Wednesday, May 5, 2021

PowerView Invoke-ShareFinder sample

#sample partial of powerview powershell script (note: must be run on 32bit/x86 powershell)

#https://www.blackhillsinfosec.com/finding-buried-treasure-in-server-message-block-smb/

iex (get-content .\filefinds.ps1 |out-string)

PS C:\> Get-NetComputer –OperatingSystem *2003* | Out-File –Encoding ASCII Windows2003Hosts.txt 

PS C:\> Get-NetComputer –OperatingSystem *2008* | Out-File –Encoding ASCII Windows2008Hosts.txt 

PS C:\> Get-NetComputer –OperatingSystem *2012* | Out-File –Encoding ASCII Windows2012Hosts.txt 

PS C:\> Get-NetComputer –OperatingSystem *2016* | Out-File –Encoding ASCII Windows2016Hosts.txt 

PS C:\> Get-NetComputer –OperatingSystem *2019* | Out-File –Encoding ASCII Windows2019Hosts.txt 

PS C:\> Get-NetComputer –OperatingSystem *XP* | Out-File –Encoding ASCII WindowsXPHosts.txt 

PS C:\> Get-NetComputer –OperatingSystem *7* | Out-File –Encoding ASCII Windows7Hosts.txt 

PS C:\> Get-NetComputer –OperatingSystem * 8* | Out-File –Encoding ASCII Windows8Hosts.txt 

PS C:\> Get-NetComputer –OperatingSystem *10* | Out-File –Encoding ASCII Windows10Hosts.txt 

PS C:\> Invoke-ShareFinder –ComputerFile Windows2003Hosts.txt -NoPing –ExcludeIPC –ExcludePrint –CheckShareAccess | Out-File –Encoding ASCII Windows2003Shares.txt 

PS C:\> Invoke-ShareFinder –ComputerFile Windows2008Hosts.txt -NoPing –ExcludeIPC –ExcludePrint –CheckShareAccess | Out-File –Encoding ASCII Windows2008Shares.txt 

PS C:\> Invoke-ShareFinder –ComputerFile Windows2012Hosts.txt -NoPing –ExcludeIPC –ExcludePrint –CheckShareAccess | Out-File –Encoding ASCII Windows2012Shares.txt 

PS C:\> Invoke-ShareFinder –ComputerFile Windows2016Hosts.txt -NoPing –ExcludeIPC –ExcludePrint –CheckShareAccess | Out-File –Encoding ASCII Windows2016Shares.txt 

PS C:\> Invoke-ShareFinder –ComputerFile Windows2019Hosts.txt -NoPing –ExcludeIPC –ExcludePrint –CheckShareAccess | Out-File –Encoding ASCII Windows2019Shares.txt 

PS C:\> Invoke-ShareFinder –ComputerFile WindowsXPHosts.txt -NoPing –ExcludeIPC –ExcludePrint –CheckShareAccess | Out-File –Encoding ASCII WindowsXPShares.txt 

PS C:\> Invoke-ShareFinder –ComputerFile Windows7Hosts.txt -NoPing –ExcludeIPC –ExcludePrint –CheckShareAccess | Out-File –Encoding ASCII Windows7Shares.txt 

PS C:\> Invoke-ShareFinder –ComputerFile Windows8Hosts.txt -NoPing –ExcludeIPC –ExcludePrint –CheckShareAccess | Out-File –Encoding ASCII Windows8Shares.txt 

PS C:\> Invoke-ShareFinder –ComputerFile Windows10Hosts.txt -NoPing –ExcludeIPC –ExcludePrint –CheckShareAccess | Out-File –Encoding ASCII Windows10Shares.txt 


---------------------

findfiles.ps1

----------------------------


function Get-NetDomain {


    [CmdletBinding()]

    param(

        [Parameter(ValueFromPipeline=$True)]

        [String]

        $Domain

    )


    process {

        if($Domain) {

            $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)

            try {

                [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)

            }

            catch {

                Write-Warning "The specified domain $Domain does not exist, could not be contacted, or there isn't an existing trust."

                $Null

            }

        }

        else {

            [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

        }

    }

}


function Convert-LDAPProperty {

    # helper to convert specific LDAP property result fields

    param(

        [Parameter(Mandatory=$True,ValueFromPipeline=$True)]

        [ValidateNotNullOrEmpty()]

        $Properties

    )


    $ObjectProperties = @{}


    $Properties.PropertyNames | ForEach-Object {

        if (($_ -eq "objectsid") -or ($_ -eq "sidhistory")) {

            # convert the SID to a string

            $ObjectProperties[$_] = (New-Object System.Security.Principal.SecurityIdentifier($Properties[$_][0],0)).Value

        }

        elseif($_ -eq "objectguid") {

            # convert the GUID to a string

            $ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid

        }

        elseif( ($_ -eq "lastlogon") -or ($_ -eq "lastlogontimestamp") -or ($_ -eq "pwdlastset") -or ($_ -eq "lastlogoff") -or ($_ -eq "badPasswordTime") ) {

            # convert timestamps

            if ($Properties[$_][0] -is [System.MarshalByRefObject]) {

                # if we have a System.__ComObject

                $Temp = $Properties[$_][0]

                [Int32]$High = $Temp.GetType().InvokeMember("HighPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)

