GenericPowershell (gist)

// Generic YARA strings for spotting PowerShell artefacts in memory or on disk:
// an interactive prompt, Invoke-Expression, CLIXML serialisation markers,
// in-memory C# compilation, and PowerShell remoting protocol fragments.
rule GenericPowershell
{
    strings:
        $a = "PS>function"
        $b = "Invoke-Expression"
        $c = "<MS><S N="
        $d = "</MS></Obj>"
        $e = "CompileAssemblyFromSource"
        $f = "Remoting.RemoteHostMethodId"
        $g = "<resp:Arguments"

    condition:
        // PLACEHOLDER: the gist preview is cut off before the condition;
        // "any of them" is assumed here, not taken from the original rule.
        any of them
}
gist:cb05924e1d6317a20fdc

# Volatility 2 helper: walk each process's VAD tree looking for the shared
# memory section that holds the Application Compatibility (shimcache) data on XP.
# Import added for clarity; tasks.pslist() comes from volatility.win32.tasks.
import volatility.win32.tasks as tasks

def shimcache_xp(address_space):
    """Enumerate entries from the shared memory section
    on XP systems."""
    seen = []
    # Match VAD nodes tagged "Vad " whose protection is PAGE_READWRITE (4)
    shim = lambda x : (x.Tag == "Vad " and
                       x.VadFlags.Protection == 4)
    for process in tasks.pslist(address_space):
iMHLv2 / gist:8def92d6c3d604273f41
Created Dec 9, 2014
Experimentation with Volatility's Windows 10 TP x64 Branch
gist:8def92d6c3d604273f41

    # Get the Win10 branch of Volatility
    git clone -b win10tp
    # Get the memory dump
    # Run some commands