Merge branch 'master' of https://github.com/mattifestation/PowerSploit

Conflicts:
	Recon/Get-ComputerDetails.ps1
	Recon/Recon.psd1

Author: clymb3r

.gitignore

@@ -45,7 +45,6 @@ local.properties
 
 [Dd]ebug/
 [Rr]elease/
-x64/
 build/
 [Bb]in/
 [Oo]bj/

AntivirusBypass/AntivirusBypass.psd1

@@ -1,4 +1,4 @@
-@{
+@{
 
 # Script module or binary module file associated with this manifest.
 ModuleToProcess = 'AntivirusBypass.psm1'
@@ -84,4 +84,4 @@ FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1
 # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
 # DefaultCommandPrefix = ''
 
-}
+}

AntivirusBypass/AntivirusBypass.psm1

@@ -1 +1 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}

AntivirusBypass/Find-AVSignature.ps1

@@ -183,4 +183,4 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
 		#During testing using large binaries, memory usage was excessive so lets fix that
         [System.GC]::Collect()
         Write-Verbose "Completed!"
-}
+}

Capstone/Capstone.psd1

@@ -0,0 +1,48 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'Capstone.psm1'
+
+# Version number of this module.
+ModuleVersion = '2.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Copyright statement for this module
+Copyright = 'see LICENSE.TXT'
+
+# Description of the functionality provided by this module
+Description = 'Capstone Disassembly Framework Binding Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '3.0'
+
+# Minimum version of the common language runtime (CLR) required by this module
+CLRVersion = '4.0'
+
+# Assemblies that must be loaded prior to importing this module
+RequiredAssemblies = 'lib/capstone.dll'
+
+# Format files (.ps1xml) to be loaded when importing this module
+FormatsToProcess = 'Get-CSDisassembly.format.ps1xml'
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'})
+
+# List of all files packaged with this module
+FileList = 'Capstone.psm1',
+           'Capstone.psd1',
+           'Get-CSDisassembly.format.ps1xml',
+           'LICENSE.TXT',
+           'README', 
+           'lib/capstone.dll',
+           'lib/x86/libcapstone.dll',
+           'lib/x64/libcapstone.dll'
+}

Capstone/Capstone.psm1

@@ -0,0 +1,173 @@
+#Requires -Modules Capstone
+
+function Get-CSDisassembly
+{
+<#
+.SYNOPSIS
+
+    Disassembles a byte array using the Capstone Engine disassembly framework.
+
+    PowerSploit Function: Get-CSDisassembly
+    Author: Matthew Graeber (@mattifestation)
+    License: See LICENSE.TXT
+    Required Dependencies: lib\capstone.dll, lib\[x86|x64]\libcapstone.dll
+    Optional Dependencies: None
+
+.DESCRIPTION
+
+    Get-CSDisassembly is compatible on 32 and 64-bit.
+
+.PARAMETER Architecture
+
+    Specifies the architecture of the code to be disassembled.
+
+.PARAMETER Mode
+
+    Specifies the mode in which to disassemble code. For example, to disassemble Amd64 code, architecture is set to 'X86' and Mode is set to 'MODE_64'.
+
+.PARAMETER Code
+
+    A byte array consisting of the code to be disassembled.
+
+.PARAMETER Offset
+
+    Specifies the starting address of the disassembly listing.
+
+.PARAMETER Count
+
+    Specifies the maximum number of instructions to disassemble.
+
+.PARAMETER Syntax
+
+    Specifies the syntax flavor to be used (INTEL vs. ATT).
+
+.PARAMETER DetailOn
+
+    Specifies that detailed parsing should be performed - i.e. provide detailed information for each disassembled instruction.
+
+.PARAMETER Verstion
+
+    Prints the running Capstone Framework version.
+      
+.EXAMPLE
+
+    $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+    Get-CSDisassembly -Architecture X86 -Mode Mode16 -Code $Bytes -Offset 0x1000
+
+    $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+    Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+    Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes -Syntax ATT
+
+    $Bytes = [Byte[]] @( 0x55, 0x48, 0x8b, 0x05, 0xb8, 0x13, 0x00, 0x00 )
+    Get-CSDisassembly -Architecture X86 -Mode Mode64 -Code $Bytes -DetailOn
+
+    $Bytes = [Byte[]] @( 0xED, 0xFF, 0xFF, 0xEB, 0x04, 0xe0, 0x2d, 0xe5, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x83, 0x22, 0xe5, 0xf1, 0x02, 0x03, 0x0e, 0x00, 0x00, 0xa0, 0xe3, 0x02, 0x30, 0xc1, 0xe7, 0x00, 0x00, 0x53, 0xe3 )
+    Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x4f, 0xf0, 0x00, 0x01, 0xbd, 0xe8, 0x00, 0x88, 0xd1, 0xe8, 0x00, 0xf0 )
+    Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x10, 0xf1, 0x10, 0xe7, 0x11, 0xf2, 0x31, 0xe7, 0xdc, 0xa1, 0x2e, 0xf3, 0xe8, 0x4e, 0x62, 0xf3 )
+    Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x70, 0x47, 0xeb, 0x46, 0x83, 0xb0, 0xc9, 0x68 )
+    Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes -DetailOn
+
+    $Bytes = [Byte[]] @( 0x21, 0x7c, 0x02, 0x9b, 0x21, 0x7c, 0x00, 0x53, 0x00, 0x40, 0x21, 0x4b, 0xe1, 0x0b, 0x40, 0xb9 )
+    Get-CSDisassembly -Architecture Arm64 -Mode Arm -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x0C, 0x10, 0x00, 0x97, 0x00, 0x00, 0x00, 0x00, 0x24, 0x02, 0x00, 0x0c, 0x8f, 0xa2, 0x00, 0x00, 0x34, 0x21, 0x34, 0x56 )
+    Get-CSDisassembly -Architecture Mips -Mode 'Mode32, BigEndian' -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x56, 0x34, 0x21, 0x34, 0xc2, 0x17, 0x01, 0x00 )
+    Get-CSDisassembly -Architecture Mips -Mode 'Mode64, LittleEndian' -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x80, 0x20, 0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x10, 0x43, 0x23, 0x0e, 0xd0, 0x44, 0x00, 0x80, 0x4c, 0x43, 0x22, 0x02, 0x2d, 0x03, 0x00, 0x80, 0x7c, 0x43, 0x20, 0x14, 0x7c, 0x43, 0x20, 0x93, 0x4f, 0x20, 0x00, 0x21, 0x4c, 0xc8, 0x00, 0x21 )
+    Get-CSDisassembly -Architecture PPC -Mode BigEndian -Code $Bytes
+
+.INPUTS
+
+    None
+
+    You cannot pipe objects to Get-CSDisassembly.
+
+.OUTPUTS
+
+    Capstone.Instruction[]
+
+    Get-CSDisassembly returns an array of Instruction objects.
+#>
+
+    [OutputType([Capstone.Instruction])]
+    [CmdletBinding(DefaultParameterSetName = 'Disassemble')]
+    Param (
+        [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
+        [Capstone.Architecture]
+        $Architecture,
+
+        [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
+        [Capstone.Mode]
+        $Mode,
+
+        [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
+        [ValidateNotNullOrEmpty()]
+        [Byte[]]
+        $Code,
+
+        [Parameter( ParameterSetName = 'Disassemble' )]
+        [UInt64]
+        $Offset = 0,
+
+        [Parameter( ParameterSetName = 'Disassemble' )]
+        [UInt32]
+        $Count = 0,
+
+        [Parameter( ParameterSetName = 'Disassemble' )]
+        [ValidateSet('Intel', 'ATT')]
+        [String]
+        $Syntax,
+
+        [Parameter( ParameterSetName = 'Disassemble' )]
+        [Switch]
+        $DetailOn,
+
+        [Parameter( ParameterSetName = 'Version' )]
+        [Switch]
+        $Version
+    )
+
+    if ($PsCmdlet.ParameterSetName -eq 'Version')
+    {
+        $Disassembly = New-Object Capstone.Capstone([Capstone.Architecture]::X86, [Capstone.Mode]::Mode16)
+        $Disassembly.Version
+
+        return
+    }
+
+    $Disassembly = New-Object Capstone.Capstone($Architecture, $Mode)
+
+    if ($Disassembly.Version -ne [Capstone.Capstone]::BindingVersion)
+    {
+        Write-Error "capstone.dll version ($([Capstone.Capstone]::BindingVersion.ToString())) should be the same as libcapstone.dll version. Otherwise, undefined behavior is likely."
+    }
+
+    if ($Syntax)
+    {
+        switch ($Syntax)
+        {
+            'Intel' { $SyntaxMode = [Capstone.OptionValue]::SyntaxIntel }
+            'ATT'   { $SyntaxMode = [Capstone.OptionValue]::SyntaxATT }
+        }
+
+        $Disassembly.SetSyntax($SyntaxMode)
+    }
+
+    if ($DetailOn)
+    {
+        $Disassembly.SetDetail($True)
+    }
+
+    $Disassembly.Disassemble($Code, $Offset, $Count)
+}

