rex-powershell 0.1.0

data/lib/rex/powershell/function.rb

@@ -0,0 +1,61 @@
+# -*- coding: binary -*-
+
+module Rex
+module Powershell
+  class Function
+    FUNCTION_REGEX = Regexp.new(/\[(\w+\[\])\]\$(\w+)\s?=|\[(\w+)\]\$(\w+)\s?=|\[(\w+\[\])\]\s+?\$(\w+)\s+=|\[(\w+)\]\s+\$(\w+)\s?=/i)
+    PARAMETER_REGEX = Regexp.new(/param\s+\(|param\(/im)
+    attr_accessor :code, :name, :params
+
+    include Output
+    include Parser
+    include Obfu
+
+    def initialize(name, code)
+      @name = name
+      @code = code
+      populate_params
+    end
+
+    #
+    # To String
+    #
+    # @return [String] Powershell function
+    def to_s
+      "function #{name} #{code}"
+    end
+
+    #
+    # Identify the parameters from the code and
+    # store as Param in @params
+    #
+    def populate_params
+      @params = []
+      start = code.index(PARAMETER_REGEX)
+      return unless start
+      # Get start of our block
+      idx = scan_with_index('(', code[start..-1]).first.last + start
+      pclause = block_extract(idx)
+
+      matches = pclause.scan(FUNCTION_REGEX)
+
+      # Ignore assignment, create params with class and variable names
+      matches.each do |param|
+        klass = nil
+        name = nil
+        param.each do |value|
+          if value
+            if klass
+              name = value
+              @params << Param.new(klass, name)
+              break
+            else
+              klass = value
+            end
+          end
+        end
+      end
+    end
+  end
+end
+end

data/lib/rex/powershell/obfu.rb

@@ -0,0 +1,96 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+
+module Rex
+module Powershell
+  module Obfu
+    MULTI_LINE_COMMENTS_REGEX = Regexp.new(/<#(.*?)#>/m)
+    SINGLE_LINE_COMMENTS_REGEX = Regexp.new(/^\s*#(?!.*region)(.*$)/i)
+    WINDOWS_EOL_REGEX = Regexp.new(/[\r\n]+/)
+    UNIX_EOL_REGEX = Regexp.new(/[\n]+/)
+    WHITESPACE_REGEX = Regexp.new(/\s+/)
+    EMPTY_LINE_REGEX = Regexp.new(/^$|^\s+$/)
+
+    #
+    # Remove comments
+    #
+    # @return [String] code without comments
+    def strip_comments
+      # Multi line
+      code.gsub!(MULTI_LINE_COMMENTS_REGEX, '')
+      # Single line
+      code.gsub!(SINGLE_LINE_COMMENTS_REGEX, '')
+
+      code
+    end
+
+    #
+    # Remove empty lines
+    #
+    # @return [String] code without empty lines
+    def strip_empty_lines
+      # Windows EOL
+      code.gsub!(WINDOWS_EOL_REGEX, "\r\n")
+      # UNIX EOL
+      code.gsub!(UNIX_EOL_REGEX, "\n")
+
+      code
+    end
+
+    #
+    # Remove whitespace
+    # This can break some codes using inline .NET
+    #
+    # @return [String] code with whitespace stripped
+    def strip_whitespace
+      code.gsub!(WHITESPACE_REGEX, ' ')
+
+      code
+    end
+
+    #
+    # Identify variables and replace them
+    #
+    # @return [String] code with variable names replaced with unique values
+    def sub_vars
+      # Get list of variables, remove reserved
+      get_var_names.each do |var, _sub|
+        code.gsub!(var, "$#{@rig.init_var(var)}")
+      end
+
+      code
+    end
+
+    #
+    # Identify function names and replace them
+    #
+    # @return [String] code with function names replaced with unique
+    #   values
+    def sub_funcs
+      # Find out function names, make map
+      get_func_names.each do |var, _sub|
+        code.gsub!(var, @rig.init_var(var))
+      end
+
+      code
+    end
+
+    #
+    # Perform standard substitutions
+    #
+    # @return [String] code with standard substitution methods applied
+    def standard_subs(subs = %w(strip_comments strip_whitespace sub_funcs sub_vars))
+      # Save us the trouble of breaking injected .NET and such
+      subs.delete('strip_whitespace') unless get_string_literals.empty?
+      # Run selected modifiers
+      subs.each do |modifier|
+        send(modifier)
+      end
+      code.gsub!(EMPTY_LINE_REGEX, '')
+
+      code
+    end
+  end # Obfu
+end
+end

