Find-AVSignature Powershell Script



function Find-AVSignature
{
<#
.SYNOPSIS

Locate tiny AV signatures.

PowerSploit Function: Find-AVSignature
Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com.

.PARAMETER Startbyte

Specifies the first byte to begin splitting on.

.PARAMETER Endbyte

Specifies the last byte to split on.

.PARAMETER Interval

Specifies the interval size to split with.

.PARAMETER Path

Specifies the path to the binary you want tested.

.PARAMETER OutPath

Optionally specifies the directory to write the binaries to.

.PARAMETER BufferLen

Specifies the length of the file read buffer . Defaults to 64KB.

.PARAMETER Force

Forces the script to continue without confirmation.

.EXAMPLE

PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose

.NOTES

Several of the versions of "DSplit.exe" available on the internet contain malware.

.LINK

http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
https://github.com/mattifestation/PowerSploit
http://www.exploit-monday.com/
http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
#>

    [CmdletBinding()] Param(
        [Parameter(Mandatory = $True)]
        [ValidateRange(0,4294967295)]
        [UInt32]
        $StartByte,

        [Parameter(Mandatory = $True)]
        [String]
        $EndByte,

        [Parameter(Mandatory = $True)]
        [ValidateRange(0,4294967295)]
        [UInt32]
        $Interval,

        [String]
        [ValidateScript({Test-Path $_ })]
        $Path = ($pwd.path),

        [String]
        $OutPath = ($pwd),
       
       
        [ValidateRange(1,2097152)]
        [UInt32]
        $BufferLen = 65536,
       
        [Switch] $Force
       
    )

    #test variables
    if (!(Test-Path $Path)) {Throw "File path not found"}
    $Response = $True
    if (!(Test-Path $OutPath)) {
        if ($Force -or ($Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))){new-item ($OutPath)-type directory}
    }
    if (!$Response) {Throw "Output path not found"}
    if (!(Get-ChildItem $Path).Exists) {Throw "File not found"}
    [Int32] $FileSize = (Get-ChildItem $Path).Length
    if ($StartByte -gt ($FileSize - 1) -or $StartByte -lt 0) {Throw "StartByte range must be between 0 and $Filesize"}
    [Int32] $MaximumByte = (($FileSize) - 1)
    if ($EndByte -ceq "max") {$EndByte = $MaximumByte}
   
    #Recast $Endbyte into an Integer so that it can be compared properly.
    [Int32]$EndByte = $EndByte
   
    #If $Endbyte is greater than the file Length, use $MaximumByte.
    if ($EndByte -gt $FileSize) {$EndByte = $MaximumByte}
   
    #If $Endbyte is less than the $StartByte, use 1 Interval past $StartByte.
    if ($EndByte -lt $StartByte) {$EndByte = $StartByte + $Interval}

    Write-Verbose "StartByte: $StartByte"
    Write-Verbose "EndByte: $EndByte"
   
    #find the filename for the output name
    [String] $FileName = (Split-Path $Path -leaf).Split('.')[0]

    #Calculate the number of binaries
    [Int32] $ResultNumber = [Math]::Floor(($EndByte - $StartByte) / $Interval)
    if (((($EndByte - $StartByte) % $Interval)) -gt 0) {$ResultNumber = ($ResultNumber + 1)}
   
    #Prompt user to verify parameters to avoid writing binaries to the wrong directory
    $Response = $True
    if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("This script will result in $ResultNumber binaries being written to `"$OutPath`"!",
             "Do you want to continue?"))){}
    if (!$Response) {Return}
   
    Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"."
    [Int32] $Number = [Math]::Floor($Endbyte/$Interval)
   
        #Create a Read Buffer and Stream.
        #Note: The Filestream class takes advantage of internal .NET Buffering. We set the default internal buffer to 64KB per http://research.microsoft.com/pubs/64538/tr-2004-136.doc.
        [Byte[]] $ReadBuffer=New-Object byte[] $BufferLen
        [System.IO.FileStream] $ReadStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read, $BufferLen)
       
        #write out the calculated number of binaries
        [Int32] $i = 0
        for ($i -eq 0; $i -lt $ResultNumber + 1 ; $i++)
        {
            # If this is the Final Binary, use $EndBytes, Otherwise calculate based on the Interval
            if ($i -eq $ResultNumber) {[Int32]$SplitByte = $EndByte}
            else {[Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))}
           
            Write-Verbose "Byte 0 -> $($SplitByte)"
           
            #Reset ReadStream to beginning of file
            $ReadStream.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null
           
            #Build a new FileStream for Writing
            [String] $outfile = Join-Path $OutPath "$($FileName)_$($SplitByte).bin"
            [System.IO.FileStream] $WriteStream = New-Object System.IO.FileStream($outfile, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $BufferLen)
           
            [Int32] $BytesLeft = $SplitByte
            Write-Verbose "$($WriteStream.name)"
           
            #Write Buffer Length to the Writing Stream until the bytes left is smaller than the buffer
            while ($BytesLeft -gt $BufferLen){
                [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BufferLen)
                $WriteStream.Write($ReadBuffer, 0, $count)
                $BytesLeft = $BytesLeft - $count
            }
           
            #Write the remaining bytes to the file
            do {
                [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BytesLeft)
                $WriteStream.Write($ReadBuffer, 0, $count)
                $BytesLeft = $BytesLeft - $count           
            }
            until ($BytesLeft -eq 0)
            $WriteStream.Close()
            $WriteStream.Dispose()
        }
        Write-Verbose "Files written to disk. Flushing memory."
        $ReadStream.Dispose()
       
        #During testing using large binaries, memory usage was excessive so lets fix that
        [System.GC]::Collect()
        Write-Verbose "Completed!"
}


Note: How to Use This ? > open powershell and run this command :-

Set-ExecutionPolicy Unrestricted
Import-Module .\Find-AVSignature.ps1

The script accepts several arguments. First, we’ll specify the start and end bytes with -StartByte and -EndByte respectively. In our first run, we’ll specify a starting byte of “0” and an ending byte of “max” to scan the entire executable. We’ll use the -Interval parameter to specify the size of each individual segment of the file we will split. This value will depend on the size of the executable, but since the 32-bit Meterpreter executable is roughly 73 KB, we’ll set each segment to 10000 bytes. Next, we’ll specify the input file (-Path) and the output folder (-OutPath). We’ll also pass the -Verbose and -Force flags to gain additional console output and force creation of the specified
output directory, respectively.

 Find-AVSignature -StartByte 0 -EndByte max -Interval 10000 -Path C:\Tools\met.exe -OutPath C:\Tools\avtest1 -Verbose -Force
Copyright 2023 Hacker Computer School
All Rights Reserved
Powered by Hacker's Group

Privacy Policy Terms And Condition Refund Policy