Diffstat (limited to 'AntivirusBypass')
| -rw-r--r-- | AntivirusBypass/AntivirusBypass.psd1 | 87 | ||||
| -rw-r--r-- | AntivirusBypass/AntivirusBypass.psm1 | 1 | ||||
| -rw-r--r-- | AntivirusBypass/Find-AVSignature.ps1 | 118 | ||||
| -rw-r--r-- | AntivirusBypass/Usage.md | 12 | 
4 files changed, 218 insertions, 0 deletions
|
diff --git a/AntivirusBypass/AntivirusBypass.psd1 b/AntivirusBypass/AntivirusBypass.psd1
new file mode 100644
index 0000000..ab2918b
--- /dev/null
+++ b/AntivirusBypass/AntivirusBypass.psd1
@@ -0,0 +1,87 @@
+@{
 +
 +# Script module or binary module file associated with this manifest.
 +ModuleToProcess = 'AntivirusBypass.psm1'
 +
 +# Version number of this module.
 +ModuleVersion = '1.0.0.0'
 +
 +# ID used to uniquely identify this module
 +GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'
 +
 +# Author of this module
 +Author = 'Matthew Graeber'
 +
 +# Company or vendor of this module
 +CompanyName = ''
 +
 +# Copyright statement for this module
 +Copyright = 'BSD 3-Clause'
 +
 +# Description of the functionality provided by this module
 +Description = 'PowerSploit Antivirus Avoidance/Bypass Module'
 +
 +# Minimum version of the Windows PowerShell engine required by this module
 +PowerShellVersion = '2.0'
 +
 +# Name of the Windows PowerShell host required by this module
 +# PowerShellHostName = ''
 +
 +# Minimum version of the Windows PowerShell host required by this module
 +# PowerShellHostVersion = ''
 +
 +# Minimum version of the .NET Framework required by this module
 +# DotNetFrameworkVersion = ''
 +
 +# Minimum version of the common language runtime (CLR) required by this module
 +# CLRVersion = ''
 +
 +# Processor architecture (None, X86, Amd64) required by this module
 +# ProcessorArchitecture = ''
 +
 +# Modules that must be imported into the global environment prior to importing this module
 +# RequiredModules = @()
 +
 +# Assemblies that must be loaded prior to importing this module
 +# RequiredAssemblies = @()
 +
 +# Script files (.ps1) that are run in the caller's environment prior to importing this module.
 +# ScriptsToProcess = ''
 +
 +# Type files (.ps1xml) to be loaded when importing this module
 +# TypesToProcess = @()
 +
 +# Format files (.ps1xml) to be loaded when importing this module
 +# FormatsToProcess = @()
 +
 +# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
 +# NestedModules = @()
 +
 +# Functions to export from this module
 +FunctionsToExport = '*'
 +
 +# Cmdlets to export from this module
 +CmdletsToExport = '*'
 +
 +# Variables to export from this module
 +VariablesToExport = ''
 +
 +# Aliases to export from this module
 +AliasesToExport = ''
 +
 +# List of all modules packaged with this module.
 +ModuleList = @(@{ModuleName = 'AntivirusBypass'; ModuleVersion = '1.0.0.0'; GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'})
 +
 +# List of all files packaged with this module
 +FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1', 'Usage.md'
 +
 +# Private data to pass to the module specified in RootModule/ModuleToProcess
 +# PrivateData = ''
 +
 +# HelpInfo URI of this module
 +# HelpInfoURI = ''
 +
 +# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
 +# DefaultCommandPrefix = ''
 +
 +}
\ No newline at end of file
diff --git a/AntivirusBypass/AntivirusBypass.psm1 b/AntivirusBypass/AntivirusBypass.psm1
new file mode 100644
index 0000000..e5234fb
--- /dev/null
+++ b/AntivirusBypass/AntivirusBypass.psm1
@@ -0,0 +1 @@
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
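Review bot: `FunctionsToExport = '*'` in the manifest's export section exports whatever the root module defines, and the root module added in the next hunk (AntivirusBypass.psm1) dot-sources every `*.ps1` under `$PSScriptRoot`, so any script file that lands in the module directory is executed on `Import-Module` and exported alongside Find-AVSignature. The manifest already enumerates the shipped files in `FileList`, so the export list can be just as explicit: `FunctionsToExport = 'Find-AVSignature'`, and `CmdletsToExport = ''` (no binary cmdlets are defined as far as these hunks show), matching the empty-string form already used for `VariablesToExport` and `AliasesToExport`. An explicit export list also lets `Get-Command -Module` and manifest-based tooling report the module's surface without loading it, and it makes an unexpected extra file in the folder visible rather than silently loaded.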
\ No newline at end of file
diff --git a/AntivirusBypass/Find-AVSignature.ps1 b/AntivirusBypass/Find-AVSignature.ps1
new file mode 100644
index 0000000..aaa68c8
--- /dev/null
+++ b/AntivirusBypass/Find-AVSignature.ps1
@@ -0,0 +1,118 @@
+function Find-AVSignature {
 +<#
 +.SYNOPSIS
 +
 +    Find-AVSignature
 +
 +    Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com
 +
 +    Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
 +    License: BSD 3-Clause
 +
 +.DESCRIPTION
 +
 +    A script to locate tiny AV signatures.
 +
 +.PARAMETER Startbyte
 +
 +    Specifies the first byte to begin splitting on.
 +
 +.PARAMETER Endbyte
 +
 +    Specifies the last byte to split on.
 +
 +.PARAMETER Interval
 +
 +    Specifies the interval size to split with.
 +
 +.PARAMETER Path
 +
 +    Specifies the path to the binary you want tested.
 +
 +.PARAMETER OutPath
 +
 +    Optionally specifies the directory to write the binaries to.
 +    
 +.PARAMETER Force
 +
 +    Forces the script to continue without confirmation.    
 +
 +.EXAMPLE
 +
 +    PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe 
 +    PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
 +    PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
 +    PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
 +    PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
 +
 +.NOTES
 +
 +    Several of the versions of "DSplit.exe" available on the internet contain malware.
 +
 +.LINK
 +
 +    http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
 +    https://github.com/mattifestation/PowerSploit
 +    http://www.exploit-monday.com/
 +    http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
 +#>
 +
 +[CmdletBinding()] Param(
 +        [Parameter(Mandatory = $True)] [Int32] $StartByte,
 +        [Parameter(Mandatory = $True)] [String] $EndByte,
 +        [Parameter(Mandatory = $True)] [Int32] $Interval,
 +        [Parameter(Mandatory = $False)] [String] $Path = ($pwd.path),
 +        [Parameter(Mandatory = $False)] [String] $OutPath = ($pwd),
 +        [Switch] $Force = $False
 +    )
 +
 +    #test variables
 +    if (!(Test-Path $Path)) {Throw "File path not found"}
 +    $Response = $True
 +    if (!(Test-Path $OutPath)) {}
 +        if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))){new-item ($OutPath)-type directory}
 +    if (!$Response) {Throw "Output path not found"}
 +    if (!(Get-ChildItem $Path).Exists) {Throw "File not found"}
 +    [Int32] $FileSize = (Get-ChildItem $Path).Length
 +    if ($StartByte -gt ($FileSize - 1) -or $StartByte -lt 0) {Throw "StartByte range must be between 0 and $Filesize"}
 +    [Int32] $MaximumByte = (($FileSize) - 1)
 +    if ($EndByte -ceq "max") {$EndByte = $MaximumByte}
 +    if ($EndByte -gt $FileSize -or $EndByte -lt 0) {Throw "EndByte range must be between 0 and $Filesize"}
 +
 +    #read in byte array
 +    [Byte[]] $FileByteArray = [System.IO.File]::ReadAllBytes($Path)
 +
 +    #find the filename for the output name
 +    [String] $FileName = (Split-Path $Path -leaf).Split('.')[0]
 +
 +    #Calculate the number of binaries
 +    [Int32] $ResultNumber = [Math]::Floor(($EndByte - $StartByte) / $Interval)
 +    if (((($EndByte - $StartByte) % $Interval)) -gt 0) {$ResultNumber = ($ResultNumber + 1)}
 +    
 +    #Prompt user to verify parameters to avoid writing binaries to the wrong directory
 +    $Response = $True
 +    if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("This script will result in $ResultNumber binaries being written to `"$OutPath`"!",
 +             "Do you want to continue?"))){}
 +    if (!$Response) {Return}
 +    
 +    Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"." 
 +    [Int32] $Number = [Math]::Floor($Endbyte/$Interval)
 +        
 +        #write out the calculated number of binaries
 +        [Int32] $i = 0
 +        for ($i -eq 0; $i -lt $ResultNumber; $i++)
 +        {
 +            [Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))
 +            Write-Verbose "Byte 0 -> $($SplitByte)"
 +            [IO.File]::WriteAllBytes((Join-Path $OutPath "$($FileName)_$($SplitByte).bin"), $FileByteArray[0..($SplitByte)])
 +        }
 +        
 +        #Write out the final binary
 +        [IO.File]::WriteAllBytes((Join-Path $OutPath "$($FileName)_$($EndByte).bin"), $FileByteArray[0..($EndByte)])
 +        Write-Verbose "Byte 0 -> $($EndByte)"
 +        Write-Verbose "Files written to disk. Flushing memory."
 +        
 +        #During testing using large binaries, memory usage was excessive so lets fix that
 +        [System.GC]::Collect()
 +        Write-Verbose "Completed!"
 +}
\ No newline at end of file
diff --git a/AntivirusBypass/Usage.md b/AntivirusBypass/Usage.md
new file mode 100644
index 0000000..9eafc7b
--- /dev/null
+++ b/AntivirusBypass/Usage.md
@@ -0,0 +1,12 @@
+To install this module, drop the entire AntivirusBypass folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
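Review bot: The `if (!(Test-Path $OutPath)) {}` at the top of the validation block has an empty body, so the `ShouldContinue`/`new-item` line directly below it runs unconditionally: an existing `$OutPath` still produces the "does not exist" prompt and then a `new-item -type directory` on a directory that is already there. That line belongs inside the braces, i.e. `if (!(Test-Path $OutPath)) {` / the existing ShouldContinue line / `}`. Separately, `$EndByte` is declared `[String]`, so `$EndByte -gt $FileSize -or $EndByte -lt 0` is a lexical comparison (the right operand is converted to the left operand's type) and will, for example, throw for `-EndByte max` on a 10000-byte file, where `"9999" -gt 10000` is True; compare as integers and against the last valid index, `if ([Int32]$EndByte -gt $MaximumByte -or [Int32]$EndByte -lt 0) {Throw "EndByte range must be between 0 and $MaximumByte"}`, since `$FileByteArray[0..($EndByte)]` also indexes past the end when EndByte equals `$FileSize`. Minor: the `for` initializer `$i -eq 0` is a comparison rather than an assignment (`$i = 0` is intended; it only works because `$i` is set on the previous line), and `$Number` is assigned but never used.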
 +
 +The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
 +The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
 +
 +To use the module, type `Import-Module AntivirusBypass`
 +
 +To see the commands imported, type `Get-Command -Module AntivirusBypass`
 +
 +For help on each individual command, Get-Help is your friend.
 +
 +Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
\ No newline at end of file |