blob: 16061541430c1b898ac4379e4a61da835578f3bb (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
# Find-AVSignature
## SYNOPSIS
Locate tiny AV signatures.
PowerSploit Function: Find-AVSignature
Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
## SYNTAX
```
Find-AVSignature [-StartByte] <UInt32> [-EndByte] <String> [-Interval] <UInt32> [[-Path] <String>]
[[-OutPath] <String>] [[-BufferLen] <UInt32>] [-Force]
```
## DESCRIPTION
Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
```
Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
## PARAMETERS
### -StartByte
Specifies the first byte to begin splitting on.
```yaml
Type: UInt32
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
```
### -EndByte
Specifies the last byte to split on.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Interval
Specifies the interval size to split with.
```yaml
Type: UInt32
Parameter Sets: (All)
Aliases:
Required: True
Position: 3
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
```
### -Path
Specifies the path to the binary you want tested.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 4
Default value: ($pwd.path)
Accept pipeline input: False
Accept wildcard characters: False
```
### -OutPath
Optionally specifies the directory to write the binaries to.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 5
Default value: ($pwd)
Accept pipeline input: False
Accept wildcard characters: False
```
### -BufferLen
Specifies the length of the file read buffer .
Defaults to 64KB.
```yaml
Type: UInt32
Parameter Sets: (All)
Aliases:
Required: False
Position: 6
Default value: 65536
Accept pipeline input: False
Accept wildcard characters: False
```
### -Force
Forces the script to continue without confirmation.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
## NOTES
Several of the versions of "DSplit.exe" available on the internet contain malware.
## RELATED LINKS
[http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
https://github.com/mattifestation/PowerSploit
http://www.exploit-monday.com/
http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2](http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
https://github.com/mattifestation/PowerSploit
http://www.exploit-monday.com/
http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2)
|