joshfinley
/ inject-profile-2.txt
Created
April 10, 2025 17:06
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| '=== NtReadVirtualMemory Called ===' | |
| Debug session time: Thu Apr 10 10:06:12.945 2025 (UTC - 7:00) | |
| System Uptime: 1 days 8:32:56.971 | |
| Process Uptime: 0 days 0:07:16.466 | |
| Kernel time: 0 days 0:00:00.093 | |
| User time: 0 days 0:00:00.046 | |
| 'RCX: ' + @rcx | |
| 'RDX: ' + @rdx | |
| 'R8: ' + @r8 | |
| 'R9: ' + @r9 |
joshfinley
/ inject-profile.txt
Created
April 10, 2025 16:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| '=== NtOpenProcess Called ===' | |
| Debug session time: Thu Apr 10 09:37:34.366 2025 (UTC - 7:00) | |
| System Uptime: 1 days 8:04:18.392 | |
| Process Uptime: 0 days 1:14:12.282 | |
| Kernel time: 0 days 0:00:39.859 | |
| User time: 0 days 0:00:13.328 | |
| 'RCX: ' + @rcx | |
| 'RDX: ' + @rdx | |
| 'R8: ' + @r8 | |
| 'R9: ' + @r9 |
joshfinley
/ sleep-profile.txt
Created
April 10, 2025 16:28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0:007> g | |
| '=== NtTerminateThread Called ===' | |
| Debug session time: Thu Apr 10 09:27:43.839 2025 (UTC - 7:00) | |
| System Uptime: 1 days 7:54:27.865 | |
| Process Uptime: 0 days 1:04:21.754 | |
| Kernel time: 0 days 0:00:39.687 | |
| User time: 0 days 0:00:13.328 | |
| 'RCX: ' + @rcx | |
| 'RDX: ' + @rdx | |
| 'R8: ' + @r8 |
joshfinley
/ ntcall-log-2.txt
Created
April 10, 2025 16:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0:009> g | |
| '=== NtTerminateThread Called ===' | |
| Debug session time: Thu Apr 10 09:19:51.565 2025 (UTC - 7:00) | |
| System Uptime: 1 days 7:46:35.591 | |
| Process Uptime: 0 days 0:15:59.024 | |
| Kernel time: 0 days 0:00:12.812 | |
| User time: 0 days 0:03:32.390 | |
| 'RCX: ' + @rcx | |
| 'RDX: ' + @rdx | |
| 'R8: ' + @r8 |
joshfinley
/ ntcall-log-1.txt
Created
April 10, 2025 16:19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0:008> g | |
| '=== NtTerminateThread Called ===' | |
| Debug session time: Thu Apr 10 09:17:36.486 2025 (UTC - 7:00) | |
| System Uptime: 1 days 7:44:20.512 | |
| Process Uptime: 0 days 0:13:43.946 | |
| Kernel time: 0 days 0:00:11.750 | |
| User time: 0 days 0:03:18.703 | |
| 'RCX: ' + @rcx | |
| 'RDX: ' + @rdx | |
| 'R8: ' + @r8 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| REM ============================================================ | |
| REM Simple ELAM Driver Signing Script | |
| REM ============================================================ | |
| REM To integrate with Visual Studio, update your SDK version | |
| REM paths below, disable default test signing, and add | |
| REM a post-build event to your build configurations in the | |
| REM driver VCXPROJ. For example, near the top, add: | |
| REM | |
| REM <PropertyGroup> |
joshfinley
/ Get-PossibleEtwRefs.ps1
Last active
March 31, 2025 17:07
Search for GUIDs in a target file or directory and check if it might be an ETW provider GUID using logman. Inspired by chapter 8 of "Evading EDR" by Matt Hand.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Search for GUIDs in a target file or directory and check | |
| # if it might be an ETW provider GUID using logman. | |
| # | |
| # Inspired by chapter 8 of "Evading EDR" by Matt Hand. | |
| # | |
| # Not fast but easy to deploy and use. | |
| param ( | |
| [string]$Path | |
| ) |
joshfinley
/ Get-EtwProviderAces.ps1
Created
March 31, 2025 01:41
Helper script to get SDDL for ETW Providers. Inspired by / draws from Chapter 8 of "Evading EDR" by Matt Hand
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Helper script to get SDDL/ACES for ETW Providers | |
| # Inspired by / draws from Chapter 8 of "Evading EDR" by Matt Hand | |
| param ( | |
| [Parameter(Mandatory = $false)] | |
| [string]$ProviderName, | |
| [Parameter(Mandatory = $false)] | |
| [Guid]$Guid | |
| ) |
joshfinley
/ Deploy-DriverToHyperVVM.ps1
Last active
March 30, 2025 03:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Deploy-DriverToVM.ps1 | |
| # Script to deploy debug drivers to Win11 Debug VM | |
| param ( | |
| [string]$VMName = "win-11-dbg", | |
| [string]$DriverPath = ".\x64\Debug\EtwResearchDriver\EtwResearchDriver.sys", | |
| [string]$VMDestPath = "C:\Drivers\EtwResearchDriver\", | |
| [string]$symbolPath = "C:\Symbols", | |
| [switch]$InstallDriver = $true, | |
| [System.Management.Automation.PSCredential]$Credential = $null |
joshfinley
/ find_etw_guid.js
Created
March 29, 2025 07:34
Windbg script for finding ETW information
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "use strict"; | |
| function initializeScript() | |
| { | |
| return [new host.apiVersionSupport(1, 7)]; | |
| } | |
| function findRegHandlesForGuid(targetGuidStr) | |
| { | |
| let dbgOutput = host.diagnostics.debugLog; |
NewerOlder