For ./ScriptModification/ :

    -PSScriptAnalyzering
    -Tweaking of synopsis blocks in order to support platyPS
    -Code standardization
    -Generated docs

12 files changed, 574 insertions, 53 deletions

diff --git a/README.md b/README.md
index 60ac90f..5ec6892 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ Compresses, Base-64 encodes, and outputs generated code to load a managed dll in
 
 Encrypts text files/scripts.
 
-#### `Remove-Comments`
+#### `Remove-Comment`
 
 Strips comments and extra whitespace from a script. 
 
diff --git a/ScriptModification/Out-CompressedDll.ps1 b/ScriptModification/Out-CompressedDll.ps1
index 5e6897d..8608956 100644
--- a/ScriptModification/Out-CompressedDll.ps1
+++ b/ScriptModification/Out-CompressedDll.ps1
@@ -5,12 +5,12 @@ function Out-CompressedDll
 

 Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.

 

-PowerSploit Function: Out-CompressedDll

-Author: Matthew Graeber (@mattifestation)

-License: BSD 3-Clause

-Required Dependencies: None

-Optional Dependencies: None

- 

+PowerSploit Function: Out-CompressedDll  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None  

+

 .DESCRIPTION

 

 Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array.

@@ -21,7 +21,7 @@ Specifies the path to a managed executable.
 

 .EXAMPLE

 

-C:\PS> Out-CompressedDll -FilePath evil.dll

+Out-CompressedDll -FilePath evil.dll

 

 Description

 -----------

@@ -36,7 +36,9 @@ Only pure MSIL-based dlls can be loaded using this technique. Native or IJW ('it
 http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html

 #>

 

-    [CmdletBinding()] Param (

+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]

+    [CmdletBinding()]

+    Param (

         [Parameter(Mandatory = $True)]

         [String]

         $FilePath

@@ -51,7 +53,7 @@ http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html
 

     $FileBytes = [System.IO.File]::ReadAllBytes($Path)

 

-    if (($FileBytes[0..1] | % {[Char]$_}) -join '' -cne 'MZ')

+    if (($FileBytes[0..1] | ForEach-Object {[Char]$_}) -join '' -cne 'MZ')

     {

         Throw "$Path is not a valid executable."

     }

diff --git a/ScriptModification/Out-EncodedCommand.ps1 b/ScriptModification/Out-EncodedCommand.ps1
index 04e8c12..6f21391 100644
--- a/ScriptModification/Out-EncodedCommand.ps1
+++ b/ScriptModification/Out-EncodedCommand.ps1
@@ -5,12 +5,12 @@ function Out-EncodedCommand
 

 Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.

 

-PowerSploit Function: Out-EncodedCommand

-Author: Matthew Graeber (@mattifestation)

-License: BSD 3-Clause

-Required Dependencies: None

-Optional Dependencies: None

- 

+PowerSploit Function: Out-EncodedCommand  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None  

+

 .DESCRIPTION

 

 Out-EncodedCommand prepares a PowerShell script such that it can be pasted into a command prompt. The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload. This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies.

@@ -49,13 +49,13 @@ Base-64 encodes the entirety of the output. This is usually unnecessary and effe
 

 .EXAMPLE

 

-C:\PS> Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'}

+Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'}

 

 powershell -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('Cy/KLEnV9cgvLlFQz0jNycnXUSjPL8pJUVQHAA=='),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()

 

 .EXAMPLE

 

-C:\PS> Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput

+Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput

 

 powershell -NoP -NonI -W Hidden -E cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcATABjAGkAeABDAHMASQB3AEUAQQBEAFEAWAAzAEUASQBWAEkAYwBtAEwAaQA1AEsAawBGAEsARQA2AGwAQgBCAFIAWABDADgAaABLAE8ATgBwAEwAawBRAEwANAAzACsAdgBRAGgAdQBqAHkAZABBADkAMQBqAHEAcwAzAG0AaQA1AFUAWABkADAAdgBUAG4ATQBUAEMAbQBnAEgAeAA0AFIAMAA4AEoAawAyAHgAaQA5AE0ANABDAE8AdwBvADcAQQBmAEwAdQBYAHMANQA0ADEATwBLAFcATQB2ADYAaQBoADkAawBOAHcATABpAHMAUgB1AGEANABWAGEAcQBVAEkAagArAFUATwBSAHUAVQBsAGkAWgBWAGcATwAyADQAbgB6AFYAMQB3ACsAWgA2AGUAbAB5ADYAWgBsADIAdAB2AGcAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA=

 