                [Int32]$Low  = $Temp.GetType().InvokeMember("LowPart",  [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)

                $ObjectProperties[$_] = ([datetime]::FromFileTime([Int64]("0x{0:x8}{1:x8}" -f $High, $Low)))

            }

            else {

                $ObjectProperties[$_] = ([datetime]::FromFileTime(($Properties[$_][0])))

            }

        }

        elseif($Properties[$_][0] -is [System.MarshalByRefObject]) {

            # convert misc com objects

            $Prop = $Properties[$_]

            try {

                $Temp = $Prop[$_][0]

                Write-Verbose $_

                [Int32]$High = $Temp.GetType().InvokeMember("HighPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)

                [Int32]$Low  = $Temp.GetType().InvokeMember("LowPart",  [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)

                $ObjectProperties[$_] = [Int64]("0x{0:x8}{1:x8}" -f $High, $Low)

            }

            catch {

                $ObjectProperties[$_] = $Prop[$_]

            }

        }

        elseif($Properties[$_].count -eq 1) {

            $ObjectProperties[$_] = $Properties[$_][0]

        }

        else {

            $ObjectProperties[$_] = $Properties[$_]

        }

    }


    New-Object -TypeName PSObject -Property $ObjectProperties

}



function Get-NetForest {


    [CmdletBinding()]

    param(

        [Parameter(ValueFromPipeline=$True)]

        [String]

        $Forest

    )


    process {

        if($Forest) {

            $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Forest)

            try {

                $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)

            }

            catch {

                Write-Debug "The specified forest $Forest does not exist, could not be contacted, or there isn't an existing trust."

                $Null

            }

        }

        else {

            # otherwise use the current forest

            $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

        }


        if($ForestObject) {

            # get the SID of the forest root

            $ForestSid = (New-Object System.Security.Principal.NTAccount($ForestObject.RootDomain,"krbtgt")).Translate([System.Security.Principal.SecurityIdentifier]).Value

            $Parts = $ForestSid -Split "-"

            $ForestSid = $Parts[0..$($Parts.length-2)] -join "-"

            $ForestObject | Add-Member NoteProperty 'RootDomainSid' $ForestSid

            $ForestObject

        }

    }

}




function Get-NetForestDomain {


    [CmdletBinding()]

    param(

        [Parameter(ValueFromPipeline=$True)]

        [String]

        $Forest,


        [String]

        $Domain

    )


    process {

        if($Domain) {

            # try to detect a wild card so we use -like

            if($Domain.Contains('*')) {

                (Get-NetForest -Forest $Forest).Domains | Where-Object {$_.Name -like $Domain}

            }

            else {

                # match the exact domain name if there's not a wildcard

                (Get-NetForest -Forest $Forest).Domains | Where-Object {$_.Name.ToLower() -eq $Domain.ToLower()}

            }

        }

        else {

            # return all domains

            $ForestObject = Get-NetForest -Forest $Forest

            if($ForestObject) {

                $ForestObject.Domains

            }

        }

    }

}



function Get-DomainSearcher {



    [CmdletBinding()]

    param(

        [String]

        $Domain,


        [String]

        $DomainController,


        [String]

        $ADSpath,


        [String]

        $ADSprefix,


        [ValidateRange(1,10000)] 

        [Int]

        $PageSize = 200

    )


    if(!$Domain) {

        $Domain = (Get-NetDomain).name

    }

    else {

        if(!$DomainController) {

            try {

                # if there's no -DomainController specified, try to pull the primary DC

                #   to reflect queries through

                $DomainController = ((Get-NetDomain).PdcRoleOwner).Name

            }

            catch {

                throw "Get-DomainSearcher: Error in retrieving PDC for current domain"

            }

        }

    }


    $SearchString = "LDAP://"


    if($DomainController) {

        $SearchString += $DomainController + "/"

    }

    if($ADSprefix) {

        $SearchString += $ADSprefix + ","

    }


    if($ADSpath) {

        if($ADSpath -like "GC://*") {

            # if we're searching the global catalog

            $DistinguishedName = $AdsPath

            $SearchString = ""

        }

        else {

            if($ADSpath -like "LDAP://*") {

                $ADSpath = $ADSpath.Substring(7)

            }

            $DistinguishedName = $ADSpath

        }

    }

    else {

        $DistinguishedName = "DC=$($Domain.Replace('.', ',DC='))"

    }


    $SearchString += $DistinguishedName

    Write-Verbose "Get-DomainSearcher search string: $SearchString"


    $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)

    $Searcher.PageSize = $PageSize

    $Searcher

}



function Get-NetComputer {


    [CmdletBinding()]

    Param (

        [Parameter(ValueFromPipeline=$True)]

        [Alias('HostName')]

        [String]

        $ComputerName = '*',


        [String]

        $SPN,


        [String]

        $OperatingSystem,


        [String]

        $ServicePack,


        [String]

        $Filter,


        [Switch]

        $Printers,


        [Switch]

        $Ping,


        [Switch]

        $FullData,


        [String]

        $Domain,


        [String]

        $DomainController,


        [String]

        $ADSpath,


        [Switch]

        $Unconstrained,


        [ValidateRange(1,10000)] 

        [Int]

