change

AntivirusBypass/Find-AVSignature.ps1

@@ -5,11 +5,11 @@ function Find-AVSignature
 
 Locate tiny AV signatures.
 
-PowerSploit Function: Find-AVSignature
-Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+PowerSploit Function: Find-AVSignature  
+Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None  
 
 .DESCRIPTION
 
@@ -37,19 +37,19 @@ Optionally specifies the directory to write the binaries to.
 
 .PARAMETER BufferLen
 
-Specifies the length of the file read buffer .  Defaults to 64KB.  
+Specifies the length of the file read buffer .  Defaults to 64KB.
 
 .PARAMETER Force
 
-Forces the script to continue without confirmation.    
+Forces the script to continue without confirmation.
 
 .EXAMPLE
 
-PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe 
-PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
-PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
-PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
-PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
+Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
+Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
+Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
+Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
+Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
 
 .NOTES
 
@@ -63,10 +63,12 @@ http://www.exploit-monday.com/
 http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
 #>
 
-    [CmdletBinding()] Param(
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [CmdletBinding()]
+    Param(
         [Parameter(Mandatory = $True)]
         [ValidateRange(0,4294967295)]
-		[UInt32]
+        [UInt32]
         $StartByte,
 
         [Parameter(Mandatory = $True)]
@@ -75,112 +77,110 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
 
         [Parameter(Mandatory = $True)]
         [ValidateRange(0,4294967295)]
-		[UInt32]
+        [UInt32]
         $Interval,
 
         [String]
-		[ValidateScript({Test-Path $_ })]
+        [ValidateScript({Test-Path $_ })]
         $Path = ($pwd.path),
 
         [String]
         $OutPath = ($pwd),
-
-
-		[ValidateRange(1,2097152)]
-		[UInt32]
-		$BufferLen = 65536,
-
+
+        [ValidateRange(1,2097152)]
+        [UInt32]
+        $BufferLen = 65536,
+
         [Switch] $Force
-
     )
 
     #test variables
     if (!(Test-Path $Path)) {Throw "File path not found"}
     $Response = $True
     if (!(Test-Path $OutPath)) {
         if ($Force -or ($Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))){new-item ($OutPath)-type directory}
-	}
+    }
     if (!$Response) {Throw "Output path not found"}
     if (!(Get-ChildItem $Path).Exists) {Throw "File not found"}
     [Int32] $FileSize = (Get-ChildItem $Path).Length
     if ($StartByte -gt ($FileSize - 1) -or $StartByte -lt 0) {Throw "StartByte range must be between 0 and $Filesize"}
     [Int32] $MaximumByte = (($FileSize) - 1)
     if ($EndByte -ceq "max") {$EndByte = $MaximumByte}
-	
-	#Recast $Endbyte into an Integer so that it can be compared properly. 
-	[Int32]$EndByte = $EndByte 
-	
-	#If $Endbyte is greater than the file Length, use $MaximumByte.
+
+    #Recast $Endbyte into an Integer so that it can be compared properly.
+    [Int32]$EndByte = $EndByte
+
+    #If $Endbyte is greater than the file Length, use $MaximumByte.
     if ($EndByte -gt $FileSize) {$EndByte = $MaximumByte}
-
-	#If $Endbyte is less than the $StartByte, use 1 Interval past $StartByte.
-	if ($EndByte -lt $StartByte) {$EndByte = $StartByte + $Interval}
 
-	Write-Verbose "StartByte: $StartByte"
-	Write-Verbose "EndByte: $EndByte"
-
+    #If $Endbyte is less than the $StartByte, use 1 Interval past $StartByte.
+    if ($EndByte -lt $StartByte) {$EndByte = $StartByte + $Interval}
+
+    Write-Verbose "StartByte: $StartByte"
+    Write-Verbose "EndByte: $EndByte"
+
     #find the filename for the output name
     [String] $FileName = (Split-Path $Path -leaf).Split('.')[0]
 
