Module: Rex::Exploitation::Powershell::Parser

Included in:

Function, Script

Defined in:

lib/rex/exploitation/powershell/parser.rb

Constant Summary

RESERVED_VARIABLE_NAMES =

Reserved special variables Acquired with: Get-Variable | Format-Table name, value -auto

[
  '$$',
  '$?',
  '$^',
  '$_',
  '$args',
  '$ConfirmPreference',
  '$ConsoleFileName',
  '$DebugPreference',
  '$Env',
  '$Error',
  '$ErrorActionPreference',
  '$ErrorView',
  '$ExecutionContext',
  '$false',
  '$FormatEnumerationLimit',
  '$HOME',
  '$Host',
  '$input',
  '$LASTEXITCODE',
  '$MaximumAliasCount',
  '$MaximumDriveCount',
  '$MaximumErrorCount',
  '$MaximumFunctionCount',
  '$MaximumHistoryCount',
  '$MaximumVariableCount',
  '$MyInvocation',
  '$NestedPromptLevel',
  '$null',
  '$OutputEncoding',
  '$PID',
  '$PROFILE',
  '$ProgressPreference',
  '$PSBoundParameters',
  '$PSCulture',
  '$PSEmailServer',
  '$PSHOME',
  '$PSSessionApplicationName',
  '$PSSessionConfigurationName',
  '$PSSessionOption',
  '$PSUICulture',
  '$PSVersionTable',
  '$PWD',
  '$ReportErrorShowExceptionClass',
  '$ReportErrorShowInnerException',
  '$ReportErrorShowSource',
  '$ReportErrorShowStackTrace',
  '$ShellId',
  '$StackTrace',
  '$true',
  '$VerbosePreference',
  '$WarningPreference',
  '$WhatIfPreference'
].map(&:downcase).freeze

Instance Method Summary

• #block_extract(idx) ⇒ String

  Extract block of code inside brackets/parenthesis.

• #get_func(func_name, delete = false) ⇒ String

  Extract a block of function code.

• #get_func_names ⇒ Array

  Get function names from code.

• #get_string_literals ⇒ Array

  Attempt to find string literals in PSH expression.

• #get_var_names ⇒ Array

  Get variable names from code, removes reserved names from return.

• #match_start(char) ⇒ String

  Return matching bracket type.

• #scan_with_index(str, source = code) ⇒ Array[String,Integer]

  Scan code and return matches with index.

Instance Method Details

#block_extract(idx) ⇒ String

Extract block of code inside brackets/parenthesis

Attempts to match the bracket at idx, handling nesting manually Once the balanced matching bracket is found, all script content between idx and the index of the matching bracket is returned

Parameters:

• idx (Integer) —

  index of opening bracket

Returns:

• (String) —

  content between matching brackets

# File 'lib/rex/exploitation/powershell/parser.rb', line 135

def block_extract(idx)
  fail ArgumentError unless idx

  if idx < 0 || idx >= code.length
    fail ArgumentError, 'Invalid index'
  end

  start = code[idx]
  stop = match_start(start)
  delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/, code[idx + 1..-1])
  delims.map { |x| x[1] = x[1] + idx + 1 }
  c = 1
  sidx = nil
  # Go through delims till we balance, get idx
  while (c != 0) && (x = delims.shift)
    sidx = x[1]
    x[0] == stop ? c -= 1 : c += 1
  end

  code[idx..sidx]
end

#get_func(func_name, delete = false) ⇒ String

Extract a block of function code

Parameters:

• func_name (String) —

  function name

• delete (Boolean) (defaults to: false) —

  delete the function from the code

Returns:

• (String) —

  function block

# File 'lib/rex/exploitation/powershell/parser.rb', line 164

def get_func(func_name, delete = false)
  start = code.index(func_name)

  return nil unless start

  idx = code[start..-1].index('{') + start
  func_txt = block_extract(idx)

  if delete
    delete_code = code[0..idx]
    delete_code << code[(idx + func_txt.length)..-1]
    @code = delete_code
  end

  Function.new(func_name, func_txt)
end

#get_func_names ⇒ Array

Get function names from code

Returns:

• (Array) —

  function names

# File 'lib/rex/exploitation/powershell/parser.rb', line 77

def get_func_names
  code.scan(/function\s([a-zA-Z\-\_0-9]+)/).uniq.flatten
end

#get_string_literals ⇒ Array

Attempt to find string literals in PSH expression

Returns:

• (Array) —

  string literals

# File 'lib/rex/exploitation/powershell/parser.rb', line 85

def get_string_literals
  code.scan(/@"(.+?)"@|@'(.+?)'@/m)
end

#get_var_names ⇒ Array

Get variable names from code, removes reserved names from return

Returns:

• (Array) —

  variable names

# File 'lib/rex/exploitation/powershell/parser.rb', line 68

def get_var_names
  our_vars = code.scan(/\$[a-zA-Z\-\_0-9]+/).uniq.flatten.map(&:strip)
  our_vars.select { |v| !RESERVED_VARIABLE_NAMES.include?(v.downcase) }
end

#match_start(char) ⇒ String

Return matching bracket type

Parameters:

• char (String) —

  opening bracket character

Returns:

• (String) —

  matching closing bracket

# File 'lib/rex/exploitation/powershell/parser.rb', line 110

def match_start(char)
  case char
  when '{'
    '}'
  when '('
    ')'
  when '['
    ']'
  when '<'
    '>'
  else
    fail ArgumentError, 'Unknown starting bracket'
  end
end

#scan_with_index(str, source = code) ⇒ Array[String,Integer]

Scan code and return matches with index

Parameters:

• str (String) —

  string to match in code

• source (String) (defaults to: code) —

  source code to match, defaults to @code

Returns:

• (Array[String,Integer]) —

  matched items with index

# File 'lib/rex/exploitation/powershell/parser.rb', line 96

def scan_with_index(str, source = code)
  ::Enumerator.new do |y|
    source.scan(str) do
      y << ::Regexp.last_match
    end
  end.map { |m| [m.to_s, m.offset(0)[0]] }
end