Matt Nelson enigma0x3
enigma0x3
/ Get-NonstandardService.ps1
Last active
August 12, 2022 15:41
— forked from HarmJ0y/Get-NonstandardService.ps1
Get-NonstandardService
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-NonstandardService { | |
| <# | |
| .SYNOPSIS | |
| Returns services where the associated binaries are either not signed, or are | |
| signed by an issuer not matching 'Microsoft'. | |
| Author: Will Schroeder (@harmj0y) | |
| License: BSD 3-Clause | |
| Required Dependencies: None |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $rpc = ls C:\Windows\System32\*.exe, C:\Windows\System32\*.dll |Get-RpcServer -DbgHelpPath "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll" | |
| foreach ($rpc1 in $rpc) | |
| { | |
| $ourObject = New-Object -TypeName psobject | |
| $ourObject | Add-Member -MemberType NoteProperty -Name InterfaceID -Value $rpc1.InterfaceID | |
| $ourObject | Add-Member -MemberType NoteProperty -Name FileName -Value $rpc1.Name | |
| $ourObject | Add-Member -MemberType NoteProperty -Name IsRunning -Value $rpc1.IsServiceRunning | |
| $ourObject | Add-Member -MemberType NoteProperty -Name EndpointCount -Value $rpc1.EndpointCount | |
| $procs = $rpc1.Procedures.Name | Out-String |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Add-Type -TypeDefinition @" | |
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| [StructLayout(LayoutKind.Sequential)] | |
| public struct PROCESS_INFORMATION | |
| { | |
| public IntPtr hProcess; public IntPtr hThread; public uint dwProcessId; public uint dwThreadId; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <xsl:stylesheet version="1.0" | |
| xmlns:xsl="http://www.w3.org/1999/XSL/Transform" | |
| xmlns:msxsl="urn:schemas-microsoft-com:xslt" | |
| xmlns:user="urn:my-scripts"> | |
| <msxsl:script language="VBScript" implements-prefix="user"> | |
| function myFunction() | |
| set shell=createobject("wscript.shell") | |
| shell.run "calc.exe",0 | |
| myFunction = 0 |
enigma0x3
/ gist:8bc8d4d529ef54b5371bf9a3c94529e4
Created
April 6, 2020 14:52
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Add-Type -TypeDefinition @" | |
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| [StructLayout(LayoutKind.Sequential)] | |
| public struct PROCESS_INFORMATION | |
| { | |
| public IntPtr hProcess; public IntPtr hThread; public uint dwProcessId; public uint dwThreadId; | |
| } |
OlderNewer