Added 'AntivirusBypass' Module
This commit is contained in:
parent
a233d60908
commit
3d83669635
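--- a/AntivirusBypass/AntivirusBypass.psd1
+++ b/AntivirusBypass/AntivirusBypass.psd1
@@ -0,0 +1,87 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'AntivirusBypass.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Company or vendor of this module
+CompanyName = ''
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'PowerSploit Antivirus Avoidance/Bypass Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '2.0'
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of the .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = ''
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+# FormatsToProcess = @()
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = ''
+
+# Aliases to export from this module
+AliasesToExport = ''
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'AntivirusBypass'; ModuleVersion = '1.0.0.0'; GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'})
+
+# List of all files packaged with this module
+FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1', 'Usage.md'
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}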
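Review bot: `FunctionsToExport = '*'` exports every function the dot-sourced scripts happen to define, so any private helper added to a future .ps1 in the folder silently becomes a public command, and on later PowerShell versions a wildcard means the command list cannot be read from the manifest without loading the module. FileList names exactly one script, so the export can be explicit: `FunctionsToExport = 'Find-AVSignature'`. The module is script-only (ModuleToProcess points at a .psm1, no binary module), so `CmdletsToExport = ''` would be accurate and would match the empty VariablesToExport and AliasesToExport entries.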
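--- a/AntivirusBypass/AntivirusBypass.psm1
+++ b/AntivirusBypass/AntivirusBypass.psm1
@@ -0,0 +1 @@
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}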
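Review bot: The loader dot-sources every `*.ps1` that Get-ChildItem finds next to the module, not just the script the manifest's FileList declares, so any file dropped or planted in the module directory runs on Import-Module with the importer's privileges and inside the module scope. Since FileList names a single script, load it by name and let the manifest stay the authoritative inventory: `. (Join-Path $PSScriptRoot 'Find-AVSignature.ps1')`. If the glob is kept deliberately for future scripts, a one-line comment saying so would help, and spelling out `ForEach-Object` instead of the interactive `%` alias fits module code better.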
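--- a/AntivirusBypass/Find-AVSignature.ps1
+++ b/AntivirusBypass/Find-AVSignature.ps1
@@ -0,0 +1,118 @@
+function Find-AVSignature {
+<#
+.SYNOPSIS
+
+Find-AVSignature
+
+Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com
+
+Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
+License: BSD 3-Clause
+
+.DESCRIPTION
+
+A script to locate tiny AV signatures.
+
+.PARAMETER Startbyte
+
+Specifies the first byte to begin splitting on.
+
+.PARAMETER Endbyte
+
+Specifies the last byte to split on.
+
+.PARAMETER Interval
+
+Specifies the interval size to split with.
+
+.PARAMETER Path
+
+Specifies the path to the binary you want tested.
+
+.PARAMETER OutPath
+
+Optionally specifies the directory to write the binaries to.
+
+.PARAMETER Force
+
+Forces the script to continue without confirmation.
+
+.EXAMPLE
+
+PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
+PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
+PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
+PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
+PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
+
+.NOTES
+
+Several of the versions of "DSplit.exe" available on the internet contain malware.
+
+.LINK
+
+http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
+https://github.com/mattifestation/PowerSploit
+http://www.exploit-monday.com/
+http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
+#>
+
+[CmdletBinding()] Param(
+[Parameter(Mandatory = $True)] [Int32] $StartByte,
+[Parameter(Mandatory = $True)] [String] $EndByte,
+[Parameter(Mandatory = $True)] [Int32] $Interval,
+[Parameter(Mandatory = $False)] [String] $Path = ($pwd.path),
+[Parameter(Mandatory = $False)] [String] $OutPath = ($pwd),
+[Switch] $Force = $False
+)
+
+#test variables
+if (!(Test-Path $Path)) {Throw "File path not found"}
+$Response = $True
+if (!(Test-Path $OutPath)) {}
+if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))){new-item ($OutPath)-type directory}
+if (!$Response) {Throw "Output path not found"}
+if (!(Get-ChildItem $Path).Exists) {Throw "File not found"}
+[Int32] $FileSize = (Get-ChildItem $Path).Length
+if ($StartByte -gt ($FileSize - 1) -or $StartByte -lt 0) {Throw "StartByte range must be between 0 and $Filesize"}
+[Int32] $MaximumByte = (($FileSize) - 1)
+if ($EndByte -ceq "max") {$EndByte = $MaximumByte}
+if ($EndByte -gt $FileSize -or $EndByte -lt 0) {Throw "EndByte range must be between 0 and $Filesize"}
+
+#read in byte array
+[Byte[]] $FileByteArray = [System.IO.File]::ReadAllBytes($Path)
+
+#find the filename for the output name
+[String] $FileName = (Split-Path $Path -leaf).Split('.')[0]
+
+#Calculate the number of binaries
+[Int32] $ResultNumber = [Math]::Floor(($EndByte - $StartByte) / $Interval)
+if (((($EndByte - $StartByte) % $Interval)) -gt 0) {$ResultNumber = ($ResultNumber + 1)}
+
+#Prompt user to verify parameters to avoid writing binaries to the wrong directory
+$Response = $True
+if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("This script will result in $ResultNumber binaries being written to `"$OutPath`"!",
+"Do you want to continue?"))){}
+if (!$Response) {Return}
+
+Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"."
+[Int32] $Number = [Math]::Floor($Endbyte/$Interval)
+
+#write out the calculated number of binaries
+[Int32] $i = 0
+for ($i -eq 0; $i -lt $ResultNumber; $i++)
+{
+[Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))
+Write-Verbose "Byte 0 -> $($SplitByte)"
+[IO.File]::WriteAllBytes((Join-Path $OutPath "$($FileName)_$($SplitByte).bin"), $FileByteArray[0..($SplitByte)])
+}
+
+#Write out the final binary
+[IO.File]::WriteAllBytes((Join-Path $OutPath "$($FileName)_$($EndByte).bin"), $FileByteArray[0..($EndByte)])
+Write-Verbose "Byte 0 -> $($EndByte)"
+Write-Verbose "Files written to disk. Flushing memory."
+
+#During testing using large binaries, memory usage was excessive so lets fix that
+[System.GC]::Collect()
+Write-Verbose "Completed!"
+}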
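Review bot: `$EndByte` is declared `[String]` in the Param block so that the literal `max` can be passed, but the range check `if ($EndByte -gt $FileSize -or $EndByte -lt 0)` then compares as text: with a string on the left PowerShell converts the right operand to a string, so `"9000" -gt 118784` is true and a valid EndByte is rejected (or an oversized one accepted) depending only on leading digits, and the `max` substitution is written back into the same `[String]` variable so nothing ever becomes numeric. Convert once into an `[Int32]` local after the `max` substitution and use that local for the range check, the `$ResultNumber` arithmetic and the final `0..$EndByte` slice; the existing check also permits `EndByte` equal to `$FileSize`, one past `$MaximumByte`, which the version below tightens. Separately, `if (!(Test-Path $OutPath)) {}` is an empty block, so the next line prompts to create the directory even when it exists and, with `-Force`, always runs `New-Item`, which fails on an existing directory; nesting the prompt inside that test fixes both. The unused `$Number` on the line after the Write-Verbose and the no-op `$i -eq 0` in the `for` initializer can go at the same time.
```powershell
if (!(Test-Path $Path)) {Throw "File path not found"}
if (!(Test-Path $OutPath)) {
    if ($Force -or $PSCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?", "")) {
        New-Item -Path $OutPath -ItemType Directory | Out-Null
    } else {
        Throw "Output path not found"
    }
}
# … unchanged: file existence check, $FileSize, $StartByte check, $MaximumByte …
if ($EndByte -ceq "max") {$EndByte = $MaximumByte}
# -gt/-lt on a [String] compare lexically; work with a numeric copy from here on
[Int32] $LastByte = [Int32] $EndByte
if ($LastByte -gt $MaximumByte -or $LastByte -lt 0) {Throw "EndByte range must be between 0 and $MaximumByte"}
# … unchanged: read file, $FileName, prompt, loop — with $LastByte in place of $EndByte for $ResultNumber and the final slice …
```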
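--- a/AntivirusBypass/Usage.md
+++ b/AntivirusBypass/Usage.md
@@ -0,0 +1,12 @@
+To install this module, drop the entire AntivirusBypass folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module AntivirusBypass`
+
+To see the commands imported, type `Get-Command -Module AntivirusBypass`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.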