Scripts

Filter by Category

Title	Categories	Script
Base64 decode strings in file	file
import re import base64 def extract_base64(filename): with open(filename, "r", errors="ignore") as f: content = f.read() pattern = r"[A-Za-z0-9+/=]{20,}" return [base64.b64decode(match) for match in re.findall(pattern, content)] decoded_blobs = extract_base64("sample.txt") for blob in decoded_blobs: print(blob[:100])
Binutil (common operations)	utility
{% raw %} import argparse import hashlib import base64 import re import struct import os def calc_hashes(filepath): hashes = {'md5': hashlib.md5(), 'sha1': hashlib.sha1(), 'sha256': hashlib.sha256()} with open(filepath, 'rb') as f: while chunk := f.read(8192): for h in hashes.values(): h.update(chunk) for name, h in hashes.items(): print(f"{name.upper()}: {h.hexdigest()}") def base64_decode(input_str): decoded = base64.b64decode(input_str) print("Decoded (Base64):", decoded) def xor_decode(hex_str, key): data = bytes.fromhex(hex_str) key_bytes = key.encode() decoded = bytes([b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(data)]) print("Decoded (XOR):", decoded) def string_to_bytes(string): print("Byte representation:", string.encode()) def hex_to_bytes(hex_string): print("Converted bytes:", bytes.fromhex(hex_string)) def unpack_le(hex_string): data = bytes.fromhex(hex_string) print("LE unpacked int:", struct.unpack('<I', data[:4])[0]) def calc_entropy(filepath): with open(filepath, 'rb') as f: data = f.read() if not data: print("Empty file.") return occur = [0] * 256 for b in data: occur[b] += 1 entropy = 0 for count in occur: if count: p = count / len(data) entropy -= p * (p).bit_length() print(f"Entropy: {entropy:.4f}") def extract_strings(filepath, min_length=4): with open(filepath, 'rb') as f: data = f.read() strings = re.findall(rb'[ -~]{%d,}' % min_length, data) for s in strings: print(s.decode(errors='ignore')) def yara_rule_from_strings(name, strings): rule = f"rule {name}\n strings:\n" for i, s in enumerate(strings): rule += f" $s{i} = \"{s}\"\n" rule += " condition:\n all of them\n}" print(rule) def disassemble_shellcode(hex_string): try: from capstone import Cs, CS_ARCH_X86, CS_MODE_32 except ImportError: print("Capstone is not installed. Run: pip install capstone") return shellcode = bytes.fromhex(hex_string) md = Cs(CS_ARCH_X86, CS_MODE_32) for i in md.disasm(shellcode, 0x1000): print(f"0x{i.address:x}: {i.mnemonic} {i.op_str}") def parse_pe_headers(filepath): try: import pefile except ImportError: print("pefile is not installed. Run: pip install pefile") return pe = pefile.PE(filepath) print("[*] Sections:") for section in pe.sections: print(f" {section.Name.strip().decode(errors='ignore')}: {hex(section.VirtualAddress)} - {hex(section.Misc_VirtualSize)}") def extract_iocs(filepath): with open(filepath, "rb") as f: data = f.read() text = data.decode('utf-8', errors='ignore') urls = re.findall(r'https?://[\w./\-]+', text) ips = re.findall(r'\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b', text) emails = re.findall(r'[\w.-]+@[\w.-]+', text) print("[*] URLs:") for url in urls: print(" ", url) print("[*] IPs:") for ip in ips: print(" ", ip) print("[*] Emails:") for email in emails: print(" ", email) def carve_pe_from_memory(filepath, output_dir="carved"): with open(filepath, "rb") as f: data = f.read() matches = [m.start() for m in re.finditer(b'MZ', data)] os.makedirs(output_dir, exist_ok=True) for i, offset in enumerate(matches): chunk = data[offset:offset + 1024*1024] out_path = os.path.join(output_dir, f"carved_{i}.exe") with open(out_path, "wb") as f: f.write(chunk) print(f"[+] Carved PE saved to: {out_path}") def