        $PageSize = 200

    )


begin {

        # so this isn't repeated if users are passed on the pipeline

        $CompSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -PageSize $PageSize

    }

    process {


        if ($CompSearcher) {


            # if we're checking for unconstrained delegation

            if($Unconstrained) {

                Write-Verbose "Searching for computers with for unconstrained delegation"

                $Filter += "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

            }

            # set the filters for the seracher if it exists

            if($Printers) {

                Write-Verbose "Searching for printers"

                # $CompSearcher.filter="(&(objectCategory=printQueue)$Filter)"

                $Filter += "(objectCategory=printQueue)"

            }

            if($SPN) {

                Write-Verbose "Searching for computers with SPN: $SPN"

                $Filter += "(servicePrincipalName=$SPN)"

            }

            if($OperatingSystem) {

                $Filter += "(operatingsystem=$OperatingSystem)"

            }

            if($ServicePack) {

                $Filter += "(operatingsystemservicepack=$ServicePack)"

            }


            $CompSearcher.filter = "(&(sAMAccountType=805306369)(dnshostname=$ComputerName)$Filter)"


            try {


                $CompSearcher.FindAll() | Where-Object {$_} | ForEach-Object {

                    $Up = $True

                    if($Ping) {

                        # TODO: how can these results be piped to ping for a speedup?

                        $Up = Test-Connection -Count 1 -Quiet -ComputerName $_.properties.dnshostname

                    }

                    if($Up) {

                        # return full data objects

                        if ($FullData) {

                            # convert/process the LDAP fields for each result

                            Convert-LDAPProperty -Properties $_.Properties

                        }

                        else {

                            # otherwise we're just returning the DNS host name

                            $_.properties.dnshostname

                        }

                    }

                }

            }

            catch {

                Write-Warning "Error: $_"

            }

        }

    }

}



function Get-NameField {

    [CmdletBinding()]

    param(

        [Parameter(Mandatory=$True,ValueFromPipeline=$True)]

        $Object

    )

    process {

        if($Object) {

            if ( [bool]($Object.PSobject.Properties.name -match "dnshostname") ) {

                # objects from Get-NetComputer

                $Object.dnshostname

            }

            elseif ( [bool]($Object.PSobject.Properties.name -match "name") ) {

                # objects from Get-NetDomainController

                $Object.name

            }

            else {

                # strings and catch alls

                $Object

            }

        }

        else {

            return $Null

        }

    }

}


function Get-NetShare {



    [CmdletBinding()]

    param(

        [Parameter(ValueFromPipeline=$True)]

        [Alias('HostName')]

        [String]

        $ComputerName = 'localhost'

    )


    begin {

        if ($PSBoundParameters['Debug']) {

            $DebugPreference = 'Continue'

        }

    }


    process {


        # process multiple host object types from the pipeline

        $ComputerName = Get-NameField -Object $ComputerName


        # arguments for NetShareEnum

        $QueryLevel = 1

        $PtrInfo = [IntPtr]::Zero

        $EntriesRead = 0

        $TotalRead = 0

        $ResumeHandle = 0


        # get the share information

        $Result = $Netapi32::NetShareEnum($ComputerName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)


        # Locate the offset of the initial intPtr

        $Offset = $PtrInfo.ToInt64()


        Write-Debug "Get-NetShare result: $Result"


        # 0 = success

        if (($Result -eq 0) -and ($Offset -gt 0)) {


            # Work out how mutch to increment the pointer by finding out the size of the structure

            $Increment = $SHARE_INFO_1::GetSize()


            # parse all the result structures

            for ($i = 0; ($i -lt $EntriesRead); $i++) {

                # create a new int ptr at the given offset and cast

                #   the pointer as our result structure

                $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset

                $Info = $NewIntPtr -as $SHARE_INFO_1

                # return all the sections of the structure

                $Info | Select-Object *

                $Offset = $NewIntPtr.ToInt64()

                $Offset += $Increment

            }


            # free up the result buffer

            $Null = $Netapi32::NetApiBufferFree($PtrInfo)

        }

        else

        {

            switch ($Result) {

                (5)           {Write-Debug 'The user does not have access to the requested information.'}

                (124)         {Write-Debug 'The value specified for the level parameter is not valid.'}

                (87)          {Write-Debug 'The specified parameter is not valid.'}

                (234)         {Write-Debug 'More entries are available. Specify a large enough buffer to receive all entries.'}

                (8)           {Write-Debug 'Insufficient memory is available.'}

                (2312)        {Write-Debug 'A session does not exist with the computer name.'}

                (2351)        {Write-Debug 'The computer name is not valid.'}

                (2221)        {Write-Debug 'Username not found.'}

                (53)          {Write-Debug 'Hostname could not be found'}

            }

        }

    }

}




function Invoke-ShareFinder {


    [CmdletBinding()]

    param(

        [Parameter(Position=0,ValueFromPipeline=$True)]

        [Alias('Hosts')]

        [String[]]

        $ComputerName,


        [ValidateScript({Test-Path -Path $_ })]

        [Alias('HostList')]

        [String]

        $ComputerFile,


        [String]

        $ComputerFilter,


        [String]

        $ComputerADSpath,


        [Switch]

        $ExcludeStandard,


        [Switch]

        $ExcludePrint,


        [Switch]

        $ExcludeIPC,


        [Switch]

        $NoPing,


        [Switch]

