I hereby claim:
- I am dr4k0nia on github.
- I am drakonia (https://keybase.io/drakonia) on keybase.
- I have a public key ASDJQW68e8R8Pr2vUw-Ro9isLWz5D8Dd8lPF6kRy2ArDsAo
To claim this, I am signing this object:
dr4k0nia
/ keybase.md
Created
December 2, 2019 20:56
dr4k0nia
/ Homoglyph_Obfuscation.md
Last active
October 28, 2022 16:55
Abusing homoglyphs in .NET "Obfuscation" (Write up)
A while ago I watched a very interesting DEF CON talk called "Repsych: Psychological Warfare in Reverse Engineering" by Chris Domas. In his talk Chris talked about how one could fool and or piss off reverse engineers with some little tricks. This got me thinking what can I do in .net to piss off and or fool reverse engineers. After reading about homoglyphs I had a fun little idea.
Homoglyphs are characters that look the same but are actually from different alphabets. For our obfuscation concept, we will abuse the fact that there are unicode characters that look just like normal latin letters.
So since the homoglyph characters look just like latin characters, we can use them to have to identical looking names that are actually different. For example we could replace the character M in the name <Module> with an M from a different alphabet.
dr4k0nia
/ DynamicInvokeExample.cs
Last active
September 12, 2021 16:37
DynamicInvoke of native functions using GetProcAddress
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System.Diagnostics; | |
| using System.Text; | |
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace Code_Projects | |
| { | |
| public static class DynamicInvokeExample | |
| { |
dr4k0nia
/ Suscall.cs
Created
August 3, 2021 13:30
An example of using x64 syscall shellcode to call NtProtectVirtualMemory
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.ComponentModel; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace Code_Projects | |
| { | |
| public unsafe class Suscall | |
| { | |
| [DllImport("kernel32", SetLastError = true)] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Simple crackme example by drakonia | |
| Console.WriteLine("Enter the correct password:"); | |
| string? solution = null; | |
| while (solution == null) | |
| { | |
| string? input = Console.ReadLine(); | |
| solution = Verify(input); | |
| } |
dr4k0nia
/ D2_ReactionFarmer.js
Created
July 25, 2022 14:18
Destiny 2 Twitch Extension auto react to trials matches using Tampermonkey
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // ==UserScript== | |
| // @name D2 Reaction Farmer | |
| // @namespace https://github.com/dr4k0nia | |
| // @version 1.0 | |
| // @description Auto click reaction for Destiny 2 Twitch Extension | |
| // @author drakonia | |
| // @match https://63i11l5ul8pm3buvheb3j2oyflbhtw.ext-twitch.tv/63i11l5ul8pm3buvheb3j2oyflbhtw/1.61/a2539f7f48a126bb354318161238275c/video_overlay.html* | |
| // @run-at document-end | |
| // @icon https://raw.githubusercontent.com/justrealmilk/destiny-icons/8b697d4529262a850d0c987ca78db86d3989850b/factions/faction_osiris.svg | |
| // @grant none |
dr4k0nia
/ HInvoke.cs
Last active
November 14, 2024 09:32
A very minimalistic approach of calling .net runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references since we dynamically resolve the required member from the mscorlib assembly on runtime. Read the blog post: https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avo…
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System.Linq; | |
| using System.Reflection; | |
| namespace HashInvoke; | |
| public class HInvoke | |
| { | |
| public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null) | |
| { | |
| // Get the System assembly and go trough all its types hash their name |
dr4k0nia
/ Decryption.linq
Last active
October 6, 2022 20:39
Simple Decryption Routine for strings and 2nd stage payload of malware sample SHA256: 169bf7d8d5240de6e4d3df6f6be95198075c22620d84d5e95cfc3c5f4e2e4f43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void Main() | |
| { | |
| Decrypt("bISU^wHNIS").Dump(); | |
| Decrypt("fTTBJEK^").Dump(); | |
| Decrypt("kHFC").Dump(); | |
| var file = File.ReadAllBytes("ThomasEdinson.bin"); | |
| var result = file.Select(new Func<byte, int, byte>(stageDecryption)).ToArray<byte>(); | |
dr4k0nia
/ Program.cs
Created
January 15, 2023 20:21
Quick and Dirty deobfuscator for an AutoIT script part of a malware sample, SHA256: db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Deobfuscator for a3x file of sample SHA256: db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f | |
| using System.Text; | |
| using System.Text.RegularExpressions; | |
| internal class Program | |
| { | |
| private static void Main(string[] args) | |
| { | |
| var strings = new StringBuilder(); | |
| string pattern = @"DoctrineDrama\(""(\w+)"",\s*(\d+)\)"; |
Unpacking XorStringsNET
Since AgentTesla started using my XorStringsNET obfuscator to encrypt strings in their malware I decided to write a quick guide on how to decrypt the strings again.
Observed in unpacked child SHA256: d56f2852762f7f9fcb07eaf018e143ab1e4ad46e1f2e943faf13618388ef21a2
Original sample SHA256: e66ffcfe9fb0d0cd80d96dcfd96e4941d3c2389d227f2655391cfdbc3bcd637c
Using de4dot
OlderNewer