Jesse secabstraction
secabstraction
/ Get-DosDevice.ps1
Created
September 26, 2015 17:56
A powershell wrapper around QueryDosDevice
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-DosDevice { | |
| [CmdletBinding()] | |
| Param ( | |
| [Parameter()] | |
| [ValidateNotNullOrEmpty()] | |
| [String]$Name | |
| ) | |
| #region WinAPI |
secabstraction
/ Get-ProcessTrace.ps1
Last active
September 27, 2015 04:06
Trace the threads of a process, "mini-dbg" RDI detection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-ProcessTrace { | |
| <# | |
| .SYNOPSIS | |
| Walks thread stacks of specified process(es) to help identify dll injection. | |
| .DESCRIPTION | |
| This commandlet uses Windows Remote Management to trace the threads of specified process(es) of remote machines. | |
| .PARAMETER ComputerName | |
| Specify the hostname or IP address of a remote computer to retrieve data from. |
secabstraction
/ Export-MFT.ps1
Last active
August 2, 2024 19:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Export-MFT { | |
| <# | |
| .SYNOPSIS | |
| Extracts master file table from volume. | |
| Version: 0.1 | |
| Author : Jesse Davis (@secabstraction) | |
| License: BSD 3-Clause | |
| .DESCRIPTION |
secabstraction
/ Invoke-WmiRunspaceQuery.ps1
Last active
September 28, 2015 12:37
Runspace jobbing of Get-WmiObject
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-WmiRunspaceQuery { | |
| <# | |
| .SYNOPSIS | |
| Creates a multi-threaded effect by using runspaces to speed up WMI queries to multiple hosts. | |
| Version: 0.1 | |
| Author : Jesse Davis (@secabstraction) | |
| License: BSD 3-Clause | |
| .PARAMETER ComputerName |
secabstraction
/ StdOutRemedy.ps1
Last active
January 14, 2016 19:19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| try { $ScriptBlock = [ScriptBlock]::Create($EncodingType.GetString($ReceivedBytes)) } | |
| catch { break } # network stream closed | |
| $Global:Error.Clear() | |
| $BytesToSend += $EncodingType.GetBytes(($ScriptBlock.Invoke() | Out-String)) | |
| foreach ($Err in $Global:Error) { $BytesToSend += $EncodingType.GetBytes($Err.Exception.Message) } | |
| $BytesToSend += $EncodingType.GetBytes(("`nPS $((Get-Location).Path)> ")) |
secabstraction
/ StdOutProblem.ps1
Created
January 14, 2016 19:13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Setup_CMD | |
| { | |
| param($FuncSetupVars) | |
| if($global:Verbose){$Verbose = $True} | |
| $FuncVars = @{} | |
| $ProcessStartInfo = New-Object System.Diagnostics.ProcessStartInfo | |
| $ProcessStartInfo.FileName = $FuncSetupVars[0] | |
| $ProcessStartInfo.UseShellExecute = $False | |
| $ProcessStartInfo.RedirectStandardInput = $True | |
| $ProcessStartInfo.RedirectStandardOutput = $True |
secabstraction
/ RunawayLoop.ps1
Last active
January 14, 2016 19:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| while ($true) { continue } | |
| # With nothing to do this quickly eats 100% CPU |
secabstraction
/ ThrottledLoop.ps1
Last active
January 15, 2016 16:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| while ($true) { Start-Sleep -Milliseconds 10 ; continue } | |
| # This minute pause is imperceptible to a user, but drops the CPU to 0% |
secabstraction
/ InitializationRoutine.ps1
Last active
January 19, 2016 16:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Initilizer = { | |
| function KeyLog { | |
| # Win32 Imports | |
| Start-Sleep -Milliseconds $PollingInterval | |
| # Excessive GetAsyncKeyState loop to check for pressed keys | |
| } | |
| } | |
| Start-Job -InitializationScript $Initilizer -ScriptBlock {for (;;) {Keylog}} -Name Keylogger | Out-Null |
secabstraction
/ HookMessageLoop.ps1
Last active
January 19, 2016 16:39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Set WM_KEYBOARD_LL hook | |
| $Hook = $SetWindowsHookEx.Invoke(0xD, $Callback, $ModuleHandle, 0) | |
| $Stopwatch = [Diagnostics.Stopwatch]::StartNew() | |
| # Message loop | |
| while ($true) { | |
| if ($PSBoundParameters.Timeout -and ($Stopwatch.Elapsed.TotalMinutes -gt $Timeout)) { break } | |
| $PeekMessage.Invoke([IntPtr]::Zero, [IntPtr]::Zero, 0x100, 0x109, 0) | |
| Start-Sleep -Milliseconds 10 |
OlderNewer