batch_scan(directory): print(f"[+] Scanning directory: {directory}") for root, dirs, files in os.walk(directory): for file in files: path = os.path.join(root, file) try: size = os.path.getsize(path) sha256 = hashlib.sha256(open(path, 'rb').read()).hexdigest() print(f"{path} | {size} bytes | SHA256: {sha256}") except Exception as e: print(f"Failed to process {path}: {e}") def main(): parser = argparse.ArgumentParser(description="Binary Analysis Toolkit") subparsers = parser.add_subparsers(dest='command') subparsers.add_parser('hash', help="Calculate MD5/SHA1/SHA256 hashes") subparsers.add_parser('entropy', help="Calculate file entropy") subparsers.add_parser('strings', help="Extract ASCII strings from file") b64_parser = subparsers.add_parser('b64decode', help="Decode Base64 string") b64_parser.add_argument('string') xor_parser = subparsers.add_parser('xordecode', help="XOR decode hex string with key") xor_parser.add_argument('hex_string') xor_parser.add_argument('key') str2b = subparsers.add_parser('str2bytes', help="Convert string to bytes") str2b.add_argument('string') hex2b = subparsers.add_parser('hex2bytes', help="Convert hex string to bytes") hex2b.add_argument('hex_string') unpack = subparsers.add_parser('unpackle', help="Unpack little-endian hex string to int") unpack.add_argument('hex_string') yara = subparsers.add_parser('yara', help="Generate YARA rule from strings") yara.add_argument('name') yara.add_argument('strings', nargs='+') shellcode = subparsers.add_parser('disasm', help="Disassemble shellcode (x86)") shellcode.add_argument('hex_string') peparse = subparsers.add_parser('peparse', help="Parse PE file headers") peparse.add_argument('file') ioc = subparsers.add_parser('iocs', help="Extract IOCs (URLs, IPs, Emails)") ioc.add_argument('file') carve = subparsers.add_parser('carvepe', help="Carve PE files from memory dump") carve.add_argument('file') carve.add_argument('--out', default='carved') batch = subparsers.add_parser('batchscan', help="Batch scan directory for SHA256 hashes") batch.add_argument('directory') args = parser.parse_args() if args.command == 'hash' and args.file: calc_hashes(args.file) elif args.command == 'entropy' and args.file: calc_entropy(args.file) elif args.command == 'strings' and args.file: extract_strings(args.file) elif args.command == 'b64decode': base64_decode(args.string) elif args.command == 'xordecode': xor_decode(args.hex_string, args.key) elif args.command == 'str2bytes': string_to_bytes(args.string) elif args.command == 'hex2bytes': hex_to_bytes(args.hex_string) elif args.command == 'unpackle': unpack_le(args.hex_string) elif args.command == 'yara': yara_rule_from_strings(args.name, args.strings) elif args.command == 'disasm': disassemble_shellcode(args.hex_string) elif args.command == 'peparse': parse_pe_headers(args.file) elif args.command == 'iocs': extract_iocs(args.file) elif args.command == 'carvepe': carve_pe_from_memory(args.file, args.out) elif args.command == 'batchscan': batch_scan(args.directory) else: parser.print_help() if __name__ == "__main__": main() {% endraw %}
Disassemble shellcode	pe
from capstone import * CODE = b"\x55\x48\x8b\x05\xb8\x13\x00\x00" md = Cs(CS_ARCH_X86, CS_MODE_64) for i in md.disasm(CODE, 0x1000): print(f"0x{i.address:x}:\t{i.mnemonic}\t{i.op_str}")
Dump PE headers	pe
