

for accessible 64-bit processes (except 'list')
- RogueAssemblyHunter_x64.exe --mode=sweep

Example 2: Scan processes, list all CLR modules in accessible 32-bit managed processes, and show error information
- RogueAssemblyHunter_x86.exe --mode=sweep --hunt=list --debug

Example 3: Watch for new processes, scan all CLR modules (if managed and 64-bit), do not scan the RogueAssemblyHunter process, and do 2 checks with a 3 second delay between them
- RogueAssemblyHunter_x64.exe --mode=watch --suppress --checks=2 --sleep=3

Example 4: Scan a single process by PID, list in-memory-only CLR module findings, and export CLR modules to the specified path
- RogueAssemblyHunter_x86.exe --mode=process --pid=4650 --hunt=memory-only --export=c:\evilassemblies\

Example 5: Scan processes, list in-memory-only CLR module findings for accessible 64-bit processes, do not scan the RogueAssemblyHunter process, and do not show the title banner
- RogueAssemblyHunter_x64.exe --mode=sweep --hunt=memory-only --suppress --nobanner

Release Files: Invoke-RogueAssemblyHunter & Compiled Binaries

For convenience, a PowerShell script along with two compiled binaries (RogueAssemblyHunter_x64.exe and RogueAssemblyHunter_x86.exe) have been included in the \Release folder. Feel free to modify it to fit your use cases (e.g. deployment, embedding, checks, sleep, etc.).

Example Usage:

Run Invoke-RogueAssemblyHunter in sweep mode and check for all hunt options:
- cd c:\path\to\RogueAssemblyHunter
- import-module .\Invoke-RogueAssemblyHunter.ps1
- Invoke-RogueAssemblyHunter

Run Invoke-RogueAssemblyHunter in watch mode and check for all hunt options:
- cd c:\path\to\RogueAssemblyHunter
- import-module .\Invoke-RogueAssemblyHunter.ps1
- Invoke-RogueAssemblyHunter -ScanMode watch

SHA256 Hashes:
- e804711a8b6469f1b13b388de47dfa6dde1c85279d365db7b6e19e1644990fa6  Invoke-RogueAssemblyHunter.ps1
- cc985d918e566671aa209142abc55bd798ca6c1a18730b785ac8c18d489736c3  RogueAssemblyHunter_x64.exe
- ae3aead43871e263cd8465d5356c4daaae0635714321f872c931ec825008287a  RogueAssemblyHunter_x86.exe

Roadmap
- Managed dump (.dmp) file analysis
- Improve sig-status check(s)
- Output improvements (e.g. json)
- Stability and bug fixes

Credits, Inspiration, & Resources
- Hunting For In-Memory .NET Attacks (https://www.elastic.co/blog/hunting-memory-net-attacks) | by Joe Desimone (@dez_ (https://mobile.twitter.com/dez_))
- Get-ClrReflection (https://gist.github.com/dezhub/2875fa6dc78083cedeab10abc551cb58) | by Joe Desimone (@dez_ (https://mobile.twitter.com/dez_))
- Get-InjectedThread (https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2) | by Jared Atkinson (@jaredcatkinson (https://mobile.twitter.com/jaredcatkinson))
- pe-sieve (https://github.com/hasherezade/pe-sieve) | by hasherezade (@hasherezade (https://mobile.twitter.com/hasherezade))
- CLR MD - Analyzing Live Process (https://harshaprojects.wordpress.com/2015/12/29/clr-md-analyzing-live-process/) | by Harsha
- How to enumerate Modules in each App Domain using ClrMD (https://sukesh.me/2020/06/12/how-to-enumerate-modules-in-each-app-domain-using-clrmd/) | by Sukesh Ashok Kumar
- WMIProcessWatcher (https://github.com/malcomvetter/WMIProcessWatcher/) | by Tim MalcomVetter (@malcomvetter (https://twitter.com/malcomvetter))
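The SHA256 values listed under "SHA256 Hashes" are only useful if something actually checks them before the script is imported and the binaries are run. The following PowerShell snippet is an added example, not part of the RogueAssemblyHunter project: it compares each release file against the hash published in the README and refuses to proceed on a missing or mismatched file. The `$ReleaseFolder` path is an assumption; set it to wherever the repository's \Release folder was placed.

```powershell
# Added example (not the project's own code): verify the three release files
# against the SHA256 hashes published in the README before loading anything.
# ASSUMPTION: the release folder lives at the path below; adjust as needed.
$ReleaseFolder = 'C:\path\to\RogueAssemblyHunter\Release'

# Expected hashes, copied verbatim from the README's "SHA256 Hashes" section.
$Expected = @{
    'Invoke-RogueAssemblyHunter.ps1' = 'e804711a8b6469f1b13b388de47dfa6dde1c85279d365db7b6e19e1644990fa6'
    'RogueAssemblyHunter_x64.exe'    = 'cc985d918e566671aa209142abc55bd798ca6c1a18730b785ac8c18d489736c3'
    'RogueAssemblyHunter_x86.exe'    = 'ae3aead43871e263cd8465d5356c4daaae0635714321f872c931ec825008287a'
}

$AllGood = $true
foreach ($Name in $Expected.Keys) {
    $Path = Join-Path $ReleaseFolder $Name
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "MISSING  $Name"
        $AllGood = $false
        continue
    }
    # Get-FileHash returns an uppercase hex digest; normalise before comparing.
    $Actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    if ($Actual -eq $Expected[$Name]) {
        Write-Host "OK       $Name"
    } else {
        Write-Warning "MISMATCH $Name`n  expected $($Expected[$Name])`n  actual   $Actual"
        $AllGood = $false
    }
}

if (-not $AllGood) {
    throw 'One or more release files do not match the published SHA256 hashes.'
}

# Only after every file verified: load the module and run the default sweep,
# exactly as the README's "Example Usage" section does.
Import-Module (Join-Path $ReleaseFolder 'Invoke-RogueAssemblyHunter.ps1')
Invoke-RogueAssemblyHunter
```

The check is deliberately strict: a missing file fails the run rather than being skipped, so a partially copied release cannot slip through. If the project publishes new binaries, the hash table must be updated from the new README; a stale table will (correctly) refuse to run the updated files.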

Download RogueAssemblyHunter (https://github.com/bohops/RogueAssemblyHunter)