
Dump-GUY

@Dump-GUY
Dump-GUY / PE-Inspect-PortableExecutable-Namespace.ps1
Created March 4, 2025 01:55
PowerShell (pwsh): PE-Inspect-PortableExecutable-Namespace
function Expand-Properties($Object, $Depth = 5, $Indent = 0) {
    if ($Depth -le 0 -or $null -eq $Object) { return }
    $prefix = " " * $Indent
    # Walk every property; recurse into enumerables, PSObjects and System.Reflection.* types up to $Depth
    $Object | Get-Member -MemberType Property | ForEach-Object {
        $pValue = $Object.$($_.Name)
        if ($pValue -is [Enum]) { Write-Host "$prefix$($_.Name): " -ForegroundColor Green -NoNewline; Write-Host "$pValue" -ForegroundColor Blue }
        elseif ($null -eq $pValue) { Write-Host "$prefix$($_.Name): " -ForegroundColor Green -NoNewline; Write-Host "(null)" -ForegroundColor Blue }
        elseif ($pValue -is [Collections.IEnumerable] -and $pValue -isnot [string]) { Write-Host "$prefix$($_.Name): " -ForegroundColor Green; $pValue | ForEach-Object { Expand-Properties $_ ($Depth - 1) ($Indent + 4) } }
        elseif ($pValue -is [PSObject] -or $pValue.GetType().Namespace -match "^System.Reflection") { Write-Host "$prefix$($_.Name): " -ForegroundColor Green; Expand-Properties $pValue ($Depth - 1) ($Indent + 4) }
        else { Write-Host "$prefix$($_.Name): " -ForegroundColor Green -NoNewline; Write-Host "$pValue" -ForegroundColor Blue }
    }
}
Expand-Properties ([Reflection.PortableExecutable.PEReader]::new([IO.File]::OpenRead([IO.Path]::G

DTrace for Windows

https://github.com/microsoft/DTrace-on-Windows

Overview

DTrace for Windows is a port of the open-source release of DTrace, originally developed by Sun for Solaris in 2005. DTrace allows high-performance function tracing with access to typed arguments and statistical event collection. DTrace utilizes several types of instrumentation or trace frameworks provided by Windows, including ETW, a system call tracer, a kernel function tracer, and a userland function tracer.