{% raw %} import sys import pefile def dump_pe_headers(file_path): try: pe = pefile.PE(file_path) except pefile.PEFormatError: print(f"[!] {file_path} is not a valid PE file.") return print(f"== PE Header Info: {file_path} ==") print(f"Entry Point: 0x{pe.OPTIONAL_HEADER.AddressOfEntryPoint:X}") print(f"Image Base: 0x{pe.OPTIONAL_HEADER.ImageBase:X}") print(f"Subsystem: {pe.OPTIONAL_HEADER.Subsystem}") print(f"Number of Sections: {pe.FILE_HEADER.NumberOfSections}") print(f"Timestamp: {pe.FILE_HEADER.TimeDateStamp}") print("\n== Sections ==") for section in pe.sections: name = section.Name.decode(errors='ignore').rstrip('\x00') vsize = section.Misc_VirtualSize rsize = section.SizeOfRawData vaddr = section.VirtualAddress print(f"[{name}] VA: 0x{vaddr:X}, VS: {vsize}, RS: {rsize}, Entropy: {section.get_entropy():.2f}") print("\n== Imports ==") if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'): for entry in pe.DIRECTORY_ENTRY_IMPORT: print(f"{entry.dll.decode()}:") for imp in entry.imports: print(f" {hex(imp.address)} {imp.name}") else: print("No import table found.") print("\n== Exports ==") if hasattr(pe, 'DIRECTORY_ENTRY_EXPORT'): for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols: print(f" Ordinal: {exp.ordinal} | Address: {hex(pe.OPTIONAL_HEADER.ImageBase + exp.address)} | Name: {exp.name}") else: print("No export table found.") if __name__ == "__main__": if len(sys.argv) != 2: print("Usage: python3 dump_pe_headers.py <pe_file>") sys.exit(1) dump_pe_headers(sys.argv[1]) {% endraw %}
Encryption: Detect RC4	pe, encryption
{% raw %} import sys import os from collections import Counter def rc4_stream(key, data_len): S = list(range(256)) j = 0 key = [k for k in key] for i in range(256): j = (j + S[i] + key[i % len(key)]) % 256 S[i], S[j] = S[j], S[i] i = j = 0 keystream = [] for _ in range(data_len): i = (i + 1) % 256 j = (j + S[i]) % 256 S[i], S[j] = S[j], S[i] keystream.append(S[(S[i] + S[j]) % 256]) return bytes(keystream) def is_mostly_ascii(data, threshold=0.85): return sum(32 <= b <= 126 for b in data) / len(data) > threshold def try_rc4_keys(data, key_lengths=(5, 6, 8, 16)): results = [] for offset in range(0, len(data) - 512, 256): chunk = data[offset:offset+512] for key_len in key_lengths: for i in range(0, len(chunk) - key_len - 256, 64): key_candidate = chunk[i:i+key_len] stream = rc4_stream(key_candidate, 256) plaintext = bytes([c ^ s for c, s in zip(chunk[i+key_len:i+key_len+256], stream)]) if is_mostly_ascii(plaintext): results.append({ 'key': key_candidate, 'offset': offset + i, 'preview': plaintext[:100], 'full': plaintext }) return results def format_key(key): return ' '.join(f'{b:02x}' for b in key) if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python3 detect_rc4.py <binary_file>") sys.exit(1) filename = sys.argv[1] with open(filename, "rb") as f: data = f.read() print(f"[+] Scanning for RC4-encrypted blocks in: {filename}") results = try_rc4_keys(data) if results: os.makedirs("rc4_output", exist_ok=True) for i, result in enumerate(results): print(f"[!] Potential RC4 key found at offset 0x{result['offset']:x}") print(f" Key: {format_key(result['key'])}") print(f" Preview: {result['preview'].decode(errors='ignore')}") out_file = f"rc4_output/rc4_candidate_{i}.bin" with open(out_file, "wb") as f: f.write(result['full']) print(f" Full output saved to: {out_file}") else: print("[-] No RC4-encrypted content detected.") {% endraw %}
Encryption: Detect XOR	pe, encryption