@@ -72,7 +72,8 @@ This cmdlet was inspired by the createcmd.ps1 script introduced during Dave Kenn
 http://www.exploit-monday.com

 #>

 

-    [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param (

+    [CmdletBinding( DefaultParameterSetName = 'FilePath')]

+    Param (

         [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )]

         [ValidateNotNullOrEmpty()]

         [ScriptBlock]

diff --git a/ScriptModification/Out-EncryptedScript.ps1 b/ScriptModification/Out-EncryptedScript.ps1
index eba48f7..c24b126 100644
--- a/ScriptModification/Out-EncryptedScript.ps1
+++ b/ScriptModification/Out-EncryptedScript.ps1
@@ -5,11 +5,11 @@ function Out-EncryptedScript
 

 Encrypts text files/scripts.

 

-PowerSploit Function: Out-EncryptedScript

-Author: Matthew Graeber (@mattifestation)

-License: BSD 3-Clause

-Required Dependencies: None

-Optional Dependencies: None

+PowerSploit Function: Out-EncryptedScript  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None  

 

 .DESCRIPTION

 

@@ -36,7 +36,8 @@ is randomly generated by default.
 

 .EXAMPLE

 

-C:\PS> Out-EncryptedScript .\Naughty-Script.ps1 password salty

+$Password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+Out-EncryptedScript .\Naughty-Script.ps1 $Password salty

 

 Description

 -----------

@@ -48,10 +49,10 @@ function 'de' and the base64-encoded ciphertext.
 

 .EXAMPLE

 

-C:\PS> [String] $cmd = Get-Content .\evil.ps1

-C:\PS> Invoke-Expression $cmd

-C:\PS> $decrypted = de password salt

-C:\PS> Invoke-Expression $decrypted

+[String] $cmd = Get-Content .\evil.ps1

+Invoke-Expression $cmd

+$decrypted = de password salt

+Invoke-Expression $decrypted

 

 Description

 -----------

@@ -64,34 +65,39 @@ unencrypted script is called via Invoke-Expression
 This command can be used to encrypt any text-based file/script

 #>

 

-    [CmdletBinding()] Param (

+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]

+    [CmdletBinding()]

+    Param (

         [Parameter(Position = 0, Mandatory = $True)]

         [String]

         $ScriptPath,

-    

+

         [Parameter(Position = 1, Mandatory = $True)]

-        [String]

+        [Security.SecureString]

         $Password,

-    

+

         [Parameter(Position = 2, Mandatory = $True)]

         [String]

         $Salt,

-    

+

         [Parameter(Position = 3)]

         [ValidateLength(16, 16)]

         [String]

-        $InitializationVector = ((1..16 | % {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join ''),

-    

+        $InitializationVector = ((1..16 | ForEach-Object {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join ''),

+

         [Parameter(Position = 4)]

         [String]

         $FilePath = '.\evil.ps1'

     )

 

+    $TempCred = New-Object System.Management.Automation.PSCredential('a', $Password)

+    $PlaintextPassword = $TempCred.GetNetworkCredential().Password

+

     $AsciiEncoder = New-Object System.Text.ASCIIEncoding

     $ivBytes = $AsciiEncoder.GetBytes($InitializationVector)

     # While this can be used to encrypt any file, it's primarily designed to encrypt itself.

     [Byte[]] $scriptBytes = Get-Content -Encoding Byte -ReadCount 0 -Path $ScriptPath

-    $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2)

+    $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($PlaintextPassword, $AsciiEncoder.GetBytes($Salt), "SHA1", 2)

     $Key = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider

     $Key.Mode = [System.Security.Cryptography.CipherMode]::CBC

     [Byte[]] $KeyBytes = $DerivedPass.GetBytes(16)

diff --git a/ScriptModification/Remove-Comments.ps1 b/ScriptModification/Remove-Comment.ps1
index 45a9746..6194419 100644
--- a/ScriptModification/Remove-Comments.ps1
+++ b/ScriptModification/Remove-Comment.ps1
@@ -1,19 +1,19 @@
-function Remove-Comments

+function Remove-Comment

 {

 <#

 .SYNOPSIS

 

 Strips comments and extra whitespace from a script.

 

-PowerSploit Function: Remove-Comments

-Author: Matthew Graeber (@mattifestation)

-License: BSD 3-Clause

-Required Dependencies: None

-Optional Dependencies: None

- 

+PowerSploit Function: Remove-Comment  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None  

+

 .DESCRIPTION

 

-Remove-Comments strips out comments and unnecessary whitespace from a script. This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big.

