countercept
/ dotnet-runtime-etw.py
Last active
August 22, 2023 16:02
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| import etw | |
| import etw.evntrace | |
| import sys | |
| import argparse | |
| import threading | |
| class RundownDotNetETW(etw.ETW): | |
| def __init__(self, verbose, high_risk_only): |
countercept
/ Get-LibraryMS.ps1
Created
July 31, 2018 14:17
Checks the %USERPROFILE% directory for any file with library-ms extension and extract the CLSID. In particular, the <url> element with shell command.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-LibraryMS { | |
| <# | |
| .SYNOPSIS | |
| Author: Jayden Zheng (@fuseyjz) | |
| Checks the %USERPROFILE% directory for any file with library-ms extension and extract the CLSID. | |
| In particular, <url> element with shell command. | |
| Blog: pending release |