TheKevinWang
TheKevinWang
/ show_modern_messagebox.ps1
Created
November 7, 2023 23:03
Show message box in powershell using Windows.Forms.Application in a style that fits w10/11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [System.Windows.Forms.Application]::EnableVisualStyles(); | |
| Add-Type -AssemblyName System.Windows.Forms | |
| [System.Windows.Forms.MessageBox]::Show("failed", "status", "OK", "Error") |
TheKevinWang
/ Generate-IMEI.ps1
Last active
March 29, 2022 01:58
Quick and dirty script to generate a random IMEI from an existing one.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# Takes an IMEI number, randomizes the SNR (unique identifier), calculates the check digit using Luhn algorithm, and returns the resulting IMEI. | |
| #> | |
| function Generate-IMEI([string] $seed) { | |
| #generate random SNR | |
| $str = ($seed.substring(0,8)+ [string](Get-Random -max 999999 -min 0) + $seed[14]) | |
| $ca = $str.ToCharArray() | |
| $sum = 0 | |
| #calculate check digit | |
| for($i=0; $i -lt $ca.length-1; $i++) { | |
| $digit = [int]([string]$ca[$i]) |
TheKevinWang
/ meterpreter.yara
Created
September 6, 2018 01:49
Detects meterpreter payloads in memory.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Meterpreter { | |
| meta: | |
| author = "Kevin Wang" | |
| description = "Meterpreter reverse shell in memory detecter." | |
| strings: | |
| $a = "metsrv.dll" | |
| $b = "stdapi_" | |
| $c = "priv_fs" | |
| condition: | |
| $a and $b and $c |
TheKevinWang
/ powershell2.bat
Last active
January 20, 2020 18:54
Enable and disable Powershell 2.0 via DISM
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Works on Windows 10 1803. Requires admin privileges. | |
| #Disable Powershell 2.0 and 1.0 | |
| dism /online /disable-feature /FeatureName:MicrosoftWindowsPowerShellV2Root | |
| dism /online /disable-feature /FeatureName:MicrosoftWindowsPowerShellV2 | |
| #Enable Powershell 2.0 and 1.0 | |
| dism /online /enable-feature /FeatureName:MicrosoftWindowsPowerShellV2Root | |
| dism /online /enable-feature /FeatureName:MicrosoftWindowsPowerShellV2 |
TheKevinWang
/ Get-LocalAccInfo.ps1
Last active
May 16, 2018 15:15
Get last login time and description of local accounts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ([ADSI]"WinNT://$env:COMPUTERNAME").Children | ? {$_.SchemaClassName -eq 'user'} | ft name,lastlogin,description |
TheKevinWang
/ CompileInMemory.cs
Last active
April 28, 2022 21:44
Compile and run C# code in memory to avoid anti-virus. Taken from a C# ransomware sample: https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/ However, this will still execute csc.exe and drop a dll to %temp% https://twitter.com/Laughing_Mantis/status/991018563296157696
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Text; | |
| using System.CodeDom.Compiler; | |
| using Microsoft.CSharp; | |
| using System.IO; | |
| using System.Reflection; | |
| namespace InMemoryCompiler | |
| { | |
| class Program |
TheKevinWang
/ ClassModulesoAppClass
Created
January 29, 2018 02:39
Class module for VBA decoy document. It should be named "oAppClass"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Option Explicit | |
| Public WithEvents oApp As Word.Application | |
| Private Sub oApp_DocumentBeforeClose(ByVal Doc As Document, Cancel As Boolean) | |
| Cancel = True | |
| Application.Quit SaveChanges:=wdDoNotSaveChanges | |
| End Sub |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Option Explicit | |
| Dim oAppClass As New oAppClass | |
| Public Sub AutoOpen() | |
| ActiveDocument.Sections(1).Range.Font.Hidden = False | |
| Set page1 = Selection.GoTo(What:=1, Which:=2, Name:=1).Bookmarks("\Page").Range | |
| page1.Delete | |
| Set oAppClass.oApp = Word.Application | |
| End Sub | |