+Remove-Comment strips out comments and unnecessary whitespace from a script. This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big.

 

 A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script. You rock, Lee!

 

@@ -27,11 +27,11 @@ Specifies the path to your script.
 

 .EXAMPLE

 

-C:\PS> $Stripped = Remove-Comments -Path .\ScriptWithComments.ps1

+$Stripped = Remove-Comment -Path .\ScriptWithComments.ps1

 

 .EXAMPLE

 

-C:\PS> Remove-Comments -ScriptBlock {

+Remove-Comment -ScriptBlock {

 ### This is my awesome script. My documentation is beyond reproach!

       Write-Host 'Hello, World!' ### Write 'Hello, World' to the host

 ### End script awesomeness

@@ -41,7 +41,7 @@ Write-Host 'Hello, World!'
 

 .EXAMPLE

 

-C:\PS> Remove-Comments -Path Inject-Shellcode.ps1 | Out-EncodedCommand

+Remove-Comment -Path Inject-Shellcode.ps1 | Out-EncodedCommand

 

 Description

 -----------

@@ -57,15 +57,17 @@ Accepts either a string containing the path to a script or a scriptblock.
 

 System.Management.Automation.ScriptBlock

 

-Remove-Comments returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired.

+Remove-Comment returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired.

 

 .LINK

 

 http://www.exploit-monday.com

 http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/

 #>

-

-    [CmdletBinding( DefaultParameterSetName = 'FilePath' )] Param (

+    

+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]

+    [CmdletBinding( DefaultParameterSetName = 'FilePath' )]

+    Param (

         [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'FilePath' )]

         [ValidateNotNullOrEmpty()]

         [String]

diff --git a/ScriptModification/ScriptModification.psd1 b/ScriptModification/ScriptModification.psd1
index 923c874..07cd0bf 100644
--- a/ScriptModification/ScriptModification.psd1
+++ b/ScriptModification/ScriptModification.psd1
@@ -26,6 +26,6 @@ FunctionsToExport = '*'
 

 # List of all files packaged with this module

 FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-CompressedDll.ps1', 'Out-EncodedCommand.ps1', 

-               'Out-EncryptedScript.ps1', 'Remove-Comments.ps1', 'Usage.md'

+               'Out-EncryptedScript.ps1', 'Remove-Comment.ps1', 'Usage.md'

 

 }

diff --git a/docs/ScriptModification/Out-CompressedDll.md b/docs/ScriptModification/Out-CompressedDll.md
new file mode 100755
index 0000000..df7cff5
--- /dev/null
+++ b/docs/ScriptModification/Out-CompressedDll.md
@@ -0,0 +1,60 @@
+# Out-CompressedDll

+

+## SYNOPSIS

+Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.

+

+PowerSploit Function: Out-CompressedDll  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Out-CompressedDll [-FilePath] <String>

+```

+

+## DESCRIPTION

+Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Out-CompressedDll -FilePath evil.dll

+```

+

+Description

+-----------

+Compresses, base64 encodes, and outputs the code required to load evil.dll in memory.

+

+## PARAMETERS

+

+### -FilePath

+Specifies the path to a managed executable.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+Only pure MSIL-based dlls can be loaded using this technique.

+Native or IJW ('it just works' - mixed-mode) dlls will not load.

+

+## RELATED LINKS

+

+[http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html](http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html)

+

diff --git a/docs/ScriptModification/Out-EncodedCommand.md b/docs/ScriptModification/Out-EncodedCommand.md
new file mode 100755
index 0000000..6666796
--- /dev/null
+++ b/docs/ScriptModification/Out-EncodedCommand.md
@@ -0,0 +1,186 @@
+# Out-EncodedCommand

+

+## SYNOPSIS

+Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.

+

+PowerSploit Function: Out-EncodedCommand  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+### FilePath (Default)

+```

+Out-EncodedCommand [[-Path] <String>] [-NoExit] [-NoProfile] [-NonInteractive] [-Wow64] [-WindowStyle <String>]

+ [-EncodedOutput]

+```

+

+### ScriptBlock

+```

+Out-EncodedCommand [[-ScriptBlock] <ScriptBlock>] [-NoExit] [-NoProfile] [-NonInteractive] [-Wow64]

+ [-WindowStyle <String>] [-EncodedOutput]

+```

+

+## DESCRIPTION

+Out-EncodedCommand prepares a PowerShell script such that it can be pasted into a command prompt.

+The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload.