     #Calculate the number of binaries
     [Int32] $ResultNumber = [Math]::Floor(($EndByte - $StartByte) / $Interval)
     if (((($EndByte - $StartByte) % $Interval)) -gt 0) {$ResultNumber = ($ResultNumber + 1)}
-    
+
     #Prompt user to verify parameters to avoid writing binaries to the wrong directory
     $Response = $True
     if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("This script will result in $ResultNumber binaries being written to `"$OutPath`"!",
              "Do you want to continue?"))){}
     if (!$Response) {Return}
-    
-    Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"." 
+
+    Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"."
     [Int32] $Number = [Math]::Floor($Endbyte/$Interval)
-
-		#Create a Read Buffer and Stream. 
-		#Note: The Filestream class takes advantage of internal .NET Buffering.  We set the default internal buffer to 64KB per http://research.microsoft.com/pubs/64538/tr-2004-136.doc.
-		[Byte[]] $ReadBuffer=New-Object byte[] $BufferLen
-		[System.IO.FileStream] $ReadStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read, $BufferLen)
-
-        #write out the calculated number of binaries
-        [Int32] $i = 0
-        for ($i -eq 0; $i -lt $ResultNumber + 1 ; $i++)
-        {
-			# If this is the Final Binary, use $EndBytes, Otherwise calculate based on the Interval
-			if ($i -eq $ResultNumber) {[Int32]$SplitByte = $EndByte}
-			else {[Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))}
-
-			Write-Verbose "Byte 0 -> $($SplitByte)"
-
-			#Reset ReadStream to beginning of file
-			$ReadStream.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null
-
-			#Build a new FileStream for Writing
-			[String] $outfile = Join-Path $OutPath "$($FileName)_$($SplitByte).bin"
-			[System.IO.FileStream] $WriteStream = New-Object System.IO.FileStream($outfile, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $BufferLen)
-
-			[Int32] $BytesLeft = $SplitByte
-			Write-Verbose "$($WriteStream.name)"
-
-			#Write Buffer Length to the Writing Stream until the bytes left is smaller than the buffer 
-			while ($BytesLeft -gt $BufferLen){
-				[Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BufferLen)
-				$WriteStream.Write($ReadBuffer, 0, $count)
-				$BytesLeft = $BytesLeft - $count
-			}
-
-			#Write the remaining bytes to the file 
-			do {
-				[Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BytesLeft)
-				$WriteStream.Write($ReadBuffer, 0, $count)
-				$BytesLeft = $BytesLeft - $count			
-			}
-			until ($BytesLeft -eq 0)
-			$WriteStream.Close()
-			$WriteStream.Dispose()
+
+    #Create a Read Buffer and Stream.
+    #Note: The Filestream class takes advantage of internal .NET Buffering.  We set the default internal buffer to 64KB per http://research.microsoft.com/pubs/64538/tr-2004-136.doc.
+    [Byte[]] $ReadBuffer=New-Object byte[] $BufferLen
+    [System.IO.FileStream] $ReadStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read, $BufferLen)
+
+    #write out the calculated number of binaries
+    [Int32] $i = 0
+    for ($i -eq 0; $i -lt $ResultNumber + 1 ; $i++)
+    {
+        # If this is the Final Binary, use $EndBytes, Otherwise calculate based on the Interval
+        if ($i -eq $ResultNumber) {[Int32]$SplitByte = $EndByte}
+        else {[Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))}
+
+        Write-Verbose "Byte 0 -> $($SplitByte)"
+
+        #Reset ReadStream to beginning of file
+        $ReadStream.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null
+
+        #Build a new FileStream for Writing
+        [String] $outfile = Join-Path $OutPath "$($FileName)_$($SplitByte).bin"
+        [System.IO.FileStream] $WriteStream = New-Object System.IO.FileStream($outfile, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $BufferLen)
+
+        [Int32] $BytesLeft = $SplitByte
+        Write-Verbose "$($WriteStream.name)"
+
+        #Write Buffer Length to the Writing Stream until the bytes left is smaller than the buffer
+        while ($BytesLeft -gt $BufferLen){
+            [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BufferLen)
+            $WriteStream.Write($ReadBuffer, 0, $count)
+            $BytesLeft = $BytesLeft - $count
+        }
+
+        #Write the remaining bytes to the file
+        do {
+            [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BytesLeft)
+            $WriteStream.Write($ReadBuffer, 0, $count)
+            $BytesLeft = $BytesLeft - $count
         }
-        Write-Verbose "Files written to disk. Flushing memory."
-        $ReadStream.Dispose()
-
-		#During testing using large binaries, memory usage was excessive so lets fix that
-        [System.GC]::Collect()
-        Write-Verbose "Completed!"
+        until ($BytesLeft -eq 0)
+        $WriteStream.Close()
+        $WriteStream.Dispose()
+    }
+    Write-Verbose "Files written to disk. Flushing memory."
+    $ReadStream.Dispose()
+
+    #During testing using large binaries, memory usage was excessive so lets fix that
+    [System.GC]::Collect()
+    Write-Verbose "Completed!"
 }