        $CheckShareAccess,


        [Switch]

        $CheckAdmin,


        [UInt32]

        $Delay = 0,


        [Double]

        $Jitter = .3,


        [String]

        $Domain,


        [String]

        $DomainController,

 

        [Switch]

        $SearchForest,


        [ValidateRange(1,100)] 

        [Int]

        $Threads

    )


    begin {

        if ($PSBoundParameters['Debug']) {

            $DebugPreference = 'Continue'

        }


        # random object for delay

        $RandNo = New-Object System.Random


        Write-Verbose "[*] Running Invoke-ShareFinder with delay of $Delay"


        # figure out the shares we want to ignore

        [String[]] $ExcludedShares = @('')


        if ($ExcludePrint) {

            $ExcludedShares = $ExcludedShares + "PRINT$"

        }

        if ($ExcludeIPC) {

            $ExcludedShares = $ExcludedShares + "IPC$"

        }

        if ($ExcludeStandard) {

            $ExcludedShares = @('', "ADMIN$", "IPC$", "C$", "PRINT$")

        }


        if(!$ComputerName) { 


            if($Domain) {

                $TargetDomains = @($Domain)

            }

            elseif($SearchForest) {

                # get ALL the domains in the forest to search

                $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }

            }

            else {

                # use the local domain

                $TargetDomains = @( (Get-NetDomain).name )

            }


            # if we're using a host file list, read the targets in and add them to the target list

            if($ComputerFile) {

                $ComputerName = Get-Content -Path $ComputerFile

            }

            else {

                [array]$ComputerName = @()

                ForEach ($Domain in $TargetDomains) {

                    Write-Verbose "[*] Querying domain $Domain for hosts"

                    $ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Filter $ComputerFilter -ADSpath $ComputerADSpath

                }

            }


            # remove any null target hosts, uniquify the list and shuffle it

            $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }

            if($($ComputerName.count) -eq 0) {

                throw "No hosts found!"

            }

        }


        # script block that enumerates a server

        $HostEnumBlock = {

            param($ComputerName, $Ping, $CheckShareAccess, $ExcludedShares, $CheckAdmin)


            # optionally check if the server is up first

            $Up = $True

            if($Ping) {

                $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName

            }

            if($Up) {

                # get the shares for this host and check what we find

                $Shares = Get-NetShare -ComputerName $ComputerName

                ForEach ($Share in $Shares) {

                    Write-Debug "[*] Server share: $Share"

                    $NetName = $Share.shi1_netname

                    $Remark = $Share.shi1_remark

                    $Path = '\\'+$ComputerName+'\'+$NetName


                    # make sure we get a real share name back

                    if (($NetName) -and ($NetName.trim() -ne '')) {

                        # if we're just checking for access to ADMIN$

                        if($CheckAdmin) {

                            if($NetName.ToUpper() -eq "ADMIN$") {

                                try {

                                    $Null = [IO.Directory]::GetFiles($Path)

                                    "\\$ComputerName\$NetName `t- $Remark"

                                }

                                catch {

                                    Write-Debug "Error accessing path $Path : $_"

                                }

                            }

                        }

                        # skip this share if it's in the exclude list

                        elseif ($ExcludedShares -NotContains $NetName.ToUpper()) {

                            # see if we want to check access to this share

                            if($CheckShareAccess) {

                                # check if the user has access to this path

                                try {

                                    $Null = [IO.Directory]::GetFiles($Path)

                                    "\\$ComputerName\$NetName `t- $Remark"

                                }

                                catch {

                                    Write-Debug "Error accessing path $Path : $_"

                                }

                            }

                            else {

                                "\\$ComputerName\$NetName `t- $Remark"

                            }

                        }

                    }

                }

            }

        }


    }


    process {


        if($Threads) {

            Write-Verbose "Using threading with threads = $Threads"


            # if we're using threading, kick off the script block with Invoke-ThreadedFunction

            $ScriptParams = @{

                'Ping' = $(-not $NoPing)

                'CheckShareAccess' = $CheckShareAccess

                'ExcludedShares' = $ExcludedShares

                'CheckAdmin' = $CheckAdmin

            }


            # kick off the threaded script block + arguments 

            Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams

        }


        else {

            if(-not $NoPing -and ($ComputerName.count -ne 1)) {

                # ping all hosts in parallel

                $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}

                $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100

            }


            Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"

            $Counter = 0


            ForEach ($Computer in $ComputerName) {


                $Counter = $Counter + 1


                # sleep for our semi-randomized interval

                Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)


                Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"

                Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False, $CheckShareAccess, $ExcludedShares, $CheckAdmin

            }

        }

        

    }

}


function func

{

    Param

    (

        [Parameter(Position = 0, Mandatory = $True)]

        [String]

        $DllName,


        [Parameter(Position = 1, Mandatory = $True)]

        [String]

        $FunctionName,


        [Parameter(Position = 2, Mandatory = $True)]

        [Type]

        $ReturnType,


        [Parameter(Position = 3)]

        [Type[]]

        $ParameterTypes,


        [Parameter(Position = 4)]

        [Runtime.InteropServices.CallingConvention]

        $NativeCallingConvention,


        [Parameter(Position = 5)]

        [Runtime.InteropServices.CharSet]

        $Charset,


        [Switch]

        $SetLastError

    )


