Daniel Stinson-Diess shellcromancer

💻
Hacking
View GitHub Profile
shellcromancer / .bashrc
Last active January 5, 2022 12:12
Find function definitions from YARA matches
#!/bin/bash
matched_yara_fn() {
    match_w_rz_cmds=$(yara -s "$1" "$2" | awk -F ':' '/1/ {printf "%s,aac; afi. @ $(?P %s)\n", $2, $1}');
    IFS=$'\n'; while IFS= read -r line; do
        oIFS=$IFS
        IFS=',' read -r match rzcmd <<< "${line}"
        echo "$(rizin -qc "$rzcmd" "$2") contains match for $match";
shellcromancer / alg_crypto_rc4.yara
Created January 4, 2022 04:12
Identify code for the RC4 cryptographic algorithm.
rule alg_crypto_rc4 {
    meta:
        description = "Identify code for the (A)RC4 cryptographic algorithm."
        author = "@shellcromancer <[email protected]>"
        version = "0.1"
        date = "2022-01-03"
        reference = "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions#identifying-rc4-in-assembly"
        reference = "https://0xc0decafe.com/detect-rc4-encryption-in-malicious-binaries/"
        reference = "https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html"
    strings:
shellcromancer / alg_salsa20.yara
Created January 2, 2022 21:22
Identify code for the Salsa20 cryptographic algorithm.
rule alg_salsa20 {
    meta:
        desc = "Identify code for the Salsa20 cryptographic algorithm."
        author = "@shellcromancer <[email protected]>"
        version = "0.1"
        last_modified = "2022-01-02"
        reference = "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions"
    strings:
        $const16 = "expand 16-byte k" ascii
        $const32 = "expand 32-byte k" ascii
shellcromancer / pull_obj_see.py
Last active November 17, 2022 15:39
Pull all malware samples from https://objective-see.com/malware.html into a nice tree structure by sample type and unzip them.
#!/usr/bin/env python3
from collections import defaultdict
import io
import os
import requests
import sys
from typing import Dict, List
import zipfile

Keybase proof

I hereby claim:

  • I am shellcromancer on github.
  • I am shellcromancer (https://keybase.io/shellcromancer) on keybase.
  • I have a public key ASAd-lIOgtX3Pl3J20Y6R1D6kB1nFpxnYxBWfW4bXqK5pQo

To claim this, I am signing this object:

shellcromancer / vul_UAF.c
Created October 10, 2018 18:46
Vulnerable Use-After-Free Sample
#include <sys/mman.h>
#include <unistd.h>
#include <sys/types.h>
typedef struct {
    int data;
    void (*fp)(int);
} obj1;
typedef struct {
shellcromancer / vul_list.c
Created October 10, 2018 18:43
Vulnerable Linked List Program
#include <sys/mman.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
int backdoor = 0;
struct node {