{% raw %} import sys def detect_xor(data, threshold=5): """ Detect possible XOR-encoded blocks in a binary blob. Looks for blocks with low entropy that become readable ASCII after XOR. """ results = [] for key in range(1, 256): decoded = bytes([b ^ key for b in data]) printable = sum([32 <= c <= 126 for c in decoded]) ratio = printable / len(decoded) if ratio > 0.85: results.append((key, decoded[:200])) return results def sliding_windows(buf, size=256, step=128): for i in range(0, len(buf) - size, step): yield i, buf[i:i+size] if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python3 detect_xor.py <binary_file>") sys.exit(1) filename = sys.argv[1] with open(filename, "rb") as f: data = f.read() print(f"[+] Scanning for XOR-encoded blocks in: {filename}") found = False for offset, block in sliding_windows(data): hits = detect_xor(block) for key, preview in hits: print(f"[!] Possible XOR key: 0x{key:02x} at offset 0x{offset:x}") print(f" Decoded preview: {preview.decode(errors='ignore')[:100]}") found = True if not found: print("[-] No obvious XOR-encoded data found.") {% endraw %}
Encryption: Detect XOR Advanced	pe, encryption
{% raw %} import sys import math import os from itertools import cycle def entropy(data): if not data: return 0 occurences = [0] * 256 for byte in data: occurences[byte] += 1 entropy = 0 for count in occurences: if count: p_x = count / len(data) entropy -= p_x * math.log2(p_x) return entropy def detect_xor(data, max_key_len=4, min_ascii_ratio=0.85, max_entropy=5.5): results = [] for key_len in range(1, max_key_len + 1): for i in range(0, len(data) - key_len): key = data[i:i+key_len] decoded = bytes([b ^ k for b, k in zip(data, cycle(key))]) printable = sum([32 <= c <= 126 for c in decoded]) ratio = printable / len(decoded) ent = entropy(decoded) if ratio > min_ascii_ratio and ent < max_entropy: results.append({ 'key': key, 'offset': i, 'ratio': ratio, 'entropy': ent, 'preview': decoded[:100], 'decoded': decoded }) return results def sliding_windows(buf, size=512, step=256): for i in range(0, len(buf) - size, step): yield i, buf[i:i+size] def format_key(key): return ' '.join(f'{b:02x}' for b in key) if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python3 detect_xor_advanced.py <binary_file> [--output]") sys.exit(1) filename = sys.argv[1] enable_output = "--output" in sys.argv with open(filename, "rb") as f: data = f.read() if enable_output: os.makedirs("output", exist_ok=True) print(f"[+] Scanning for XOR-encoded blocks in: {filename}") found = False counter = 0 for offset, block in sliding_windows(data): hits = detect_xor(block) for hit in hits: print(f"[!] XOR key: {format_key(hit['key'])} at offset 0x{offset + hit['offset']:x}") print(f" Entropy: {hit['entropy']:.2f}, Printable Ratio: {hit['ratio']:.2f}") print(f" Decoded preview: {hit['preview'].decode(errors='ignore')}") if enable_output: output_file = f"output/decoded_output_{counter}.bin" with open(output_file, "wb") as out: out.write(hit['decoded']) print(f" Full decoded output saved to: {output_file}") counter += 1 found = True if not found: print("[-] No XOR-encoded data found.") {% endraw %}
Extract MZ from file	pe
def extract_pe_from_file(filepath): with open(filepath, "rb") as f: data = f.read() pe_offsets = [m.start() for m in re.finditer(b'MZ', data)] for i, offset in enumerate(pe_offsets): with open(f"extracted_{i}.exe", "wb") as out: out.write(data[offset:offset + 1024 * 1024]) # 1MB max extract
Extract URLs from binary	pe
import re def extract_urls(filename): with open(filename, "rb") as f: data = f.read() urls = re.findall(rb"https?://[^\s\"']+", data) return [u.decode("utf-8", errors="ignore") for u in urls] print(extract_urls("malware_sample.bin"))
Config extractor: AgentTesla	extractor
{% raw %} import re def extract_strings(filename, min_len=4): with open(filename, 'rb') as f: data = f.read() pattern = rb'[ -~]{%d,}' % min_len return re.findall(pattern, data) for s in extract_strings("sample.bin"): print(s.decode(errors="ignore")) {% endraw %}
Config extractor: Formbook	extractor
