drakonia (dr4k0nia)
Security Researcher specializing in .NET malware analysis and tooling
Since AgentTesla started using my XorStringsNET obfuscator to encrypt strings in their malware, I decided to write a quick guide on how to decrypt the strings again.
Observed in unpacked child SHA256: d56f2852762f7f9fcb07eaf018e143ab1e4ad46e1f2e943faf13618388ef21a2
Original sample SHA256: e66ffcfe9fb0d0cd80d96dcfd96e4941d3c2389d227f2655391cfdbc3bcd637c
A very minimalistic approach to calling .NET runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references, since the required member is resolved dynamically from the mscorlib assembly at runtime. Read the blog post: https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avo…
Unpacking scripts from my livestream on unpacking and analysing the DuckTail stealer malware
Quick and dirty deobfuscator for an AutoIT script that is part of a malware sample, SHA256: db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f
Abusing homoglyphs in .NET "Obfuscation" (Write up)
A while ago I watched a very interesting DEF CON talk called "Repsych: Psychological Warfare in Reverse Engineering" by Chris Domas. In his talk, Chris showed how one could fool and/or piss off reverse engineers with some little tricks. This got me thinking: what could I do in .NET to piss off and/or fool reverse engineers? After reading about homoglyphs, I had a fun little idea.
What are homoglyphs?
Homoglyphs are characters that look the same but are actually different code points, often from different alphabets. For our obfuscation concept, we abuse the fact that there are Unicode characters that look just like normal Latin letters.
How can we use homoglyphs?
Since the homoglyph characters look just like Latin characters, we can use them to create two identical-looking names that are actually different. For example, we could replace the character M in the name <Module> with an M from a different alphabet.
Simple decryption routine for the strings and 2nd-stage payload of malware sample SHA256: 169bf7d8d5240de6e4d3df6f6be95198075c22620d84d5e95cfc3c5f4e2e4f43
An example of using x64 syscall shellcode to call NtProtectVirtualMemory
Destiny 2 Twitch Extension: auto-react to Trials matches using Tampermonkey