Skip to content

Instantly share code, notes, and snippets.

View dr4k0nia's full-sized avatar
🏴

drakonia dr4k0nia

🏴
609 followers · 40 following
View GitHub Profile
@dr4k0nia
dr4k0nia / DuckTail_Unpacker_ADAPTER.cs
Last active July 19, 2023 08:13
Unpacking scripts from my livestream, unpacking and analysing DuckTail stealer malware
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Threading;
public class Program
{
private void Main()
@dr4k0nia
dr4k0nia / HInvokeHashGen.cs
Created May 22, 2023 18:43
Tool to generate Hashes for HInvoke
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;
using System.Reflection;
using System.Text;
GetMethodHash("System.Reflection.Assembly", "Load");
@dr4k0nia
dr4k0nia / readme.md
Created February 24, 2023 13:32
Decrypting XorStringsNET the easy way

Unpacking XorStringsNET

Since AgentTesla started using my XorStringsNET obfuscator to encrypt strings in their malware I decided to write a quick guide on how to decrypt the strings again.

Observed in unpacked child SHA256: d56f2852762f7f9fcb07eaf018e143ab1e4ad46e1f2e943faf13618388ef21a2

Original sample SHA256: e66ffcfe9fb0d0cd80d96dcfd96e4941d3c2389d227f2655391cfdbc3bcd637c

Using de4dot

@dr4k0nia
dr4k0nia / Program.cs
Created January 15, 2023 20:21
Quick and Dirty deobfuscator for an AutoIT script part of a malware sample, SHA256: db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f
// Deobfuscator for a3x file of sample SHA256: db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f
using System.Text;
using System.Text.RegularExpressions;
internal class Program
{
private static void Main(string[] args)
{
var strings = new StringBuilder();
string pattern = @"DoctrineDrama\(""(\w+)"",\s*(\d+)\)";
@dr4k0nia
dr4k0nia / Decryption.linq
Last active October 6, 2022 20:39
Simple Decryption Routine for strings and 2nd stage payload of malware sample SHA256: 169bf7d8d5240de6e4d3df6f6be95198075c22620d84d5e95cfc3c5f4e2e4f43
void Main()
{
Decrypt("bISU^wHNIS").Dump();
Decrypt("fTTBJEK^").Dump();
Decrypt("kHFC").Dump();
var file = File.ReadAllBytes("ThomasEdinson.bin");
var result = file.Select(new Func<byte, int, byte>(stageDecryption)).ToArray<byte>();
@dr4k0nia
dr4k0nia / HInvoke.cs
Last active November 14, 2024 09:32
A very minimalistic approach of calling .net runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references since we dynamically resolve the required member from the mscorlib assembly on runtime. Read the blog post: https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avo…
using System.Linq;
using System.Reflection;
namespace HashInvoke;
public class HInvoke
{
public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null)
{
// Get the System assembly and go trough all its types hash their name
@dr4k0nia
dr4k0nia / D2_ReactionFarmer.js
Created July 25, 2022 14:18
Destiny 2 Twitch Extension auto react to trials matches using Tampermonkey
// ==UserScript==
// @name D2 Reaction Farmer
// @namespace https://github.com/dr4k0nia
// @version 1.0
// @description Auto click reaction for Destiny 2 Twitch Extension
// @author drakonia
// @match https://63i11l5ul8pm3buvheb3j2oyflbhtw.ext-twitch.tv/63i11l5ul8pm3buvheb3j2oyflbhtw/1.61/a2539f7f48a126bb354318161238275c/video_overlay.html*
// @run-at document-end
// @icon https://raw.githubusercontent.com/justrealmilk/destiny-icons/8b697d4529262a850d0c987ca78db86d3989850b/factions/faction_osiris.svg
// @grant none
@dr4k0nia
dr4k0nia / crackme.cs
Created January 25, 2022 20:12
Simple crackme example
// Simple crackme example by drakonia
Console.WriteLine("Enter the correct password:");
string? solution = null;
while (solution == null)
{
string? input = Console.ReadLine();
solution = Verify(input);
}
@dr4k0nia
dr4k0nia / Suscall.cs
Created August 3, 2021 13:30
An example of using x64 syscall shellcode to call NtProtectVirtualMemory
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace Code_Projects
{
public unsafe class Suscall
{
[DllImport("kernel32", SetLastError = true)]
@dr4k0nia
dr4k0nia / DynamicInvokeExample.cs
Last active September 12, 2021 16:37
DynamicInvoke of native functions using GetProcAddress
using System.Diagnostics;
using System.Text;
using System;
using System.Runtime.InteropServices;
namespace Code_Projects
{
public static class DynamicInvokeExample
{