data/lib/rex/powershell/output.rb

@@ -0,0 +1,157 @@
+# -*- coding: binary -*-
+
+require 'zlib'
+require 'rex/text'
+
+module Rex
+module Powershell
+  module Output
+    #
+    # To String
+    #
+    # @return [String] Code
+    def to_s
+      code
+    end
+
+    #
+    # Returns code size
+    #
+    # @return [Integer] Code size
+    def size
+      code.size
+    end
+
+    #
+    # Return code with numbered lines
+    #
+    # @return [String] Powershell code with line numbers
+    def to_s_lineno
+      numbered = ''
+      code.split(/\r\n|\n/).each_with_index do |line, idx|
+        numbered << "#{idx}: #{line}"
+      end
+
+      numbered
+    end
+
+    #
+    # Return a zlib compressed powershell code wrapped in decode stub
+    #
+    # @param eof [String] End of file identifier to append to code
+    #
+    # @return [String] Zlib compressed powershell code wrapped in
+    # decompression stub
+    def deflate_code(eof = nil)
+      # Compress using the Deflate algorithm
+      compressed_stream = ::Zlib::Deflate.deflate(code,
+                                                  ::Zlib::BEST_COMPRESSION)
+
+      # Base64 encode the compressed file contents
+      encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+      # Build the powershell expression
+      # Decode base64 encoded command and create a stream object
+      psh_expression =  "$s=New-Object IO.MemoryStream(,"
+      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
+      # Read & delete the first two bytes due to incompatibility with MS
+      psh_expression << '$s.ReadByte();'
+      psh_expression << '$s.ReadByte();'
+      # Uncompress and invoke the expression (execute)
+      psh_expression << 'IEX (New-Object IO.StreamReader('
+      psh_expression << 'New-Object IO.Compression.DeflateStream('
+      psh_expression << '$s,'
+      psh_expression << '[IO.Compression.CompressionMode]::Decompress)'
+      psh_expression << ')).ReadToEnd();'
+
+      # If eof is set, add a marker to signify end of code output
+      # if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      psh_expression << "echo '#{eof}';" if eof
+
+      @code = psh_expression
+    end
+
+    #
+    # Return Base64 encoded powershell code
+    #
+    # @return [String] Base64 encoded powershell code
+    def encode_code(eof = nil)
+      @code = Rex::Text.encode_base64(Rex::Text.to_unicode(code))
+    end
+
+    #
+    # Return ASCII powershell code from base64/unicode
+    #
+    # @return [String] ASCII powershell code
+    def decode_code
+      @code = Rex::Text.to_ascii(Rex::Text.decode_base64(code))
+    end
+
+    #
+    # Return a gzip compressed powershell code wrapped in decoder stub
+    #
+    # @param eof [String] End of file identifier to append to code
+    #
+    # @return [String] Gzip compressed powershell code wrapped in
+    # decompression stub
+    def gzip_code(eof = nil)
+      # Compress using the Deflate algorithm
+      compressed_stream = Rex::Text.gzip(code)
+
+      # Base64 encode the compressed file contents
+      encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+      # Build the powershell expression
+      # Decode base64 encoded command and create a stream object
+      psh_expression =  "$s=New-Object IO.MemoryStream(,"
+      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
+      # Uncompress and invoke the expression (execute)
+      psh_expression << 'IEX (New-Object IO.StreamReader('
+      psh_expression << 'New-Object IO.Compression.GzipStream('
+      psh_expression << '$s,'
+      psh_expression << '[IO.Compression.CompressionMode]::Decompress)'
+      psh_expression << ')).ReadToEnd();'
+
+      # If eof is set, add a marker to signify end of code output
+      # if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      psh_expression << "echo '#{eof}';" if eof
+
+      @code = psh_expression
+    end
+
+    #
+    # Compresses script contents with gzip (default) or deflate
+    #
+    # @param eof [String] End of file identifier to append to code
+    # @param gzip [Boolean] Whether to use gzip compression or deflate
+    #
+    # @return [String] Compressed code wrapped in decompression stub
+    def compress_code(eof = nil, gzip = true)
+      @code = gzip ? gzip_code(eof) : deflate_code(eof)
+    end
+
+    #
+    # Reverse the compression process
+    # Try gzip, inflate if that fails
+    #
+    # @return [String] Decompressed powershell code
+    def decompress_code
+      # Extract substring with payload
+      encoded_stream = @code.scan(/FromBase64String\('(.*)'/).flatten.first
+      # Decode and decompress the string
+      unencoded = Rex::Text.decode_base64(encoded_stream)
+      begin
+        @code = Rex::Text.ungzip(unencoded) || Rex::Text.zlib_inflate(unencoded)
+      rescue Zlib::GzipFile::Error
+        begin
+          @code = Rex::Text.zlib_inflate(unencoded)
+        rescue Zlib::DataError => e
+          raise RuntimeError, 'Invalid compression'
+        end
+      end
+
+      @code
+    end
+  end
+end
+end

data/lib/rex/powershell/param.rb

@@ -0,0 +1,21 @@
+# -*- coding: binary -*-
+
+module Rex
+module Powershell
+  class Param
+    attr_accessor :klass, :name
+    def initialize(klass, name)
+      @klass = klass.strip
+      @name = name.strip.gsub(/\s|,/, '')
+    end
+
+    #
+    # To String
+    #
+    # @return [String] Powershell param
+    def to_s
+      "[#{klass}]$#{name}"
+    end
+  end
+end
+end