Installation / Build Notes

@Dump-GUY
Dump-GUY / HookIEX.ps1
Created April 4, 2024 02:29
PowerShell IEX Hooking via Harmony Library
# Harmony Reference: https://github.com/pardeike/Harmony
using assembly '.\net48\0Harmony.dll'
using namespace HarmonyLib
class HooK
{
    # Harmony prefix patch: a bool prefix that returns $true lets the original method run after logging the script text
    static [bool] PreFix_IEX($scriptText)
    {
        [Console]::WriteLine("Original IEX Command: '$scriptText'")
        return $true
    }
}
@Dump-GUY
Dump-GUY / hint_calls.py
Created March 18, 2024 07:30
Modified version of Willi Ballenthin IDA Plugin hint_calls.py ported to support Python2/3 and IDA>=7.4 (tested IDA 7.7, 8.4)
'''
IDA plugin to display the calls and strings referenced by a function as hints.
Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <[email protected]>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils
# Get IL code and pre-compiled native code disassembly of R2R Assembly methods
# Using AsmResolver + Iced + PowerShell
# More Info Here: https://docs.washi.dev/asmresolver/guides/peimage/ready-to-run.html
# Loading dependencies
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\AsmResolver\net6.0\AsmResolver.PE.dll")) | Out-Null
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\AsmResolver\net6.0\AsmResolver.DotNet.dll")) | Out-Null
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\Iced\netstandard2.1\Iced.dll")) | Out-Null
$filePath = [System.IO.Path]::GetFullPath(".\test_files\CompileDecoy_ReplaceReal_SC_Original.dll") # R2R Assembly Sample
# Recovering strings objects from .NET Heap
# Using clrMD "Microsoft.Diagnostics.Runtime.dll" - https://github.com/microsoft/clrmd
# Use 32-bit PowerShell to investigate 32-bit process and 64-bit PowerShell to investigate 64-bit process
[System.Reflection.Assembly]::LoadFile([System.IO.Path]::GetFullPath("Microsoft.Diagnostics.Runtime.dll")) | Out-Null
$processID = (Get-Process -Name "TestStrings_confused").Id
$dataTarget = [Microsoft.Diagnostics.Runtime.DataTarget]::AttachToProcess($processID, $false)
$clrInfo = $dataTarget.ClrVersions[0]
$clrRuntime = $clrInfo.CreateRuntime()
$objects = $clrRuntime.Heap.EnumerateObjects().Where{$_.Type.IsString}
from pprint import pprint
from dumpulator import Dumpulator
# ------------------Initialization ------------------
languages = {'0x436' : "Afrikaans_South_Africa", '0x041c' : "Albanian_Albania", '0x045e' : "Amharic_Ethiopia", '0x401' : "Arabic_Saudi_Arabia",
'0x1401' : "Arabic_Algeria", '0x3c01' : "Arabic_Bahrain", '0x0c01' : "Arabic_Egypt", '0x801' : "Arabic_Iraq", '0x2c01' : "Arabic_Jordan",
'0x3401' : "Arabic_Kuwait", '0x3001' : "Arabic_Lebanon", '0x1001' : "Arabic_Libya", '0x1801' : "Arabic_Morocco", '0x2001' : "Arabic_Oman",
'0x4001' : "Arabic_Qatar", '0x2801' : "Arabic_Syria", '0x1c01' : "Arabic_Tunisia", '0x3801' : "Arabic_UAE", '0x2401' : "Arabic_Yemen",
'0x042b' : "Armenian_Armenia", '0x044d' : "Assamese", '0x082c' : "Azeri_Cyrillic", '0x042c' : "Azeri_Latin", '0x042d' : "Basque",
'0x423' : "Belarusian", '0x445' : "Bengali_India", '0x845' : "Bengali_Bangladesh", '0x141A' : "Bosnian_BosniaHerzegovina", '0x402' : "Bulgarian",
# Simple show-off using PowerShell and Reflection to extract masslogger config
# Example Sample: https://bazaar.abuse.ch/sample/7187a6d2980e3696396c4fbce939eeeb3733b6afdf2e859a385f8d6b29e8cebc/
# Twitter Info: https://twitter.com/vinopaljiri/status/1593125307468623874
# get the class where the config is initialized -> careful, by doing this we have invoked the constructor, so all fields are already populated, but still encrypted
$configClass = [System.Reflection.Assembly]::LoadFile("C:\Users\Inferno\Desktop\test\sample.exe").GetTypes() | ? {$_.Name -like "xmA"}
# class is static so we are not creating instance of it in Invoke
# by invoking this method the config gets decrypted, and with it the fields that hold it (remember, reflection Rocks :))
($configClass.GetMethods() | ? {$_.Name -like "Aak"}).Invoke($null, $null) | Out-Null
@Dump-GUY
Dump-GUY / ExtractAsyncRatConfig_PowerShell_Reflection.ps1
Last active November 7, 2022 20:48
Simple show-off using PowerShell and Reflection to extract AsyncRat config
# Simple show-off using PowerShell and Reflection to extract AsyncRat config
# Example Sample: https://bazaar.abuse.ch/sample/2a2d9b1e17cd900edcdf8d26a8ba95ba41ae276d4e0d2400e85602c51e0ab73b/
# Twitter Info: https://twitter.com/vinopaljiri/status/1589721140318339072
# get the class where config is initialized
$settingsClass = [System.Reflection.Assembly]::LoadFile("C:\showoff\AsyncRat.bin").GetTypes() | ?{$_.Name -like "Settings"}
# class is static so we are not creating instance of it in Invoke
# by invoking the method responsible for populating the fields we get them decrypted (remember, reflection Rocks :))
($settingsClass.GetMethods() | ? {$_.Name -like "InitializeSettings"}).Invoke($null, $null) | Out-Null
@Dump-GUY
Dump-GUY / Program.cs
Last active June 21, 2024 21:08
Example of DynamicCompiler - dynamically compile C# code -> but it actually spawns csc.exe
using System;
using System.CodeDom.Compiler;
using Microsoft.CSharp;
using System.Linq;
namespace DynamicCompiler
{
    internal class Program
    {
        public static void DynamicRun(string codes, string clazz, string method, string[] args)