Age | Commit message | Author | Files | Lines

Get-NtSystemInformation is a wrapper function for
NtQuerySystemInformation. It is a Swiss-army knife tool for obtaining
internal OS information. It can currently be used to query the
following: global flags, handles, objects, kernel pool allocations, and
loaded kernel modules.

Making way for Get-NtSystemInformation. Loaded kernel module information
can be viewed with `Get-NtSystemInformation -ModuleInformation`.

There was some test code at the end of Invoke-ShellcodeMSIL that would
cause the function to execute when the script was dot-sourced.

ConvertTo-String converts the bytes of a file to a string that has a
1-to-1 mapping back to the file's original bytes. ConvertTo-String is
useful for performing binary regular expressions.

Merged Find-AVSignature performance improvements from garignack. Thanks, garignack!

Added comment-based help parameter, added additional parameter
validation, piped ReadStream.seek command to out-null to prevent output
to stdout.

Updated code to use [System.IO.FileStream] class with a buffer (64kb
default) to greatly increase performance, especially when handling large
files.
Updated $EndBytes validation logic to change it to a valid value rather
than throw an error.

Also fixed various pointer-width bugs.

Adding Invoke-ReflectiveDllInjection. PowerSploit now has reflective DLL
loading capabilities!!! Thanks to Joe Bialek @JosephBialek for writing
this awesome code!

Invoke-ShellcodeMSIL executes shellcode without making any Win32
function calls.

Get-MethodAddress was not working correctly in 32-bit PowerShell because
it was returning a [UInt64] value when it should have been a [UInt32].
This fix will detect if PowerShell is running as 32- or 64-bit and define
its return type accordingly.

After parsing a PE header with Get-PEHeader, you now have the option of
downloading the original executable from Microsoft's symbol server for
reference/comparison.

It previously returned a UInt64. Returning an IntPtr makes more sense.

They weren't relevant.

PowerSploit just got a complete makeover! It is now comprised of a
collection of modules grouped by category.

* I unfortunately needed to change the names of Inject-Shellcode and
Inject-Dll to Invoke-Shellcode and Invoke-DllInjection in order to
conform to proper verb naming.

* All scripts used to prepare and/or modify payload scripts were added
to the ScriptModification module.
* Added Remove-Comments - Strips comments and extra whitespace from a
script.
* Encrypt-Script was renamed to Out-EncryptedScript in order to conform to
proper PowerShell verbs.

* Now that PETools and ReverseEngineering are both full-fledged modules
with proper manifests, the manifests will take care of loading the
appropriate ps1xml files.
* Added Usage.txt to ReverseEngineering module.

* Slight consistency modifications were made to documentation.
* Added module manifest for PETools.

* I renamed RE_Tools to ReverseEngineering and made it a module.
* Slight consistency modifications were made to documentation.
* This is one step in the process of modularizing all of PowerSploit.

Forgot to add this. Oops.

That parameter attribute doesn't make sense in this context.

* Renamed Prepare-Payload to Out-EncodedCommand in order to conform to a
standard cmdlet verb.
* Fixed bug in PowerShell v2.
* Defaults to full base-64 encoding unless it exceeds the cmd.exe
character limit. Otherwise, it will default to partial base-64 encoding
in an effort to save space. Thanks @Carlos_Perez for the idea!
* User will be prompted if the cmd.exe character limit is exceeded.
* Command-line output uses truncated arguments in order to save space.
Thanks @obscuresec!

A function that takes screenshots at a regular interval and saves them
to a folder.
Developed by @obscuresec.

* Some payloads were not decoding properly after being uncompressed.
This was due to a bug in how `Get-Content -Encoding ASCII` was
interpreting input. When reading a script from a file, Prepare-Payload
no longer makes any assumptions about the script's encoding.
* Prepare-Payload will display a warning if the cmd.exe or base64 string
length maximums are exceeded.

Returns the process environment block (PEB) of a process.

Marshals data from an unmanaged block of memory in an arbitrary process
to a newly allocated managed object of the specified type. In other
words, it will parse and return a structure at a known memory address in
any process.

* The script now silently continues if the ps1xml file is not present.
* Removed compiler parameter code. This was a remnant of the first
version of Get-KernelModuleInfo when it compiled code.
* Improved the heuristics for determining when the last kernel module is
encountered.

Get-KernelModuleInfo utilizes reflection exclusively now and no longer
requires compilation of C# code. This means that it runs entirely in
memory.

Returns loaded kernel module information.