This course provides an in-depth exploration of advanced malware development techniques on Linux, focusing on sophisticated methods such as binary injection, process injection, and file hijacking. Designed for learners with a foundational understanding of Linux and programming, the course emphasizes practical application in a safe, controlled environment (virtual machines) and underscores ethical and legal considerations for academic or authorized security testing purposes.
| import tkinter as tk | |
| from tkinter import ttk, messagebox, filedialog | |
| import struct | |
| import os | |
| import hashlib | |
| from datetime import datetime | |
| from dataclasses import dataclass | |
| from typing import List, Optional, Tuple | |
| import re |
By default, update server of Avast for Linux uses HTTP protocol which is vulnerable to Man-In-The-Middle and DNS Spoofing attack. An attacker in LAN network can use ARP Spoofing attack, redirect update packet to a fake server or even capture response data and tamper update file.
| import "elf" | |
| import "console" | |
| /* | |
| To use this rule, simply run: yara <path to this rule> <pah to dir to scan> -r -p 1 -N | |
| Explain: | |
| -r: recursively search | |
| -p 1: Run single thread only. Show console log won't be messed up | |
| -N: No follow symlink. Ignore duplicate results from symlink | |
| Suggestion: In future, run with -s could be good |
| #!/usr/bin/python3 | |
| import os | |
| import requests | |
| from shodan import Shodan | |
| API_KEY_PATH = os.path.expanduser("~/.config/shodan/api_key") # read API key from config file | |
| KEYWORD = "country:cn http.status:200 \"Server: Check Point SVN foundation\"" | |
| URL_REQ = "/clients/MyCRL" |
Dlink DIR-600M C1 has buffer overflow in authentication that allows unauthenticated attacker to performce Denial of Service attack. Attacker can send payload to web login or telnet login (which is disabled by default). This vulnerability is as same as
CVE-2021-26709 which possibly leads to unauthenticated remote code execution.
| #!/bin/bash | |
| # Example of using bash with array | |
| port_arr=(80 22 3306) | |
| max_timeout=2 # Timeout requires coreutils (on Debian-based system) | |
| function do_scan_port { | |
| # If use array like above, use the line above | |
| for port in "${port_arr[@]}"; do | |
| # Otherwise, use the port range |
| import .. / src / engine / libyara # Binding lib co san. Neu tai ve thi sua cho nay, lay binding o day https://github.com/dmknght/nimyara | |
| import strformat | |
| import os | |
| # Pass vao compiler de link voi thu vien Yara | |
| {.passL: "-lyara".} | |
| type | |
| COMPILER_RESULT = object | |
| errors: int | |
| warnings: int |
| /* | |
| Forked from https://github.com/hongson11698/defender-database-extract/ | |
| - Fixed some buffer overflow in sprintf | |
| - Compile: g++ extract_sig.cpp -o extract_sig -Wall -lstdc++fs | |
| - Usage: ./extract_sig <dir to write result> <extracted av/as base> <optional: extracted av/as dlta> | |
| If both av and dlta is defined, the program will merge both of them to make a final db | |
| */ | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> |
| from qiling import * | |
| from qiling.const import * | |
| from unicorn.x86_const import UC_X86_INS_SYSCALL # https://github.com/unicorn-engine/unicorn/blob/master/bindings/python/unicorn/x86_const.py | |
| import argparse | |
| import yara | |
| def mem_scan(ql: Qiling, address: int, size: int, yr_pointer) -> None: | |
| buf = ql.mem.read(address, size) | |
| for insn in ql.arch.disassembler.disasm(buf, address): |