Consistency improvements in comment-based help

AntivirusBypass/Find-AVSignature.ps1

@@ -1,69 +1,84 @@
-function Find-AVSignature {
+function Find-AVSignature
+{
 <#
 .SYNOPSIS
 
-    Find-AVSignature
+Locate tiny AV signatures.
 
-    Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com
+PowerSploit Function: Find-AVSignature
-
+Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
-    Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
+License: BSD 3-Clause
-    License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
 
 .DESCRIPTION
 
-    A script to locate tiny AV signatures.
+Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com.
 
 .PARAMETER Startbyte
 
-    Specifies the first byte to begin splitting on.
+Specifies the first byte to begin splitting on.
 
 .PARAMETER Endbyte
 
-    Specifies the last byte to split on.
+Specifies the last byte to split on.
 
 .PARAMETER Interval
 
-    Specifies the interval size to split with.
+Specifies the interval size to split with.
 
 .PARAMETER Path
 
-    Specifies the path to the binary you want tested.
+Specifies the path to the binary you want tested.
 
 .PARAMETER OutPath
 
-    Optionally specifies the directory to write the binaries to.
+Optionally specifies the directory to write the binaries to.
     
 .PARAMETER Force
 
-    Forces the script to continue without confirmation.    
+Forces the script to continue without confirmation.    
 
 .EXAMPLE
 
-    PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe 
+PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe 
-    PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
+PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
-    PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
+PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
-    PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
+PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
-    PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
+PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
 
 .NOTES
 
-    Several of the versions of "DSplit.exe" available on the internet contain malware.
+Several of the versions of "DSplit.exe" available on the internet contain malware.
 
 .LINK
 
-    http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
+http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
-    https://github.com/mattifestation/PowerSploit
+https://github.com/mattifestation/PowerSploit
-    http://www.exploit-monday.com/
+http://www.exploit-monday.com/
-    http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
+http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
 #>
 
-[CmdletBinding()] Param(
+    [CmdletBinding()] Param(
-        [Parameter(Mandatory = $True)] [Int32] $StartByte,
+        [Parameter(Mandatory = $True)]
-        [Parameter(Mandatory = $True)] [String] $EndByte,
+        [Int32]
-        [Parameter(Mandatory = $True)] [Int32] $Interval,
+        $StartByte,
-        [Parameter(Mandatory = $False)] [String] $Path = ($pwd.path),
+
-        [Parameter(Mandatory = $False)] [String] $OutPath = ($pwd),
+        [Parameter(Mandatory = $True)]
-        [Switch] $Force = $False
+        [String]
+        $EndByte,
+
+        [Parameter(Mandatory = $True)]
+        [Int32]
+        $Interval,
+
+        [String]
+        $Path = ($pwd.path),
+
+        [String]
+        $OutPath = ($pwd),
+
+        [Switch] $Force
     )
 
     #test variables

CodeExecution/Invoke-DllInjection.ps1

@@ -5,7 +5,7 @@ function Invoke-DllInjection
 
 Injects a Dll into the process ID of your choosing.
 
-PowerSploit Module - Invoke-DllInjection
+PowerSploit Function: Invoke-DllInjection
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None

CodeExecution/Invoke-Shellcode.ps1

@@ -5,7 +5,7 @@ function Invoke-Shellcode
 
 Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
 
-PowerSploit Module - Invoke-Shellcode
+PowerSploit Function: Invoke-Shellcode
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None

Exfiltration/Get-TimedScreenshot.ps1

@@ -1,99 +1,101 @@
-Function Get-TimedScreenshot {
+function Get-TimedScreenshot
+{
 <#
 .SYNOPSIS
- 
+
-    Get-TimedScreenshot
+Takes screenshots at a regular interval and saves them to disk.
-    
+
-    Author: Chris Campbell (@obscuresec)
+PowerSploit Function: Get-TimedScreenshot
-    License: BSD 3-Clause
+Author: Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
     
 .DESCRIPTION
 
-    A function that takes screenshots and saves them to a folder.
+A function that takes screenshots and saves them to a folder.
 
-.PARAMETER $Path
+.PARAMETER Path
 
-    Specifies the folder path.
+Specifies the folder path.
     
