added two useful windows scripts and updated generateMSBuildXML.py

2025-09-02 10:08:34 +02:00 · 2021-01-13 05:16:09 -08:00
parent fe824c97f3
commit 96317dd8f9
5 changed files with 402 additions and 48 deletions
--- a/windows/Find-CLSIDForProgID.ps1
+++ b/windows/Find-CLSIDForProgID.ps1
@ -0,0 +1,3 @@
+function Find-CLSIDForProgID($ProgId) {
+    Get-ChildItem REGISTRY::HKEY_CLASSES_ROOT\CLSID -Include PROGID -Recurse | where {$_.GetValue("") -match $ProgId }
+}
--- a/windows/PE-library
+++ b/windows/PE-library
--- a/windows/README.md
+++ b/windows/README.md
@ -3,6 +3,10 @@

 - **`awareness.bat`** - Little and quick Windows Situational-Awareness set of commands to execute after gaining initial foothold (coming from APT34: https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html ) ([gist](https://gist.github.com/mgeeky/237b48e0bb6546acb53696228ab50794))

+- **`Find-CLSIDForProgID.ps1`** - Tries to locate COM object's `ProgID` based on a given CLSID.
+
+- **`find-system-and-syswow64-binaries.py`** - Finds files with specified extension in both System32 and SysWOW64 and then prints their intersection. Useful for finding executables (for process injection purposes) that reside in both directories (such as `WerFault.exe`)
+
 - **`Force-PSRemoting.ps1`** - Forcefully enable WinRM / PSRemoting. [gist](https://gist.github.com/mgeeky/313c22def5c86d7a529f41e5b6ff79b8)

 - **`GlobalProtectDisable.cpp`** - Global Protect VPN Application patcher allowing the Administrator user to disable VPN without Passcode. ([gist](https://gist.github.com/mgeeky/54ac676226a1a4bd9fd8653e24adc2e9))
--- a/windows/find-system-and-syswow64-binaries.py
+++ b/windows/find-system-and-syswow64-binaries.py
@ -0,0 +1,36 @@
+#!/usr/bin/python3
+
+import sys
+import os
+import glob
+
+def main(argv):
+    if len(argv) == 1:
+        print('Usage: ./script <ext>')
+        return False
+
+    ext = argv[1]
+    system32 = set()
+    syswow64 = set()
+    p1 = os.path.join(os.environ['Windir'], 'System32' + os.sep + '*.' + ext)
+    p2 = os.path.join(os.environ['Windir'], 'SysWOW64' + os.sep + '*.' + ext)
+
+    sys.stderr.write('[.] System32: ' + p1 + '\n')
+    sys.stderr.write('[.] SysWOW64: ' + p2 + '\n')
+
+    for file in glob.glob(p1):
+        system32.add(os.path.basename(file))
+
+    for file in glob.glob(p2):
+        syswow64.add(os.path.basename(file))
+
+    commons = system32.intersection(syswow64)
+    sys.stderr.write(f"[.] Found {len(system32)} files in System32\n")
+    sys.stderr.write(f"[.] Found {len(syswow64)} files in SysWOW64\n")
+    sys.stderr.write(f"[.] Intersection of these two sets: {len(commons)}\n")
+
+    for f in commons:
+        print(f)
+
+if __name__ == '__main__':
+    main(sys.argv)