For ./Antivirus/ :

-PSScriptAnalyzering
    -Tweaking of synopsis blocks in order to support platyPS
    -Code standardization
    -Generated docs
This commit is contained in:
HarmJ0y 2016-12-14 16:17:00 -05:00
parent 85b374c05b
commit 7cdaa3c2d6
3 changed files with 248 additions and 87 deletions

View File

@ -45,11 +45,11 @@ Forces the script to continue without confirmation.
.EXAMPLE .EXAMPLE
PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
.NOTES .NOTES
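Review bot: the first example still spells the parameters `-Startbyte`/`-Endbyte` while the four examples beneath it and the Param block use `-StartByte`/`-EndByte`; since this commit is doing code standardization, align the first example's casing with the declared parameter names so the generated docs show a single spelling. That example is also the only place showing that `-EndByte` accepts the literal `max` (the reason the parameter is typed `[String]` rather than `[UInt32]`), so that accepted value deserves a sentence in the parameter's own help text.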
@ -63,7 +63,9 @@ http://www.exploit-monday.com/
http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2 http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
#> #>
[CmdletBinding()] Param( [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[CmdletBinding()]
Param(
[Parameter(Mandatory = $True)] [Parameter(Mandatory = $True)]
[ValidateRange(0,4294967295)] [ValidateRange(0,4294967295)]
[UInt32] [UInt32]
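Review bot: the new `[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]` silences the analyzer rule without recording why; the second argument is the rule's target, not a justification, so add `Justification = '...'` stating the reason (for instance that the function already gates its work behind its own confirmation prompt and the `-Force` switch documented as "Forces the script to continue without confirmation"), otherwise the next reader cannot tell an intentional suppression from an unaddressed finding.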
@ -85,13 +87,11 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
[String] [String]
$OutPath = ($pwd), $OutPath = ($pwd),
[ValidateRange(1,2097152)] [ValidateRange(1,2097152)]
[UInt32] [UInt32]
$BufferLen = 65536, $BufferLen = 65536,
[Switch] $Force [Switch] $Force
) )
#test variables #test variables
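Review bot: the header `@ -85,13 +87,11` records two lines removed in this region, but every rendered row is identical on both sides, so the deletion is not visible here; confirm the removed lines were only blank or whitespace lines between the parameter declarations and not anything affecting the Param block (the `$OutPath`, `$BufferLen` and `$Force` declarations and their `ValidateRange` attributes are otherwise unchanged).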

View File

@ -0,0 +1,158 @@
# Find-AVSignature
## SYNOPSIS
Locate tiny AV signatures.
PowerSploit Function: Find-AVSignature
Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
## SYNTAX
```
Find-AVSignature [-StartByte] <UInt32> [-EndByte] <String> [-Interval] <UInt32> [[-Path] <String>]
[[-OutPath] <String>] [[-BufferLen] <UInt32>] [-Force]
```
## DESCRIPTION
Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
```
Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
## PARAMETERS
### -StartByte
Specifies the first byte to begin splitting on.
```yaml
Type: UInt32
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
```
### -EndByte
Specifies the last byte to split on.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Interval
Specifies the interval size to split with.
```yaml
Type: UInt32
Parameter Sets: (All)
Aliases:
Required: True
Position: 3
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
```
### -Path
Specifies the path to the binary you want tested.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 4
Default value: ($pwd.path)
Accept pipeline input: False
Accept wildcard characters: False
```
### -OutPath
Optionally specifies the directory to write the binaries to.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 5
Default value: ($pwd)
Accept pipeline input: False
Accept wildcard characters: False
```
### -BufferLen
Specifies the length of the file read buffer .
Defaults to 64KB.
```yaml
Type: UInt32
Parameter Sets: (All)
Aliases:
Required: False
Position: 6
Default value: 65536
Accept pipeline input: False
Accept wildcard characters: False
```
### -Force
Forces the script to continue without confirmation.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
## NOTES
Several of the versions of "DSplit.exe" available on the internet contain malware.
## RELATED LINKS
[http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
https://github.com/mattifestation/PowerSploit
http://www.exploit-monday.com/
http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2](http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
https://github.com/mattifestation/PowerSploit
http://www.exploit-monday.com/
http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2)
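Review bot: the generated doc fences only the first of the five example commands; the other four (`Find-AVSignature -StartByte 10000 ...` through `... -Interval 1 ...`) land as bare paragraphs under EXAMPLE 1, and RELATED LINKS collapses all four URLs into one broken markdown link whose text and target are the same four-line string. Both are consistent with the source help: the five commands sit under a single `.EXAMPLE` (visible in the first hunk) and the four URLs are listed consecutively, which is how platyPS renders several URLs sharing one `.LINK`. Give each command its own `.EXAMPLE` and each URL its own `.LINK`, then regenerate. Also, `-EndByte` is described only as "Specifies the last byte to split on" although the first example passes `max`; the `String` type and the accepted `max` value should be explained, and INPUTS and OUTPUTS are empty.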

View File

@ -119,3 +119,6 @@ pages:
- Invoke-WScriptUACBypass: 'Privesc/Invoke-WScriptUACBypass.md' - Invoke-WScriptUACBypass: 'Privesc/Invoke-WScriptUACBypass.md'
- Invoke-PrivescAudit: 'Privesc/Invoke-PrivescAudit.md' - Invoke-PrivescAudit: 'Privesc/Invoke-PrivescAudit.md'
- Get-System: 'Privesc/Get-System.md' - Get-System: 'Privesc/Get-System.md'
- AntiVirus:
- Functions:
- Find-AVSignature: 'AntivirusBypass/Find-AVSignature.md'
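Review bot: the nav entry points at 'AntivirusBypass/Find-AVSignature.md' while the commit message says the work is for ./Antivirus/ and the new nav heading reads 'AntiVirus'; pick one directory name and make the heading, the path and the generated file's location agree, since a mismatch leaves mkdocs unable to find the page. The extra `- Functions:` nesting level also differs from the Privesc entries just above, which list functions directly under their section; drop it unless the other sections are being restructured the same way.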