+This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'}

+```

+

+powershell -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream(\[IO.MemoryStream\]\[Convert\]::FromBase64String('Cy/KLEnV9cgvLlFQz0jNycnXUSjPL8pJUVQHAA=='),\[IO.Compression.CompressionMode\]::Decompress)),\[Text.Encoding\]::ASCII)).ReadToEnd()

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput

+```

+

+powershell -NoP -NonI -W Hidden -E cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcATABjAGkAeABDAHMASQB3AEUAQQBEAFEAWAAzAEUASQBWAEkAYwBtAEwAaQA1AEsAawBGAEsARQA2AGwAQgBCAFIAWABDADgAaABLAE8ATgBwAEwAawBRAEwANAAzACsAdgBRAGgAdQBqAHkAZABBADkAMQBqAHEAcwAzAG0AaQA1AFUAWABkADAAdgBUAG4ATQBUAEMAbQBnAEgAeAA0AFIAMAA4AEoAawAyAHgAaQA5AE0ANABDAE8AdwBvADcAQQBmAEwAdQBYAHMANQA0ADEATwBLAFcATQB2ADYAaQBoADkAawBOAHcATABpAHMAUgB1AGEANABWAGEAcQBVAEkAagArAFUATwBSAHUAVQBsAGkAWgBWAGcATwAyADQAbgB6AFYAMQB3ACsAWgA2AGUAbAB5ADYAWgBsADIAdAB2AGcAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA=

+

+Description

+-----------

+Execute the above payload for the lulz.

+\>D

+

+## PARAMETERS

+

+### -ScriptBlock

+Specifies a scriptblock containing your payload.

+

+```yaml

+Type: ScriptBlock

+Parameter Sets: ScriptBlock

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+### -Path

+Specifies the path to your payload.

+

+```yaml

+Type: String

+Parameter Sets: FilePath

+Aliases: 

+

+Required: False

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -NoExit

+Outputs the option to not exit after running startup commands.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -NoProfile

+Outputs the option to not load the Windows PowerShell profile.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -NonInteractive

+Outputs the option to not present an interactive prompt to the user.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Wow64

+Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -WindowStyle

+Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -EncodedOutput

+Base-64 encodes the entirety of the output.

+This is usually unnecessary and effectively doubles the size of the output.

+This option is only for those who are extra paranoid.

+

+```yaml

+Type: SwitchParameter

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+This cmdlet was inspired by the createcmd.ps1 script introduced during Dave Kennedy and Josh Kelley's talk, "PowerShell...OMFG" (https://www.trustedsec.com/files/PowerShell_PoC.zip)

+

+## RELATED LINKS

+

+[http://www.exploit-monday.com](http://www.exploit-monday.com)

+

diff --git a/docs/ScriptModification/Out-EncryptedScript.md b/docs/ScriptModification/Out-EncryptedScript.md
new file mode 100755
index 0000000..36db457
--- /dev/null
+++ b/docs/ScriptModification/Out-EncryptedScript.md
@@ -0,0 +1,148 @@
+# Out-EncryptedScript

+

+## SYNOPSIS

+Encrypts text files/scripts.

+

+PowerSploit Function: Out-EncryptedScript  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+```

+Out-EncryptedScript [-ScriptPath] <String> [-Password] <SecureString> [-Salt] <String>

+ [[-InitializationVector] <String>] [[-FilePath] <String>]

+```

+

+## DESCRIPTION

+Out-EncryptedScript will encrypt a script (or any text file for that

+matter) and output the results to a minimally obfuscated script -

+evil.ps1 by default.

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+$Password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

+```

+

+Out-EncryptedScript .\Naughty-Script.ps1 $Password salty

+

+Description

+-----------

+Encrypt the contents of this file with a password and salt.

+This will

+make analysis of the script impossible without the correct password

+and salt combination.

+This command will generate evil.ps1 that can

+dropped onto the victim machine.

+It only consists of a decryption

+function 'de' and the base64-encoded ciphertext.

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+[String] $cmd = Get-Content .\evil.ps1

+```

+

+Invoke-Expression $cmd

+$decrypted = de password salt

+Invoke-Expression $decrypted

+

+Description

+-----------

+This series of instructions assumes you've already encrypted a script

+and named it evil.ps1.

+The contents are then decrypted and the

+unencrypted script is called via Invoke-Expression

+

+## PARAMETERS

+

+### -ScriptPath

+Path to this script

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Password

+Password to encrypt/decrypt the script

+

+```yaml

+Type: SecureString

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 2

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -Salt

+Salt value for encryption/decryption.