-.PARAMETER $Interval
+.PARAMETER Interval
     
-    Specifies the interval in seconds between taking screenshots.
+Specifies the interval in seconds between taking screenshots.
 
-.PARAMETER $EndTime
+.PARAMETER EndTime
 
-    Specifies when the script should stop running in the format HH-MM 
+Specifies when the script should stop running in the format HH-MM 
 
 .EXAMPLE 
 
-    PS C:\> Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00 
+PS C:\> Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00 
  
 .LINK
 
-    http://obscuresecurity.blogspot.com/2013/01/Get-TimedScreenshot.html
+http://obscuresecurity.blogspot.com/2013/01/Get-TimedScreenshot.html
-    https://github.com/obscuresec/random/blob/master/Get-TimedScreenshot
+https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-TimedScreenshot.ps1
-
 #>
 
     [CmdletBinding()] Param(
-            [Parameter(Mandatory=$True)]             
+        [Parameter(Mandatory=$True)]             
-            [ValidateScript({Test-Path -Path $_ })]
+        [ValidateScript({Test-Path -Path $_ })]
-            [string] $Path, 
+        [String] $Path, 
 
-            [Parameter(Mandatory=$True)]             
+        [Parameter(Mandatory=$True)]             
-            [int32] $Interval,
+        [Int32] $Interval,
 
-            [Parameter(Mandatory=$True)]             
+        [Parameter(Mandatory=$True)]             
-            [string] $EndTime    
+        [String] $EndTime    
-            )
+    )
-    
+
-        #Define helper function that generates and saves screenshot
+    #Define helper function that generates and saves screenshot
-        Function GenScreenshot {
+    Function GenScreenshot {
-           $ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen
+       $ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen
-           $ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height
+       $ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height
-           $DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject)
+       $DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject)
-           $DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty, $ScreenBounds.Size)
+       $DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty, $ScreenBounds.Size)
-           $DrawingGraphics.Dispose()
+       $DrawingGraphics.Dispose()
-           $ScreenshotObject.Save($FilePath)
+       $ScreenshotObject.Save($FilePath)
-           $ScreenshotObject.Dispose()
+       $ScreenshotObject.Dispose()
+    }
+
+    Try {
+            
+        #load required assembly
+        Add-Type -Assembly System.Windows.Forms            
+
+        Do {
+            #get the current time and build the filename from it
+            $Time = (Get-Date)
+            
+            [String] $FileName = "$($Time.Month)"
+            $FileName += '-'
+            $FileName += "$($Time.Day)" 
+            $FileName += '-'
+            $FileName += "$($Time.Year)"
+            $FileName += '-'
+            $FileName += "$($Time.Hour)"
+            $FileName += '-'
+            $FileName += "$($Time.Minute)"
+            $FileName += '-'
+            $FileName += "$($Time.Second)"
+            $FileName += '.png'
+            
+            #use join-path to add path to filename
+            [String] $FilePath = (Join-Path $Path $FileName)
+
+            #run screenshot function
+            GenScreenshot
+               
+            Write-Verbose "Saved screenshot to $FilePath. Sleeping for $Interval seconds"
+
+            Start-Sleep -Seconds $Interval
         }
 
-        Try {
+        #note that this will run once regardless if the specified time as passed
-            
+        While ((Get-Date -Format HH:%m) -lt $EndTime)
-            #load required assembly
+    }
-            Add-Type -Assembly System.Windows.Forms            
-
-            Do {
-                #get the current time and build the filename from it
-                $Time = (Get-Date)
-                
-                [string] $FileName = "$($Time.Month)"
-                $FileName += '-'
-                $FileName += "$($Time.Day)" 
-                $FileName += '-'
-                $FileName += "$($Time.Year)"
-                $FileName += '-'
-                $FileName += "$($Time.Hour)"
-                $FileName += '-'
-                $FileName += "$($Time.Minute)"
-                $FileName += '-'
-                $FileName += "$($Time.Second)"
-                $FileName += '.png'
-            
-                #use join-path to add path to filename
-                [string] $FilePath = (Join-Path $Path $FileName)
-
-                #run screenshot function
-                GenScreenshot
-                
-                Write-Verbose "Saved screenshot to $FilePath. Sleeping for $Interval seconds"
-
-                Start-Sleep -Seconds $Interval
-            }
-
-            #note that this will run once regardless if the specified time as passed
-            While ((Get-Date -Format HH:%m) -lt $EndTime)
-        }
-
-       Catch {Write-Warning "$Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage"}
 