{% raw %} import re def extract_formbook_config(data): pattern = rb'(http[s]?://[a-zA-Z0-9\.\-]+/[^\s]+\.php)' return re.findall(pattern, data) if __name__ == "__main__": with open("sample.bin", "rb") as f: data = f.read() config = extract_formbook_config(data) print(config) {% endraw %}
Config extractor: Lokibot	extractor
{% raw %} import re def extract_lokibot_config(data): pattern = rb'(http[s]?://[a-zA-Z0-9\.\-]+/panel/[^\s]+)' return re.findall(pattern, data) if __name__ == "__main__": with open("sample.bin", "rb") as f: data = f.read() config = extract_lokibot_config(data) print(config) {% endraw %}
Config extractor: Qakbot	extractor
{% raw %} import re def extract_qakbot_config(data): pattern = rb'\x00\x00\x00\x01.{4}(.{256})' matches = re.findall(pattern, data, re.DOTALL) return matches if __name__ == "__main__": with open("sample.bin", "rb") as f: data = f.read() config = extract_qakbot_config(data) print(config) {% endraw %}
Config extractor: Racoon Stealer	extractor
{% raw %} import re def extract_racoon_config(data): pattern = rb'(http[s]?://[\w\.-]+(:\d+)?/gateway)' return re.findall(pattern, data) if __name__ == "__main__": with open("sample.bin", "rb") as f: data = f.read() config = extract_racoon_config(data) for url in config: print(url[0].decode()) {% endraw %}
Config extractor: Redline Stealer	extractor
{% raw %} import re import base64 def extract_redline_config(data): urls = re.findall(rb'(https?://[^\s\'"]+)', data) b64_configs = re.findall(rb'([A-Za-z0-9+/=]{50,})', data) decoded_configs = [] for b64 in b64_configs: try: decoded = base64.b64decode(b64) if b"http" in decoded: decoded_configs.append(decoded) except Exception: continue return {"urls": urls, "configs": decoded_configs} if __name__ == "__main__": with open("sample.bin", "rb") as f: data = f.read() config = extract_redline_config(data) print(config) {% endraw %}
Config extractor: Vidar Stealer	extractor
{% raw %} import re def extract_vidar_config(data): pattern = rb'(http[s]?://[\w\.-]+/gate\.php)' return re.findall(pattern, data) if __name__ == "__main__": with open("sample.bin", "rb") as f: data = f.read() config = extract_vidar_config(data) print(config) {% endraw %}
Find binary strings	pe
{% raw %} import re def extract_strings(filename, min_len=4): with open(filename, "rb") as f: data = f.read() pattern = rb"[ -~]{%d,}" % min_len return re.findall(pattern, data) for s in extract_strings("sample.bin"): print(s.decode(errors="ignore")) {% endraw %}
Generate file hash	file
import hashlib def hash_file(filepath): hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()} with open(filepath, "rb") as f: while chunk := f.read(8192): for h in hashes.values(): h.update(chunk) return {k: h.hexdigest() for k, h in hashes.items()} print(hash_file("sample.exe"))
Generate yara rule template	yara
def yara_rule_template(name, strings): rule = f"rule {name}\n strings:\n" for i, s in enumerate(strings): rule += f" $s{i} = \"{s}\"\n" rule += " condition:\n all of them\n}" return rule print(yara_rule_template("SampleRule", ["malicious", "http://evil.com"]))
Match file with yara rule	yara
import yara rules = yara.compile(filepath="rules.yar") matches = rules.match("sample.exe") print(matches)
Packer detection	pe
import pefile def is_packed(pe): entropy_threshold = 7.0 for section in pe.sections: if section.get_entropy() > entropy_threshold: return True return False pe = pefile.PE("sample.exe") print("Likely Packed" if is_packed(pe) else "Not Packed")
PE file analysis	pe
import pefile pe = pefile.PE("sample.exe") # Print imported DLLs and functions for entry in pe.DIRECTORY_ENTRY_IMPORT: print(f"[*] {entry.dll.decode()}") for imp in entry.imports: print(f"\t{hex(imp.address)}: {imp.name}")