author | Jared Atkinson <jared@invoke-ir.com> | 2015-07-08 22:27:12 -0400 |
committer | Jared Atkinson <jared@invoke-ir.com> | 2015-07-08 22:27:12 -0400 |
commit | c29f9b4743b5451e12d270da45072e72d1a480af (patch) | |
tree | b1c20eedfb764fd0e42166eb6fd5a037c6abc551 /Exfiltration | |
parent | 25934d4719faabfb2d94645e1ed2cd5738ead2d7 (diff) | |
Cleaned up Remove-VSC and New-VSC
- Changed Remove-VSC to have a single mandatory parameter (DevicePath)
- Updated New-VSC to check initial state of the VSS Service and return
VSS to its initial state after execution
Diffstat (limited to 'Exfiltration')
-rw-r--r-- | Exfiltration/VolumeShadowCopyTools.ps1 | 46 |
1 files changed, 12 insertions, 34 deletions
diff --git a/Exfiltration/VolumeShadowCopyTools.ps1 b/Exfiltration/VolumeShadowCopyTools.ps1
index 6d47c34..49fe22d 100644
--- a/Exfiltration/VolumeShadowCopyTools.ps1
+++ b/Exfiltration/VolumeShadowCopyTools.ps1
@@ -77,6 +77,9 @@ function New-VolumeShadowCopy
 Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
 }
+ # Save VSS Service initial state
+ $running = (Get-Service -Name VSS).Status
+
 $class = [WMICLASS]"root\cimv2:win32_shadowcopy"
 $return = $class.create("$Volume", "$Context")
@@ -98,6 +101,12 @@ function New-VolumeShadowCopy
 13 {Write-Error "Unknown error."; break}
 default {break}
 }
+
+ # If VSS Service was Stopped at the start, return VSS to "Stopped" state
+ if($running -eq "Stopped")
+ {
+ Stop-Service -Name VSS
+ }
 }
 function Remove-VolumeShadowCopy
@@ -136,27 +145,15 @@ function Remove-VolumeShadowCopy
 .EXAMPLE
- Get-WmiObject Win32_ShadowCopy | Remove-VolumeShadowCopy
-
- Description
- -----------
- Removes all volume shadow copy
-
-.EXAMPLE
-
 Remove-VolumeShadowCopy -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4'
 Description
 -----------
 Removes the volume shadow copy at the 'DeviceObject' path \\?\GLOBALROOT\DeviceHarddiskVolumeShadowCopy4
 #>
+ [CmdletBinding(SupportsShouldProcess = $True)]
 Param(
- [Parameter(Mandatory = $False, ValueFromPipeline = $True)]
- [ValidateNotNullOrEmpty()]
- [Object]
- $InputObject,
-
- [Parameter(Mandatory = $False)]
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
 [ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')]
 [String]
 $DevicePath
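Review bot: The restore of the VSS service in the second hunk (`if($running -eq "Stopped") { Stop-Service -Name VSS }`) only runs when `$class.create(...)` returns normally; if the WMI call throws, the state captured here is never acted on and the service is left running, which is exactly what saving its state was meant to prevent. Wrapping the create call and the return-code switch in `try`/`finally` restores the service on every exit path. The name `$running` is also misleading since it holds a `ServiceControllerStatus` value rather than a boolean; `$initialStatus` reads better and makes the later string comparison self-explanatory. Both hunks belong to New-VolumeShadowCopy, whose body starts and ends outside them.

```powershell
    # Save VSS Service initial state
    $initialStatus = (Get-Service -Name VSS).Status

    try
    {
        $class = [WMICLASS]"root\cimv2:win32_shadowcopy"
        $return = $class.create("$Volume", "$Context")
        # … unchanged: return-code switch …
    }
    finally
    {
        # Restore VSS to "Stopped" even when create() throws
        if($initialStatus -eq "Stopped")
        {
            Stop-Service -Name VSS
        }
    }
```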
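Review bot: With `InputObject` gone and `$DevicePath` typed `[String]` with `ValueFromPipeline = $True`, piping `Win32_ShadowCopy` objects (the usage the removed example documented) will most likely fail: the binder coerces the ManagementObject to its string form, which does not match the `ValidatePattern`. Adding `ValueFromPipelineByPropertyName = $True` and `[Alias('DeviceObject')]` keeps `Get-WmiObject Win32_ShadowCopy | Remove-VolumeShadowCopy` working by binding the object's `DeviceObject` property: `[Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]` followed by `[Alias('DeviceObject')]`. Since the cmdlet destroys recovery points and now declares `SupportsShouldProcess`, `ConfirmImpact = 'High'` on the `CmdletBinding` attribute would prompt by default unless the caller passes `-Confirm:$false`. If a `.PARAMETER InputObject` entry remains in the help block above this hunk, it should be dropped as well.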
@@ -164,29 +161,10 @@ function Remove-VolumeShadowCopy
 PROCESS
 {
- if($PSBoundParameters.ContainsKey("InputObject"))
- {
- if($InputObject.GetType().Name -eq "String")
- {
- (Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | Where-Object {$_.DeviceObject -eq $InputObject}).Delete()
- }
- else
- {
- $InputObject.Delete()
- }
- }
- elseif($PSBoundParameters.ContainsKey("DevicePath"))
+ if($PSCmdlet.ShouldProcess("The VolumeShadowCopy at DevicePath $DevicePath will be removed"))
 {
 (Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | Where-Object {$_.DeviceObject -eq $DevicePath}).Delete()
 }
- else
- {
- $vsc = Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy
- foreach($copy in $vsc)
- {
- $copy.Delete()
- }
- }
 }
 }
|
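Review bot: `(Get-WmiObject ... | Where-Object {...}).Delete()` still throws PowerShell's generic "You cannot call a method on a null-valued expression" when no shadow copy has the given DeviceObject, so a mistyped or already-removed path yields a confusing error instead of a clear one; binding the lookup to a variable and reporting through `Write-Error` when it is empty fixes that. The single-argument `ShouldProcess` call also reads oddly under `-WhatIf` because the whole sentence becomes the "target"; the two-argument form `$PSCmdlet.ShouldProcess($DevicePath, "Remove volume shadow copy")` produces the standard "Performing the operation ... on target ..." message. The PROCESS block is shown in full here, but the enclosing Remove-VolumeShadowCopy function starts outside the hunk.

```powershell
    PROCESS
    {
        if($PSCmdlet.ShouldProcess($DevicePath, "Remove volume shadow copy"))
        {
            $copy = Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | Where-Object {$_.DeviceObject -eq $DevicePath}
            if($copy -eq $null)
            {
                Write-Error "No volume shadow copy found at DevicePath $DevicePath"
            }
            else
            {
                $copy.Delete()
            }
        }
    }
```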