+    Catch {Write-Warning "$Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage"}
 }

PETools/Get-DllLoadPath.ps1

@@ -1,8 +1,11 @@
-function Get-DllLoadPath {
+function Get-DllLoadPath
+{
 <#
 .SYNOPSIS
 
-PowerSploit Module - Get-DllLoadPath
+Outputs the order of paths in which a dll would be loaded.
+
+PowerSploit Function: Get-DllLoadPath
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None
@@ -14,7 +17,7 @@ Get-DllLoadPath returns the path from which Windows will load a Dll for the give
 
 .PARAMETER ExecutablePath
 
- Path to the executable from which the Dll would be loaded.
+Path to the executable from which the Dll would be loaded.
 
 .PARAMETER DllName
 
@@ -38,7 +41,7 @@ C:\Windows\SysWOW64\Comctl32.dll
 
 .OUTPUTS
 
-$null, System.Management.Automation.PathInfo
+System.Management.Automation.PathInfo
 
 .NOTES
 
@@ -51,8 +54,13 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.as
 #>
 
     Param (
-        [Parameter(Position = 0, Mandatory = $True)] [String] $ExecutablePath,
+        [Parameter(Position = 0, Mandatory = $True)]
-        [Parameter(Position = 1, Mandatory = $True)] [String] $DllName
+        [String]
+        $ExecutablePath,
+
+        [Parameter(Position = 1, Mandatory = $True)]
+        [String]
+        $DllName
     )
 
     if (!(Test-Path $ExecutablePath)) {

PETools/Get-PEArchitecture.ps1

@@ -1,8 +1,11 @@
-function Get-PEArchitecture {
+function Get-PEArchitecture
+{
 <#
 .SYNOPSIS
 
-PowerSploit Module - Get-PEArchitecture
+Outputs the architecture for which a binary was compiled.
+
+PowerSploit Function: Get-PEArchitecture
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None
@@ -19,13 +22,11 @@ Path to the executable.
 .EXAMPLE
 
 C:\PS> Get-PEArchitecture C:\Windows\SysWOW64\calc.exe
-
 X86
  
 .EXAMPLE
 
 C:\PS> Get-PEArchitecture C:\Windows\System32\cmd.exe
-
 X64
  
 .LINK

PETools/Get-PEHeader.ps1

@@ -1,8 +1,11 @@
-function Get-PEHeader {
+function Get-PEHeader
+{
 <#
 .SYNOPSIS
 
-PowerSploit Module - Get-PEHeader
+Parses and outputs the PE header of a process in memory or a PE file on disk.
+
+PowerSploit Function: Get-PEHeader
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None

Recon/Get-GPPPassword.ps1

@@ -1,31 +1,39 @@
-function Get-GPPPassword {
+function Get-GPPPassword
-
+{
 <#
-.Synopsis
+.SYNOPSIS
 
- Get-GPPPassword retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
+Retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
- Author: Chris Campbell (@obscuresec)
+
- License: BSD 3-Clause
+PowerSploit Function: Get-GPPPassword
+Author: Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
  
-.Description
+.DESCRIPTION
 
- Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password.
+Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password.
 
-.Parameter Path
+.PARAMETER Path
 
- The path to the targeted groups.xml file.
+The path to the targeted groups.xml file.
 
-.Example
+.EXAMPLE
 
- Get-GPPPassword -path c:\demo\groups.xml
+Get-GPPPassword -path c:\demo\groups.xml
 
-.Link
+.LINK
 
- http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
+http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
- http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
+http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
 #>
 
-Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path = "$PWD\groups.xml" )
+    Param (
+        [Parameter(Position = 0, Mandatory = $True)]
+        [String]
+        $Path = "$PWD\groups.xml"
+    )
 
     #Function to pull encrypted password string from groups.xml
     function Parse-cPassword {

Recon/Get-HttpStatus.ps1

@@ -1,47 +1,68 @@
-function Get-HttpStatus {
+function Get-HttpStatus
+{
 <#
 .SYNOPSIS
-PowerSploit Module - Get-HttpStatus
 
 Returns the HTTP Status Codes and full URL for specified paths.
 