Capstone/Get-CSDisassembly.format.ps1xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+    <ViewDefinitions>
+        <View>
+            <Name>InstructionView</Name>
+                <ViewSelectedBy>
+		            <TypeName>Capstone.Instruction</TypeName>
+		        </ViewSelectedBy>
+            <TableControl>
+            <AutoSize/>
+                <TableHeaders>
+                    <TableColumnHeader>
+                        <Label>Address</Label>
+                    </TableColumnHeader>
+                    <TableColumnHeader>
+                        <Label>Mnemonic</Label>
+                    </TableColumnHeader>
+                    <TableColumnHeader>
+                        <Label>Operands</Label>
+                    </TableColumnHeader>
+                </TableHeaders>
+                <TableRowEntries>
+                    <TableRowEntry>
+                        <TableColumnItems>
+                            <TableColumnItem>
+                                <PropertyName>Address</PropertyName>
+                                <FormatString>0x{0:X8}</FormatString>
+                            </TableColumnItem>
+                            <TableColumnItem>
+                                <PropertyName>Mnemonic</PropertyName>
+                            </TableColumnItem>
+                            <TableColumnItem>
+                                <PropertyName>Operands</PropertyName>
+                            </TableColumnItem>
+                        </TableColumnItems>
+                    </TableRowEntry>
+                </TableRowEntries>
+            </TableControl>
+        </View>
+    </ViewDefinitions>
+</Configuration>

Capstone/LICENSE.TXT

@@ -0,0 +1,30 @@
+This is the software license for Capstone disassembly framework.
+Capstone has been designed & implemented by Nguyen Anh Quynh <[email protected]>
+See http://www.capstone-engine.org for further information.
+
+Copyright (c) 2013, COSEINC.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice,
+  this list of conditions and the following disclaimer.
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+* Neither the name of the developer(s) nor the names of its
+  contributors may be used to endorse or promote products derived from this
+  software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.

Capstone/README

@@ -0,0 +1,17 @@
+This module has three dependencies:
+* lib\x86\libcapstone.dll (the 32-bit unmanaged Capstone library)
+* lib\x64\libcapstone.dll (the 64-bit unmanaged Capstone library)
+* lib\capstone.dll (the managed C# bindings to the Capstone Framework)
+
+To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module Capstone`
+
+To see the commands imported, type `Get-Command -Module Capstone`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.