author | mattifestation <mattgraeber@gmail.com> | 2014-03-01 18:26:31 -0500 |
---|---|---|
committer | mattifestation <mattgraeber@gmail.com> | 2014-03-01 18:26:31 -0500 |
commit | b450a70dbf0233f54d89ec763861882e492e0fc9 (patch) | |
tree | 4b5cf46d793ce43806d884b15fde5f9fec3f5c0e /Exfiltration | |
parent | 1df850208ee72efe58a7206100471b84d119fbf7 (diff) | |
Added Get-VolumeShadowCopy and Mount-VolumeShadowCopy
Diffstat (limited to 'Exfiltration')
-rw-r--r-- | Exfiltration/Exfiltration.psd1 | 3 | ||||
-rw-r--r-- | Exfiltration/VolumeShadowCopyTools.ps1 | 147 |
2 files changed, 149 insertions, 1 deletions
diff --git a/Exfiltration/Exfiltration.psd1 b/Exfiltration/Exfiltration.psd1
index 61437d8..2a5a152 100644
--- a/Exfiltration/Exfiltration.psd1
+++ b/Exfiltration/Exfiltration.psd1
@@ -75,7 +75,8 @@ ModuleList = @(@{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID =
 # List of all files packaged with this module
FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1',
- 'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1'
+ 'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1',
+ 'VolumeShadowCopyTools.ps1'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
diff --git a/Exfiltration/VolumeShadowCopyTools.ps1 b/Exfiltration/VolumeShadowCopyTools.ps1
new file mode 100644
index 0000000..e8c28a1
--- /dev/null
+++ b/Exfiltration/VolumeShadowCopyTools.ps1
@@ -0,0 +1,147 @@
+function Get-VolumeShadowCopy
+{
+<#
+.SYNOPSIS
+
+ Lists the device paths of all local volume shadow copies.
+
+ PowerSploit Function: Get-VolumeShadowCopy
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+ Version: 2.0.0
+#>
+
+ $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
+
+ if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
+ {
+ Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
+ }
+
+ Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.DeviceObject }
+}
+
+function Mount-VolumeShadowCopy
+{
+<#
+.SYNOPSIS
+
+ Mounts a volume shadow copy.
+
+ PowerSploit Function: Mount-VolumeShadowCopy
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+ Version: 2.0.0
+
+.DESCRIPTION
+
+ Mount-VolumeShadowCopy mounts a volume shadow copy volume by creating a symbolic link.
+
+.PARAMETER Path
+
+ Specifies the path to which the symbolic link for the mounted volume shadow copy will be saved.
+
+.PARAMETER DevicePath
+
+ Specifies the volume shadow copy 'DeviceObject' path. This path can be retrieved with the Get-VolumeShadowCopy PowerSploit function or with the Win32_ShadowCopy object. 
+
+.EXAMPLE
+
+ Get-VolumeShadowCopy | Mount-VolumeShadowCopy -Path C:\VSS
+
+ Description
+ -----------
+ Create a mount point in 'C:\VSS' for each volume shadow copy volume
+
+.EXAMPLE
+
+ Mount-VolumeShadowCopy -Path C:\VSS -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4'
+
+.EXAMPLE
+
+ Get-WmiObject Win32_ShadowCopy | % { $_.DeviceObject -Path C:\VSS -DevicePath $_ }
+#>
+
+ Param (
+ [Parameter(Mandatory = $True)]
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $Path,
+
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
+ [ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')]
+ [String[]]
+ $DevicePath
+ )
+
+ BEGIN
+ {
+ $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
+
+ if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
+ {
+ Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
+ }
+
+ # Validate that the path exists before proceeding
+ Get-ChildItem $Path -ErrorAction Stop | Out-Null
+
+ $DynAssembly = New-Object System.Reflection.AssemblyName('VSSUtil')
+ $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('VSSUtil', $False)
+
+ # Define [VSS.Kernel32]::CreateSymbolicLink method using reflection
+ # (i.e. 
none of the forensic artifacts left with using Add-Type)
+ $TypeBuilder = $ModuleBuilder.DefineType('VSS.Kernel32', 'Public, Class')
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('CreateSymbolicLink',
+ 'kernel32.dll',
+ ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static),
+ [Reflection.CallingConventions]::Standard,
+ [Bool],
+ [Type[]]@([String], [String], [UInt32]),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+ $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
+ $SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
+ $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor,
+ @('kernel32.dll'),
+ [Reflection.FieldInfo[]]@($SetLastError),
+ @($true))
+ $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
+
+ $Kernel32Type = $TypeBuilder.CreateType()
+ }
+
+ PROCESS
+ {
+ foreach ($Volume in $DevicePath)
+ {
+ $Volume -match '^\\\\\?\\GLOBALROOT\\Device\\(?<LinkName>HarddiskVolumeShadowCopy[0-9]{1,3})$' | Out-Null
+
+ $LinkPath = Join-Path $Path $Matches.LinkName
+
+ if (Test-Path $LinkPath)
+ {
+ Write-Warning "'$LinkPath' already exists."
+ continue
+ }
+
+ if (-not $Kernel32Type::CreateSymbolicLink($LinkPath, "$($Volume)\", 1))
+ {
+ Write-Error "Symbolic link creation failed for '$Volume'."
+ continue
+ }
+
+ Get-Item $LinkPath
+ }
+ }
+
+ END
+ {
+
+ }
+}
\ No newline at end of file |
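Review bot: The elevation check in Mount-VolumeShadowCopy's BEGIN block throws a message that names the wrong function, copied from Get-VolumeShadowCopy; the caller should see `Throw 'You must run Mount-VolumeShadowCopy from an elevated command prompt.'`. The third .EXAMPLE is not runnable as written, because `$_.DeviceObject -Path ...` is not a command; it should read `Get-WmiObject Win32_ShadowCopy | % { Mount-VolumeShadowCopy -Path C:\VSS -DevicePath $_.DeviceObject }`. In PROCESS the P/Invoke is declared with SetLastError set, yet the failure branch discards the reason, so an operator cannot tell a privilege problem from a bad path; `Write-Error "Symbolic link creation failed for '$Volume' (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))."` would surface it. The `Get-ChildItem $Path -ErrorAction Stop | Out-Null` probe in BEGIN enumerates the whole target directory only to confirm it exists, and its intent is clearer as a `Test-Path -PathType Container` check that throws when false.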