
cecio / bat2exe.txt
Last active March 9, 2023 20:56
xdbg commands to dump AdvancedBat2Exe converter
// Break on the shell-execute entry point: the converter's stub goes through it for
// every file it launches, so the breakpoint fires once per executed file.
bp ShellExecuteEx
// Run the commands below after each hit, and repeat as needed: the converter can
// execute more than one file. The file that is about to be executed is written to
// the log, so it can be inspected (and preserved) before it actually runs.
// At function entry [esp+4] is the first argument, the pointer to the SHELLEXECUTEINFOA
// struct; +0x10 skips cbSize/fMask/hwnd/lpVerb and lands on the lpFile member, so
// $addr holds the address of sei.lpFile, not the base of the struct itself.
mov $addr,[esp+4]+0x10 // &SHELLEXECUTEINFOA.lpFile
mov $path, ReadDword($addr) // lpFile
mov $param, ReadDword($addr+4) // lpParameters (the member directly after lpFile)
// NOTE(review): {s:n} formats the pointed-to string as ANSI, matching the A struct
// above; if the sample under analysis calls the W variant instead, the pointers
// refer to wide strings and this log line will show garbage — confirm on first hit.
log "Executing: {s:0} {s:1}", $path, $param
cecio / log4jscan.ps1
Last active December 21, 2021 13:36
log4jscan for Windows
## Based on https://cyberwatch.fr/cve/cve-2021-44228-log4shell-comment-detecter-et-corriger-cette-vulnerabilite-sur-log4j/
## Added "deep" function to scan for the problematic class in each JAR file
##
## WARNING: the scan is pretty CPU/disk intensive (beware if you scan huge disks), especially the "deep" function.
## For critical servers, run it off-hours or in a maintenance window
$param1=$args[0]
Write-Output "Starting..."
$jar = @()
cecio / flareon8_Ch10_decrypt
Created October 24, 2021 22:38
flareon8_Ch10_decrypt
lookup = [ 90,132,6,69,174,203,232,243,87,254,166,61,94,65,8,208,51,
34,33,129,32,221,0,160,35,175,113,4,139,245,24,29,225,15,
101,9,206,66,120,62,195,55,202,143,100,50,224,172,222,145,
124,42,192,7,244,149,159,64,83,229,103,182,122,82,78,63,131,
75,201,130,114,46,118,28,241,30,204,183,215,199,138,16,121,26,
77,25,53,22,125,67,43,205,134,171,68,146,212,14,152,20,185,
155,167,36,27,60,226,58,211,240,253,79,119,209,163,12,72,128,
106,218,189,216,71,91,250,150,11,236,207,73,217,17,127,177,39,
231,197,178,99,230,40,54,179,93,251,220,168,112,37,246,176,156,
165,95,184,57,228,133,169,252,19,2,81,48,242,105,255,116,191,89,