```python
import idaapi, idc, idautils

class DecryptorError(Exception):
    pass

def rc4crypt(key, data):
    x = 0
    box = range(256)
```
```json
{"exports": ["A_SHAFinal", "A_SHAInit", "A_SHAUpdate", "AbortSystemShutdownA", "AbortSystemShutdownW", "AccessCheck", "AccessCheckAndAuditAlarmA", "AccessCheckAndAuditAlarmW", "AccessCheckByType", "AccessCheckByTypeAndAuditAlarmA", "AccessCheckByTypeAndAuditAlarmW", "AccessCheckByTypeResultList", "AccessCheckByTypeResultListAndAuditAlarmA", "AccessCheckByTypeResultListAndAuditAlarmByHandleA", "AccessCheckByTypeResultListAndAuditAlarmByHandleW", "AccessCheckByTypeResultListAndAuditAlarmW", "AddAccessAllowedAce", "AddAccessAllowedAceEx", "AddAccessAllowedObjectAce", "AddAccessDeniedAce", "AddAccessDeniedAceEx", "AddAccessDeniedObjectAce", "AddAce", "AddAuditAccessAce", "AddAuditAccessAceEx", "AddAuditAccessObjectAce", "AddConditionalAce", "AddMandatoryAce", "AddUsersToEncryptedFile", "AddUsersToEncryptedFileEx", "AdjustTokenGroups", "AdjustTokenPrivileges", "AllocateAndInitializeSid", "AllocateLocallyUniqueId", "AreAllAccessesGranted", "AreAnyAccessesGranted", "AuditComputeEffectivePolicyBySid", "AuditComputeEf
```
```python
import os
import pefile
import json

INTERESTING_DLLS = [
    'kernel32.dll', 'comctl32.dll', 'advapi32.dll', 'comdlg32.dll',
    'gdi32.dll', 'msvcrt.dll', 'netapi32.dll', 'ntdll.dll',
    'ntoskrnl.exe', 'oleaut32.dll', 'psapi.dll', 'shell32.dll',
    'shlwapi.dll', 'srsvc.dll', 'urlmon.dll', 'user32.dll',
```
```python
import json

# fn_name = "wsprintfW"
# api_hash = 0x0B6D391AE

export_db = {}

def get_api_hash(fn_name):
    result = 0x2b
    for c in fn_name:
```
```python
#! /usr/bin/env python
##########################################################################################
##
## RC4 Crypto
##
##########################################################################################

def rc4crypt(key, data):
```
```powershell
Set-ExecutionPolicy Unrestricted;
iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1'));
get-boxstarter -Force;
Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1';
```
```powershell
Write-Host -NoNewline " "
Write-Host -NoNewline " _______ _______ ___ _______ _______ _______ "
Write-Host -NoNewline " | || _ || | | _ || _ || | "
Write-Host -NoNewline " | _ || |_| || | | |_| || |_| || _____| "
Write-Host -NoNewline " | | | || || | | || || |_____ "
Write-Host -NoNewline " | |_| || || |___ | || _ | |_____ | "
Write-Host -NoNewline " | || _ || || _ || |_| | _____| | "
Write-Host -NoNewline " |_______||__| |__||_______||__| |__||_______||_______| "
Write-Host -NoNewline " "
Write-Host -NoNewline " "
```
```python
# MS SCEP & SE quarantined files decrypter
# This script is a fork from quarantine.py from the cuckoosandbox project.
# Also thanks to Jon Glass (https://jon.glass/quarantines-junk/)
# Usage: quarantine.py <encryptedfile>
#
# Copyright (C) 2015 KillerInstinct, Optiv, Inc. ([email protected])
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
```