
powershellarsenal's Introduction

Conference Presentations

| Date | Conference | Talk Title |
| --- | --- | --- |
| 11-Aug-22 | Black Hat USA 2022 | Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem |
| 2-Oct-21 | BSides Augusta 2021 | Confidently Measuring Attack Technique Coverage by Asking Better Questions |
| 3-Dec-20 | CONverge Detroit | Keynote: Improving the Landscape and Messaging of Offensive Tooling and Techniques |
| 6-Sep-19 | DerbyCon IX | How do I detect technique X in Windows? Applied Methodology to Definitively Answer this Question |
| 30-Jun-19 | REcon 2019 | Using WPP and TraceLogging Tracing to Facilitate Dynamic and Static Windows RE |
| 7-Aug-18 | Black Hat USA 2018 | Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology |
| 15-Mar-18 | TROOPERS18 | Subverting Trust in Windows |
| 23-Jan-18 | BlueHat IL 2018 | Hi, My Name is 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US' |
| 7-Nov-17 | Crowdstrike Fal.Con Unite 2017 | Subverting & Restoring Trust in Windows |
| 22-Mar-17 | TROOPERS17 | Architecting a Modern Defense using Device Guard |
| 22-Sep-17 | DerbyCon VII | Keynote: Subverting Trust in Windows - A Case Study of the "How" and "Why" of Engaging in Security Research |
| 24-Jan-17 | BlueHat IL 2017 | Device Guard Attack Surface, Bypasses, and Mitigations |
| 3-May-17 | PowerShell Conference EU 2017 | Defensive Coding Strategies for a High-Security Environment |
| 3-May-17 | PowerShell Conference EU 2017 | Architecting a Modern Defense Using Device Guard and PowerShell |
| 24-Sep-16 | DerbyCon 6.0 | Living Off the Land 2: A Minimalist's Guide to Windows Defense |
| 12-Jan-16 | Microsoft BlueHat v15 | Windows Management Instrumentation – The Omnipresent Attack and Defense Platform |
| 8-Aug-15 | DEF CON 23 | WhyMI so Sexy? WMI Attacks, Real-Time Defense, and Advanced Forensic Analysis |
| 5-Aug-15 | Black Hat USA 2015 | Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor |
| 27-May-15 | Microsoft BlueHat Briefing Day (Internal Conference) | Offensive PowerShell: Scripting Past Network Defenses |
| 13-Jan-15 | ShmooCon Epilogue 2015 | Automating Obfuscated .NET Malware Analysis |
| 7-Oct-14 | MIRcon 2014 | Analysis of Malicious Security Support Provider DLLs |
| 28-Apr-14 | PowerShell Summit 2014 | Using PowerShell as a Reverse Engineering Tool |
| 28-Apr-14 | PowerShell Summit 2014 | Advanced PowerShell Eventing Scripting Techniques |
| 28-Sep-13 | DerbyCon 3 | Living Off The Land: A Minimalist's Guide To Windows Post Exploitation |
| 26-Mar-13 | #misec PowerShell Study Group | Parsing Binary File Formats with PowerShell |

Blog Posts

Topic: Detection

Topic: Windows Defender Application Control (WDAC)

Topic: Code Signing

Topic: Windows Tradecraft

Topic: Reverse Engineering

Topic: Miscellaneous

Attributed CVEs

| CVE | Description |
| --- | --- |
| CVE-2023-28228 | Windows Spoofing Vulnerability |
| CVE-2022-35743 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability |
| CVE-2020-1599 | Windows Spoofing Vulnerability |
| CVE-2019-0733 | Windows Defender Application Control Security Feature Bypass Vulnerability |
| CVE-2019-0627 | Windows Security Feature Bypass Vulnerability |
| CVE-2018-8222 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| CVE-2018-8221 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| CVE-2018-8211 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| CVE-2018-8204 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| CVE-2018-8200 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| CVE-2018-0854 | Windows Security Feature Bypass Vulnerability |
| CVE-2017-0219 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| CVE-2017-0218 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| CVE-2017-0216 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| CVE-2016-3346 | Windows Permissions Enforcement Elevation of Privilege Vulnerability |

powershellarsenal's People

Contributors

mattifestation, renenyffenegger


powershellarsenal's Issues

Error undecorating symbols in Get-LibSymbols.ps1

In Line 241 of Get-LibSymbols.ps1 the call:
[COFF.Functions]::UnDecorateSymbolName( ....
should be (?):
[COFF2.Functions]::UnDecorateSymbolName( ....

(use COFF2 instead of COFF).

Btw, thanks for making the project available.

You will likely need to run this script elevated

Hi! I execute the command with Administrator privileges, thanks for all!
My PowerShell version: 5.0.10586.122 on Windows 10 64-bit

PS C:\WINDOWS\system32> $AllPEBs = Get-Process | Get-PEB
Get-PEB : Unable to obtain a handle for PID 10844. You will likely need to run this script elevated.
At line:1 char:26
+ $AllPEBs = Get-Process | Get-PEB
+                          ~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-PEB

Get-Entropy

Works slowly with huge files. Fastest way (pwsh is required):

using namespace System.Reflection.Emit

Set-Alias -Name ent -Value Get-Entropy
function Get-Entropy {
  [CmdletBinding()]
  param(
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [Byte[]]$Bytes
  )

  process {
    if (!($e = $ExecutionContext.SessionState.PSVariable.Get('PSEntropy').Value)) {
      $dm = [DynamicMethod]::new('Entropy', [Double], [Type[]]([Byte[]]))
      $il = $dm.GetILGenerator()
      # variables
      $i   = $il.DeclareLocal([Int32])
      $rng = $il.DeclareLocal([Type]::GetType('System.Int32*'))
      $pi  = $il.DeclareLocal([Type]::GetType('System.Int32*'))
      $ent = $il.DeclareLocal([Double])
      $src = $il.DeclareLocal([Double])
      # labels (four in total)
      $labels = (0..3).ForEach{ $il.DefineLabel() }
      # function body
      $il.Emit([OpCodes]::ldc_i4, 0x100)
      $il.Emit([OpCodes]::conv_u)
      $il.Emit([OpCodes]::ldc_i4_4)
      $il.Emit([OpCodes]::mul_ovf_un)
      $il.Emit([OpCodes]::localloc)
      $il.Emit([OpCodes]::stloc_1)
      $il.Emit([OpCodes]::ldloc_1)
      $il.Emit([OpCodes]::ldc_i4, 0x400)
      $il.Emit([OpCodes]::conv_i)
      $il.Emit([OpCodes]::add)
      $il.Emit([OpCodes]::stloc_2)
      $il.Emit([OpCodes]::ldc_r8, 0.0)
      $il.Emit([OpCodes]::stloc_3)
      $il.Emit([OpCodes]::ldarg_0)
      $il.Emit([OpCodes]::ldlen)
      $il.Emit([OpCodes]::conv_i4)
      $il.Emit([OpCodes]::dup)
      $il.Emit([OpCodes]::stloc_0)
      $il.Emit([OpCodes]::conv_r8)
      $il.Emit([OpCodes]::stloc_s, $src)
      $il.Emit([OpCodes]::br_s, $labels[0])
      $il.MarkLabel($labels[1]) # 0x28
      $il.Emit([OpCodes]::ldloc_1)
      $il.Emit([OpCodes]::ldarg_0)
      $il.Emit([OpCodes]::ldloc_0)
      $il.Emit([OpCodes]::ldelem_u1)
      $il.Emit([OpCodes]::conv_i)
      $il.Emit([OpCodes]::ldc_i4_4)
      $il.Emit([OpCodes]::mul)
      $il.Emit([OpCodes]::add)
      $il.Emit([OpCodes]::dup)
      $il.Emit([OpCodes]::ldind_i4)
      $il.Emit([OpCodes]::ldc_i4_1)
      $il.Emit([OpCodes]::add)
      $il.Emit([OpCodes]::stind_i4)
      $il.MarkLabel($labels[0]) # 0x35
      $il.Emit([OpCodes]::ldloc_0)
      $il.Emit([OpCodes]::ldc_i4_1)
      $il.Emit([OpCodes]::sub)
      $il.Emit([OpCodes]::dup)
      $il.Emit([OpCodes]::stloc_0)
      $il.Emit([OpCodes]::ldc_i4_0)
      $il.Emit([OpCodes]::bge_s, $labels[1])
      $il.Emit([OpCodes]::br_s, $labels[2])
      $il.MarkLabel($labels[3]) # 0x3f
      $il.Emit([OpCodes]::ldloc_2)
      $il.Emit([OpCodes]::ldind_i4)
      $il.Emit([OpCodes]::ldc_i4_0)
      $il.Emit([OpCodes]::ble_s, $labels[2])
      $il.Emit([OpCodes]::ldloc_3)
      $il.Emit([OpCodes]::ldloc_2)
      $il.Emit([OpCodes]::ldind_i4)
      $il.Emit([OpCodes]::conv_r8)
      $il.Emit([OpCodes]::ldloc_2)
      $il.Emit([OpCodes]::ldind_i4)
      $il.Emit([OpCodes]::conv_r8)
      $il.Emit([OpCodes]::ldloc_s, $src)
      $il.Emit([OpCodes]::div)
      $il.Emit([OpCodes]::ldc_r8, 2.)
      $il.Emit([OpCodes]::call, [Math].GetMethod('Log', [Type[]]([Double], [Double])))
      $il.Emit([OpCodes]::mul)
      $il.Emit([OpCodes]::add)
      $il.Emit([OpCodes]::stloc_3)
      $il.MarkLabel($labels[2]) # 0x5f
      $il.Emit([OpCodes]::ldloc_2)
      $il.Emit([OpCodes]::ldc_i4_4)
      $il.Emit([OpCodes]::conv_i)
      $il.Emit([OpCodes]::sub)
      $il.Emit([OpCodes]::dup)
      $il.Emit([OpCodes]::stloc_2)
      $il.Emit([OpCodes]::ldloc_1)
      $il.Emit([OpCodes]::bge_un_s, $labels[3])
      $il.Emit([OpCodes]::ldloc_3)
      $il.Emit([OpCodes]::neg)
      $il.Emit([OpCodes]::ldloc_s, $src)
      $il.Emit([OpCodes]::div)
      $il.Emit([OpCodes]::ret)

      Set-Variable -Name PSEntropy -Value (
        $e = $dm.CreateDelegate([Func[[Byte[]], Double]])
      ) -Option Constant -Scope Global -Visibility Private
    }
    '{0:F3}' -f $e.Invoke($Bytes)
  }
}
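The IL above is a hand-emitted Shannon entropy routine: a 256-bucket histogram of byte values, then -Σ p·log2(p) over the non-empty buckets. The following is an added example, not code from the issue above or from PowerShellArsenal, that implements the same calculation in plain PowerShell so the algorithm is readable, and then applies it the way a defender typically uses entropy: scanning a byte buffer in fixed windows to flag regions that look packed or encrypted. The function names (`Get-ShannonEntropy`, `Get-EntropyWindow`), the window size and the 7.2 bits/byte threshold are assumptions chosen for the example, and the sample inputs are constructed inline.

```powershell
# Added example: readable Shannon entropy plus windowed scanning (not PowerShellArsenal code).

function Get-ShannonEntropy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [byte[]]$Bytes
    )

    if ($Bytes.Length -eq 0) { return 0.0 }

    # 256-bucket histogram, the same table the IL version allocates with localloc.
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }

    $total   = [double]$Bytes.Length
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $total
            $entropy -= $p * [Math]::Log($p, 2)   # Math.Log(value, base)
        }
    }
    return $entropy   # bits per byte, in the range 0.0 .. 8.0
}

function Get-EntropyWindow {
    # Slide a fixed-size window over the buffer and report entropy per window.
    # High-entropy windows inside an otherwise low-entropy file are a common
    # triage signal for embedded packed/encrypted payloads.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [int]$WindowSize = 4096,       # assumption: 4 KiB windows
        [double]$Threshold = 7.2       # assumption: flag >= 7.2 bits/byte
    )

    for ($offset = 0; $offset -lt $Bytes.Length; $offset += $WindowSize) {
        $len   = [Math]::Min($WindowSize, $Bytes.Length - $offset)
        $chunk = [byte[]]::new($len)
        [Array]::Copy($Bytes, $offset, $chunk, 0, $len)
        $e = Get-ShannonEntropy -Bytes $chunk
        [pscustomobject]@{
            Offset      = $offset
            Length      = $len
            Entropy     = [Math]::Round($e, 3)
            HighEntropy = ($e -ge $Threshold)
        }
    }
}

# --- Constructed sample inputs ---------------------------------------------
$uniform  = [byte[]](0..255)            # every byte value exactly once -> 8.000
$constant = [byte[]](,0x41 * 1024)      # a single repeated value          -> 0.000
$random   = [byte[]]::new(4096)         # CSPRNG output, close to 8.0
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($random)

'{0:F3}' -f (Get-ShannonEntropy -Bytes $uniform)
'{0:F3}' -f (Get-ShannonEntropy -Bytes $constant)
'{0:F3}' -f (Get-ShannonEntropy -Bytes $random)

# A low-entropy buffer with a random blob in the middle: only the middle
# windows should be flagged.
$mixed = [byte[]]::new(3 * 4096)
[Array]::Copy($random, 0, $mixed, 4096, 4096)
Get-EntropyWindow -Bytes $mixed | Format-Table -AutoSize

# Real-world use (path is a placeholder you choose):
# Get-EntropyWindow -Bytes ([IO.File]::ReadAllBytes('C:\path\to\sample.bin')) |
#     Where-Object HighEntropy
```

The windowed scan is deliberately coarse: windows do not overlap, so a payload that straddles a boundary is split across two windows and may fall below the threshold in both. For a finer view, step by a fraction of the window size, at the cost of proportionally more work, which is exactly where the issue author's IL version earns its speed.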

Support for -MethodInfo in Get-CSDisassembly

First of all, thank you for a great module!
I am currently interested only in a small part: disassembling.
I found this super convenient:

(Get-ILDisassembly -MethodInfo ([string].GetMethod("GetHashCode"))).Instructions

Is it possible to support the same scenario for Get-CSDisassembly?

[Get-PEB] argument transformation on parameter 'Id'

Taken from .EXAMPLE

$NotepadPEB = Get-PEB -Id (ps notepad)
Get-PEB : Cannot process argument transformation on parameter 'Id'. Cannot convert the "System.Diagnostics.Process (notepad)" value of type "System.Diagnostics.Process" to type "System.UInt16[]".
At line:1 char:27
+ $NotepadPEB = Get-PEB -Id (ps notepad)
+                           ~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-PEB], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-PEB

My PS version:

Major Minor Build Revision
5 1 17763 316

Get-PEB: getting current directory works for cmd.exe, but not for powershell.exe

On my Windows 10 box I opened a Powershell session and a Cmd session in both of which I changed the current working directory with "cd Desktop". Now I do this:

PS C:\Users\XXX\Desktop> (Get-PEB -Id (ps powershell).Id).ProcessParameters.CurrentDirectory
C:\Users\XXX\

PS C:\Users\XXX\Desktop> (Get-PEB -Id (ps cmd).Id).ProcessParameters.CurrentDirectory
C:\Users\XXX\Desktop\

As you can see, the output is correct for Cmd, but wrong for Powershell. Is this a known problem?

Update: SysInternals Process Explorer shows the same discrepancy, so at least the two of them behave in the same way - but still unexpectedly.

Update 2: In the command line help there is a little bug in an example:

 C:\PS>$NotepadPEB = Get-PEB -Id (ps notepad)
 C:\PS> $NotepadPEB.InInitializationOrderModuleList

You forgot .Id. So in the first line it should be: Get-PEB -Id (ps notepad).Id.
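The discrepancy reported above is worth understanding when the PEB is used for process triage: PowerShell's Set-Location (what `cd` resolves to) changes the session's provider location, not the Win32 current directory of the powershell.exe process, and the PEB's ProcessParameters.CurrentDirectory field reflects only the latter. cmd.exe's `cd` does change the process directory, which is why the two tools disagree. The following added example, not part of the issue or of PowerShellArsenal, shows the two values side by side from inside the session so a reader can confirm this without Get-PEB or Process Explorer. The function name `Compare-CurrentDirectory` and the Desktop path are assumptions chosen for the example.

```powershell
# Added example: provider location vs. native process current directory (not PowerShellArsenal code).

function Compare-CurrentDirectory {
    [pscustomobject]@{
        # What Set-Location / cd changes: the PowerShell provider's current location.
        ProviderLocation = (Get-Location).ProviderPath
        # What the process's PEB (ProcessParameters.CurrentDirectory) reflects:
        # the Win32 current directory, read via .NET.
        ProcessDirectory = [Environment]::CurrentDirectory
    }
}

# Start from wherever the shell was launched.
Compare-CurrentDirectory

# Change location the PowerShell way (constructed path; any directory will do).
Set-Location (Join-Path $env:USERPROFILE 'Desktop')
Compare-CurrentDirectory
# ProviderLocation now ends in \Desktop; ProcessDirectory is unchanged, which is
# the value Get-PEB and Process Explorer report for powershell.exe.

# If a script needs the native directory to follow the provider location
# (for example before calling .NET APIs that resolve relative paths),
# set it explicitly. After this, the PEB field changes as well.
[Environment]::CurrentDirectory = (Get-Location).ProviderPath
Compare-CurrentDirectory
```

For forensic readers of PEB data the practical consequence is that powershell.exe's CurrentDirectory usually records the directory the process was started in, not where an interactive user last navigated, unless a script set `[Environment]::CurrentDirectory` explicitly.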