+PowerSploit Function: Get-HttpStatus
 Author: Chris Campbell (@obscuresec)
 License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
 
 .DESCRIPTION
+
 A script to check for the existence of a path or file on a webserver.
 
 .PARAMETER Target
+
 Specifies the remote web host either by IP or hostname.
 
 .PARAMETER Path
+
 Specifies the remost host.
 
 .PARAMETER Port
+
 Specifies the port to connect to.
 
 .PARAMETER UseSSL
+
 Use an SSL connection.
 
 .EXAMPLE
-PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}
+
+C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}
 
 .EXAMPLE
-PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
+
+C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
 
 .NOTES
-HTTP Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
+
-Status Codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
+HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
     
 .LINK
+
 http://obscuresecurity.blogspot.com
+http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
 #>
 
     [CmdletBinding()] Param(
-        [Parameter(Mandatory = $True)] [String] $Target,
+        [Parameter(Mandatory = $True)]
-        [Parameter()] [String] [ValidateNotNullOrEmpty()] $Path = '.\Dictionaries\admin.txt',
+        [String]
-        [Parameter()] [Int] $Port,
+        $Target,
-        [Parameter()] [Switch] $UseSSL
+
+        [String]
+        [ValidateNotNullOrEmpty()]
+        $Path = '.\Dictionaries\admin.txt',
+
+        [Int]
+        $Port,
+
+        [Switch]
+        $UseSSL
     )
     
     if (Test-Path $Path) {

Recon/Invoke-ReverseDnsLookup.ps1

@@ -1,64 +1,66 @@
 function Invoke-ReverseDnsLookup
 {
-
 <#
-.Synopsis
+.SYNOPSIS
 
- PowerSploit Module - Invoke-ReverseDnsLookup
+Perform a reverse DNS lookup scan on a range of IP addresses.
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
- 
-.Description
 
- Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script
+PowerSploit Function: Invoke-ReverseDnsLookup
- is useful for performing DNS reconnaisance prior to conducting an authorized
+Author: Matthew Graeber (@mattifestation)
- penetration test.
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
  
-.Parameter IPRange
+.DESCRIPTION
 
- Specifies the IP address range. The range provided can be in the form of a single
+Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test.
- IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be
- provided.
  
-.Example
+.PARAMETER IPRange
 
- PS> Invoke-ReverseDnsLookup 74.125.228.0/29
+Specifies the IP address range. The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be provided.
+ 
+.EXAMPLE
 
- IP              HostName
+C:\PS> Invoke-ReverseDnsLookup 74.125.228.0/29
- --              --------
- 74.125.228.1    iad23s05-in-f1.1e100.net
- 74.125.228.2    iad23s05-in-f2.1e100.net
- 74.125.228.3    iad23s05-in-f3.1e100.net
- 74.125.228.4    iad23s05-in-f4.1e100.net
- 74.125.228.5    iad23s05-in-f5.1e100.net
- 74.125.228.6    iad23s05-in-f6.1e100.net
- 
- Description
- -----------
- Returns the hostnames of the IP addresses specified by the CIDR range.
- 
-.Example
 
- PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'
+IP              HostName
+--              --------
+74.125.228.1    iad23s05-in-f1.1e100.net
+74.125.228.2    iad23s05-in-f2.1e100.net
+74.125.228.3    iad23s05-in-f3.1e100.net
+74.125.228.4    iad23s05-in-f4.1e100.net
+74.125.228.5    iad23s05-in-f5.1e100.net
+74.125.228.6    iad23s05-in-f6.1e100.net
  
- IP              HostName
+Description
- --              --------
+-----------
- 74.125.228.1    iad23s05-in-f1.1e100.net
+Returns the hostnames of the IP addresses specified by the CIDR range.
- 74.125.228.4    iad23s05-in-f4.1e100.net
- 74.125.228.5    iad23s05-in-f5.1e100.net
- 74.125.228.6    iad23s05-in-f6.1e100.net
  
- Description
+.EXAMPLE
- -----------
- Returns the hostnames of the IP addresses specified by the IP range specified.
- 
- 
-.Link
 
