Skip to content

Instantly share code, notes, and snippets.

Mathias R. Jessen IISResetMe

  • Netherlands
View GitHub Profile
IISResetMe / Get-ChildItemDeep.ps1
Created Apr 12, 2019
Get-ChildItem -Depth for PS 4.0
View Get-ChildItemDeep.ps1
function Get-ChildItemDeep
[Parameter(ParameterSetName='Items', Position=0, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
View wildcards.ps1
function Search-Stuff
$Data = 'lol', 'lol123', '123lol', '123lol123'
$Filter = if([WildcardPattern]::ContainsWildcardCharacters($string)){
{ $_ -like $string }
} else {
{ $_ -eq $string }
View CreateServicePInvoke.ps1
Add-Type '
using System;
using System.Runtime.InteropServices;
public class advapi32 {
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Auto)]
public static extern IntPtr CreateService(
IntPtr hSCManager,
string lpServiceName,
string lpDisplayName,
uint dwDesiredAccess,
View Find-EncryptedFiles.ps1
$FAD,$kernel32 = Add-Type @'
using System;
using System.IO;
using System.Runtime.InteropServices;
public FileAttributes dwFileAttributes;
public System.Runtime.InteropServices.ComTypes.FILETIME ftCreationTime;
IISResetMe / Get-ArtisanalInteger.ps1
Created Mar 27, 2019
Handcrafted integers in a hurry
View Get-ArtisanalInteger.ps1
Acquires an organic, hand-crafter integer from Brooklyn Integers
An integer
View bad.ps1
$params = @{
Name = 'w*'
# unrelated stuff happening
# ...
# ...
# ...
$params2 = @{
View autoruns_timestamped.ps1
& autorunsc.exe * -c -nobanner |ConvertFrom-Csv |Select *,@{Label='HasTimestampedSignature';Expression={
[bool]$(if($_.'Image Path' -and $_.'Image Path' -notlike 'File not found:*'){
$sig = Get-AuthenticodeSignature $_.'Image Path'
$sig.Status -eq 'Valid' -and $sig.TimeStamperCertificate
}} |Export-Csv -Path output.csv -NoTypeInformation
IISResetMe / Get-LMHash.ps1
Last active Mar 15, 2019
LMHash generator in written in PowerShell
View Get-LMHash.ps1
function Get-WeakDESEncryptor {
Creates a DESCryptoProviderService encryptor from a potentially unsafe key
DESCryptoProviderService.GetEncryptor() attempts to ensure that 0-keys can't be used. This function bypasses the protection and creates a DES encryptor from a potentially unsafe key and an empty initialization vector
PS C:\> $DESProvider = [System.Security.Cryptography.DESCryptoServiceProvider]::new()
PS C:\> $encryptor = Get-WeakDESEncryptor -CSP $DESProvider -Key @(,0*8)
IISResetMe / TypoHijack.ps1
Last active Mar 14, 2019
Hijack a subset of non-existing commands in PowerShell
View TypoHijack.ps1
$ExecutionContext.InvokeCommand.CommandNotFoundAction = {
param([string]$CommandName, [System.Management.Automation.CommandLookupEventArgs]$evtArgs)
if($CommandName -like '*glue*'){
$evtArgs.CommandScriptBlock = {
Write-Host "Eating glue because of $CommandName ..." -ForegroundColor Green
$evtArgs.StopSearch = $true
IISResetMe / PinnedHandle.cs
Created Mar 11, 2019
Disposable pinned GCHandle
View PinnedHandle.cs
using System;
using System.Runtime.InteropServices;
namespace IISResetMe.SafeHandles
/// <summary>Disposable pinned memory handles, useful for non-blittable type references passed to unmanaged code</summary>
public class GCPinnedHandle : IDisposable
private GCHandle gcHandle;
You can’t perform that action at this time.