author    bitform <matt@exploit-monday.com>  2013-01-20 10:11:30 -0500
committer bitform <matt@exploit-monday.com>  2013-01-20 10:11:30 -0500
commit    c45f3361e28d62a58a168de7848a8ba94e76cc33
tree      cd7a9c0c984ee828878153c17b0f96fc93dedf98
parent    e9b22e9ae2391d1dc362501c282248945b3ca467
Created a ScriptModification module.

* All scripts used to prepare and/or modify payload scripts were added to the ScriptModification module.
* Added Remove-Comments - Strips comments and extra whitespace from a script.
* Encrypt-Script was renamed to Out-EncryptedScript in order to conform to proper PowerShell verbs.
-rw-r--r--  README                                                                          | 42
-rw-r--r--  ScriptModification/Out-CompressedDll.ps1 (renamed from Out-CompressedDll.ps1)   |  2
-rw-r--r--  ScriptModification/Out-EncodedCommand.ps1 (renamed from Out-EncodedCommand.ps1) |  2
-rw-r--r--  ScriptModification/Out-EncryptedScript.ps1 (renamed from Encrypt-Script.ps1)    | 71
-rw-r--r--  ScriptModification/Remove-Comments.ps1                                          | 156
-rw-r--r--  ScriptModification/ScriptModification.psd1                                      | 88
-rw-r--r--  ScriptModification/ScriptModification.psm1                                      |  1
-rw-r--r--  ScriptModification/Usage.txt                                                    | 12
8 files changed, 326 insertions, 48 deletions
diff --git a/README b/README
index a07e868..1c16506 100644
--- a/README
+++ b/README
@@ -4,10 +4,6 @@ PowerSploit is a series of Microsoft PowerShell scripts that can be used in post
Root Directory
--------------
-Out-EncodedCommand:
-
- Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
-
Inject-Dll:
Inject-Dll injects a Dll into the process ID of your choosing.
@@ -16,14 +12,6 @@ Inject-Shellcode:
Inject-Shellcode injects shellcode into the process ID of your choosing or within PowerShell locally.
-Out-CompressedDll:
-
- Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
-
-Encrypt-Script:
-
- Encrypt-Script will encrypt a script (or any text file for that matter) and output the results to a minimally obfuscated script - evil.ps1.
-
Find-AVSignature:
Locates single Byte AV signatures utilizing the same method as DSplit from "class101".
@@ -36,6 +24,28 @@ Get-TimedScreenshot:
A function that takes screenshots at a regular interval and saves them to a folder.
+--------------------
+.\ScriptModification
+--------------------
+
+A PowerShell module used to modify and/or prepare scripts for execution on a compromised machine.
+
+Out-EncodedCommand:
+
+ Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
+
+Out-CompressedDll:
+
+ Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
+
+Out-EncryptedScript:
+
+ Encrypts text files/scripts.
+
+Remove-Comments:
+
+ Strips comments and extra whitespace from a script.
+
----------
.\PETools
----------
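Review bot: the new Out-EncryptedScript entry ("Encrypts text files/scripts.") drops the detail that the removed Encrypt-Script entry carried, namely that the result is written to a minimally obfuscated evil.ps1 and that a password and salt are needed to recover the original; suggest restoring that sentence so the README entry matches the .DESCRIPTION in Out-EncryptedScript.ps1.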
@@ -160,7 +170,7 @@ For all contributors and future contributors to PowerSploit, I ask that you foll
* Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following:
* [Parameter(Position = 0, Mandatory = $True)]
-* Don't use any aliases. They make code more difficult to read for people who are unfamiliar with a particular alias.
+* Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias.
* Don't let commands run on for too long. For example, a pipeline is a natural place for a line break.
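Review bot: the reworded alias rule conflates two different things: command aliases (gci, %, ?) and parameter aliases declared with [Alias()] so that a property on piped objects binds to a parameter by name. Only the latter has anything to do with pipeline input, so suggest splitting the sentence: "Don't use command aliases; they make code harder to read for people unfamiliar with a particular alias. Parameter aliases ([Alias('...')]) are fine where they are needed to bind pipeline input by property name."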
@@ -170,6 +180,10 @@ For all contributors and future contributors to PowerSploit, I ask that you foll
* Only use .NET code when absolutely necessary.
-* use the Write-Output keyword when returning an object from a function. I know it's not necessary but it makes the code more readable.
+* Use the Write-Output keyword when returning an object from a function. I know it's not necessary but it makes the code more readable.
* Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters.
+
+* Scripts that are intended to run on a remote machine should be self-contained and not rely upon any additional scripts. Scripts that are designed to run on your host machine can have dependencies on other scripts.
+
+* If a script creates complex custom objects, include a ps1xml file that will properly format the object's output.
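Review bot: Write-Output is a cmdlet, not a keyword, so the capitalization fix leaves the guideline slightly misleading; suggest "Use the Write-Output cmdlet when returning an object from a function". For the new ps1xml guideline, it would help to add that the module manifest must list the file under FormatsToProcess, since the ScriptModification.psd1 added in this commit leaves that entry commented out.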
diff --git a/Out-CompressedDll.ps1 b/ScriptModification/Out-CompressedDll.ps1
index 3c59ef5..f781c15 100644
--- a/Out-CompressedDll.ps1
+++ b/ScriptModification/Out-CompressedDll.ps1
@@ -8,6 +8,8 @@ Compresses, Base-64 encodes, and outputs generated code to load a managed dll in
PowerSploit Module - Out-CompressedDll
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
diff --git a/Out-EncodedCommand.ps1 b/ScriptModification/Out-EncodedCommand.ps1
index a27e0fb..99d3f66 100644
--- a/Out-EncodedCommand.ps1
+++ b/ScriptModification/Out-EncodedCommand.ps1
@@ -8,6 +8,8 @@ Compresses, Base-64 encodes, and generates command-line output for a PowerShell
PowerSploit Module - Out-EncodedCommand
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
diff --git a/Encrypt-Script.ps1 b/ScriptModification/Out-EncryptedScript.ps1
index b9b0b78..1376673 100644
--- a/Encrypt-Script.ps1
+++ b/ScriptModification/Out-EncryptedScript.ps1
@@ -1,58 +1,61 @@
-function Encrypt-Script {
+function Out-EncryptedScript {
<#
.SYNOPSIS
- PowerSploit Module - Encrypt-Script
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
-
+Encrypts text files/scripts.
+
+PowerSploit Module - Out-EncryptedScript
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
.DESCRIPTION
- Encrypt-Script will encrypt a script (or any text file for that matter) and output the results to a minimally obfuscated script - evil.ps1.
-
+Out-EncryptedScript will encrypt a script (or any text file for that matter) and output the results to a minimally obfuscated script - evil.ps1.
+
.PARAMETER ScriptPath
- Path to this script
-
+Path to this script
+
.PARAMETER Password
- Password to encrypt/decrypt the script
-
+Password to encrypt/decrypt the script
+
.PARAMETER Salt
- Salt value for encryption/decryption. This can be any string value.
-
+Salt value for encryption/decryption. This can be any string value.
+
.EXAMPLE
- C:\PS> Encrypt-Script .\Naughty-Script.ps1 password salty
-
- Description
- -----------
- Encrypt the contents of this file with a password and salt. This will make analysis of the script impossible without the correct password and salt combination. This command will generate evil.ps1 that can dropped onto the victim machine. It only consists of a decryption function 'de' and the base64-encoded ciphertext.
+C:\PS> Out-EncryptedScript .\Naughty-Script.ps1 password salty
-.Example
+Description
+-----------
+Encrypt the contents of this file with a password and salt. This will make analysis of the script impossible without the correct password and salt combination. This command will generate evil.ps1 that can dropped onto the victim machine. It only consists of a decryption function 'de' and the base64-encoded ciphertext.
- C:\PS> [String] $cmd = Get-Content .\evil.ps1
- C:\PS> Invoke-Expression $cmd
- C:\PS> $decrypted = de password salt
- C:\PS> Invoke-Expression $decrypted
-
- Description
- -----------
- This series of instructions assumes you've already encrypted a script and named it evil.ps1. The contents are then decrypted and the unencrypted script is called via Invoke-Expression
+.EXAMPLE
+
+C:\PS> [String] $cmd = Get-Content .\evil.ps1
+C:\PS> Invoke-Expression $cmd
+C:\PS> $decrypted = de password salt
+C:\PS> Invoke-Expression $decrypted
+
+Description
+-----------
+This series of instructions assumes you've already encrypted a script and named it evil.ps1. The contents are then decrypted and the unencrypted script is called via Invoke-Expression
.NOTES
- This command can be used to encrypt any text-based file/script
-
+This command can be used to encrypt any text-based file/script
+
.LINK
- http://www.exploit-monday.com
+http://www.exploit-monday.com
#>
-Param
-(
+[CmdletBinding()] Param (
[Parameter(Position = 0, Mandatory = $True)]
[String]
$ScriptPath,
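Review bot: the .PARAMETER ScriptPath help still reads "Path to this script", which does not describe the parameter; it should say "Path to the script to encrypt". Two smaller issues in the same help block: the first .EXAMPLE description has "that can dropped" (missing "be"), and the second .EXAMPLE decrypts with "de password salt" while the first encrypted with the salt "salty", so running the two examples in sequence would not decrypt.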
@@ -121,6 +124,6 @@ return $encoding.GetString($h,0,$h.Length);
# Output decrypt function and ciphertext to evil.ps1
Out-File -InputObject $Output -Encoding ASCII $FilePath
-Write-Host "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
+Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
-}
+} \ No newline at end of file
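Review bot: with Write-Verbose, a caller who does not pass -Verbose gets no indication of where the file was written and nothing on the pipeline to chain from; suggest also emitting the file object, e.g. `Write-Output (Get-Item $FilePath)`, which matches the README's own "Use Write-Output" guideline. The closing brace also lost its trailing newline ("\ No newline at end of file").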
diff --git a/ScriptModification/Remove-Comments.ps1 b/ScriptModification/Remove-Comments.ps1
new file mode 100644
index 0000000..64c3e31
--- /dev/null
+++ b/ScriptModification/Remove-Comments.ps1
@@ -0,0 +1,156 @@
+function Remove-Comments
+{
+<#
+.SYNOPSIS
+
+Strips comments and extra whitespace from a script.
+
+PowerSploit Module - Remove-Comments
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+.DESCRIPTION
+
+Remove-Comments strips out comments and unnecessary whitespace from a script. This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big.
+
+A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script. You rock, Lee!
+
+.PARAMETER ScriptBlock
+
+Specifies a scriptblock containing your script.
+
+.PARAMETER Path
+
+Specifies the path to your script.
+
+.EXAMPLE
+
+C:\PS> $Stripped = Remove-Comments -Path .\ScriptWithComments.ps1
+
+.EXAMPLE
+
+C:\PS> Remove-Comments -ScriptBlock {
+### This is my awesome script. My documentation is beyond reproach!
+ Write-Host 'Hello, World!' ### Write 'Hello, World' to the host
+### End script awesomeness
+}
+
+Write-Host 'Hello, World!'
+
+.EXAMPLE
+
+C:\PS> Remove-Comments -Path Inject-Shellcode.ps1 | Out-EncodedCommand
+
+Description
+-----------
+Removes extraneous whitespace and comments from Inject-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand.
+
+.INPUTS
+
+System.String, System.Management.Automation.ScriptBlock
+
+Accepts either a string containing the path to a script or a scriptblock.
+
+.OUTPUTS
+
+System.Management.Automation.ScriptBlock
+
+Remove-Comments returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired.
+
+.LINK
+
+http://www.exploit-monday.com
+http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/
+#>
+
+ [CmdletBinding( DefaultParameterSetName = 'FilePath' )] Param (
+ [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'FilePath' )]
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $Path,
+
+ [Parameter(Position = 0, ValueFromPipeline = $True, Mandatory = $True, ParameterSetName = 'ScriptBlock' )]
+ [ValidateNotNullOrEmpty()]
+ [ScriptBlock]
+ $ScriptBlock
+ )
+
+ Set-StrictMode -Version 2
+
+ if ($PSBoundParameters['Path'])
+ {
+ Get-ChildItem $Path -ErrorAction Stop | Out-Null
+ $ScriptBlockString = [IO.File]::ReadAllText((Resolve-Path $Path))
+ $ScriptBlock = [ScriptBlock]::Create($ScriptBlockString)
+ }
+ else
+ {
+ # Convert the scriptblock to a string so that it can be referenced with array notation
+ $ScriptBlockString = $ScriptBlock.ToString()
+ }
+
+ # Tokenize the scriptblock and return all tokens except for comments
+ $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptBlock, [Ref] $Null) | Where-Object { $_.Type -ne 'Comment' }
+
+ $StringBuilder = New-Object Text.StringBuilder
+
+ # The majority of the remaining code comes from Lee Holmes' Show-ColorizedContent script.
+ $CurrentColumn = 1
+ $NewlineCount = 0
+ foreach($CurrentToken in $Tokens)
+ {
+ # Now output the token
+ if(($CurrentToken.Type -eq 'NewLine') -or ($CurrentToken.Type -eq 'LineContinuation'))
+ {
+ $CurrentColumn = 1
+ # Only insert a single newline. Sequential newlines are ignored in order to save space.
+ if ($NewlineCount -eq 0)
+ {
+ $StringBuilder.AppendLine() | Out-Null
+ }
+ $NewlineCount++
+ }
+ else
+ {
+ $NewlineCount = 0
+
+ # Do any indenting
+ if($CurrentColumn -lt $CurrentToken.StartColumn)
+ {
+ # Insert a single space in between tokens on the same line. Extraneous whiltespace is ignored.
+ if ($CurrentColumn -ne 1)
+ {
+ $StringBuilder.Append(' ') | Out-Null
+ }
+ }
+
+ # See where the token ends
+ $CurrentTokenEnd = $CurrentToken.Start + $CurrentToken.Length - 1
+
+ # Handle the line numbering for multi-line strings
+ if(($CurrentToken.Type -eq 'String') -and ($CurrentToken.EndLine -gt $CurrentToken.StartLine))
+ {
+ $LineCounter = $CurrentToken.StartLine
+ $StringLines = $(-join $ScriptBlockString[$CurrentToken.Start..$CurrentTokenEnd] -split '`r`n')
+
+ foreach($StringLine in $StringLines)
+ {
+ $StringBuilder.Append($StringLine) | Out-Null
+ $LineCounter++
+ }
+ }
+ # Write out a regular token
+ else
+ {
+ $StringBuilder.Append((-join $ScriptBlockString[$CurrentToken.Start..$CurrentTokenEnd])) | Out-Null
+ }
+
+ # Update our position in the column
+ $CurrentColumn = $CurrentToken.EndColumn
+ }
+ }
+
+ Write-Output ([ScriptBlock]::Create($StringBuilder.ToString()))
+} \ No newline at end of file
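Review bot: a LineContinuation token (backtick at end of line) is treated exactly like NewLine and replaced with a bare line break, so a statement continued across lines, e.g. `Invoke-Foo -Bar 1 `` followed by `-Baz 2` on the next line, is emitted as two separate statements and the stripped script no longer parses the same way; the backtick must be kept, or the continuation joined onto one line, rather than dropped. Two smaller points in the same function: `-split '`r`n'` is single-quoted, so the backtick escapes are literal characters and the split never matches (the branch ends up appending the whole multi-line string unchanged and $LineCounter is never read), so either use "`r`n" or remove the special case; and Tokenize is called with [Ref] $Null, which discards parse errors, so a script that does not parse is silently emitted with its tokens mangled instead of being reported to the caller.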
diff --git a/ScriptModification/ScriptModification.psd1 b/ScriptModification/ScriptModification.psd1
new file mode 100644
index 0000000..df07db5
--- /dev/null
+++ b/ScriptModification/ScriptModification.psd1
@@ -0,0 +1,88 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'ScriptModification.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Company or vendor of this module
+CompanyName = ''
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'PowerSploit Script Preparation/Modification Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '2.0'
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of the .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = ''
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+# FormatsToProcess = @()
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = ''
+
+# Aliases to export from this module
+AliasesToExport = ''
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'ScriptModification'; ModuleVersion = '1.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'})
+
+# List of all files packaged with this module
+FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-CompressedDll.ps1', 'Out-EncodedCommand.ps1',
+ 'Out-EncryptedScript.ps1', 'Remove-Comments.ps1', 'Usage.txt'
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+} \ No newline at end of file
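Review bot: Copyright = 'BSD 3-Clause' puts a license name into the field the manifest reserves for a copyright statement (for example "(c) 2013 Matthew Graeber"); PowerShell 2.0 manifests have no license field, so suggest the copyright statement here and leave the license where it already is, in each script's help header. Missing trailing newline at end of file as well.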
diff --git a/ScriptModification/ScriptModification.psm1 b/ScriptModification/ScriptModification.psm1
new file mode 100644
index 0000000..5bb81d3
--- /dev/null
+++ b/ScriptModification/ScriptModification.psm1
@@ -0,0 +1 @@
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file
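Review bot: the loader uses the `%` alias for ForEach-Object, which contradicts the "Don't use any aliases" rule that the README hunk in this same commit tightens; suggest `Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | ForEach-Object { . $_.FullName }`. Dot-sourcing every .ps1 found in the folder also means any stray script dropped next to the module runs at import time, so consider dot-sourcing the expected files explicitly (they are already enumerated in FileList in the manifest). The file also lacks a trailing newline.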
diff --git a/ScriptModification/Usage.txt b/ScriptModification/Usage.txt
new file mode 100644
index 0000000..ddff666
--- /dev/null
+++ b/ScriptModification/Usage.txt
@@ -0,0 +1,12 @@
+To install this module, drop the entire PETools folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module ScriptModification`
+
+To see the commands imported, type `Get-Command -Module ScriptModification`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. \ No newline at end of file
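Review bot: the first line tells the reader to drop "the entire PETools folder" into a module directory, which is a copy-paste leftover from the PETools module's Usage.txt; it should say the ScriptModification folder, otherwise the `Import-Module ScriptModification` step below will not find the manifest. Missing trailing newline at end of file as well.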