    $Properties = @{

        DllName = $DllName

        FunctionName = $FunctionName

        ReturnType = $ReturnType

    }


    if ($ParameterTypes) { $Properties['ParameterTypes'] = $ParameterTypes }

    if ($NativeCallingConvention) { $Properties['NativeCallingConvention'] = $NativeCallingConvention }

    if ($Charset) { $Properties['Charset'] = $Charset }

    if ($SetLastError) { $Properties['SetLastError'] = $SetLastError }


    New-Object PSObject -Property $Properties

}


function psenum

{



    [OutputType([Type])]

    Param

    (

        [Parameter(Position = 0, Mandatory = $True)]

        [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]

        $Module,


        [Parameter(Position = 1, Mandatory = $True)]

        [ValidateNotNullOrEmpty()]

        [String]

        $FullName,


        [Parameter(Position = 2, Mandatory = $True)]

        [Type]

        $Type,


        [Parameter(Position = 3, Mandatory = $True)]

        [ValidateNotNullOrEmpty()]

        [Hashtable]

        $EnumElements,


        [Switch]

        $Bitfield

    )



    if ($Module -is [Reflection.Assembly])

    {

        $k = ($Module.GetType($FullName))

return $k

    }


    $EnumType = $Type -as [Type]


    $EnumBuilder = $Module.DefineEnum($FullName, 'Public', $EnumType)

    if ($Bitfield)

    {

        $FlagsConstructor = [FlagsAttribute].GetConstructor(@())

        $FlagsCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($FlagsConstructor, @())

        $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute)

    }

    ForEach ($Key in $EnumElements.Keys)

    {

        # Apply the specified enum type to each element

        $Null = $EnumBuilder.DefineLiteral($Key, $EnumElements[$Key] -as $EnumType)

    }

    $EnumBuilder.CreateType()

}



# A helper function used to reduce typing while defining struct

# fields.

function field

{

    Param

    (

        [Parameter(Position = 0, Mandatory = $True)]

        [UInt16]

        $Position,


        [Parameter(Position = 1, Mandatory = $True)]

        [Type]

        $Type,


        [Parameter(Position = 2)]

        [UInt16]

        $Offset,


        [Object[]]

        $MarshalAs

    )


    @{

        Position = $Position

        Type = $Type -as [Type]

        Offset = $Offset

        MarshalAs = $MarshalAs

    }

}



function struct

{



    [OutputType([Type])]

    Param

    (

        [Parameter(Position = 1, Mandatory = $True)]

        [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]

        $Module,


        [Parameter(Position = 2, Mandatory = $True)]

        [ValidateNotNullOrEmpty()]

        [String]

        $FullName,


        [Parameter(Position = 3, Mandatory = $True)]

        [ValidateNotNullOrEmpty()]

        [Hashtable]

        $StructFields,


        [Reflection.Emit.PackingSize]

        $PackingSize = [Reflection.Emit.PackingSize]::Unspecified,


        [Switch]

        $ExplicitLayout

    )


    if ($Module -is [Reflection.Assembly])

    {

        return ($Module.GetType($FullName))

    }


    [Reflection.TypeAttributes] $StructAttributes = 'AnsiClass,

        Class,

        Public,

        Sealed,

        BeforeFieldInit'


    if ($ExplicitLayout)

    {

        $StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::ExplicitLayout

    }

    else

    {

        $StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::SequentialLayout

    }


    $StructBuilder = $Module.DefineType($FullName, $StructAttributes, [ValueType], $PackingSize)

    $ConstructorInfo = [Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]

    $SizeConst = @([Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))


    $Fields = New-Object Hashtable[]($StructFields.Count)


    # Sort each field according to the orders specified

    # Unfortunately, PSv2 doesn't have the luxury of the

    # hashtable [Ordered] accelerator.

    ForEach ($Field in $StructFields.Keys)

    {

        $Index = $StructFields[$Field]['Position']

        $Fields[$Index] = @{FieldName = $Field; Properties = $StructFields[$Field]}

    }


    ForEach ($Field in $Fields)

    {

        $FieldName = $Field['FieldName']

        $FieldProp = $Field['Properties']


        $Offset = $FieldProp['Offset']

        $Type = $FieldProp['Type']

        $MarshalAs = $FieldProp['MarshalAs']


        $NewField = $StructBuilder.DefineField($FieldName, $Type, 'Public')


        if ($MarshalAs)

        {

            $UnmanagedType = $MarshalAs[0] -as ([Runtime.InteropServices.UnmanagedType])

            if ($MarshalAs[1])

            {

                $Size = $MarshalAs[1]

                $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo,

                    $UnmanagedType, $SizeConst, @($Size))

            }

            else

            {

                $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, [Object[]] @($UnmanagedType))

            }


            $NewField.SetCustomAttribute($AttribBuilder)

        }


        if ($ExplicitLayout) { $NewField.SetOffset($Offset) }

    }


    # Make the struct aware of its own size.

    # No more having to call [Runtime.InteropServices.Marshal]::SizeOf!

    $SizeMethod = $StructBuilder.DefineMethod('GetSize',

        'Public, Static',

        [Int],

        [Type[]] @())

    $ILGenerator = $SizeMethod.GetILGenerator()

