Last active November 19, 2022 12:04
Gist: Dump-GUY/7114b7b8ad2d6b73ca2b8ee62a52a6c6
# Simple show-off using PowerShell and Reflection to extract masslogger config
# Example Sample: https://bazaar.abuse.ch/sample/7187a6d2980e3696396c4fbce939eeeb3733b6afdf2e859a385f8d6b29e8cebc/
# Twitter Info: https://twitter.com/vinopaljiri/status/1593125307468623874
# WARNING: this loads the malware assembly into the PowerShell process and executes its own decryption routine - do this only in an isolated analysis VM
# get the class where the config is initialized -> careful: the type initializer (.cctor) that populates the fields with their encrypted values does not run here, it runs on the first static access below (the Invoke)
$configClass = [System.Reflection.Assembly]::LoadFile("C:\Users\Inferno\Desktop\test\sample.exe").GetTypes() | ? {$_.Name -like "xmA"}
# class is static, so we pass $null as the instance to Invoke
# invoking this method decrypts the config in place, so the corresponding static fields now hold plaintext (remember: reflection rocks :))
($configClass.GetMethods() | ? {$_.Name -like "Aak"}).Invoke($null, $null) | Out-Null
# now collect all fields of the class (static fields are something like global variables in dotnet) - they are already nicely populated with decrypted values - into a PSObject
$config = New-Object -TypeName psobject; $configClass.GetFields().ForEach{Add-Member -InputObject $config -MemberType NoteProperty -Name $_.Name -Value $_.GetValue($null)}
# dump the decrypted config as JSON and show it
$config | ConvertTo-Json -Depth 1 > config.json
$config
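The same reflection trick, generalized into a reusable function. This is an added example, not part of the original gist: the sample path, the function name and the handling of ReflectionTypeLoadException are assumptions, and the type and method names still have to be read from the sample in a decompiler first. It also hex-encodes leftover byte[] fields (keys, ciphertext) so the JSON stays readable, and uses explicit BindingFlags so non-public static members are found as well.

```powershell
# Added example (not the gist author's code): reusable wrapper around the reflection approach above.
# WARNING: this executes the malware's own decryption routine inside the PowerShell process.
# Run only in an isolated analysis VM with no network and nothing sensitive on the box.

function Get-StaticConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,        # path to the .NET sample (assumed)
        [Parameter(Mandatory)] [string] $TypeName,    # class whose static fields hold the config
        [Parameter(Mandatory)] [string] $InitMethod,  # static, parameterless method that decrypts the fields
        [string] $OutFile                             # optional JSON output path
    )

    $asm = [System.Reflection.Assembly]::LoadFile((Resolve-Path $Path).Path)

    # Obfuscated samples often throw ReflectionTypeLoadException from GetTypes();
    # the types that did load are still available on the exception object.
    try {
        $types = $asm.GetTypes()
    } catch {
        $ex = $_.Exception
        if ($ex -isnot [System.Reflection.ReflectionTypeLoadException]) { $ex = $ex.InnerException }
        if ($ex -isnot [System.Reflection.ReflectionTypeLoadException]) { throw }
        $types = $ex.Types | Where-Object { $_ }
    }

    $type = $types | Where-Object { $_.Name -eq $TypeName } | Select-Object -First 1
    if (-not $type) { throw "Type '$TypeName' not found in $Path" }

    # Static + Public + NonPublic: obfuscated config classes are usually internal/private
    $flags  = [System.Reflection.BindingFlags] 'Static, Public, NonPublic'
    $method = $type.GetMethod($InitMethod, $flags, $null, [Type[]]@(), $null)
    if (-not $method) { throw "Static parameterless method '$InitMethod' not found on $TypeName" }

    # Invoking the static method runs the type initializer (if it has not run yet)
    # and then the decryption routine, leaving the static fields in plaintext.
    $null = $method.Invoke($null, $null)

    $config = [ordered]@{}
    foreach ($field in $type.GetFields($flags)) {
        $value = $field.GetValue($null)
        # byte arrays are typically keys or leftover ciphertext; hex-encode them so JSON stays readable
        if ($value -is [byte[]]) { $value = ($value | ForEach-Object { $_.ToString('x2') }) -join '' }
        $config[$field.Name] = $value
    }

    $obj = [pscustomobject]$config
    if ($OutFile) { $obj | ConvertTo-Json -Depth 2 | Set-Content -Path $OutFile -Encoding UTF8 }
    $obj
}

# Usage with the names from the gist (the path is hypothetical):
# Get-StaticConfig -Path 'C:\analysis\sample.exe' -TypeName 'xmA' -InitMethod 'Aak' -OutFile 'config.json'
```

Writing the JSON with Set-Content -Encoding UTF8 avoids the UTF-16 file that `>` redirection produces in Windows PowerShell, which trips up many downstream parsers.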