shavitush

MawaStealer

Introduction

Nyaa. You're probably familiar with it if you're a stinky weeb like me. But if you're not, it's a torrent tracker; it allows users to upload torrents and to use their server as a tracker. In the past, the website allowed for registrations.
Ever since the website was flooded with child pornography and malware, they closed down on registrations years ago & disabled guest uploads, so only old accounts exist, and uploads are mostly fine. Occasionally, accounts are stolen and are used for spreading malware in the form of torrents.

Earlier today, 2025/09/11, there was a malicious archive uploaded to the website. It was titled Dr. STONE - Science Future - S04E21.zip. Advertises itself as a pirated copy of episode 21 in the 4th season of the anime series "Dr. STONE". The issue is that the contents of the file are actually a few unrelated items..

NSG650

#include <stdio.h>
#include <windows.h>
#include <vector>

RECT gUsableAreaCoords = {0};
RECT gCurrentPos = {0};
INT gVelocityX = 5;
INT gVelocityY = 5;

DWORD gLast = 0;

susMdT

using System;
using System.Runtime.CompilerServices;
using System.Reflection;
using System.Reflection.Emit;
namespace FunkyJit
{
    class Program
    {
        public static void Nothing() { Console.WriteLine(); }
        static void Main(string[] args)

richinseattle

DTrace for Windows

https://github.com/microsoft/DTrace-on-Windows

Overview

DTrace for Windows is a port of the opensource release of DTrace originally developed by Sun for Solaris in 2005. DTrace allows for high performance function tracing with access to typed arguments and statistical event collection. DTrace utilizes several types of instrumentation or trace frameworks provided by Windows including ETW, a system call tracer, a kernel function tracer, and a userland function tracer.

Installation / Build Notes

icecr4ck

IDAPython cheatsheet

Important links

• Porting IDAPython plugins to IDA 7.4
• Hex-Rays IDAPython official documentation

Basic commands

Get informations on the binary

shadyeip

rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

stecman

This is a technique for extracting all imported modules from a packaged Python application as .pyc files, then decompiling them. The target program needs to be run from scratch, but no debugging symbols are necessary (assuming an unmodified build of Python is being used).

This was originally performed on 64-bit Linux with a Python 3.6 target. The Python scripts have since been updated to handle pyc files for Python 2.7 - 3.9.

Theory

In Python we can leverage the fact that any module import involving a .py* file will eventually arrive as ready-to-execute Python code object at this function:

PyObject* PyEval_EvalCode(PyObject *co, PyObject *globals, PyObject *locals);

mattifestation

# Example: ls 'C:\Windows\System32\*' -Include '*.dll' | Get-AuthenticodeSignature | Select -ExpandProperty SignerCertificate | Get-TBSHash

filter Get-TBSHash {
    [OutputType([String])]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [Security.Cryptography.X509Certificates.X509Certificate2]
        $Certificate
    )