Jiří Vinopal
@vinopaljiri
Threat Researcher at Check Point @_CPResearch_ #DFIR #Reversing - All opinions expressed here are mine only.
https://t.co/iWvwWF1AnN
ID:1046078641409544197
https://github.com/Dump-GUY 29-09-2018 16:45:58
2,7K Tweets
8,3K Followers
429 Following
RussianPanda 🐼 🇺🇦 So true, needed 15 mins for this 😄🤓
'rule SUSP_Panda{strings:$="Yara" wide $="false positives" wide $="low quality" wide $="5-minute job" wide condition:all of them}'|sc .\p.yar;start 'twitter.com/RussianPanda9x…';sleep 2;(ps 'firefox').ForEach{.\yara64.exe .\p.yar $_.Id};rm .\p.yar
I am done 😄☹️ Writing a Live Hunt #VirusTotal Rule that needs to check Windows #drivers loading...
I was so naive to check for setting values of services key, till I found this is perfectly fine for Windows to load Kernel driver via #NtLoadDriver 😥
So far not so bad... if you consider that I am using pure #PowerShell Method defined in #PowerShell class via reflection as a patch for pure .NET method with #Harmony library 🤓😄🤟
But a lot of limitations actually suck in wide usage ☹️
#Hooking #Harmony #dotnet #PowerShell
As I found this IDA plugin idea pretty cool and useful, I ported it to support Python 2/3 and IDA >= 7.4 (tested IDA 7.7, 8.4) ➡️ available here:
gist.github.com/Dump-GUY/be133…
It is a modified version of Willi Ballenthin's IDA plugin 'hint_calls.py'. Enjoy, and thank you Willi 💙😊🙏