Skip to content

Instantly share code, notes, and snippets.

Avatar

Brian Reitz brianreitz

View GitHub Profile
@brianreitz
brianreitz / msobjs_message_table.txt
Last active May 20, 2020
msobjs.dll Message Table by MessageID
View msobjs_message_table.txt
%%279 : Undefined Access (no effect) Bit 7
%%1536 : Unused message ID
%%1537 : DELETE
%%1538 : READ_CONTROL
%%1539 : WRITE_DAC
%%1540 : WRITE_OWNER
%%1541 : SYNCHRONIZE
%%1542 : ACCESS_SYS_SEC
%%1543 : MAX_ALLOWED
%%1552 : Unknown specific access (bit 0)
@brianreitz
brianreitz / PSReflect-RegKeyFixer.ps1
Last active Jan 3, 2018
A port of Joakim Schicht's RegKeyFixer using PSReflect. Will find and delete "hidden" value entries created by PSReflect-RegHide.ps1
View PSReflect-RegKeyFixer.ps1
# A port of Joakim Schicht's RegKeyFixer in PowerShell.
# https://github.com/jschicht/RegKeyFixer
#
# This script will recursively search keys starting from the Keyname
# for any value entry names with null characters
# Example usage:
# $SID = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
# $KeyName = "\Registry\User\$SID\SOFTWARE\Microsoft\Windows\CurrentVersion"
# $Results = Get-HiddenNames -KeyName $KeyName
# $Results | Remove-HiddenNames
@brianreitz
brianreitz / PSReflect-RegHide.ps1
Created Jul 14, 2017
PowerShell script to hide a Run key like Reghide/Kovter/Poweliks
View PSReflect-RegHide.ps1
# requires PSReflect.ps1 to be in the same directory as this script
. .\PSReflect.ps1
$Module = New-InMemoryModule -ModuleName RegHide
# Define our structs.
# https://msdn.microsoft.com/en-us/library/windows/hardware/ff564879(v=vs.85).aspx
# typedef struct _UNICODE_STRING {
# USHORT Length;
# USHORT MaximumLength;
You can’t perform that action at this time.