iMHLv2
GenericPowershell (YARA rule; the gist preview ends after the strings section)

    rule GenericPowershell
    {
        strings:
            $a = "PS>function"                 // PowerShell prompt followed by a function definition
            $b = "Invoke-Expression"           // cmdlet commonly used to run script text built at runtime
            $c = "<MS><S N="                   // CLIXML serialization fragments emitted by PowerShell remoting
            $d = "</MS></Obj>"
            $e = "CompileAssemblyFromSource"   // in-memory .NET compilation from script
            $f = "Remoting.RemoteHostMethodId" // PowerShell remoting host-method identifiers
            $g = "<resp:Arguments"             // WS-Management response payload used by PowerShell remoting
gist:cb05924e1d6317a20fdc (Volatility shimcache plugin, XP code path; the gist preview ends inside the process loop)

    import volatility.win32.tasks as tasks   # Volatility 2 process-list helper used by pslist() below

    @staticmethod
    def shimcache_xp(address_space):
        """Enumerate entries from the shared memory section
        on XP systems."""
        seen = []
        # Select VAD nodes (pool tag "Vad ") whose protection index is 4 (MM_READWRITE)
        shim = lambda x: (x.Tag == "Vad " and
                          x.VadFlags.Protection == 4)
        for process in tasks.pslist(address_space):
iMHLv2 / gist:8def92d6c3d604273f41
Created Dec 9, 2014
Experimentation with Volatility's Windows 10 TP x64 Branch

    # Get the Win10 branch of Volatility
    git clone -b win10tp https://github.com/volatilityfoundation/volatility.git
    # Get the memory dump (download link, not a shell command)
    # https://www.sendspace.com/pro/dl/0cte2h
    # Run some commands