aboutsummaryrefslogtreecommitdiff
path: root/docs/ScriptModification
diff options
context:
space:
mode:
Diffstat (limited to 'docs/ScriptModification')
-rwxr-xr-xdocs/ScriptModification/Out-CompressedDll.md60
-rwxr-xr-xdocs/ScriptModification/Out-EncodedCommand.md186
-rwxr-xr-xdocs/ScriptModification/Out-EncryptedScript.md148
-rwxr-xr-xdocs/ScriptModification/Remove-Comment.md110
4 files changed, 504 insertions, 0 deletions
diff --git a/docs/ScriptModification/Out-CompressedDll.md b/docs/ScriptModification/Out-CompressedDll.md
new file mode 100755
index 0000000..df7cff5
--- /dev/null
+++ b/docs/ScriptModification/Out-CompressedDll.md
@@ -0,0 +1,60 @@
+# Out-CompressedDll
+
+## SYNOPSIS
+Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
+
+PowerSploit Function: Out-CompressedDll
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Out-CompressedDll [-FilePath] <String>
+```
+
+## DESCRIPTION
+Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Out-CompressedDll -FilePath evil.dll
+```
+
+Description
+-----------
+Compresses, base64 encodes, and outputs the code required to load evil.dll in memory.
+
+## PARAMETERS
+
+### -FilePath
+Specifies the path to a managed executable.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+Only pure MSIL-based dlls can be loaded using this technique.
+Native or IJW ('it just works' - mixed-mode) dlls will not load.
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html](http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html)
+
diff --git a/docs/ScriptModification/Out-EncodedCommand.md b/docs/ScriptModification/Out-EncodedCommand.md
new file mode 100755
index 0000000..6666796
--- /dev/null
+++ b/docs/ScriptModification/Out-EncodedCommand.md
@@ -0,0 +1,186 @@
+# Out-EncodedCommand
+
+## SYNOPSIS
+Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
+
+PowerSploit Function: Out-EncodedCommand
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+### FilePath (Default)
+```
+Out-EncodedCommand [[-Path] <String>] [-NoExit] [-NoProfile] [-NonInteractive] [-Wow64] [-WindowStyle <String>]
+ [-EncodedOutput]
+```
+
+### ScriptBlock
+```
+Out-EncodedCommand [[-ScriptBlock] <ScriptBlock>] [-NoExit] [-NoProfile] [-NonInteractive] [-Wow64]
+ [-WindowStyle <String>] [-EncodedOutput]
+```
+
+## DESCRIPTION
+Out-EncodedCommand prepares a PowerShell script such that it can be pasted into a command prompt.
+The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload.
+This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'}
+```
+
+powershell -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream(\[IO.MemoryStream\]\[Convert\]::FromBase64String('Cy/KLEnV9cgvLlFQz0jNycnXUSjPL8pJUVQHAA=='),\[IO.Compression.CompressionMode\]::Decompress)),\[Text.Encoding\]::ASCII)).ReadToEnd()
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput
+```
+
+powershell -NoP -NonI -W Hidden -E cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcATABjAGkAeABDAHMASQB3AEUAQQBEAFEAWAAzAEUASQBWAEkAYwBtAEwAaQA1AEsAawBGAEsARQA2AGwAQgBCAFIAWABDADgAaABLAE8ATgBwAEwAawBRAEwANAAzACsAdgBRAGgAdQBqAHkAZABBADkAMQBqAHEAcwAzAG0AaQA1AFUAWABkADAAdgBUAG4ATQBUAEMAbQBnAEgAeAA0AFIAMAA4AEoAawAyAHgAaQA5AE0ANABDAE8AdwBvADcAQQBmAEwAdQBYAHMANQA0ADEATwBLAFcATQB2ADYAaQBoADkAawBOAHcATABpAHMAUgB1AGEANABWAGEAcQBVAEkAagArAFUATwBSAHUAVQBsAGkAWgBWAGcATwAyADQAbgB6AFYAMQB3ACsAWgA2AGUAbAB5ADYAWgBsADIAdAB2AGcAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA=
+
+Description
+-----------
+Execute the above payload for the lulz.
+\>D
+
+## PARAMETERS
+
+### -ScriptBlock
+Specifies a scriptblock containing your payload.
+
+```yaml
+Type: ScriptBlock
+Parameter Sets: ScriptBlock
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Path
+Specifies the path to your payload.
+
+```yaml
+Type: String
+Parameter Sets: FilePath
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -NoExit
+Outputs the option to not exit after running startup commands.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -NoProfile
+Outputs the option to not load the Windows PowerShell profile.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -NonInteractive
+Outputs the option to not present an interactive prompt to the user.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Wow64
+Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WindowStyle
+Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -EncodedOutput
+Base-64 encodes the entirety of the output.
