-rw-r--r--.gitignore1
-rw-r--r--AntivirusBypass/AntivirusBypass.psd14
-rw-r--r--AntivirusBypass/AntivirusBypass.psm12
-rw-r--r--AntivirusBypass/Find-AVSignature.ps12
-rw-r--r--Capstone/Capstone.psd147
-rw-r--r--Capstone/Capstone.psm11
-rw-r--r--Capstone/Get-CSDisassembly.format.ps1xml41
-rw-r--r--Capstone/Get-CSDisassembly.ps1119
-rw-r--r--Capstone/LICENSE.TXT30
-rw-r--r--Capstone/README17
-rw-r--r--Capstone/lib/capstone.dllbin0 -> 80384 bytes
-rw-r--r--Capstone/lib/x64/libcapstone.dllbin0 -> 6326103 bytes
-rw-r--r--Capstone/lib/x86/libcapstone.dllbin0 -> 6327686 bytes
-rw-r--r--CodeExecution/CodeExecution.psd14
-rw-r--r--CodeExecution/CodeExecution.psm12
-rw-r--r--CodeExecution/Invoke-DllInjection.ps12
-rw-r--r--CodeExecution/Invoke-ReflectivePEInjection.ps12
-rw-r--r--CodeExecution/Invoke-ShellcodeMSIL.ps14
-rw-r--r--CodeExecution/Watch-BlueScreen.ps16
-rw-r--r--Exfiltration/Exfiltration.psd14
-rw-r--r--Exfiltration/Exfiltration.psm12
-rw-r--r--Exfiltration/Get-GPPPassword.ps13
-rw-r--r--Exfiltration/Get-Keystrokes.ps14
-rw-r--r--Exfiltration/Get-TimedScreenshot.ps12
-rw-r--r--Exfiltration/Invoke-Mimikatz.ps12
-rw-r--r--Exfiltration/Invoke-NinjaCopy.ps12
-rw-r--r--Exfiltration/Invoke-TokenManipulation.ps12
-rw-r--r--Exfiltration/Out-Minidump.ps14
-rw-r--r--PETools/Get-LibSymbols.format.ps1xml4
-rw-r--r--PETools/Get-LibSymbols.ps14
-rw-r--r--PETools/Get-ObjDump.format.ps1xml4
-rw-r--r--PETools/Get-ObjDump.ps14
-rw-r--r--PETools/Get-PEHeader.ps12
-rw-r--r--PETools/PETools.format.ps1xml2
-rw-r--r--PETools/PETools.psd14
-rw-r--r--PETools/PETools.psm12
-rw-r--r--Persistence/Add-Persistence.ps14
-rw-r--r--Persistence/New-ElevatedPersistenceOptions.ps14
-rw-r--r--Persistence/New-UserPersistenceOptions.ps14
-rw-r--r--Persistence/Persistence.psd14
-rw-r--r--Persistence/Persistence.psm14
-rw-r--r--PowerSploit.psd15
-rw-r--r--PowerSploit.psm12
-rw-r--r--README.md16
-rw-r--r--Recon/Get-HttpStatus.ps12
-rw-r--r--Recon/Invoke-Portscan.ps12
-rw-r--r--Recon/Recon.psd18
-rw-r--r--Recon/Recon.psm12
-rw-r--r--ReverseEngineering/ConvertTo-String.ps14
-rw-r--r--ReverseEngineering/Get-ILDisassembly.format.ps1xml10
-rw-r--r--ReverseEngineering/Get-ILDisassembly.ps113
-rw-r--r--ReverseEngineering/Get-MethodAddress.ps14
-rw-r--r--ReverseEngineering/Get-NtSystemInformation.format.ps1xml2
-rw-r--r--ReverseEngineering/Get-NtSystemInformation.ps12
-rw-r--r--ReverseEngineering/Get-PEB.format.ps1xml2
-rw-r--r--ReverseEngineering/Get-PEB.ps14
-rw-r--r--ReverseEngineering/Get-Strings.ps14
-rw-r--r--ReverseEngineering/Get-StructFromMemory.ps14
-rw-r--r--ReverseEngineering/New-Object.ps1bin4376 -> 2189 bytes
-rw-r--r--ReverseEngineering/ProcessModuleTrace.format.ps1xml4
-rw-r--r--ReverseEngineering/ProcessModuleTrace.ps14
-rw-r--r--ReverseEngineering/ReverseEngineering.psd12
-rw-r--r--ReverseEngineering/ReverseEngineering.psm12
-rw-r--r--ScriptModification/Out-CompressedDll.ps14
-rw-r--r--ScriptModification/Out-EncodedCommand.ps14
-rw-r--r--ScriptModification/Out-EncryptedScript.ps12
-rw-r--r--ScriptModification/Remove-Comments.ps14
-rw-r--r--ScriptModification/ScriptModification.psd14
-rw-r--r--ScriptModification/ScriptModification.psm12
69 files changed, 377 insertions, 96 deletions
diff --git a/.gitignore b/.gitignore
index b9d6bd9..e15a72d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,7 +45,6 @@ local.properties
[Dd]ebug/
[Rr]elease/
-x64/
build/
[Bb]in/
[Oo]bj/
diff --git a/AntivirusBypass/AntivirusBypass.psd1 b/AntivirusBypass/AntivirusBypass.psd1
index ab2918b..29949c1 100644
--- a/AntivirusBypass/AntivirusBypass.psd1
+++ b/AntivirusBypass/AntivirusBypass.psd1
@@ -1,4 +1,4 @@
-@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'AntivirusBypass.psm1'
@@ -84,4 +84,4 @@ FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1
# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
-} \ No newline at end of file
+}
diff --git a/AntivirusBypass/AntivirusBypass.psm1 b/AntivirusBypass/AntivirusBypass.psm1
index e5234fb..81d3818 100644
--- a/AntivirusBypass/AntivirusBypass.psm1
+++ b/AntivirusBypass/AntivirusBypass.psm1
@@ -1 +1 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
diff --git a/AntivirusBypass/Find-AVSignature.ps1 b/AntivirusBypass/Find-AVSignature.ps1
index 80e2b1f..d2487b3 100644
--- a/AntivirusBypass/Find-AVSignature.ps1
+++ b/AntivirusBypass/Find-AVSignature.ps1
@@ -183,4 +183,4 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
#During testing using large binaries, memory usage was excessive so lets fix that
[System.GC]::Collect()
Write-Verbose "Completed!"
-} \ No newline at end of file
+}
diff --git a/Capstone/Capstone.psd1 b/Capstone/Capstone.psd1
new file mode 100644
index 0000000..5da5a94
--- /dev/null
+++ b/Capstone/Capstone.psd1
@@ -0,0 +1,47 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'Capstone.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'Capstone Disassembly Framework Binding Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '3.0'
+
+# Minimum version of the common language runtime (CLR) required by this module
+CLRVersion = '4.0'
+
+# Assemblies that must be loaded prior to importing this module
+RequiredAssemblies = 'lib/capstone.dll'
+
+# Format files (.ps1xml) to be loaded when importing this module
+FormatsToProcess = 'Get-CSDisassembly.format.ps1xml'
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'})
+
+# List of all files packaged with this module
+FileList = 'Capstone.psm1',
+ 'Capstone.psd1',
+ 'Get-CSDisassembly.ps1',
+ 'Usage.md',
+ 'lib/capstone.dll',
+ 'lib/libcapstone.dll'
+
+}
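Review bot: `FileList` names `'Usage.md'` and `'lib/libcapstone.dll'`, but the diffstat for this commit adds `Capstone/README`, `Capstone/LICENSE.TXT`, `Get-CSDisassembly.format.ps1xml` and the native library under `lib/x86/` and `lib/x64/`, so the list does not describe what is actually shipped. It should carry the real paths, e.g. `'lib/x86/libcapstone.dll', 'lib/x64/libcapstone.dll'`, with `'README'` in place of `'Usage.md'`. `RequiredAssemblies = 'lib/capstone.dll'` loads a prebuilt binary at import time, and nothing in the commit records which upstream Capstone release the three DLLs come from or what their hashes are; a README line giving the version and a SHA-256 per file would let users verify them before importing. `FunctionsToExport = '*'` could also be narrowed to `'Get-CSDisassembly'`, the only function the module defines here.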
diff --git a/Capstone/Capstone.psm1 b/Capstone/Capstone.psm1
new file mode 100644
index 0000000..81d3818
--- /dev/null
+++ b/Capstone/Capstone.psm1
@@ -0,0 +1 @@
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
diff --git a/Capstone/Get-CSDisassembly.format.ps1xml b/Capstone/Get-CSDisassembly.format.ps1xml
new file mode 100644
index 0000000..e9703a2
--- /dev/null
+++ b/Capstone/Get-CSDisassembly.format.ps1xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+ <ViewDefinitions>
+ <View>
+ <Name>InstructionView</Name>
+ <ViewSelectedBy>
+ <TypeName>Capstone.Instruction</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <AutoSize/>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>Address</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Mnemonic</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Operands</Label>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <PropertyName>Address</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Mnemonic</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Operands</PropertyName>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ </ViewDefinitions>
+</Configuration> \ No newline at end of file
diff --git a/Capstone/Get-CSDisassembly.ps1 b/Capstone/Get-CSDisassembly.ps1
new file mode 100644
index 0000000..257ba96
--- /dev/null
+++ b/Capstone/Get-CSDisassembly.ps1
@@ -0,0 +1,119 @@
+#requires -Version 3
+
+function Get-CSDisassembly
+{
+<#
+.SYNOPSIS
+
+ Disassembles a byte array using the Capstone Engine disassembly framework.
+
+ PowerSploit Function: Get-CSDisassembly
+ Author: Matthew Graeber (@mattifestation)
+ License: See LICENSE.TXT
+ Required Dependencies: lib\capstone.dll, lib\[x86|x64]\libcapstone.dll
+ Optional Dependencies: None
+
+.DESCRIPTION
+
+ Get-CSDisassembly is compatible on 32 and 64-bit.
+
+.PARAMETER Architecture
+
+ Specifies the architecture of the code to be disassembled.
+
+.PARAMETER Mode
+
+ Specifies the mode in which to disassemble code. For example, to disassemble Amd64 code, architecture is set to 'X86' and Mode is set to 'MODE_64'.
+
+.PARAMETER Code
+
+ A byte array consisting of the code to be disassembled.
+
+.PARAMETER Offset
+
+ Specifies the starting address of the disassembly listing.
+
+.PARAMETER Count
+
+ Specifies the maximum number of instructions to disassemble.
+
+.PARAMETER Syntax
+
+ Specifies the syntax flavor to be used (INTEL vs. ATT).
+
+.PARAMETER DetailOff
+
+ Specifies that detailed parsing should not be performed - i.e. do not perform additional analysis beyond disassembling.
+
+.EXAMPLE
+
+ C:\PS>$Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+ Get-CSDisassembly -Architecture X86 -Mode Mode16 -Code $Bytes -Offset 0x1000
+
+.EXAMPLE
+
+ C:\PS>$Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+ Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes -Syntax ATT
+
+.INPUTS
+
+ None
+
+ You cannot pipe objects to Get-CSDisassembly.
+
+.OUTPUTS
+
+ Capstone.Instruction[]
+
+ Get-CSDisassembly returns an array of Instruction objects.
+#>
+
+ [OutputType([Capstone.Instruction])]
+ [CmdletBinding()] Param (
+ [Parameter(Mandatory)]
+ [Capstone.Architecture]
+ $Architecture,
+
+ [Parameter(Mandatory)]
+ [Capstone.Mode]
+ $Mode,
+
+ [Parameter(Mandatory)]
+ [ValidateNotNullOrEmpty()]
+ [Byte[]]
+ $Code,
+
+ [UInt64]
+ $Offset = 0,
+
+ [UInt32]
+ $Count = 0,
+
+ [ValidateSet('Intel', 'ATT')]
+ [String]
+ $Syntax,
+
+ [Switch]
+ $DetailOff
+ )
+
+ $Disassembly = New-Object Capstone.Capstone($Architecture, $Mode)
+
+ if ($Syntax)
+ {
+ switch ($Syntax)
+ {
+ 'Intel' { $SyntaxMode = [Capstone.OptionValue]::SyntaxIntel }
+ 'ATT' { $SyntaxMode = [Capstone.OptionValue]::SyntaxATT }
+ }
+
+ $Disassembly.SetSyntax($SyntaxMode)
+ }
+
+ if ($DetailOff)
+ {
+ $Disassembly.SetDetail($False)
+ }
+
+ $Disassembly.Disassemble($Code, $Offset, $Count)
+} \ No newline at end of file
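Review bot: The `.PARAMETER Mode` help tells the reader to set Mode to `'MODE_64'`, while both examples pass `Mode16` and `Mode32`, so the documented value probably does not match the `[Capstone.Mode]` member name; if the member is `Mode64` (the enum is not visible here) the sentence should end `Mode is set to 'Mode64'`. The parameter types `[Capstone.Architecture]` and `[Capstone.Mode]` resolve only after `capstone.dll` has been loaded, which Capstone.psd1 does through `RequiredAssemblies` and this script does not, so the function appears unusable when dot-sourced on its own; a `.NOTES` line saying the module manifest must be imported first would make that explicit. `.DESCRIPTION` says only that the function works on 32- and 64-bit and could state which of `lib\x86\libcapstone.dll` and `lib\x64\libcapstone.dll` is expected to be loaded for each process bitness.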
diff --git a/Capstone/LICENSE.TXT b/Capstone/LICENSE.TXT
new file mode 100644
index 0000000..9edde0b
--- /dev/null
+++ b/Capstone/LICENSE.TXT
@@ -0,0 +1,30 @@
+This is the software license for Capstone disassembly framework.
+Capstone has been designed & implemented by Nguyen Anh Quynh <aquynh@gmail.com>
+See http://www.capstone-engine.org for further information.
+
+Copyright (c) 2013, COSEINC.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+* Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+* Neither the name of the developer(s) nor the names of its
+ contributors may be used to endorse or promote products derived from this
+ software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
diff --git a/Capstone/README b/Capstone/README
new file mode 100644
index 0000000..cbab0cb
--- /dev/null
+++ b/Capstone/README
@@ -0,0 +1,17 @@
+This module has three dependencies:
+* lib\x86\libcapstone.dll (the 32-bit unmanaged Capstone library)
+* lib\x64\libcapstone.dll (the 64-bit unmanaged Capstone library)
+* lib\capstone.dll (the managed C# bindings to the Capstone Framework)
+
+To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module Capstone`
+
+To see the commands imported, type `Get-Command -Module Capstone`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. \ No newline at end of file
diff --git a/Capstone/lib/capstone.dll b/Capstone/lib/capstone.dll
new file mode 100644
index 0000000..1727436
--- /dev/null
+++ b/Capstone/lib/capstone.dll
Binary files differ
diff --git a/Capstone/lib/x64/libcapstone.dll b/Capstone/lib/x64/libcapstone.dll
new file mode 100644
index 0000000..e4f5e33
--- /dev/null
+++ b/Capstone/lib/x64/libcapstone.dll
Binary files differ
diff --git a/Capstone/lib/x86/libcapstone.dll b/Capstone/lib/x86/libcapstone.dll
new file mode 100644
index 0000000..242ad7e
--- /dev/null
+++ b/Capstone/lib/x86/libcapstone.dll
Binary files differ
diff --git a/CodeExecution/CodeExecution.psd1 b/CodeExecution/CodeExecution.psd1
index 394c7de..07963fc 100644
--- a/CodeExecution/CodeExecution.psd1
+++ b/CodeExecution/CodeExecution.psd1
@@ -1,4 +1,4 @@
-@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'CodeExecution.psm1'
@@ -85,4 +85,4 @@ FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', '
# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
-} \ No newline at end of file
+}
diff --git a/CodeExecution/CodeExecution.psm1 b/CodeExecution/CodeExecution.psm1
index e5234fb..81d3818 100644
--- a/CodeExecution/CodeExecution.psm1
+++ b/CodeExecution/CodeExecution.psm1
@@ -1 +1 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
diff --git a/CodeExecution/Invoke-DllInjection.ps1 b/CodeExecution/Invoke-DllInjection.ps1
index 572a911..8395ab8 100644
--- a/CodeExecution/Invoke-DllInjection.ps1
+++ b/CodeExecution/Invoke-DllInjection.ps1
@@ -325,4 +325,4 @@ http://www.exploit-monday.com
}
Write-Verbose "Injected DLL information:$($DllInfo)"
-} \ No newline at end of file
+}
diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1
index ccc1dd6..599212b 100644
--- a/CodeExecution/Invoke-ReflectivePEInjection.ps1
+++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1
@@ -2840,4 +2840,4 @@ Function Main
}
Main
-} \ No newline at end of file
+}
diff --git a/CodeExecution/Invoke-ShellcodeMSIL.ps1 b/CodeExecution/Invoke-ShellcodeMSIL.ps1
index 4123d06..158a643 100644
--- a/CodeExecution/Invoke-ShellcodeMSIL.ps1
+++ b/CodeExecution/Invoke-ShellcodeMSIL.ps1
@@ -1,4 +1,4 @@
-function Invoke-ShellcodeMSIL
+function Invoke-ShellcodeMSIL
{
<#
.SYNOPSIS
@@ -264,4 +264,4 @@
{
Write-Verbose 'Shellcode executed successfully!'
}
-} \ No newline at end of file
+}
diff --git a/CodeExecution/Watch-BlueScreen.ps1 b/CodeExecution/Watch-BlueScreen.ps1
index 2fa317e..0a12a91 100644
--- a/CodeExecution/Watch-BlueScreen.ps1
+++ b/CodeExecution/Watch-BlueScreen.ps1
@@ -1,4 +1,4 @@
-function Watch-BlueScreen
+function Watch-BlueScreen
{
<#
.SYNOPSIS
@@ -15,7 +15,7 @@
.NOTES
Tavis Ormandy documented this technique on 2/3/2013 and Nikita Tarakanov
- ‏tweeted this technique on 5/13/2013.
+ ?tweeted this technique on 5/13/2013.
.LINK
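Review bot: The new `.NOTES` line starts with a literal `?` (`?tweeted this technique on 5/13/2013.`), which looks like a non-ASCII character lost when the file was re-encoded rather than an intended edit. The line should read `tweeted this technique on 5/13/2013.`. Most other hunks in this commit touch only the first line and the end-of-file newline of each file, which suggests a bulk re-save, so the other files are worth checking for characters replaced the same way.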
@@ -75,4 +75,4 @@
$Gdi32::SetLayout($DC, $LAYOUT_RTL) | Out-Null
$Gdi32::ScaleWindowExtEx($DC, [Int32]::MinValue, -1, 1, 1, [IntPtr]::Zero) | Out-Null
}
-} \ No newline at end of file
+}
diff --git a/Exfiltration/Exfiltration.psd1 b/Exfiltration/Exfiltration.psd1
index aaddba1..68d68a1 100644
--- a/Exfiltration/Exfiltration.psd1
+++ b/Exfiltration/Exfiltration.psd1
@@ -1,4 +1,4 @@
-@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'Exfiltration.psm1'
@@ -86,4 +86,4 @@ FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1',
# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
-} \ No newline at end of file
+}
diff --git a/Exfiltration/Exfiltration.psm1 b/Exfiltration/Exfiltration.psm1
index e5234fb..81d3818 100644
--- a/Exfiltration/Exfiltration.psm1
+++ b/Exfiltration/Exfiltration.psm1
@@ -1 +1 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1
index 7dbd23d..ed331ad 100644
--- a/Exfiltration/Get-GPPPassword.ps1
+++ b/Exfiltration/Get-GPPPassword.ps1
@@ -1,4 +1,4 @@
-function Get-GPPPassword {
+function Get-GPPPassword {
<#
.SYNOPSIS
@@ -88,6 +88,7 @@
$UserName = ''
$NewName = ''
$Changed = ''
+ $Password = ''
switch ($Filename) {
diff --git a/Exfiltration/Get-Keystrokes.ps1 b/Exfiltration/Get-Keystrokes.ps1
index 48b7df6..75400a1 100644
--- a/Exfiltration/Get-Keystrokes.ps1
+++ b/Exfiltration/Get-Keystrokes.ps1
@@ -1,4 +1,4 @@
-function Get-Keystrokes {
+function Get-Keystrokes {
<#
.SYNOPSIS
@@ -246,4 +246,4 @@
} | Out-Null
}
-} \ No newline at end of file
+}
diff --git a/Exfiltration/Get-TimedScreenshot.ps1 b/Exfiltration/Get-TimedScreenshot.ps1
index c14c723..e1ca823 100644
--- a/Exfiltration/Get-TimedScreenshot.ps1
+++ b/Exfiltration/Get-TimedScreenshot.ps1
@@ -1,4 +1,4 @@
-function Get-TimedScreenshot
+function Get-TimedScreenshot
{
<#
.SYNOPSIS
diff --git a/Exfiltration/Invoke-Mimikatz.ps1 b/Exfiltration/Invoke-Mimikatz.ps1
index 289652c..6eff83c 100644
--- a/Exfiltration/Invoke-Mimikatz.ps1
+++ b/Exfiltration/Invoke-Mimikatz.ps1
@@ -2710,4 +2710,4 @@ Function Main
}
Main
-} \ No newline at end of file
+}
diff --git a/Exfiltration/Invoke-NinjaCopy.ps1 b/Exfiltration/Invoke-NinjaCopy.ps1
index cfa763f..7ff5bfa 100644
--- a/Exfiltration/Invoke-NinjaCopy.ps1
+++ b/Exfiltration/Invoke-NinjaCopy.ps1
@@ -2845,4 +2845,4 @@ Main
[GC]::Collect()
[GC]::Collect()
-} \ No newline at end of file
+}
diff --git a/Exfiltration/Invoke-TokenManipulation.ps1 b/Exfiltration/Invoke-TokenManipulation.ps1
index e904cdb..8c8b7b4 100644
--- a/Exfiltration/Invoke-TokenManipulation.ps1
+++ b/Exfiltration/Invoke-TokenManipulation.ps1
@@ -1,4 +1,4 @@
-function Invoke-TokenManipulation
+function Invoke-TokenManipulation
{
<#
.SYNOPSIS
diff --git a/Exfiltration/Out-Minidump.ps1 b/Exfiltration/Out-Minidump.ps1
index afb7dc9..a43ee0f 100644
--- a/Exfiltration/Out-Minidump.ps1
+++ b/Exfiltration/Out-Minidump.ps1
@@ -1,4 +1,4 @@
-function Out-Minidump
+function Out-Minidump
{
<#
.SYNOPSIS
@@ -127,4 +127,4 @@
}
END {}
-} \ No newline at end of file
+}
diff --git a/PETools/Get-LibSymbols.format.ps1xml b/PETools/Get-LibSymbols.format.ps1xml
index 41747cb..5d4d848 100644
--- a/PETools/Get-LibSymbols.format.ps1xml
+++ b/PETools/Get-LibSymbols.format.ps1xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
<ViewDefinitions>
<View>
@@ -28,4 +28,4 @@
</ListControl>
</View>
</ViewDefinitions>
-</Configuration> \ No newline at end of file
+</Configuration>
diff --git a/PETools/Get-LibSymbols.ps1 b/PETools/Get-LibSymbols.ps1
index 414454f..9864676 100644
--- a/PETools/Get-LibSymbols.ps1
+++ b/PETools/Get-LibSymbols.ps1
@@ -1,4 +1,4 @@
-function Get-LibSymbols
+function Get-LibSymbols
{
<#
.SYNOPSIS
@@ -279,4 +279,4 @@
}
END {}
-} \ No newline at end of file
+}
diff --git a/PETools/Get-ObjDump.format.ps1xml b/PETools/Get-ObjDump.format.ps1xml
index d44ade0..25e13b8 100644
--- a/PETools/Get-ObjDump.format.ps1xml
+++ b/PETools/Get-ObjDump.format.ps1xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
<ViewDefinitions>
<View>
@@ -289,4 +289,4 @@
</TableControl>
</View>
</ViewDefinitions>
-</Configuration> \ No newline at end of file
+</Configuration>
diff --git a/PETools/Get-ObjDump.ps1 b/PETools/Get-ObjDump.ps1
index 3df8235..2a8ebcb 100644
--- a/PETools/Get-ObjDump.ps1
+++ b/PETools/Get-ObjDump.ps1
@@ -1,4 +1,4 @@
-function Get-ObjDump
+function Get-ObjDump
{
<#
.SYNOPSIS
@@ -705,4 +705,4 @@
}
END {}
-} \ No newline at end of file
+}
diff --git a/PETools/Get-PEHeader.ps1 b/PETools/Get-PEHeader.ps1
index 2f35292..0021377 100644
--- a/PETools/Get-PEHeader.ps1
+++ b/PETools/Get-PEHeader.ps1
@@ -957,4 +957,4 @@ PROCESS {
}
-} \ No newline at end of file
+}
diff --git a/PETools/PETools.format.ps1xml b/PETools/PETools.format.ps1xml
index 17d2c56..c510281 100644
--- a/PETools/PETools.format.ps1xml
+++ b/PETools/PETools.format.ps1xml
@@ -371,4 +371,4 @@
</TableControl>
</View>
</ViewDefinitions>
-</Configuration> \ No newline at end of file
+</Configuration>
diff --git a/PETools/PETools.psd1 b/PETools/PETools.psd1
index 28a60b9..ef470a7 100644
--- a/PETools/PETools.psd1
+++ b/PETools/PETools.psd1
@@ -1,4 +1,4 @@
-@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'PETools.psm1'
@@ -86,4 +86,4 @@ FileList = 'PETools.psm1', 'PETools.psd1', 'PETools.format.ps1xml', 'Get-DllLoad
# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
-} \ No newline at end of file
+}
diff --git a/PETools/PETools.psm1 b/PETools/PETools.psm1
index e5234fb..81d3818 100644
--- a/PETools/PETools.psm1
+++ b/PETools/PETools.psm1
@@ -1 +1 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
diff --git a/Persistence/Add-Persistence.ps1 b/Persistence/Add-Persistence.ps1
index cd04fbf..27d7ba7 100644
--- a/Persistence/Add-Persistence.ps1
+++ b/Persistence/Add-Persistence.ps1
@@ -1,4 +1,4 @@
-function Add-Persistence
+function Add-Persistence
{
<#
.SYNOPSIS
@@ -397,4 +397,4 @@ $UserTriggerRemoval
}
#endregion
-} \ No newline at end of file
+}
diff --git a/Persistence/New-ElevatedPersistenceOptions.ps1 b/Persistence/New-ElevatedPersistenceOptions.ps1
index 4e11dee..5e04286 100644
--- a/Persistence/New-ElevatedPersistenceOptions.ps1
+++ b/Persistence/New-ElevatedPersistenceOptions.ps1
@@ -1,4 +1,4 @@
-function New-ElevatedPersistenceOptions
+function New-ElevatedPersistenceOptions
{
<#
.SYNOPSIS
@@ -167,4 +167,4 @@
$PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.ElevatedPersistenceOptions'
Write-Output $PersistenceOptions
-} \ No newline at end of file
+}
diff --git a/Persistence/New-UserPersistenceOptions.ps1 b/Persistence/New-UserPersistenceOptions.ps1
index 9672c2e..3b33ffa 100644
--- a/Persistence/New-UserPersistenceOptions.ps1
+++ b/Persistence/New-UserPersistenceOptions.ps1
@@ -1,4 +1,4 @@
-function New-UserPersistenceOptions
+function New-UserPersistenceOptions
{
<#
.SYNOPSIS
@@ -125,4 +125,4 @@
$PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.UserPersistenceOptions'
Write-Output $PersistenceOptions
-} \ No newline at end of file
+}
diff --git a/Persistence/Persistence.psd1 b/Persistence/Persistence.psd1
index 21a7871..de97697 100644
--- a/Persistence/Persistence.psd1
+++ b/Persistence/Persistence.psd1
@@ -1,4 +1,4 @@
-@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'Persistence.psm1'
@@ -34,4 +34,4 @@ ModuleList = @(@{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '
FileList = 'Persistence.psm1', 'Persistence.psd1', 'Add-Persistence.ps1', 'New-ElevatedPersistenceOptions.ps1',
'New-UserPersistenceOptions.ps1', 'Usage.md'
-} \ No newline at end of file
+}
diff --git a/Persistence/Persistence.psm1 b/Persistence/Persistence.psm1
index 4478ee1..04f36be 100644
--- a/Persistence/Persistence.psm1
+++ b/Persistence/Persistence.psm1
@@ -1,3 +1,3 @@
-. (Join-Path $PSScriptRoot New-ElevatedPersistenceOptions.ps1)
+. (Join-Path $PSScriptRoot New-ElevatedPersistenceOptions.ps1)
. (Join-Path $PSScriptRoot New-UserPersistenceOptions.ps1)
-. (Join-Path $PSScriptRoot Add-Persistence.ps1) \ No newline at end of file
+. (Join-Path $PSScriptRoot Add-Persistence.ps1)
diff --git a/PowerSploit.psd1 b/PowerSploit.psd1
index 8c7f939..049c491 100644
--- a/PowerSploit.psd1
+++ b/PowerSploit.psd1
@@ -1,4 +1,4 @@
-@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'PowerSploit.psm1'
@@ -79,6 +79,7 @@ ModuleList = @( @{ModuleName = 'PowerSploit'; ModuleVersion = '1.0.0.0'; GUID =
@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'},
@{ModuleName = 'ScriptModification'; ModuleVersion = '1.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'},
@{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'}
+ @{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'}
)
# List of all files packaged with this module
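Review bot: The added `Capstone` entry follows the `Persistence` entry with no separating comma, unlike the other elements of `ModuleList` visible in this hunk. Inside `@( )` a line break can act as a separator, so the manifest may still load, but that is accidental and easy to break on the next edit; the preceding line should end with a comma: `@{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'},`. Capstone.psd1 in this same commit requires PowerShell 3.0 and CLR 4.0, so importing the root module on an older host will presumably now raise an error for this sub-module; a comment here or a note in the README should say so.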
@@ -93,4 +94,4 @@ FileList = 'PowerSploit.psd1', 'PowerSploit.psm1'
# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
-} \ No newline at end of file
+}
diff --git a/PowerSploit.psm1 b/PowerSploit.psm1
index 430c1b8..5ea3b62 100644
--- a/PowerSploit.psm1
+++ b/PowerSploit.psm1
@@ -1 +1 @@
-Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer } | % { Import-Module $_.FullName } \ No newline at end of file
+Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer } | % { Import-Module $_.FullName }
diff --git a/README.md b/README.md
index 4fa1064..fbb0be2 100644
--- a/README.md
+++ b/README.md
@@ -80,6 +80,14 @@ Displays symbolic information from Windows lib files.
Returns the path from which Windows will load a Dll for the given executable.
+## Capstone
+
+**A PowerShell binding for the Capstone Engine disassembly framework.**
+
+#### `Get-CSDisassembly`
+
+Disassembles a byte array using the Capstone Engine disassembly framework.
+
## ReverseEngineering
**Tools to aid in reverse engineering.**
@@ -144,6 +152,14 @@ Locates single Byte AV signatures utilizing the same method as DSplit from "clas
**All your data belong to me!**
+#### `Invoke-TokenManipulation`
+
+Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread.
+
+#### `Inject-LogonCredentials`
+
+Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
+
#### `Invoke-NinjaCopy`
Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1
index fde3d26..8b60306 100644
--- a/Recon/Get-HttpStatus.ps1
+++ b/Recon/Get-HttpStatus.ps1
@@ -137,4 +137,4 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
Write-Output $ScanObject
}
-} \ No newline at end of file
+}
diff --git a/Recon/Invoke-Portscan.ps1 b/Recon/Invoke-Portscan.ps1
index ab03734..99bbb89 100644
--- a/Recon/Invoke-Portscan.ps1
+++ b/Recon/Invoke-Portscan.ps1
@@ -1,4 +1,4 @@
-function Invoke-Portscan
+function Invoke-Portscan
{
<#
.SYNOPSIS
diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1
index 43ba3a1..88287ef 100644
--- a/Recon/Recon.psd1
+++ b/Recon/Recon.psd1
@@ -1,4 +1,4 @@
-@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'Recon.psm1'
@@ -72,9 +72,9 @@ AliasesToExport = ''
# List of all modules packaged with this module.
ModuleList = @(@{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'})
-# List of all files packaged with this module
+# List of all files packaged with this module
FileList = 'Recon.psm1', 'Recon.psd1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsLookup.ps1',
- 'Invoke-Portscan.ps1', 'Usage.md'
+ 'Invoke-Portscan.ps1', 'Usage.md'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
@@ -85,4 +85,4 @@ FileList = 'Recon.psm1', 'Recon.psd1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsL
# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
-} \ No newline at end of file
+}
diff --git a/Recon/Recon.psm1 b/Recon/Recon.psm1
index e5234fb..81d3818 100644
--- a/Recon/Recon.psm1
+++ b/Recon/Recon.psm1
@@ -1 +1 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
diff --git a/ReverseEngineering/ConvertTo-String.ps1 b/ReverseEngineering/ConvertTo-String.ps1
index ab46c74..1c030b4 100644
--- a/ReverseEngineering/ConvertTo-String.ps1
+++ b/ReverseEngineering/ConvertTo-String.ps1
@@ -1,4 +1,4 @@
-filter ConvertTo-String
+filter ConvertTo-String
{
<#
.SYNOPSIS
@@ -67,4 +67,4 @@ http://www.exploit-monday.com
$FileStream.Close()
Write-Output $BinaryText
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-ILDisassembly.format.ps1xml b/ReverseEngineering/Get-ILDisassembly.format.ps1xml
index f933e1e..21115d6 100644
--- a/ReverseEngineering/Get-ILDisassembly.format.ps1xml
+++ b/ReverseEngineering/Get-ILDisassembly.format.ps1xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
<ViewDefinitions>
<View>
@@ -18,6 +18,9 @@
<TableColumnHeader>
<Label>Operand</Label>
</TableColumnHeader>
+ <TableColumnHeader>
+ <Label>MetadataToken</Label>
+ </TableColumnHeader>
</TableHeaders>
<TableRowEntries>
<TableRowEntry>
@@ -31,10 +34,13 @@
<TableColumnItem>
<PropertyName>Operand</PropertyName>
</TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>if ($_.MetadataToken) {"0x$($_.MetadataToken.ToString('X8'))"}</ScriptBlock>
+ </TableColumnItem>
</TableColumnItems>
</TableRowEntry>
</TableRowEntries>
</TableControl>
</View>
</ViewDefinitions>
-</Configuration> \ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1
index 645dc39..f2022e3 100644
--- a/ReverseEngineering/Get-ILDisassembly.ps1
+++ b/ReverseEngineering/Get-ILDisassembly.ps1
@@ -68,9 +68,9 @@ Disassembles the System.Array.BinarySearch(Array, Object) method
.INPUTS
-System.Reflection.MethodInfo
+System.Reflection.MethodInfo, System.Reflection.ConstructorInfo
-The method description containing the raw IL bytecodes.
+A method or constructor description containing the raw IL bytecodes.
.OUTPUTS
@@ -88,7 +88,8 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
Param (
[Parameter(Mandatory = $True, ValueFromPipeline = $True)]
- [System.Reflection.MethodInfo]
+ [ValidateScript({$_ -is [Reflection.MethodInfo] -or $_ -is [Reflection.ConstructorInfo]})]
+ [Object]
$MethodInfo
)
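Review bot: Typing the parameter as `[Object]` behind a `ValidateScript` gives up the type-based binding the old declaration had, and a wrong argument now fails with a generic validation-script message. `MethodInfo` and `ConstructorInfo` both derive from `System.Reflection.MethodBase`, so `[System.Reflection.MethodBase]` in place of the two added lines would accept both and keep the declaration self-documenting. The parameter is still named `$MethodInfo` although it may now hold a constructor; a line in the comment-based help noting this would avoid confusion. The function body starts and ends outside this hunk.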
@@ -131,6 +132,7 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
$Type = $Op.OperandType
$Operand = $null
+ $OpInt = $null
if ($Type -eq 'InlineNone') {
$OperandLength = 0
@@ -191,13 +193,14 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
if (($OperandLength -gt 0) -and ($OperandLength -ne 4) -and ($Type -ne 'InlineSwitch') -and ($Type -ne 'ShortInlineBrTarget')) {
# Simply print the hex for all operands with immediate values
- $Operand = "0x{0}" -f (($IL[$Position..($Position+$OperandLength-1)] | ForEach-Object { $_.ToString('X2') }) -join '')
+ $Operand = "0x{0}" -f (($IL[($Position+$OperandLength-1)..$Position] | ForEach-Object { $_.ToString('X2') }) -join '')
}
$Instruction = @{
Position = $InstructionPostion
Instruction = $Op.Name
Operand = $Operand
+ MetadataToken = $OpInt
}
# Return a custom object containing a position, instruction, and fully-qualified operand
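Review bot: `MetadataToken = $OpInt` publishes whatever `$OpInt` holds for every instruction, and the visible hunks only show it being reset to `$null`; the place where it is assigned is outside them. If `$OpInt` is also set for 4-byte operands that are not tokens (for example `InlineI` constants or `InlineBrTarget` offsets), the new column would present those values as metadata tokens, so the property is better assigned only in the token-bearing branches. Separately, the reversed range on the hex line deserves its own comment, such as `# IL operands are little-endian; reverse the bytes so the hex reads as the numeric value`, because the existing comment above it does not explain the byte order.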
@@ -209,4 +212,4 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
# Adjust the position in the opcode array accordingly
$Position += $OperandLength
}
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1
index 4a488cf..1ab0d41 100644
--- a/ReverseEngineering/Get-MethodAddress.ps1
+++ b/ReverseEngineering/Get-MethodAddress.ps1
@@ -1,4 +1,4 @@
-function Get-MethodAddress
+function Get-MethodAddress
{
<#
.SYNOPSIS
@@ -117,4 +117,4 @@ http://www.exploit-monday.com/2012/11/Get-MethodAddress.html
{
Write-Error "$($MethodInfo.Name) cannot return an unmanaged address."
}
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
index 41b5280..fa3ed41 100644
--- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
+++ b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
@@ -437,4 +437,4 @@
</ListControl>
</View>
</ViewDefinitions>
-</Configuration> \ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1
index bb0871a..2bde8f6 100644
--- a/ReverseEngineering/Get-NtSystemInformation.ps1
+++ b/ReverseEngineering/Get-NtSystemInformation.ps1
@@ -1,4 +1,4 @@
-function Get-NtSystemInformation
+function Get-NtSystemInformation
{
<#
.SYNOPSIS
diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml
index 3d075eb..59b5362 100644
--- a/ReverseEngineering/Get-PEB.format.ps1xml
+++ b/ReverseEngineering/Get-PEB.format.ps1xml
@@ -1207,4 +1207,4 @@
</ListControl>
</View>
</ViewDefinitions>
-</Configuration> \ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1
index 86e064d..7ec5089 100644
--- a/ReverseEngineering/Get-PEB.ps1
+++ b/ReverseEngineering/Get-PEB.ps1
@@ -1,4 +1,4 @@
-function Get-PEB
+function Get-PEB
{
<#
.SYNOPSIS
@@ -1089,4 +1089,4 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
END{}
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1
index 7acb9f1..2cb971c 100644
--- a/ReverseEngineering/Get-Strings.ps1
+++ b/ReverseEngineering/Get-Strings.ps1
@@ -1,4 +1,4 @@
-function Get-Strings
+function Get-Strings
{
<#
.SYNOPSIS
@@ -95,4 +95,4 @@ http://www.exploit-monday.com
}
}
END {}
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1
index c32c190..68f7651 100644
--- a/ReverseEngineering/Get-StructFromMemory.ps1
+++ b/ReverseEngineering/Get-StructFromMemory.ps1
@@ -1,4 +1,4 @@
-function Get-StructFromMemory
+function Get-StructFromMemory
{
<#
.SYNOPSIS
@@ -200,4 +200,4 @@ http://www.exploit-monday.com
$SafeHandle.Close()
Write-Output $ParsedStruct
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/New-Object.ps1 b/ReverseEngineering/New-Object.ps1
index 77b24f6..52c38c8 100644
--- a/ReverseEngineering/New-Object.ps1
+++ b/ReverseEngineering/New-Object.ps1
Binary files differ
diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
index fbad0b9..ffb6761 100644
--- a/ReverseEngineering/ProcessModuleTrace.format.ps1xml
+++ b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
<ViewDefinitions>
<View>
@@ -33,4 +33,4 @@
</ListControl>
</View>
</ViewDefinitions>
-</Configuration> \ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1
index 3eb57a7..85f7105 100644
--- a/ReverseEngineering/ProcessModuleTrace.ps1
+++ b/ReverseEngineering/ProcessModuleTrace.ps1
@@ -1,4 +1,4 @@
-function Register-ProcessModuleTrace
+function Register-ProcessModuleTrace
{
<#
.SYNOPSIS
@@ -100,4 +100,4 @@ function Unregister-ProcessModuleTrace
#>
Unregister-Event -SourceIdentifier 'ModuleLoaded'
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1
index b7da355..de364e1 100644
--- a/ReverseEngineering/ReverseEngineering.psd1
+++ b/ReverseEngineering/ReverseEngineering.psd1
@@ -1,4 +1,4 @@
-@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'ReverseEngineering.psm1'
diff --git a/ReverseEngineering/ReverseEngineering.psm1 b/ReverseEngineering/ReverseEngineering.psm1
index 5bb81d3..81d3818 100644
--- a/ReverseEngineering/ReverseEngineering.psm1
+++ b/ReverseEngineering/ReverseEngineering.psm1
@@ -1 +1 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
diff --git a/ScriptModification/Out-CompressedDll.ps1 b/ScriptModification/Out-CompressedDll.ps1
index 3aa5c2b..5e6897d 100644
--- a/ScriptModification/Out-CompressedDll.ps1
+++ b/ScriptModification/Out-CompressedDll.ps1
@@ -1,4 +1,4 @@
-function Out-CompressedDll
+function Out-CompressedDll
{
<#
.SYNOPSIS
@@ -78,4 +78,4 @@ $EncodedCompressedFile
"@
Write-Output $Output
-} \ No newline at end of file
+}
diff --git a/ScriptModification/Out-EncodedCommand.ps1 b/ScriptModification/Out-EncodedCommand.ps1
index cae4715..04e8c12 100644
--- a/ScriptModification/Out-EncodedCommand.ps1
+++ b/ScriptModification/Out-EncodedCommand.ps1
@@ -1,4 +1,4 @@
-function Out-EncodedCommand
+function Out-EncodedCommand
{
<#
.SYNOPSIS
@@ -181,4 +181,4 @@ http://www.exploit-monday.com
}
Write-Output $CommandLineOutput
-} \ No newline at end of file
+}
diff --git a/ScriptModification/Out-EncryptedScript.ps1 b/ScriptModification/Out-EncryptedScript.ps1
index 3f09020..4fc69cf 100644
--- a/ScriptModification/Out-EncryptedScript.ps1
+++ b/ScriptModification/Out-EncryptedScript.ps1
@@ -126,4 +126,4 @@ return $encoding.GetString($h,0,$h.Length);
Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
-} \ No newline at end of file
+}
diff --git a/ScriptModification/Remove-Comments.ps1 b/ScriptModification/Remove-Comments.ps1
index ec75927..45a9746 100644
--- a/ScriptModification/Remove-Comments.ps1
+++ b/ScriptModification/Remove-Comments.ps1
@@ -1,4 +1,4 @@
-function Remove-Comments
+function Remove-Comments
{
<#
.SYNOPSIS
@@ -153,4 +153,4 @@ http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/
}
Write-Output ([ScriptBlock]::Create($StringBuilder.ToString()))
-} \ No newline at end of file
+}
diff --git a/ScriptModification/ScriptModification.psd1 b/ScriptModification/ScriptModification.psd1
index 7393c29..d326c12 100644
--- a/ScriptModification/ScriptModification.psd1
+++ b/ScriptModification/ScriptModification.psd1
@@ -1,4 +1,4 @@
-@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'ScriptModification.psm1'
@@ -85,4 +85,4 @@ FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-Compressed
# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
-} \ No newline at end of file
+}
diff --git a/ScriptModification/ScriptModification.psm1 b/ScriptModification/ScriptModification.psm1
index 5bb81d3..81d3818 100644
--- a/ScriptModification/ScriptModification.psm1
+++ b/ScriptModification/ScriptModification.psm1
@@ -1 +1 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}