Using CFF Explorer, compare the File Size with the PE Size value (PE Size is the end of the last section on disk, i.e. the largest PointerToRawData + SizeOfRawData over the section headers). If File Size is less than PE Size the file is probably truncated and will not load; if File Size is larger, the extra bytes after the last section are an overlay worth carving out. See the Flare-On 7 challenge 2 solution for more details.
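The same check without CFF Explorer, as an added example (not from the Flare-On write-up): parse the section table with the standard library, compute the PE Size the way described above, and classify the file as truncated, exact, or carrying an overlay. The sample PE bytes are constructed inline (SizeOfOptionalHeader is set to 0, so it is not loadable, but the section arithmetic is the same as on a real binary).

```python
import struct
import sys

# Offsets and sizes from the PE/COFF specification.
DOS_E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def pe_size(data: bytes) -> int:
    """Offset at which the last section's raw data ends (CFF Explorer's "PE Size").

    Computed as max(PointerToRawData + SizeOfRawData) over all sections; the
    header block itself is used as a floor for images with no initialised data.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, DOS_E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_opt_hdr,) = struct.unpack_from("<H", data, coff + 16)
    sections = coff + COFF_HEADER_SIZE + size_of_opt_hdr
    end = sections + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        off = sections + i * SECTION_HEADER_SIZE
        # SizeOfRawData sits at +16, PointerToRawData at +20 in each header.
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        if size_raw:  # .bss-style sections take no space on disk
            end = max(end, ptr_raw + size_raw)
    return end


def check_truncation(data: bytes) -> dict:
    """Compare actual file size against PE Size and classify the result."""
    expected = pe_size(data)
    actual = len(data)
    if actual < expected:
        verdict = "truncated"
    elif actual > expected:
        verdict = "overlay"
    else:
        verdict = "ok"
    return {"file_size": actual, "pe_size": expected,
            "delta": actual - expected, "verdict": verdict}


def build_sample_pe() -> bytes:
    """Constructed minimal PE-like blob for the demo (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW_OFFSET, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTable, NumSyms,
    # SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)

    def section(name, vsize, vaddr, rsize, rptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr,
                           rsize, rptr, 0, 0, 0, 0, chars)

    hdrs = section(b".text", 0x100, 0x1000, 0x200, 0x200, 0x60000020)
    hdrs += section(b".data", 0x100, 0x2000, 0x200, 0x400, 0xC0000040)
    image = bytes(dos) + PE_SIGNATURE + coff + hdrs
    return image + b"\0" * (0x600 - len(image))  # pad to end of .data raw data


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(check_truncation(blob))
```

Run it on a dropped file with `python pe_size.py sample.bin`; a negative delta means bytes are missing from the tail, a positive one means an overlay to carve.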
- HTTPS: server names from the TLS Client Hello SNI extension (in current tshark the `ssl.*` field prefix is only a deprecated alias for `tls.*`)
tshark -r traffic_example.pcapng -Y "tls.handshake.type == 1" -T fields -e tls.handshake.extensions_server_name | sort | uniq -c
- HTTP: Host headers, excluding SSDP (HTTP-over-UDP discovery noise from the local network)
tshark -r traffic_example.pcapng -Y "http.request and !(ssdp)" -T fields -e http.host | sort | uniq -c
- Both in one pass; the counts from uniq -c show which host the sample talks to most
tshark -r traffic_example.pcapng -Y "(tls.handshake.type == 1 or http.request) and !(ssdp)" -T fields -e tls.handshake.extensions_server_name -e http.host | sort | uniq -c
HashDB lookups can also be done directly from the disassembler with the plugin https://github.com/OALabs/hashdb-ghidra. From Python, the two-step flow is: hunt for the algorithm, then look the hash up under that algorithm.
import requests

HASHDB_HUNT_URL = 'https://hashdb.openanalysis.net/hunt'
HASHDB_HASH_URL = 'https://hashdb.openanalysis.net/hash'

api_hash = 572265531

# Step 1: "hunt" asks HashDB which hashing algorithm(s) produce a hit for this value.
hunt_request = {"hashes": [api_hash]}
r = requests.post(HASHDB_HUNT_URL, json=hunt_request, timeout=10)
r.raise_for_status()
print(r.json())
# {'hits': [{'algorithm': 'add1501_shl5', 'count': 1, 'hitrate': 1.0}]}

# Step 2: look the hash up under the reported algorithm to recover the string.
algorithm = r.json()['hits'][0]['algorithm']
r = requests.get(f"{HASHDB_HASH_URL}/{algorithm}/{api_hash}", timeout=10)
r.raise_for_status()
print(r.json())
# {'hashes': [{'hash': 572265531, 'string': {'string': 'ZwAllocateVirtualMemory', 'is_api': True, 'permutation': 'api', 'api': 'ZwAllocateVirtualMemory', 'modules': ['ntdll']}}]}
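Once HashDB has named the algorithm, it is usually faster to reimplement it locally and resolve every hash in the sample's import table in one pass, offline, than to make a request per hash. The block below is an added example, not HashDB's code or the `add1501_shl5` implementation: it uses classic djb2 (`h = (h << 5) + h + c`, seed 0x1505) as an assumed stand-in algorithm, and a small constructed list of candidate exports; swap in the algorithm HashDB reported and a real export list dumped from the target DLLs.

```python
DJB2_SEED = 0x1505  # 5381; assumed stand-in algorithm, replace with the real one


def djb2(name: str, seed: int = DJB2_SEED) -> int:
    """Classic djb2 over the ASCII bytes of name, truncated to 32 bits."""
    h = seed
    for b in name.encode("ascii"):
        h = ((h << 5) + h + b) & 0xFFFFFFFF
    return h


# Constructed candidate export list; in practice dump the export tables of the
# DLLs the sample resolves from (e.g. with pefile) and feed them in here.
CANDIDATE_EXPORTS = {
    "ntdll": ["NtAllocateVirtualMemory", "ZwAllocateVirtualMemory",
              "NtProtectVirtualMemory", "LdrLoadDll", "RtlMoveMemory"],
    "kernel32": ["VirtualAlloc", "VirtualProtect", "CreateRemoteThread",
                 "WriteProcessMemory", "LoadLibraryA", "GetProcAddress"],
}


def build_table(candidates: dict, hash_fn=djb2) -> dict:
    """Map hash value -> [(module, export)] for every candidate export.

    A list is kept per hash so collisions between modules are visible instead
    of silently overwritten.
    """
    table = {}
    for module, names in candidates.items():
        for name in names:
            table.setdefault(hash_fn(name), []).append((module, name))
    return table


def resolve(hashes, table: dict) -> dict:
    """Resolve each hash to its candidates; unknown hashes map to an empty list."""
    return {h: table.get(h, []) for h in hashes}


def annotate(hashes, table: dict) -> list:
    """Human-readable lines, e.g. for pasting back into disassembler comments."""
    lines = []
    for h, hits in resolve(hashes, table).items():
        label = ", ".join(f"{m}!{n}" for m, n in hits) if hits else "<unresolved>"
        lines.append(f"0x{h:08x} -> {label}")
    return lines


if __name__ == "__main__":
    table = build_table(CANDIDATE_EXPORTS)
    # Pretend these were pulled from the sample's hash array.
    sample_hashes = [djb2("VirtualAlloc"), djb2("ZwAllocateVirtualMemory"), 0xDEADBEEF]
    print("\n".join(annotate(sample_hashes, table)))
```

Unresolved entries are the interesting ones: they point either at an export missing from your candidate list or at a per-sample twist on the algorithm (a different seed, case folding, or the module name mixed into the hash).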
If the sample detects the debugger, load ScyllaHide in x64dbg; the Basic profile is usually enough https://github.com/x64dbg/ScyllaHide
- https://github.com/Fody/Costura Used for embedding dependency assemblies as resources inside the main .NET assembly; embedded dependencies show up as `costura.<name>.dll.compressed` resources and have to be extracted/decompressed before dnSpy can show them
- https://www.linqpad.net/ Use this for running/debugging snippets of .NET code (e.g. a recovered string-decryption routine), lightweight
- Use de4dot for generic deobfuscation first
- To remove type scramble protection use this https://github.com/ElectroHeavenVN/ConfuserEx-UnTypeScrambler
From dr4k0nia
- AsmResolver is a good project, similar to dnlib
- Edit the IL instruction if the string is too long for the UI
- Enable "show hidden compiler-generated types and methods"
- Edit the IL instruction and press n for nop