+This is usually unnecessary and effectively doubles the size of the output.
+This option is only for those who are extra paranoid.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+This cmdlet was inspired by the createcmd.ps1 script introduced during Dave Kennedy and Josh Kelley's talk, "PowerShell...OMFG" (https://www.trustedsec.com/files/PowerShell_PoC.zip)
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com](http://www.exploit-monday.com)
+
diff --git a/docs/ScriptModification/Out-EncryptedScript.md b/docs/ScriptModification/Out-EncryptedScript.md
new file mode 100755
index 0000000..36db457
--- /dev/null
+++ b/docs/ScriptModification/Out-EncryptedScript.md
@@ -0,0 +1,148 @@
+# Out-EncryptedScript
+
+## SYNOPSIS
+Encrypts text files/scripts.
+
+PowerSploit Function: Out-EncryptedScript
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Out-EncryptedScript [-ScriptPath] <String> [-Password] <SecureString> [-Salt] <String>
+ [[-InitializationVector] <String>] [[-FilePath] <String>]
+```
+
+## DESCRIPTION
+Out-EncryptedScript will encrypt a script (or any text file for that
+matter) and output the results to a minimally obfuscated script -
+evil.ps1 by default.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$Password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+Out-EncryptedScript .\Naughty-Script.ps1 $Password salty
+
+Description
+-----------
+Encrypt the contents of this file with a password and salt.
+This will
+make analysis of the script impossible without the correct password
+and salt combination.
+This command will generate evil.ps1 that can
+dropped onto the victim machine.
+It only consists of a decryption
+function 'de' and the base64-encoded ciphertext.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+[String] $cmd = Get-Content .\evil.ps1
+```
+
+Invoke-Expression $cmd
+$decrypted = de password salt
+Invoke-Expression $decrypted
+
+Description
+-----------
+This series of instructions assumes you've already encrypted a script
+and named it evil.ps1.
+The contents are then decrypted and the
+unencrypted script is called via Invoke-Expression
+
+## PARAMETERS
+
+### -ScriptPath
+Path to this script
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+Password to encrypt/decrypt the script
+
+```yaml
+Type: SecureString
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Salt
+Salt value for encryption/decryption.
+This can be any string value.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InitializationVector
+Specifies a 16-character the initialization vector to be used.
+This
+is randomly generated by default.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: ((1..16 | ForEach-Object {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join '')
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FilePath
+{{Fill FilePath Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: .\evil.ps1
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+This command can be used to encrypt any text-based file/script
+
+## RELATED LINKS
+
diff --git a/docs/ScriptModification/Remove-Comment.md b/docs/ScriptModification/Remove-Comment.md
new file mode 100755
index 0000000..97335ae
--- /dev/null
+++ b/docs/ScriptModification/Remove-Comment.md
@@ -0,0 +1,110 @@
+# Remove-Comment
+
+## SYNOPSIS
+Strips comments and extra whitespace from a script.
+
+PowerSploit Function: Remove-Comment
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+### FilePath (Default)
+```
+Remove-Comment [-Path] <String>
+```
+
+### ScriptBlock
+```
+Remove-Comment [-ScriptBlock] <ScriptBlock>
+```
+
+## DESCRIPTION
+Remove-Comment strips out comments and unnecessary whitespace from a script.
+This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big.
+
+A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script.
+You rock, Lee!
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$Stripped = Remove-Comment -Path .\ScriptWithComments.ps1
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Remove-Comment -ScriptBlock {
+```
+
+### This is my awesome script.
+My documentation is beyond reproach!
+ Write-Host 'Hello, World!' ### Write 'Hello, World' to the host
+### End script awesomeness
+}
+
+Write-Host 'Hello, World!'
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Remove-Comment -Path Inject-Shellcode.ps1 | Out-EncodedCommand
+```
+
+Description
+-----------
+Removes extraneous whitespace and comments from Inject-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand.
+
+## PARAMETERS
+
+### -Path
+Specifies the path to your script.
+
+```yaml
+Type: String
+Parameter Sets: FilePath
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ScriptBlock
+Specifies a scriptblock containing your script.
+
+```yaml
+Type: ScriptBlock
+Parameter Sets: ScriptBlock
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### System.String, System.Management.Automation.ScriptBlock
+
+Accepts either a string containing the path to a script or a scriptblock.
+
+## OUTPUTS
+
+### System.Management.Automation.ScriptBlock
+
+Remove-Comment returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com
+http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/]()
+
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-25 21:22:21 +0000