    # Thanks for the help, Jason Shirk!

    $ILGenerator.Emit([Reflection.Emit.OpCodes]::Ldtoken, $StructBuilder)

    $ILGenerator.Emit([Reflection.Emit.OpCodes]::Call,

        [Type].GetMethod('GetTypeFromHandle'))

    $ILGenerator.Emit([Reflection.Emit.OpCodes]::Call,

        [Runtime.InteropServices.Marshal].GetMethod('SizeOf', [Type[]] @([Type])))

    $ILGenerator.Emit([Reflection.Emit.OpCodes]::Ret)


    # Allow for explicit casting from an IntPtr

    # No more having to call [Runtime.InteropServices.Marshal]::PtrToStructure!

    $ImplicitConverter = $StructBuilder.DefineMethod('op_Implicit',

        'PrivateScope, Public, Static, HideBySig, SpecialName',

        $StructBuilder,

        [Type[]] @([IntPtr]))

    $ILGenerator2 = $ImplicitConverter.GetILGenerator()

    $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Nop)

    $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ldarg_0)

    $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ldtoken, $StructBuilder)

    $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Call,

        [Type].GetMethod('GetTypeFromHandle'))

    $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Call,

        [Runtime.InteropServices.Marshal].GetMethod('PtrToStructure', [Type[]] @([IntPtr], [Type])))

    $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Unbox_Any, $StructBuilder)

    $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ret)


    $StructBuilder.CreateType()

}


function Add-Win32Type

{



    [OutputType([Hashtable])]

    Param(

        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]

        [String]

        $DllName,


        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]

        [String]

        $FunctionName,


        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]

        [Type]

        $ReturnType,


        [Parameter(ValueFromPipelineByPropertyName = $True)]

        [Type[]]

        $ParameterTypes,


        [Parameter(ValueFromPipelineByPropertyName = $True)]

        [Runtime.InteropServices.CallingConvention]

        $NativeCallingConvention = [Runtime.InteropServices.CallingConvention]::StdCall,


        [Parameter(ValueFromPipelineByPropertyName = $True)]

        [Runtime.InteropServices.CharSet]

        $Charset = [Runtime.InteropServices.CharSet]::Auto,


        [Parameter(ValueFromPipelineByPropertyName = $True)]

        [Switch]

        $SetLastError,


        [Parameter(Mandatory = $True)]

        [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]

        $Module,


        [ValidateNotNull()]

        [String]

        $Namespace = ''

    )


    BEGIN

    {

        $TypeHash = @{}

    }


    PROCESS

    {

        if ($Module -is [Reflection.Assembly])

        {

            if ($Namespace)

            {

                $TypeHash[$DllName] = $Module.GetType("$Namespace.$DllName")

            }

            else

            {

                $TypeHash[$DllName] = $Module.GetType($DllName)

            }

        }

        else

        {

            # Define one type for each DLL

            if (!$TypeHash.ContainsKey($DllName))

            {

                if ($Namespace)

                {

                    $TypeHash[$DllName] = $Module.DefineType("$Namespace.$DllName", 'Public,BeforeFieldInit')

                }

                else

                {

                    $TypeHash[$DllName] = $Module.DefineType($DllName, 'Public,BeforeFieldInit')

                }

            }


            $Method = $TypeHash[$DllName].DefineMethod(

                $FunctionName,

                'Public,Static,PinvokeImpl',

                $ReturnType,

                $ParameterTypes)


            # Make each ByRef parameter an Out parameter

            $i = 1

            ForEach($Parameter in $ParameterTypes)

            {

                if ($Parameter.IsByRef)

                {

                    [void] $Method.DefineParameter($i, 'Out', $Null)

                }


                $i++

            }


            $DllImport = [Runtime.InteropServices.DllImportAttribute]

            $SetLastErrorField = $DllImport.GetField('SetLastError')

            $CallingConventionField = $DllImport.GetField('CallingConvention')

            $CharsetField = $DllImport.GetField('CharSet')

            if ($SetLastError) { $SLEValue = $True } else { $SLEValue = $False }


            # Equivalent to C# version of [DllImport(DllName)]

            $Constructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor([String])

            $DllImportAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($Constructor,

                $DllName, [Reflection.PropertyInfo[]] @(), [Object[]] @(),

                [Reflection.FieldInfo[]] @($SetLastErrorField, $CallingConventionField, $CharsetField),

                [Object[]] @($SLEValue, ([Runtime.InteropServices.CallingConvention] $NativeCallingConvention), ([Runtime.InteropServices.CharSet] $Charset)))


            $Method.SetCustomAttribute($DllImportAttribute)

        }

    }


    END

    {

        if ($Module -is [Reflection.Assembly])

        {

            return $TypeHash

        }


        $ReturnTypes = @{}


        ForEach ($Key in $TypeHash.Keys)

        {

            $Type = $TypeHash[$Key].CreateType()


            $ReturnTypes[$Key] = $Type

        }


        return $ReturnTypes

    }

}


function New-InMemoryModule

{



    Param

    (

        [Parameter(Position = 0)]

        [ValidateNotNullOrEmpty()]

        [String]

        $ModuleName = [Guid]::NewGuid().ToString()

    )


    $LoadedAssemblies = [AppDomain]::CurrentDomain.GetAssemblies()


