2010-03-20T22:30:27Z http://blog.securitywhole.com/comments/atom.aspx Quick Blogcast tag:blog.securitywhole.com,2010-02-14:2827956 Tim Medin 2010-02-15T03:40:44Z 2010-02-15T03:40:44Z Interesting idea. I would imagine would difficult to implement with reasonable accuracy.<BR><BR>And great post. tag:blog.securitywhole.com,2010-02-12:2822208 jah 2010-02-13T02:18:15Z 2010-02-13T02:18:15Z I know that when you migrate meterpreter to a different process, you can see the change in that processes memory usage (private bytes, working set, etc). I bet if you did enough measuring, you could come up with a ballpark size as a signature for meterpreter. The problem with this approach is that you would need a baseline for the memory usage of each process on the machine.<BR> <BR>This was a very interesting article and showed some nice techniques. I was recently doing some experimentation with metasploit and wrote a blog entry on my findings. If you're interested, the url is: <A href="http://jah-internship.blogspot.com/2010/02/simwitty-internship-week-4.html">http://jah-internship.blogspot.com/2010/02/simwitty-internship-week-4.html</A> tag:blog.securitywhole.com,2010-02-11:2816782 Tim Medin 2010-02-11T16:38:13Z 2010-02-11T16:38:13Z The problem is each value does not have a timestamp, just the key. That means that you can't get the detail you want. It just isn't a feature that Windows provides.<br><br>To get the LastWriteTime of the Devices Key run the command at one key higher.<br><br>Get-RegTimestamp.ps1 HKCU "Software\Microsoft\Windows NT\CurrentVersion"<br><br><font face="Courier New">Key&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LastWriteTime<br>---&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -------------<br>...<br>Devices&nbsp;&nbsp;&nbsp; 2/11/2010 1:31:22 PM<br>...</font><br> tag:blog.securitywhole.com,2010-02-11:2815900 Paul 2010-02-11T11:46:06Z 2010-02-11T11:46:06Z Hello,<br /><br /> I`m trying to find out the date on which a network printer was installed on the workstation. I`m using the registry keys in "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices\" to find this out. Unfortunately the above command does not return the information needed. all i get is " .\Get-RegKeyLastWriteTime.ps1 <br />HKCU Software\Microsoft\Windows NT\CurrentVersion\Devices<br /><br />Key LastWriteTime<br />--- -------------<br />CurrentVersion 27.01.2010 13:54:08<br />Shell 06.01.2010 14:18:47<br />ShellNoRoam 06.01.2010 15:02:40 tag:blog.securitywhole.com,2010-02-01:2777407 Tim Medin 2010-02-01T15:00:22Z 2010-02-01T15:00:22Z You would not be able to find it with this method since explorer already loads these dll's. tag:blog.securitywhole.com,2010-02-01:2777329 CG 2010-02-01T14:19:54Z 2010-02-01T14:19:54Z if you migrate into explorer.exe to you see that same results? tag:blog.securitywhole.com,2009-10-08:2482226 Thorin 2009-10-08T14:04:55Z 2009-10-08T14:04:55Z Thanks Tim! tag:blog.securitywhole.com,2009-10-07:2481427 Tim Medin 2009-10-08T02:10:48Z 2009-10-08T02:10:48Z Just a typo, fixed.<br> tag:blog.securitywhole.com,2009-10-05:2475222 Thorin 2009-10-05T13:34:49Z 2009-10-05T13:34:49Z I'm confused about the -e option "Disable Keyboard &amp; Keyboard" .....<br> <br>See a lot of systems with dual keyboards? tag:blog.securitywhole.com,2009-10-01:2466730 Tim Medin 2009-10-01T13:05:14Z 2009-10-01T13:05:14Z That is what I decided too, but I thought it was odd that I couldn't find any documentation on it.