fakeuser7
fakeuser7
/ Get-InjectedThread.ps1
Created
March 14, 2020 10:26
— forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
fakeuser7
/ Get-ClrReflection.ps1
Created
March 14, 2020 09:16
— forked from dezhub/Get-ClrReflection.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-ClrReflection | |
| { | |
| <# | |
| .SYNOPSIS | |
| Detects memory-only CLR (.NET) modules | |
| Author: Joe Desimone (@dez_) | |
| License: BSD 3-Clause | |
fakeuser7
/ hookdetect.c
Created
March 12, 2020 22:10
— forked from c0d3inj3cT/hookdetect.c
This pintool was written to detect the API hooks by checking the calls to VirtualProtect() that mark the memory region of Win32 APIs as PAGE_EXECUTE_READWRITE. This method is often used in API hooking.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Pintool to detect API hooks in a process | |
| c0d3inj3cT | |
| */ | |
| #include <stdio.h> | |
| #include <iostream> | |
| #include "pin.H" | |
| int i=0; |
fakeuser7
/ dllinjshim.cpp
Created
March 4, 2020 15:50
— forked from w4kfu/dllinjshim.cpp
DLL Injection via Shim
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| -------- dllinjshim.cpp -------- | |
| > cl /Fe:dllinjshim.exe dllinjshim.cpp | |
| > dllinjshim.exe | |
| > sdbinst moo.sdb | |
| /!\ On Windows 10 there is a new function `SdbIsKnownShimDll` called | |
| in `SdbGetDllPath` which will check the DLL name against the following list: |