- My blog: http://www.exploit-monday.com
+C:\PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'
+ 
+IP              HostName
+--              --------
+74.125.228.1    iad23s05-in-f1.1e100.net
+74.125.228.4    iad23s05-in-f4.1e100.net
+74.125.228.5    iad23s05-in-f5.1e100.net
+74.125.228.6    iad23s05-in-f6.1e100.net
+ 
+Description
+-----------
+Returns the hostnames of the IP addresses specified by the IP range specified.
+  
+.LINK
+
+http://www.exploit-monday.com
 #>
 
-Param( [Parameter(Position = 0, Mandatory = $True)] [String] $IpRange )
+    Param (
+        [Parameter(Position = 0, Mandatory = $True)]
+        [String]
+        $IpRange
+    )
 
     function Parse-IPList ([String] $IpRange)
     {

ReverseEngineering/Get-ILDisassembly.ps1

@@ -3,7 +3,9 @@ function Get-ILDisassembly
 <#
 .SYNOPSIS
 
-PowerSploit Module - Get-ILDisassembly
+A MSIL (Microsoft Intermediate Language) disassembler.
+
+PowerSploit Function: Get-ILDisassembly
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None

ReverseEngineering/Get-KernelModuleInfo.ps1

@@ -5,7 +5,7 @@
 
 Returns loaded kernel module information.
 
-PowerSploit Module - Get-KernelModuleInfo
+PowerSploit Function: Get-KernelModuleInfo
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None

ReverseEngineering/Get-Member.ps1

@@ -5,7 +5,7 @@ function Get-Member
 
 Gets the properties and methods of objects.
 
-PowerSploit Module - Get-Member
+PowerSploit Proxy Function: Get-Member
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause (Except for the help documentation derived from the original Get-Member)
 Required Dependencies: None

ReverseEngineering/Get-MethodAddress.ps1

@@ -5,7 +5,7 @@
 
 Get the unmanaged function address of a .NET method.
 
-PowerSploit Module - Get-MethodAddress
+PowerSploit Function: Get-MethodAddress
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None

ReverseEngineering/Get-PEB.ps1

@@ -5,7 +5,7 @@
 
 Returns the process environment block (PEB) of a process.
 
-PowerSploit Module - Get-PEB
+PowerSploit Function: Get-PEB
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None

ReverseEngineering/Get-Strings.ps1

@@ -5,7 +5,7 @@
 
 Gets strings from a file.
 
-PowerSploit Module - Inject-Shellcode
+PowerSploit Function: Get-Strings
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None

ReverseEngineering/Get-StructFromMemory.ps1

@@ -5,7 +5,7 @@
 
 Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.
 
-PowerSploit Module - Get-StructFromMemory
+PowerSploit Function: Get-StructFromMemory
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None

ScriptModification/Out-CompressedDll.ps1

@@ -5,7 +5,7 @@
 
 Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
 
-PowerSploit Module - Out-CompressedDll
+PowerSploit Function: Out-CompressedDll
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None

ScriptModification/Out-EncodedCommand.ps1

@@ -5,7 +5,7 @@
 
 Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
 
-PowerSploit Module - Out-EncodedCommand
+PowerSploit Function: Out-EncodedCommand
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None

ScriptModification/Out-EncryptedScript.ps1

@@ -1,11 +1,11 @@
-function Out-EncryptedScript {
+function Out-EncryptedScript
-
+{
 <#
 .SYNOPSIS
 
 Encrypts text files/scripts.
 
-PowerSploit Module - Out-EncryptedScript
+PowerSploit Function: Out-EncryptedScript
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None
@@ -55,46 +55,46 @@ This command can be used to encrypt any text-based file/script
 http://www.exploit-monday.com
 #>
 
-[CmdletBinding()] Param (
+    [CmdletBinding()] Param (
-    [Parameter(Position = 0, Mandatory = $True)]
+        [Parameter(Position = 0, Mandatory = $True)]
-    [String]
+        [String]
-    $ScriptPath,
+        $ScriptPath,
     
-    [Parameter(Position = 1, Mandatory = $True)]
+        [Parameter(Position = 1, Mandatory = $True)]
-    [String]
+        [String]
-    $Password,
+        $Password,
     
