Search the Community

Obfuscated powershell reverse backdoor with Flipper Zero and USB Rubber Ducky payloads. Reverse backdoor written in Powershell and obfuscated with Python. Allowing the backdoor to have a new signature after every run. Also can generate auto run scripts for Flipper Zero and USB Rubber Ducky. Features Hak5 Rubber Ducky payload Flipper Zero payload Download Files from remote system Fetch target computers public IP address List local users Find Intresting Files Get OS Information Get BIOS Information Get Anti-Virus Status Get Active TCP Clients Checks for common pentesting software installed [hide][Hidden Content]]

Obfuscation Detection Automatically detect obfuscated code and other state machines Scripts to automatically detect obfuscated code and state machines in binaries. Implementation is based on IDA 7.4+ (Python3). Check out the following blog posts for more information on the Binary Ninja implementation: Automated Detection of Control-flow Flattening Automated Detection of Obfuscated Code Referenced Repository Note: Due to the recursive nature of plotting a dominator tree of every found function within the binary, the implementation and runtime overhead is expensive. As such, the flattening heuristic is omitted when the binary loaded has more than 50 functions. Functions will be skipped if the ctree structure is too large (more than 50 nodes) to prevent crashes. Changelog v1.7 Support for IDA 7.4+ (Including 7.7 onwards) Added version check for deprecated API functions [hide][Hidden Content]]

Obfuscation Detection Automatically detect obfuscated code and other state machines Scripts to automatically detect obfuscated code and state machines in binaries. Implementation is based on IDA 7.4+ (Python3). Check out the following blog posts for more information on the Binary Ninja implementation: Automated Detection of Control-flow Flattening Automated Detection of Obfuscated Code Referenced Repository Note: Due to the recursive nature of plotting a dominator tree of every found function within the binary, the implementation and runtime overhead is expensive. As such, the flattening heuristic is omitted when the binary loaded has more than 50 functions. Functions will be skipped if the ctree structure is too large (more than 50 nodes) to prevent crashes. Changelog v1.6 Refactor plugin handler Removed duplicate banner print Changed PLUGIN_FIX to PLUGIN_HIDE, user can just use Ctrl-Shift-H Code cleanup in #5 [hide][Hidden Content]]

Obfuscation Detection Automatically detect control-flow flattening and other state machines Scripts and binaries to automatically detect control-flow flattening and other state machines in binaries. Changelog v1.3 added fine-granular heuristic selection [hide][Hidden Content]]

Obfuscation Detection Automatically detect obfuscated code and other state machines Scripts to automatically detect obfuscated code and state machines in binaries. Implementation is based on IDA 7.4+ (Python3). Check out the following blog posts for more information on the Binary Ninja implementation: Automated Detection of Control-flow Flattening Automated Detection of Obfuscated Code Referenced Repository Note: Due to the recursive nature of plotting a dominator tree of every found function within the binary, the implementation and runtime overhead is expensive. As such, the flattening heuristic is omitted when the binary loaded has more than 50 functions. Functions will be skipped if the ctree structure is too large (more than 50 nodes) to prevent crashes. Changelog v1.5 GUI Features: QTable Heuristic result view Node limiting Single/All function heuristic search Heuristic result export Heuristic Features: Control-Flow Flattening Cyclomatic Complexity Basic Block Size Instruction Overlapping [hide][Hidden Content]]

Obfuscation Detection Automatically detect obfuscated code and other state machines Scripts to automatically detect obfuscated code and state machines in binaries. obfDetect v1.4 Heuristic Features: Control-Flow Flattening Cyclomatic Complexity Basic Block Size Instruction Overlapping [hide][Hidden Content]]

Modified from Apktool Decompiles almost all resource obfuscated apks (like wechat, tiktok) ... Decompiles splitted apks Renames illegal names like @layout/aa -> @layout/layout_0a12 Modified aapt binary tool (for now linux only) to handle illegal character java class names Nicely indented xml [hide][Hidden Content]]

Sharperner Sharperner is a tool written in CSharp that generates a .NET dropper with AES and XOR obfuscated shellcode. A generated executable can possibly bypass signature check but I can’t be sure it can bypass heuristic scanning. Features PE binary Process Hollowing PPID Spoofing Random generated AES key and iv Final Shellcode, Key, and IV are translated to morse code 🙂 .NET binary AES + XOR encrypted shellcode APC Process Injection (explorer.exe) Random function names Random generated AES key and iv Final Shellcode, Key, and IV are translated to morse code 🙂 [hide][Hidden Content]]

C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process. The snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no generated output share the same signatures. What is AMSI? As f-secure explained in one of their excellent blog-posts: AMSI is an interface on which applications or services (third-party included) are able to scan a script’s content for malicious usage. If a signature in the script is registered by the AMSI antimalware service provider (Windows Defender by default), it will be blocked. To put this into context, consider the following steps PowerShell takes to integrate with AMSI: When a PowerShell process is created, AMSI.DLL is loaded from disk into its address space. Within AMSI.DLL, there’s a function known as AmsiScanBuffer(), essentially the function used to scan a script’s content. In the PowerShell command prompt, any supplied content would first be sent to AmsiScanBuffer(), before any execution takes place. Subsequently, AmsiScanBuffer() would check with the registered anti-virus to determine if any signatures have been created. If the content is deemed malicious, it would be blocked. Since AMSI relies on being loaded within the process executing the actual script, techniques to break or patch specific functions within amsi.dll are well known. [hide][Hidden Content]]

Fnord is a pattern extractor for obfuscated code Description Fnord has two main functions: Extract byte sequences and create some statistics Use these statistics, combine length, number of occurrences, similarity and keywords to create a YARA rule 1. Statistics Fnord processes the file with a sliding window of varying size to extract all sequences of with a minimum length -m X (default: 4) up to a maximum length -x X (default: 40). For each length, Fnord will present the most frequently occurring sequences -t X (default: 3) in a table. Each line in the table contains: Length Number of occurrences Sequence (string) Formatted (ascii/wide/hex) Hex encoded form Entropy [HIDE][Hidden Content]]