I hereby claim:
- I am shellcromancer on github.
- I am shellcromancer (https://keybase.io/shellcromancer) on keybase.
- I have a public key ASAd-lIOgtX3Pl3J20Y6R1D6kB1nFpxnYxBWfW4bXqK5pQo
To claim this, I am signing this object:
| #!/bin/bash | |
| matched_yara_fn() { | |
| match_w_rz_cmds=$(yara -s "$1" "$2" | awk -F ':' '/1/ {printf "%s,aac; afi. @ $(?P %s)\n", $2, $1}'); | |
| IFS=$'\n'; while IFS= read -r line; do | |
| oIFS=$IFS | |
| IFS=',' read -r match rzcmd <<< "${line}" | |
| echo "$(rizin -qc "$rzcmd" "$2") contains match for $match"; |
| rule alg_crypto_rc4 { | |
| meta: | |
| descrption = "Identify code for the (A)RC4 cryptographic algorithm." | |
| author = "@shellcromancer <[email protected]>" | |
| version = "0.1" | |
| date = "2022-01-03" | |
| reference = "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions#identifying-rc4-in-assembly" | |
| reference = "https://0xc0decafe.com/detect-rc4-encryption-in-malicious-binaries/" | |
| reference = "https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html" | |
| strings: |
| rule alg_salsa20 { | |
| meta: | |
| desc = "Identify code for the Salsa20 cryptographic algorithm." | |
| author = "@shellcromancer <[email protected]>" | |
| version = "0.1" | |
| last_modified = "2022-01-02" | |
| reference = "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions" | |
| strings: | |
| $const16 = "expand 16-byte k" ascii | |
| $const32 = "expand 32-byte k" ascii |
| #!/usr/bin/env python3 | |
| from collections import defaultdict | |
| import io | |
| import os | |
| import requests | |
| import sys | |
| from typing import Dict, List | |
| import zipfile |
I hereby claim:
To claim this, I am signing this object:
| #include <sys/mman.h> | |
| #include <unistd.h> | |
| #include <sys/types.h> | |
| typedef struct { /* obj1: an int field followed by a function pointer taking an int */ | |
| int data; /* integer payload */ | |
| void (*fp)(int); /* pointer to a function taking an int; who sets or calls it is not visible in this preview */ | |
| } obj1; | |
| typedef struct { |
| #include <sys/mman.h> | |
| #include <unistd.h> | |
| #include <sys/types.h> | |
| #include <stdbool.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| int backdoor = 0; /* global integer, explicitly zero-initialised; where it is read or written lies outside this preview */ | |
| struct node { |