joshfinley
/ ntcall-log-2.txt
Created
April 10, 2025 16:20
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0:009> g | |
| '=== NtTerminateThread Called ===' | |
| Debug session time: Thu Apr 10 09:19:51.565 2025 (UTC - 7:00) | |
| System Uptime: 1 days 7:46:35.591 | |
| Process Uptime: 0 days 0:15:59.024 | |
| Kernel time: 0 days 0:00:12.812 | |
| User time: 0 days 0:03:32.390 | |
| 'RCX: ' + @rcx | |
| 'RDX: ' + @rdx | |
| 'R8: ' + @r8 |
joshfinley
/ ntcall-log-1.txt
Created
April 10, 2025 16:19
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0:008> g | |
| '=== NtTerminateThread Called ===' | |
| Debug session time: Thu Apr 10 09:17:36.486 2025 (UTC - 7:00) | |
| System Uptime: 1 days 7:44:20.512 | |
| Process Uptime: 0 days 0:13:43.946 | |
| Kernel time: 0 days 0:00:11.750 | |
| User time: 0 days 0:03:18.703 | |
| 'RCX: ' + @rcx | |
| 'RDX: ' + @rdx | |
| 'R8: ' + @r8 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| REM ============================================================ | |
| REM Simple ELAM Driver Signing Script | |
| REM ============================================================ | |
| REM To integrate with Visual Studio, update your SDK version | |
| REM paths below, disable default test signing, and add | |
| REM a post-build event to your build configurations in the | |
| REM driver VCXPROJ. For example, near the top, add: | |
| REM | |
| REM <PropertyGroup> |
joshfinley
/ Get-PossibleEtwRefs.ps1
Last active
March 31, 2025 17:07
Search for GUIDs in a target file or directory and check if it might be an ETW provider GUID using logman. Inspired by chapter 8 of "Evading EDR" by Matt Hand.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Search for GUIDs in a target file or directory and check | |
| # if it might be an ETW provider GUID using logman. | |
| # | |
| # Inspired by chapter 8 of "Evading EDR" by Matt Hand. | |
| # | |
| # Not fast but easy to deploy and use. | |
| param ( | |
| [string]$Path | |
| ) |
joshfinley
/ Get-EtwProviderAces.ps1
Created
March 31, 2025 01:41
Helper script to get SDDL for ETW Providers. Inspired by / draws from Chapter 8 of "Evading EDR" by Matt Hand
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Helper script to get SDDL/ACES for ETW Providers | |
| # Inspired by / draws from Chapter 8 of "Evading EDR" by Matt Hand | |
| param ( | |
| [Parameter(Mandatory = $false)] | |
| [string]$ProviderName, | |
| [Parameter(Mandatory = $false)] | |
| [Guid]$Guid | |
| ) |
joshfinley
/ Deploy-DriverToHyperVVM.ps1
Last active
March 30, 2025 03:00
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Deploy-DriverToVM.ps1 | |
| # Script to deploy debug drivers to Win11 Debug VM | |
| param ( | |
| [string]$VMName = "win-11-dbg", | |
| [string]$DriverPath = ".\x64\Debug\EtwResearchDriver\EtwResearchDriver.sys", | |
| [string]$VMDestPath = "C:\Drivers\EtwResearchDriver\", | |
| [string]$symbolPath = "C:\Symbols", | |
| [switch]$InstallDriver = $true, | |
| [System.Management.Automation.PSCredential]$Credential = $null |
joshfinley
/ find_etw_guid.js
Created
March 29, 2025 07:34
Windbg script for finding ETW information
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "use strict"; | |
| function initializeScript() | |
| { | |
| return [new host.apiVersionSupport(1, 7)]; | |
| } | |
| function findRegHandlesForGuid(targetGuidStr) | |
| { | |
| let dbgOutput = host.diagnostics.debugLog; |
joshfinley
/ enumerate_ec2_passwords.py
Created
March 4, 2025 18:42
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import boto3 | |
| import base64 | |
| import argparse | |
| # Parse command-line arguments | |
| parser = argparse.ArgumentParser(description="List EC2 instances and their passwords.") | |
| parser.add_argument("--profile", required=True, help="AWS profile to use") | |
| args = parser.parse_args() | |
| # Use specified AWS profile |
joshfinley
/ assume_tool.py
Created
March 4, 2025 16:06
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import boto3 | |
| import argparse | |
| import re | |
| import botocore.exceptions | |
| import itertools | |
| import os | |
| def generate_role_permutations(keywords): | |
| """ | |
| Generate role name permutations from a list of keywords |
joshfinley
/ s3_cred_enum.py
Last active
March 4, 2025 15:22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import boto3 | |
| import re | |
| import json | |
| import sys | |
| import argparse | |
| import mimetypes | |
| import os | |
| import yaml | |
| class SecretScanner: |