-    [Parameter(Position = 2, Mandatory = $True)]
+        [Parameter(Position = 2, Mandatory = $True)]
-    [String]
+        [String]
-    $Salt,
+        $Salt,
     
-    [Parameter(Position = 3)]
+        [Parameter(Position = 3)]
-    [String]
+        [String]
-    $InitializationVector = ( @( foreach ($i in 1..16) { [Char](Get-Random -Min 0x41 -Max 0x5B) } ) -join '' ), # Generate random 16 character IV
+        $InitializationVector = ( @( foreach ($i in 1..16) { [Char](Get-Random -Min 0x41 -Max 0x5B) } ) -join '' ), # Generate random 16 character IV
     
-    [Parameter(Position = 4)]
+        [Parameter(Position = 4)]
-    [String]
+        [String]
-    $FilePath = '.\evil.ps1'
+        $FilePath = '.\evil.ps1'
-)
+    )
 
-$AsciiEncoder = New-Object System.Text.ASCIIEncoding
+    $AsciiEncoder = New-Object System.Text.ASCIIEncoding
-$ivBytes = $AsciiEncoder.GetBytes("CRACKMEIFYOUCAN!")
+    $ivBytes = $AsciiEncoder.GetBytes("CRACKMEIFYOUCAN!")
-# While this can be used to encrypt any file, it's primarily designed to encrypt itself.
+    # While this can be used to encrypt any file, it's primarily designed to encrypt itself.
-[Byte[]] $scriptBytes = Get-Content -Encoding byte -Path $ScriptPath
+    [Byte[]] $scriptBytes = Get-Content -Encoding byte -Path $ScriptPath
-$DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2)
+    $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2)
-$Key = New-Object System.Security.Cryptography.RijndaelManaged
+    $Key = New-Object System.Security.Cryptography.RijndaelManaged
-$Key.Mode = [System.Security.Cryptography.CipherMode]::CBC
+    $Key.Mode = [System.Security.Cryptography.CipherMode]::CBC
-[Byte[]] $KeyBytes = $DerivedPass.GetBytes(32)
+    [Byte[]] $KeyBytes = $DerivedPass.GetBytes(32)
-$Encryptor = $Key.CreateEncryptor($KeyBytes, $ivBytes)
+    $Encryptor = $Key.CreateEncryptor($KeyBytes, $ivBytes)
-$MemStream = New-Object System.IO.MemoryStream
+    $MemStream = New-Object System.IO.MemoryStream
-$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($MemStream, $Encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
+    $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($MemStream, $Encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
-$CryptoStream.Write($scriptBytes, 0, $scriptBytes.Length)
+    $CryptoStream.Write($scriptBytes, 0, $scriptBytes.Length)
-$CryptoStream.FlushFinalBlock()
+    $CryptoStream.FlushFinalBlock()
-$CipherTextBytes = $MemStream.ToArray()
+    $CipherTextBytes = $MemStream.ToArray()
-$MemStream.Close()
+    $MemStream.Close()
-$CryptoStream.Close()
+    $CryptoStream.Close()
-$Key.Clear()
+    $Key.Clear()
-$Cipher = [Convert]::ToBase64String($CipherTextBytes)
+    $Cipher = [Convert]::ToBase64String($CipherTextBytes)
 
 # Generate encrypted PS1 file. All that will be included is the base64-encoded ciphertext and a slightly 'obfuscated' decrypt function
 $Output = 'function de([String] $b, [String] $c)
@@ -121,9 +121,9 @@ $f.Clear();
 return $encoding.GetString($h,0,$h.Length);
 }'
 
-# Output decrypt function and ciphertext to evil.ps1
+    # Output decrypt function and ciphertext to evil.ps1
-Out-File -InputObject $Output -Encoding ASCII $FilePath
+    Out-File -InputObject $Output -Encoding ASCII $FilePath
 
-Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
+    Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
 
 }

ScriptModification/Remove-Comments.ps1

@@ -5,7 +5,7 @@
 
 Strips comments and extra whitespace from a script.
 
-PowerSploit Module - Remove-Comments
+PowerSploit Function: Remove-Comments
 Author: Matthew Graeber (@mattifestation)
 License: BSD 3-Clause
 Required Dependencies: None