iMHLv2
iMHLv2
/ GenericPowershell
Last active
May 1, 2023 19:24
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule GenericPowershell | |
| { | |
| strings: | |
| $a = "PS>function" | |
| $b = "Invoke-Expression" | |
| $c = "<MS><S N=" | |
| $d = "</MS></Obj>" | |
| $e = "CompileAssemblyFromSource" | |
| $f = "Remoting.RemoteHostMethodId" | |
| $g = "<resp:Arguments" |
iMHLv2
/ gist:cb05924e1d6317a20fdc
Created
November 2, 2015 14:55
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @staticmethod | |
| def shimcache_xp(address_space): | |
| """Enumerate entries from the shared memory section | |
| on XP systems.""" | |
| seen = [] | |
| shim = lambda x : (x.Tag == "Vad " and | |
| x.VadFlags.Protection == 4) | |
| for process in tasks.pslist(address_space): |
iMHLv2
/ gist:8def92d6c3d604273f41
Created
December 9, 2014 17:42
Experimentation with Volatility's Windows 10 TP x64 Branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get the Win10 branch of Volatility | |
| git clone -b win10tp https://github.com/volatilityfoundation/volatility.git | |
| # Get the memory dump | |
| https://www.sendspace.com/pro/dl/0cte2h | |
| # Run some commands |