Rekall Doppelgänging Detector
using System;
using System.IO;
using System.Text.RegularExpressions;
namespace DoppSearcher
{
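class Program
{
    /// <summary>
    /// Splits one Rekall output row into fields. The pattern ("/" followed by any
    /// single character and a literal "\") is the delimiter the original tool used;
    /// it is tied to the Rekall JSON layout, so change it only after re-checking
    /// against a real dump.
    /// </summary>
    private static readonly Regex FieldSplitter = new Regex(@"/.\\", RegexOptions.Compiled);

    /// <summary>Culture used to upper-case paths before the substring filters run.</summary>
    private static readonly System.Globalization.CultureInfo PathCulture =
        new System.Globalization.CultureInfo("en-US", true);

    // Field offsets in a split row, as indexed by the original detector.
    // NOTE(review): these come from the original code's indexing, not from the
    // Rekall plugin's column definition — confirm that index 1/10/11 really are the
    // process name, in-memory path and mapped path before relying on the output.
    private const int EprocessIndex = 1;
    private const int MemPathIndex = 10;
    private const int MappedIndex = 11;
    private const int MinFieldCount = MappedIndex + 1;

    private const string DefaultInputFile = "3doppmod.json";

    /// <summary>
    /// Reads a Rekall doppelgänging dump and prints "process memPath mapped" followed
    /// by a blank line for every row whose in-memory path differs from the mapped path
    /// and survives the noise filters in <see cref="IsSuspicious"/>.
    /// </summary>
    /// <param name="args">args[0] optionally overrides the input file; default is 3doppmod.json.</param>
    static void Main(string[] args)
    {
        string inputPath = DefaultInputFile;
        if (args != null && args.Length > 0 && !string.IsNullOrEmpty(args[0]))
        {
            inputPath = args[0];
        }

        string[] rows;
        try
        {
            rows = File.ReadAllLines(inputPath);
        }
        catch (IOException ex)
        {
            ReportUnreadable(inputPath, ex);
            return;
        }
        catch (UnauthorizedAccessException ex)
        {
            ReportUnreadable(inputPath, ex);
            return;
        }

        int shortRows = 0;
        foreach (string row in rows)
        {
            string[] fields = FieldSplitter.Split(row);
            if (fields.Length < MinFieldCount)
            {
                // Headers, separators and malformed rows. The original swallowed the
                // resulting IndexOutOfRangeException in an empty catch; count them
                // instead so a dump in an unexpected format is not silently reported
                // as "clean".
                shortRows++;
                continue;
            }

            string eprocess = fields[EprocessIndex].Trim();
            string memPath = fields[MemPathIndex].Trim().ToUpper(PathCulture);
            string mapped = fields[MappedIndex].Trim().ToUpper(PathCulture);

            if (IsSuspicious(eprocess, memPath, mapped))
            {
                Console.WriteLine(eprocess + " " + memPath + " " + mapped + "\n");
            }
        }

        if (shortRows > 0)
        {
            Console.Error.WriteLine(shortRows + " row(s) did not split into " + MinFieldCount + " fields and were ignored.");
        }

        // Keeps the console window open when launched by double-click; returns at
        // once when stdin is redirected.
        Console.ReadLine();
    }

    /// <summary>
    /// Reports an unreadable input file on stderr and sets a non-zero exit code.
    /// The original let the exception escape unhandled; a script driving this tool
    /// should still see a failure rather than an empty "clean" result.
    /// </summary>
    private static void ReportUnreadable(string path, Exception ex)
    {
        Console.Error.WriteLine("Cannot read " + path + ": " + ex.Message);
        Environment.ExitCode = 1;
    }

    /// <summary>
    /// Decides whether a row is worth showing: the process name must be non-empty,
    /// the in-memory path must be present ("-" means none), differ from the mapped
    /// path, and not fall into one of the noise exclusions.
    /// </summary>
    /// <remarks>
    /// The exclusions are plain substring matches on attacker-influenced paths and
    /// exist only to cut Windows-component noise. A row whose in-memory path contains
    /// SYSTEM32 or WINSXS, or whose mapped path contains SYSWOW64, is hidden even if it
    /// is the doppelgänged process, so during triage re-run with these filters
    /// disabled rather than treating an empty result as a clean host.
    /// </remarks>
    /// <param name="eprocess">Process name from the row, already trimmed.</param>
    /// <param name="memPath">In-memory path, trimmed and upper-cased.</param>
    /// <param name="mapped">Mapped (backing file) path, trimmed and upper-cased.</param>
    /// <returns>true when the row should be printed.</returns>
    private static bool IsSuspicious(string eprocess, string memPath, string mapped)
    {
        if (eprocess.Length == 0 || memPath == "-")
        {
            return false;
        }
        if (memPath == mapped)
        {
            return false;
        }
        // string.Contains(string) is an ordinal comparison; inputs were upper-cased by the caller.
        return !memPath.Contains("SYSTEM32")
            && !memPath.Contains("WINSXS")
            && !mapped.Contains("SYSWOW64");
    }
}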
}