Dump-GUY
@Dump-GUY
Dump-GUY / HookIEX.ps1
Created April 4, 2024 02:29
PowerShell IEX Hooking via Harmony Library
# Harmony Reference: https://github.com/pardeike/Harmony
using assembly '.\net48\0Harmony.dll'
using namespace HarmonyLib
class HooK
{
    static [bool] PreFix_IEX($scriptText)
    {
        [Console]::WriteLine("Original IEX Command: '$scriptText'")
        return $true
@Dump-GUY
Dump-GUY / hint_calls.py
Created March 18, 2024 07:30
Modified version of Willi Ballenthin IDA Plugin hint_calls.py ported to support Python2/3 and IDA>=7.4 (tested IDA 7.7, 8.4)
'''
IDA plugin to display the calls and strings referenced by a function as hints.
Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <william.ballenthin@fireeye.com>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils
# Get IL code and pre-compiled native code disassembly of R2R Assembly methods
# Using AsmResolver + Iced + PowerShell
# More Info Here: https://docs.washi.dev/asmresolver/guides/peimage/ready-to-run.html
# Loading dependencies
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\AsmResolver\net6.0\AsmResolver.PE.dll")) | Out-Null
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\AsmResolver\net6.0\AsmResolver.DotNet.dll")) | Out-Null
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\Iced\netstandard2.1\Iced.dll")) | Out-Null
$filePath = [System.IO.Path]::GetFullPath(".\test_files\CompileDecoy_ReplaceReal_SC_Original.dll") # R2R Assembly Sample
# Recovering strings objects from .NET Heap
# Using clrMD "Microsoft.Diagnostics.Runtime.dll" - https://github.com/microsoft/clrmd
# Use 32-bit PowerShell to investigate 32-bit process and 64-bit PowerShell to investigate 64-bit process
[System.Reflection.Assembly]::LoadFile([System.IO.Path]::GetFullPath("Microsoft.Diagnostics.Runtime.dll")) | Out-Null
$processID = (Get-Process -Name "TestStrings_confused").Id
$dataTarget = [Microsoft.Diagnostics.Runtime.DataTarget]::AttachToProcess($processID, $false)
$clrInfo = $dataTarget.ClrVersions[0]
$clrRuntime = $clrInfo.CreateRuntime()
$objects = $clrRuntime.Heap.EnumerateObjects().Where{$_.Type.IsString}
from pprint import pprint
from dumpulator import Dumpulator
# ------------------Initialization ------------------
languages = {'0x436' : "Afrikaans_South_Africa", '0x041c' : "Albanian_Albania", '0x045e' : "Amharic_Ethiopia", '0x401' : "Arabic_Saudi_Arabia",
'0x1401' : "Arabic_Algeria", '0x3c01' : "Arabic_Bahrain", '0x0c01' : "Arabic_Egypt", '0x801' : "Arabic_Iraq", '0x2c01' : "Arabic_Jordan",
'0x3401' : "Arabic_Kuwait", '0x3001' : "Arabic_Lebanon", '0x1001' : "Arabic_Libya", '0x1801' : "Arabic_Morocco", '0x2001' : "Arabic_Oman",
'0x4001' : "Arabic_Qatar", '0x2801' : "Arabic_Syria", '0x1c01' : "Arabic_Tunisia", '0x3801' : "Arabic_UAE", '0x2401' : "Arabic_Yemen",
'0x042b' : "Armenian_Armenia", '0x044d' : "Assamese", '0x082c' : "Azeri_Cyrillic", '0x042c' : "Azeri_Latin", '0x042d' : "Basque",
'0x423' : "Belarusian", '0x445' : "Bengali_India", '0x845' : "Bengali_Bangladesh", '0x141A' : "Bosnian_BosniaHerzegovina", '0x402' : "Bulgarian",
# Simple show-off using PowerShell and Reflection to extract masslogger config
# Example Sample: https://bazaar.abuse.ch/sample/7187a6d2980e3696396c4fbce939eeeb3733b6afdf2e859a385f8d6b29e8cebc/
# Twitter Info: https://twitter.com/vinopaljiri/status/1593125307468623874
# get the class where config is initialized -> careful, by this we invoked the constructor and all fields are already populated but encrypted
$configClass = [System.Reflection.Assembly]::LoadFile("C:\Users\Inferno\Desktop\test\sample.exe").GetTypes() | ? {$_.Name -like "xmA"}
# class is static so we are not creating instance of it in Invoke
# by invoking this method, the config gets decrypted and so do its corresponding fields (remember reflection Rocks :))
($configClass.GetMethods() | ? {$_.Name -like "Aak"}).Invoke($null, $null) | Out-Null
@Dump-GUY
Dump-GUY / ExtractAsyncRatConfig_PowerShell_Reflection.ps1
Last active November 7, 2022 20:48
Simple show-off using PowerShell and Reflection to extract AsyncRat config
# Simple show-off using PowerShell and Reflection to extract AsyncRat config
# Example Sample: https://bazaar.abuse.ch/sample/2a2d9b1e17cd900edcdf8d26a8ba95ba41ae276d4e0d2400e85602c51e0ab73b/
# Twitter Info: https://twitter.com/vinopaljiri/status/1589721140318339072
# get the class where config is initialized
$settingsClass = [System.Reflection.Assembly]::LoadFile("C:\showoff\AsyncRat.bin").GetTypes() | ?{$_.Name -like "Settings"}
# class is static so we are not creating instance of it in Invoke
# by invoking the method that is responsible for populating fields we get them decrypted (remember reflection Rocks :))
($settingsClass.GetMethods() | ? {$_.Name -like "InitializeSettings"}).Invoke($null, $null) | Out-Null
@Dump-GUY
Dump-GUY / Program.cs
Last active November 7, 2022 20:40
Example of DynamicCompiler - dynamically compile C# code -> but it actually spawns csc.exe
using System;
using System.CodeDom.Compiler;
using Microsoft.CSharp;
using System.Linq;
namespace DynamicCompiler
{
    internal class Program
    {
        public static void DynamicRun(string codes, string clazz, string method, string[] args)
@Dump-GUY
Dump-GUY / ImplMap2x64dbg.py
Last active November 7, 2022 20:39
Creates x64dbg script for setting breakpoints on defined ImplMap (PInvoke) methods of .NET executable
import dnfile, sys, os
def Main():
    if(len(sys.argv) != 2 or sys.argv[1] == '-h' or sys.argv[1] == '--help'):
        print("Description: Creates x64dbg script for setting breakpoints on defined ImplMap (PInvoke) methods of .NET executable")
        print(f"Usage: {os.path.basename(sys.argv[0])} <filepath>\n")
        sys.exit()
    file_path = sys.argv[1]
    script_path = file_path + "_x64dbg.txt"
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f