Created a ScriptModification module.

* All scripts used to prepare and/or modify payload scripts were added
to the ScriptModification module.
* Added Remove-Comments - Strips comments and extra whitespace from a
script.
* Encrypt-Script was renamed to Out-EncryptedScript in order to conform to
proper PowerShell verbs.
bitform 2013-01-20 10:11:30 -05:00
parent e9b22e9ae2
commit c45f3361e2
8 changed files with 326 additions and 48 deletions

README
View File

@ -4,10 +4,6 @@ PowerSploit is a series of Microsoft PowerShell scripts that can be used in post
Root Directory Root Directory
-------------- --------------
Out-EncodedCommand:
Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
Inject-Dll: Inject-Dll:
Inject-Dll injects a Dll into the process ID of your choosing. Inject-Dll injects a Dll into the process ID of your choosing.
@ -16,14 +12,6 @@ Inject-Shellcode:
Inject-Shellcode injects shellcode into the process ID of your choosing or within PowerShell locally. Inject-Shellcode injects shellcode into the process ID of your choosing or within PowerShell locally.
Out-CompressedDll:
Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
Encrypt-Script:
Encrypt-Script will encrypt a script (or any text file for that matter) and output the results to a minimally obfuscated script - evil.ps1.
Find-AVSignature: Find-AVSignature:
Locates single Byte AV signatures utilizing the same method as DSplit from "class101". Locates single Byte AV signatures utilizing the same method as DSplit from "class101".
@ -36,6 +24,28 @@ Get-TimedScreenshot:
A function that takes screenshots at a regular interval and saves them to a folder. A function that takes screenshots at a regular interval and saves them to a folder.
--------------------
.\ScriptModification
--------------------
A PowerShell module used to modify and/or prepare scripts for execution on a compromised machine.
Out-EncodedCommand:
Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
Out-CompressedDll:
Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
Out-EncryptedScript:
Encrypts text files/scripts.
Remove-Comments:
Strips comments and extra whitespace from a script.
---------- ----------
.\PETools .\PETools
---------- ----------
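Review bot: the new README entry for Out-EncryptedScript ("Encrypts text files/scripts.") drops the two facts the old Encrypt-Script entry carried: that the command writes a decryptor-plus-ciphertext file (evil.ps1) to disk, and that the result is only minimally obfuscated. Both matter to an operator deciding whether to run it on a host, so keep them, e.g. "Encrypts a script or text file and writes a minimally obfuscated decryptor stub (evil.ps1) that decrypts and runs it."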
@ -160,7 +170,7 @@ For all contributors and future contributors to PowerSploit, I ask that you foll
* Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following: * Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following:
* [Parameter(Position = 0, Mandatory = $True)] * [Parameter(Position = 0, Mandatory = $True)]
* Don't use any aliases. They make code more difficult to read for people who are unfamiliar with a particular alias. * Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias.
* Don't let commands run on for too long. For example, a pipeline is a natural place for a line break. * Don't let commands run on for too long. For example, a pipeline is a natural place for a line break.
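Review bot: the new exception "unless it makes sense for receiving pipeline input" is ambiguous, because command aliases such as `%` or `?` never help with pipeline input; what helps is the `[Alias()]` parameter attribute paired with ValueFromPipelineByPropertyName. Suggest wording it as two sentences: "Don't use command aliases. Parameter aliases (e.g. [Alias('FullName')]) are fine when they let a parameter bind pipeline input by property name." Note also that ScriptModification.psm1 in this same commit uses `%`, which the original rule forbids.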
@ -170,6 +180,10 @@ For all contributors and future contributors to PowerSploit, I ask that you foll
* Only use .NET code when absolutely necessary. * Only use .NET code when absolutely necessary.
* use the Write-Output keyword when returning an object from a function. I know it's not necessary but it makes the code more readable. * Use the Write-Output keyword when returning an object from a function. I know it's not necessary but it makes the code more readable.
* Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters. * Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters.
* Scripts that are intended to run on a remote machine should be self-contained and not rely upon any additional scripts. Scripts that are designed to run on your host machine can have dependencies on other scripts.
* If a script creates complex custom objects, include a ps1xml file that will properly format the object's output.
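Review bot: the ps1xml guideline should also say where the file gets wired in, since a format file that is not listed in the manifest's FormatsToProcess is never loaded, and the new ScriptModification.psd1 in this commit leaves that entry commented out. Suggest "...include a ps1xml file that properly formats the object's output and list it under FormatsToProcess in the module manifest." Likewise, the "self-contained" rule for remote scripts now has a concrete home in the "Required Dependencies: None / Optional Dependencies: None" header fields this commit adds to each script; the guideline could point contributors at those fields.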

View File

@ -8,6 +8,8 @@ Compresses, Base-64 encodes, and outputs generated code to load a managed dll in
PowerSploit Module - Out-CompressedDll PowerSploit Module - Out-CompressedDll
Author: Matthew Graeber (@mattifestation) Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION .DESCRIPTION

View File

@ -8,6 +8,8 @@ Compresses, Base-64 encodes, and generates command-line output for a PowerShell
PowerSploit Module - Out-EncodedCommand PowerSploit Module - Out-EncodedCommand
Author: Matthew Graeber (@mattifestation) Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION .DESCRIPTION

View File

@ -1,15 +1,19 @@
function Encrypt-Script { function Out-EncryptedScript {
<# <#
.SYNOPSIS .SYNOPSIS
PowerSploit Module - Encrypt-Script Encrypts text files/scripts.
PowerSploit Module - Out-EncryptedScript
Author: Matthew Graeber (@mattifestation) Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
Encrypt-Script will encrypt a script (or any text file for that matter) and output the results to a minimally obfuscated script - evil.ps1. Out-EncryptedScript will encrypt a script (or any text file for that matter) and output the results to a minimally obfuscated script - evil.ps1.
.PARAMETER ScriptPath .PARAMETER ScriptPath
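Review bot: the .DESCRIPTION still hard-codes the output name ("output the results to a minimally obfuscated script - evil.ps1") while the function body writes to $FilePath (see the Out-File call in the last hunk of this file). If FilePath is a parameter with a default, say so here ("defaults to evil.ps1") and document it under .PARAMETER; if it is not, the description is the only place a user learns where the file lands. Separately, the rename ships with no compatibility alias and no deprecation note for Encrypt-Script; given the README rule against aliases, at least mention the rename in the README so existing callers know why the old name is gone.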
@ -25,13 +29,13 @@ function Encrypt-Script {
.EXAMPLE .EXAMPLE
C:\PS> Encrypt-Script .\Naughty-Script.ps1 password salty C:\PS> Out-EncryptedScript .\Naughty-Script.ps1 password salty
Description Description
----------- -----------
Encrypt the contents of this file with a password and salt. This will make analysis of the script impossible without the correct password and salt combination. This command will generate evil.ps1 that can dropped onto the victim machine. It only consists of a decryption function 'de' and the base64-encoded ciphertext. Encrypt the contents of this file with a password and salt. This will make analysis of the script impossible without the correct password and salt combination. This command will generate evil.ps1 that can dropped onto the victim machine. It only consists of a decryption function 'de' and the base64-encoded ciphertext.
.Example .EXAMPLE
C:\PS> [String] $cmd = Get-Content .\evil.ps1 C:\PS> [String] $cmd = Get-Content .\evil.ps1
C:\PS> Invoke-Expression $cmd C:\PS> Invoke-Expression $cmd
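Review bot: "This will make analysis of the script impossible without the correct password and salt combination" overstates what the output provides. The dropped file contains the decryption routine 'de' in the clear, so an analyst holding evil.ps1 has everything needed to brute-force the password and salt offline, and the example values ("password", "salty") would fall immediately; once the stub runs, the plaintext is also recoverable from the Invoke-Expression call. Suggest "impractical without the password and salt, provided both are strong" and a sentence telling users not to reuse the example values. In the second example, casting the output of Get-Content to [String] joins the line array with spaces, which only works if evil.ps1 tolerates being flattened onto one line; [IO.File]::ReadAllText or (Get-Content .\evil.ps1) -join "`n" reads it back faithfully.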
@ -51,8 +55,7 @@ function Encrypt-Script {
http://www.exploit-monday.com http://www.exploit-monday.com
#> #>
Param [CmdletBinding()] Param (
(
[Parameter(Position = 0, Mandatory = $True)] [Parameter(Position = 0, Mandatory = $True)]
[String] [String]
$ScriptPath, $ScriptPath,
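Review bot: now that the function carries [CmdletBinding()] it is an advanced function, which is what makes the Write-Verbose in the final hunk reachable via -Verbose; the commit message should say so, since the two changes depend on each other. While touching the parameter block, ScriptPath is typed only as [String]: adding [ValidateNotNullOrEmpty()] and a path check (e.g. [ValidateScript({ Test-Path $_ })]) makes a bad path fail at binding time instead of somewhere inside the function after work has started.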
@ -121,6 +124,6 @@ return $encoding.GetString($h,0,$h.Length);
# Output decrypt function and ciphertext to evil.ps1 # Output decrypt function and ciphertext to evil.ps1
Out-File -InputObject $Output -Encoding ASCII $FilePath Out-File -InputObject $Output -Encoding ASCII $FilePath
Write-Host "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)" Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
} }
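Review bot: switching Write-Host to Write-Verbose makes the function silent by default, yet it has just written a file to disk at $FilePath and the caller gets nothing back to pipe or check. Per the README's own guideline on Write-Output, return the resulting file, e.g. Write-Output (Get-Item $FilePath), and keep the Write-Verbose line as the human-readable trace.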

View File

@ -0,0 +1,156 @@
function Remove-Comments
{
<#
.SYNOPSIS
Strips comments and extra whitespace from a script.
PowerSploit Module - Remove-Comments
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Remove-Comments strips out comments and unnecessary whitespace from a script. This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big.
A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script. You rock, Lee!
.PARAMETER ScriptBlock
Specifies a scriptblock containing your script.
.PARAMETER Path
Specifies the path to your script.
.EXAMPLE
C:\PS> $Stripped = Remove-Comments -Path .\ScriptWithComments.ps1
.EXAMPLE
C:\PS> Remove-Comments -ScriptBlock {
### This is my awesome script. My documentation is beyond reproach!
Write-Host 'Hello, World!' ### Write 'Hello, World' to the host
### End script awesomeness
}
Write-Host 'Hello, World!'
.EXAMPLE
C:\PS> Remove-Comments -Path Inject-Shellcode.ps1 | Out-EncodedCommand
Description
-----------
Removes extraneous whitespace and comments from Inject-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand.
.INPUTS
System.String, System.Management.Automation.ScriptBlock
Accepts either a string containing the path to a script or a scriptblock.
.OUTPUTS
System.Management.Automation.ScriptBlock
Remove-Comments returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired.
.LINK
http://www.exploit-monday.com
http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/
#>
[CmdletBinding( DefaultParameterSetName = 'FilePath' )] Param (
[Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'FilePath' )]
[ValidateNotNullOrEmpty()]
[String]
$Path,
[Parameter(Position = 0, ValueFromPipeline = $True, Mandatory = $True, ParameterSetName = 'ScriptBlock' )]
[ValidateNotNullOrEmpty()]
[ScriptBlock]
$ScriptBlock
)
Set-StrictMode -Version 2
if ($PSBoundParameters['Path'])
{
Get-ChildItem $Path -ErrorAction Stop | Out-Null
$ScriptBlockString = [IO.File]::ReadAllText((Resolve-Path $Path))
$ScriptBlock = [ScriptBlock]::Create($ScriptBlockString)
}
else
{
# Convert the scriptblock to a string so that it can be referenced with array notation
$ScriptBlockString = $ScriptBlock.ToString()
}
# Tokenize the scriptblock and return all tokens except for comments
$Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptBlock, [Ref] $Null) | Where-Object { $_.Type -ne 'Comment' }
$StringBuilder = New-Object Text.StringBuilder
# The majority of the remaining code comes from Lee Holmes' Show-ColorizedContent script.
$CurrentColumn = 1
$NewlineCount = 0
foreach($CurrentToken in $Tokens)
{
# Now output the token
if(($CurrentToken.Type -eq 'NewLine') -or ($CurrentToken.Type -eq 'LineContinuation'))
{
$CurrentColumn = 1
# Only insert a single newline. Sequential newlines are ignored in order to save space.
if ($NewlineCount -eq 0)
{
$StringBuilder.AppendLine() | Out-Null
}
$NewlineCount++
}
else
{
$NewlineCount = 0
# Do any indenting
if($CurrentColumn -lt $CurrentToken.StartColumn)
{
# Insert a single space in between tokens on the same line. Extraneous whiltespace is ignored.
if ($CurrentColumn -ne 1)
{
$StringBuilder.Append(' ') | Out-Null
}
}
# See where the token ends
$CurrentTokenEnd = $CurrentToken.Start + $CurrentToken.Length - 1
# Handle the line numbering for multi-line strings
if(($CurrentToken.Type -eq 'String') -and ($CurrentToken.EndLine -gt $CurrentToken.StartLine))
{
$LineCounter = $CurrentToken.StartLine
$StringLines = $(-join $ScriptBlockString[$CurrentToken.Start..$CurrentTokenEnd] -split '`r`n')
foreach($StringLine in $StringLines)
{
$StringBuilder.Append($StringLine) | Out-Null
$LineCounter++
}
}
# Write out a regular token
else
{
$StringBuilder.Append((-join $ScriptBlockString[$CurrentToken.Start..$CurrentTokenEnd])) | Out-Null
}
# Update our position in the column
$CurrentColumn = $CurrentToken.EndColumn
}
}
Write-Output ([ScriptBlock]::Create($StringBuilder.ToString()))
}
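Review bot: in the token loop, a LineContinuation token is handled like a NewLine and replaced by "`n", which turns a backtick-continued command (`Foo -A 1 `` ` `` / `-B 2`) into two separate statements and silently changes the script's behaviour; a backtick-newline is only whitespace between arguments, so emit a single space for that token type and reserve the newline logic for NewLine. Two smaller points in the same hunk: the multi-line string branch splits on '`r`n' in single quotes, i.e. on the literal characters backtick-r-backtick-n, so it only preserves string contents because the split never fires and $LineCounter is never read; drop the branch and append the token text verbatim, since altering the contents of a string literal is never safe for a minifier. And Tokenize is called with [Ref] $Null, so parse errors are discarded and a malformed script is minified into something that will fail later on the target; capture the errors in a variable and throw if any are present before building the output.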

View File

@ -0,0 +1,88 @@
@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'ScriptModification.psm1'
# Version number of this module.
ModuleVersion = '1.0.0.0'
# ID used to uniquely identify this module
GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'
# Author of this module
Author = 'Matthew Graeber'
# Company or vendor of this module
CompanyName = ''
# Copyright statement for this module
Copyright = 'BSD 3-Clause'
# Description of the functionality provided by this module
Description = 'PowerSploit Script Preparation/Modification Module'
# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'
# Name of the Windows PowerShell host required by this module
# PowerShellHostName = ''
# Minimum version of the Windows PowerShell host required by this module
# PowerShellHostVersion = ''
# Minimum version of the .NET Framework required by this module
# DotNetFrameworkVersion = ''
# Minimum version of the common language runtime (CLR) required by this module
# CLRVersion = ''
# Processor architecture (None, X86, Amd64) required by this module
# ProcessorArchitecture = ''
# Modules that must be imported into the global environment prior to importing this module
# RequiredModules = @()
# Assemblies that must be loaded prior to importing this module
# RequiredAssemblies = @()
# Script files (.ps1) that are run in the caller's environment prior to importing this module.
# ScriptsToProcess = ''
# Type files (.ps1xml) to be loaded when importing this module
# TypesToProcess = @()
# Format files (.ps1xml) to be loaded when importing this module
# FormatsToProcess = @()
# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
# NestedModules = @()
# Functions to export from this module
FunctionsToExport = '*'
# Cmdlets to export from this module
CmdletsToExport = '*'
# Variables to export from this module
VariablesToExport = ''
# Aliases to export from this module
AliasesToExport = ''
# List of all modules packaged with this module.
ModuleList = @(@{ModuleName = 'ScriptModification'; ModuleVersion = '1.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'})
# List of all files packaged with this module
FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-CompressedDll.ps1', 'Out-EncodedCommand.ps1',
'Out-EncryptedScript.ps1', 'Remove-Comments.ps1', 'Usage.txt'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
# HelpInfo URI of this module
# HelpInfoURI = ''
# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
}
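Review bot: Copyright = 'BSD 3-Clause' puts a license name in the copyright field; the license belongs in the per-script headers (already there) and this field should hold the copyright holder and year. FunctionsToExport = '*' combined with the psm1 dot-sourcing every .ps1 in the folder means any helper function defined inside those files becomes a public command; list the four commands explicitly (Out-CompressedDll, Out-EncodedCommand, Out-EncryptedScript, Remove-Comments). The ModuleList entry names this same module and GUID, which is circular and can be dropped.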

View File

@ -0,0 +1 @@
Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
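Review bot: `%` here contradicts the "don't use any aliases" rule the README hunk of this same commit reaffirms; write it as ForEach-Object { . $_.FullName }. Since this loader dot-sources every *.ps1 in the module directory, it is also the reason FunctionsToExport in the manifest should be an explicit list rather than '*'.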

View File

@ -0,0 +1,12 @@
To install this module, drop the entire PETools folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
To use the module, type `Import-Module ScriptModification`
To see the commands imported, type `Get-Command -Module ScriptModification`
For help on each individual command, Get-Help is your friend.
Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
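Review bot: "drop the entire PETools folder" is carried over from the PETools usage text; this file belongs to ScriptModification, so the sentence should read "drop the entire ScriptModification folder into one of your module directories", otherwise Import-Module ScriptModification in the next paragraph will not find it.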