+This can be any string value.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: True

+Position: 3

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -InitializationVector

+Specifies a 16-character the initialization vector to be used.

+This

+is randomly generated by default.

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 4

+Default value: ((1..16 | ForEach-Object {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join '')

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -FilePath

+{{Fill FilePath Description}}

+

+```yaml

+Type: String

+Parameter Sets: (All)

+Aliases: 

+

+Required: False

+Position: 5

+Default value: .\evil.ps1

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+## OUTPUTS

+

+## NOTES

+This command can be used to encrypt any text-based file/script

+

+## RELATED LINKS

+

diff --git a/docs/ScriptModification/Remove-Comment.md b/docs/ScriptModification/Remove-Comment.md
new file mode 100755
index 0000000..97335ae
--- /dev/null
+++ b/docs/ScriptModification/Remove-Comment.md
@@ -0,0 +1,110 @@
+# Remove-Comment

+

+## SYNOPSIS

+Strips comments and extra whitespace from a script.

+

+PowerSploit Function: Remove-Comment  

+Author: Matthew Graeber (@mattifestation)  

+License: BSD 3-Clause  

+Required Dependencies: None  

+Optional Dependencies: None

+

+## SYNTAX

+

+### FilePath (Default)

+```

+Remove-Comment [-Path] <String>

+```

+

+### ScriptBlock

+```

+Remove-Comment [-ScriptBlock] <ScriptBlock>

+```

+

+## DESCRIPTION

+Remove-Comment strips out comments and unnecessary whitespace from a script.

+This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big.

+

+A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script.

+You rock, Lee!

+

+## EXAMPLES

+

+### -------------------------- EXAMPLE 1 --------------------------

+```

+$Stripped = Remove-Comment -Path .\ScriptWithComments.ps1

+```

+

+### -------------------------- EXAMPLE 2 --------------------------

+```

+Remove-Comment -ScriptBlock {

+```

+

+### This is my awesome script.

+My documentation is beyond reproach!

+      Write-Host 'Hello, World!' ### Write 'Hello, World' to the host

+### End script awesomeness

+}

+

+Write-Host 'Hello, World!'

+

+### -------------------------- EXAMPLE 3 --------------------------

+```

+Remove-Comment -Path Inject-Shellcode.ps1 | Out-EncodedCommand

+```

+

+Description

+-----------

+Removes extraneous whitespace and comments from Inject-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand.

+

+## PARAMETERS

+

+### -Path

+Specifies the path to your script.

+

+```yaml

+Type: String

+Parameter Sets: FilePath

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+

+### -ScriptBlock

+Specifies a scriptblock containing your script.

+

+```yaml

+Type: ScriptBlock

+Parameter Sets: ScriptBlock

+Aliases: 

+

+Required: True

+Position: 1

+Default value: None

+Accept pipeline input: True (ByValue)

+Accept wildcard characters: False

+```

+

+## INPUTS

+

+### System.String, System.Management.Automation.ScriptBlock

+

+Accepts either a string containing the path to a script or a scriptblock.

+

+## OUTPUTS

+

+### System.Management.Automation.ScriptBlock

+

+Remove-Comment returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired.

+

+## NOTES

+

+## RELATED LINKS

+

+[http://www.exploit-monday.com

+http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/]()

+

diff --git a/docs/index.md b/docs/index.md
index ac37071..9c001da 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -15,7 +15,7 @@ Modify and/or prepare scripts for execution on a compromised machine.
     Out-EncodedCommand - Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
     Out-CompressedDll - Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
     Out-EncryptedScript - Encrypts text files/scripts.
-    Remove-Comments - Strips comments and extra whitespace from a script.
+    Remove-Comment - Strips comments and extra whitespace from a script.
 
 ### Persistence
 
diff --git a/mkdocs.yml b/mkdocs.yml
index a0838fd..a24f7e4 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -139,3 +139,9 @@ pages:
         - Add-Persistence: 'Persistence/Add-Persistence.md'
         - Install-SSP: 'Persistence/Install-SSP.md'
         - Get-SecurityPackage: 'Persistence/Get-SecurityPackage.md'
+- ScriptModification:
+    - Functions:
+        - Out-CompressedDll: 'ScriptModification/Out-CompressedDll.md'
+        - Out-EncodedCommand: 'ScriptModification/Out-EncodedCommand.md'
+        - Out-EncryptedScript: 'ScriptModification/Out-EncryptedScript.md'
+        - Remove-Comment: 'ScriptModification/Remove-Comment.md'