    ForEach ($Assembly in $LoadedAssemblies) {

        if ($Assembly.FullName -and ($Assembly.FullName.Split(',')[0] -eq $ModuleName)) {

            return $Assembly

        }

    }


    $DynAssembly = New-Object Reflection.AssemblyName($ModuleName)

    $Domain = [AppDomain]::CurrentDomain

    $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, 'Run')

    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule($ModuleName, $False)


    return $ModuleBuilder

}



$Mod = New-InMemoryModule -ModuleName Win32


# all of the Win32 API functions we need

$FunctionDefinitions = @(

    (func netapi32 NetShareEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),

    (func netapi32 NetWkstaUserEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),

    (func netapi32 NetSessionEnum ([Int]) @([String], [String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),

    (func netapi32 NetApiBufferFree ([Int]) @([IntPtr])),

    (func advapi32 OpenSCManagerW ([IntPtr]) @([String], [String], [Int])),

    (func advapi32 CloseServiceHandle ([Int]) @([IntPtr])),

    (func wtsapi32 WTSOpenServerEx ([IntPtr]) @([String])),

    (func wtsapi32 WTSEnumerateSessionsEx ([Int]) @([IntPtr], [Int32].MakeByRefType(), [Int], [IntPtr].MakeByRefType(),  [Int32].MakeByRefType())),

    (func wtsapi32 WTSQuerySessionInformation ([Int]) @([IntPtr], [Int], [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType())),

    (func wtsapi32 WTSFreeMemoryEx ([Int]) @([Int32], [IntPtr], [Int32])),

    (func wtsapi32 WTSFreeMemory ([Int]) @([IntPtr])),

    (func wtsapi32 WTSCloseServer ([Int]) @([IntPtr])),

    (func kernel32 GetLastError ([Int]) @())

)


# enum used by $WTS_SESSION_INFO_1 below

$WTSConnectState = psenum $Mod WTS_CONNECTSTATE_CLASS UInt16 @{

    Active       =    0

    Connected    =    1

    ConnectQuery =    2

    Shadow       =    3

    Disconnected =    4

    Idle         =    5

    Listen       =    6

    Reset        =    7

    Down         =    8

    Init         =    9

}


# the WTSEnumerateSessionsEx result structure

$WTS_SESSION_INFO_1 = struct $Mod WTS_SESSION_INFO_1 @{

    ExecEnvId = field 0 UInt32

    State = field 1 $WTSConnectState

    SessionId = field 2 UInt32

    pSessionName = field 3 String -MarshalAs @('LPWStr')

    pHostName = field 4 String -MarshalAs @('LPWStr')

    pUserName = field 5 String -MarshalAs @('LPWStr')

    pDomainName = field 6 String -MarshalAs @('LPWStr')

    pFarmName = field 7 String -MarshalAs @('LPWStr')

}


# the particular WTSQuerySessionInformation result structure

$WTS_CLIENT_ADDRESS = struct $mod WTS_CLIENT_ADDRESS @{

    AddressFamily = field 0 UInt32

    Address = field 1 Byte[] -MarshalAs @('ByValArray', 20)

}


# the NetShareEnum result structure

$SHARE_INFO_1 = struct $Mod SHARE_INFO_1 @{

    shi1_netname = field 0 String -MarshalAs @('LPWStr')

    shi1_type = field 1 UInt32

    shi1_remark = field 2 String -MarshalAs @('LPWStr')

}


# the NetWkstaUserEnum result structure

$WKSTA_USER_INFO_1 = struct $Mod WKSTA_USER_INFO_1 @{

    wkui1_username = field 0 String -MarshalAs @('LPWStr')

    wkui1_logon_domain = field 1 String -MarshalAs @('LPWStr')

    wkui1_oth_domains = field 2 String -MarshalAs @('LPWStr')

    wkui1_logon_server = field 3 String -MarshalAs @('LPWStr')

}


# the NetSessionEnum result structure

$SESSION_INFO_10 = struct $Mod SESSION_INFO_10 @{

    sesi10_cname = field 0 String -MarshalAs @('LPWStr')

    sesi10_username = field 1 String -MarshalAs @('LPWStr')

    sesi10_time = field 2 UInt32

    sesi10_idle_time = field 3 UInt32

}




$Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32'

$Netapi32 = $Types['netapi32']

$Advapi32 = $Types['advapi32']

$Kernel32 = $Types['kernel32']

$Wtsapi32 = $Types['wtsapi32']


12 comments:

  1. I was thrown out of my own house was sleeping in a hotel for weeks she also took possession of my son could only see him once a week then I found out she was in love with my accountant all these while so I went online and I came across a Russian private investigator who help me get all my properties and my accounts back even my company back how he did these I don’t know but I gave all the information he asked for and followed all his instructions and now I’m happy my life’s better now.
    Thanks to HACKINTECHNOLOGY@CYBERSERVICES.COM
    I just said I should share my own story here
    Thank you

    ReplyDelete
  2. Cyberspaceshield is a company with group of certified hacker, who are always ready to assist you with all your cyber problems.

    We’ve been in existence for ages now, we are reliable and helpful in terms of cyber bullying.

    We can help you get all your cyber threats and bullies solved in less than what you can ever imagine.

    These are somethings we specializes on:

    ➡️ Phone Hacks

    ➡️ Credit scores

    ➡️ Social media Hacks (Facebook, Instagram, tik tok).

