From 3d836696355f61f4fff5b31b328dbe500a4db0d6 Mon Sep 17 00:00:00 2001
From: bitform
Date: Sun, 20 Jan 2013 21:35:04 -0500
Subject: Added 'AntivirusBypass' Module
---
AntivirusBypass/AntivirusBypass.psd1 | 87 ++++++++++++++++++++++++++
AntivirusBypass/AntivirusBypass.psm1 | 1 +
AntivirusBypass/Find-AVSignature.ps1 | 118 +++++++++++++++++++++++++++++++++++
AntivirusBypass/Usage.md | 12 ++++
4 files changed, 218 insertions(+)
create mode 100644 AntivirusBypass/AntivirusBypass.psd1
create mode 100644 AntivirusBypass/AntivirusBypass.psm1
create mode 100644 AntivirusBypass/Find-AVSignature.ps1
create mode 100644 AntivirusBypass/Usage.md
(limited to 'AntivirusBypass')
diff --git a/AntivirusBypass/AntivirusBypass.psd1 b/AntivirusBypass/AntivirusBypass.psd1
new file mode 100644
index 0000000..ab2918b
--- /dev/null
+++ b/AntivirusBypass/AntivirusBypass.psd1
@@ -0,0 +1,87 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'AntivirusBypass.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Company or vendor of this module
+CompanyName = ''
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'PowerSploit Antivirus Avoidance/Bypass Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '2.0'
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of the .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = ''
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+# FormatsToProcess = @()
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = ''
+
+# Aliases to export from this module
+AliasesToExport = ''
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'AntivirusBypass'; ModuleVersion = '1.0.0.0'; GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'})
+
+# List of all files packaged with this module
+FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1', 'Usage.md'
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}
\ No newline at end of file
diff --git a/AntivirusBypass/AntivirusBypass.psm1 b/AntivirusBypass/AntivirusBypass.psm1
new file mode 100644
index 0000000..e5234fb
--- /dev/null
+++ b/AntivirusBypass/AntivirusBypass.psm1
@@ -0,0 +1 @@
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file
diff --git a/AntivirusBypass/Find-AVSignature.ps1 b/AntivirusBypass/Find-AVSignature.ps1
new file mode 100644
index 0000000..aaa68c8
--- /dev/null
+++ b/AntivirusBypass/Find-AVSignature.ps1
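Review bot: The loader dot-sources every `*.ps1` that `Get-ChildItem` finds under `$PSScriptRoot`, so whatever is present in the module directory at import time is executed, and with `FunctionsToExport = '*'` in the manifest it is also exported; nothing pins the module to the scripts it ships with. Since the manifest already enumerates `FileList`, dot-sourcing an explicit list, `. (Join-Path $PSScriptRoot 'Find-AVSignature.ps1')`, together with `FunctionsToExport = 'Find-AVSignature'` in the manifest, would make what is loaded and exported match what is declared. The `%` alias is also a style point for a module file; `ForEach-Object` is the conventional spelling in shipped code.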
@@ -0,0 +1,118 @@
+function Find-AVSignature {
+<#
+.SYNOPSIS
+
+ Find-AVSignature
+
+ Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com
+
+ Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
+ License: BSD 3-Clause
+
+.DESCRIPTION
+
+ A script to locate tiny AV signatures.
+
+.PARAMETER Startbyte
+
+ Specifies the first byte to begin splitting on.
+
+.PARAMETER Endbyte
+
+ Specifies the last byte to split on.
+
+.PARAMETER Interval
+
+ Specifies the interval size to split with.
+
+.PARAMETER Path
+
+ Specifies the path to the binary you want tested.
+
+.PARAMETER OutPath
+
+ Optionally specifies the directory to write the binaries to.
+
+.PARAMETER Force
+
+ Forces the script to continue without confirmation.
+
+.EXAMPLE
+
+ PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
+ PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
+ PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
+ PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
+ PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
+
+.NOTES
+
+ Several of the versions of "DSplit.exe" available on the internet contain malware.
+
+.LINK
+
+ http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
+ https://github.com/mattifestation/PowerSploit
+ http://www.exploit-monday.com/
+ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
+#>
+
+[CmdletBinding()] Param(
+ [Parameter(Mandatory = $True)] [Int32] $StartByte,
+ [Parameter(Mandatory = $True)] [String] $EndByte,
+ [Parameter(Mandatory = $True)] [Int32] $Interval,
+ [Parameter(Mandatory = $False)] [String] $Path = ($pwd.path),
+ [Parameter(Mandatory = $False)] [String] $OutPath = ($pwd),
+ [Switch] $Force = $False
+ )
+
+ #test variables
+ if (!(Test-Path $Path)) {Throw "File path not found"}
+ $Response = $True
+ if (!(Test-Path $OutPath)) {}
+ if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))){new-item ($OutPath)-type directory}
+ if (!$Response) {Throw "Output path not found"}
+ if (!(Get-ChildItem $Path).Exists) {Throw "File not found"}
+ [Int32] $FileSize = (Get-ChildItem $Path).Length
+ if ($StartByte -gt ($FileSize - 1) -or $StartByte -lt 0) {Throw "StartByte range must be between 0 and $Filesize"}
+ [Int32] $MaximumByte = (($FileSize) - 1)
+ if ($EndByte -ceq "max") {$EndByte = $MaximumByte}
+ if ($EndByte -gt $FileSize -or $EndByte -lt 0) {Throw "EndByte range must be between 0 and $Filesize"}
+
+ #read in byte array
+ [Byte[]] $FileByteArray = [System.IO.File]::ReadAllBytes($Path)
+
+ #find the filename for the output name
+ [String] $FileName = (Split-Path $Path -leaf).Split('.')[0]
+
+ #Calculate the number of binaries
+ [Int32] $ResultNumber = [Math]::Floor(($EndByte - $StartByte) / $Interval)
+ if (((($EndByte - $StartByte) % $Interval)) -gt 0) {$ResultNumber = ($ResultNumber + 1)}
+
+ #Prompt user to verify parameters to avoid writing binaries to the wrong directory
+ $Response = $True
+ if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("This script will result in $ResultNumber binaries 
being written to `"$OutPath`"!",
+ "Do you want to continue?"))){}
+ if (!$Response) {Return}
+
+ Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"."
+ [Int32] $Number = [Math]::Floor($Endbyte/$Interval)
+
+ #write out the calculated number of binaries
+ [Int32] $i = 0
+ for ($i -eq 0; $i -lt $ResultNumber; $i++)
+ {
+ [Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))
+ Write-Verbose "Byte 0 -> $($SplitByte)"
+ [IO.File]::WriteAllBytes((Join-Path $OutPath "$($FileName)_$($SplitByte).bin"), $FileByteArray[0..($SplitByte)])
+ }
+
+ #Write out the final binary
+ [IO.File]::WriteAllBytes((Join-Path $OutPath "$($FileName)_$($EndByte).bin"), $FileByteArray[0..($EndByte)])
+ Write-Verbose "Byte 0 -> $($EndByte)"
+ Write-Verbose "Files written to disk. Flushing memory."
+
+ #During testing using large binaries, memory usage was excessive so lets fix that
+ [System.GC]::Collect()
+ Write-Verbose "Completed!"
+}
\ No newline at end of file
diff --git a/AntivirusBypass/Usage.md b/AntivirusBypass/Usage.md
new file mode 100644
index 0000000..9eafc7b
--- /dev/null
+++ b/AntivirusBypass/Usage.md
@@ -0,0 +1,12 @@
+To install this module, drop the entire AntivirusBypass folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module AntivirusBypass`
+
+To see the commands imported, type `Get-Command -Module AntivirusBypass`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
\ No newline at end of file
-- cgit v1.2.3
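Review bot: `$EndByte` is declared `[String]`, so `if ($EndByte -gt $FileSize -or $EndByte -lt 0)` compares as strings (PowerShell converts the right operand to the left operand's type), and as a constructed example an EndByte of "9000" against a 10000-byte file is rejected because "9" sorts after "1"; the `$EndByte = $MaximumByte` assignment on the `max` line does not help, since the parameter keeps its string constraint. Re-declaring the variable numerically once the `max` substitution is done, `if ($EndByte -ceq "max") {$EndByte = $MaximumByte}` followed by `[Int32] $EndByte = $EndByte`, makes the range check, the `[Math]::Floor` arithmetic and the `0..($EndByte)` slice all operate on a number and turns a non-numeric EndByte into a clear conversion error instead of a misleading range message. `$Interval` is never validated, so a value of 0 reaches the division in the `$ResultNumber` line; `if ($Interval -le 0) {Throw "Interval must be greater than 0"}` next to the other range checks would close that. The `if (!(Test-Path $OutPath)) {}` block is empty and the directory-creation prompt and `new-item` that follow run unconditionally, even when the directory exists, which looks like it was meant to be the body of that `if`; worth confirming. `$Number` is assigned but never read and can be dropped.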