Daniel Stinson-Diess shellcromancer

💻 Hacking
@shellcromancer
shellcromancer / vul_list.c
Created October 10, 2018 18:43
Vulnerable Linked List Program
#include <sys/mman.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
int backdoor = 0;
struct node {
@shellcromancer
shellcromancer / vul_UAF.c
Created October 10, 2018 18:46
Vulnerable Use-After-Free Sample
#include <sys/mman.h>
#include <unistd.h>
#include <sys/types.h>
typedef struct {
int data;
void (*fp)(int);
} obj1;
typedef struct {

Keybase proof

I hereby claim:

  • I am shellcromancer on github.
  • I am shellcromancer (https://keybase.io/shellcromancer) on keybase.
  • I have a public key ASAd-lIOgtX3Pl3J20Y6R1D6kB1nFpxnYxBWfW4bXqK5pQo

To claim this, I am signing this object:

@shellcromancer
shellcromancer / pull_obj_see.py
Last active November 17, 2022 15:39
Pull all malware samples from https://objective-see.com/malware.html into a nice tree structure by sample type and unzip them.
#!/usr/bin/env python3
from collections import defaultdict
import io
import os
import requests
import sys
from typing import Dict, List
import zipfile
@shellcromancer
shellcromancer / alg_salsa20.yara
Created January 2, 2022 21:22
Identify code for the Salsa20 cryptographic algorithm.
rule alg_salsa20 {
meta:
desc = "Identify code for the Salsa20 cryptographic algorithm."
author = "@shellcromancer <root@shellcromancer.io>"
version = "0.1"
last_modified = "2022-01-02"
reference = "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions"
strings:
$const16 = "expand 16-byte k" ascii
$const32 = "expand 32-byte k" ascii
@shellcromancer
shellcromancer / alg_crypto_rc4.yara
Created January 4, 2022 04:12
Identify code for the RC4 cryptographic algorithm.
rule alg_crypto_rc4 {
meta:
description = "Identify code for the (A)RC4 cryptographic algorithm."
author = "@shellcromancer <root@shellcromancer.io>"
version = "0.1"
date = "2022-01-03"
reference = "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions#identifying-rc4-in-assembly"
reference = "https://0xc0decafe.com/detect-rc4-encryption-in-malicious-binaries/"
reference = "https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html"
strings:
@shellcromancer
shellcromancer / .bashrc
Last active January 5, 2022 12:12
Find function definitions from YARA matches
#!/bin/bash
matched_yara_fn() {
match_w_rz_cmds=$(yara -s "$1" "$2" | awk -F ':' '/1/ {printf "%s,aac; afi. @ $(?P %s)\n", $2, $1}');
IFS=$'\n'; while IFS= read -r line; do
oIFS=$IFS
IFS=',' read -r match rzcmd <<< "${line}"
echo "$(rizin -qc "$rzcmd" "$2") contains match for $match";
rule alg_crypto_aes {
meta:
description = "Identify code/constants for the AES cryptographic algorithm."
author = "@shellcromancer <root@shellcromancer.io>"
version = "0.1"
date = "2022-01-03"
reference = "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions-aes"
strings:
// T-Table value
$c1 = { a5 63 63 c6 }
@shellcromancer
shellcromancer / alg_crypto_crc32.yara
Created January 7, 2022 03:25
Identify constants in the CRC32 cryptographic algorithm.
rule alg_crypto_crc32 {
meta:
description = "Identify constants in the CRC32 cryptographic algorithm."
author = "@shellcromancer <root@shellcromancer.io>"
version = "0.1"
creation_date = "2022-01-06"
reference = "https://en.wikipedia.org/wiki/Cyclic_redundancy_check#CRC-32_algorithm"
reference = "http://www.woodmann.com/fravia/crctut1.htm"
hash = "c4f370622b7c8da5247e78a22e04a7778bd6712dbb84a05e60136b8defca4eed"
location = "0x00401b50"
@shellcromancer
shellcromancer / imov_stackstrings.yara
Created January 8, 2022 03:51
YARA rule to find stack strings via indirect moves.
rule obfus_stackstring_imov {
meta:
description = "Identify stack-strings obfuscation via indirect moves."
author = "@shellcromancer <root@shellcromancer.io>"
version = "0.1"
date = "2022-01-07"
reference = "https://www.mandiant.com/resources/automatically-extracting-obfuscated-strings"
strings:
$mov_r = { c6 4? ?? 72 } // mov byte [rdi + ?], 0x72 ; 'r'
$mov_s = { c6 4? 0? 73 } // mov byte [rdi + ?], 0x73 ; 's'