data/lib/rex/powershell/parser.rb

@@ -0,0 +1,182 @@
+# -*- coding: binary -*-
+
+module Rex
+module Powershell
+module Parser
+  # Reserved special variables
+  # Acquired with: Get-Variable | Format-Table name, value -auto
+  RESERVED_VARIABLE_NAMES = [
+    '$$',
+    '$?',
+    '$^',
+    '$_',
+    '$args',
+    '$ConfirmPreference',
+    '$ConsoleFileName',
+    '$DebugPreference',
+    '$Env',
+    '$Error',
+    '$ErrorActionPreference',
+    '$ErrorView',
+    '$ExecutionContext',
+    '$false',
+    '$FormatEnumerationLimit',
+    '$HOME',
+    '$Host',
+    '$input',
+    '$LASTEXITCODE',
+    '$MaximumAliasCount',
+    '$MaximumDriveCount',
+    '$MaximumErrorCount',
+    '$MaximumFunctionCount',
+    '$MaximumHistoryCount',
+    '$MaximumVariableCount',
+    '$MyInvocation',
+    '$NestedPromptLevel',
+    '$null',
+    '$OutputEncoding',
+    '$PID',
+    '$PROFILE',
+    '$ProgressPreference',
+    '$PSBoundParameters',
+    '$PSCulture',
+    '$PSEmailServer',
+    '$PSHOME',
+    '$PSSessionApplicationName',
+    '$PSSessionConfigurationName',
+    '$PSSessionOption',
+    '$PSUICulture',
+    '$PSVersionTable',
+    '$PWD',
+    '$ReportErrorShowExceptionClass',
+    '$ReportErrorShowInnerException',
+    '$ReportErrorShowSource',
+    '$ReportErrorShowStackTrace',
+    '$ShellId',
+    '$StackTrace',
+    '$true',
+    '$VerbosePreference',
+    '$WarningPreference',
+    '$WhatIfPreference'
+  ].map(&:downcase).freeze
+
+  #
+  # Get variable names from code, removes reserved names from return
+  #
+  # @return [Array] variable names
+  def get_var_names
+    our_vars = code.scan(/\$[a-zA-Z\-\_0-9]+/).uniq.flatten.map(&:strip)
+    our_vars.select { |v| !RESERVED_VARIABLE_NAMES.include?(v.downcase) }
+  end
+
+  #
+  # Get function names from code
+  #
+  # @return [Array] function names
+  def get_func_names
+    code.scan(/function\s([a-zA-Z\-\_0-9]+)/).uniq.flatten
+  end
+
+  #
+  # Attempt to find string literals in PSH expression
+  #
+  # @return [Array] string literals
+  def get_string_literals
+    code.scan(/@"(.+?)"@|@'(.+?)'@/m)
+  end
+
+  #
+  # Scan code and return matches with index
+  #
+  # @param str [String] string to match in code
+  # @param source [String] source code to match, defaults to @code
+  #
+  # @return [Array[String,Integer]] matched items with index
+  def scan_with_index(str, source = code)
+    ::Enumerator.new do |y|
+      source.scan(str) do
+        y << ::Regexp.last_match
+      end
+    end.map { |m| [m.to_s, m.offset(0)[0]] }
+  end
+
+  #
+  # Return matching bracket type
+  #
+  # @param char [String] opening bracket character
+  #
+  # @return [String] matching closing bracket
+  def match_start(char)
+    case char
+    when '{'
+      '}'
+    when '('
+      ')'
+    when '['
+      ']'
+    when '<'
+      '>'
+    else
+      fail ArgumentError, 'Unknown starting bracket'
+    end
+  end
+
+  #
+  # Extract block of code inside brackets/parenthesis
+  #
+  # Attempts to match the bracket at idx, handling nesting manually
+  # Once the balanced matching bracket is found, all script content
+  # between idx and the index of the matching bracket is returned
+  #
+  # @param idx [Integer] index of opening bracket
+  #
+  # @return [String] content between matching brackets
+  def block_extract(idx)
+    fail ArgumentError unless idx
+
+    if idx < 0 || idx >= code.length
+      fail ArgumentError, 'Invalid index'
+    end
+
+    start = code[idx]
+    stop = match_start(start)
+    delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/, code[idx + 1..-1])
+    delims.map { |x| x[1] = x[1] + idx + 1 }
+    c = 1
+    sidx = nil
+    # Go through delims till we balance, get idx
+    while (c != 0) && (x = delims.shift)
+      sidx = x[1]
+      x[0] == stop ? c -= 1 : c += 1
+    end
+
+    code[idx..sidx]
+  end
+
+  #
+  # Extract a block of function code
+  #
+  # @param func_name [String] function name
+  # @param delete [Boolean] delete the function from the code
+  #
+  # @return [String] function block
+  def get_func(func_name, delete = false)
+    start = code.index(func_name)
+
+    return nil unless start
+
+    idx = code[start..-1].index('{') + start
+    func_txt = block_extract(idx)
+
+    if delete
+      delete_code = code[0..idx]
+      delete_code << code[(idx + func_txt.length)..-1]
+      @code = delete_code
+    end
+
+    Function.new(func_name, func_txt)
+  end
+end # Parser
+end
+end
+