Dump-GUY
/ ExtractAsyncRatConfig_PowerShell_Reflection.ps1
Last active
November 7, 2022 20:48
Simple show-off using PowerShell and Reflection to extract AsyncRat config
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simple show-off using PowerShell and Reflection to extract AsyncRat config | |
| # Example Sample: https://bazaar.abuse.ch/sample/2a2d9b1e17cd900edcdf8d26a8ba95ba41ae276d4e0d2400e85602c51e0ab73b/ | |
| # Twitter Info: https://twitter.com/vinopaljiri/status/1589721140318339072 | |
| # get the class where config is initialized | |
| $settingsClass = [System.Reflection.Assembly]::LoadFile("C:\showoff\AsyncRat.bin").GetTypes() | ?{$_.Name -like "Settings"} | |
| # class is static so we are not creating instance of it in Invoke | |
| # by invoking method that is responsible for populting fields we get them decrypted (remember reflection Rocks :)) | |
| ($settingsClass.GetMethods() | ? {$_.Name -like "InitializeSettings"}).Invoke($null, $null) | Out-Null |
Dump-GUY
/ Program.cs
Last active
June 21, 2024 21:08
Example of DynamicCompiler - dynamically compile C# code -> but it actually spawns csc.exe
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.CodeDom.Compiler; | |
| using Microsoft.CSharp; | |
| using System.Linq; | |
| namespace DynamicCompiler | |
| { | |
| internal class Program | |
| { | |
| public static void DynamicRun(string codes, string clazz, string method, string[] args) |
Dump-GUY
/ ImplMap2x64dbg.py
Last active
November 7, 2022 20:39
Creates x64dbg script for setting breakpoints on defined ImplMap (PInvoke) methods of .NET executable
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import dnfile, sys, os | |
| def Main(): | |
| if(len(sys.argv) != 2 or sys.argv[1] == '-h' or sys.argv[1] == '--help'): | |
| print("Description: Creates x64dbg script for setting breakpoints on defined ImplMap (PInvoke) methods of .NET executable") | |
| print(f"Usage: {os.path.basename(sys.argv[0])} <filepath>\n") | |
| sys.exit() | |
| file_path = sys.argv[1] | |
| script_path = file_path + "_x64dbg.txt" |
Dump-GUY
/ quick-disable-windows-defender.bat
Created
June 9, 2022 15:08
— forked from shadyeip/quick-disable-windows-defender.bat
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!! | |
| rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference | |
| rem To also disable Windows Defender Security Center include this | |
| rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | |
| rem 1 - Disable Real-time protection | |
| reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
NewerOlder