For ./Antivirus/ :

-PSScriptAnalyzering -Tweaking of synopsis blocks in order to support platyPS -Code standardization -Generated docs
2016-12-14 16:17:00 -05:00 · 2016-12-14 16:17:00 -05:00 · 7cdaa3c2d6
parent 85b374c05b
commit 7cdaa3c2d6
3 changed files with 248 additions and 87 deletions
--- a/AntivirusBypass/Find-AVSignature.ps1
+++ b/AntivirusBypass/Find-AVSignature.ps1
@ -45,11 +45,11 @@ Forces the script to continue without confirmation.

 .EXAMPLE

-PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe 
-PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
-PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
-PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
-PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
+Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
+Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
+Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
+Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
+Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose

 .NOTES

@ -63,10 +63,12 @@ http://www.exploit-monday.com/
 http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
 #>

-    [CmdletBinding()] Param(
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [CmdletBinding()]
+    Param(
        [Parameter(Mandatory = $True)]
        [ValidateRange(0,4294967295)]
-		[UInt32]
+        [UInt32]
        $StartByte,

        [Parameter(Mandatory = $True)]
@ -75,23 +77,21 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2

        [Parameter(Mandatory = $True)]
        [ValidateRange(0,4294967295)]
-		[UInt32]
+        [UInt32]
        $Interval,

        [String]
-		[ValidateScript({Test-Path $_ })]
+        [ValidateScript({Test-Path $_ })]
        $Path = ($pwd.path),

        [String]
        $OutPath = ($pwd),

-		
-		[ValidateRange(1,2097152)]
-		[UInt32]
-		$BufferLen = 65536,
+        [ValidateRange(1,2097152)]
+        [UInt32]
+        $BufferLen = 65536,

        [Switch] $Force
-		
    )

    #test variables
@ -99,7 +99,7 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
    $Response = $True
    if (!(Test-Path $OutPath)) {
        if ($Force -or ($Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))){new-item ($OutPath)-type directory}
-	}
+    }
    if (!$Response) {Throw "Output path not found"}
    if (!(Get-ChildItem $Path).Exists) {Throw "File not found"}
    [Int32] $FileSize = (Get-ChildItem $Path).Length
@ -107,17 +107,17 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
    [Int32] $MaximumByte = (($FileSize) - 1)
    if ($EndByte -ceq "max") {$EndByte = $MaximumByte}

-	#Recast $Endbyte into an Integer so that it can be compared properly. 
-	[Int32]$EndByte = $EndByte 
+    #Recast $Endbyte into an Integer so that it can be compared properly.
+    [Int32]$EndByte = $EndByte

-	#If $Endbyte is greater than the file Length, use $MaximumByte.
+    #If $Endbyte is greater than the file Length, use $MaximumByte.
    if ($EndByte -gt $FileSize) {$EndByte = $MaximumByte}

-	#If $Endbyte is less than the $StartByte, use 1 Interval past $StartByte.
-	if ($EndByte -lt $StartByte) {$EndByte = $StartByte + $Interval}
+    #If $Endbyte is less than the $StartByte, use 1 Interval past $StartByte.
+    if ($EndByte -lt $StartByte) {$EndByte = $StartByte + $Interval}

-	Write-Verbose "StartByte: $StartByte"
-	Write-Verbose "EndByte: $EndByte"
+    Write-Verbose "StartByte: $StartByte"
+    Write-Verbose "EndByte: $EndByte"

    #find the filename for the output name
    [String] $FileName = (Split-Path $Path -leaf).Split('.')[0]
@ -135,52 +135,52 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
    Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"."
    [Int32] $Number = [Math]::Floor($Endbyte/$Interval)

-		#Create a Read Buffer and Stream. 
-		#Note: The Filestream class takes advantage of internal .NET Buffering.  We set the default internal buffer to 64KB per http://research.microsoft.com/pubs/64538/tr-2004-136.doc.
-		[Byte[]] $ReadBuffer=New-Object byte[] $BufferLen
-		[System.IO.FileStream] $ReadStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read, $BufferLen)
+    #Create a Read Buffer and Stream.
+    #Note: The Filestream class takes advantage of internal .NET Buffering.  We set the default internal buffer to 64KB per http://research.microsoft.com/pubs/64538/tr-2004-136.doc.
+    [Byte[]] $ReadBuffer=New-Object byte[] $BufferLen
+    [System.IO.FileStream] $ReadStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read, $BufferLen)

-        #write out the calculated number of binaries
-        [Int32] $i = 0
-        for ($i -eq 0; $i -lt $ResultNumber + 1 ; $i++)
-        {
-			# If this is the Final Binary, use $EndBytes, Otherwise calculate based on the Interval
-			if ($i -eq $ResultNumber) {[Int32]$SplitByte = $EndByte}
-			else {[Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))}
+    #write out the calculated number of binaries
+    [Int32] $i = 0
+    for ($i -eq 0; $i -lt $ResultNumber + 1 ; $i++)
+    {
+        # If this is the Final Binary, use $EndBytes, Otherwise calculate based on the Interval
+        if ($i -eq $ResultNumber) {[Int32]$SplitByte = $EndByte}
+        else {[Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))}

