author | bitform <matt@exploit-monday.com> | 2013-01-20 21:35:04 -0500 |
---|---|---|
committer | bitform <matt@exploit-monday.com> | 2013-01-20 21:35:04 -0500 |
commit | 3d836696355f61f4fff5b31b328dbe500a4db0d6 (patch) | |
tree | fec801b4001e60d7386ef8e797615502edb2f48a /AntivirusBypass | |
parent | a233d60908d5442214ac6f5726c89f4d0b41418d (diff) | |
download | PowerSploit-3d836696355f61f4fff5b31b328dbe500a4db0d6.tar.gz PowerSploit-3d836696355f61f4fff5b31b328dbe500a4db0d6.zip |
Added 'AntivirusBypass' Module
Diffstat (limited to 'AntivirusBypass')
-rw-r--r-- | AntivirusBypass/AntivirusBypass.psd1 | 87 | ||||
-rw-r--r-- | AntivirusBypass/AntivirusBypass.psm1 | 1 | ||||
-rw-r--r-- | AntivirusBypass/Find-AVSignature.ps1 | 118 | ||||
-rw-r--r-- | AntivirusBypass/Usage.md | 12 |
4 files changed, 218 insertions, 0 deletions
diff --git a/AntivirusBypass/AntivirusBypass.psd1 b/AntivirusBypass/AntivirusBypass.psd1
new file mode 100644
index 0000000..ab2918b
--- /dev/null
+++ b/AntivirusBypass/AntivirusBypass.psd1
@@ -0,0 +1,87 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'AntivirusBypass.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Company or vendor of this module
+CompanyName = ''
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'PowerSploit Antivirus Avoidance/Bypass Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '2.0'
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of the .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = ''
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+# FormatsToProcess = @()
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = ''
+
+# Aliases to export from this module
+AliasesToExport = ''
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'AntivirusBypass'; ModuleVersion = '1.0.0.0'; GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'})
+
+# List of all files packaged with this module
+FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1', 'Usage.md'
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}
\ No newline at end of file
diff --git a/AntivirusBypass/AntivirusBypass.psm1 b/AntivirusBypass/AntivirusBypass.psm1
new file mode 100644
index 0000000..e5234fb
--- /dev/null
+++ b/AntivirusBypass/AntivirusBypass.psm1
@@ -0,0 +1 @@
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
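Review bot: `FunctionsToExport = '*'` (and `CmdletsToExport = '*'`) export everything the root module defines, and since the .psm1 in this same commit dot-sources every *.ps1 in the folder, any function in any file that lands in the module directory becomes part of the public surface; an explicit `FunctionsToExport = 'Find-AVSignature'` pins the surface to the one command the commit ships and keeps it consistent with FileList. Separately, `Copyright = 'BSD 3-Clause'` puts a license name in the manifest's copyright field; the license is already stated in the script's help block, so this field presumably wants an actual copyright line (author and year) — the author should confirm.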
\ No newline at end of file
diff --git a/AntivirusBypass/Find-AVSignature.ps1 b/AntivirusBypass/Find-AVSignature.ps1
new file mode 100644
index 0000000..aaa68c8
--- /dev/null
+++ b/AntivirusBypass/Find-AVSignature.ps1
@@ -0,0 +1,118 @@
+function Find-AVSignature {
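Review bot: The loader dot-sources every *.ps1 it finds under $PSScriptRoot, so any script dropped into the module folder runs at Import-Module time with the importer's rights — and Usage.md in this commit recommends installing into the per-user Documents module path, which is typically writable by the user and by anything running as them. The module ships exactly one script, so loading it by name is just as short and removes that foothold: `. (Join-Path $PSScriptRoot 'Find-AVSignature.ps1')`. If the glob is kept so future scripts auto-load, a comment such as `# Dot-sources every .ps1 in this directory at import time; the directory must be trusted/write-protected` would at least make the trust assumption explicit.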
+<#
+.SYNOPSIS
+
+ Find-AVSignature
+
+ Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com
+
+ Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
+ License: BSD 3-Clause
+
+.DESCRIPTION
+
+ A script to locate tiny AV signatures.
+
+.PARAMETER Startbyte
+
+ Specifies the first byte to begin splitting on.
+
+.PARAMETER Endbyte
+
+ Specifies the last byte to split on.
+
+.PARAMETER Interval
+
+ Specifies the interval size to split with.
+
+.PARAMETER Path
+
+ Specifies the path to the binary you want tested.
+
+.PARAMETER OutPath
+
+ Optionally specifies the directory to write the binaries to.
+
+.PARAMETER Force
+
+ Forces the script to continue without confirmation.
+
+.EXAMPLE
+
+ PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
+ PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
+ PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
+ PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
+ PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
+
+.NOTES
+
+ Several of the versions of "DSplit.exe" available on the internet contain malware.
+
+.LINK
+
+ http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
+ https://github.com/mattifestation/PowerSploit
+ http://www.exploit-monday.com/
+ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
+#>
+
+[CmdletBinding()] Param(
+ [Parameter(Mandatory = $True)] [Int32] $StartByte,
+ [Parameter(Mandatory = $True)] [String] $EndByte,
+ [Parameter(Mandatory = $True)] [Int32] $Interval,
+ [Parameter(Mandatory = $False)] [String] $Path = ($pwd.path),
+ [Parameter(Mandatory = $False)] [String] $OutPath = ($pwd),
+ [Switch] $Force = $False
+ )
+
+ #test variables
+ if (!(Test-Path $Path)) {Throw "File path not found"}
+ $Response = $True
+ if (!(Test-Path $OutPath)) {}
+ if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))){new-item ($OutPath)-type directory}
+ if (!$Response) {Throw "Output path not found"}
+ if (!(Get-ChildItem $Path).Exists) {Throw "File not found"}
+ [Int32] $FileSize = (Get-ChildItem $Path).Length
+ if ($StartByte -gt ($FileSize - 1) -or $StartByte -lt 0) {Throw "StartByte range must be between 0 and $Filesize"}
+ [Int32] $MaximumByte = (($FileSize) - 1)
+ if ($EndByte -ceq "max") {$EndByte = $MaximumByte}
+ if ($EndByte -gt $FileSize -or $EndByte -lt 0) {Throw "EndByte range must be between 0 and $Filesize"}
+
+ #read in byte array
+ [Byte[]] $FileByteArray = [System.IO.File]::ReadAllBytes($Path)
+
+ #find the filename for the output name
+ [String] $FileName = (Split-Path $Path -leaf).Split('.')[0]
+
+ #Calculate the number of binaries
+ [Int32] $ResultNumber = [Math]::Floor(($EndByte - $StartByte) / $Interval)
+ if (((($EndByte - $StartByte) % $Interval)) -gt 0) {$ResultNumber = ($ResultNumber + 1)}
+
+ #Prompt user to verify parameters to avoid writing binaries to the wrong directory
+ $Response = $True
+ if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("This script will result in $ResultNumber binaries being written to `"$OutPath`"!",
+ "Do you want to continue?"))){}
+ if (!$Response) {Return}
+
+ Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"."
+ [Int32] $Number = [Math]::Floor($Endbyte/$Interval)
+
+ #write out the calculated number of binaries
+ [Int32] $i = 0
+ for ($i -eq 0; $i -lt $ResultNumber; $i++)
+ {
+ [Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))
+ Write-Verbose "Byte 0 -> $($SplitByte)"
+ [IO.File]::WriteAllBytes((Join-Path $OutPath "$($FileName)_$($SplitByte).bin"), $FileByteArray[0..($SplitByte)])
+ }
+
+ #Write out the final binary
+ [IO.File]::WriteAllBytes((Join-Path $OutPath "$($FileName)_$($EndByte).bin"), $FileByteArray[0..($EndByte)])
+ Write-Verbose "Byte 0 -> $($EndByte)"
+ Write-Verbose "Files written to disk. Flushing memory."
+
+ #During testing using large binaries, memory usage was excessive so lets fix that
+ [System.GC]::Collect()
+ Write-Verbose "Completed!"
+}
\ No newline at end of file
diff --git a/AntivirusBypass/Usage.md b/AntivirusBypass/Usage.md
new file mode 100644
index 0000000..9eafc7b
--- /dev/null
+++ b/AntivirusBypass/Usage.md
@@ -0,0 +1,12 @@
+To install this module, drop the entire AntivirusBypass folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
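Review bot: `$EndByte` is declared `[String]` so that "max" can be passed, but that makes the range check `$EndByte -gt $FileSize -or $EndByte -lt 0` a lexical comparison: an in-range value such as 9000 against a 59392-byte file throws "EndByte range must be between 0 and ..." because "9" sorts after "5", while some out-of-range values (e.g. 100001 against 99999 bytes) sort low and are accepted without error. Re-typing the variable to `[Int32]` right after the "max" substitution fixes the comparison and every later arithmetic use; the bound should also be `$MaximumByte`, since the array's last index is FileSize-1 (the StartByte check already uses that bound, though its message still says $Filesize). A second defect sits just above: `if (!(Test-Path $OutPath)) {}` has an empty body, so the create-directory prompt and `new-item` run even when $OutPath already exists, and with -Force that looks like it will emit an "already exists" error on every run. The rewritten lines below cover both; the rest of the function is unchanged.
```powershell
    if (!(Test-Path $Path)) {Throw "File path not found"}
    # Only prompt for / create the output directory when it is actually missing
    if (!(Test-Path $OutPath)) {
        if ($Force -or $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?","")) {
            New-Item $OutPath -Type Directory | Out-Null
        } else { Throw "Output path not found" }
    }
    # ... unchanged: file existence check, $FileSize, StartByte range check ...
    [Int32] $MaximumByte = (($FileSize) - 1)
    if ($EndByte -ceq "max") {$EndByte = $MaximumByte}
    # Re-type: the parameter is [String] (to accept "max"), so -gt/-lt would otherwise compare lexically
    [Int32] $EndByte = $EndByte
    if ($EndByte -gt $MaximumByte -or $EndByte -lt 0) {Throw "EndByte range must be between 0 and $MaximumByte"}
```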
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module AntivirusBypass`
+
+To see the commands imported, type `Get-Command -Module AntivirusBypass`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
\ No newline at end of file |