I hereby claim:
- I am psrok1 on github.
- I am psrok1 (https://keybase.io/psrok1) on keybase.
- I have a public key whose fingerprint is FBBF CC0A 2749 2E61 3563 C205 9B05 0575 6942 E53C
To claim this, I am signing this object:
| """ | |
| IDAPython (py2), tested on IDA 7.3. | |
| malduck.idamem is pretty beta thing, but should work in most cases. | |
| """ | |
| import string | |
| from malduck import idamem, utf16z | |
| def decrypt_strings(addr): |
| """ | |
| Py3 version of IcedID custom steganographic loader (PNG parser & PE reconstructor) | |
| Inspired by https://github.com/hasherezade/funky_malware_formats/tree/master/iced_id_parser | |
| Authored by @nazywam and @psrok1. | |
| pip3 install malduck lief | |
| """ | |
| import sys | |
| import malduck |
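The IcedID gist above is a PNG parser that pulls a payload out of the image and rebuilds a PE from it. As an added example (my own code, not the gist's and not hasherezade's parser, and not tied to IcedID's specific layout), here is a stdlib-only PNG chunk walker that checks every chunk CRC, flags chunk types the PNG spec does not define, and reports bytes appended after IEND, the three places a steganographic loader usually stashes data. The PNG it runs on is constructed inline; chunk type `pYLd` and the appended blob are made up for the demo.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else deserves a closer look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME",
}


def build_chunk(ctype, body, crc=None):
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data.
    Passing crc= lets the sample builder forge a wrong CRC on purpose."""
    if crc is None:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_png_chunks(data):
    """Return ([(type, body, crc_ok), ...], bytes_after_IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("chunk %r at 0x%x runs past end of file" % (ctype, pos))
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack_from(">I", data, pos + 8 + length)[0]
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype, body, crc_ok))
        pos = end
        if ctype == b"IEND":
            # Anything after IEND is ignored by image viewers, which is
            # exactly why loaders like to put payloads there.
            return chunks, data[pos:]
    # No IEND seen: whatever is left is not a complete chunk.
    return chunks, data[pos:]


def find_hidden_data(data):
    """Flag unknown chunk types, chunks whose CRC no longer matches the body
    (body was edited after the image was written), and trailing data."""
    chunks, trailing = parse_png_chunks(data)
    findings = []
    for ctype, body, crc_ok in chunks:
        if ctype not in STANDARD_CHUNKS:
            findings.append(("nonstandard-chunk", ctype, body))
        elif not crc_ok:
            findings.append(("bad-crc", ctype, body))
    if trailing:
        findings.append(("trailing-data", b"", trailing))
    return findings


def build_sample_png():
    """Constructed 1x1 RGB PNG carrying data in all three spots (test input
    for this example, not a real sample)."""
    ihdr = build_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = build_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
    text = build_chunk(b"tEXt", b"Comment\x00edited after writing", crc=0)
    custom = build_chunk(b"pYLd", b"\x13\x37" * 8)
    iend = build_chunk(b"IEND", b"")
    return PNG_SIGNATURE + ihdr + idat + text + custom + iend + b"APPENDED-BLOB"


if __name__ == "__main__":
    for kind, ctype, body in find_hidden_data(build_sample_png()):
        print(kind, ctype, len(body), "bytes")
```

A real loader will additionally decrypt or decompress the bytes it finds; the walker only tells you where to look. The CRC check matters because a loader that overwrites the body of an existing chunk in place often does not bother fixing the CRC, and viewers do not complain.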
# pip install malduck
import malduck
import sys

p = malduck.procmem.from_file(sys.argv[1])
# Recover magic
p.patchp(0, b"MZ")
p.patchp(p.uint32p(0x3c), b"PE")
| """ | |
| Needs oledump.py in the same directory (download from https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/oledump.py) | |
| and olefile (pip install olefile) | |
| Usage: python2 emotet-doc.py [doc path] | |
| """ | |
| import base64 | |
| import re | |
| import sys |
var i = 0, osInfo = "";
try {
    WmiObject = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
    win32ProcessList = new Enumerator(WmiObject["ExecQuery"]("Select * from Win32_Process"));
    // was `Wmi["ExecQuery"]`, an undefined name; the object created above is WmiObject
    win32OperatingSystem = new Enumerator(WmiObject["ExecQuery"]("Select * from Win32_OperatingSystem"));
    while (!win32OperatingSystem["atEnd"]()) {
        if (i == 5) break;
        osInfo = osInfo + win32OperatingSystem["item"]()["Caption"] +
            win32OperatingSystem["item"]()["Version"];
        i++;
        win32OperatingSystem["moveNext"]();
    }
} catch (e) {}
| "This one is global".global_func(); | |
| (function(){ | |
| "This one is scoped".scoped_func(); | |
| function String.prototype.scoped_func(arg_a, arg_b) { | |
| String.nested_func2("This one", " is nested"); | |
| function String.prototype.nested_func(arg_a, arg_b) { | |
| WScript.echo(this); | |
| } | |
| this.nested_func(); | |
| while(0) |
box-js 1.8.2, sample f3b3a5fc30ecbab403b27dd853ad7f6b
Using a 10 seconds timeout, pass --timeout to specify another timeout in seconds
[info] Rewriting code...
[info] Replacing `function A.prototype.B()` (use --no-rewrite-prototype to skip)...
[error] Couldn't parse with Acorn:
[error] SyntaxError: Unexpected token (1:716)
[error]
[error] This doesn't seem to be a JavaScript/WScript file.
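The JScript sample above defines methods with `function String.prototype.scoped_func(...) { ... }`, a form the Windows Script Host engine accepts but a standards-based parser like Acorn rejects, which is why box-js rewrites it before parsing (the `Replacing function A.prototype.B()` line in its output). As an added example, my own simplified rewrite rather than box-js's implementation, here is that transformation in Python; `SAMPLE` is constructed after the gist, and the regex is an assumption about what box-js matches, not its actual code.

```python
import re

# JScript (WSH) accepts `function A.prototype.B(args) {` as a method
# definition. ES parsers reject the dotted name, so turn it into the
# standard `A.prototype.B = function(args) {` before handing it to a parser.
PROTO_FUNCTION = re.compile(
    r"\bfunction\s+"
    r"([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)"  # dotted name: String.prototype.f
    r"\s*\(([^)]*)\)\s*\{"
)


def count_prototype_defs(src):
    """How many non-standard dotted function definitions remain."""
    return len(PROTO_FUNCTION.findall(src))


def rewrite_prototype_functions(src):
    """Replace `function X.Y.f(a, b) {` with `X.Y.f = function(a, b) {`.
    Only the head is touched; the opening brace and the body stay where
    they are, so nested definitions are rewritten too."""
    return PROTO_FUNCTION.sub(
        lambda m: "%s = function(%s) {" % (m.group(1), m.group(2)), src
    )


# Constructed after the gist's layout; `plain` is there to show that ordinary
# declarations are left alone.
SAMPLE = """\
"This one is global".global_func();
(function(){
    "This one is scoped".scoped_func();
    function String.prototype.scoped_func(arg_a, arg_b) {
        function String.prototype.nested_func(arg_a, arg_b) {
            WScript.echo(this);
        }
        this.nested_func();
    }
    function plain(x) { return x; }
})();
"""


if __name__ == "__main__":
    print(rewrite_prototype_functions(SAMPLE))
```

Two caveats for anyone doing this in a real sandbox: a function declaration is hoisted but an assignment is not, so the gist's call to `scoped_func()` before its definition works in WSH and fails after the rewrite unless the definitions are moved ahead of the calls; and a regex like this also fires on matching text inside string literals and comments, which obfuscated scripts may contain.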