-			Write-Verbose "Byte 0 -> $($SplitByte)"
+        Write-Verbose "Byte 0 -> $($SplitByte)"

-			#Reset ReadStream to beginning of file
-			$ReadStream.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null
+        #Reset ReadStream to beginning of file
+        $ReadStream.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null

-			#Build a new FileStream for Writing
-			[String] $outfile = Join-Path $OutPath "$($FileName)_$($SplitByte).bin"
-			[System.IO.FileStream] $WriteStream = New-Object System.IO.FileStream($outfile, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $BufferLen)
+        #Build a new FileStream for Writing
+        [String] $outfile = Join-Path $OutPath "$($FileName)_$($SplitByte).bin"
+        [System.IO.FileStream] $WriteStream = New-Object System.IO.FileStream($outfile, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $BufferLen)

-			[Int32] $BytesLeft = $SplitByte
-			Write-Verbose "$($WriteStream.name)"
+        [Int32] $BytesLeft = $SplitByte
+        Write-Verbose "$($WriteStream.name)"

-			#Write Buffer Length to the Writing Stream until the bytes left is smaller than the buffer 
-			while ($BytesLeft -gt $BufferLen){
-				[Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BufferLen)
-				$WriteStream.Write($ReadBuffer, 0, $count)
-				$BytesLeft = $BytesLeft - $count
-			}
-			
-			#Write the remaining bytes to the file 
-			do {
-				[Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BytesLeft)
-				$WriteStream.Write($ReadBuffer, 0, $count)
-				$BytesLeft = $BytesLeft - $count			
-			}
-			until ($BytesLeft -eq 0)
-			$WriteStream.Close()
-			$WriteStream.Dispose()
+        #Write Buffer Length to the Writing Stream until the bytes left is smaller than the buffer
+        while ($BytesLeft -gt $BufferLen){
+            [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BufferLen)
+            $WriteStream.Write($ReadBuffer, 0, $count)
+            $BytesLeft = $BytesLeft - $count
        }
-        Write-Verbose "Files written to disk. Flushing memory."
-        $ReadStream.Dispose()

-		#During testing using large binaries, memory usage was excessive so lets fix that
-        [System.GC]::Collect()
-        Write-Verbose "Completed!"
+        #Write the remaining bytes to the file
+        do {
+            [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BytesLeft)
+            $WriteStream.Write($ReadBuffer, 0, $count)
+            $BytesLeft = $BytesLeft - $count
+        }
+        until ($BytesLeft -eq 0)
+        $WriteStream.Close()
+        $WriteStream.Dispose()
+    }
+    Write-Verbose "Files written to disk. Flushing memory."
+    $ReadStream.Dispose()
+
+    #During testing using large binaries, memory usage was excessive so lets fix that
+    [System.GC]::Collect()
+    Write-Verbose "Completed!"
 }
--- a/docs/AntivirusBypass/Find-AVSignature.md
+++ b/docs/AntivirusBypass/Find-AVSignature.md
@ -0,0 +1,158 @@
+# Find-AVSignature
+
+## SYNOPSIS
+Locate tiny AV signatures.
+
+PowerSploit Function: Find-AVSignature  
+Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Find-AVSignature [-StartByte] <UInt32> [-EndByte] <String> [-Interval] <UInt32> [[-Path] <String>]
+ [[-OutPath] <String>] [[-BufferLen] <UInt32>] [-Force]
+```
+
+## DESCRIPTION
+Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
+```
+
+Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
+Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
+Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
+Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
+
+## PARAMETERS
+
+### -StartByte
+Specifies the first byte to begin splitting on.
+
+```yaml
+Type: UInt32
+Parameter Sets: (All)
+Aliases: 
+
+Required: True
+Position: 1
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -EndByte
+Specifies the last byte to split on.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: 
+
+Required: True
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Interval
+Specifies the interval size to split with.
+
+```yaml
+Type: UInt32
+Parameter Sets: (All)
+Aliases: 
+
+Required: True
+Position: 3
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Path
+Specifies the path to the binary you want tested.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: 4
+Default value: ($pwd.path)
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OutPath
+Optionally specifies the directory to write the binaries to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: 5
+Default value: ($pwd)
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -BufferLen
+Specifies the length of the file read buffer . 
+Defaults to 64KB.
+
+```yaml
+Type: UInt32
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: 6
+Default value: 65536
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Forces the script to continue without confirmation.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+Several of the versions of "DSplit.exe" available on the internet contain malware.
+
+## RELATED LINKS
+
+[http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
+https://github.com/mattifestation/PowerSploit
+http://www.exploit-monday.com/
+http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2](http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
+https://github.com/mattifestation/PowerSploit
+http://www.exploit-monday.com/
+http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2)
+
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -119,3 +119,6 @@ pages:
        - Invoke-WScriptUACBypass: 'Privesc/Invoke-WScriptUACBypass.md'
        - Invoke-PrivescAudit: 'Privesc/Invoke-PrivescAudit.md'
        - Get-System: 'Privesc/Get-System.md'
+- AntiVirus:
+    - Functions:
+        - Find-AVSignature: 'AntivirusBypass/Find-AVSignature.md'