
@countercept
countercept / dotnet-runtime-etw.py
Last active Oct 9, 2019
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
import time
import etw
import etw.evntrace
import sys
import argparse
import threading

class RundownDotNetETW(etw.ETW):
    def __init__(self, verbose, high_risk_only):
@countercept
countercept / Get-LibraryMS.ps1
Created Jul 31, 2018
Checks the %USERPROFILE% directory for any file with the library-ms extension and extracts the CLSID. In particular, the <url> element containing a shell command.
function Get-LibraryMS {
    <#
    .SYNOPSIS
    Author: Jayden Zheng (@fuseyjz)
    Checks the %USERPROFILE% directory for any file with the library-ms extension and extracts the CLSID.
    In particular, the <url> element containing a shell command.
    Blog: pending release