From 6e42ba1d39b24ef8a5f3063b7806a07c8b33cc14 Mon Sep 17 00:00:00 2001 From: bitform Date: Sun, 20 Jan 2013 21:35:56 -0500 Subject: Moved scripts to their respective modules. --- Find-AVSignature.ps1 | 118 --------------------------------------------------- 1 file changed, 118 deletions(-) delete mode 100644 Find-AVSignature.ps1 (limited to 'Find-AVSignature.ps1') diff --git a/Find-AVSignature.ps1 b/Find-AVSignature.ps1 deleted file mode 100644 index aaa68c8..0000000 --- a/Find-AVSignature.ps1 +++ /dev/null @@ -1,118 +0,0 @@ -function Find-AVSignature { -<# -.SYNOPSIS - - Find-AVSignature - - Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com - - Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation) - License: BSD 3-Clause - -.DESCRIPTION - - A script to locate tiny AV signatures. - -.PARAMETER Startbyte - - Specifies the first byte to begin splitting on. - -.PARAMETER Endbyte - - Specifies the last byte to split on. - -.PARAMETER Interval - - Specifies the interval size to split with. - -.PARAMETER Path - - Specifies the path to the binary you want tested. - -.PARAMETER OutPath - - Optionally specifies the directory to write the binaries to. - -.PARAMETER Force - - Forces the script to continue without confirmation. - -.EXAMPLE - - PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe - PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose - PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose - PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose - PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose - -.NOTES - - Several of the versions of "DSplit.exe" available on the internet contain malware. - -.LINK - - http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html - https://github.com/mattifestation/PowerSploit - http://www.exploit-monday.com/ - http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2 -#> - -[CmdletBinding()] Param( - [Parameter(Mandatory = $True)] [Int32] $StartByte, - [Parameter(Mandatory = $True)] [String] $EndByte, - [Parameter(Mandatory = $True)] [Int32] $Interval, - [Parameter(Mandatory = $False)] [String] $Path = ($pwd.path), - [Parameter(Mandatory = $False)] [String] $OutPath = ($pwd), - [Switch] $Force = $False - ) - - #test variables - if (!(Test-Path $Path)) {Throw "File path not found"} - $Response = $True - if (!(Test-Path $OutPath)) {} - if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))){new-item ($OutPath)-type directory} - if (!$Response) {Throw "Output path not found"} - if (!(Get-ChildItem $Path).Exists) {Throw "File not found"} - [Int32] $FileSize = (Get-ChildItem $Path).Length - if ($StartByte -gt ($FileSize - 1) -or $StartByte -lt 0) {Throw "StartByte range must be between 0 and $Filesize"} - [Int32] $MaximumByte = (($FileSize) - 1) - if ($EndByte -ceq "max") {$EndByte = $MaximumByte} - if ($EndByte -gt $FileSize -or $EndByte -lt 0) {Throw "EndByte range must be between 0 and $Filesize"} - - #read in byte array - [Byte[]] $FileByteArray = [System.IO.File]::ReadAllBytes($Path) - - #find the filename for the output name - [String] $FileName = (Split-Path $Path -leaf).Split('.')[0] - - #Calculate the number of binaries - [Int32] $ResultNumber = [Math]::Floor(($EndByte - $StartByte) / $Interval) - if (((($EndByte - $StartByte) % $Interval)) -gt 0) {$ResultNumber = ($ResultNumber + 1)} - - #Prompt user to verify parameters to avoid writing binaries to the wrong directory - $Response = $True - if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("This script will result in $ResultNumber binaries being written to `"$OutPath`"!", - "Do you want to continue?"))){} - if (!$Response) {Return} - - Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"." - [Int32] $Number = [Math]::Floor($Endbyte/$Interval) - - #write out the calculated number of binaries - [Int32] $i = 0 - for ($i -eq 0; $i -lt $ResultNumber; $i++) - { - [Int32] $SplitByte = (($StartByte) + (($Interval) * ($i))) - Write-Verbose "Byte 0 -> $($SplitByte)" - [IO.File]::WriteAllBytes((Join-Path $OutPath "$($FileName)_$($SplitByte).bin"), $FileByteArray[0..($SplitByte)]) - } - - #Write out the final binary - [IO.File]::WriteAllBytes((Join-Path $OutPath "$($FileName)_$($EndByte).bin"), $FileByteArray[0..($EndByte)]) - Write-Verbose "Byte 0 -> $($EndByte)" - Write-Verbose "Files written to disk. Flushing memory." - - #During testing using large binaries, memory usage was excessive so lets fix that - [System.GC]::Collect() - Write-Verbose "Completed!" -} \ No newline at end of file -- cgit v1.2.3