Last active
November 7, 2022 20:48
Simple show-off using PowerShell and Reflection to extract AsyncRat config
# Simple show-off using PowerShell and Reflection to extract AsyncRat config
# Example Sample: https://bazaar.abuse.ch/sample/2a2d9b1e17cd900edcdf8d26a8ba95ba41ae276d4e0d2400e85602c51e0ab73b/
# Twitter Info: https://twitter.com/vinopaljiri/status/1589721140318339072

# get the class where config is initialized
$settingsClass = [System.Reflection.Assembly]::LoadFile("C:\showoff\AsyncRat.bin").GetTypes() | ?{$_.Name -like "Settings"}

# class is static so we are not creating instance of it in Invoke
# by invoking method that is responsible for populating fields we get them decrypted (remember reflection Rocks :))
($settingsClass.GetMethods() | ? {$_.Name -like "InitializeSettings"}).Invoke($null, $null) | Out-Null

# now get me all fields of the class (fields are something like global variables in dotnet) that are already nicely populated with decrypted values and convert to object
$config = New-Object -TypeName psobject
$settingsClass.GetFields().ForEach{Add-Member -InputObject $config -MemberType NoteProperty -Name $_.Name -Value $_.GetValue($null)}

# c'mon biatch give me nice config
$config | ConvertTo-Json -Depth 1 > config.json
$config
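
The same reflection steps run against a harmless constructed stand-in, so the technique can be exercised without loading a live sample into the PowerShell process. This is an added example, not part of the original gist: `DemoSettings`, its base64 "encryption" and the `Get-StaticConfig` helper are hypothetical names. It goes slightly beyond the script above by locating the class through its initializer method rather than by class name, and by reading non-public static fields as well.

```powershell
# Constructed stand-in for a sample: a static class whose fields hold encoded
# values until an initializer decodes them in place. All names are hypothetical.
Add-Type -TypeDefinition @'
using System;
using System.Text;
public static class DemoSettings
{
    public static string Hosts = "MTkyLjAuMi4xMA==";   // base64 of "192.0.2.10"
    public static string Ports = "ODg0OA==";           // base64 of "8848"
    private static string Mutex = "RGVtb011dGV4";      // base64 of "DemoMutex"
    public static bool InitializeSettings()
    {
        Hosts = Decode(Hosts); Ports = Decode(Ports); Mutex = Decode(Mutex);
        return true;
    }
    private static string Decode(string s)
    {
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }
}
'@

function Get-StaticConfig {
    param(
        [Parameter(Mandatory)][type[]]$Types,
        [string]$InitMethod = 'InitializeSettings'
    )
    $flags = [System.Reflection.BindingFlags]'Public,NonPublic,Static'
    foreach ($t in $Types) {
        # find the class by its initializer, so a renamed class is still located
        $m = $t.GetMethod($InitMethod, $flags)
        if (-not $m) { continue }
        # static method: no instance and no arguments; keep going if it throws
        try { $null = $m.Invoke($null, $null) }
        catch { Write-Warning "$($t.FullName).$InitMethod failed: $($_.Exception.Message)" }
        # collect every static field, public or not, in declaration order
        $cfg = [ordered]@{}
        foreach ($f in $t.GetFields($flags)) { $cfg[$f.Name] = $f.GetValue($null) }
        return New-Object -TypeName psobject -Property $cfg
    }
}

$config = Get-StaticConfig -Types ([DemoSettings].Assembly.GetTypes())
$config | ConvertTo-Json -Depth 1
```

Run it in a fresh session: a second call in the same session invokes the initializer on already-decoded fields, which the `catch` reports as a warning before returning the current values.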