635c536c6569706e6972355c73657474696e675c6d6f64756c65735c4368726f6d69756d5669657765725c44656661756c745c4c6f67696e2044617461::w;5c436f6d6f646f5c447261676f6e5c5573657220446174615c44656661756c745c4c6f67696e2044617461::w;4243727970742e424372797074536574416c676f726974686d50726f7065727479284243727970742e4243525950545f434841494e494e475f4d4f44452c204243727970742e4243525950545f434841494e5f4d4f44455f47434d29206661696c656420776974682073746174757320636f64653a7b307d::w;5c4272617665536f6674776172655c42726176652d42726f777365725c5573657220446174615c44656661756c745c4c6f67696e2044617461::w

To get a readable format, pipe the rule contents to `sigtool --decode`

`echo 'Win.Malware.Generic-10008460-0;Engine:81-255,Target:1;0&1&2&3&4;5c47686f737
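The decode step can also be done without sigtool. The following is an added example, not part of the gist: it parses the daily.ldb line quoted above (name; target description block; logical expression; hex subsignatures with optional `[offset:]` prefix and `::` modifiers, where `w` means the string is matched as wide/UTF-16), renders each hex subsignature as text the way `sigtool --decode` does, and evaluates the logical expression against a set of matched subsignature indices. The `&`-binds-tighter-than-`|` precedence in `logic_matches` is an assumption; PCRE subsignatures and count comparisons such as `(0|1)>1` are deliberately not handled.

```python
"""Added example (not from the gist): decode a ClamAV logical signature line."""
import re

# Constructed input: the daily.ldb entry that `sigtool --find-sigs` printed above.
LDB_LINE = (
    "[daily.ldb] Win.Malware.Generic-10008460-0;Engine:81-255,Target:1;0&1&2&3&4;"
    "5c47686f737442726f777365725c5573657220446174615c44656661756c745c4c6f67696e2044617461::w;"
    "5c46656e72697220496e635c536c6569706e6972355c73657474696e675c6d6f64756c65735c"
    "4368726f6d69756d5669657765725c44656661756c745c4c6f67696e2044617461::w;"
    "5c436f6d6f646f5c447261676f6e5c5573657220446174615c44656661756c745c4c6f67696e2044617461::w;"
    "4243727970742e424372797074536574416c676f726974686d50726f7065727479284243727970742e"
    "4243525950545f434841494e494e475f4d4f44452c204243727970742e4243525950545f434841494e5f"
    "4d4f44455f47434d29206661696c656420776974682073746174757320636f64653a7b307d::w;"
    "5c4272617665536f6674776172655c42726176652d42726f777365725c5573657220446174615c"
    "44656661756c745c4c6f67696e2044617461::w"
)

# A hex signature is a run of byte pairs, possibly interleaved with ClamAV wildcards
# such as ??, *, {n-m}, [n-m] or (aa|bb). Hex pairs are tried first; anything else
# is passed through untouched so wildcards stay visible in the decoded view.
TOKEN = re.compile(r"[0-9a-fA-F]{2}|\{[^}]*\}|\[[^\]]*\]|\([^)]*\)|.")


def hex_to_text(hexsig: str) -> str:
    """Render a ClamAV hex signature as text, escaping non-printable bytes."""
    out = []
    for tok in TOKEN.findall(hexsig):
        if re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            b = int(tok, 16)
            out.append(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}")
        else:
            out.append(tok)
    return "".join(out)


def decode_subsig(subsig: str) -> dict:
    """Split '[Offset:]HexSig[::modifiers]' into its parts and decode the hex."""
    body, _, mods = subsig.partition("::")
    offset, sep, hexsig = body.rpartition(":")
    if not sep:
        offset, hexsig = "*", body  # '*' is ClamAV's "match anywhere" offset
    return {"offset": offset, "hex": hexsig, "text": hex_to_text(hexsig), "modifiers": mods}


def parse_ldb(line: str) -> dict:
    """Parse one .ldb line, with or without the '[file]' prefix that sigtool adds."""
    line = re.sub(r"^\[[^\]]*\]\s*", "", line.strip())
    fields = line.split(";")
    if len(fields) < 4:
        raise ValueError("not a logical signature: expected name;tdb;logic;subsig...")
    name, tdb, logic, *subsigs = fields
    target = dict(kv.split(":", 1) for kv in tdb.split(",") if ":" in kv)
    return {"name": name, "target": target, "logic": logic,
            "subsigs": [decode_subsig(s) for s in subsigs]}


def logic_matches(logic: str, hits: set) -> bool:
    """Evaluate a logical expression of subsig ids joined with & and | (parentheses
    allowed; & assumed to bind tighter than |) against the set of matched ids.
    Count comparisons such as '(0|1)>1' are not supported here and raise."""
    if not re.fullmatch(r"[0-9&|()]+", logic):
        raise NotImplementedError(f"unsupported logic syntax: {logic}")
    tokens = re.findall(r"\d+|[&|()]", logic)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def atom():
        tok = take()
        if tok == "(":
            val = or_expr()
            if take() != ")":
                raise ValueError(f"unbalanced parentheses in {logic}")
            return val
        if tok is None or not tok.isdigit():
            raise ValueError(f"unexpected token in {logic}")
        return int(tok) in hits

    def and_expr():
        val = atom()
        while peek() == "&":
            take()
            val = atom() and val  # right operand evaluated first so parsing always advances
        return val

    def or_expr():
        val = and_expr()
        while peek() == "|":
            take()
            val = and_expr() or val
        return val

    result = or_expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {logic}")
    return result


if __name__ == "__main__":
    sig = parse_ldb(LDB_LINE)
    print(sig["name"], sig["target"], "logic:", sig["logic"])
    for i, s in enumerate(sig["subsigs"]):
        print(f"  {i}: [{s['offset']}] {s['text']}  (modifiers: {s['modifiers'] or '-'})")
```

Run as a script it prints the five decoded subsignatures (Login Data paths for several Chromium-based browsers plus a .NET BCrypt error string); `logic_matches(sig["logic"], {0, 1, 2, 3, 4})` confirms that this rule only fires when all five strings are present, which is the check to make when reviewing whether a generic signature is too broad or too narrow.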

import "dotnet"

rule net_reactor_obfuscated {
    strings:
        $s1 = "#GUlD" fullword
        $s2 = "#GUID" fullword
        $s3 = "#Blop" fullword
        $s4 = "#Blob" fullword
    condition:
        dotnet.is_dotnet and all of them
}
@idiom
idiom / xloaderstring_enum.txt
Created July 8, 2023 03:30
Enum for XLoader Decrypted Strings
enum XLoaderStrings
{
    USERNAME = 0x0,
    LOCALAPPDATA = 0x1,
    USERPROFILE = 0x2,
    APPDATA = 0x3,
    TEMP = 0x4,
    ProgramFiles = 0x5,
    CommonProgramFiles = 0x6,
    ALLUSERSPROFILE = 0x7,
@idiom
idiom / GetRegistedIDAActions.py
Last active October 10, 2023 02:07
Get registered IDA actions
import ida_kernwin

registered_actions = ida_kernwin.get_registered_actions()
for action_name in registered_actions:
    print(f'name: {action_name}')
    print(f'label: {ida_kernwin.get_action_label(action_name)}')
    print(f'icon: {ida_kernwin.get_action_icon(action_name)}')
    print(f'tooltip: {ida_kernwin.get_action_tooltip(action_name)}')
    print(f'state: {ida_kernwin.get_action_state(action_name)}')
@idiom
idiom / add_bookmark.py
Created April 20, 2021 21:36
Add a bookmark in IDA and optionally check whether it is a duplicate
import idc

def add_bookmark(offset, comment, check_duplicate=True):
    """
    :param offset: address to bookmark
    :param comment: description stored with the bookmark
    :param check_duplicate: skip adding if a bookmark already exists at offset
    :return:
    """
    # IDA exposes 1024 bookmark slots; walk them to find an existing entry or a free one
    for bslot in range(0, 1024, 1):
        slotval = idc.get_bookmark(bslot)
@idiom
idiom / bookmarks.md
Last active November 19, 2020 22:25

Contents

  1. Web Analysis Tools
  2. Analysis Libraries
  3. IDA Plugins
  4. File Formats
  5. Yara
  6. File ID and Labelling
  7. Reverse Engineering Papers

Web Analysis Tools

@idiom
idiom / am.py
Created May 21, 2020 03:11
Print access mask
import sys
"""
NTCreateFile DesiredAccess Masks
0x120189
0x100181
0x12019f
0x1200a0
@idiom
idiom / gist:7bf970f704c2f5e9b2cec825ded91df6
Last active November 5, 2020 14:04
IDA 7.4 Python 3 Error
`C:\Program Files\IDA Pro 7.4\python\3\idc.py:5121: SyntaxWarning: "is not" with a literal. Did you mean "!="?`
`if newtype is not '':`
--- FIX ---
To resolve the above error, change line 5121 to
`if newtype is not None:`
@idiom
idiom / cve_2017_8759.yar
Created September 12, 2017 23:48
Quick Rule for CVE-2017-8759
rule cve_2017_8759 {
    meta:
        sample = "0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684"
    strings:
        $header = "{\\rt"
        $wsdl = "7700730064006C003D006800740074007000"
    condition:
        $header in (0..50) and $wsdl
}