├── README.md └── src ├── .gitignore ├── AUTHORS ├── LICENSE ├── PINdemonium ├── Config.cpp ├── Config.h ├── Debug.h ├── DumpHandler.cpp ├── DumpHandler.h ├── EntropyHeuristic.cpp ├── EntropyHeuristic.h ├── FakeReadHandler.cpp ├── FakeReadHandler.h ├── FakeWriteHandler.cpp ├── FakeWriteHandler.h ├── FilterHandler.cpp ├── FilterHandler.h ├── GdbDebugger.cpp ├── GdbDebugger.h ├── HeapModule.cpp ├── HeapModule.h ├── Helper.cpp ├── Helper.h ├── Heuristics.cpp ├── Heuristics.h ├── HookFunctions.cpp ├── HookFunctions.h ├── HookSyscalls.cpp ├── HookSyscalls.h ├── InitFunctionCall.cpp ├── InitFunctionCall.h ├── JumpOuterSectionHeuristic.cpp ├── JumpOuterSectionHeuristic.h ├── LibraryHandler.cpp ├── LibraryHandler.h ├── Log.cpp ├── Log.h ├── LongJumpHeuristic.cpp ├── LongJumpHeuristic.h ├── MyPinTool.sln ├── MyPinTool.vcxproj ├── MyPinTool.vcxproj.filters ├── OepFinder.cpp ├── OepFinder.h ├── PINdemonium.cpp ├── PINdemonium.rc ├── PINdemoniumDependencies │ ├── HeapLoader.py │ ├── Yara │ │ ├── rules │ │ │ ├── .travis.yml │ │ │ ├── LICENSE │ │ │ ├── README.md │ │ │ ├── evasion_packer │ │ │ │ ├── antidebug_antivm.yar │ │ │ │ └── packer.yar │ │ │ └── malware │ │ │ │ ├── APT1.yar │ │ │ │ ├── APT3102.yar │ │ │ │ ├── APT9002.yar │ │ │ │ ├── APT_APT17.yar │ │ │ │ ├── APT_Bestia.yar │ │ │ │ ├── APT_Blackenergy.yar │ │ │ │ ├── APT_CVE2015_5119.yar │ │ │ │ ├── APT_Carbanak2.yar │ │ │ │ ├── APT_Careto.yar │ │ │ │ ├── APT_CheshireCat.yar │ │ │ │ ├── APT_Cloudduke.yar │ │ │ │ ├── APT_Codoso.yar │ │ │ │ ├── APT_Danti_svcmondr.yar │ │ │ │ ├── APT_DeputyDog_Fexel.yar │ │ │ │ ├── APT_Derusbi.yar │ │ │ │ ├── APT_Dubnium.yar │ │ │ │ ├── APT_Duqu2.yar │ │ │ │ ├── APT_Emissary.yar │ │ │ │ ├── APT_HackingTeam.yar │ │ │ │ ├── APT_Hellsing.yar │ │ │ │ ├── APT_Hikit.yar │ │ │ │ ├── APT_Hizor_RAT.yar │ │ │ │ ├── APT_Irontiger_Trendmicro.yar │ │ │ │ ├── APT_Kaba.yar │ │ │ │ ├── APT_Laudanum_Webshells.yar │ │ │ │ ├── APT_LotusBlossom.yar │ │ │ │ ├── APT_Minidionis.yar │ │ │ │ ├── APT_Mirage.yar │ │ │ │ 
├── APT_Molerats.yar │ │ │ │ ├── APT_Mongall.yar │ │ │ │ ├── APT_NGO_wuaclt.yar │ │ │ │ ├── APT_OLE_JSRat.yar │ │ │ │ ├── APT_OPCleaver.yar │ │ │ │ ├── APT_Platinum.yar │ │ │ │ ├── APT_Poseidon_Group.yar │ │ │ │ ├── APT_Prikormka.yar │ │ │ │ ├── APT_Regin.yar │ │ │ │ ├── APT_Ruag.yar │ │ │ │ ├── APT_Seaduke_Unit42.yar │ │ │ │ ├── APT_ShimRat.yar │ │ │ │ ├── APT_Sofacy_Fysbis.yar │ │ │ │ ├── APT_Sofacy_jun16.yar │ │ │ │ ├── APT_Sofacy_xtunnel_bundestag.yar │ │ │ │ ├── APT_Sphinx_Moth.yar │ │ │ │ ├── APT_Terracota.yar │ │ │ │ ├── APT_Terracota_Liudoor.yar │ │ │ │ ├── APT_TidePool.yar │ │ │ │ ├── APT_Turla_RUAG.yar │ │ │ │ ├── APT_UP007_SLServer.yar │ │ │ │ ├── APT_WildNeutron.yar │ │ │ │ ├── APT_Win_Pipcreat.yar │ │ │ │ ├── APT_Winnti.yar │ │ │ │ ├── APT_alienspy_RAT.yar │ │ │ │ ├── APT_backspace.yar │ │ │ │ ├── APT_bluetermite_emdivi.yar │ │ │ │ ├── APT_c16.yar │ │ │ │ ├── APT_indetectables_RAT.yar │ │ │ │ ├── APT_irontiger.yar │ │ │ │ ├── APT_korplug_fast.yar │ │ │ │ ├── APT_passthehashtoolkit.yar │ │ │ │ ├── APT_pcclient.yar │ │ │ │ ├── APT_putterpanda.yar │ │ │ │ ├── APT_quarkspwdump.yar │ │ │ │ ├── APT_threatgroup_3390.yar │ │ │ │ ├── APT_unit78020_malware.yar │ │ │ │ ├── APT_win32_dll_bergard_pgv_pvid_variant.yar │ │ │ │ ├── APT_win32_dll_rat_hiZorRAT.yar │ │ │ │ ├── Adwind_JAR_PACKA.yar │ │ │ │ ├── Adwind_JAR_PACKB.yar │ │ │ │ ├── Adzok_RAT.yar │ │ │ │ ├── Alina.yar │ │ │ │ ├── Andromeda.yar │ │ │ │ ├── Anthem_DeepPanda.yar │ │ │ │ ├── Athena.yar │ │ │ │ ├── Babar.yar │ │ │ │ ├── Backdoor_WinntiPharma.yar │ │ │ │ ├── Bangat.yar │ │ │ │ ├── BlackRev.yar │ │ │ │ ├── BlackShades.yar │ │ │ │ ├── BlackWorm.yar │ │ │ │ ├── Bolonyokte.yar │ │ │ │ ├── Boouset.yar │ │ │ │ ├── Bozok.yar │ │ │ │ ├── Bublik_downloader.yar │ │ │ │ ├── CAP_HookExKeylogger.yar │ │ │ │ ├── CAP_Win32Inet.yara │ │ │ │ ├── CRIME_Shifu_trojan.yar │ │ │ │ ├── Casper.yar │ │ │ │ ├── Cerberus.yar │ │ │ │ ├── Chicken.yar │ │ │ │ ├── Citadel.yar │ │ │ │ ├── Cookies.yar │ │ │ │ ├── CorkowDLL.yar │ │ │ 
│ ├── Crime_Fareit.yar │ │ │ │ ├── Crimson_RAT.yar │ │ │ │ ├── Crypren_ransomware │ │ │ │ ├── Crypren_ransomware.yar │ │ │ │ ├── CyberGate.yar │ │ │ │ ├── Cythosia.yar │ │ │ │ ├── DDoSTf.yar │ │ │ │ ├── DRIDEX_phish_gina_dec15.yar │ │ │ │ ├── DarkComet.yar │ │ │ │ ├── Derkziel_Stealer.yar │ │ │ │ ├── Dexter.yar │ │ │ │ ├── DiamondFox.yar │ │ │ │ ├── DirtJumper.yar │ │ │ │ ├── Dridex.yar │ │ │ │ ├── ELF_Linux_Torte.yar │ │ │ │ ├── EXPERIMENTAL_Beef_Hooked.yar │ │ │ │ ├── EXPERIMENTAL_Beef_pretty_theft.yar │ │ │ │ ├── Enfal.yar │ │ │ │ ├── Equation.yar │ │ │ │ ├── Exploit_CVE_2015_2426.yar │ │ │ │ ├── Ezcob.yar │ │ │ │ ├── F0xy.yar │ │ │ │ ├── FakeM.yar │ │ │ │ ├── FastPOS.yar │ │ │ │ ├── FinSpy.yar │ │ │ │ ├── FiveEyes.yar │ │ │ │ ├── FlyingKitten.yar │ │ │ │ ├── Gamarue.yar │ │ │ │ ├── Gen_powerkatz.yar │ │ │ │ ├── Genome.yar │ │ │ │ ├── Gh0st.yar │ │ │ │ ├── Gholee.yar │ │ │ │ ├── GlassRAT.yar │ │ │ │ ├── Glasses.yar │ │ │ │ ├── Gozi_Family.yar │ │ │ │ ├── Grozlex.yar │ │ │ │ ├── Havex.yar │ │ │ │ ├── Havex_Memdump.yar │ │ │ │ ├── Hsdfihdf_banking_malware.yar │ │ │ │ ├── IMuler.yar │ │ │ │ ├── Install11.yar │ │ │ │ ├── Intel_Virtualization.yar │ │ │ │ ├── KINS.yar │ │ │ │ ├── Kelihos.yar │ │ │ │ ├── KeyBoy.yar │ │ │ │ ├── LURK0.yar │ │ │ │ ├── LURK0_CCTV0.yar │ │ │ │ ├── Lenovo_superfish.yar │ │ │ │ ├── Leverage.yar │ │ │ │ ├── LinuxMoose.yar │ │ │ │ ├── LostDoor.yar │ │ │ │ ├── LuckyCat.yar │ │ │ │ ├── MW_Ransomware_777.yar │ │ │ │ ├── MW_elknot_xor.yar │ │ │ │ ├── MacControl.yar │ │ │ │ ├── Madness.yar │ │ │ │ ├── Mailers.yar │ │ │ │ ├── Meterpreter_Reverse_Tcp.yar │ │ │ │ ├── Miancha.yar │ │ │ │ ├── MiniAsp3_mem.yar │ │ │ │ ├── Miscelanea.yar │ │ │ │ ├── Miscelanea_Linux.yar │ │ │ │ ├── Miscelanea_RTF.yar │ │ │ │ ├── NSFree.yar │ │ │ │ ├── Naikon.yar │ │ │ │ ├── NetTraveler.yar │ │ │ │ ├── Njrat.yar │ │ │ │ ├── Notepad.yar │ │ │ │ ├── Olyx.yar │ │ │ │ ├── OpClandestineWolf.yar │ │ │ │ ├── Opcleaver.yar │ │ │ │ ├── Operation_Dust_storm.yar │ │ │ │ ├── 
Operation_Potao.yar │ │ │ │ ├── PE_File_pyinstaller.yar │ │ │ │ ├── POS.yar │ │ │ │ ├── POS_Easterjack.yar │ │ │ │ ├── POS_LogPOS.yar │ │ │ │ ├── POS_MalumPOS.yar │ │ │ │ ├── POS_bernhardPos.yar │ │ │ │ ├── PittyTiger.yar │ │ │ │ ├── PlugX.yar │ │ │ │ ├── PoisonIvy.yar │ │ │ │ ├── Pony.yar │ │ │ │ ├── PubSab.yar │ │ │ │ ├── Quarian.yar │ │ │ │ ├── RAT_Sakula.yar │ │ │ │ ├── RAT_Terminator.yar │ │ │ │ ├── RCS.yar │ │ │ │ ├── Ransom_DMALocker.yar │ │ │ │ ├── Ransom_TeslaCrypt.yar │ │ │ │ ├── Ransomware.yar │ │ │ │ ├── Ransomware_Locky.yar │ │ │ │ ├── Ransomware_Petya.yar │ │ │ │ ├── Regsubdat.yar │ │ │ │ ├── Retefe.yar │ │ │ │ ├── Rockloader.yar │ │ │ │ ├── Rooter.yar │ │ │ │ ├── Safenet.yar │ │ │ │ ├── Sayad.yar │ │ │ │ ├── Scarhikn.yar │ │ │ │ ├── Scieron.yar │ │ │ │ ├── ShadowTech.yar │ │ │ │ ├── Shamoon.yar │ │ │ │ ├── Skeleton.yar │ │ │ │ ├── Stealer.yar │ │ │ │ ├── Surtr.yar │ │ │ │ ├── T5000.yar │ │ │ │ ├── THOR_HackTools.yar │ │ │ │ ├── THOR_Webshells.yar │ │ │ │ ├── Tinba_Banking_Trojan.yar │ │ │ │ ├── TreasureHunt.yar │ │ │ │ ├── Trojan_Elex.yar │ │ │ │ ├── Trojan_Ponmocup.yar │ │ │ │ ├── Turla.yar │ │ │ │ ├── Urausy.yar │ │ │ │ ├── Vidgrab.yar │ │ │ │ ├── W32_NionSpy.yar │ │ │ │ ├── Wabot.yar │ │ │ │ ├── Warp.yar │ │ │ │ ├── Waterbug.yar │ │ │ │ ├── Wimmie.yar │ │ │ │ ├── Win32_Buzus_Softpulse.yar │ │ │ │ ├── WoolenGoldfish.yar │ │ │ │ ├── XOR_DDosv1.yar │ │ │ │ ├── Xtreme.yar │ │ │ │ ├── Yayih.yar │ │ │ │ ├── Zegost.yar │ │ │ │ ├── Zeus.yar │ │ │ │ ├── ZoxPNG.yar │ │ │ │ ├── backoff.yar │ │ │ │ ├── crime_upatre_oct15.yar │ │ │ │ ├── cxpid.yar │ │ │ │ ├── dubrute.yar │ │ │ │ ├── exploit_cve_2015_1701.yar │ │ │ │ ├── exploit_uac_elevators.yar │ │ │ │ ├── favorite.yar │ │ │ │ ├── general_cloaking.yar │ │ │ │ ├── generic_exe2hex_payload.yar │ │ │ │ ├── iexpl0ree.yar │ │ │ │ ├── inocnation.yar │ │ │ │ ├── jRAT.yar │ │ │ │ ├── js_obfuscator.yar │ │ │ │ ├── kraken_bot1.yar │ │ │ │ ├── mozart.yar │ │ │ │ ├── naspyupdate.yar │ │ │ │ ├── netwiredRC.yar │ │ │ │ ├── 
ponmocup_plugin_memory.yar │ │ │ │ ├── pyinstaller.yar │ │ │ │ ├── rovnix_downloader_sinkhole_check.yar │ │ │ │ ├── sqlite.yar │ │ │ │ ├── ssh_backdoor.yar │ │ │ │ ├── tedroo.yar │ │ │ │ ├── tox.yar │ │ │ │ ├── windigo-onimiki.yar │ │ │ │ ├── wineggdrop.yar │ │ │ │ ├── xDedic_marketplace.yar │ │ │ │ ├── xRAT.yar │ │ │ │ └── xRAT20.yar │ │ ├── yara_rules.yar │ │ ├── yara_testImportsMsgBox.yar │ │ └── yara_testStringMsgBox.yar │ └── config.json ├── PINdemoniumResults │ └── dummy_test.txt ├── PINshield.cpp ├── PINshield.h ├── PatternMatchModule.cpp ├── PatternMatchModule.h ├── PolymorphicCodeHandlerModule.cpp ├── PolymorphicCodeHandlerModule.h ├── ProcInfo.cpp ├── ProcInfo.h ├── ProcessInjectionModule.cpp ├── ProcessInjectionModule.h ├── PushadPopadHeuristic.cpp ├── PushadPopadHeuristic.h ├── Report.cpp ├── Report.h ├── ReportDump.cpp ├── ReportDump.h ├── ReportEntropy.cpp ├── ReportEntropy.h ├── ReportGeneralInformation.cpp ├── ReportGeneralInformation.h ├── ReportImportedFunction.cpp ├── ReportImportedFunction.h ├── ReportJumpOuterSection.cpp ├── ReportJumpOuterSection.h ├── ReportLongJump.cpp ├── ReportLongJump.h ├── ReportMainModule.cpp ├── ReportMainModule.h ├── ReportObject.cpp ├── ReportObject.h ├── ReportYaraRules.cpp ├── ReportYaraRules.h ├── ScyllaWrapper.cpp ├── ScyllaWrapper.h ├── ScyllaWrapperInterface.cpp ├── ScyllaWrapperInterface.h ├── Tests │ ├── EnterForever.ahk │ ├── FolderImportLister.py │ ├── ImportsTester.bat │ ├── ImportsTester.py │ ├── MalTester.bat │ ├── MalTester.py │ ├── MalwrTest.py │ ├── Test.py │ └── importLister.py ├── TimeTracker.h ├── WriteInterval.cpp ├── WriteInterval.h ├── WxorXHandler.cpp ├── WxorXHandler.h ├── YaraHeuristic.cpp ├── YaraHeuristic.h ├── json.h ├── jsoncpp.cpp ├── makefile ├── makefile.rules ├── md5.cpp ├── md5.h └── resource.h ├── PINdemoniumPlugins ├── PINdemoniumPluginTemplate │ ├── PINdemoniumPluginTemplate.sln │ └── PINdemoniumPluginTemplate │ │ ├── Helpers.cpp │ │ ├── Helpers.h │ │ ├── 
PINdemoniumPluginTemplate.cpp │ │ ├── PINdemoniumPluginTemplate.h │ │ ├── PINdemoniumPluginTemplate.vcxproj │ │ ├── PINdemoniumPluginTemplate.vcxproj.filters │ │ ├── ReadMe.txt │ │ ├── dllmain.cpp │ │ ├── export.def │ │ ├── stdafx.cpp │ │ ├── stdafx.h │ │ └── targetver.h ├── PINdemoniumStolenAPIPlugin │ ├── PINdemoniumPluginTemplate.sln │ ├── PINdemoniumPluginTemplate │ │ ├── Helpers.cpp │ │ ├── Helpers.h │ │ ├── PINdemoniumPluginTemplate.vcxproj │ │ ├── PINdemoniumPluginTemplate.vcxproj.filters │ │ ├── PINdemoniumStolenAPIPlugin.cpp │ │ ├── PINdemoniumStolenAPIPlugin.h │ │ ├── ReadMe.txt │ │ ├── dllmain.cpp │ │ ├── export.def │ │ ├── stdafx.cpp │ │ ├── stdafx.h │ │ └── targetver.h │ └── libdasm-1.5 │ │ ├── HISTORY.txt │ │ ├── LIB.txt │ │ ├── Makefile │ │ ├── Makefile.msvc │ │ ├── README.txt │ │ ├── TODO.txt │ │ ├── examples │ │ ├── Makefile │ │ ├── README.txt │ │ ├── das.c │ │ └── simple.c │ │ ├── libdasm.c │ │ ├── libdasm.def │ │ ├── libdasm.h │ │ ├── opcode_tables.h │ │ ├── pydasm │ │ ├── README.txt │ │ ├── das.py │ │ ├── pydasm.c │ │ └── setup.py │ │ └── rbdasm │ │ ├── Makefile │ │ ├── dasm.c │ │ ├── dasm.rb.ut.rb │ │ └── extconf.rb └── SimpleApiRedirectionPlugin │ ├── PINdemoniumPluginTemplate │ ├── Helpers.cpp │ ├── Helpers.h │ ├── PINdemoniumPluginTemplate.cpp │ ├── PINdemoniumPluginTemplate.h │ ├── PINdemoniumPluginTemplate.vcxproj │ ├── PINdemoniumPluginTemplate.vcxproj.filters │ ├── ReadMe.txt │ ├── dllmain.cpp │ ├── export.def │ ├── stdafx.cpp │ ├── stdafx.h │ └── targetver.h │ ├── SimpleApiRedirection.dll │ ├── SimpleApiRedirection.sln │ └── libdasm-1.5 │ ├── HISTORY.txt │ ├── LIB.txt │ ├── Makefile │ ├── Makefile.msvc │ ├── README.txt │ ├── TODO.txt │ ├── examples │ ├── Makefile │ ├── README.txt │ ├── das.c │ └── simple.c │ ├── libdasm.c │ ├── libdasm.def │ ├── libdasm.h │ ├── opcode_tables.h │ ├── pydasm │ ├── README.txt │ ├── das.py │ ├── pydasm.c │ └── setup.py │ └── rbdasm │ ├── Makefile │ ├── dasm.c │ ├── dasm.rb.ut.rb │ └── extconf.rb ├── 
PINdemoniumReport ├── .babelrc ├── .bowerrc ├── README.md ├── app │ └── src │ │ ├── MemoryLayout │ │ ├── infoModal.jsx │ │ ├── memoryLayout.jsx │ │ ├── slider.jsx │ │ └── sliderItem.jsx │ │ └── app.jsx ├── bower.json ├── package.json └── webpack.config.js ├── PinUnpacker.sln ├── README.md ├── Scylla ├── .gitignore ├── COMPILING ├── LICENSE ├── Plugins │ ├── ImpRec_Plugins │ │ ├── Imprec_Wrapper_DLL.dll │ │ └── PECompact 2.7.x.dll │ ├── Include_Headers │ │ └── ScyllaPlugin.h │ ├── PECompact.dll │ ├── PESpin_x64_v1.dll │ ├── ScyllaPlugins.sln │ ├── ScyllaPlugins.vcxproj │ ├── ScyllaPlugins.vcxproj.filters │ └── Sources │ │ ├── Imprec_Wrapper_DLL.cpp │ │ ├── PECompact.cpp │ │ ├── PESpin_x64_v1.cpp │ │ ├── StolenApi.cpp │ │ ├── resource.h │ │ └── scyllatoimprectree.rar ├── README.md ├── Scylla v0.9.7c │ ├── Plugins │ │ ├── ImpRec_Plugins │ │ │ ├── Imprec_Wrapper_DLL.dll │ │ │ └── PECompact 2.7.x.dll │ │ ├── Include_Headers │ │ │ └── ScyllaPlugin.h │ │ ├── PECompact.dll │ │ ├── PESpin_x64_v1.dll │ │ ├── Sources │ │ │ ├── Imprec_Wrapper_DLL.cpp │ │ │ ├── PECompact.cpp │ │ │ ├── PESpin_x64_v1.cpp │ │ │ └── scyllatoimprectree.rar │ │ ├── StolenApiPlugin.dll │ │ └── StolenApiPlugin.exp │ ├── Scylla.ini │ ├── Scylla_Exports.txt │ ├── Scylla_README.txt │ └── Scylla_x64.dll ├── Scylla.sln ├── Scylla │ ├── AboutGui.cpp │ ├── AboutGui.h │ ├── ApiReader.cpp │ ├── ApiReader.h │ ├── Architecture.cpp │ ├── Architecture.h │ ├── Configuration.cpp │ ├── Configuration.h │ ├── ConfigurationHolder.cpp │ ├── ConfigurationHolder.h │ ├── DeviceNameResolver.cpp │ ├── DeviceNameResolver.h │ ├── DisassemblerGui.cpp │ ├── DisassemblerGui.h │ ├── DllInjection.cpp │ ├── DllInjection.h │ ├── DllInjectionPlugin.cpp │ ├── DllInjectionPlugin.h │ ├── DonateGui.cpp │ ├── DonateGui.h │ ├── DumpMemoryGui.cpp │ ├── DumpMemoryGui.h │ ├── DumpSectionGui.cpp │ ├── DumpSectionGui.h │ ├── FunctionExport.cpp │ ├── FunctionExport.h │ ├── IATReferenceScan.cpp │ ├── IATReferenceScan.h │ ├── IATSearch.cpp │ ├── 
IATSearch.h │ ├── ImportRebuilder.cpp │ ├── ImportRebuilder.h │ ├── ImportsHandling.cpp │ ├── ImportsHandling.h │ ├── Logger.cpp │ ├── Logger.h │ ├── MainGui.cpp │ ├── MainGui.h │ ├── MainGui.rc │ ├── NativeWinApi.cpp │ ├── NativeWinApi.h │ ├── OptionsGui.cpp │ ├── OptionsGui.h │ ├── PeParser.cpp │ ├── PeParser.h │ ├── PeRebuild.cpp │ ├── PeRebuild.h │ ├── PickApiGui.cpp │ ├── PickApiGui.h │ ├── PickDllGui.cpp │ ├── PickDllGui.h │ ├── PluginLoader.cpp │ ├── PluginLoader.h │ ├── ProcessAccessHelp.cpp │ ├── ProcessAccessHelp.h │ ├── ProcessLister.cpp │ ├── ProcessLister.h │ ├── Scylla.cpp │ ├── Scylla.h │ ├── Scylla.vcxproj │ ├── Scylla.vcxproj.filters │ ├── StringConversion.cpp │ ├── StringConversion.h │ ├── SystemInformation.cpp │ ├── SystemInformation.h │ ├── Thunks.h │ ├── TreeImportExport.cpp │ ├── TreeImportExport.h │ ├── check.ico │ ├── error.ico │ ├── hexedit.h │ ├── main.cpp │ ├── multitree.h │ ├── resource.h │ ├── scylla.ico │ ├── scylla_export_functions.def │ └── warning.ico ├── ScyllaDllTest │ ├── ScyllaDllTest.sln │ ├── ScyllaDllTest │ │ ├── ScyllaDllTest.vcxproj │ │ └── Source.cpp │ └── ScyllaTestExe │ │ ├── ScyllaTestExe.sln │ │ ├── ScyllaTestExe.vcxproj │ │ └── main.cpp ├── Scylla_Exports.txt ├── WTL │ └── README ├── scylla_release.bat └── tinyxml │ ├── README │ ├── tinyxml.vcxproj │ ├── tinyxml.vcxproj.filters │ └── tinyxml.vcxproj.user ├── ScyllaDependencies ├── README.md ├── WTL.rar ├── diStorm.rar ├── tinyxml.rar └── tinyxml │ ├── README │ └── tinyxml.vcxproj.filters ├── ScyllaDumper ├── .gitignore ├── ScyllaDumper │ ├── Log.cpp │ ├── Log.h │ ├── ReadMe.txt │ ├── ScyllaDumper.cpp │ ├── ScyllaDumper.sln │ ├── ScyllaTest.vcxproj │ ├── ScyllaTest.vcxproj.filters │ ├── debug.h │ ├── stdafx.cpp │ ├── stdafx.h │ └── targetver.h └── ScyllaTest.sln └── ScyllaWrapper ├── Log.cpp ├── Log.h ├── ReadMe.txt ├── ScyllaWrapper.cpp ├── ScyllaWrapper.def ├── ScyllaWrapper.h ├── ScyllaWrapper.vcxproj ├── ScyllaWrapper.vcxproj.filters ├── debug.cpp ├── debug.h ├── 
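dllmain.cpp ├── stdafx.cpp ├── stdafx.h └── targetver.h

/src/AUTHORS:
--------------------------------------------------------------------------------

Sebastiano Mariani
Lorenzo Fontana
Fabio Gritti
Stefano D'Alessio

--------------------------------------------------------------------------------
/src/PINdemonium/DumpHandler.h:
--------------------------------------------------------------------------------
#pragma once
#include "pin.H"
#include "ProcInfo.h"
#include // <header name lost in rendering>
namespace W{
#include "windows.h"
#include // <header name lost in rendering>
#include // <header name lost in rendering>
}

// Front-end for the external Scylla dumper: dumps the traced process at a
// candidate OEP (and, by its name, fixes the dump afterwards) and can ask
// Scylla to append a section to an existing dump. Definitions live in
// DumpHandler.cpp, which is not on this page.
class DumpHandler
{
public:
	DumpHandler(void);
	~DumpHandler(void);
	// Dump process `pid` at `curEip` into `dumpFileName`, using the Scylla
	// binary found at `scylla`. Returns a BOOL success flag.
	// NOTE(review): `curEip` is an int while the rest of the tool carries
	// addresses as ADDRINT; kept for source compatibility, confirm callers.
	static BOOL launchScyllaDumpAndFix(string scylla,int pid, int curEip,string dumpFileName);
	// Ask Scylla to add a section to the already dumped file `dumped_file`.
	static BOOL launchScyllaAddSection(string scylla, string dumped_file );
private:
	// True when a file named `name` exists on disk.
	static BOOL existFile (string name);
};

--------------------------------------------------------------------------------
/src/PINdemonium/EntropyHeuristic.cpp:
--------------------------------------------------------------------------------
#include "EntropyHeuristic.h"
#include <cmath>

// Relative change of entropy (with respect to the initial value) above
// which the heuristic reports a hit.
float threshold=0.2f;

// Entropy heuristic: compare the entropy ProcInfo reports now with the one
// it recorded initially. Returns OEPFINDER_FOUND_OEP when the relative
// change exceeds `threshold`, OEPFINDER_HEURISTIC_FAIL otherwise. The
// outcome is also attached to the current ReportDump as a ReportEntropy.
UINT32 EntropyHeuristic::run(){
	ProcInfo *proc_info = ProcInfo::getInstance();
	float entropy_value = proc_info->GetEntropy();
	float initial_entropy = proc_info->getInitialEntropy();
	// std::fabs: the unqualified abs() used before resolves to the integer
	// overload when only <cstdlib> is visible, truncating the difference
	// to 0 or 1 before the division.
	float delta = std::fabs(entropy_value - initial_entropy);
	// A zero initial entropy made the ratio inf or NaN; fall back to the
	// absolute change so the threshold comparison stays meaningful.
	float difference = (initial_entropy != 0.0f) ? delta / initial_entropy : delta;
	MYINFO("ENTROPY INITIAL IS %f" , initial_entropy);
	MYINFO("CURRENT ENTROPY IS %f" , entropy_value);
	MYINFO("ENTROPY DIFFERERNCE IS %f" , difference);
	bool result = difference > threshold;
	try{
		ReportDump& report_dump = Report::getInstance()->getCurrentDump();
		// Ownership of the ReportEntropy is assumed to pass to the dump:
		// nothing in this file deletes it — confirm in ReportDump::addHeuristic.
		ReportObject* entropy_heur = new ReportEntropy(result,entropy_value,difference);
		report_dump.addHeuristic(entropy_heur);
	}catch (const std::out_of_range&){
		MYERRORE("Problem creating ReportEntropy report");
	}
	return result ? OEPFINDER_FOUND_OEP : OEPFINDER_HEURISTIC_FAIL;
}

--------------------------------------------------------------------------------
/src/PINdemonium/EntropyHeuristic.h:
--------------------------------------------------------------------------------
#pragma once
#include "Heuristics.h"
#include "ReportEntropy.h"

// Entropy-based OEP heuristic; the decision rule is in EntropyHeuristic.cpp.
class EntropyHeuristic
{
public:
	// Returns an OEPFINDER_* status (see OepFinder.h).
	UINT32 run();
	// NOTE(review): declared but not defined in EntropyHeuristic.cpp; run()
	// takes the entropy from ProcInfo::GetEntropy() instead.
	float GetEntropy();
};

--------------------------------------------------------------------------------
/src/PINdemonium/FakeWriteHandler.cpp:
--------------------------------------------------------------------------------
#include "FakeWriteHandler.h"


FakeWriteHandler::FakeWriteHandler(void)
{
	pInfo = ProcInfo::getInstance();
}


FakeWriteHandler::~FakeWriteHandler(void)
{
}

//hijack the write operation
// A write whose target lies inside a protected section is redirected to a
// scratch buffer so the section itself is left untouched. Returns the
// address the write should use: `cur_addr` when it is outside every
// protected section, the scratch buffer otherwise.
ADDRINT FakeWriteHandler::getFakeWriteAddress(ADDRINT cur_addr){
	if(pInfo->isInsideProtectedSection(cur_addr)){
		MYINFO("Suspicious Write at %08x",cur_addr);
		// Allocate the scratch buffer once and reuse it: the previous code
		// malloc'd a fresh MAX_WRITE_SIZE block on every redirected write and
		// never freed any of them. Nothing in this file reads the buffer back.
		if(fakeWriteAddress == 0){
			fakeWriteAddress = (ADDRINT)calloc(MAX_WRITE_SIZE, sizeof(char));
			if(fakeWriteAddress == 0){
				MYERRORE("Cannot allocate fake write buffer");
			}
		}
		// NOTE(review): the size of the redirected write is not known here;
		// a write wider than MAX_WRITE_SIZE bytes overflows this buffer.
		return fakeWriteAddress;
	}
	return cur_addr;
}
--------------------------------------------------------------------------------
/src/PINdemonium/FakeWriteHandler.h:
--------------------------------------------------------------------------------
#pragma once
#include "ProcInfo.h"

// Size in bytes of the scratch buffer that redirected writes land in.
#define MAX_WRITE_SIZE 16
// NOTE(review): `static` at namespace scope in a header gives every
// translation unit its own copy; only FakeWriteHandler.cpp assigns it.
static ADDRINT fakeWriteAddress;

// Redirects writes aimed at protected sections to a scratch buffer.
class FakeWriteHandler
{
public:
	FakeWriteHandler(void);
	~FakeWriteHandler(void);
	// Address a write to `cur_addr` should actually use.
	ADDRINT getFakeWriteAddress(ADDRINT cur_addr);

private:
	ProcInfo *pInfo;
};

--------------------------------------------------------------------------------
/src/PINdemonium/GdbDebugger.h: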
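--------------------------------------------------------------------------------
#pragma once
#include // <header name lost in rendering>
#include // <header name lost in rendering>

// Local alias so this header does not have to pull in windows.h.
typedef void *HANDLE;

// Singleton driving a child gdb process through anonymous pipes: one pair
// for the child's stdin, one pair for its stdout. Definitions are in
// GdbDebugger.cpp, which is not on this page.
class GdbDebugger
{
public:
	static GdbDebugger* getInstance();
	// Send `cmd` to the child gdb. NOTE(review): takes char* rather than
	// const char*; kept because the definition lives in GdbDebugger.cpp.
	void executeCmd(char* cmd);
	// Presumably attaches the child gdb to a remote target on `port`
	// (stored in remote_port) — confirm in the .cpp.
	void connectRemote(int port);

private:
	static GdbDebugger* instance;
	// Read/write ends of the child's stdin and stdout pipes.
	HANDLE g_hChildStd_IN_Rd;
	HANDLE g_hChildStd_IN_Wr;
	HANDLE g_hChildStd_OUT_Rd;
	HANDLE g_hChildStd_OUT_Wr;
	int remote_port;
	GdbDebugger(void);
	~GdbDebugger(void);
	void CreateChildProcess();
	void ReadFromPipe(void);
	void WriteToPipe(char* cmd);
	void ErrorExit(char* error);
};

--------------------------------------------------------------------------------
/src/PINdemonium/HeapModule.h:
--------------------------------------------------------------------------------
#pragma once
#include "pin.H"
#include "Helper.h"
#include // <header name lost in rendering>
#include "ProcInfo.h"
#include "ScyllaWrapperInterface.h"
#include "OepFinder.h"

namespace W{
#include "windows.h"
}

// Dumps heap zones of the traced process to disk and records them so they
// can be mapped back into a dump (see HeapLoader.py for the consumer).
class HeapModule
{
public:
	//singleton instance
	static HeapModule* getInstance();
	// NOTE(review): the template arguments of both maps were lost in
	// rendering; confirm the key/value types against HeapModule.cpp.
	VOID saveHeapZones(std::map hzs, std::map hzs_dumped);
	// Check the write interval `item` for a W^X violation at curEip;
	// `dumpAndFixResult` is the outcome of the preceding Scylla dump.
	// Returns an OEPFINDER_* style status — confirm in HeapModule.cpp.
	UINT32 checkHeapWxorX(WriteInterval* item, ADDRINT curEip, int dumpAndFixResult);

private:
	HeapModule(void);
	static HeapModule *instance;
	// Write `data` of heap zone `hz` to disk, named after `hz_md5`;
	// presumably returns the path of the written file.
	std::string dumpHZ(HeapZone hz, char * data, std::string hz_md5);
	// Name under which a dumped heap zone is referenced (by its bin path).
	std::string linkHZ(std::string heap_bin_path);
	// Record the zone in the heap map consumed by HeapLoader.py.
	void logHZ(std::string heap_link_name, HeapZone hz, std::string hz_md5);
};
--------------------------------------------------------------------------------
/src/PINdemonium/Helper.h:
--------------------------------------------------------------------------------
#pragma once
#include "pin.H"
#include // <header name lost in rendering>

namespace W{
#include "windows.h"
}

// Stateless file and string utilities shared across the tool.
class Helper
{
public:
	Helper(void);
	// True when a file named `name` exists on disk.
	static BOOL existFile (string name);
	// Split `s` on `delim`. NOTE(review): the template argument of the
	// return type was lost in rendering.
	static vector split(const string &s, char delim);
	// Return `str` with occurrences of `from` replaced by `to`.
	static string replaceString(string str, const string& from, const string& to);
	// Write dwBytesToWrite bytes from `buffer` to the file at `path`;
	// false on failure.
	static bool writeBufferToFile(unsigned char *buffer,UINT32 dwBytesToWrite,string path);
};

--------------------------------------------------------------------------------
/src/PINdemonium/Heuristics.cpp:
--------------------------------------------------------------------------------
#include "Heuristics.h"

// Every wrapper below builds the concrete heuristic object and forwards
// to its run(); each returns an OEPFINDER_* status (see OepFinder.h).

UINT32 Heuristics::longJmpHeuristic(INS ins, ADDRINT prev_ip){
	LongJumpHeuristic heu = LongJumpHeuristic();
	return heu.run(ins, prev_ip);
}

UINT32 Heuristics::entropyHeuristic(){
	EntropyHeuristic heu = EntropyHeuristic();
	return heu.run();
}

UINT32 Heuristics::jmpOuterSectionHeuristic(INS ins, ADDRINT prev_ip){
	JumpOuterSection heu = JumpOuterSection();
	return heu.run(ins, prev_ip);
}

UINT32 Heuristics::pushadPopadHeuristic(){
	PushadPopadheuristic heu = PushadPopadheuristic();
	return heu.run();
}

// NOTE(review): the vector's template argument was lost in rendering.
UINT32 Heuristics::yaraHeuristic(vector dumps_to_analyse){
	YaraHeuristic heu = YaraHeuristic();
	return heu.run(dumps_to_analyse);
}
--------------------------------------------------------------------------------
/src/PINdemonium/Heuristics.h:
--------------------------------------------------------------------------------
#pragma once
#include "pin.H"
#include "Debug.h"
#include "Config.h"
#include "OepFinder.h"
#include "LongJumpHeuristic.h"
#include "EntropyHeuristic.h"
#include "JumpOuterSectionHeuristic.h"
#include "WxorXHandler.h"
#include "PushadPopadHeuristic.h"
#include "YaraHeuristic.h"


//static class where you have to define all the methods that do some kind of heuristic
class Heuristics
{
public:
	static UINT32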
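longJmpHeuristic(INS ins, ADDRINT prev_ip);
	static UINT32 entropyHeuristic();
	static UINT32 jmpOuterSectionHeuristic(INS ins, ADDRINT prev_ip);
	static UINT32 pushadPopadHeuristic();
	// NOTE(review): the vector's template argument was lost in rendering.
	static UINT32 yaraHeuristic(vector dumps_to_analyse);
};


--------------------------------------------------------------------------------
/src/PINdemonium/HookFunctions.h:
--------------------------------------------------------------------------------
#pragma once
#include // <header name lost in rendering>
#include "pin.H"
#include "ProcessInjectionModule.h"
#include "ProcInfo.h"


// Indices of the hooked API functions inside functionsMap.
#define VIRTUALFREE_INDEX 0
#define CREATEPROCESS_INDEX 1
/*
#define VIRTUALALLOC_INDEX 2
#define RTLALLOCATEHEAP_INDEX 3
#define ISDEBUGGERPRESENT_INDEX 4
#define RTLREALLOCATEHEAP_INDEX 5
*/

// Installs the API hooks of the tool on every loaded image.
class HookFunctions
{
public:
	HookFunctions(void);
	~HookFunctions(void);
	// Called once per loaded image; installs the hooks that apply to `img`.
	void hookDispatcher(IMG img);

private:
	// NOTE(review): the map's template arguments were lost in rendering;
	// by the *_INDEX macros above its values are the hook indices.
	std::map functionsMap;
};

--------------------------------------------------------------------------------
/src/PINdemonium/InitFunctionCall.h:
--------------------------------------------------------------------------------
#pragma once
#include "pin.H"
#include "WxorXHandler.h"
namespace W{
#include "windows.h"
#include // <header name lost in rendering>
#include // <header name lost in rendering>
}


// Function-pointer types for the Scylla exports resolved from hScylla
// (presumably via GetProcAddress — confirm in InitFunctionCall.cpp).
typedef int (*def_ScyllaIatSearch)(ADDRINT dwProcessId, ADDRINT * iatStart, UINT32 * iatSize, ADDRINT searchStart, BOOL advancedSearch);
typedef int (*def_ScyllaIatFixAutoA)(ADDRINT iatAddr, UINT32 iatSize, UINT32 dwProcessId, const char * dumpFile, const char * iatFixFile);
typedef BOOL (*def_ScyllaDumpProcessA)(ADDRINT pid, const char * fileToDump, ADDRINT imagebase, ADDRINT entrypoint, const char * fileResult);


// Drives the in-process Scylla DLL: dumps the process at `curEip` and
// repairs its import table. Definitions are in InitFunctionCall.cpp.
class InitFunctionCall
{
public:
	InitFunctionCall(void);
	~InitFunctionCall(void);
	// Returns an OEPFINDER_* style status — confirm in the .cpp.
	UINT32 run(ADDRINT curEip);
private:
	def_ScyllaIatSearch ScyllaIatSearch;
	def_ScyllaIatFixAutoA ScyllaIatFixAutoA;
	def_ScyllaDumpProcessA ScyllaDumpProcessA;
	W::HMODULE hScylla;
	// Resolve the executable path of `dwProcessId` into *filename.
	// Ownership of the returned buffer is not stated here — check the .cpp.
	BOOL GetFilePathFromPID(UINT32 dwProcessId, char **filename);
	ADDRINT GetExeModuleBase(UINT32 dwProcessId);
	UINT32 getFileSize(FILE * fp);
	void DumpProcess(ADDRINT oep, char *outputFile);
};

--------------------------------------------------------------------------------
/src/PINdemonium/JumpOuterSectionHeuristic.h:
--------------------------------------------------------------------------------
#pragma once
#include "Heuristics.h"

// Heuristic that fires when control flow leaves the section it was
// executing in (presumably compares the sections of prev_ip and ins).
class JumpOuterSection
{
public:
	// Was declared as `UINT32 JumpOuterSection::run(...)`: a qualified
	// name inside the class body is ill-formed C++ (an MSVC extension).
	UINT32 run(INS ins, ADDRINT prev_ip);

private:
	//get the name of the section where the ip resides
	string getSectionName(ADDRINT ip);
};

--------------------------------------------------------------------------------
/src/PINdemonium/LibraryHandler.cpp:
--------------------------------------------------------------------------------
#include "LibraryHandler.h"

// Mock boundary: every address above it is treated as library code.
static const ADDRINT MOCK_LIBRARY_BOUNDARY = 0x00420000;

LibraryHandler::LibraryHandler(void)
{
}


LibraryHandler::~LibraryHandler(void)
{
}

//Mock instruction
// Returns TRUE when `eip` should be filtered out as library code.
// NOTE(review): placeholder logic — a fixed address rather than the
// LibrarySet ranges declared in LibraryHandler.h, which nothing here fills.
BOOL LibraryHandler::filterLib(ADDRINT eip){
	return (eip > MOCK_LIBRARY_BOUNDARY) ? TRUE : FALSE;
}

--------------------------------------------------------------------------------
/src/PINdemonium/LibraryHandler.h:
--------------------------------------------------------------------------------
#pragma once

// "pin.H" as in the other headers of this directory; the previous
// lower-case spelling only resolved on case-insensitive file systems.
#include "pin.H"
#include "Debug.h"


/*
This struct will track the library loaded
at program startup
*/
struct LibraryItem{
	ADDRINT StartAddress;
	ADDRINT EndAddress;
};

// Decides whether an instruction address belongs to library code.
class LibraryHandler
{
public:
	LibraryHandler(void);
	~LibraryHandler(void);
	BOOL filterLib(ADDRINT eip);
private:
	// NOTE(review): template argument lost in rendering; never filled or
	// read by the code on this page.
	std::vector LibrarySet;
};

--------------------------------------------------------------------------------
/src/PINdemonium/LongJumpHeuristic.h:
--------------------------------------------------------------------------------
#pragma once
#include "Heuristics.h"
#include "Report.h"
#include "ReportLongJump.h"


// Heuristic based on the distance between prev_ip and the instruction
// `ins`; returns an OEPFINDER_* status.
class LongJumpHeuristic
{
public:
	UINT32 run(INS ins , ADDRINT prev_ip);
};
--------------------------------------------------------------------------------
/src/PINdemonium/MyPinTool.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MyPinTool", "MyPinTool.vcxproj", "{639EF517-FCFC-408E-9500-71F0DC0458DB}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Win32 = Debug|Win32
		Debug|x64 = Debug|x64
		Release|Win32 = Release|Win32
		Release|x64 = Release|x64
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.ActiveCfg = Debug|Win32
		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.Build.0 = Debug|Win32
		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.ActiveCfg = Debug|x64
		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.Build.0 = Debug|x64
		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.ActiveCfg = Release|Win32
		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.Build.0 = Release|Win32
		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.ActiveCfg = Release|x64
		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.Build.0 = Release|x64
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
EndGlobal
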
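--------------------------------------------------------------------------------
/src/PINdemonium/PINdemonium.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/PINdemonium/PINdemonium.cpp
--------------------------------------------------------------------------------
/src/PINdemonium/PINdemonium.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/PINdemonium/PINdemonium.rc
--------------------------------------------------------------------------------
/src/PINdemonium/PINdemoniumDependencies/HeapLoader.py:
--------------------------------------------------------------------------------
'''
This script will patch the idb
with all the heap-zone dumped during the unpacking.

It reads <dump dir>/heaps/heap_map.txt, one line per dumped heap zone:
    <heap bin file name> <start address (hex)> <size (decimal)>
Each zone becomes a new 32-bit segment that is filled byte by byte from
the corresponding .bin file in <dump dir>/heaps/.
'''

import idaapi
import idc
import idautils
import os
import sys

path = '/'.join(idc.GetInputFilePath().split('\\')[:-1])
path = idc.AskStr(path, 'Enter path of the dump directory: ')

# Open the heap_map. open() raises IOError on a bad path and never returns
# None, so the previous `== None` test could not catch a mistyped directory.
try:
    heapmap = open(path + "/heaps/heap_map.txt", 'r')
except IOError:
    print "Wrong path!\n"
    sys.exit(0)

with heapmap:
    for line in heapmap:
        # Whitespace split also drops the trailing newline, so a map line
        # with or without a trailing space parses the same way.
        fields = line.split()
        if len(fields) < 3:
            continue

        heap_bin_path = path + "/heaps/" + fields[0]
        heap_bin_size = os.path.getsize(heap_bin_path)
        start_addr = int(fields[1], 16)
        end_addr = start_addr + int(fields[2], 10)

        # Create a new section that will contain the heap data
        is32bitSeg = 1
        SegAlignment = 32
        idc.SegCreate(start_addr, end_addr, 0, is32bitSeg, SegAlignment, 0)

        # Copy the heap dump into the newly created segment, one byte at a
        # time. Never write past the declared zone size, and iterate over
        # every byte: the previous xrange(1, size) skipped the last one.
        bytes_to_copy = min(heap_bin_size, end_addr - start_addr)
        with open(heap_bin_path, 'rb') as heap_bin:
            addr = start_addr
            for _ in xrange(bytes_to_copy):
                byte = ord(heap_bin.read(1))
                idc.PatchByte(addr, byte)
                addr = idc.NextAddr(addr)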
42 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT3102.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule APT3102Code : APT3102 Family 9 | { 10 | meta: 11 | description = "3102 code features" 12 | author = "Seth Hardy" 13 | last_modified = "2014-06-25" 14 | 15 | strings: 16 | $setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 } 17 | 18 | condition: 19 | any of them 20 | } 21 | 22 | rule APT3102Strings : APT3102 Family 23 | { 24 | meta: 25 | description = "3102 Identifying Strings" 26 | author = "Seth Hardy" 27 | last_modified = "2014-06-25" 28 | 29 | strings: 30 | $ = "rundll32_exec.dll\x00Update" 31 | // this is in the encrypted code - shares with 9002 variant 32 | //$ = "POST http://%ls:%d/%x HTTP/1.1" 33 | 34 | condition: 35 | any of them 36 | } 37 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_APT17.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | */ 4 | 5 | rule APT17_Sample_FXSST_DLL { 6 | meta: 7 | description = "Detects Samples related to APT17 activity - file FXSST.DLL" 8 | author = "Florian Roth" 9 | reference = "https://goo.gl/ZiJyQv" 10 | date = "2015-05-14" 11 | hash = "52f1add5ad28dc30f68afda5d41b354533d8bce3" 12 | strings: 13 | $x1 = "Microsoft? Windows? 
Operating System" fullword wide 14 | $x2 = "fxsst.dll" fullword ascii 15 | 16 | $y1 = "DllRegisterServer" fullword ascii 17 | $y2 = ".cSV" fullword ascii 18 | 19 | $s1 = "GetLastActivePopup" 20 | $s2 = "Sleep" 21 | $s3 = "GetModuleFileName" 22 | $s4 = "VirtualProtect" 23 | $s5 = "HeapAlloc" 24 | $s6 = "GetProcessHeap" 25 | $s7 = "GetCommandLine" 26 | condition: 27 | uint16(0) == 0x5a4d and filesize < 800KB and 28 | ( 1 of ($x*) or all of ($y*) ) and all of ($s*) 29 | } 30 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_CVE2015_5119.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | rule Flash_CVE_2015_5119_APT3 { 7 | meta: 8 | description = "Exploit Sample CVE-2015-5119" 9 | author = "Florian Roth" 10 | score = 70 11 | yaraexchange = "No distribution without author's consent" 12 | date = "2015-08-01" 13 | strings: 14 | $s0 = "HT_exploit" fullword ascii 15 | $s1 = "HT_Exploit" fullword ascii 16 | $s2 = "flash_exploit_" ascii 17 | $s3 = "exp1_fla/MainTimeline" ascii fullword 18 | $s4 = "exp2_fla/MainTimeline" ascii fullword 19 | $s5 = "_shellcode_32" fullword ascii 20 | $s6 = "todo: unknown 32-bit target" fullword ascii 21 | condition: 22 | uint16(0) == 0x5746 and 1 of them 23 | } 24 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_Hikit.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/

// "pe" is imported but not referenced by the rule below.
import "pe"

rule APT_Hikit_msrv
{
    meta:
        author = "ThreatConnect Intelligence Research Team"
    strings:
        // Bytes decode to "msrv.dll\0Dll": the module name immediately followed
        // by the start of an export name.  This is the rule's only indicator.
        $m = {6D 73 72 76 2E 64 6C 6C 00 44 6C 6C}
    condition:
        any of them
}
-------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_Kaba.yar: --------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

// "pe" is imported but not referenced by the rule below.
import "pe"

rule rtf_Kaba_jDoe
{
    meta:
        author = "@patrickrolsen"
        maltype = "APT.Kaba"
        filetype = "RTF"
        version = "0.1"
        // The description field carries the MD5s of the samples the rule was written against.
        description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"
        date = "2013-12-10"
    strings:
        $magic1 = { 7b 5c 72 74 30 31 } // {\rt01
        $magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
        $magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
        $author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe"
        $author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone"
        $string1 = { 44 30 [16] 43 46 [23] 31 31 45 }
    condition:
        // NOTE(review): "at 0" binds only to $magic3.  $magic1 and $magic2 are
        // matched at any offset, so the header check is weaker than it reads and
        // the rule also fires on files that merely embed an RTF fragment.  If all
        // three are meant as file magics the intended form is
        //   ($magic1 at 0 or $magic2 at 0 or $magic3 at 0)
        // -- confirm against the samples above before tightening, as it narrows matches.
        ($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1
}
-------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_LotusBlossom.yar: --------------------------------------------------------------------------------
rule EliseLotusBlossom
{
    meta:
        author = "Jose Ramon Palanco"
        date = "2015-06-23"
        description = "Elise Backdoor Trojan"
        ref = "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"

    strings:
        $magic = { 4d 5a }
$s1 = "\",Update" wide 12 | $s2 = "LoaderDLL.dll" 13 | $s3 = "Kernel32.dll" 14 | $s4 = "{5947BACD-63BF-4e73-95D7-0C8A98AB95F2}" 15 | $s5 = "\\Network\\" wide 16 | $s6 = "0SSSSS" 17 | $s7 = "441202100205" 18 | $s8 = "0WWWWW" 19 | condition: 20 | $magic at 0 and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_Molerats.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule Molerats_certs 9 | { 10 | meta: 11 | Author = "FireEye Labs" 12 | Date = "2013/08/23" 13 | Description = "this rule detections code signed with certificates used by the Molerats actor" 14 | Reference = "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html" 15 | 16 | strings: 17 | $cert1 = { 06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75 } 18 | $cert2 = { 03 e1 e1 aa a5 bc a1 9f ba 8c 42 05 8b 4a bf 28 } 19 | $cert3 = { 0c c0 35 9c 9c 3c da 00 d7 e9 da 2d c6 ba 7b 6d } 20 | 21 | condition: 22 | 1 of ($cert*) 23 | } -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_OLE_JSRat.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | rule APT_OLE_JSRat 7 | { 8 | meta: 9 | author = "Rahul Mohandas" 10 | Date = "2015-06-16" 11 | Description = "Targeted attack using Excel/word documents" 12 | strings: 13 | $header = {D0 CF 11 E0 A1 B1 1A E1} 14 | $key1 = "AAAAAAAAAA" 15 | $key2 = "Base64Str" nocase 16 | $key3 = "DeleteFile" nocase 17 | $key4 = "Scripting.FileSystemObject" nocase 18 | condition: 19 | $header at 0 and (all of ($key*) ) 20 | } 21 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_Seaduke_Unit42.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | rule SeaDuke_Sample { 6 | meta: 7 | description = "SeaDuke Malware - file 3eb86b7b067c296ef53e4857a74e09f12c2b84b666fc130d1f58aec18bc74b0d" 8 | author = "Florian Roth" 9 | reference = "http://goo.gl/MJ0c2M" 10 | date = "2015-07-14" 11 | score = 70 12 | hash = "d2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e" 13 | strings: 14 | $s0 = "bpython27.dll" fullword ascii 15 | $s1 = "email.header(" fullword ascii /* PEStudio Blacklist: strings */ 16 | $s2 = "LogonUI.exe" fullword wide /* PEStudio Blacklist: strings */ 17 | $s3 = "Crypto.Cipher.AES(" fullword ascii /* PEStudio Blacklist: strings */ 18 | $s4 = "mod is NULL - %s" fullword ascii 19 | condition: 20 | uint16(0) == 0x5a4d and filesize < 4000KB and all of them 21 | } 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_Terracota_Liudoor.yar: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to 
any user or organization, as long as you use it under this license. 4 | 5 | */ 6 | rule liudoor 7 | { 8 | meta: 9 | author = "RSA FirstWatch" 10 | date = "2015-07-23" 11 | description = "Detects Liudoor daemon backdoor" 12 | hash0 = "78b56bc3edbee3a425c96738760ee406" 13 | hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e" 14 | hash2 = "531d30c8ee27d62e6fbe855299d0e7de" 15 | hash3 = "2be2ac65fd97ccc97027184f0310f2f3" 16 | hash4 = "6093505c7f7ec25b1934d3657649ef07" 17 | type = "Win32 DLL" 18 | 19 | strings: 20 | $string0 = "Succ" 21 | $string1 = "Fail" 22 | $string2 = "pass" 23 | $string3 = "exit" 24 | $string4 = "svchostdllserver.dll" 25 | $string5 = "L$,PQR" 26 | $string6 = "0/0B0H0Q0W0k0" 27 | $string7 = "QSUVWh" 28 | $string8 = "Ht Hu[" 29 | condition: 30 | all of them 31 | } 32 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_Win_Pipcreat.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | rule APT_Win_Pipcreat { 7 | meta: 8 | author = "chort (@chort0)" 9 | description = "APT backdoor Pipcreat" 10 | filetype = "pe,dll" 11 | date = "2013-03" 12 | MD5 = "f09d832bea93cf320986b53fce4b8397" // (incorrectly?) identified as Hupigon by many AV on VT 13 | Reference = "http://www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/" 14 | version = "1.0" 15 | strings: 16 | $strA = "pip creat failed" wide fullword 17 | $strB = "CraatePipe" ascii fullword 18 | $strC = "are you there? 
" wide fullword 19 | $strD = "success kill process ok" wide fullword 20 | $strE = "Vista|08|Win7" wide fullword 21 | $rut = "are you there!@#$%^&*()_+" ascii fullword 22 | 23 | condition: 24 | $rut or (2 of ($str*)) 25 | } 26 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_backspace.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | */ 4 | 5 | rule apt_backspace{ 6 | meta: 7 | description = "Detects APT backspace" 8 | author = "Bit Byte Bitten" 9 | date = "2015-05-14" 10 | hash = "6cbfeb7526de65eb2e3c848acac05da1e885636d17c1c45c62ad37e44cd84f99" 11 | strings: 12 | $s1 = "!! Use Splice Socket !!" 13 | $s2 = "User-Agent: SJZJ (compatible; MSIE 6.0; Win32)" 14 | $s3 = "g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" 15 | condition: 16 | uint16(0) == 0x5a4d and all of them 17 | } 18 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_korplug_fast.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | rule Korplug_FAST { 6 | meta: 7 | description = "Rule to detect Korplug/PlugX FAST variant" 8 | author = "Florian Roth" 9 | date = "2015-08-20" 10 | hash = "c437465db42268332543fbf6fd6a560ca010f19e0fd56562fb83fb704824b371" 11 | strings: 12 | $x1 = "%s\\rundll32.exe \"%s\", ShadowPlay" fullword ascii 13 | 14 | $a1 = "ShadowPlay" fullword ascii 15 | 16 | $s1 = "%s\\rundll32.exe \"%s\"," fullword ascii 17 | $s2 = "nvdisps.dll" fullword ascii 18 | $s3 = "%snvdisps.dll" fullword ascii 19 | $s4 = "\\winhlp32.exe" fullword ascii 20 | $s5 = "nvdisps_user.dat" fullword ascii 21 | $s6 = "%snvdisps_user.dat" fullword ascii 22 | condition: 23 | uint16(0) == 0x5a4d and filesize < 500KB and 24 | ( 25 | $x1 or 26 | ($a1 and 1 of ($s*)) or 27 | 4 of ($s*) 28 | ) 29 | } 30 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_pcclient.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule backdoor_apt_pcclient 9 | { 10 | meta: 11 | author = "@patrickrolsen" 12 | maltype = "APT.PCCLient" 13 | filetype = "DLL" 14 | version = "0.1" 15 | description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)" 16 | date = "2012-10" 17 | strings: 18 | $magic = { 4d 5a } // MZ 19 | $string1 = "www.micro1.zyns.com" 20 | $string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" 21 | $string3 = "msacm32.drv" wide 22 | $string4 = "C:\\Windows\\Explorer.exe" wide 23 | $string5 = "Elevation:Administrator!" 
wide 24 | $string6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb" 25 | condition: 26 | $magic at 0 and 4 of ($string*) 27 | } 28 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_quarkspwdump.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | rule QuarksPwDump_Gen { 6 | meta: 7 | description = "Detects all QuarksPWDump versions" 8 | author = "Florian Roth" 9 | date = "2015-09-29" 10 | score = 80 11 | hash1 = "2b86e6aea37c324ce686bd2b49cf5b871d90f51cec24476daa01dd69543b54fa" 12 | hash2 = "87e4c76cd194568e65287f894b4afcef26d498386de181f568879dde124ff48f" 13 | hash3 = "a59be92bf4cce04335bd1a1fcf08c1a94d5820b80c068b3efe13e2ca83d857c9" 14 | hash4 = "c5cbb06caa5067fdf916e2f56572435dd40439d8e8554d3354b44f0fd45814ab" 15 | hash5 = "677c06db064ee8d8777a56a641f773266a4d8e0e48fbf0331da696bea16df6aa" 16 | hash6 = "d3a1eb1f47588e953b9759a76dfa3f07a3b95fab8d8aa59000fd98251d499674" 17 | hash7 = "8a81b3a75e783765fe4335a2a6d1e126b12e09380edc4da8319efd9288d88819" 18 | strings: 19 | $s1 = "OpenProcessToken() error: 0x%08X" fullword ascii 20 | $s2 = "%d dumped" fullword ascii 21 | $s3 = "AdjustTokenPrivileges() error: 0x%08X" fullword ascii 22 | $s4 = "\\SAM-%u.dmp" fullword ascii 23 | condition: 24 | all of them 25 | } 26 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/APT_win32_dll_bergard_pgv_pvid_variant.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it 
under this license. 3 | 4 | */ 5 | rule apt_win32_dll_bergard_pgv_pvid_variant 6 | { 7 | 8 | meta: 9 | copyright = "Fidelis Cybersecurity" 10 | reference = "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html" 11 | strings: 12 | $ = "Accept:" 13 | $ = "User-Agent: %s" 14 | $ = "Host: %s:%d" 15 | $ = "Cache-Control: no-cache" 16 | $ = "Connection: Keep-Alive" 17 | $ = "Cookie: pgv_pvid=" 18 | $ = "Content-Type: application/x-octet-stream" 19 | $ = "User-Agent: %s" 20 | $ = "Host: %s:%d" 21 | $ = "Pragma: no-cache" 22 | $ = "Connection: Keep-Alive" 23 | $ = "HTTP/1.0" 24 | 25 | condition: 26 | 27 | (uint16(0) == 0x5A4D) and (all of them) 28 | } 29 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Adwind_JAR_PACKA.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | rule Adwind_JAR_PACKA : binary 6 | { 7 | meta: 8 | author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com" 9 | reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf" 10 | last_modified = "2015-11-30" 11 | strings: 12 | $b1 = ".class" ascii 13 | $b2 = "c/a/a/" ascii 14 | $b3 = "b/a/" ascii 15 | $b4 = "a.dat" ascii 16 | $b5 = "META-INF/MANIFEST.MF" ascii 17 | condition: 18 | int16(0) == 0x4B50 and ($b1 and $b2 and $b3 and $b4 and $b5) 19 | } 20 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Adwind_JAR_PACKB.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | rule Adwind_JAR_PACKB { 6 | meta: 7 | author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com" 8 | reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf" 9 | last_modified = "2015-11-30" 10 | strings: 11 | $c1 = "META-INF/MANIFEST.MF" ascii 12 | $c2 = "main/Start.class" ascii 13 | $a1 = "con g/con g.perl" ascii 14 | $b1 = "java/textito.isn" ascii 15 | condition: 16 | int16(0) == 0x4B50 and ($c1 and $c2 and ($a1 or $b1)) 17 | } 18 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Adzok_RAT.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | */ 4 | 5 | rule Adzok : binary 6 | { 7 | meta: 8 | author = " Kevin Breen " 9 | Description = "Adzok Rat" 10 | Versions = "Free 1.0.0.3," 11 | date = "2015/05" 12 | ref = "http://malwareconfig.com/stats/Adzok" 13 | maltype = "Remote Access Trojan" 14 | filetype = "jar" 15 | 16 | strings: 17 | $a1 = "config.xmlPK" 18 | $a2 = "key.classPK" 19 | $a3 = "svd$1.classPK" 20 | $a4 = "svd$2.classPK" 21 | $a5 = "Mensaje.classPK" 22 | $a6 = "inic$ShutdownHook.class" 23 | $a7 = "Uninstall.jarPK" 24 | $a8 = "resources/icono.pngPK" 25 | 26 | condition: 27 | 7 of ($a*) 28 | } 29 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Alina.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as 3 | long as you use it under this license. 4 | */ 5 | rule alina : forensic pcap 6 | { 7 | meta: 8 | author = "Brian Wallace @botnet_hunter" 9 | author_email = "bwall@ballastsecurity.net" 10 | date = "2014-08-09" 11 | description = "Identify Alina" 12 | strings: 13 | $s1 = "Alina v1.0" 14 | $s2 = "POST" 15 | $s3 = "1[0-2])[0-9]" 16 | condition: 17 | all of them 18 | } 19 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Andromeda.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as 3 | long as you use it under this license. 
4 | */ 5 | rule andromeda : binary 6 | { 7 | meta: 8 | author = "Brian Wallace @botnet_hunter" 9 | author_email = "bwall@ballastsecurity.net" 10 | date = "2014-03-13" 11 | description = "Identify Andromeda" 12 | strings: 13 | $config = {1c 1c 1d 03 49 47 46} 14 | $c1 = "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst" 15 | condition: 16 | all of them 17 | } 18 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Backdoor_WinntiPharma.yar: -------------------------------------------------------------------------------- 1 | rule WinntiPharma 2 | { 3 | meta: 4 | author = "Jose Ramon Palanco" 5 | copyright = "Drainware, Inc." 6 | date = "2015-06-23" 7 | description = "Backdoor Win64 Winnti Pharma" 8 | ref = "https://securelist.com/blog/research/70991/games-are-over/" 9 | 10 | strings: 11 | $s0 = "Cookie: SN=" 12 | $s1 = "{3ec05b4a-ea88-1378-3389-66706ba27600}" 13 | $s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}" 14 | $s3 = "master secret" 15 | $s4 = "MyEngineNetEvent" 16 | condition: 17 | all of ($s*) 18 | } 19 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/BlackRev.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as 3 | long as you use it under this license. 4 | 5 | */ 6 | 7 | rule BlackRev 8 | { 9 | meta: 10 | author = "Dennis Schwarz" 11 | date = "2013-05-21" 12 | description = "Black Revolution DDoS Malware. 
http://www.arbornetworks.com/asert/2013/05/the-revolution-will-be-written-in-delphi/" 13 | origin = "https://github.com/arbor/yara/blob/master/blackrev.yara" 14 | 15 | strings: 16 | $base1 = "http" 17 | $base2 = "simple" 18 | $base3 = "loginpost" 19 | $base4 = "datapost" 20 | 21 | $opt1 = "blackrev" 22 | $opt2 = "stop" 23 | $opt3 = "die" 24 | $opt4 = "sleep" 25 | $opt5 = "syn" 26 | $opt6 = "udp" 27 | $opt7 = "udpdata" 28 | $opt8 = "icmp" 29 | $opt9 = "antiddos" 30 | $opt10 = "range" 31 | $opt11 = "fastddos" 32 | $opt12 = "slowhttp" 33 | $opt13 = "allhttp" 34 | $opt14 = "tcpdata" 35 | $opt15 = "dataget" 36 | 37 | condition: 38 | all of ($base*) and 5 of ($opt*) 39 | } -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/BlackWorm.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as 3 | long as you use it under this license. 
4 | */ 5 | rule BlackWorm{ 6 | meta: 7 | author = "Brian Wallace @botnet_hunter" 8 | author_email = "bwall@ballastsecurity.net" 9 | date = "2015-05-20" 10 | description = "Identify BlackWorm" 11 | strings: 12 | $str1 = "m_ComputerObjectProvider" 13 | $str2 = "MyWebServices" 14 | $str3 = "get_ExecutablePath" 15 | $str4 = "get_WebServices" 16 | $str5 = "My.WebServices" 17 | $str6 = "My.User" 18 | $str7 = "m_UserObjectProvider" 19 | $str8 = "DelegateCallback" 20 | $str9 = "TargetMethod" 21 | $str10 = "000004b0" wide 22 | $str11 = "Microsoft Corporation" wide 23 | condition: 24 | all of them 25 | } 26 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Boouset.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule BoousetCode : Boouset Family 9 | { 10 | meta: 11 | description = "Boouset code tricks" 12 | author = "Seth Hardy" 13 | last_modified = "2014-06-19" 14 | 15 | strings: 16 | $boousetdat = { C6 ?? ?? ?? ?? 00 62 C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 75 } 17 | 18 | condition: 19 | any of them 20 | } 21 | 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Bozok.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as 3 | long as you use it under this license. 
4 | */ 5 | rule Bozok 6 | { 7 | meta: 8 | author = " Kevin Breen " 9 | date = "2014/04" 10 | ref = "http://malwareconfig.com/stats/Bozok" 11 | maltype = "Remote Access Trojan" 12 | filetype = "exe" 13 | 14 | strings: 15 | $a = "getVer" nocase 16 | $b = "StartVNC" nocase 17 | $c = "SendCamList" nocase 18 | $d = "untPlugin" nocase 19 | $e = "gethostbyname" nocase 20 | 21 | condition: 22 | all of them 23 | } 24 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Bublik_downloader.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule Bublik : Downloader 9 | { 10 | meta: 11 | author="Kevin Falcoz" 12 | date="29/09/2013" 13 | description="Bublik Trojan Downloader" 14 | 15 | strings: 16 | $signature1={63 6F 6E 73 6F 6C 61 73} 17 | $signature2={63 6C 55 6E 00 69 6E 66 6F 2E 69 6E 69} 18 | 19 | condition: 20 | $signature1 and $signature2 21 | } 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/CAP_HookExKeylogger.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | rule CAP_HookExKeylogger 6 | { 7 | meta: 8 | author = "Brian C. 
Bell -- @biebsmalwareguy"
        reference = "https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar"

    strings:
        $str_Win32hookapi = "SetWindowsHookEx" nocase
        $str_Win32llkey = "WH_KEYBOARD_LL" nocase
        $str_Win32key = "WH_KEYBOARD" nocase

    condition:
        // NOTE(review): $str_Win32key is a prefix of $str_Win32llkey, so a single
        // "WH_KEYBOARD_LL" occurrence already satisfies "2 of them".  All three
        // are ordinary Win32 API/constant names; treat a hit as a capability
        // (keyboard hook) indicator to triage, not as a malware verdict.
        2 of them
}
-------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Cerberus.yar: --------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

// "pe" is imported but not referenced by the rule below.
import "pe"

rule Cerberus : rat
{
    meta:
        description = "Cerberus"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-01-12"
        // Written for memory scans (filetype = "memory"), where the C2 tokens
        // below are expected to be present in clear.
        filetype = "memory"
        version = "1.0"

    strings:
        $checkin = "Ypmw1Syv023QZD"
        $clientpong = "wZ2pla"
        $serverping = "wBmpf3Pb7RJe"
        // NOTE(review): with "any of them" this string fires the rule on its own,
        // and "cerberus" (case-insensitive) also occurs in benign software and
        // product names -- expect false positives from this indicator alone.
        $generic = "cerberus" nocase

    condition:
        any of them
}
-------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Citadel.yar: --------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/
rule citadel13xy : banker
{
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "Citadel 1.5.x.y trojan banker"
        date = "2013-01-12"
        version = "1.0"
        filetype = "memory"

    strings:
        $a = "Coded by BRIAN KREBS for personnal use only. I love my job & wife."
16 | $b = "http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x%02x.php" 17 | $c = "%BOTID%" 18 | $d = "%BOTNET%" 19 | $e = "cit_video.module" 20 | $f = "bc_remove" 21 | $g = "bc_add" 22 | $ggurl = "http://www.google.com/webhp" 23 | 24 | condition: 25 | 3 of them 26 | } 27 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/CorkowDLL.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | rule CorkowDLL { 6 | meta: 7 | description = "Rule to detect the Corkow DLL files" 8 | reference = "IB-Group | http://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf" 9 | strings: 10 | 11 | $mz = { 4d 5a } 12 | $binary1 = {60 [0-8] 9C [0-8] BB ?? ?? ?? ?? [0-8] 81 EB ?? ?? ?? ?? [0-8] E8 ?? 
00 00 00 [0-8] 58 [0-8] 2B C3}
        $binary2 = {(FF75??|53)FF7510FF750CFF7508E8????????[3-9]C9C20C 00}
        $export1 = "Control_RunDLL"
        $export2 = "ServiceMain"
        $export3 = "DllGetClassObject"

    condition:

        // MZ header at offset 0, both code patterns, and at least one of the
        // export names the DLL is loaded through.
        ($mz at 0) and ($binary1 and $binary2) and any of ($export*)
}
-------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Crimson_RAT.yar: --------------------------------------------------------------------------------
rule Crimson
{
    meta:
        author = " Kevin Breen "
        Description = "Crimson Rat"
        date = "2015/05"
        ref = "http://malwareconfig.com/stats/Crimson"
        maltype = "Remote Access Trojan"
        filetype = "jar"

    strings:
        // Zip entry names inside the JAR, each followed by the "PK" signature
        // of the next archive record.
        $a1 = "com/crimson/PK"
        $a2 = "com/crimson/bootstrapJar/PK"
        $a3 = "com/crimson/permaJarMulti/PermaJarReporter$1.classPK"
        $a4 = "com/crimson/universal/containers/KeyloggerLog.classPK"
        $a5 = "com/crimson/universal/UploadTransfer.classPK"

    condition:
        all of ($a*)
}
-------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Crypren_ransomware: --------------------------------------------------------------------------------
// NOTE(review): this file (no extension) and Crypren_ransomware.yar are
// byte-for-byte copies and both declare `rule Ransom`.  If the loader compiles
// the whole rules/malware directory into one ruleset, the second definition
// fails with a duplicated-identifier error and the ruleset does not load;
// keep only one of the two files.
rule Ransom : Crypren{
    meta:
        weight = 1
        Author = "@pekeinfo"
        reference = "https://github.com/pekeinfo/DecryptCrypren"
    strings:
        // NOTE(review): in this listing the $a text string runs across a line
        // break.  A YARA text string cannot contain a raw newline, so confirm
        // the file spells the line ending as an escape ("...anymore.\r\n");
        // if the newline is literal the file does not compile and the rule is dead.
        $a = "won't be able to recover your files anymore.

"
        $b = {6A 03 68 ?? ?? ?? ?? B9 74 F1 AE 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 98 3A 00 00 FF D6 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ??}
        $c = "Please restart your computer and wait for instructions for decrypting your files"
    condition:
        any of them
}
-------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Crypren_ransomware.yar: --------------------------------------------------------------------------------
// NOTE(review): identical to ../Crypren_ransomware above (duplicate `rule Ransom`
// and the same line-broken $a string); see the notes on that copy.
rule Ransom : Crypren{
    meta:
        weight = 1
        Author = "@pekeinfo"
        reference = "https://github.com/pekeinfo/DecryptCrypren"
    strings:
        $a = "won't be able to recover your files anymore.

" 8 | $b = {6A 03 68 ?? ?? ?? ?? B9 74 F1 AE 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 98 3A 00 00 FF D6 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ??} 9 | $c = "Please restart your computer and wait for instructions for decrypting your files" 10 | condition: 11 | any of them 12 | } 13 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/CyberGate.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as 3 | long as you use it under this license. 4 | */ 5 | rule CyberGate 6 | { 7 | 8 | meta: 9 | author = " Kevin Breen " 10 | date = "2014/04" 11 | ref = "http://malwareconfig.com/stats/CyberGate" 12 | maltype = "Remote Access Trojan" 13 | filetype = "exe" 14 | 15 | strings: 16 | $string1 = {23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23} 17 | $string2 = {23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23} 18 | $string3 = "EditSvr" 19 | $string4 = "TLoader" 20 | $string5 = "Stroks" 21 | $string6 = "####@####" 22 | $res1 = "XX-XX-XX-XX" 23 | $res2 = "CG-CG-CG-CG" 24 | 25 | condition: 26 | all of ($string*) and any of ($res*) 27 | } 28 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Cythosia.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as 3 | long as you use it under this license. 
4 | */ 5 | rule Cythosia{ 6 | meta: 7 | author = "Brian Wallace @botnet_hunter" 8 | author_email = "bwall@ballastsecurity.net" 9 | date = "2015-03-21" 10 | description = "Identify Cythosia" 11 | strings: 12 | $str1 = "HarvesterSocksBot.Properties.Resources" wide 13 | condition: 14 | all of them 15 | } 16 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/DDoSTf.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | rule DDosTf : DDoS 6 | { 7 | meta: 8 | author = "benkow_ - MalwareMustDie" 9 | reference = "http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html" 10 | description = "Rule to detect ELF.DDosTf infection" 11 | strings: 12 | $st0 = "ddos.tf" 13 | $st1 = {E8 AE BE E7 BD AE 54 43 50 5F 4B 45 45 50 49 4E 54 56 4C E9 94 99 E8 AF AF EF BC 9A 00} /*TCP_KEEPINTVL*/ 14 | $st2 = {E8 AE BE E7 BD AE 54 43 50 5F 4B 45 45 50 43 4E 54 E9 94 99 E8 AF AF EF BC 9A 00} /*TCP_KEEPCNT*/ 15 | $st3 = "Accept-Language: zh" 16 | $st4 = "%d Kb/bps|%d%%" 17 | 18 | condition: 19 | all of them 20 | } 21 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Derkziel_Stealer.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | rule Derkziel 6 | { 7 | meta: 8 | description = "Derkziel info stealer (Steam, Opera, Yandex, ...)" 9 | author = "The Malware Hunter" 10 | yaraexchange = "No distribution without author's consent" 11 | filetype = "pe" 12 | date = "2015-11" 13 | md5 = "f5956953b7a4acab2e6fa478c0015972" 14 | site = "https://zoo.mlw.re/samples/f5956953b7a4acab2e6fa478c0015972" 15 | reference = "https://bhf.su/threads/137898/" 16 | strings: 17 | $drz = "{!}DRZ{!}" 18 | $ua = "User-Agent: Uploador" 19 | $steam = "SteamAppData.vdf" 20 | $login = "loginusers.vdf" 21 | $config = "config.vdf" 22 | condition: 23 | all of them 24 | } 25 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Dexter.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule Dexter_Malware { 9 | meta: 10 | description = "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b" 11 | author = "Florian Roth" 12 | reference = "http://goo.gl/oBvy8b" 13 | date = "2015/02/10" 14 | score = 70 15 | strings: 16 | $s0 = "Java Security Plugin" fullword wide 17 | $s1 = "%s\\%s\\%s.exe" fullword wide 18 | $s2 = "Sun Java Security Plugin" fullword wide 19 | $s3 = "\\Internet Explorer\\iexplore.exe" fullword wide 20 | condition: 21 | all of them 22 | } 23 | rule dexter_strings 24 | { 25 | meta: 26 | author = "Brian Wallace @botnet_hunter" 27 | author_email = "bwall@ballastsecurity.net" 28 | date = "2014-09-10" 29 | description = "Identify Dexter POSGrabber" 30 | strings: 31 | $s1 = "UpdateMutex:" 32 | $s2 = "response=" 33 | $s3 = "page=" 34 | $s4 = "scanin:" 35 | condition: 36 | all of them 37 | } 38 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/DiamondFox.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as 3 | long as you use it under this license. 
4 | */ 5 | rule diamond_fox 6 | { 7 | meta: 8 | author = "Brian Wallace @botnet_hunter" 9 | author_email = "bwall@ballastsecurity.net" 10 | date = "2015-08-22" 11 | description = "Identify DiamondFox" 12 | strings: 13 | $s1 = "UPDATE_B" 14 | $s2 = "UNISTALL_B" 15 | $s3 = "S_PROTECT" 16 | $s4 = "P_WALLET" 17 | $s5 = "GR_COMMAND" 18 | $s6 = "FTPUPLOAD" 19 | condition: 20 | all of them 21 | } 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Dridex.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule Dridex_Trojan_XML { 9 | meta: 10 | description = "Dridex Malware in XML Document" 11 | author = "Florian Roth @4nc4p" 12 | reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503" 13 | date = "2015/03/08" 14 | hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082" 15 | hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395" 16 | hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514" 17 | hash4 = "981369cd53c022b434ee6d380aa9884459b63350" 18 | hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea" 19 | strings: 20 | // can be ascii or wide formatted - therefore no restriction 21 | $c_xml = "" 23 | $c_macro = "w:macrosPresent=\"yes\"" 24 | $c_binary = "0" 26 | $c_1_line = "1" 27 | condition: 28 | all of ($c*) 29 | } 30 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Ezcob.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as 
you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule EzcobStrings : Ezcob Family 9 | { 10 | meta: 11 | description = "Ezcob Identifying Strings" 12 | author = "Seth Hardy" 13 | last_modified = "2014-06-23" 14 | 15 | strings: 16 | $ = "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12" 17 | $ = "\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12" 18 | $ = "Ezcob" wide ascii 19 | $ = "l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126" 20 | $ = "20110113144935" 21 | 22 | condition: 23 | any of them 24 | } 25 | 26 | rule Ezcob : Family 27 | { 28 | meta: 29 | description = "Ezcob" 30 | author = "Seth Hardy" 31 | last_modified = "2014-06-23" 32 | 33 | condition: 34 | EzcobStrings 35 | } 36 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/F0xy.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule ws_f0xy_downloader { 9 | meta: 10 | description = "f0xy malware downloader" 11 | author = "Nick Griffin (Websense)" 12 | 13 | strings: 14 | $mz="MZ" 15 | $string1="bitsadmin /transfer" 16 | $string2="del rm.bat" 17 | $string3="av_list=" 18 | 19 | condition: 20 | ($mz at 0) and (all of ($string*)) 21 | } 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/FastPOS.yar: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
4 | 5 | */ 6 | rule PoS_Malware_fastpos : FastPOS 7 | { 8 | meta: 9 | author = "Trend Micro, Inc." 10 | date = "2016-05-18" 11 | description = "Used to detect FastPOS keyloggger + scraper" 12 | reference = "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf" 13 | sample_filetype = "exe" 14 | strings: 15 | $string1 = "uniqyeidclaxemain" 16 | $string2 = "http://%s/cdosys.php" 17 | $string3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" 18 | $string4 = "\\The Hook\\Release\\The Hook.pdb" nocase 19 | condition: 20 | all of ($string*) 21 | } 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Gamarue.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | rule Worm_Gamarue { 7 | meta: 8 | author = "Centro Criptológico Nacional (CCN)" 9 | ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html" 10 | description = "Gamarue_Andromeda" 11 | strings: 12 | $a = { 69 E1 2A B0 2D 80 44 E3 2D 80 44 E3 2D 80 44 E3 EE 8F 1B E3 2A 80 44 E3 EE 8F 19 E3 3A 80 44 E3 2D 80 45 E3 CD 81 44 E3 0A 46 39 E3 34 80 44 E3 0A 46 29 E3 A5 80 44 E3 0A 46 2A E3 5C 80 44 E3 0A 46 36 E3 2C 80 44 E3 0A 46 3C E3 2C 80 44 E3 } 13 | condition: 14 | $a 15 | } 16 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Genome.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as 3 | long as you use it under this license. 
4 | */ 5 | rule genome { 6 | meta: 7 | author = "Brian Wallace @botnet_hunter" 8 | author_email = "bwall@ballastsecurity.net" 9 | date = "2014-09-07" 10 | description = "Identify Genome" 11 | strings: 12 | $s1 = "Attempting to create more than one keyboard::Monitor instance" 13 | $s2 = "{Right windows}" 14 | $s3 = "Access violation - no RTTI data!" 15 | condition: 16 | all of them 17 | } 18 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/GlassRAT.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as 3 | long as you use it under this license. 4 | */ 5 | rule glassrat 6 | { 7 | meta: 8 | author = "Brian Wallace @botnet_hunter" 9 | strings: 10 | $a = "PostQuitMessage" 11 | $b = "pwlfnn10,gzg" 12 | $c = "update.dll" 13 | $d = "_winver" 14 | condition: 15 | all of them 16 | 17 | } 18 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Gozi_Family.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 
4 | */
5 | rule GoziRule : Gozi Family {
6 | meta:
7 | description = "Win32.Gozi"
8 | author = "CCN-CERT"
9 | version = "1.0"
10 | ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
11 | strings:
12 | $ = {63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 6F 00 75 00 72 00 6E 00 61 00 6C 00 00 00 4F 50 45 52 41 2E 45 58 45 00} // decodes to UTF-16LE "cookies.sqlite-journal", a NUL pair, then ASCII "OPERA.EXE\0": a browser cookie-store file name sitting right next to the Opera process name
13 | condition:
14 | all of them
15 | }
16 | 
-------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Grozlex.yar: --------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 | 
4 | */
5 | 
6 | import "pe" // NOTE(review): the pe module is imported but no pe.* field is referenced by the rule below
7 | 
8 | rule Grozlex : Stealer
9 | {
10 | meta:
11 | author="Kevin Falcoz"
12 | date="20/08/2013"
13 | description="Grozlex Stealer - Possible HCStealer"
14 | 
15 | strings:
16 | $signature={4C 00 6F 00 67 00 73 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 65 00 64 00 20 00 62 00 79 00 20 00 69 00 43 00 6F 00 7A 00 65 00 6E} // decodes to UTF-16LE "Logs attached by iCozen"
17 | 
18 | condition:
19 | $signature
20 | }
21 | 
-------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Havex_Memdump.yar: --------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 
4 | */
5 | rule SANS_ICS_Cybersecurity_Challenge_400_Havex_Memdump
6 | {
7 | meta:
8 | description = "Detects Havex Windows process executable from memory dump"
9 | date = "2015-12-2"
10 | author = "Chris Sistrunk"
11 | hash = "8065674de8d79d1c0e7b3baf81246e7d"
12 | strings:
13 | $magic = { 4d 5a } // "MZ" DOS header; the condition anchors it with `at 0`, so only executable images are considered
14 | 
15 | $s1 = "~tracedscn.yls" fullword wide
16 | $s2 = "[!]Start" fullword wide
17 | $s3 = "[+]Get WSADATA" fullword wide
18 | $s4 = "[-]Can not get local ip" fullword wide
19 | $s5 = "[+]Local:" fullword wide
20 | $s6 = "[-]Threads number > Hosts number" fullword wide
21 | $s7 = "[-]Connection error" fullword wide
22 | 
23 | $x1 = "bddd4e2b84fa2ad61eb065e7797270ff.exe" fullword wide // the sample's own file name; on its own it satisfies the condition, so a renamed copy is caught only through the $s* status strings
24 | condition:
25 | $magic at 0 and ( 3 of ($s*) or $x1 )
26 | }
27 | 
-------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Kelihos.yar: --------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule KelihosHlux 9 | { 10 | meta: 11 | author = "@malpush" 12 | maltype = "KelihosHlux" 13 | description = "http://malwared.ru" 14 | date = "22/02/2014" 15 | strings: 16 | $KelihosHlux_HexString = { 73 20 7D 8B FE 95 E4 12 4F 3F 99 3F 6E C8 28 26 C2 41 D9 8F C1 6A 72 A6 CE 36 0F 73 DD 2A 72 B0 CC D1 07 8B 2B 98 73 0E 7E 8C 07 DC 6C 71 63 F4 23 27 DD 17 56 AE AB 1E 30 52 E7 54 51 F7 20 ED C7 2D 4B 72 E0 77 8E B4 D2 A8 0D 8D 6A 64 F9 B7 7B 08 70 8D EF F3 9A 77 F6 0D 88 3A 8F BB C8 89 F5 F8 39 36 BA 0E CB 38 40 BF 39 73 F4 01 DC C1 17 BF C1 76 F6 84 8F BD 87 76 BC 7F 85 41 81 BD C6 3F BC 39 BD C0 89 47 3E 92 BD 80 60 9D 89 15 6A C6 B9 89 37 C4 FF 00 3D 45 38 09 CD 29 00 90 BB B6 38 FD 28 9C 01 39 0E F9 30 A9 66 6B 19 C9 F8 4C 3E B1 C7 CB 1B C9 3A 87 3E 8E 74 E7 71 D1 } 17 | 18 | condition: 19 | $KelihosHlux_HexString 20 | } 21 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Lenovo_superfish.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | /* LENOVO Superfish -------------------------------------------------------- */ 9 | 10 | rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack { 11 | meta: 12 | description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe" 13 | author = "Florian Roth / improved by kbandla" 14 | reference = "https://twitter.com/4nc4p/status/568325493558272000" 15 | date = "2015/02/19" 16 | hash1 = "99af9cfc7ab47f847103b5497b746407dc566963" 17 | hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46" 18 | hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b" 19 | hash4 = "343af97d47582c8150d63cbced601113b14fcca6" 20 | strings: 21 | $mz = { 4d 5a } 22 | //$s1 = "VisualDiscovery.exe" fullword wide 23 | $s2 = "Invalid key length used to initialize BlowFish." fullword ascii 24 | $s3 = "GetPCProxyHandler" fullword ascii 25 | $s4 = "StartPCProxy" fullword ascii 26 | $s5 = "SetPCProxyHandler" fullword ascii 27 | condition: 28 | ( $mz at 0 ) and filesize < 2MB and all of ($s*) 29 | } 30 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Leverage.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule leverage_a 9 | { 10 | meta: 11 | author = "earada@alienvault.com" 12 | version = "1.0" 13 | description = "OSX/Leverage.A" 14 | date = "2013/09" 15 | strings: 16 | $a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F" 17 | $a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:" 18 | $a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'" 19 | $script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'" 20 | $script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'" 21 | $script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'" 22 | $properties = "serverVisible \x00" 23 | condition: 24 | all of them 25 | } 26 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/LostDoor.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule lost_door : Trojan 9 | { 10 | meta: 11 | author="Kevin Falcoz" 12 | date="23/02/2013" 13 | description="Lost Door" 14 | 15 | strings: 16 | $signature1={45 44 49 54 5F 53 45 52 56 45 52} /*EDIT_SERVER*/ 17 | 18 | condition: 19 | $signature1 20 | } 21 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/LuckyCat.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule LuckyCatCode : LuckyCat Family 9 | { 10 | meta: 11 | description = "LuckyCat code tricks" 12 | author = "Seth Hardy" 13 | last_modified = "2014-06-19" 14 | 15 | strings: 16 | $xordecrypt = { BF 0F 00 00 00 F7 F7 ?? ?? ?? ?? 32 14 39 80 F2 7B } 17 | $dll = { C6 ?? ?? ?? 64 C6 ?? ?? ?? 6C C6 ?? ?? ?? 6C } 18 | $commonletters = { B? 63 B? 61 B? 73 B? 65 } 19 | 20 | condition: 21 | $xordecrypt or ($dll and $commonletters) 22 | } 23 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/MW_Ransomware_777.yar: -------------------------------------------------------------------------------- 1 | rule legion_777 2 | { 3 | meta: 4 | author = "Daxda (https://github.com/Daxda)" 5 | date = "2016/6/6" 6 | description = "Detects an UPX-unpacked .777 ransomware binary." 7 | ref = "https://github.com/Daxda/malware-analysis/tree/master/malware_samples/legion" 8 | category = "Ransomware" 9 | sample = "SHA256: 14d22359e76cf63bf17268cad24bac03663c8b2b8028b869f5cec10fe3f75548" 10 | 11 | strings: 12 | $s1 = "http://tuginsaat.com/wp-content/themes/twentythirteen/stats.php" 13 | $s2 = "read_this_file.txt" wide // Ransom note filename. 14 | $s3 = "seven_legion@india.com" // Part of the format string used to rename files. 15 | $s4 = {46 4f 52 20 44 45 43 52 59 50 54 20 46 49 4c 45 53 0d 0a 53 45 4e 44 20 4f 16 | 4e 45 20 46 49 4c 45 20 49 4e 20 45 2d 4d 41 49 4c 0d 0a 73 65 76 65 6e 5f 17 | 6c 65 67 69 6f 6e 40 69 6e 64 69 61 2e 63 6f 6d } // Ransom note content. 18 | $s5 = "%s._%02i-%02i-%02i-%02i-%02i-%02i_$%s$.777" // Renaming format string. 
19 | 
20 | condition:
21 | 4 of ($s*)
22 | }
23 | 
-------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Madness.yar: --------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
3 | long as you use it under this license.
4 | */
5 | 
6 | rule Madness {
7 | meta:
8 | author = "Jason Jones "
9 | date = "2014-01-15"
10 | description = "Identify Madness Pro DDoS Malware"
11 | source = "https://github.com/arbor/yara/blob/master/madness.yara"
12 | strings:
13 | $ua1 = "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE" // base64; decodes to a User-Agent beginning "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; ..."
14 | $ua2 = "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ==" // base64; decodes to a User-Agent beginning "Mozilla/5.0 (X11; U; Linux ..."
15 | $str1= "document.cookie=" fullword
16 | $str2 = "[\"cookie\",\"" fullword
17 | $str3 = "\"realauth=" fullword
18 | $str4 = "\"location\"];" fullword
19 | $str5 = "d3Rm" fullword // base64 of "wtf"
20 | $str6 = "ZXhl" fullword // base64 of "exe"
21 | condition:
22 | all of them
23 | }
-------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Meterpreter_Reverse_Tcp.yar: --------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 | 
4 | */
5 | rule Meterpreter_Reverse_Tcp {
6 | meta: // This is the standard backdoor/RAT from Metasploit, could be used by any actor
7 | author = "chort (@chort0)"
8 | description = "Meterpreter reverse TCP backdoor in memory. Tested on Win7x64." 
9 | strings: 10 | $a = { 4d 45 54 45 52 50 52 45 54 45 52 5f 54 52 41 4e 53 50 4f 52 54 5f 53 53 4c [32-48] 68 74 74 70 73 3a 2f 2f 58 58 58 58 58 58 } // METERPRETER_TRANSPORT_SSL … https://XXXXXX 11 | $b = { 4d 45 54 45 52 50 52 45 54 45 52 5f 55 41 } // METERPRETER_UA 12 | $c = { 47 45 54 20 2f 31 32 33 34 35 36 37 38 39 20 48 54 54 50 2f 31 2e 30 } // GET /123456789 HTTP/1.0 13 | $d = { 6d 65 74 73 72 76 2e 64 6c 6c [2-4] 52 65 66 6c 65 63 74 69 76 65 4c 6f 61 64 65 72 } // metsrv.dll … ReflectiveLoader 14 | 15 | condition: 16 | $a or (any of ($b, $d) and $c) 17 | } 18 | 19 | 20 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/MiniAsp3_mem.yar: -------------------------------------------------------------------------------- 1 | rule MiniAsp3_mem { 2 | meta: author = "chort (@chort0)" 3 | description = "Detect MiniASP3 in memory" 4 | strings: 5 | $pdb = "MiniAsp3\\Release\\MiniAsp.pdb" fullword 6 | $httpAbout = "http://%s/about.htm" fullword 7 | $httpResult = "http://%s/result_%s.htm" fullword 8 | $msgInetFail = "open internet failed…" fullword 9 | $msgRunErr = "run error!" fullword 10 | $msgRunOk = "run ok!" fullword 11 | $msgTimeOutM0 = "time out,change to mode 0" fullword 12 | $msgCmdNull = "command is null!" fullword 13 | condition: 14 | ($pdb and (all of ($http*)) and any of ($msg*)) 15 | } 16 | 17 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Miscelanea_RTF.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | 9 | rule rtf_multiple 10 | { 11 | meta: 12 | author = "@patrickrolsen" 13 | maltype = "Multiple" 14 | version = "0.1" 15 | reference = "fd69a799e21ccb308531ce6056944842" 16 | date = "01/04/2014" 17 | strings: 18 | $rtf = { 7b 5c 72 74 ?? ?? } // {\rt01 {\rtf1 {\rtxa 19 | $string1 = "author user" 20 | $string2 = "title Vjkygdjdtyuj" nocase 21 | $string3 = "company ooo" 22 | $string4 = "password 00000000" 23 | condition: 24 | ($rtf at 0) and (all of ($string*)) 25 | } 26 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Notepad.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule TROJAN_Notepad { 9 | meta: 10 | Author = "RSA_IR" 11 | Date = "4Jun13" 12 | File = "notepad.exe v 1.1" 13 | MD5 = "106E63DBDA3A76BEEB53A8BBD8F98927" 14 | strings: 15 | $s1 = "75BAA77C842BE168B0F66C42C7885997" 16 | $s2 = "B523F63566F407F3834BCC54AAA32524" 17 | condition: 18 | $s1 or $s2 19 | } 20 | 21 | 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Olyx.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule OlyxCode : Olyx Family 9 | { 10 | meta: 11 | description = "Olyx code tricks" 12 | author = "Seth Hardy" 13 | last_modified = "2014-06-19" 14 | 15 | strings: 16 | $six = { C7 40 04 36 36 36 36 C7 40 08 36 36 36 36 } 17 | $slash = { C7 40 04 5C 5C 5C 5C C7 40 08 5C 5C 5C 5C } 18 | 19 | condition: 20 | any of them 21 | } 22 | 23 | rule OlyxStrings : Olyx Family 24 | { 25 | meta: 26 | description = "Olyx Identifying Strings" 27 | author = "Seth Hardy" 28 | last_modified = "2014-06-19" 29 | 30 | strings: 31 | $ = "/Applications/Automator.app/Contents/MacOS/DockLight" 32 | 33 | condition: 34 | any of them 35 | } 36 | 37 | rule Olyx : Family 38 | { 39 | meta: 40 | description = "Olyx" 41 | author = "Seth Hardy" 42 | last_modified = "2014-06-19" 43 | 44 | condition: 45 | OlyxCode or OlyxStrings 46 | } 47 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/PE_File_pyinstaller.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | import "pe" 6 | 7 | rule PE_File_pyinstaller 8 | { 9 | meta: 10 | author = "Didier Stevens (https://DidierStevens.com)" 11 | description = "Detect PE file produced by pyinstaller" 12 | strings: 13 | $a = "pyi-windows-manifest-filename" 14 | condition: 15 | pe.number_of_resources > 0 and $a 16 | } 17 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/POS_Easterjack.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as 3 | long as you use it under this license. 4 | */ 5 | rule easterjackpos { 6 | meta: 7 | author = "Brian Wallace @botnet_hunter" 8 | author_email = "bwall@ballastsecurity.net" 9 | date = "2014-09-02" 10 | description = "Identify JackPOS" 11 | strings: 12 | $s1 = "updateinterval=" 13 | $s2 = "cardinterval=" 14 | $s3 = "{[!17!]}{[!18!]}" 15 | condition: 16 | all of them 17 | } 18 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/POS_LogPOS.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | rule LogPOS 8 | { 9 | meta: 10 | author = "Morphick Security" 11 | description = "Detects Versions of LogPOS" 12 | md5 = "af13e7583ed1b27c4ae219e344a37e2b" 13 | strings: 14 | $mailslot = "\\\\.\\mailslot\\LogCC" 15 | $get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process=" 16 | //64A130000000 mov eax, dword ptr fs:[0x30] 17 | //8B400C mov eax, dword ptr [eax + 0xc] 18 | //8B401C mov eax, dword ptr [eax + 0x1c] 19 | //8B4008 mov eax, dword ptr [eax + 8] 20 | $sc = {64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 } 21 | condition: 22 | $sc and 1 of ($mailslot,$get) 23 | } 24 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/POS_MalumPOS.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule PoS_Malware_MalumPOS 9 | { 10 | meta: 11 | author = "Trend Micro, Inc." 
12 | date = "2015-05-25"
13 | description = "Used to detect MalumPOS memory dumper"
14 | sample_filtype = "exe" // NOTE(review): meta key is misspelled (FastPOS.yar in this ruleset uses "sample_filetype"); metadata only, no effect on matching
15 | strings:
16 | $string1 = "SOFTWARE\\Borland\\Delphi\\RTL"
17 | $string2 = "B)[0-9]{13,19}\\" // looks like regex source text carried in the sample (a 13-19 digit run); YARA matches it here as a plain string, not as a regex
18 | $string3 = "[A-Za-z\\s]{0,30}\\/[A-Za-z\\s]{0,30}\\" // same: literal regex source text, matched as a plain string
19 | $string4 = "TRegExpr(exec): ExecNext Without Exec[Pos]"
20 | $string5 = /Y:\\PROGRAMS\\.{20,300}\.pas/ // the only real regex in this rule; presumably a build path left in the binary (.pas fits the Delphi runtime strings above)
21 | condition:
22 | all of ($string*)
23 | }
24 | 
-------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/PittyTiger.yar: --------------------------------------------------------------------------------
1 | rule PittyTiger {
2 | meta:
3 | author = " (@chort0)" // NOTE(review): only the handle survived in the author field; check against the upstream rule
4 | description = "Detect PittyTiger Trojan via common strings"
5 | strings:
6 | $ptUserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.; SV1)" // missing minor digit
7 | $ptFC001 = "FC001" fullword
8 | $ptPittyTiger = "PittyTiger" fullword
9 | $trjHTMLerr = "trj:HTML Err." nocase fullword
10 | $trjworkFunc = "trj:workFunc start." nocase fullword
11 | $trjcmdtout = "trj:cmd time out." nocase fullword
12 | $trjThrtout = "trj:Thread time out." nocase fullword
13 | $trjCrPTdone = "trj:Create PT done." nocase fullword
14 | $trjCrPTerr = "trj:Create PT error: mutex already exists." nocase fullword
15 | $oddPippeFailed = "Create Pippe Failed!" fullword // extra 'p'
16 | $oddXferingFile = "Transfering File" fullword // missing 'r'
17 | $oddParasError = "put Paras Error:" fullword // abbreviated 'parameters'?
18 | $oddCmdTOutkilled = "Cmd Time Out..Cmd has been killed." 
fullword 19 | condition: 20 | (any of ($pt*)) and (any of ($trj*)) and (any of ($odd*)) 21 | } 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Pony.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | */ 4 | rule pony { 5 | meta: 6 | author = "Brian Wallace @botnet_hunter" 7 | author_email = "bwall@ballastsecurity.net" 8 | date = "2014-08-16" 9 | description = "Identify Pony" 10 | strings: 11 | $s1 = "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}" 12 | $s2 = "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0" 13 | $s3 = "POST %s HTTP/1.0" 14 | $s4 = "Accept-Encoding: identity, *;q=0" 15 | 16 | //$useragent1 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" 17 | //$useragent2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)" 18 | condition: 19 | $s1 and $s2 and $s3 and $s4 20 | } 21 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/PubSab.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule PubSabCode : PubSab Family 9 | { 10 | meta: 11 | description = "PubSab code tricks" 12 | author = "Seth Hardy" 13 | last_modified = "2014-06-19" 14 | 15 | strings: 16 | $decrypt = { 6B 45 E4 37 89 CA 29 C2 89 55 E4 } 17 | 18 | condition: 19 | any of them 20 | } 21 | 22 | rule PubSabStrings : PubSab Family 23 | { 24 | meta: 25 | description = "PubSab Identifying Strings" 26 | author = "Seth Hardy" 27 | last_modified = "2014-06-19" 28 | 29 | strings: 30 | $ = "_deamon_init" 31 | $ = "com.apple.PubSabAgent" 32 | $ = "/tmp/screen.jpeg" 33 | 34 | condition: 35 | any of them 36 | } 37 | 38 | rule PubSab : Family 39 | { 40 | meta: 41 | description = "PubSab" 42 | author = "Seth Hardy" 43 | last_modified = "2014-06-19" 44 | 45 | condition: 46 | PubSabCode or PubSabStrings 47 | } 48 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/RAT_Terminator.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | 9 | rule TerminatorRat : rat 10 | { 11 | meta: 12 | description = "Terminator RAT" 13 | author = "Jean-Philippe Teissier / @Jipe_" 14 | date = "2013-10-24" 15 | filetype = "memory" 16 | version = "1.0" 17 | ref1 = "http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html" 18 | 19 | strings: 20 | $a = "Accelorator" 21 | $b = "12356" 22 | 23 | condition: 24 | all of them 25 | } 26 | 27 | 28 | 29 | rule TROJAN_Notepad_shell_crew { 30 | meta: 31 | author = "RSA_IR" 32 | Date = "4Jun13" 33 | File = "notepad.exe v 1.1" 34 | MD5 = "106E63DBDA3A76BEEB53A8BBD8F98927" 35 | strings: 36 | $s1 = "75BAA77C842BE168B0F66C42C7885997" 37 | $s2 = "B523F63566F407F3834BCC54AAA32524" 38 | condition: 39 | $s1 or $s2 40 | } 41 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Ransom_DMALocker.yar: -------------------------------------------------------------------------------- 1 | //more info at reversecodes.wordpress.com 2 | rule DMALocker 3 | { 4 | meta: 5 | Description = "Deteccion del ransomware DMA Locker desde la version 1.0 a la 4.0" 6 | ref = "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/" 7 | Author = "SadFud" 8 | Date = "30/05/2016" 9 | 10 | strings: 11 | $uno = { 41 42 43 58 59 5a 31 31 } 12 | $dos = { 21 44 4d 41 4c 4f 43 4b } 13 | $tres = { 21 44 4d 41 4c 4f 43 4b 33 2e 30 } 14 | $cuatro = { 21 44 4d 41 4c 4f 43 4b 34 2e 30 } 15 | 16 | condition: 17 | any of them 18 | 19 | } 20 | 21 | //More at reversecodes.wordpress.com 22 | rule DMALocker4 { 23 | 24 | meta: 25 | Description = "Deteccion del ransomware DMA Locker version 4.0" 26 | ref = "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/" 27 | Author = "SadFud" 28 | Date = "30/05/2016" 29 | Hash = 
"e3106005a0c026fc969b46c83ce9aeaee720df1bb17794768c6c9615f083d5d1" 30 | 31 | strings: 32 | $clave = { 21 44 4d 41 4c 4f 43 4b 34 2e 30 } 33 | 34 | condition: 35 | $clave 36 | 37 | } 38 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Ransom_TeslaCrypt.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | rule TeslaCrypt { 7 | meta: 8 | description = "Regla para detectar Tesla con md5" 9 | author = "CCN-CERT" 10 | version = "1.0" 11 | strings: 12 | $ = { 4E 6F 77 20 69 74 27 73 20 25 49 3A 25 4D 25 70 2E 00 00 00 76 61 6C 20 69 73 20 25 64 0A 00 00 } 13 | condition: 14 | all of them 15 | } 16 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Ransomware_Locky.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | /* 7 | Yara Rule Set 8 | Author: Florian Roth 9 | Date: 2016-02-17 10 | Identifier: Locky 11 | */ 12 | 13 | rule Locky_Ransomware { 14 | meta: 15 | description = "Detects Locky Ransomware (matches also on Win32/Kuluoz)" 16 | author = "Florian Roth (with the help of binar.ly)" 17 | reference = "https://goo.gl/qScSrE" 18 | date = "2016-02-17" 19 | hash = "5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8" 20 | strings: 21 | $o1 = { 45 b8 99 f7 f9 0f af 45 b8 89 45 b8 } // address=0x4144a7 22 | $o2 = { 2b 0a 0f af 4d f8 89 4d f8 c7 45 } // address=0x413863 23 | condition: 24 | all of ($o*) 25 | } 26 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Ransomware_Petya.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | /* 7 | Yara Rule Set 8 | Author: Florian Roth 9 | Date: 2016-03-24 10 | Identifier: Petya Ransomware 11 | */ 12 | 13 | /* Rule Set ----------------------------------------------------------------- */ 14 | 15 | rule Petya_Ransomware { 16 | meta: 17 | description = "Detects Petya Ransomware" 18 | author = "Florian Roth" 19 | reference = "http://www.heise.de/newsticker/meldung/Erpressungs-Trojaner-Petya-riegelt-den-gesamten-Rechner-ab-3150917.html" 20 | date = "2016-03-24" 21 | hash = "26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739" 22 | strings: 23 | $a1 = "WinRAR SFX module" fullword ascii 24 | 25 | $s1 = "BX-Proxy-Manual-Auth" fullword wide 26 | $s2 = "" fullword ascii 27 | $s3 = "X-HTTP-Attempts" fullword wide 28 | $s4 = "@CommandLineMode" fullword wide 29 | $s5 = "X-Retry-After" fullword wide 30 | condition: 31 | uint16(0) == 0x5a4d and filesize < 500KB and $a1 and 3 of ($s*) 32 | } 33 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Retefe.yar: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
4 | 5 | */ 6 | 7 | rule Retefe 8 | { 9 | meta: 10 | author = "bartblaze" 11 | description = "Retefe" 12 | strings: 13 | $string0 = "01050000" 14 | $string1 = "00000000" 15 | $string2 = "5061636b61676500" 16 | $string3 = "000000000000000000000000000000000000000000000000000000000000000000000000000000" 17 | $string4 = "{\\stylesheet{ Normal;}{\\s1 heading 1;}{\\s2 heading 2;}}" 18 | $string5 = "02000000" 19 | condition: 20 | 5 of them 21 | } 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Rockloader.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | /* 7 | Description: Rar file with a .js inside 8 | Author: iHeartMalware 9 | Priority: 5 10 | Scope: Against Attachment 11 | Tags: http://phishme.com/rockloader-new-upatre-like-downloader-pushed-dridex-downloads-malwares/ 12 | Created in PhishMe Triage on April 7, 2016 3:41 PM 13 | */ 14 | 15 | rule rar_with_js 16 | { 17 | strings: 18 | $h1 = "Rar!" 
19 | $s1 = ".js" nocase 20 | 21 | condition: 22 | $h1 at 0 and $s1 23 | } 24 | 25 | 26 | 27 | rule RockLoader{ 28 | meta: 29 | name = "RockLoader" 30 | description = "RockLoader Malware" 31 | author = "@seanmw" 32 | strings: 33 | $hdr = {4d 5a 90 00} 34 | $op1 = {39 45 f0 0f 8e b0 00 00 00} 35 | $op2 = {32 03 77 73 70 72 69 6e 74 66 41 00 ce 02 53 65} 36 | condition: 37 | $hdr at 0 and all of ($op*) and filesize < 500KB 38 | } 39 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/ShadowTech.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule ShadowTech_2 9 | { 10 | meta: 11 | description = "ShadowTech RAT" 12 | author = "botherder https://github.com/botherder" 13 | 14 | strings: 15 | $string1 = /\#(S)trings/ 16 | $string2 = /\#(G)UID/ 17 | $string3 = /\#(B)lob/ 18 | $string4 = /(S)hadowTech Rat\.exe/ 19 | $string5 = /(S)hadowTech_Rat/ 20 | 21 | condition: 22 | all of them 23 | } 24 | rule ShadowTech 25 | { 26 | meta: 27 | author = " Kevin Breen " 28 | date = "2014/04" 29 | ref = "http://malwareconfig.com/stats/ShadowTech" 30 | maltype = "Remote Access Trojan" 31 | filetype = "exe" 32 | 33 | strings: 34 | $a = "ShadowTech" nocase 35 | $b = "DownloadContainer" 36 | $c = "MySettings" 37 | $d = "System.Configuration" 38 | $newline = "#-@NewLine@-#" wide 39 | $split = "pSIL" wide 40 | $key = "ESIL" wide 41 | 42 | condition: 43 | 4 of them 44 | } 45 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Shamoon.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the 
GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | 9 | rule CrowdStrike_Shamoon_DroppedFile { 10 | meta: 11 | description = "Rule to detect Shamoon malware http://goo.gl/QTxohN" 12 | reference = "http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf" 13 | strings: 14 | $testn123 = "test123" wide 15 | $testn456 = "test456" wide 16 | $testn789 = "test789" wide 17 | $testdomain = "testdomain.com" wide $pingcmd = "ping -n 30 127.0.0.1 >nul" wide 18 | condition: 19 | (any of ($testn*) or $pingcmd) and $testdomain 20 | } 21 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Stealer.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule universal_1337_stealer_serveur : Stealer 9 | { 10 | meta: 11 | author="Kevin Falcoz" 12 | date="24/02/2013" 13 | description="Universal 1337 Stealer Serveur" 14 | 15 | strings: 16 | $signature1={2A 5B 53 2D 50 2D 4C 2D 49 2D 54 5D 2A} /*[S-P-L-I-T]*/ 17 | $signature2={2A 5B 48 2D 45 2D 52 2D 45 5D 2A} /*[H-E-R-E]*/ 18 | $signature3={46 54 50 7E} /*FTP~*/ 19 | $signature4={7E 31 7E 31 7E 30 7E 30} /*~1~1~0~0*/ 20 | 21 | condition: 22 | $signature1 and $signature2 or $signature3 and $signature4 23 | } 24 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/TreasureHunt.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | rule TreasureHunt 7 | { 8 | meta: 9 | author = "Minerva Labs" 10 | ref ="http://www.minerva-labs.com/#!Cybercriminals-Adopt-the-Mossad-Emblem/c7a5/573da2d60cf2f90ca6f6e3ed" 11 | date = "2016/06" 12 | maltype = "Point of Sale (POS) Malware" 13 | filetype = "exe" 14 | 15 | strings: 16 | $a = "treasureHunter.pdb" 17 | $b = "jucheck" 18 | $c = "cmdLineDecrypted" 19 | 20 | condition: 21 | all of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Turla.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule WaterBug_turla_dll 9 | { 10 | meta: 11 | description = "Symantec Waterbug Attack - Trojan Turla DLL" 12 | author = "Symantec Security Response" 13 | date = "22.01.2015" 14 | reference = "http://www.symantec.com/connect/blogs/turla-spying-tool-targets-governments-and-diplomats" 15 | 16 | strings: 17 | $a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/ 18 | 19 | condition: 20 | pe.exports("ee") and $a 21 | } 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Urausy.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule urausy_skype_dat { 9 | meta: 10 | author = "AlienVault Labs" 11 | description = "Yara rule to match against memory of processes infected by Urausy skype.dat" 12 | strings: 13 | $a = "skype.dat" ascii wide 14 | $b = "skype.ini" ascii wide 15 | $win1 = "CreateWindow" 16 | $win2 = "YIWEFHIWQ" ascii wide 17 | $desk1 = "CreateDesktop" 18 | $desk2 = "MyDesktop" ascii wide 19 | condition: 20 | $a and $b and (all of ($win*) or all of ($desk*)) 21 | } 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/W32_NionSpy.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | rule NionSpy 6 | { 7 | meta: 8 | description = "Triggers on old and new variants of W32/NionSpy file infector" 9 | reference = "https://blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector" 10 | strings: 11 | $variant2015_infmarker = "aCfG92KXpcSo4Y94BnUrFmnNk27EhW6CqP5EnT" 12 | $variant2013_infmarker = "ad6af8bd5835d19cc7fdc4c62fdf02a1" 13 | $variant2013_string = "%s?cstorage=shell&comp=%s" 14 | condition: 15 | uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($variant*) 16 | } 17 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Wabot.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | rule Wabot : Worm 6 | { 7 | meta: 8 | author="Kevin Falcoz" 9 | date="14/08/2015" 10 | description="Wabot Trojan Worm" 11 | 12 | strings: 13 | $signature1={43 3A 5C 6D 61 72 69 6A 75 61 6E 61 2E 74 78 74} 14 | $signature2={73 49 52 43 34} 15 | 16 | condition: 17 | $signature1 and $signature2 18 | } 19 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Warp.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule WarpCode : Warp Family 9 | { 10 | meta: 11 | description = "Warp code features" 12 | author = "Seth Hardy" 13 | last_modified = "2014-07-10" 14 | 15 | strings: 16 | // character replacement 17 | $ = { 80 38 2B 75 03 C6 00 2D 80 38 2F 75 03 C6 00 5F } 18 | 19 | condition: 20 | any of them 21 | } 22 | 23 | rule WarpStrings : Warp Family 24 | { 25 | meta: 26 | description = "Warp Identifying Strings" 27 | author = "Seth Hardy" 28 | last_modified = "2014-07-10" 29 | 30 | strings: 31 | $ = "/2011/n325423.shtml?" 32 | $ = "wyle" 33 | $ = "\\~ISUN32.EXE" 34 | 35 | condition: 36 | any of them 37 | } 38 | 39 | rule Warp : Family 40 | { 41 | meta: 42 | description = "Warp" 43 | author = "Seth Hardy" 44 | last_modified = "2014-07-10" 45 | 46 | condition: 47 | WarpCode or WarpStrings 48 | } 49 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Win32_Buzus_Softpulse.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | rule Win32_Buzus_Softpulse { 7 | meta: 8 | description = "Trojan Buzus / Softpulse" 9 | author = "Florian Roth" 10 | date = "2015-05-13" 11 | hash = "2f6df200e63a86768471399a74180466d2e99ea9" 12 | score = 75 13 | strings: 14 | $x1 = "pi4izd6vp0.com" fullword ascii 15 | 16 | $s1 = "SELECT * FROM Win32_Process" fullword wide 17 | $s4 = "CurrentVersion\\Uninstall\\avast" fullword wide 18 | $s5 = "Find_RepeatProcess" fullword ascii 19 | $s6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" fullword wide 20 | $s7 = "myapp.exe" fullword ascii 21 | $s14 = "/c ping -n 1 www.google" wide 22 | condition: 23 | uint16(0) == 0x5a4d and 24 | ( 25 | ( $x1 and 2 of ($s*) ) or 26 | all of ($s*) 27 | ) 28 | } 29 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/XOR_DDosv1.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | rule XOR_DDosv1 : DDoS 7 | { 8 | meta: 9 | author = "Akamai CSIRT" 10 | description = "Rule to detect XOR DDos infection" 11 | strings: 12 | $st0 = "BB2FA36AAA9541F0" 13 | $st1 = "md5=" 14 | $st2 = "denyip=" 15 | $st3 = "filename=" 16 | $st4 = "rmfile=" 17 | $st5 = "exec_packet" 18 | $st6 = "build_iphdr" 19 | condition: 20 | all of them 21 | } 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Yayih.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule YayihCode : Yayih Family 9 | { 10 | meta: 11 | description = "Yayih code features" 12 | author = "Seth Hardy" 13 | last_modified = "2014-07-11" 14 | 15 | strings: 16 | // encryption 17 | $ = { 80 04 08 7A 03 C1 8B 45 FC 80 34 08 19 03 C1 41 3B 0A 7C E9 } 18 | 19 | condition: 20 | any of them 21 | } 22 | 23 | rule YayihStrings : Yayih Family 24 | { 25 | meta: 26 | description = "Yayih Identifying Strings" 27 | author = "Seth Hardy" 28 | last_modified = "2014-07-11" 29 | 30 | strings: 31 | $ = "/bbs/info.asp" 32 | $ = "\\msinfo.exe" 33 | $ = "%s\\%srcs.pdf" 34 | $ = "\\aumLib.ini" 35 | 36 | condition: 37 | any of them 38 | } 39 | 40 | rule Yayih : Family 41 | { 42 | meta: 43 | description = "Yayih" 44 | author = "Seth Hardy" 45 | last_modified = "2014-07-11" 46 | 47 | condition: 48 | YayihCode or YayihStrings 49 | } 50 | 51 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Zegost.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule Zegost : Trojan 9 | { 10 | meta: 11 | author="Kevin Falcoz" 12 | date="10/06/2013" 13 | description="Zegost Trojan" 14 | 15 | strings: 16 | $signature1={39 2F 66 33 30 4C 69 35 75 62 4F 35 44 4E 41 44 44 78 47 38 73 37 36 32 74 71 59 3D} 17 | $signature2={00 BA DA 22 51 42 6F 6D 65 00} 18 | 19 | condition: 20 | $signature1 and $signature2 21 | } 22 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/Zeus.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule Windows_Malware : Zeus_1134 9 | { 10 | meta: 11 | author = "Xylitol xylitol@malwareint.com" 12 | date = "2014-03-03" 13 | description = "Match first two bytes, protocol and string present in Zeus 1.1.3.4" 14 | reference = "http://www.xylibox.com/2014/03/zeus-1134.html" 15 | 16 | strings: 17 | $mz = {4D 5A} 18 | $protocol1 = "X_ID: " 19 | $protocol2 = "X_OS: " 20 | $protocol3 = "X_BV: " 21 | $stringR1 = "InitializeSecurityDescriptor" 22 | $stringR2 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)" 23 | condition: 24 | ($mz at 0 and all of ($protocol*) and ($stringR1 or $stringR2)) 25 | } 26 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/ZoxPNG.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule zoxPNG_RAT 9 | { 10 | meta: 11 | Author = "Novetta Advanced Research Group" 12 | Date = "2014/11/14" 13 | Description = "ZoxPNG RAT, url inside" 14 | Reference = "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf" 15 | 16 | strings: 17 | $url = "png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty=58" 18 | 19 | condition: 20 | $url 21 | } -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/backoff.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as 3 | long as you use it under this license. 4 | */ 5 | rule backoff { 6 | meta: 7 | author = "Brian Wallace @botnet_hunter" 8 | author_email = "bwall@ballastsecurity.net" 9 | date = "2014-08-21" 10 | description = "Identify Backoff" 11 | strings: 12 | $s1 = "&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s" 13 | $s2 = "%s @ %s" 14 | $s3 = "Upload KeyLogs" 15 | condition: 16 | all of them 17 | } 18 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/dubrute.yar: -------------------------------------------------------------------------------- 1 | rule dubrute : bruteforcer 2 | { 3 | meta: 4 | author = "Christian Rebischke (@sh1bumi)" 5 | date = "2015-09-05" 6 | description = "Rules for DuBrute Bruteforcer" 7 | in_the_wild = true 8 | family = "Hackingtool/Bruteforcer" 9 | 10 | strings: 11 | $a = "WBrute" 12 | $b = "error.txt" 13 | $c = "good.txt" 14 | $d = "source.txt" 15 | $e = "bad.txt" 16 | $f = "Generator IP@Login;Password" 17 | 18 | condition: 19 | //check for MZ Signature at offset 0 20 | uint16(0) == 0x5A4D 21 | 22 | and 23 | 24 | //check 
for dubrute specific strings 25 | $a and $b and $c and $d and $e and $f 26 | } 27 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/exploit_cve_2015_1701.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | rule CVE_2015_1701_Taihou { 7 | meta: 8 | description = "CVE-2015-1701 compiled exploit code" 9 | author = "Florian Roth" 10 | reference = "http://goo.gl/W4nU0q" 11 | date = "2015-05-13" 12 | hash1 = "90d17ebd75ce7ff4f15b2df951572653efe2ea17" 13 | hash2 = "acf181d6c2c43356e92d4ee7592700fa01e30ffb" 14 | hash3 = "b8aabe12502f7d55ae332905acee80a10e3bc399" 15 | hash4 = "d9989a46d590ebc792f14aa6fec30560dfe931b1" 16 | hash5 = "63d1d33e7418daf200dc4660fc9a59492ddd50d9" 17 | score = 70 18 | strings: 19 | $s3 = "VirtualProtect" fullword 20 | $s4 = "RegisterClass" 21 | $s5 = "LoadIcon" 22 | $s6 = "PsLookupProcessByProcessId" fullword ascii 23 | $s7 = "LoadLibraryExA" fullword ascii 24 | $s8 = "gSharedInfo" fullword 25 | 26 | $w1 = "user32.dll" wide 27 | $w2 = "ntdll" wide 28 | condition: 29 | uint16(0) == 0x5a4d and filesize < 160KB and all of ($s*) and 1 of ($w*) 30 | } 31 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/favorite.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | 8 | rule FavoriteCode : Favorite Family 9 | { 10 | meta: 11 | description = "Favorite code features" 12 | author = "Seth Hardy" 13 | last_modified = "2014-06-24" 14 | 15 | strings: 16 | // standard string hiding 17 | $ = { C6 45 ?? 3B C6 45 ?? 27 C6 45 ?? 34 C6 45 ?? 75 C6 45 ?? 6B C6 45 ?? 6C C6 45 ?? 3B C6 45 ?? 2F } 18 | $ = { C6 45 ?? 6F C6 45 ?? 73 C6 45 ?? 73 C6 45 ?? 76 C6 45 ?? 63 C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 } 19 | 20 | condition: 21 | any of them 22 | } 23 | 24 | rule FavoriteStrings : Favorite Family 25 | { 26 | meta: 27 | description = "Favorite Identifying Strings" 28 | author = "Seth Hardy" 29 | last_modified = "2014-06-24" 30 | 31 | strings: 32 | $string1 = "!QAZ4rfv" 33 | $file1 = "msupdater.exe" 34 | $file2 = "FAVORITES.DAT" 35 | 36 | condition: 37 | any of ($string*) or all of ($file*) 38 | } 39 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/generic_exe2hex_payload.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | /* 7 | Yara Rule Set 8 | Author: Florian Roth 9 | Date: 2016-01-15 10 | Identifier: Exe2hex 11 | */ 12 | 13 | rule Payload_Exe2Hex { 14 | meta: 15 | description = "Detects payload generated by exe2hex" 16 | author = "Florian Roth" 17 | reference = "https://github.com/g0tmi1k/exe2hex" 18 | date = "2016-01-15" 19 | score = 70 20 | strings: 21 | $a1 = "set /p \"=4d5a" ascii 22 | $a2 = "powershell -Command \"$hex=" ascii 23 | $b1 = "set+%2Fp+%22%3D4d5" ascii 24 | $b2 = "powershell+-Command+%22%24hex" ascii 25 | $c1 = "echo 4d 5a " ascii 26 | $c2 = "echo r cx >>" ascii 27 | $d1 = "echo+4d+5a+" ascii 28 | $d2 = "echo+r+cx+%3E%3E" ascii 29 | condition: 30 | all of ($a*) or all of ($b*) or all of ($c*) or all of ($d*) 31 | } 32 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/jRAT.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "pe" 7 | rule jRAT_conf : rat 8 | { 9 | meta: 10 | description = "jRAT configuration" 11 | author = "Jean-Philippe Teissier / @Jipe_" 12 | date = "2013-10-11" 13 | filetype = "memory" 14 | version = "1.0" 15 | ref1 = "https://github.com/MalwareLu/config_extractor/blob/master/config_jRAT.py" 16 | ref2 = "http://www.ghettoforensics.com/2013/10/dumping-malware-configuration-data-from.html" 17 | 18 | strings: 19 | $a = /port=[0-9]{1,5}SPLIT/ 20 | 21 | condition: 22 | $a 23 | } 24 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/js_obfuscator.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | rule jjEncode 6 | { 7 | meta: 8 | description = "jjencode detection" 9 | ref = "http://blog.xanda.org/2015/06/10/yara-rule-for-jjencode/" 10 | author = "adnan.shukor@gmail.com" 11 | date = "10-June-2015" 12 | version = "1" 13 | impact = 3 14 | hide = false 15 | strings: 16 | $jjencode = /(\$|[\S]+)=~\[\]\;(\$|[\S]+)\=\{[\_]{3}\:[\+]{2}(\$|[\S]+)\,[\$]{4}\:\(\!\[\]\+["]{2}\)[\S]+/ fullword 17 | condition: 18 | $jjencode 19 | } 20 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/kraken_bot1.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | rule Kraken_Bot_Sample { 7 | meta: 8 | description = "Kraken Bot Sample - file inf.bin" 9 | author = "Florian Roth" 10 | reference = "https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html" 11 | date = "2015-05-07" 12 | hash = "798e9f43fc199269a3ec68980eb4d91eb195436d" 13 | score = 90 14 | strings: 15 | $s2 = "%s=?getname" fullword ascii 16 | $s4 = "&COMPUTER=^" fullword ascii 17 | $s5 = "xJWFwcGRhdGElAA=" fullword ascii /* base64 encoded string '%appdata%' */ 18 | $s8 = "JVdJTkRJUi" fullword ascii /* base64 encoded string '%WINDIR' */ 19 | $s20 = "btcplug" fullword ascii 20 | condition: 21 | uint16(0) == 0x5a4d and all of them 22 | } 23 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/pyinstaller.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | */ 4 | 5 | import "pe" 6 | 7 | rule PE_File_pyinstaller 8 | { 9 | meta: 10 | author = "Didier Stevens (https://DidierStevens.com)" 11 | description = "Detect PE file produced by pyinstaller" 12 | reference = "https://isc.sans.edu/diary/21057" 13 | strings: 14 | $a = "pyi-windows-manifest-filename" 15 | condition: 16 | pe.number_of_resources > 0 and $a 17 | } 18 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/rovnix_downloader_sinkhole_check.yar: -------------------------------------------------------------------------------- 1 | rule rovnix_downloader 2 | { 3 | meta: 4 | author="Intel Security" 5 | description="Rovnix downloader with sinkhole checks" 6 | reference = "https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/" 7 | strings: 8 | $sink1= "control" 9 | $sink2 = "sink" 10 | $sink3 = "hole" 11 | $sink4= "dynadot" 12 | $sink5= "block" 13 | $sink6= "malw" 14 | $sink7= "anti" 15 | $sink8= "googl" 16 | $sink9= "hack" 17 | $sink10= "trojan" 18 | $sink11= "abuse" 19 | $sink12= "virus" 20 | $sink13= "black" 21 | $sink14= "spam" 22 | $boot= "BOOTKIT_DLL.dll" 23 | $mz = { 4D 5A } 24 | condition: 25 | $mz in (0..2) and all of ($sink*) and $boot 26 | } 27 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/sqlite.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | */ 4 | 5 | rule with_sqlite : sqlite 6 | { 7 | meta: 8 | author = "Julian J. 
Gonzalez " 9 | reference = "http://www.st2labs.com" 10 | description = "Rule to detect the presence of SQLite data in raw image" 11 | strings: 12 | $hex_string = {53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00} 13 | condition: 14 | all of them 15 | } 16 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/ssh_backdoor.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | rule custom_ssh_backdoor_server { 7 | meta: 8 | description = "Custome SSH backdoor based on python and paramiko - file server.py" 9 | author = "Florian Roth" 10 | reference = "https://goo.gl/S46L3o" 11 | date = "2015-05-14" 12 | hash = "0953b6c2181249b94282ca5736471f85d80d41c9" 13 | strings: 14 | $s0 = "command= raw_input(\"Enter command: \").strip('n')" fullword ascii 15 | $s1 = "print '[-] (Failed to load moduli -- gex will be unsupported.)'" fullword ascii 16 | $s2 = "print '[-] Listen/bind/accept failed: ' + str(e)" fullword ascii 17 | $s3 = "chan.send(command)" fullword ascii 18 | $s4 = "print '[-] SSH negotiation failed.'" fullword ascii 19 | $s5 = "except paramiko.SSHException, x:" fullword ascii 20 | condition: 21 | filesize < 10KB and 5 of them 22 | } 23 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/tedroo.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | rule Tedroo : Spammer 7 | { 8 | meta: 9 | author="Kevin Falcoz" 10 | date="22/11/2015" 11 | description="Tedroo Spammer" 12 | 13 | strings: 14 | $signature1={25 73 25 73 2E 65 78 65} 15 | $signature2={5F 6C 6F 67 2E 74 78 74} 16 | 17 | condition: 18 | $signature1 and $signature2 19 | } 20 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/wineggdrop.yar: -------------------------------------------------------------------------------- 1 | rule wineggdrop : portscanner 2 | { 3 | meta: 4 | author = "Christian Rebischke (@sh1bumi)" 5 | date = "2015-09-05" 6 | description = "Rules for TCP Portscanner VX.X by WinEggDrop" 7 | in_the_wild = true 8 | family = "Hackingtool/Portscanner" 9 | 10 | strings: 11 | $a = { 54 43 50 20 50 6f 72 74 20 53 63 61 6e 6e 65 72 12 | 20 56 3? 2e 3? 20 42 79 20 57 69 6e 45 67 67 44 13 | 72 6f 70 0a } 14 | $b = "Result.txt" 15 | $c = "Usage: %s TCP/SYN StartIP [EndIP] Ports [Threads] [/T(N)] [/(H)Banner] [/Save]\n" 16 | 17 | condition: 18 | //check for MZ Signature at offset 0 19 | uint16(0) == 0x5A4D 20 | 21 | and 22 | 23 | //check for wineggdrop specific strings 24 | $a and $b and $c 25 | } 26 | 27 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/rules/malware/xRAT.yar: -------------------------------------------------------------------------------- 1 | rule xRAT 2 | { 3 | meta: 4 | author = " Kevin Breen " 5 | date = "2014/04" 6 | ref = "http://malwareconfig.com/stats/xRat" 7 | maltype = "Remote Access Trojan" 8 | filetype = "exe" 9 | 10 | strings: 11 | $v1a = "DecodeProductKey" 12 | $v1b = "StartHTTPFlood" 13 | $v1c = "CodeKey" 14 | $v1d = "MESSAGEBOX" 15 | $v1e = "GetFilezillaPasswords" 16 | $v1f = "DataIn" 17 | $v1g = "UDPzSockets" 18 | $v1h = {52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41} 19 | 20 | $v2a = "k__BackingField" 21 | $v2b = 
"k__BackingField" 22 | $v2c = "DownloadAndExecute" 23 | $v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide 24 | $v2e = "england.png" wide 25 | $v2f = "Showed Messagebox" wide 26 | condition: 27 | all of ($v1*) or all of ($v2*) 28 | } 29 | -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/yara_testImportsMsgBox.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | rule imports : imp 3 | { 4 | meta: 5 | description = "This is an example" 6 | thread_level = 3 7 | in_the_wild = true 8 | 9 | condition: 10 | pe.imports("kernel32.dll", "TerminateProcess") or pe.imports("user32.dll", "MessageBoxW") 11 | or pe.imports("user32.dll", "testtests") 12 | } -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/Yara/yara_testStringMsgBox.yar: -------------------------------------------------------------------------------- 1 | rule msg_box : test 2 | { 3 | meta: 4 | description = "This is an example" 5 | thread_level = 3 6 | in_the_wild = true 7 | strings: 8 | $a = {E9 B6 15 00 00 E9 71 03 00 00 E9 3C 14 00 00} 9 | $b = "Hello" 10 | condition: 11 | $a or $b 12 | } -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumDependencies/config.json: -------------------------------------------------------------------------------- 1 | { 2 | //General Configuration Path 3 | "results_path": "C:\\pin\\PINdemoniumResults\\", // path where the results of the unpacking will be put 4 | "dependecies_path": "C:\\pin\\PINdemoniumDependencies\\", // path containing the dependecies of Pindemonium 5 | "plugins_path": "C:\\pin\\PINdemoniumPlugins\\" , // path containing plugins for IAT fixing 6 | 7 | //Configuration Files inside the results_path folder 8 | "log_filename": "log_PINdemonium.txt", //log of the Pindemonium execution 9 | "report_filename": 
"report_PINdemonium.txt", //report json file containing structed information of the execution 10 | "not_working_directory": "NotWorking\\", //directory containing not working dumps 11 | 12 | //Configuration Parameters Default 13 | "filtered_writes": "teb stack", //memory area where writes to are not tracked Possible values: 14 | "timeout" : 120, //Timeout after last dump determining the end of unpacking 15 | 16 | "yara_exe_path": "C:\\pin\\PINdemoniumDependencies\\Yara\\yara32.exe", 17 | "yara_rules_path": "C:\\pin\\PINdemoniumDependencies\\Yara\\yara_rules.yar" 18 | 19 | } -------------------------------------------------------------------------------- /src/PINdemonium/PINdemoniumResults/dummy_test.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/PINdemonium/PINdemoniumResults/dummy_test.txt -------------------------------------------------------------------------------- /src/PINdemonium/PINshield.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "Pin.h" 3 | #include "Debug.h" 4 | #include "Log.h" 5 | #include "FilterHandler.h" 6 | #include "PatternMatchModule.h" 7 | #include "FakeReadHandler.h" 8 | #include "FakeWriteHandler.h" 9 | 10 | namespace W { 11 | #include 12 | } 13 | 14 | class PINshield 15 | { 16 | public: 17 | PINshield(void); 18 | ~PINshield(void); 19 | void avoidEvasion(INS ins); 20 | 21 | private: 22 | PatternMatchModule evasionPatcher; 23 | FakeReadHandler fakeMemH; 24 | FakeWriteHandler fakeWriteH; 25 | BOOL firstRead; 26 | void ScanForMappedFiles(); 27 | }; 28 | 29 | -------------------------------------------------------------------------------- /src/PINdemonium/PatternMatchModule.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "pin.h" 4 | #include 5 | #include 6 | #include "Config.h" 
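// ---- (continuation of /src/PINdemonium/PatternMatchModule.h) ----
#include            // NOTE(review): header name lost in page rendering

namespace W{
#include            // NOTE(review): header name lost in page rendering (other headers in this tree wrap "windows.h" this way)
}

// Matches known code patterns at the current EIP and dispatches the
// corresponding patch; the patch table itself lives in the .cpp (not on this page).
class PatternMatchModule
{
public:
    PatternMatchModule(void);
    ~PatternMatchModule(void);
    // Presumably returns true when a pattern matched at curEip and a patch was
    // applied -- NOTE(review): inferred from the name, definition not visible here.
    bool patchDispatcher(INS ins, ADDRINT curEip);

private:
    std::map patchesMap;        // NOTE(review): template arguments lost in page rendering
    AFUNPTR curPatchPointer;
};

// ---- /src/PINdemonium/ProcessInjectionModule.h ----
#pragma once
#include "pin.H"
#include "WxorXHandler.h"
#include "Report.h"
#include "Heuristics.h"
#include "Helper.h"
namespace W{
#include "windows.h"
}
// Tracks writes into other processes and checks whether the written memory
// is later executed there (remote dumps are run through the heuristics).
class ProcessInjectionModule
{
public:
    //singleton instance
    static ProcessInjectionModule* getInstance();

    VOID AddInjectedWrite(ADDRINT start, UINT32 size, W::DWORD );
    VOID CheckInjectedExecution(W::DWORD pid );
    VOID setInsideCreateProcess();

private:
    VOID HandleInjectedMemory(std::vector& currentWriteSet,W::DWORD pid);   // NOTE(review): template argument lost in page rendering
    string DumpRemoteWriteInterval(WriteInterval* item,W::DWORD pid);
    VOID WriteBufferToFile(unsigned char *buffer,UINT32 size, string path);
    VOID ExecuteHeuristics(string path_to_analyse);
    string getNameFromPid(W::DWORD pid);
    BOOL isInsideCreateProcess();
    WxorXHandler *wxorxHandler;
    Config *config;
    Report *report;
    static ProcessInjectionModule *instance;
    BOOL insideCreateProcess;
    int remoteWriteInsideCreateProcess;
    ProcessInjectionModule(void);
};

// ---- /src/PINdemonium/PushadPopadHeuristic.cpp ----
#include "PushadPopadHeuristic.h"

// PUSHAD/POPAD heuristic.
// Reads the two flags kept by ProcInfo (they are set elsewhere, not here) and
// returns OEPFINDER_FOUND_OEP when both a PUSHAD and a POPAD have been seen,
// OEPFINDER_HEURISTIC_FAIL otherwise.
UINT32 PushadPopadheuristic::run(){
    ProcInfo *proc_info = ProcInfo::getInstance();
    //if both flags are set the heuristic is satisfied
    if( proc_info->getPopadFlag() && proc_info->getPushadFlag() ){
        MYWARN("[PUSHAD POPAD DETECTED !!]");
        return OEPFINDER_FOUND_OEP;
    }
    return OEPFINDER_HEURISTIC_FAIL;
}

// ---- /src/PINdemonium/PushadPopadHeuristic.h ----
#pragma once
#include "Heuristics.h"

// OEP heuristic based on the PUSHAD/POPAD pair used by some packers; see run().
class PushadPopadheuristic
{
public:
    UINT32 run();
};

// ---- /src/PINdemonium/Report.h ----
#pragma once
#include "pin.H"
#include "Config.h"
#include "ReportGeneralInformation.h"
#include "ReportDump.h"
#include            // NOTE(review): header name lost in page rendering
#include "json.h"

// Singleton collecting the JSON report of one analysis run: general process
// information plus one entry per dump (createReportDump/closeReportDump).
class Report
{
private:
    Report(void);
    static Report *instance;
    bool already_initialized;  //keep track if the report has already been initialized
    string report_path;        //path of the report file
    ReportObject *info;        //Object containing general info about the current analysed executable
    vector dumps;              // NOTE(review): template argument lost in page rendering
    Json::Value report;        //json object representing current report
    void writeJsonToReport(Json::Value report);

public:
    static Report* getInstance();
    void initializeReport(string process_name, ADDRINT startAddr, ADDRINT endAddr, float initial_entropy);
    void createReportDump(ADDRINT eip,ADDRINT start_addr, ADDRINT end_addr, int dump_number, bool intra_writeset, int pid);
    ReportDump& getCurrentDump();
    void closeReportDump();
    void closeReport();
};

// ---- /src/PINdemonium/ReportEntropy.cpp ----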
-------------------------------------------------------------------------------- 1 | #include "ReportEntropy.h" 2 | 3 | 4 | ReportEntropy::ReportEntropy(void) 5 | { 6 | } 7 | 8 | 9 | 10 | ReportEntropy::ReportEntropy(bool result, float cur_entropy, float difference_entropy){ 11 | this->name = "EntropyHeuristic"; 12 | this->result = result; 13 | this->current_entropy = cur_entropy; 14 | this->difference_entropy = difference_entropy; 15 | } 16 | 17 | 18 | Json::Value ReportEntropy::toJson(){ 19 | root["name"] = this->name; 20 | root["result"] = this->result; 21 | root["current_entropy"] = this->current_entropy; 22 | root["difference_entropy_percentage"] = this->difference_entropy; 23 | return root; 24 | } -------------------------------------------------------------------------------- /src/PINdemonium/ReportEntropy.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "ReportObject.h" 4 | 5 | class ReportEntropy : public ReportObject 6 | { 7 | 8 | private: 9 | string name; 10 | bool result; 11 | float current_entropy; 12 | float difference_entropy; 13 | 14 | public: 15 | ReportEntropy(void); 16 | ReportEntropy( bool result, float cur_entropy, float difference_entropy); 17 | Json::Value toJson(); 18 | }; 19 | 20 | -------------------------------------------------------------------------------- /src/PINdemonium/ReportGeneralInformation.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportGeneralInformation.h" 2 | #include "ReportMainModule.h" 3 | 4 | ReportGeneralInformation::ReportGeneralInformation(){ 5 | } 6 | ReportGeneralInformation::ReportGeneralInformation(string name, ADDRINT startAddr, ADDRINT endAddr, float initial_entropy) 7 | { 8 | this->name = name; 9 | this->entropy = initial_entropy; 10 | this->main_module = new ReportMainModule(startAddr, endAddr); 11 | 12 | } 13 | 14 | 15 | Json::Value ReportGeneralInformation::toJson(){ 
16 | root["name"] = this->name; 17 | root["entropy"] =this->entropy; 18 | root["main_module"] = this->main_module->toJson(); 19 | return root; 20 | 21 | } -------------------------------------------------------------------------------- /src/PINdemonium/ReportGeneralInformation.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ReportObject.h" 3 | #include "json.h" 4 | 5 | 6 | class ReportGeneralInformation : public ReportObject 7 | { 8 | 9 | private: 10 | string name; 11 | float entropy; 12 | ReportObject *main_module; 13 | 14 | public: 15 | ReportGeneralInformation(); 16 | ReportGeneralInformation(string name, ADDRINT startAddr, ADDRINT endAddr, float initial_entropy); 17 | Json::Value ReportGeneralInformation::toJson(); 18 | 19 | }; 20 | 21 | -------------------------------------------------------------------------------- /src/PINdemonium/ReportImportedFunction.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportImportedFunction.h" 2 | 3 | 4 | ReportImportedFunction::ReportImportedFunction(string module, string function) 5 | { 6 | this->module_name = module; 7 | this->function_name = function; 8 | 9 | } 10 | 11 | 12 | Json::Value ReportImportedFunction::toJson(){ 13 | root["mod"] = this->module_name; 14 | root["func"] = this->function_name; 15 | return root; 16 | } -------------------------------------------------------------------------------- /src/PINdemonium/ReportImportedFunction.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ReportObject.h" 3 | class ReportImportedFunction : public ReportObject 4 | { 5 | private: 6 | string module_name; 7 | string function_name; 8 | public: 9 | ReportImportedFunction(string module, string function); 10 | Json::Value toJson(); 11 | 12 | }; 13 | 14 | -------------------------------------------------------------------------------- 
/src/PINdemonium/ReportJumpOuterSection.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportJumpOuterSection.h" 2 | 3 | 4 | ReportJumpOuterSection::ReportJumpOuterSection(void) 5 | { 6 | } 7 | 8 | ReportJumpOuterSection::ReportJumpOuterSection( bool res, string prev_sec, string cur_sec){ 9 | this->name = "JumpOuterSectionHeuristic"; 10 | this->result = res; 11 | this->prev_section = prev_sec; 12 | this->cur_section = cur_sec; 13 | } 14 | 15 | 16 | Json::Value ReportJumpOuterSection::toJson(){ 17 | root["name"] = this->name; 18 | root["result"] = this->result; 19 | root["prev_section"] = this->prev_section; 20 | root["current_section"] = this->cur_section; 21 | return root; 22 | } 23 | 24 | 25 | -------------------------------------------------------------------------------- /src/PINdemonium/ReportJumpOuterSection.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ReportObject.h" 3 | 4 | class ReportJumpOuterSection : public ReportObject 5 | { 6 | private: 7 | string name; 8 | bool result; 9 | string prev_section; 10 | string cur_section; 11 | public: 12 | ReportJumpOuterSection(void); 13 | ReportJumpOuterSection(bool res, string prev_sec, string cur_sec); 14 | Json::Value toJson(); 15 | }; 16 | 17 | -------------------------------------------------------------------------------- /src/PINdemonium/ReportLongJump.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportLongJump.h" 2 | 3 | 4 | ReportLongJump::ReportLongJump(void) 5 | { 6 | } 7 | 8 | ReportLongJump::ReportLongJump(bool res,ADDRINT prev_ip, int len){ 9 | this->name = "LongJumpHeuristic"; 10 | this->result = res; 11 | this->prev_ip = prev_ip; 12 | this->length = len; 13 | 14 | } 15 | 16 | 17 | Json::Value ReportLongJump::toJson(){ 18 | root["name"] = name; 19 | root["result"] = result; 20 | root["prev_ip"] = prev_ip; 21 | root["length"] = 
length; 22 | return root; 23 | } -------------------------------------------------------------------------------- /src/PINdemonium/ReportLongJump.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ReportObject.h" 3 | 4 | class ReportLongJump : public ReportObject 5 | { 6 | 7 | private: 8 | string name; 9 | bool result; 10 | ADDRINT prev_ip; 11 | int length; 12 | public: 13 | ReportLongJump(void); 14 | ReportLongJump(bool res,ADDRINT prev_ip, int len); 15 | Json::Value toJson(); 16 | 17 | }; 18 | 19 | -------------------------------------------------------------------------------- /src/PINdemonium/ReportMainModule.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportMainModule.h" 2 | 3 | ReportMainModule::ReportMainModule(ADDRINT startAddr, ADDRINT endAddr) 4 | { 5 | this->startAddr = startAddr; 6 | this->endAddr = endAddr; 7 | } 8 | 9 | 10 | Json::Value ReportMainModule::toJson(){ 11 | root["start_address"] = this->startAddr; 12 | root["end_address"] = this->endAddr; 13 | return root; 14 | } -------------------------------------------------------------------------------- /src/PINdemonium/ReportMainModule.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ReportObject.h" 3 | #include "json.h" 4 | 5 | 6 | class ReportMainModule : public ReportObject 7 | { 8 | 9 | private: 10 | ADDRINT startAddr; 11 | ADDRINT endAddr; 12 | 13 | public: 14 | ReportMainModule(); 15 | ReportMainModule(ADDRINT startAddr, ADDRINT endAddr); 16 | Json::Value ReportMainModule::toJson(); 17 | 18 | }; 19 | 20 | -------------------------------------------------------------------------------- /src/PINdemonium/ReportObject.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportObject.h" 2 | 3 | 4 | ReportObject::ReportObject(void) 5 | { 6 | } 7 | 8 | 9 | 
-------------------------------------------------------------------------------- /src/PINdemonium/ReportObject.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | #include "json.h" 4 | 5 | 6 | class ReportObject 7 | { 8 | protected: 9 | Json::Value root; 10 | public: 11 | ReportObject(void); 12 | virtual Json::Value toJson(void) = 0; 13 | }; 14 | 15 | -------------------------------------------------------------------------------- /src/PINdemonium/ReportYaraRules.cpp: -------------------------------------------------------------------------------- 1 | #include "ReportYaraRules.h" 2 | 3 | 4 | ReportYaraRules::ReportYaraRules(void) 5 | { 6 | } 7 | 8 | ReportYaraRules::ReportYaraRules(bool result, vector matched_rules){ 9 | this->name = "YaraRulesHeuristic"; 10 | this->result = result; 11 | this->matched_rules = matched_rules; 12 | } 13 | 14 | Json::Value ReportYaraRules::toJson(){ 15 | root["name"] = name; 16 | root["result"] = result; 17 | root["matched_rules"] = Json::Value(Json::arrayValue); 18 | for(auto rule = std::begin(matched_rules);rule != std::end(matched_rules);++rule){ 19 | root["matched_rules"].append(*rule); 20 | } 21 | 22 | return root; 23 | } 24 | -------------------------------------------------------------------------------- /src/PINdemonium/ReportYaraRules.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ReportObject.h" 3 | #include "Debug.h" 4 | #include "Log.h" 5 | 6 | class ReportYaraRules : public ReportObject 7 | { 8 | private: 9 | string name; 10 | bool result; 11 | vector matched_rules; 12 | public: 13 | ReportYaraRules(void); 14 | ReportYaraRules(bool result,vector matched_rule); 15 | Json::Value toJson(); 16 | 17 | }; 18 | 19 | -------------------------------------------------------------------------------- /src/PINdemonium/ScyllaWrapper.cpp: 
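// ---- (/src/PINdemonium/ScyllaWrapper.cpp) ----
#include "ScyllaWrapper.h"

ScyllaWrapper* ScyllaWrapper::instance = 0;

// Singleton accessor; constructs the wrapper on first use.
// NOTE(review): the check-then-new is unsynchronized -- if two Pin threads
// can reach this at the same time, two instances (and two DLL loads) result.
ScyllaWrapper* ScyllaWrapper::getInstance()
{
    if (instance == 0)
        instance = new ScyllaWrapper();
    return instance;
}

// Loads ScyllaWrapper.dll and resolves the two exports used by this tool.
// On failure the affected member stays NULL and a message is printed, so
// callers must check myFunc / ScyllaWrapAddSection before calling through them.
ScyllaWrapper::ScyllaWrapper(void)
{
    //init -- every member gets a defined value before the load can fail
    //(ScyllaWrapAddSection was previously left indeterminate on that path)
    this->myFunc = 0;
    this->ScyllaWrapAddSection = 0;
    this->hScyllaWrapper = 0;
    //load library
    // NOTE(review): the DLL path is hard-coded and differs from the
    // "dependecies_path" in config.json (C:\pin\PINdemoniumDependencies\).
    // A fully qualified path keeps the load out of the default DLL search
    // order, which only helps if that directory is not writable by other users.
    this->hScyllaWrapper = W::LoadLibraryW(L"C:\\pin\\PinUnpackerDependencies\\Scylla\\ScyllaWrapper.dll");
    if (this->hScyllaWrapper == NULL)
    {
        printf("ScyllaWrapper.dll could not be loaded (LoadLibraryW error %lu)\n", W::GetLastError());
        return;
    }
    //get proc address
    this->myFunc = (def_myFunc)W::GetProcAddress((W::HMODULE)this->hScyllaWrapper, "myFunc");
    if(this->myFunc == NULL){
        printf("myFunc is NULL!!!");
    }
    this->ScyllaWrapAddSection = (def_ScyllaWrapAddSection)W::GetProcAddress((W::HMODULE)this->hScyllaWrapper, "ScyllaWrapAddSection");
    if(this->ScyllaWrapAddSection == NULL){
        printf("ScyllaWrapAddSection is NULL!!!");
    }
}

// ---- /src/PINdemonium/ScyllaWrapper.h ----
#pragma once

#include "pin.H"

namespace W {
#include "windows.h"   // NOTE(review): header name lost in page rendering; W::DWORD/W::HMODULE/LoadLibraryW below need windows.h
}

// Signatures of the two exports resolved from ScyllaWrapper.dll.
typedef void (WINAPI * def_myFunc)();
typedef void (WINAPI * def_ScyllaWrapAddSection)(const W::WCHAR * dump_path , const W::CHAR * sectionName, W::DWORD sectionSize, UINT32 offset , W::BYTE * sectionData);

// Thin loader around ScyllaWrapper.dll. The function pointers are NULL when
// the DLL or the export could not be resolved; check them before use.
class ScyllaWrapper
{

public:
    static ScyllaWrapper* getInstance();
    def_myFunc myFunc;
    def_ScyllaWrapAddSection ScyllaWrapAddSection;

private:
    ScyllaWrapper();            // declared unqualified: a qualified-id declaration inside the class is ill-formed ISO C++
    static ScyllaWrapper* instance;
    void * hScyllaWrapper;      // HMODULE from LoadLibraryW kept as void*; never freed (process-lifetime singleton)

};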
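; ---- /src/PINdemonium/Tests/EnterForever.ahk ----
;This will visit all windows on the entire system and display info about each of them:

#Persistent

#WinActivateForce

x := (A_ScreenWidth // 2)
y := (A_ScreenHeight // 2)
MouseMove, x, y
Send, {Esc}
Send, {Esc}

SetTimer, getWindows, 5000
Return

getWindows:
Click
Click
Send, {Enter}
Send, {Esc}
Click,
MouseMove, x, y
Return

# ---- /src/PINdemonium/Tests/FolderImportLister.py ----
from subprocess import check_output
from os import listdir
from os.path import isfile, join


ida_path = "C:\\Program Files\\IDA 6.6\\idaw.exe"
importLister_script = "C:\\Users\\phate\\Desktop\\FindOEPPin\\FindOEPPin\\Tests\\importLister.py"


def generateImportsFile(mypath):
    """Run importLister.py under IDA on every *.exe found directly in mypath.

    For each executable the import list is written next to it as
    <name>_imports.txt; the output path is handed to the script through
    IDA's -S argument. A failing run is printed and the loop continues.

    :param mypath: directory to scan (not recursive)
    """
    files = [f for f in listdir(mypath) if isfile(join(mypath, f))]
    for cur_file in files:
        if cur_file.split(".")[-1] != "exe":
            continue
        out_file = "".join(cur_file.split(".")[:-1]) + "_imports.txt"
        # Build an argv list and run without a shell: the file names come from
        # the directory listing (sample files), so a name containing cmd.exe
        # metacharacters must stay a single argument instead of being
        # interpreted. The -S token is one argument ("-S<script> <out>"); the
        # CRT strips the surrounding quotes either way, so IDA should see the
        # same argv as with the old -S"..." string form -- verify against the
        # IDA version in use.
        importLister_command = [
            ida_path,
            "-A",
            "-S" + importLister_script + " " + join(mypath, out_file),
            join(mypath, cur_file),
        ]
        print(importLister_command)
        try:
            check_output(importLister_command)
        except Exception as e:
            print("error " + str(e) + " processing " + str(importLister_command))

REM ---- /src/PINdemonium/Tests/ImportsTester.bat ----
cd C:\pin\
python ImportsTester.py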
-------------------------------------------------------------------------------- /src/PINdemonium/Tests/MalTester.bat: -------------------------------------------------------------------------------- 1 | START C:\Users\phate\Desktop\MessageBox_reloc.exe 2 | START C:\Users\phate\Desktop\EnterForever.ahk 3 | cd C:\pin\ 4 | python MalTester.py 5 | -------------------------------------------------------------------------------- /src/PINdemonium/Tests/Test.py: -------------------------------------------------------------------------------- 1 | import subprocess, time 2 | 3 | print "\nScript Started" 4 | 5 | time.sleep(10) 6 | 7 | while 1: 8 | 9 | print "\nRestoring Virtual Machine" 10 | p = subprocess.Popen("C:\Program Files\Oracle\VirtualBox\VBoxManage.exe snapshot Windows7Reverse_1 restore BeforeTestsFinal") 11 | p.wait() 12 | 13 | print "\nStarting Virtual Machine" 14 | p = subprocess.Popen("C:\Program Files\Oracle\VirtualBox\VBoxManage.exe startvm Windows7Reverse_1") 15 | p.wait() 16 | 17 | print "\nResetting Virtual Machine" 18 | #In order to trigger the startup event that triggers the python script 19 | p = subprocess.Popen("C:\Program Files\Oracle\VirtualBox\VBoxManage.exe controlvm Windows7Reverse_1 reset") 20 | p.wait() 21 | print "\nReset complete" 22 | 23 | time.sleep(540) 24 | 25 | print "\nShutting down Virtual Machine" 26 | p = subprocess.Popen("C:\Program Files\Oracle\VirtualBox\VBoxManage.exe controlvm Windows7Reverse_1 poweroff") 27 | p.wait() 28 | 29 | time.sleep(10) 30 | -------------------------------------------------------------------------------- /src/PINdemonium/Tests/importLister.py: -------------------------------------------------------------------------------- 1 | import idaapi 2 | import idc 3 | from sets import Set 4 | imports = Set() 5 | 6 | def imp_cb(ea, name, ord): 7 | if not name: 8 | print("%08x: ord#%d" % (ea, ord)) 9 | return True #go to next function 10 | 11 | print("Found at %08x %s (ord#%d)" % (ea, name, ord)) 12 | 
imports.add(name) 13 | return True 14 | 15 | 16 | 17 | def main(): 18 | 19 | if len(idc.ARGV) < 2: 20 | print("importLister.py \n List in the the imports of the exe passed to idaPython ") 21 | idc.Exit(-1) 22 | 23 | outputFile = idc.ARGV[1] 24 | 25 | print("output File "+outputFile) 26 | outputF = open(outputFile,"w") 27 | 28 | nimps = idaapi.get_import_module_qty() 29 | 30 | print("Found %d import(s)..." % nimps) 31 | 32 | print(nimps) 33 | for i in xrange(0, nimps): 34 | name = idaapi.get_import_module_name(i) 35 | if not name: 36 | print("Failed to get import module name for #%d" % i) 37 | continue 38 | print("count "+ str(i) +" " + name) 39 | idaapi.enum_import_names(i, imp_cb) 40 | 41 | for imp in imports: 42 | outputF.write(str(imp)+"\n") 43 | print("All done...") 44 | outputF.close() 45 | 46 | 47 | idaapi.autoWait() 48 | main() 49 | idc.Exit(0) 50 | 51 | -------------------------------------------------------------------------------- /src/PINdemonium/TimeTracker.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | 5 | extern int divisor; -------------------------------------------------------------------------------- /src/PINdemonium/WriteInterval.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "pin.H" 3 | 4 | class WriteInterval 5 | { 6 | 7 | public: 8 | //create a new WriteInterval 9 | WriteInterval(ADDRINT addr_begin, ADDRINT addr_end, BOOL heap_flag); 10 | ~WriteInterval(void); 11 | //check if we have to expand our interval 12 | BOOL checkUpdate(ADDRINT start_addr, ADDRINT end_addr); 13 | //check if a given address is inside our interval 14 | BOOL checkInside(ADDRINT ip); 15 | //update our inteval with the new bounds 16 | VOID update(ADDRINT start_addr, ADDRINT end_addr, BOOL heap_flag); 17 | //getter 18 | ADDRINT getAddrBegin(); 19 | ADDRINT getAddrEnd(); 20 | UINT32 getBrokenFlag(); 21 | UINT32 getThreshold(); 22 | UINT32 
getCurrNumberJMP(); 23 | BOOL getHeapFlag(); 24 | UINT32 getDetectedFunctions(); 25 | //setter 26 | void setBrokenFlag(BOOL flag); 27 | void incrementCurrNumberJMP(); 28 | void setDetectedFunctions(UINT32 numberOfFunctions); 29 | 30 | private: 31 | ADDRINT addr_begin; 32 | ADDRINT addr_end; 33 | BOOL broken_flag; 34 | UINT32 cur_number_jmp; 35 | BOOL heap_flag; 36 | UINT32 detectedFunctions; 37 | }; 38 | 39 | -------------------------------------------------------------------------------- /src/PINdemonium/YaraHeuristic.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "Heuristics.h" 3 | #include "ReportYaraRules.h" 4 | #include "Helper.h" 5 | namespace W{ 6 | #include "windows.h" 7 | } 8 | 9 | //size of the buffer used for communitating with the yara process 10 | #define PIPE_BUFSIZE 4096 11 | 12 | class YaraHeuristic 13 | { 14 | public: 15 | UINT32 run(vector paths_to_analyse); 16 | private: 17 | W::HANDLE g_hChildStd_OUT_Rd; 18 | W::HANDLE g_hChildStd_OUT_Wr; 19 | string ReadFromPipe(W::PROCESS_INFORMATION piProcInfo); 20 | BOOL launchYara(string yara_path, string yara_rules_path, string yara_input_path,string yara_output,W::PROCESS_INFORMATION * piResults); 21 | UINT32 getFileSize(FILE * fp); 22 | vector parseYaraOutput(string output); 23 | vector analyseYara(string dump_to_analyse); 24 | 25 | }; 26 | -------------------------------------------------------------------------------- /src/PINdemonium/makefile: -------------------------------------------------------------------------------- 1 | ############################################################## 2 | # 3 | # DO NOT EDIT THIS FILE! 4 | # 5 | ############################################################## 6 | 7 | # If the tool is built out of the kit, PIN_ROOT must be specified in the make invocation and point to the kit root. 
8 | ifdef PIN_ROOT 9 | CONFIG_ROOT := $(PIN_ROOT)/source/tools/Config 10 | else 11 | CONFIG_ROOT := ../Config 12 | endif 13 | include $(CONFIG_ROOT)/makefile.config 14 | include makefile.rules 15 | include $(TOOLS_ROOT)/Config/makefile.default.rules 16 | 17 | ############################################################## 18 | # 19 | # DO NOT EDIT THIS FILE! 20 | # 21 | ############################################################## 22 | -------------------------------------------------------------------------------- /src/PINdemonium/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by PINdemonium.rc 4 | 5 | // Valori predefiniti successivi per i nuovi oggetti 6 | // 7 | #ifdef APSTUDIO_INVOKED 8 | #ifndef APSTUDIO_READONLY_SYMBOLS 9 | #define _APS_NEXT_RESOURCE_VALUE 101 10 | #define _APS_NEXT_COMMAND_VALUE 40001 11 | #define _APS_NEXT_CONTROL_VALUE 1001 12 | #define _APS_NEXT_SYMED_VALUE 101 13 | #endif 14 | #endif 15 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumPluginTemplate/PINdemoniumPluginTemplate.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PINdemoniumPluginTemplate", "PINdemoniumPluginTemplate\PINdemoniumPluginTemplate.vcxproj", "{6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}.Debug|Win32.Build.0 = Debug|Win32 14 | 
{6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}.Release|Win32.ActiveCfg = Release|Win32 15 | {6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumPluginTemplate/PINdemoniumPluginTemplate/Helpers.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "stdafx.h" 3 | 4 | // Helper classs that provides common API very useful when you are dealing with IAT fixing 5 | 6 | // read memory from the process specified 7 | // 8 | // hProcess : Handle of the process we want to read memory from 9 | // address : the starting reading address 10 | // size : how many bytes we want to read 11 | // dataBuffer : pointer to the destination buffer (where the read bytes will be saved) 12 | bool readMemoryFromProcess(static HANDLE hProcess, DWORD_PTR address, SIZE_T size, LPVOID dataBuffer); 13 | 14 | // write buffer to the process memory 15 | // 16 | // hProcess : Handle of the process we want to write the memory 17 | // address : the starting writing address 18 | // size : how many bytes we want to write 19 | // dataBuffer : pointer to the source buffer (it contains the bytes we want to write) 20 | bool writeMemoryToProcess(static HANDLE hProcess, DWORD_PTR address, SIZE_T size, LPVOID dataBuffer); 21 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumPluginTemplate/PINdemoniumPluginTemplate/PINdemoniumPluginTemplate.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "PINdemoniumPluginTemplate.h" 3 | #include "Helpers.h" 4 | 5 | // Entry point of the plugin 6 | // This function will be called PINdemonium 7 | void 
runPlugin(static HANDLE hProcess, PUNRESOLVED_IMPORT unresolvedImport, unsigned int eip){ 8 | 9 | //do something cool... 10 | 11 | } -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumPluginTemplate/PINdemoniumPluginTemplate/PINdemoniumPluginTemplate.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "stdafx.h" 3 | 4 | // List of the exported function 5 | 6 | // Entry point of the plugin 7 | // This function will be called PINdemonium 8 | void runPlugin(static HANDLE hProcess, PUNRESOLVED_IMPORT unresolvedImport, unsigned int eip); -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumPluginTemplate/PINdemoniumPluginTemplate/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp: definisce il punto di ingresso per l'applicazione DLL. 2 | #include "stdafx.h" 3 | 4 | BOOL APIENTRY DllMain( HMODULE hModule, 5 | DWORD ul_reason_for_call, 6 | LPVOID lpReserved 7 | ) 8 | { 9 | switch (ul_reason_for_call) 10 | { 11 | case DLL_PROCESS_ATTACH: 12 | case DLL_THREAD_ATTACH: 13 | case DLL_THREAD_DETACH: 14 | case DLL_PROCESS_DETACH: 15 | break; 16 | } 17 | return TRUE; 18 | } 19 | 20 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumPluginTemplate/PINdemoniumPluginTemplate/export.def: -------------------------------------------------------------------------------- 1 | EXPORTS 2 | runPlugin @1 3 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumPluginTemplate/PINdemoniumPluginTemplate/stdafx.cpp: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/PINdemoniumPlugins/PINdemoniumPluginTemplate/PINdemoniumPluginTemplate/stdafx.cpp -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumPluginTemplate/PINdemoniumPluginTemplate/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "targetver.h" 4 | 5 | #define WIN32_LEAN_AND_MEAN 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | 12 | 13 | // Dll header and data structures 14 | 15 | 16 | /* Important note: 17 | * 18 | * If you write a plugin for the x86 (32-Bit) edition: DWORD_PTR address has 32 bit (4 byte) 19 | * If you write a plugin for the x64 (64-Bit) edition: DWORD_PTR address has 64 bit (8 byte) 20 | */ 21 | typedef struct _UNRESOLVED_IMPORT { // Scylla Plugin exchange format 22 | DWORD_PTR ImportTableAddressPointer; //in VA, address in IAT which points to an invalid api address 23 | DWORD_PTR InvalidApiAddress; //in VA, invalid api address that needs to be resolved 24 | } UNRESOLVED_IMPORT, *PUNRESOLVED_IMPORT; -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumPluginTemplate/PINdemoniumPluginTemplate/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Includere SDKDDKVer.h per definire la piattaforma Windows maggiormente disponibile. 4 | 5 | // Se si desidera compilare l'applicazione per una piattaforma Windows precedente, includere WinSDKVer.h e 6 | // impostare la macro _WIN32_WINNT sulla piattaforma da supportare prima di includere SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/PINdemoniumPluginTemplate.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PINdemoniumPluginTemplate", "PINdemoniumPluginTemplate\PINdemoniumPluginTemplate.vcxproj", "{6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}.Debug|Win32.Build.0 = Debug|Win32 14 | {6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}.Release|Win32.ActiveCfg = Release|Win32 15 | {6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/PINdemoniumPluginTemplate/Helpers.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "stdafx.h" 3 | 4 | // Helper classs that provides common API very useful when you are dealing with IAT fixing 5 | 6 | // read memory from the process specified 7 | // 8 | // hProcess : Handle of the process we want to read memory from 9 | // address : the starting reading address 10 | // size : how many bytes we want to read 11 | // dataBuffer : pointer to the destination buffer (where the read bytes will be saved) 12 | bool readMemoryFromProcess(static 
HANDLE hProcess, DWORD_PTR address, SIZE_T size, LPVOID dataBuffer); 13 | 14 | // write buffer to the process memory 15 | // 16 | // hProcess : Handle of the process we want to write the memory 17 | // address : the starting writing address 18 | // size : how many bytes we want to write 19 | // dataBuffer : pointer to the source buffer (it contains the bytes we want to write) 20 | bool writeMemoryToProcess(static HANDLE hProcess, DWORD_PTR address, SIZE_T size, LPVOID dataBuffer); 21 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/PINdemoniumPluginTemplate/PINdemoniumStolenAPIPlugin.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "stdafx.h" 3 | 4 | // List of the exported function 5 | 6 | // Entry point of the plugin 7 | // This function will be called PINdemonium 8 | void runPlugin(static HANDLE hProcess, PUNRESOLVED_IMPORT unresolvedImport, unsigned int eip); -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/PINdemoniumPluginTemplate/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp: definisce il punto di ingresso per l'applicazione DLL. 
2 | #include "stdafx.h" 3 | 4 | BOOL APIENTRY DllMain( HMODULE hModule, 5 | DWORD ul_reason_for_call, 6 | LPVOID lpReserved 7 | ) 8 | { 9 | switch (ul_reason_for_call) 10 | { 11 | case DLL_PROCESS_ATTACH: 12 | case DLL_THREAD_ATTACH: 13 | case DLL_THREAD_DETACH: 14 | case DLL_PROCESS_DETACH: 15 | break; 16 | } 17 | return TRUE; 18 | } 19 | 20 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/PINdemoniumPluginTemplate/export.def: -------------------------------------------------------------------------------- 1 | EXPORTS 2 | runPlugin @1 3 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/PINdemoniumPluginTemplate/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/PINdemoniumPluginTemplate/stdafx.cpp -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/PINdemoniumPluginTemplate/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "targetver.h" 4 | 5 | #define WIN32_LEAN_AND_MEAN 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | 13 | 14 | // Dll header and data structures 15 | 16 | 17 | /* Important note: 18 | * 19 | * If you write a plugin for the x86 (32-Bit) edition: DWORD_PTR address has 32 bit (4 byte) 20 | * If you write a plugin for the x64 (64-Bit) edition: DWORD_PTR address has 64 bit (8 byte) 21 | */ 22 | typedef struct _UNRESOLVED_IMPORT { // Scylla Plugin exchange format 23 | DWORD_PTR ImportTableAddressPointer; //in VA, address in IAT which points to an invalid api address 24 | DWORD_PTR InvalidApiAddress; //in VA, invalid api address that needs 
to be resolved 25 | } UNRESOLVED_IMPORT, *PUNRESOLVED_IMPORT; -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/PINdemoniumPluginTemplate/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Includere SDKDDKVer.h per definire la piattaforma Windows maggiormente disponibile. 4 | 5 | // Se si desidera compilare l'applicazione per una piattaforma Windows precedente, includere WinSDKVer.h e 6 | // impostare la macro _WIN32_WINNT sulla piattaforma da supportare prima di includere SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/libdasm-1.5/LIB.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | How to compile DLL in MSVC environment 4 | ====================================== 5 | 6 | 1. Compile with 'nmake -f Makefile.msvc' 7 | 8 | 2. Copy libdasm.dll to system directory 9 | 10 | 3. Copy libdasm.lib to your LIB path 11 | 12 | 4. Copy libdasm.h to your INCLUDE path 13 | 14 | Prebuilt copy of libdasm (MSVC6) is included in bin directory. 15 | 16 | 17 | How to compile library in Unix environment 18 | ========================================== 19 | 20 | 1. Edit Makefile. You may want to check out variables CC 21 | and the installation path PREFIX. If you plan to use dynamic 22 | library (libdasm.so), you may need to add /usr/local/lib 23 | (or whatever you defined as PREFIX) in the linker cache path. 24 | This is usually in /etc/ld.so.conf on Linux systems. 25 | 26 | 2. Compile with 'make' 27 | 28 | 3. Install with 'make install' 29 | 30 | 4. 
Rebuild your linker cache (or reboot) 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/libdasm-1.5/Makefile: -------------------------------------------------------------------------------- 1 | 2 | # 3 | # makefile for compiling libdasm and examples 4 | # 5 | 6 | CC = gcc 7 | CFLAGS = -Wall -O3 -fPIC 8 | PREFIX = /usr/local 9 | 10 | 11 | all: libdasm.o 12 | $(CC) $(CFLAGS) -shared -o libdasm.so libdasm.c 13 | ar rc libdasm.a libdasm.o && ranlib libdasm.a 14 | cd examples && make 15 | 16 | install: 17 | cp libdasm.h $(PREFIX)/include/ 18 | cp libdasm.a $(PREFIX)/lib/ 19 | cp libdasm.so $(PREFIX)/lib/ 20 | cp libdasm.so $(PREFIX)/lib/libdasm.so.1.0 21 | 22 | uninstall: 23 | rm -f $(PREFIX)/include/libdasm.h 24 | rm -f $(PREFIX)/lib/libdasm.a 25 | rm -f $(PREFIX)/lib/libdasm.so.1.0 $(PREFIX)/lib/libdasm.so 26 | 27 | clean: 28 | rm -f libdasm.o libdasm.so libdasm.a 29 | cd examples && make clean 30 | 31 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/libdasm-1.5/Makefile.msvc: -------------------------------------------------------------------------------- 1 | 2 | # 3 | # Simple makefile for MSVC 4 | # 5 | 6 | CC = cl 7 | CFLAGS = /Ob1 /LD /DEF libdasm.def 8 | 9 | libdasm: 10 | $(CC) $(CFLAGS) libdasm.c 11 | 12 | clean: 13 | rm -f libdasm.obj libdasm.dll libdasm.lib libdasm.exp 14 | 15 | 16 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/libdasm-1.5/TODO.txt: -------------------------------------------------------------------------------- 1 | 2 | Fix or add the following shit: 3 | ============================== 4 | 5 | - Add all missing undocumented opcodes 6 | 7 | - Support for other platforms 8 | 9 | - Fix all other bugs :-) 10 | 11 | 
-------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/libdasm-1.5/examples/Makefile: -------------------------------------------------------------------------------- 1 | 2 | # 3 | # Makefile for example programs 4 | # Requires libdasm static lib (libdasm.a) 5 | # 6 | 7 | CC = gcc 8 | CFLAGS = -Wall -O3 9 | 10 | all: das simple 11 | 12 | das: das.o 13 | $(CC) $(CFLAGS) -o das das.o ../libdasm.a 14 | simple: simple.o 15 | $(CC) $(CFLAGS) -o simple simple.o ../libdasm.a 16 | clean: 17 | rm -f das simple *.o 18 | 19 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/libdasm-1.5/examples/README.txt: -------------------------------------------------------------------------------- 1 | 2 | libdasm examples 3 | ================ 4 | 5 | In this directory, there should be files Makefile, das.c, and 6 | simple.c. simple.c is a very basic example disassembler which 7 | basically just disassembles and prints out one instruction. das.c 8 | is more complex example which can be used for disassembling a 9 | file with some formatting options. On unix systems, you can use 10 | supplied Makefile for compiling these examples. 11 | 12 | Have fun! 13 | 14 | 15 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/libdasm-1.5/examples/simple.c: -------------------------------------------------------------------------------- 1 | /* 2 | * simple.c -- very simple 32-bit example disassembler program 3 | * (c) 2004 jt / nologin.org 4 | * 5 | * How to compile in MSVC environment: 6 | * cl das.c ../libdasm.c 7 | * 8 | * In Unix environment, use the supplied Makefile 9 | * 10 | * 11 | * Check out "das.c" for more featured example. 
12 | * 13 | */ 14 | 15 | #include 16 | #include 17 | #include 18 | 19 | // step 0: include libdasm 20 | #include "../libdasm.h" 21 | 22 | 23 | // disassembled data buffer 24 | unsigned char data[] = "\x01\x02"; 25 | 26 | int main() { 27 | // step 1: declare struct INSTRUCTION 28 | INSTRUCTION inst; 29 | char string[256]; 30 | 31 | // step 2: fetch instruction 32 | get_instruction(&inst, data, MODE_32); 33 | 34 | // step 3: print it 35 | get_instruction_string(&inst, FORMAT_ATT, 0, string, sizeof(string)); 36 | printf("%s\n", string); 37 | 38 | return 0; 39 | } 40 | 41 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/libdasm-1.5/libdasm.def: -------------------------------------------------------------------------------- 1 | 2 | LIBRARY libdasm 3 | EXPORTS 4 | get_instruction 5 | get_instruction_string 6 | get_mnemonic_string 7 | get_operand_string 8 | get_operands_string 9 | get_register_type 10 | get_operand_type 11 | get_operand_register 12 | get_operand_basereg 13 | get_operand_indexreg 14 | get_operand_scale 15 | get_operand_immediate 16 | get_operand_displacement 17 | get_source_operand 18 | get_destination_operand 19 | 20 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/libdasm-1.5/pydasm/setup.py: -------------------------------------------------------------------------------- 1 | 2 | import os 3 | from distutils.core import setup, Extension 4 | from distutils.sysconfig import get_python_inc 5 | 6 | incdir = os.path.join(get_python_inc(plat_specific=1)) 7 | 8 | module = Extension('pydasm', 9 | include_dirs = [incdir], 10 | libraries = [], 11 | library_dirs = [], 12 | sources = ['../libdasm.c', 'pydasm.c']) 13 | 14 | setup(name = 'pydasm', 15 | version = '1.5', 16 | description = 'Python module wrapping libdasm', 17 | author = 'Ero Carrera', 18 | author_email = 'ero@dkbza.org', 19 | 
ext_modules = [module]) 20 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/PINdemoniumStolenAPIPlugin/libdasm-1.5/rbdasm/extconf.rb: -------------------------------------------------------------------------------- 1 | require 'mkmf' 2 | create_makefile('dasm') 3 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/PINdemoniumPluginTemplate/Helpers.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "stdafx.h" 3 | 4 | // Helper classs that provides common API very useful when you are dealing with IAT fixing 5 | 6 | // read memory from the process specified 7 | // 8 | // hProcess : Handle of the process we want to read memory from 9 | // address : the starting reading address 10 | // size : how many bytes we want to read 11 | // dataBuffer : pointer to the destination buffer (where the read bytes will be saved) 12 | bool readMemoryFromProcess(static HANDLE hProcess, DWORD_PTR address, SIZE_T size, LPVOID dataBuffer); 13 | 14 | // write buffer to the process memory 15 | // 16 | // hProcess : Handle of the process we want to write the memory 17 | // address : the starting writing address 18 | // size : how many bytes we want to write 19 | // dataBuffer : pointer to the source buffer (it contains the bytes we want to write) 20 | bool writeMemoryToProcess(static HANDLE hProcess, DWORD_PTR address, SIZE_T size, LPVOID dataBuffer); 21 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/PINdemoniumPluginTemplate/PINdemoniumPluginTemplate.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "stdafx.h" 3 | 4 | // List of the exported function 5 | 6 | // Entry point of the plugin 7 | // This function will be called PINdemonium 8 | void 
runPlugin(static HANDLE hProcess, PUNRESOLVED_IMPORT unresolvedImport, unsigned int eip); -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/PINdemoniumPluginTemplate/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp: definisce il punto di ingresso per l'applicazione DLL. 2 | #include "stdafx.h" 3 | 4 | BOOL APIENTRY DllMain( HMODULE hModule, 5 | DWORD ul_reason_for_call, 6 | LPVOID lpReserved 7 | ) 8 | { 9 | switch (ul_reason_for_call) 10 | { 11 | case DLL_PROCESS_ATTACH: 12 | case DLL_THREAD_ATTACH: 13 | case DLL_THREAD_DETACH: 14 | case DLL_PROCESS_DETACH: 15 | break; 16 | } 17 | return TRUE; 18 | } 19 | 20 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/PINdemoniumPluginTemplate/export.def: -------------------------------------------------------------------------------- 1 | EXPORTS 2 | runPlugin @1 3 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/PINdemoniumPluginTemplate/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/PINdemoniumPluginTemplate/stdafx.cpp -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/PINdemoniumPluginTemplate/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "targetver.h" 4 | 5 | #define WIN32_LEAN_AND_MEAN 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | 12 | 13 | // Dll header and data structures 14 | 15 | 16 | /* Important note: 17 | * 18 | * If you write a plugin for the x86 (32-Bit) 
edition: DWORD_PTR address has 32 bit (4 byte) 19 | * If you write a plugin for the x64 (64-Bit) edition: DWORD_PTR address has 64 bit (8 byte) 20 | */ 21 | typedef struct _UNRESOLVED_IMPORT { // Scylla Plugin exchange format 22 | DWORD_PTR ImportTableAddressPointer; //in VA, address in IAT which points to an invalid api address 23 | DWORD_PTR InvalidApiAddress; //in VA, invalid api address that needs to be resolved 24 | } UNRESOLVED_IMPORT, *PUNRESOLVED_IMPORT; -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/PINdemoniumPluginTemplate/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Includere SDKDDKVer.h per definire la piattaforma Windows maggiormente disponibile. 4 | 5 | // Se si desidera compilare l'applicazione per una piattaforma Windows precedente, includere WinSDKVer.h e 6 | // impostare la macro _WIN32_WINNT sulla piattaforma da supportare prima di includere SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/SimpleApiRedirection.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/SimpleApiRedirection.dll -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/SimpleApiRedirection.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PINdemoniumPluginTemplate", "PINdemoniumPluginTemplate\PINdemoniumPluginTemplate.vcxproj", "{6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}.Debug|Win32.Build.0 = Debug|Win32 14 | {6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}.Release|Win32.ActiveCfg = Release|Win32 15 | {6FDB6882-5F29-43B6-921D-A9AE69B5B8ED}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/libdasm-1.5/LIB.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | How to compile DLL in MSVC environment 4 | ====================================== 5 | 6 | 1. 
Compile with 'nmake -f Makefile.msvc' 7 | 8 | 2. Copy libdasm.dll to system directory 9 | 10 | 3. Copy libdasm.lib to your LIB path 11 | 12 | 4. Copy libdasm.h to your INCLUDE path 13 | 14 | Prebuilt copy of libdasm (MSVC6) is included in bin directory. 15 | 16 | 17 | How to compile library in Unix environment 18 | ========================================== 19 | 20 | 1. Edit Makefile. You may want to check out variables CC 21 | and the installation path PREFIX. If you plan to use dynamic 22 | library (libdasm.so), you may need to add /usr/local/lib 23 | (or whatever you defined as PREFIX) in the linker cache path. 24 | This is usually in /etc/ld.so.conf on Linux systems. 25 | 26 | 2. Compile with 'make' 27 | 28 | 3. Install with 'make install' 29 | 30 | 4. Rebuild your linker cache (or reboot) 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/libdasm-1.5/Makefile: -------------------------------------------------------------------------------- 1 | 2 | # 3 | # makefile for compiling libdasm and examples 4 | # 5 | 6 | CC = gcc 7 | CFLAGS = -Wall -O3 -fPIC 8 | PREFIX = /usr/local 9 | 10 | 11 | all: libdasm.o 12 | $(CC) $(CFLAGS) -shared -o libdasm.so libdasm.c 13 | ar rc libdasm.a libdasm.o && ranlib libdasm.a 14 | cd examples && make 15 | 16 | install: 17 | cp libdasm.h $(PREFIX)/include/ 18 | cp libdasm.a $(PREFIX)/lib/ 19 | cp libdasm.so $(PREFIX)/lib/ 20 | cp libdasm.so $(PREFIX)/lib/libdasm.so.1.0 21 | 22 | uninstall: 23 | rm -f $(PREFIX)/include/libdasm.h 24 | rm -f $(PREFIX)/lib/libdasm.a 25 | rm -f $(PREFIX)/lib/libdasm.so.1.0 $(PREFIX)/lib/libdasm.so 26 | 27 | clean: 28 | rm -f libdasm.o libdasm.so libdasm.a 29 | cd examples && make clean 30 | 31 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/libdasm-1.5/Makefile.msvc: 
-------------------------------------------------------------------------------- 1 | 2 | # 3 | # Simple makefile for MSVC 4 | # 5 | 6 | CC = cl 7 | CFLAGS = /Ob1 /LD /DEF libdasm.def 8 | 9 | libdasm: 10 | $(CC) $(CFLAGS) libdasm.c 11 | 12 | clean: 13 | rm -f libdasm.obj libdasm.dll libdasm.lib libdasm.exp 14 | 15 | 16 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/libdasm-1.5/TODO.txt: -------------------------------------------------------------------------------- 1 | 2 | Fix or add the following shit: 3 | ============================== 4 | 5 | - Add all missing undocumented opcodes 6 | 7 | - Support for other platforms 8 | 9 | - Fix all other bugs :-) 10 | 11 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/libdasm-1.5/examples/Makefile: -------------------------------------------------------------------------------- 1 | 2 | # 3 | # Makefile for example programs 4 | # Requires libdasm static lib (libdasm.a) 5 | # 6 | 7 | CC = gcc 8 | CFLAGS = -Wall -O3 9 | 10 | all: das simple 11 | 12 | das: das.o 13 | $(CC) $(CFLAGS) -o das das.o ../libdasm.a 14 | simple: simple.o 15 | $(CC) $(CFLAGS) -o simple simple.o ../libdasm.a 16 | clean: 17 | rm -f das simple *.o 18 | 19 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/libdasm-1.5/examples/README.txt: -------------------------------------------------------------------------------- 1 | 2 | libdasm examples 3 | ================ 4 | 5 | In this directory, there should be files Makefile, das.c, and 6 | simple.c. simple.c is a very basic example disassembler which 7 | basically just disassembles and prints out one instruction. das.c 8 | is more complex example which can be used for disassembling a 9 | file with some formatting options. 
On unix systems, you can use 10 | supplied Makefile for compiling these examples. 11 | 12 | Have fun! 13 | 14 | 15 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/libdasm-1.5/examples/simple.c: -------------------------------------------------------------------------------- 1 | /* 2 | * simple.c -- very simple 32-bit example disassembler program 3 | * (c) 2004 jt / nologin.org 4 | * 5 | * How to compile in MSVC environment: 6 | * cl das.c ../libdasm.c 7 | * 8 | * In Unix environment, use the supplied Makefile 9 | * 10 | * 11 | * Check out "das.c" for more featured example. 12 | * 13 | */ 14 | 15 | #include 16 | #include 17 | #include 18 | 19 | // step 0: include libdasm 20 | #include "../libdasm.h" 21 | 22 | 23 | // disassembled data buffer 24 | unsigned char data[] = "\x01\x02"; 25 | 26 | int main() { 27 | // step 1: declare struct INSTRUCTION 28 | INSTRUCTION inst; 29 | char string[256]; 30 | 31 | // step 2: fetch instruction 32 | get_instruction(&inst, data, MODE_32); 33 | 34 | // step 3: print it 35 | get_instruction_string(&inst, FORMAT_ATT, 0, string, sizeof(string)); 36 | printf("%s\n", string); 37 | 38 | return 0; 39 | } 40 | 41 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/libdasm-1.5/libdasm.def: -------------------------------------------------------------------------------- 1 | 2 | LIBRARY libdasm 3 | EXPORTS 4 | get_instruction 5 | get_instruction_string 6 | get_mnemonic_string 7 | get_operand_string 8 | get_operands_string 9 | get_register_type 10 | get_operand_type 11 | get_operand_register 12 | get_operand_basereg 13 | get_operand_indexreg 14 | get_operand_scale 15 | get_operand_immediate 16 | get_operand_displacement 17 | get_source_operand 18 | get_destination_operand 19 | 20 | -------------------------------------------------------------------------------- 
/src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/libdasm-1.5/pydasm/setup.py: -------------------------------------------------------------------------------- 1 | 2 | import os 3 | from distutils.core import setup, Extension 4 | from distutils.sysconfig import get_python_inc 5 | 6 | incdir = os.path.join(get_python_inc(plat_specific=1)) 7 | 8 | module = Extension('pydasm', 9 | include_dirs = [incdir], 10 | libraries = [], 11 | library_dirs = [], 12 | sources = ['../libdasm.c', 'pydasm.c']) 13 | 14 | setup(name = 'pydasm', 15 | version = '1.5', 16 | description = 'Python module wrapping libdasm', 17 | author = 'Ero Carrera', 18 | author_email = 'ero@dkbza.org', 19 | ext_modules = [module]) 20 | -------------------------------------------------------------------------------- /src/PINdemoniumPlugins/SimpleApiRedirectionPlugin/libdasm-1.5/rbdasm/extconf.rb: -------------------------------------------------------------------------------- 1 | require 'mkmf' 2 | create_makefile('dasm') 3 | -------------------------------------------------------------------------------- /src/PINdemoniumReport/.babelrc: -------------------------------------------------------------------------------- 1 | { 2 | "presets": ["es2015", "react"] 3 | } -------------------------------------------------------------------------------- /src/PINdemoniumReport/.bowerrc: -------------------------------------------------------------------------------- 1 | { 2 | "directory": "compiled/static/vendor" 3 | } 4 | -------------------------------------------------------------------------------- /src/PINdemoniumReport/README.md: -------------------------------------------------------------------------------- 1 | # PINdemonium report 2 | 3 | This project is the skeleton of the analysis report visualizer made for PINdemonium. 
4 | 5 | ## Setup Dev environment 6 | 7 | 8 | * Install nodejs and npm (Be sure that your version of nodejs and npm are up to date) 9 | 10 | 11 | * Go to the root of the project (PINdemonium/PINdemoniumReport) 12 | 13 | 14 | * Install node dependencies 15 | ```bash 16 | npm install 17 | ``` 18 | 19 | 20 | * Compile the react app 21 | ```bash 22 | npm run build 23 | ``` 24 | 25 | 26 | * Open in the browser the file "compiled/index.html" 27 | 28 | 29 | If you want the live reloading of the react application launch the webpack watchpoint in another terminal with: 30 | ```bash 31 | npm run dev 32 | ``` 33 | 34 | 35 | -------------------------------------------------------------------------------- /src/PINdemoniumReport/bower.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "PINdemoniumReport", 3 | "description": "", 4 | "main": "report_builder.js", 5 | "authors": [ 6 | "Sebastiano Mariani" 7 | ], 8 | "license": "ISC", 9 | "homepage": "https://github.com/seba0691/PINdemonium", 10 | "ignore": [ 11 | "**/.*", 12 | "node_modules", 13 | "bower_components", 14 | "compiled/static/vendor", 15 | "test", 16 | "tests" 17 | ], 18 | "dependencies": { 19 | "bootstrap": "^3.3.6" 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /src/PINdemoniumReport/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "PINdemoniumReport", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "scripts": { 7 | "dev": "webpack -d --watch", 8 | "build": "webpack -d" 9 | }, 10 | "author": "Sebastiano Mariani", 11 | "license": "ISC", 12 | "dependencies": { 13 | "babel-core": "^6.7.6", 14 | "babel-loader": "^6.2.4", 15 | "babel-preset-es2015": "^6.6.0", 16 | "babel-preset-react": "^6.5.0", 17 | "react": "^15.0.1", 18 | "react-bootstrap": "^0.29.5", 19 | "react-dom": "^15.0.1", 20 | "webpack": "^1.13.0" 21 | } 22 | } 23 | 
-------------------------------------------------------------------------------- /src/PINdemoniumReport/webpack.config.js: -------------------------------------------------------------------------------- 1 | var webpack = require('webpack'); 2 | var path = require('path'); 3 | 4 | // where the compiled files will reside 5 | var BUILD_DIR = path.resolve(__dirname, 'compiled/static/js'); 6 | // where the src files that have to be compiled reside 7 | var APP_DIR = path.resolve(__dirname, 'app/src'); 8 | 9 | var config = { 10 | // main of the application 11 | entry: APP_DIR + '/app.jsx', 12 | // after the build phase place the compiled file 'report_builder.js' in the output dir 13 | output: { 14 | path: BUILD_DIR, 15 | filename: 'report_builder.js' 16 | }, 17 | // tell to webpack to use babel as converter in order to convert from ES6 to ES5 18 | module: { 19 | loaders: [ 20 | { 21 | // "test" is commonly used to match the file extension 22 | test: /\.jsx$/, 23 | 24 | // "include" is commonly used to match the directories 25 | include: [ 26 | APP_DIR 27 | ], 28 | 29 | // "exclude" should be used to exclude exceptions 30 | // try to prefer "include" when possible 31 | // the "loader" 32 | loader: "babel" 33 | } 34 | ] 35 | } 36 | }; 37 | 38 | module.exports = config; -------------------------------------------------------------------------------- /src/Scylla/.gitignore: -------------------------------------------------------------------------------- 1 | #generic files/directories to ignore 2 | Win32/ 3 | x64/ 4 | ipch/ 5 | *.opensdf 6 | *.sdf 7 | *.aps 8 | *.suo 9 | Scylla.vcxproj.user 10 | 11 | #tinyxml ignore + exceptions 12 | tinyxml/* 13 | !tinyxml/README 14 | !tinyxml/tinyxml.vcxproj* 15 | 16 | #WTL ignore + exceptions 17 | WTL/* 18 | !WTL/README -------------------------------------------------------------------------------- /src/Scylla/COMPILING: -------------------------------------------------------------------------------- 1 | To compile Scylla you need to have 
VS2008 installed. 2 | In addition to that you need source codes for the following libraries: 3 | diStorm 4 | tinyxml 5 | WTL 6 | 7 | See the corresponding README files for installation instructions. -------------------------------------------------------------------------------- /src/Scylla/Plugins/ImpRec_Plugins/Imprec_Wrapper_DLL.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Plugins/ImpRec_Plugins/Imprec_Wrapper_DLL.dll -------------------------------------------------------------------------------- /src/Scylla/Plugins/ImpRec_Plugins/PECompact 2.7.x.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Plugins/ImpRec_Plugins/PECompact 2.7.x.dll -------------------------------------------------------------------------------- /src/Scylla/Plugins/PECompact.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Plugins/PECompact.dll -------------------------------------------------------------------------------- /src/Scylla/Plugins/PESpin_x64_v1.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Plugins/PESpin_x64_v1.dll -------------------------------------------------------------------------------- /src/Scylla/Plugins/ScyllaPlugins.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ScyllaPlugins", "ScyllaPlugins.vcxproj", 
"{64D0A170-2AAB-14E2-D792-3EB175D03D67}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {64D0A170-2AAB-14E2-D792-3EB175D03D67}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {64D0A170-2AAB-14E2-D792-3EB175D03D67}.Debug|Win32.Build.0 = Debug|Win32 14 | {64D0A170-2AAB-14E2-D792-3EB175D03D67}.Release|Win32.ActiveCfg = Release|Win32 15 | {64D0A170-2AAB-14E2-D792-3EB175D03D67}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /src/Scylla/Plugins/Sources/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 
3 | // Used by ScyllaPlugins.rc 4 | 5 | // Valori predefiniti successivi per i nuovi oggetti 6 | // 7 | #ifdef APSTUDIO_INVOKED 8 | #ifndef APSTUDIO_READONLY_SYMBOLS 9 | #define _APS_NEXT_RESOURCE_VALUE 101 10 | #define _APS_NEXT_COMMAND_VALUE 40001 11 | #define _APS_NEXT_CONTROL_VALUE 1001 12 | #define _APS_NEXT_SYMED_VALUE 101 13 | #endif 14 | #endif 15 | -------------------------------------------------------------------------------- /src/Scylla/Plugins/Sources/scyllatoimprectree.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Plugins/Sources/scyllatoimprectree.rar -------------------------------------------------------------------------------- /src/Scylla/Scylla v0.9.7c/Plugins/ImpRec_Plugins/Imprec_Wrapper_DLL.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla v0.9.7c/Plugins/ImpRec_Plugins/Imprec_Wrapper_DLL.dll -------------------------------------------------------------------------------- /src/Scylla/Scylla v0.9.7c/Plugins/ImpRec_Plugins/PECompact 2.7.x.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla v0.9.7c/Plugins/ImpRec_Plugins/PECompact 2.7.x.dll -------------------------------------------------------------------------------- /src/Scylla/Scylla v0.9.7c/Plugins/PECompact.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla v0.9.7c/Plugins/PECompact.dll -------------------------------------------------------------------------------- /src/Scylla/Scylla v0.9.7c/Plugins/PESpin_x64_v1.dll: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla v0.9.7c/Plugins/PESpin_x64_v1.dll -------------------------------------------------------------------------------- /src/Scylla/Scylla v0.9.7c/Plugins/Sources/scyllatoimprectree.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla v0.9.7c/Plugins/Sources/scyllatoimprectree.rar -------------------------------------------------------------------------------- /src/Scylla/Scylla v0.9.7c/Plugins/StolenApiPlugin.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla v0.9.7c/Plugins/StolenApiPlugin.dll -------------------------------------------------------------------------------- /src/Scylla/Scylla v0.9.7c/Plugins/StolenApiPlugin.exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla v0.9.7c/Plugins/StolenApiPlugin.exp -------------------------------------------------------------------------------- /src/Scylla/Scylla v0.9.7c/Scylla.ini: -------------------------------------------------------------------------------- 1 | [SCYLLA_CONFIG] 2 | USE_PE_HEADER_FROM_DISK=1 3 | DEBUG_PRIVILEGE=1 4 | VALIDATE_PE=1 5 | DLL_INJECTION_AUTO_UNLOAD=0 6 | CREATE_BACKUP=1 7 | IAT_SECTION_NAME=.SCY 8 | UPDATE_HEADER_CHECKSUM=1 9 | REMOVE_DOS_HEADER_STUB=1 10 | IAT_FIX_AND_OEP_FIX=1 11 | SUSPEND_PROCESS_FOR_DUMPING=0 12 | OriginalFirstThunk_SUPPORT=1 13 | 14 | USE_ADVANCED_IAT_SEARCH=1 15 | SCAN_DIRECT_IMPORTS=1 16 | FIX_DIRECT_IMPORTS=0 17 | CREATE_NEW_IAT_IN_SECTION=0 18 | 
FIX_DIRECT_IMPORTS_NORMAL=0 19 | FIX_DIRECT_IMPORTS_UNIVERSAL=1 20 | -------------------------------------------------------------------------------- /src/Scylla/Scylla v0.9.7c/Scylla_x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla v0.9.7c/Scylla_x64.dll -------------------------------------------------------------------------------- /src/Scylla/Scylla/Architecture.cpp: -------------------------------------------------------------------------------- 1 | #include "Architecture.h" 2 | 3 | /* 4 | #ifdef _WIN64 5 | 6 | const WCHAR Architecture::NAME[] = L"x64"; 7 | 8 | const WCHAR Architecture::PRINTF_DWORD_PTR[] = L"%I64X"; 9 | const WCHAR Architecture::PRINTF_DWORD_PTR_FULL[] = L"%016I64X"; 10 | const WCHAR Architecture::PRINTF_DWORD_PTR_HALF[] = L"%08I64X"; 11 | const WCHAR Architecture::PRINTF_INTEGER[] = L"%I64u"; 12 | 13 | #else 14 | 15 | const WCHAR Architecture::NAME[] = L"x86"; 16 | 17 | const WCHAR Architecture::PRINTF_DWORD_PTR[] = L"%X"; 18 | const WCHAR Architecture::PRINTF_DWORD_PTR_FULL[] = L"%08X"; 19 | const WCHAR Architecture::PRINTF_DWORD_PTR_HALF[] = L"%08X"; 20 | const WCHAR Architecture::PRINTF_INTEGER[] = L"%u"; 21 | 22 | #endif 23 | */ 24 | -------------------------------------------------------------------------------- /src/Scylla/Scylla/Architecture.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #ifdef _WIN64 6 | 7 | #define ARCHITECTURE_S "x64" 8 | #define PRINTF_DWORD_PTR_S "%I64X" 9 | #define PRINTF_DWORD_PTR_FULL_S "%016I64X" 10 | #define PRINTF_DWORD_PTR_HALF_S "%08I64X" 11 | #define PRINTF_INTEGER_S "%I64u" 12 | 13 | #else 14 | 15 | #define ARCHITECTURE_S "x86" 16 | #define PRINTF_DWORD_PTR_S "%X" 17 | #define PRINTF_DWORD_PTR_FULL_S "%08X" 18 | #define PRINTF_DWORD_PTR_HALF_S "%08X" 19 | #define PRINTF_INTEGER_S 
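"%u"

#endif

#define ARCHITECTURE TEXT(ARCHITECTURE_S)
#define PRINTF_DWORD_PTR TEXT(PRINTF_DWORD_PTR_S)
#define PRINTF_DWORD_PTR_FULL TEXT(PRINTF_DWORD_PTR_FULL_S)
#define PRINTF_DWORD_PTR_HALF TEXT(PRINTF_DWORD_PTR_HALF_S)
#define PRINTF_INTEGER TEXT(PRINTF_INTEGER_S)
--------------------------------------------------------------------------------
/src/Scylla/Scylla/Configuration.cpp:
--------------------------------------------------------------------------------
#include "Configuration.h"

// Construct an entry for the key `name` of the given Type, with an empty value.
//
// `name` must be shorter than CONFIG_NAME_LENGTH WCHARs. The keys appear to be
// program-defined constants (Scylla.cpp indexes the holder as
// config[DEBUG_PRIVILEGE]) rather than text read from Scylla.ini, so the
// non-truncating wcscpy_s is kept on purpose: an overlong key is a programming
// error, and silently truncating it could turn it into a different key.
Configuration::Configuration(const WCHAR* name, Type type)
{
    wcscpy_s(this->name, name);
    this->type = type;
    valueNumeric = 0;
    valueString[0] = L'\0';
}

// Key this entry was created with.
const WCHAR* Configuration::getName() const
{
    return name;
}

// How the value is interpreted (String, Decimal, Hexadecimal or Boolean).
Configuration::Type Configuration::getType() const
{
    return type;
}

// Numeric value; 0 until setNumeric/setBool is called.
DWORD_PTR Configuration::getNumeric() const
{
    return valueNumeric;
}

void Configuration::setNumeric(DWORD_PTR value)
{
    valueNumeric = value;
}

// String value; always NUL-terminated, at most CONFIG_STRING_LENGTH-1 WCHARs.
const WCHAR* Configuration::getString() const
{
    return valueString;
}

// Store a string value, truncating it to CONFIG_STRING_LENGTH-1 WCHARs.
//
// Values come from Scylla.ini, i.e. from outside the program, so they may be
// arbitrarily long. The old call passed _countof(valueString) as the count; for
// the secure CRT that does not mean "copy at most N": whenever the source is
// >= N characters the copy cannot fit together with its terminator, wcsncpy_s
// treats that as an error, and the invalid-parameter handler (process
// termination by default) runs instead of a truncation. _TRUNCATE requests the
// bounded, NUL-terminated copy. A NULL str stores the empty string rather than
// being handed to wcsncpy_s, which rejects it the same way.
void Configuration::setString(const WCHAR* str)
{
    if (str == NULL)
    {
        valueString[0] = L'\0';
        return;
    }
    wcsncpy_s(valueString, str, _TRUNCATE);
}

// True only when the numeric value is exactly 1; any other value, including
// other non-zero numbers, reads as false.
bool Configuration::getBool() const
{
    return getNumeric() == 1;
}

void Configuration::setBool(bool flag)
{
    setNumeric(flag ? 1 : 0);
}

// Convenience aliases for getBool/setBool, kept for readability at call sites.
bool Configuration::isTrue() const
{
    return getBool();
}

void Configuration::setTrue()
{
    setBool(true);
}

void Configuration::setFalse()
{
    setBool(false);
}
--------------------------------------------------------------------------------
/src/Scylla/Scylla/Configuration.h:
--------------------------------------------------------------------------------
#pragma once

#include

// One named setting of the Scylla configuration (the holder loads them from
// Scylla.ini). Each entry carries both a numeric and a string slot; `type`
// says which one is meaningful for that key.
class Configuration
{
public:

    // How the textual value of the key is interpreted when it is parsed.
    enum Type {
        String,
        Decimal,
        Hexadecimal,
        Boolean
    };

    // Fixed buffer sizes in WCHARs, terminator included. Keys must be shorter
    // than CONFIG_NAME_LENGTH; string values longer than CONFIG_STRING_LENGTH-1
    // are truncated by setString.
    static const size_t CONFIG_NAME_LENGTH = 100;
    static const size_t CONFIG_STRING_LENGTH = 100;

    Configuration(const WCHAR* name = L"", Type type = String);

    const WCHAR* getName() const;
    Type getType() const;

    DWORD_PTR getNumeric() const;
    void setNumeric(DWORD_PTR value);

    // setString truncates; getString always returns a NUL-terminated buffer.
    const WCHAR* getString() const;
    void setString(const WCHAR* str);

    // getBool is true only for the exact numeric value 1.
    bool getBool() const;
    void setBool(bool flag);

    // Redundant (we have getBool and setBool), but easier on the eye
    bool isTrue() const;
    void setTrue();
    void setFalse();

private:

    WCHAR name[CONFIG_NAME_LENGTH];
    Type type;

    DWORD_PTR valueNumeric;
    WCHAR valueString[CONFIG_STRING_LENGTH];
};
--------------------------------------------------------------------------------
/src/Scylla/Scylla/DeviceNameResolver.h:
--------------------------------------------------------------------------------
#include


#pragma once

#include
#include
#include

class HardDisk {
public:
    TCHAR shortName[3];
    TCHAR longName[MAX_PATH];
    size_t longNameLength;
};

class DeviceNameResolver
{
public:
    DeviceNameResolver();
    ~DeviceNameResolver();
    bool resolveDeviceLongNameToShort(const TCHAR * sourcePath, TCHAR *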
targetPath); 23 | private: 24 | std::vector deviceNameList; 25 | 26 | void initDeviceNameList(); 27 | void fixVirtualDevices(); 28 | }; 29 | 30 | -------------------------------------------------------------------------------- /src/Scylla/Scylla/DllInjection.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | class DllInjection 6 | { 7 | public: 8 | 9 | HMODULE dllInjection(HANDLE hProcess, const WCHAR * filename); 10 | bool unloadDllInProcess(HANDLE hProcess, HMODULE hModule); 11 | HANDLE startRemoteThread(HANDLE hProcess, LPVOID lpStartAddress, LPVOID lpParameter); 12 | 13 | private: 14 | 15 | HANDLE customCreateRemoteThread(HANDLE hProcess, LPVOID lpStartAddress, LPVOID lpParameter); 16 | void specialThreadSettings(HANDLE hThread); 17 | HMODULE getModuleHandleByFilename(HANDLE hProcess, const WCHAR * filename); 18 | }; 19 | -------------------------------------------------------------------------------- /src/Scylla/Scylla/DonateGui.cpp: -------------------------------------------------------------------------------- 1 | #include "DonateGui.h" 2 | 3 | #include "Scylla.h" 4 | #include "Architecture.h" 5 | 6 | const WCHAR DonateGui::TEXT_DONATE[] = L"If you like this tool, please feel free to donate some Bitcoins to support this project.\n\n\nBTC Address:\n\n" TEXT(DONATE_BTC_ADDRESS); 7 | 8 | 9 | BOOL DonateGui::OnInitDialog(CWindow wndFocus, LPARAM lInitParam) 10 | { 11 | DoDataExchange(); // attach controls 12 | 13 | DonateInfo.SetWindowText(TEXT_DONATE); 14 | 15 | CenterWindow(); 16 | 17 | // Set focus to button 18 | GotoDlgCtrl(GetDlgItem(IDC_BUTTON_COPYBTC)); 19 | return FALSE; 20 | } 21 | 22 | void DonateGui::OnClose() 23 | { 24 | EndDialog(0); 25 | } 26 | 27 | void DonateGui::OnExit(UINT uNotifyCode, int nID, CWindow wndCtl) 28 | { 29 | SendMessage(WM_CLOSE); 30 | } 31 | 32 | void DonateGui::CopyBtcAddress(UINT uNotifyCode, int nID, CWindow wndCtl) 33 | { 34 | if(OpenClipboard()) 35 | 
{ 36 | EmptyClipboard(); 37 | size_t len = strlen(DONATE_BTC_ADDRESS); 38 | HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, (len + 1) * sizeof(CHAR)); 39 | if(hMem) 40 | { 41 | strcpy_s(static_cast(GlobalLock(hMem)), len + 1, DONATE_BTC_ADDRESS); 42 | GlobalUnlock(hMem); 43 | if(!SetClipboardData(CF_TEXT, hMem)) 44 | { 45 | GlobalFree(hMem); 46 | } 47 | } 48 | CloseClipboard(); 49 | } 50 | } -------------------------------------------------------------------------------- /src/Scylla/Scylla/Logger.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | class Logger 6 | { 7 | public: 8 | 9 | virtual void log(const WCHAR * format, ...); 10 | virtual void log(const CHAR * format, ...); 11 | 12 | protected: 13 | 14 | virtual void write(const WCHAR * str) = 0; 15 | virtual void write(const CHAR * str); 16 | }; 17 | 18 | class FileLog : public Logger 19 | { 20 | public: 21 | 22 | FileLog(const WCHAR * fileName); 23 | 24 | private: 25 | 26 | void write(const WCHAR * str); 27 | void write(const CHAR * str); 28 | 29 | WCHAR filePath[MAX_PATH]; 30 | }; 31 | 32 | class ListboxLog : public Logger 33 | { 34 | public: 35 | 36 | ListboxLog() : window(0) { } 37 | ListboxLog(HWND window); 38 | 39 | void setWindow(HWND window); 40 | 41 | private: 42 | 43 | void write(const WCHAR * str); 44 | //void write(const CHAR * str); 45 | 46 | HWND window; 47 | }; 48 | -------------------------------------------------------------------------------- /src/Scylla/Scylla/MainGui.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla/MainGui.rc -------------------------------------------------------------------------------- /src/Scylla/Scylla/Scylla.cpp: -------------------------------------------------------------------------------- 1 | #include "Scylla.h" 2 | 3 | #include "NativeWinApi.h" 4 | 
#include "SystemInformation.h" 5 | #include "ProcessAccessHelp.h" 6 | 7 | ConfigurationHolder Scylla::config(L"Scylla.ini"); 8 | PluginLoader Scylla::plugins; 9 | 10 | ProcessLister Scylla::processLister; 11 | 12 | const WCHAR Scylla::DEBUG_LOG_FILENAME[] = L"Scylla_debug.log"; 13 | 14 | FileLog Scylla::debugLog(DEBUG_LOG_FILENAME); 15 | ListboxLog Scylla::windowLog; 16 | 17 | void Scylla::initAsGuiApp() 18 | { 19 | config.loadConfiguration(); 20 | plugins.findAllPlugins(); 21 | 22 | NativeWinApi::initialize(); 23 | SystemInformation::getSystemInformation(); 24 | 25 | if(config[DEBUG_PRIVILEGE].isTrue()) 26 | { 27 | processLister.setDebugPrivileges(); 28 | } 29 | 30 | ProcessAccessHelp::getProcessModules(GetCurrentProcess(), ProcessAccessHelp::ownModuleList); 31 | } 32 | 33 | void Scylla::initAsDll() 34 | { 35 | ProcessAccessHelp::ownModuleList.clear(); 36 | 37 | NativeWinApi::initialize(); 38 | SystemInformation::getSystemInformation(); 39 | ProcessAccessHelp::getProcessModules(GetCurrentProcess(), ProcessAccessHelp::ownModuleList); 40 | } -------------------------------------------------------------------------------- /src/Scylla/Scylla/Scylla.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "ConfigurationHolder.h" 4 | #include "PluginLoader.h" 5 | #include "ProcessLister.h" 6 | #include "Logger.h" 7 | 8 | #define APPNAME_S "Scylla" 9 | #define APPVERSION_S "v0.9.8" 10 | #define APPVERSIONDWORD 0x00009800 11 | 12 | #define DONATE_BTC_ADDRESS "1GmVrhWwUhwLohaCLP4SKV5kkz8rd16N8h" 13 | 14 | #define APPNAME TEXT(APPNAME_S) 15 | #define APPVERSION TEXT(APPVERSION_S) 16 | 17 | class Scylla 18 | { 19 | public: 20 | 21 | static void initAsGuiApp(); 22 | static void initAsDll(); 23 | 24 | static ConfigurationHolder config; 25 | static PluginLoader plugins; 26 | 27 | static ProcessLister processLister; 28 | 29 | static FileLog debugLog; 30 | static ListboxLog windowLog; 31 | 32 | private: 33 | 34 | static 
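const WCHAR DEBUG_LOG_FILENAME[];
};
--------------------------------------------------------------------------------
/src/Scylla/Scylla/StringConversion.cpp:
--------------------------------------------------------------------------------
#include "StringConversion.h"
//#include
#include
#include

// Narrow `str` into `buf` (bufsize chars including the terminator); returns buf.
//
// Encoding: despite the name, ATL::CW2A converts with the thread's ANSI code
// page (the ATL default), not to 7-bit ASCII, so the output is locale dependent
// and characters the code page cannot represent come back as substitutes.
//
// Bounds: the old call passed bufsize as the count. For strncpy_s that is not
// "copy at most bufsize"; when the source is >= bufsize chars the copy cannot
// fit together with its terminator, the call is treated as an error, and the
// secure-CRT invalid-parameter handler (process termination by default) runs
// instead of truncating -- the trailing buf[bufsize - 1] = '\0' never got a
// chance to help. _TRUNCATE requests the bounded, NUL-terminated copy that
// line was meant to guarantee. A NULL buf or bufsize of 0 returns buf
// untouched; a NULL str yields the empty string.
const char* StringConversion::ToASCII(const wchar_t* str, char* buf, size_t bufsize)
{
    if (buf == NULL || bufsize == 0)
        return buf;
    if (str == NULL)
    {
        buf[0] = '\0';
        return buf;
    }
    ATL::CW2A str_a = str;
    strncpy_s(buf, bufsize, str_a, _TRUNCATE);
    return buf;
}

// Widen `str` into `buf` (bufsize wchar_ts including the terminator); returns buf.
//
// ATL::CA2W reads `str` in the thread's ANSI code page (ATL default), not
// UTF-8; only the destination is UTF-16. Same bounds fix as ToASCII: wcsncpy_s
// with count == bufsize aborts on an overlong source instead of truncating,
// _TRUNCATE bounds the copy and guarantees the terminator.
const wchar_t* StringConversion::ToUTF16(const char* str, wchar_t* buf, size_t bufsize)
{
    if (buf == NULL || bufsize == 0)
        return buf;
    if (str == NULL)
    {
        buf[0] = L'\0';
        return buf;
    }
    ATL::CA2W str_w = str;
    wcsncpy_s(buf, bufsize, str_w, _TRUNCATE);
    return buf;
}
--------------------------------------------------------------------------------
/src/Scylla/Scylla/StringConversion.h:
--------------------------------------------------------------------------------
#pragma once

// Bounded wide<->narrow conversions through ATL (CW2A/CA2W, i.e. the thread's
// ANSI code page, not ASCII/UTF-8). Both write at most bufsize-1 characters
// plus a terminator into buf and return buf; longer input is truncated,
// never treated as an error.
class StringConversion
{
public:

    static const char* ToASCII(const wchar_t* str, char* buf, size_t bufsize);
    static const wchar_t* ToUTF16(const char* str, wchar_t* buf, size_t bufsize);
};
--------------------------------------------------------------------------------
/src/Scylla/Scylla/SystemInformation.h:
--------------------------------------------------------------------------------
#pragma once

#include

// Host OS as detected by SystemInformation::getSystemInformation(). The list
// ends at Windows 8; how later releases are classified is decided in the .cpp,
// which is not shown here.
enum OPERATING_SYSTEM {
    UNKNOWN_OS,
    WIN_XP_32,
    WIN_XP_64,
    WIN_VISTA_32,
    WIN_VISTA_64,
    WIN_7_32,
    WIN_7_64,
    WIN_8_32,
    WIN_8_64
};

// Function-pointer type for GetNativeSystemInfo; the typedef suggests it is
// looked up at run time rather than linked directly -- confirm in the .cpp.
typedef void (WINAPI *def_GetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo);

class SystemInformation
{
public:

    // Result of the last getSystemInformation() call. The spelling "currenOS"
    // is part of the public interface and is kept as is.
    static OPERATING_SYSTEM currenOS;
    static bool getSystemInformation();
};
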
-------------------------------------------------------------------------------- /src/Scylla/Scylla/Thunks.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | // WTL 7 | #include 8 | #include 9 | #include // CTreeItem 10 | 11 | class ImportThunk 12 | { 13 | public: 14 | WCHAR moduleName[MAX_PATH]; 15 | char name[MAX_PATH]; 16 | DWORD_PTR va; 17 | DWORD_PTR rva; 18 | WORD ordinal; 19 | DWORD_PTR apiAddressVA; 20 | WORD hint; 21 | bool valid; 22 | bool suspect; 23 | 24 | CTreeItem hTreeItem; 25 | DWORD_PTR key; 26 | 27 | void invalidate(); 28 | }; 29 | 30 | class ImportModuleThunk 31 | { 32 | public: 33 | WCHAR moduleName[MAX_PATH]; 34 | std::map thunkList; 35 | 36 | DWORD_PTR firstThunk; 37 | 38 | CTreeItem hTreeItem; 39 | DWORD_PTR key; 40 | 41 | DWORD_PTR getFirstThunk() const; 42 | bool isValid() const; 43 | }; 44 | -------------------------------------------------------------------------------- /src/Scylla/Scylla/check.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla/check.ico -------------------------------------------------------------------------------- /src/Scylla/Scylla/error.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla/error.ico -------------------------------------------------------------------------------- /src/Scylla/Scylla/resource.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla/resource.h -------------------------------------------------------------------------------- /src/Scylla/Scylla/scylla.ico: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla/scylla.ico -------------------------------------------------------------------------------- /src/Scylla/Scylla/scylla_export_functions.def: -------------------------------------------------------------------------------- 1 | EXPORTS 2 | ScyllaDumpCurrentProcessW @1 3 | ScyllaDumpCurrentProcessA @2 4 | ScyllaDumpProcessW @3 5 | ScyllaDumpProcessA @4 6 | ScyllaRebuildFileW @5 7 | ScyllaRebuildFileA @6 8 | ScyllaVersionInformationW @7 9 | ScyllaVersionInformationA @8 10 | ScyllaVersionInformationDword @9 11 | ScyllaStartGui @10 12 | ScyllaIatSearch @11 13 | ScyllaIatFixAutoW @12 14 | ScyllaAddSection @13 15 | -------------------------------------------------------------------------------- /src/Scylla/Scylla/warning.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/Scylla/Scylla/warning.ico -------------------------------------------------------------------------------- /src/Scylla/ScyllaDllTest/ScyllaTestExe/ScyllaTestExe.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ScyllaTestExe", "ScyllaTestExe.vcxproj", "{756E4AF7-342C-417F-86DC-3B2A78E782C9}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {756E4AF7-342C-417F-86DC-3B2A78E782C9}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {756E4AF7-342C-417F-86DC-3B2A78E782C9}.Debug|Win32.Build.0 = Debug|Win32 14 | 
{756E4AF7-342C-417F-86DC-3B2A78E782C9}.Release|Win32.ActiveCfg = Release|Win32 15 | {756E4AF7-342C-417F-86DC-3B2A78E782C9}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /src/Scylla/ScyllaDllTest/ScyllaTestExe/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | 4 | 5 | int CALLBACK WinMain( 6 | _In_ HINSTANCE hInstance, 7 | _In_ HINSTANCE hPrevInstance, 8 | _In_ LPSTR lpCmdLine, 9 | _In_ int nCmdShow 10 | ) 11 | { 12 | MessageBoxW(0, L"Test", L"Test", MB_OK); 13 | return 0; 14 | } -------------------------------------------------------------------------------- /src/Scylla/WTL/README: -------------------------------------------------------------------------------- 1 | Download WTL from here: https://sourceforge.net/projects/wtl/ 2 | Extract the contents of the ZIP in this directory. 
-------------------------------------------------------------------------------- /src/Scylla/scylla_release.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | SET SCYVERSION=Scylla_v0.11 3 | if not exist .\%SCYVERSION% mkdir .\%SCYVERSION% 4 | copy ".\Win32\Release\Scylla.exe" ".\%SCYVERSION%\Scylla_x86.exe" 5 | copy ".\x64\Release\Scylla.exe" ".\%SCYVERSION%\Scylla_x64.exe" 6 | copy ".\Win32\Release\Scylla.map" ".\%SCYVERSION%\Scylla_x86.map" 7 | copy ".\x64\Release\Scylla.map" ".\%SCYVERSION%\Scylla_x64.map" 8 | copy ".\Win32\Release\ScyllaDLL.dll" ".\%SCYVERSION%\Scylla_x86.dll" 9 | copy ".\x64\Release\ScyllaDLL.dll" ".\%SCYVERSION%\Scylla_x64.dll" 10 | copy ".\Win32\Release\ScyllaDLL.lib" ".\%SCYVERSION%\Scylla_x86.lib" 11 | copy ".\x64\Release\ScyllaDLL.lib" ".\%SCYVERSION%\Scylla_x64.lib" 12 | pause -------------------------------------------------------------------------------- /src/Scylla/tinyxml/README: -------------------------------------------------------------------------------- 1 | Download tinyxml from here: https://sourceforge.net/projects/tinyxml/ 2 | Copy the following files in this directory: 3 | tinystr.cpp 4 | tinyxml.cpp 5 | tinyxmlerror.cpp 6 | tinyxmlparser.cpp 7 | tinystr.h 8 | tinyxml.h -------------------------------------------------------------------------------- /src/Scylla/tinyxml/tinyxml.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | -------------------------------------------------------------------------------- /src/ScyllaDependencies/README.md: -------------------------------------------------------------------------------- 1 | **DISTORM** 2 | 3 | diStorm3 is really a decomposer, which means it takes an instruction and returns a binary structure which describes it rather than static text, which is great for advanced binary code analysis. 
4 | 5 | diStorm3 is super lightweight (~45KB), ultra fast and easy to use (a single API)! 6 | 7 | https://github.com/gdabah/distorm 8 | 9 |
10 | 11 | **TINYXML** 12 | 13 | TinyXML is a simple, small, minimal, C++ XML parser that can be easily integrated into other programs. It reads XML and creates C++ objects representing the XML document. The objects can be manipulated, changed, and saved again as XML. 14 | 15 | https://sourceforge.net/projects/tinyxml/ 16 | 17 |
18 | 19 | **WTL** 20 | 21 | Windows Template Library (WTL) is a C++ library for developing Windows applications and UI components. It extends ATL (Active Template Library) and provides a set of classes for controls, dialogs, frame windows, GDI objects, and more. 22 | 23 | https://sourceforge.net/projects/wtl/ 24 | -------------------------------------------------------------------------------- /src/ScyllaDependencies/WTL.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/ScyllaDependencies/WTL.rar -------------------------------------------------------------------------------- /src/ScyllaDependencies/diStorm.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/ScyllaDependencies/diStorm.rar -------------------------------------------------------------------------------- /src/ScyllaDependencies/tinyxml.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/ScyllaDependencies/tinyxml.rar -------------------------------------------------------------------------------- /src/ScyllaDependencies/tinyxml/README: -------------------------------------------------------------------------------- 1 | Download tinyxml from here: https://sourceforge.net/projects/tinyxml/ 2 | Copy the following files in this directory: 3 | tinystr.cpp 4 | tinyxml.cpp 5 | tinyxmlerror.cpp 6 | tinyxmlparser.cpp 7 | tinystr.h 8 | tinyxml.h -------------------------------------------------------------------------------- /src/ScyllaDumper/ScyllaDumper/Log.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | FILE *log_file; 3 | 4 | FILE *report_file; 5 | 6 | Log* 
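Log::instance = 0;

// Constructor: opens LOG_FILENAME for writing the first time the singleton is
// created. fopen() can fail (missing directory, permissions); the member is
// then NULL and the accessors below must never hand it to stdio.
Log::Log(){
    this->log_file = fopen(LOG_FILENAME,"w");
    if (this->log_file == NULL) {
        // Report once so a silently missing log is noticed; logging itself
        // falls back to stderr in getLogFile().
        fprintf(stderr, "[Log] cannot open %s for writing\n", LOG_FILENAME);
    }
}

// Singleton accessor. Not thread-safe: two threads racing through here can
// both allocate a Log; callers are assumed to initialise it from one thread.
Log* Log::getInstance()
{
    if (instance == 0)
        instance = new Log();
    return instance;
}

// Flush and close the log file. Safe to call when the file was never opened
// or was already closed: fflush()/fclose() on a NULL FILE* is undefined
// behaviour, so the handle is checked and cleared after closing.
void Log::closeLogFile()
{
    if (this->log_file != NULL) {
        fflush(this->log_file);
        fclose(this->log_file);
        this->log_file = NULL;
    }
}

// Return the stream the logging macros write to. With LOG_WRITE_TO_FILE the
// log file is used; if it could not be opened (or was closed) fall back to
// stderr so no caller ever fprintf()s into a NULL FILE*. Without
// LOG_WRITE_TO_FILE everything goes to stdout.
FILE* Log::getLogFile()
{
#ifdef LOG_WRITE_TO_FILE
    return this->log_file != NULL ? this->log_file : stderr;
#else
    return stdout;
#endif
}

-------------------------------------------------------------------------------- /src/ScyllaDumper/ScyllaDumper/Log.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | 5 | 6 | //#define LOG_WRITE_TO_FILE 1 //if it is uncommented the result will be saved on file otherwise they'll be printed to stdout 7 | #define LOG_FILENAME "C:\\pin\\TempOEPin\\Scylla\\ScyllaTestLog.txt" 8 | 9 | class Log 10 | { 11 | 12 | public: 13 | static Log* getInstance(); 14 | void Log::closeLogFile(); 15 | void Log::closeReportFile(); 16 | FILE* Log::getLogFile(); 17 | 18 | 19 | private: 20 | Log::Log(); 21 | static Log* instance; 22 | FILE *log_file; 23 | 24 | }; 25 | 26 | -------------------------------------------------------------------------------- /src/ScyllaDumper/ScyllaDumper/ScyllaDumper.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ScyllaDumper", "ScyllaTest.vcxproj", "{C9D83AE7-64DA-411D-BDAC-C60ABE35612C}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | 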
GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {C9D83AE7-64DA-411D-BDAC-C60ABE35612C}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {C9D83AE7-64DA-411D-BDAC-C60ABE35612C}.Debug|Win32.Build.0 = Debug|Win32 14 | {C9D83AE7-64DA-411D-BDAC-C60ABE35612C}.Release|Win32.ActiveCfg = Release|Win32 15 | {C9D83AE7-64DA-411D-BDAC-C60ABE35612C}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /src/ScyllaDumper/ScyllaDumper/debug.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define DEBUG_BUILD 1 4 | #define INFO_BUILD 1 5 | #define WARN_BUILD 1 6 | #define ERROR_BUILD 1 7 | #define LOG_BUILD 1 8 | 9 | #define __FILENAME__ (strrchr(__FILE__, '\\') ? strrchr(__FILE__, '\\') + 1 : __FILE__) 10 | #define DEBUG(fmt, ...) \ 11 | do { if (DEBUG_BUILD) fprintf(stderr, "[DEBUG](%s):%d:%s(): " fmt, __FILENAME__, \ 12 | __LINE__, __FUNCTION__, __VA_ARGS__); } while (0) 13 | 14 | 15 | #define WARN(fmt, ...) \ 16 | do { if (WARN_BUILD) fprintf(Log::getInstance()->getLogFile(),"[WARNING](%s) "fmt"\n",__FILENAME__, __VA_ARGS__);fflush(Log::getInstance()->getLogFile()); } while (0) 17 | 18 | #define ERRORE(fmt, ...) \ 19 | do { if (ERROR_BUILD) fprintf(Log::getInstance()->getLogFile(),"[ERROR](%s) "fmt"\n",__FILENAME__, __VA_ARGS__);fflush(Log::getInstance()->getLogFile()); } while (0) 20 | 21 | #define INFO(fmt, ...) 
\ 22 | do { if (LOG_BUILD){ fprintf(Log::getInstance()->getLogFile(),"[INFO](%s) "fmt"\n",__FILENAME__, __VA_ARGS__);fflush(Log::getInstance()->getLogFile()); } } while (0) 23 | 24 | 25 | #define CLOSELOG()\ 26 | do { if (LOG_BUILD){ Log::getInstance()->closeLogFile();}}while (0) 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /src/ScyllaDumper/ScyllaDumper/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/ScyllaDumper/ScyllaDumper/stdafx.cpp -------------------------------------------------------------------------------- /src/ScyllaDumper/ScyllaDumper/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : file di inclusione per file di inclusione di sistema standard 2 | // o file di inclusione specifici del progetto utilizzati di frequente, ma 3 | // modificati raramente 4 | // 5 | 6 | #pragma once 7 | 8 | #define _CRT_SECURE_NO_WARNINGS 9 | #include "targetver.h" 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include "Log.h" 17 | 18 | 19 | 20 | 21 | 22 | 23 | // TODO: fare riferimento qui alle intestazioni aggiuntive richieste dal programma 24 | -------------------------------------------------------------------------------- /src/ScyllaDumper/ScyllaDumper/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Includere SDKDDKVer.h per definire la piattaforma Windows maggiormente disponibile. 4 | 5 | // Se si desidera compilare l'applicazione per una piattaforma Windows precedente, includere WinSDKVer.h e 6 | // impostare la macro _WIN32_WINNT sulla piattaforma da supportare prima di includere SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /src/ScyllaDumper/ScyllaTest.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ScyllaTest", "ScyllaTest\ScyllaTest.vcxproj", "{C9D83AE7-64DA-411D-BDAC-C60ABE35612C}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {C9D83AE7-64DA-411D-BDAC-C60ABE35612C}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {C9D83AE7-64DA-411D-BDAC-C60ABE35612C}.Debug|Win32.Build.0 = Debug|Win32 14 | {C9D83AE7-64DA-411D-BDAC-C60ABE35612C}.Release|Win32.ActiveCfg = Release|Win32 15 | {C9D83AE7-64DA-411D-BDAC-C60ABE35612C}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /src/ScyllaWrapper/Log.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | 4 | FILE *log_file; 5 | 6 | FILE *report_file; 7 | 8 | Log* Log::instance = 0; 9 | 10 | WCHAR * Log::LOG_FILENAME = L"ScyllaWrapperLog.txt"; 11 | 12 | //at the first time open the log file 13 | Log::Log(){ 14 | 15 | } 16 | 17 | void Log::initLogPath(WCHAR * cur_path){ 18 | 19 | WCHAR buffer[MAX_PATH]; 20 | 21 | swprintf(buffer,MAX_PATH, L"%s%s", cur_path ,Log::LOG_FILENAME); 22 | 23 | this->log_file = _wfopen(buffer,L"a"); 24 | 25 | //this->log_file = fopen("C:\\pin\\log_prova_c.log","w"); 26 | } 27 | 28 | //singleton 29 | Log* Log::getInstance() 30 | { 31 | if (instance == 0) 32 | instance = 
new Log(); 33 | return instance; 34 | } 35 | 36 | //flush the buffer and close the file 37 | void Log::closeLogFile() 38 | { 39 | fflush(this->log_file); 40 | fclose(this->log_file); 41 | } 42 | 43 | 44 | //return the file pointer 45 | FILE* Log::getLogFile() 46 | { 47 | #ifdef LOG_WRITE_TO_FILE 48 | return this->log_file; 49 | #else 50 | return stdout; 51 | #endif 52 | } 53 | 54 | 55 | -------------------------------------------------------------------------------- /src/ScyllaWrapper/Log.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "stdafx.h" 3 | 4 | 5 | 6 | 7 | 8 | //#define LOG_WRITE_TO_FILE 1 //if it is uncommented the result will be saved on file otherwise they'll be printed to stdout 9 | //#define LOG_FILENAME "C:\\pin\\PinUnpackerDependencies\\ScyllaWrapperLog.txt" 10 | 11 | 12 | class Log 13 | { 14 | 15 | public: 16 | static Log* getInstance(); 17 | void Log::closeLogFile(); 18 | void Log::closeReportFile(); 19 | FILE* Log::getLogFile(); 20 | void Log::initLogPath(WCHAR * cur_path); 21 | static WCHAR * LOG_FILENAME; 22 | 23 | 24 | 25 | private: 26 | Log::Log(); 27 | static Log* instance; 28 | FILE *log_file; 29 | 30 | }; 31 | 32 | -------------------------------------------------------------------------------- /src/ScyllaWrapper/ScyllaWrapper.def: -------------------------------------------------------------------------------- 1 | EXPORTS 2 | ScyllaDumpAndFix @1 3 | ScyllaWrapAddSection @2 4 | 5 | -------------------------------------------------------------------------------- /src/ScyllaWrapper/ScyllaWrapper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "stdafx.h" 3 | #include 4 | 5 | UINT32 ScyllaDumpAndFix(int pid, int oep, WCHAR * output_file, WCHAR * cur_path, WCHAR * tmp_dump, WCHAR *reconstructed_imports_file); 6 | 7 | 8 | /* 9 | Add a new section to a dumped file 10 | 11 | Args: 12 | dump_path = path to the dumped 
file 13 | sectionName = name of the new section that you want to create 14 | sectionSize = size of the section you want to add 15 | sectionData = stuff to put in the new section 16 | 17 | Ret: 18 | True or False if Scylla sucessfully add the new section 19 | */ 20 | UINT32 ScyllaWrapAddSection(const WCHAR * dump_path , const CHAR * sectionName, DWORD sectionSize, UINT32 offset, BYTE * sectionData,WCHAR *reconstructed_imports_file); 21 | 22 | -------------------------------------------------------------------------------- /src/ScyllaWrapper/debug.cpp: -------------------------------------------------------------------------------- 1 | #include "StdAfx.h" 2 | #include "debug.h" 3 | 4 | 5 | debug::debug(void) 6 | { 7 | } 8 | 9 | 10 | debug::~debug(void) 11 | { 12 | } 13 | -------------------------------------------------------------------------------- /src/ScyllaWrapper/debug.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define DEBUG_BUILD 1 4 | #define INFO_BUILD 1 5 | #define WARN_BUILD 1 6 | #define ERROR_BUILD 1 7 | #define LOG_BUILD 1 8 | 9 | #define __FILENAME__ (strrchr(__FILE__, '\\') ? strrchr(__FILE__, '\\') + 1 : __FILE__) 10 | #define DEBUG(fmt, ...) \ 11 | do { if (DEBUG_BUILD) fprintf(stderr, "[DEBUG](%s):%d:%s(): " fmt, __FILENAME__, \ 12 | __LINE__, __FUNCTION__, __VA_ARGS__); } while (0) 13 | 14 | 15 | #define WARN(fmt, ...) \ 16 | do { if (WARN_BUILD) fprintf(Log::getInstance()->getLogFile(),"[WARNING](%s) "fmt"\n",__FILENAME__, __VA_ARGS__);fflush(Log::getInstance()->getLogFile()); } while (0) 17 | 18 | #define ERRORE(fmt, ...) \ 19 | do { if (ERROR_BUILD) fprintf(Log::getInstance()->getLogFile(),"[ERROR](%s) "fmt"\n",__FILENAME__, __VA_ARGS__);fflush(Log::getInstance()->getLogFile()); } while (0) 20 | 21 | #define INFO(fmt, ...) 
\ 22 | do { if (LOG_BUILD){ fprintf(Log::getInstance()->getLogFile(),"[INFO](%s) "fmt"\n",__FILENAME__, __VA_ARGS__);fflush(Log::getInstance()->getLogFile()); } } while (0) 23 | 24 | #define PRINT(fmt, ...) \ 25 | do { if (LOG_BUILD){ fprintf(Log::getInstance()->getLogFile(),fmt"\n", __VA_ARGS__); } } while (0) 26 | 27 | #define CLOSELOG()\ 28 | do { if (LOG_BUILD){ Log::getInstance()->closeLogFile();}}while (0) 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /src/ScyllaWrapper/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp: definisce il punto di ingresso per l'applicazione DLL. 2 | #include "stdafx.h" 3 | 4 | BOOL APIENTRY DllMain( HMODULE hModule, 5 | DWORD ul_reason_for_call, 6 | LPVOID lpReserved 7 | ) 8 | { 9 | switch (ul_reason_for_call) 10 | { 11 | case DLL_PROCESS_ATTACH: 12 | case DLL_THREAD_ATTACH: 13 | case DLL_THREAD_DETACH: 14 | case DLL_PROCESS_DETACH: 15 | break; 16 | } 17 | return TRUE; 18 | } 19 | 20 | -------------------------------------------------------------------------------- /src/ScyllaWrapper/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/necst/arancino/7de9dd89c22de2d44a8682ce162e6fb900c8a4ad/src/ScyllaWrapper/stdafx.cpp -------------------------------------------------------------------------------- /src/ScyllaWrapper/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : file di inclusione per file di inclusione di sistema standard 2 | // o file di inclusione specifici del progetto utilizzati di frequente, ma 3 | // modificati raramente 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Escludere gli elementi utilizzati di rado dalle intestazioni di Windows 11 | // File di intestazione di Windows: 12 | #include 13 | #include 14 | #include 15 
| #include "FunctionExport.h" 16 | #include 17 | #include 18 | #include "Log.h" 19 | 20 | 21 | 22 | // TODO: fare riferimento qui alle intestazioni aggiuntive richieste dal programma 23 | -------------------------------------------------------------------------------- /src/ScyllaWrapper/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Includere SDKDDKVer.h per definire la piattaforma Windows maggiormente disponibile. 4 | 5 | // Se si desidera compilare l'applicazione per una piattaforma Windows precedente, includere WinSDKVer.h e 6 | // impostare la macro _WIN32_WINNT sulla piattaforma da supportare prima di includere SDKDDKVer.h. 7 | 8 | #include 9 | --------------------------------------------------------------------------------