Age | Commit message | Author | Files | Lines
* All scripts used to prepare and/or modify payload scripts were added
to the ScriptModification module.
* Added Remove-Comments - Strips comments and extra whitespace from a
script.
* Encrypt-Script was renamed to Out-EncryptedScript in order to conform to
proper PowerShell verbs.
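The comment stripper this commit describes can be done safely with the PowerShell tokenizer instead of a regex on `#`. The block below is an added example, not PowerSploit's Remove-Comments: it tokenizes the script with `PSParser`, cuts the Comment tokens out of the original text by offset, and then trims trailing whitespace and blank lines. The function name and the sample script are the example's own.

```powershell
# Added example (not PowerSploit's Remove-Comments): locate comment tokens with
# the PowerShell tokenizer, cut them out by offset, then drop trailing
# whitespace and empty lines. Tokenizing rather than regex-matching '#' means
# a '#' inside a string literal is left alone.
function Remove-CommentsFromScript {
    param([Parameter(Mandatory = $true)][string]$ScriptText)

    $parseErrors = $null
    $tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptText, [ref]$parseErrors)
    if ($parseErrors.Count -gt 0) {
        throw "Script did not tokenize cleanly: $($parseErrors[0].Message)"
    }

    # Remove comment spans from the end backwards so earlier offsets stay valid
    $sb = New-Object Text.StringBuilder($ScriptText)
    $comments = $tokens | Where-Object { $_.Type -eq 'Comment' } | Sort-Object Start -Descending
    foreach ($c in $comments) { [void]$sb.Remove($c.Start, $c.Length) }

    # Collapse the whitespace the comments leave behind (indentation is kept;
    # lines inside here-strings are trimmed too, so check those by hand)
    $lines = $sb.ToString() -split "`r?`n" |
        ForEach-Object { $_.TrimEnd() } |
        Where-Object { $_.Length -gt 0 }
    $lines -join "`n"
}

# Constructed sample: a block comment, line comments, and a '#' inside a string
$sample = @'
<#
.SYNOPSIS
  Demo payload
#>
function Invoke-Demo {
    # emit a marker
    $marker = "tag#1"   # not a real comment
    Write-Output $marker
}
'@
Remove-CommentsFromScript -ScriptText $sample
```

Running the sample prints the four-line function with both comments gone and `"tag#1"` intact.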
* Now that PETools and ReverseEngineering are both full-fledged modules
with proper manifests, the manifests will take care of loading the
appropriate ps1xml files.
* Added Usage.txt to ReverseEngineering module.
* Slight consistency modifications were made to documentation.
* Added module manifest for PETools
* I renamed RE_Tools to ReverseEngineering and made it a module.
* Slight consistency modifications were made to documentation.
* This is one step in the process of modularizing all of PowerSploit.
Forgot to add this. Oops.
That parameter attribute doesn't make sense in this context.
* Renamed Prepare-Payload to Out-EncodedCommand in order to conform to a
standard cmdlet verb.
* Fixed bug in PowerShell v2
* Defaults to full base-64 encoding unless it exceeds the cmd.exe
character limit. Otherwise, it will default to partial base-64 encoding
in an effort to save space. Thanks @Carlos_Perez for the idea!
* User will be prompted if the cmd.exe character limit is exceeded.
* Command-line output uses truncated arguments in order to save space.
Thanks @obscuresec!
A function that takes screenshots at a regular interval and saves them
to a folder.
Developed by @obscuresec
* Some payloads were not decoding properly after being uncompressed.
This was due to a bug in how `Get-Content -Encoding ASCII` was
interpreting input. When reading a script from a file, Prepare-Payload
no longer makes any assumptions about the script's encoding.
* Prepare-Payload will display a warning if the cmd.exe or base64 string
length maximums are exceeded.
Returns the process environment block (PEB) of a process.
Marshals data from an unmanaged block of memory in an arbitrary process
to a newly allocated managed object of the specified type. In other
words, it will parse and return a structure at a known memory address in
any process.
* The script now silently continues if the ps1xml file is not present.
* Removed compiler parameter code. This was a remnant of the first
version of Get-KernelModuleInfo when it compiled code.
* Improved the heuristics for determining when the last kernel module is
encountered.
Get-KernelModuleInfo utilizes reflection exclusively now and no longer
requires compilation of C# code. This means that it runs entirely in
memory.
Returns loaded kernel module information.
Now, you can optionally output a call to the x86 (Wow64) version of
PowerShell.
A tool for bypassing AV signatures.
A script to aid in the loading of managed dlls in memory
Prepare-Payload compresses, Base-64 encodes, and generates command-line
output for a PowerShell payload script. This script was inspired by and
an improvement upon createcmd.ps1
(https://www.trustedsec.com/files/PowerShell_PoC.zip)
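This commit and the later Out-EncodedCommand commit above describe the same pipeline: Deflate the script, Base64 it, wrap it in a one-line decoder, and emit a cmd.exe command line, using full `-EncodedCommand` encoding unless the result would exceed the cmd.exe length limit and falling back to the shorter inline form. The block below is an added example of that logic, not PowerSploit's Prepare-Payload or Out-EncodedCommand; the function name, the 8191-character limit constant and the sample script are the example's own assumptions.

```powershell
# Added example (not PowerSploit's Out-EncodedCommand): compress a script with
# Deflate, Base64 it, wrap it in an inline decoder, and pick the launcher form
# that fits on a cmd.exe command line. The limit of 8191 characters is the
# documented cmd.exe maximum on Windows XP and later (assumption of this example).
function New-EncodedLauncher {
    param(
        [Parameter(Mandatory = $true)][string]$ScriptText,
        [int]$CmdLimit = 8191
    )

    # Deflate the script so the Base64 payload is as small as possible.
    # Closing the writer flushes and closes the Deflate and memory streams;
    # MemoryStream.ToArray() still works after Close().
    $ms = New-Object IO.MemoryStream
    $ds = New-Object IO.Compression.DeflateStream($ms, [IO.Compression.CompressionMode]::Compress)
    $sw = New-Object IO.StreamWriter($ds)
    $sw.Write($ScriptText)
    $sw.Close()
    $b64 = [Convert]::ToBase64String($ms.ToArray())

    # Inline decoder: reverse the steps above and hand the text to iex.
    # The leading comma forces the byte[] to be passed as one constructor argument.
    $stub = "`$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('$b64'));" +
            'iex (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()'

    # Full encoding: -EncodedCommand expects Base64 of the UTF-16LE stub, so the
    # stub grows by roughly 8/3; truncated switches keep the line short.
    $full = 'powershell -NoP -NonI -W Hidden -Enc ' +
            [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stub))

    # Partial encoding: only the payload is Base64, the stub is passed as-is.
    $partial = 'powershell -NoP -NonI -W Hidden -Command "' + $stub + '"'

    if ($full.Length -le $CmdLimit) { $cmd = $full;    $mode = 'full' }
    else                            { $cmd = $partial; $mode = 'partial' }

    if ($cmd.Length -gt $CmdLimit) {
        Write-Warning ('Command line is {0} characters, over the cmd.exe limit of {1}.' -f $cmd.Length, $CmdLimit)
    }

    New-Object PSObject -Property @{
        Mode        = $mode
        Length      = $cmd.Length
        CommandLine = $cmd
    }
}

# Constructed sample payload
$launcher = New-EncodedLauncher -ScriptText 'Write-Output "hello from the payload"'
$launcher | Format-List Mode, Length, CommandLine
```

The `Mode` field tells you which form was chosen; paste `CommandLine` into cmd.exe to run it. Neither form writes the script to disk, which is the property the commit messages are after.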
Get-Strings dumps strings from any file in Ascii and/or Unicode.
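As an added example of what this commit's tool does, and not PowerSploit's Get-Strings itself, the block below extracts printable ASCII and UTF-16LE ("Unicode") runs from a byte array. It maps bytes onto characters one-to-one through ISO-8859-1 so a .NET regex can scan raw bytes; the Unicode pattern matches printable characters interleaved with NUL bytes. The function name, the minimum length of four and the sample bytes are the example's own assumptions.

```powershell
# Added example (not PowerSploit's Get-Strings): dump printable ASCII and
# UTF-16LE runs of at least $MinimumLength characters from a byte array.
function Get-StringsFromBytes {
    param(
        [Parameter(Mandatory = $true)][byte[]]$Bytes,
        [int]$MinimumLength = 4,
        [ValidateSet('Ascii', 'Unicode', 'Both')][string]$Encoding = 'Both'
    )

    # ISO-8859-1 maps byte n to char n, so match offsets equal byte offsets
    $text = [Text.Encoding]::GetEncoding(28591).GetString($Bytes)
    $results = @()

    if ($Encoding -ne 'Unicode') {
        $asciiPattern = "[\x20-\x7E]{$MinimumLength,}"
        foreach ($m in [regex]::Matches($text, $asciiPattern)) {
            $results += New-Object PSObject -Property @{
                Offset = $m.Index; Encoding = 'Ascii'; String = $m.Value
            }
        }
    }

    if ($Encoding -ne 'Ascii') {
        # printable char followed by a NUL high byte, repeated
        $unicodePattern = "(?:[\x20-\x7E]\x00){$MinimumLength,}"
        foreach ($m in [regex]::Matches($text, $unicodePattern)) {
            $results += New-Object PSObject -Property @{
                Offset   = $m.Index
                Encoding = 'Unicode'
                String   = [Text.Encoding]::Unicode.GetString($Bytes, $m.Index, $m.Length)
            }
        }
    }

    $results | Sort-Object Offset
}

# Constructed sample: a short header, junk bytes, an ASCII string, more junk,
# then a UTF-16LE path. 'MZ' is too short to be reported.
$junk1  = [byte[]](0x90, 0x00, 0xCC)
$junk2  = [byte[]](0x00, 0x01, 0x02)
$sample = [byte[]]([Text.Encoding]::ASCII.GetBytes('MZ') + $junk1 +
                   [Text.Encoding]::ASCII.GetBytes('kernel32.dll') + $junk2 +
                   [Text.Encoding]::Unicode.GetBytes('C:\Windows\System32') + [byte[]](0xFF))

Get-StringsFromBytes -Bytes $sample | Format-Table Offset, Encoding, String -AutoSize
```

On the sample this reports `kernel32.dll` at offset 5 as Ascii and `C:\Windows\System32` at offset 20 as Unicode. To run it over a file, pass `[IO.File]::ReadAllBytes($path)` as `-Bytes`.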
The functionality remains the same but the code was cleaned up
drastically to be more consistent with PowerShell scripting best
practices.
Updated Inject-Shellcode. If running a 32-bit Metasploit payload from
64-bit PowerShell, it will prompt the user to execute the payload from
32-bit PowerShell. This fix was in response to Chris Gates' feature
request:
http://carnal0wnage.attackresearch.com/2012/05/powershell-shellcode-metasploit-x64.html
Note, there are some side effects:
1) It takes about one minute to initialize and execute the payload in
the 32-bit process. This is because the execution essentially emulates
copying and pasting its contents into the child process.
2) You will see some output artifacts of the script running in the child
PowerShell process.
I couldn't think of a good way to rectify these problems without
dropping the contents of the script to disk, which would not be
desirable.
New Features/Changes:
- Dramatically simplified parameters. Removed redundancies and named
parameter sets more appropriately
- Added 'Shellcode' parameter. Now, you can optionally specify shellcode
as a byte array rather than having to copy and paste shellcode into the
$Shellcode32 and/or $Shellcode64 variables
- Added 'Payload' parameter. Naming is now consistent with Metasploit
payloads. Currently, only 'windows/meterpreter/reverse_http' and
'windows/meterpreter/reverse_https' payloads are supported.
- Inject-Shellcode will now prompt the user to continue the 'dangerous'
action unless the -Force switch is provided. Hopefully, this will
prevent some people from carrying out stupid/regrettable actions.
- Added the 'ListMetasploitPayloads' switch to display the Metasploit
payloads supported by Inject-Shellcode
Bug fixes/Miscellaneous:
- Added UserAgent parameter to help documentation
- Code is much more readable now
- Changed internal helper functions to 'local' scope
- Now using proper error handling versus Write-Warning statements
- Added a subtle warning to the built-in shellcode...
This extends the built-in Get-Member cmdlet by adding the '-Private'
parameter for dissecting .NET types.
* All recon scripts now live in the 'Recon' directory
* Added Get-HttpStatus - An http[s] enumeration tool
* Added default dictionary for Get-HttpStatus - .\Dictionaries\admin.txt
* Moved Invoke-ReverseDnsLookup to 'Recon'
I now check for the existence of imports/exports in the data directory.
Get-PEHeader is a 32 and 64-bit in-memory and on-disk PE parsing
utility.
PETools is now a PowerShell module that can be loaded with
`Import-Module PETools`
Added Get-ILDisassembly.
Added RE_Tools folder for all current and future reverse engineering
tools.
Fixed some spelling errors in README.
Added additional usage information
PowerShell ISE saves to UTF-16 BE by default. git doesn't diff this
properly. Diffs should now display properly.
Added: Get-DllLoadPath, Get-PEArchitecture
Updated: Readme to reflect new additions
Got rid of Write-Host output.
Used with permission from @obscuresec (www.obscuresecurity.blogspot.com)