author | Jared Atkinson <jared@invoke-ir.com> | 2015-07-08 16:57:31 -0400 |
---|---|---|
committer | Jared Atkinson <jared@invoke-ir.com> | 2015-07-08 16:57:31 -0400 |
commit | 25934d4719faabfb2d94645e1ed2cd5738ead2d7 (patch) | |
tree | d56cf42f379c6bc8b5596fed3d2bd67f9ed1b00c /Exfiltration | |
parent | 2153a0a0b05ce5cdacceefeefe46b30f20caf3db (diff) | |
download | PowerSploit-25934d4719faabfb2d94645e1ed2cd5738ead2d7.tar.gz PowerSploit-25934d4719faabfb2d94645e1ed2cd5738ead2d7.zip |
Added New-VolumeShadowCopy and Remove-VolumeShadowCopy Cmdlets
Diffstat (limited to 'Exfiltration')
-rw-r--r-- | Exfiltration/VolumeShadowCopyTools.ps1 | 169 |
1 files changed, 168 insertions, 1 deletions
diff --git a/Exfiltration/VolumeShadowCopyTools.ps1 b/Exfiltration/VolumeShadowCopyTools.ps1
index e8c28a1..6d47c34 100644
--- a/Exfiltration/VolumeShadowCopyTools.ps1
+++ b/Exfiltration/VolumeShadowCopyTools.ps1
@@ -20,7 +20,174 @@
 Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
 }
- Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.DeviceObject }
+ Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | ForEach-Object { $_.DeviceObject }
+}
+
+function New-VolumeShadowCopy
+{
+<#
+.SYNOPSIS
+
+ Creates a new volume shadow copy.
+
+ PowerSploit Function: New-VolumeShadowCopy
+ Author: Jared Atkinson (@jaredcatkinson)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+ Version: 2.0.0
+
+.DESCRIPTION
+
+ New-VolumeShadowCopy creates a volume shadow copy for the specified volume.
+
+.PARAMETER Volume
+
+ Volume used for the shadow copy. This volume is sometimes referred to as the original volume.
+ The Volume parameter can be specified as a volume drive letter, mount point, or volume globally unique identifier (GUID) name.
+
+.PARAMETER Context
+
+ Context that the provider uses when creating the shadow. The default is "ClientAccessible".
+
+.EXAMPLE
+
+ New-VolumeShadowCopy -Volume C:\
+
+ Description
+ -----------
+ Creates a new VolumeShadowCopy of the C drive
+#>
+ Param(
+ [Parameter(Mandatory = $True)]
+ [ValidatePattern('^\w:\\')]
+ [String]
+ $Volume,
+
+ [Parameter(Mandatory = $False)]
+ [ValidateSet("ClientAccessible")]
+ [String]
+ $Context = "ClientAccessible"
+ )
+
+ $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
+
+ if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
+ {
+ Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
+ }
+
+ $class = [WMICLASS]"root\cimv2:win32_shadowcopy"
+
+ $return = $class.create("$Volume", "$Context")
+
+ switch($return.returnvalue)
+ {
+ 1 {Write-Error "Access denied."; break}
+ 2 {Write-Error "Invalid argument."; break}
+ 3 {Write-Error "Specified volume not found."; break}
+ 4 {Write-Error "Specified volume not supported."; break}
+ 5 {Write-Error "Unsupported shadow copy context."; break}
+ 6 {Write-Error "Insufficient storage."; break}
+ 7 {Write-Error "Volume is in use."; break}
+ 8 {Write-Error "Maximum number of shadow copies reached."; break}
+ 9 {Write-Error "Another shadow copy operation is already in progress."; break}
+ 10 {Write-Error "Shadow copy provider vetoed the operation."; break}
+ 11 {Write-Error "Shadow copy provider not registered."; break}
+ 12 {Write-Error "Shadow copy provider failure."; break}
+ 13 {Write-Error "Unknown error."; break}
+ default {break}
+ }
+}
+
+function Remove-VolumeShadowCopy
+{
+<#
+.SYNOPSIS
+
+ Deletes a volume shadow copy.
+
+ PowerSploit Function: Remove-VolumeShadowCopy
+ Author: Jared Atkinson (@jaredcatkinson)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+ Version: 2.0.0
+
+.DESCRIPTION
+
+ Remove-VolumeShadowCopy deletes a volume shadow copy from the system.
+
+.PARAMETER InputObject
+
+ Specifies the Win32_ShadowCopy object to remove
+
+.PARAMETER DevicePath
+
+ Specifies the volume shadow copy 'DeviceObject' path. This path can be retrieved with the Get-VolumeShadowCopy PowerSploit function or with the Win32_ShadowCopy object.
+
+.EXAMPLE
+
+ Get-VolumeShadowCopy | Remove-VolumeShadowCopy
+
+ Description
+ -----------
+ Removes all volume shadow copy
+
+.EXAMPLE
+
+ Get-WmiObject Win32_ShadowCopy | Remove-VolumeShadowCopy
+
+ Description
+ -----------
+ Removes all volume shadow copy
+
+.EXAMPLE
+
+ Remove-VolumeShadowCopy -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4'
+
+ Description
+ -----------
+ Removes the volume shadow copy at the 'DeviceObject' path \\?\GLOBALROOT\DeviceHarddiskVolumeShadowCopy4
+#>
+ Param(
+ [Parameter(Mandatory = $False, ValueFromPipeline = $True)]
+ [ValidateNotNullOrEmpty()]
+ [Object]
+ $InputObject,
+
+ [Parameter(Mandatory = $False)]
+ [ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')]
+ [String]
+ $DevicePath
+ )
+
+ PROCESS
+ {
+ if($PSBoundParameters.ContainsKey("InputObject"))
+ {
+ if($InputObject.GetType().Name -eq "String")
+ {
+ (Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | Where-Object {$_.DeviceObject -eq $InputObject}).Delete()
+ }
+ else
+ {
+ $InputObject.Delete()
+ }
+ }
+ elseif($PSBoundParameters.ContainsKey("DevicePath"))
+ {
+ (Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | Where-Object {$_.DeviceObject -eq $DevicePath}).Delete()
+ }
+ else
+ {
+ $vsc = Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy
+ foreach($copy in $vsc)
+ {
+ $copy.Delete()
+ }
+ }
+ }
 }
 function Mount-VolumeShadowCopy |
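Review bot: New-VolumeShadowCopy's elevation check throws the message copied from Get-VolumeShadowCopy, so a non-administrator is told to re-run a different cmdlet; the line should read `Throw 'You must run New-VolumeShadowCopy from an elevated command prompt.'`. In Remove-VolumeShadowCopy, calling the function with neither -InputObject nor -DevicePath deletes every shadow copy on the host without any confirmation, and the two Where-Object branches call `.Delete()` on a null result when nothing matches, which surfaces as a method-invocation error rather than a clear message. Because the deletion is irreversible, I would make it an advanced function with `[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')]` and gate each `.Delete()` behind `if ($PSCmdlet.ShouldProcess($copy.DeviceObject, 'Delete volume shadow copy'))`, so -WhatIf and -Confirm work and the delete-all path prompts by default. Remove-VolumeShadowCopy also omits the administrator-role check that Get- and New-VolumeShadowCopy perform, so it fails later with a less helpful WMI error. Get-VolumeShadowCopy's body begins before this hunk, and Remove-VolumeShadowCopy's closing brace is the trailing context line.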