    ➡️ Binary options

    ➡️ Binary Recovery

    ➡️ Clear criminal records etc.


    The internet is full of scammers, that’s why we’re here to help you fight them out.

    If you have been a victim of scam, don’t hesitate to write us on

    EMAIL: Cyberspaceshield@gmail.com

    Thank you!!!

    ReplyDelete
  3. I know of a group of private investigators who can help you with they are also hackers but prefer to be called private investigators They can help with your bitcoin issues and your clients will be happy doing business with you,they can also help yo with your bad credit score,hacking into phones,binary recovery,wiping criminal records,increase school score, stolen files in your office or school,blank atm etc. Just name it and you will live a better life
    Contact +1(407) 777-4240
    Premiumhackservices@gmail.com

    ReplyDelete
  4. He is the best out there,I tested him and he delivered a good job,he helped me settle bank loans,he also helped my son upgrade his scores at high school final year which made him graduate successfully and he gave my son free scholarship into the college,all I had to do was to settle the bills for the tools on the job,I used $500 to get a job of $50000 done all thanks to Robertson he saved me from all my troubles,sharing this is how I can show gratitude in return for all he has done for me and my family

    Contact premiumhackservices@gmail.com

    Text/call ‪+1 (984) 733‑3673‬

    WhatsApp ‪+1 (984) 733‑3673‬

    Telegram ‪+1 (984) 733‑3673‬

    ReplyDelete
  5. I lost my job few months back and there was no way to get income for my family, things was so tough and I couldn't get anything for my children, not until a met a recommendation on a page writing how Mr Bernie Wilfred helped a lady in getting a huge amount of profit every 6 working days on trading with his management on the cryptocurrency Market, to be honest I never believe it but I took the risk to take a loan of $1000. and I contacted him unbelievable and I was so happy I earn $12,500 in 6 working days, the most joy is that I can now take care of my family I don't know how to appreciate your good work Mr. Bernie Doran God will continue to bless you for being a life saver I have no way to appreciate you than to tell people about your good services.
For a perfect investment and good strategies contact Mr Bernie Doran via WhatsApp :+1(424)285-0682 or Telegram : @Bernie_doran_fx or Email : Bernie.doranfx01@gmail.com

    ReplyDelete
  6. Came to this country and made a few financial mistakes. People told me I’d never be able to get my credit back on track and that it would take years. My friend introduced me to PINNACLE CREDIT SPECIALIST and trust me when I tell you I can’t believe my scores!!! I keep checking to ensure its saying 805. I love you guys!!! Reach them via : pinnaclecreditspecialist@gmail.com Phone: +1 585 466 4373.

    ReplyDelete
  7. I highly recommend Wardriver's Cyber service to help you recover your funds if you have ever been a victim of a bitcoin and cryptocurrency scam. I was contacted a few weeks ago on Instagram by someone claiming to be into investment and I could make huge profits on all my investment returns, I was moved by it and invested $70,000 into this cryptocurrency scam after he promised I will get a huge return on my investment in a few days, I realize it was all a scam when it was time to get my profits and they stopped responding to me and logged me out of my account on their platform. I heard about Wardriver's Cyber service from a colleague of mine and how they can help me recover my funds by hacking into their system. I contacted them and provide them with the information they requested and my funds were refunded to me within 24 hours. I feel relieved and thought it would be best to share this with many others out there who might need their service. You can contact them with the following information.
    Email: wardriverscyberservice @techie.com
    Whats-App/Tele-Gram: +1 ( 6 1 6) 8 9 8-7 2 8 5

    ReplyDelete
  8. Excellent article and I think the post that touchs readers's concerns always rock.
    bmo contact us
    maintenance enforcement ns

    ReplyDelete
  9. I am Richard Harrell and I live in AZ. My most gratitude goes to DOVLY CREDIT SOLUTION. Few months ago, I needed help with my credit. I had nowhere to run to. My whole life was in shambles because my current credit score was low 500, I wanted a higher score and negative items deleted although most of them I had no idea why they were there because I never opened accounts with credit cards. I went on the internet to search for help, and I found DOVLY CREDIT SOLUTION the credit professional and I immediately contacted them through (+1 713 396 5299 / OR DOVLYCREDITSOLUTION@GMAIL.COM). We got started with the process with some few questions and a little display of competency as a proof of legitimacy. The good news is that they did all they promised to do (deleted the accounts, erased all the inquiries and eventually raised my score to an 808 excellent score). Someone might be in a similar situation that’s the reason I decided to do this. Cheers!

    ReplyDelete
  10. Some FICO hackers will delay you; some will scam you, but here is how I got my FICO score to 805 excellent score from as low 500, due to my diabetic condition I got a setback on my payments owing to medical bills, my world started falling apart because I wanted to rent a home and take some loans but couldn’t. I kept looking for someone who could help me fix my credit to no avail, until October last year when I met DOVLY CREDIT SOLUTION through a friend whom they had worked for. DOVLY CREDIT SOLUTION boosted my credit in 6 days and restored my dignity. I was able to purchase a home. You can contact them by email: DOVLYCREDITSOLUTION@GMAIL.COM OR Call +1 (713) 396-5299. Only DOVLY CREDIT SOLUTION can do it for you.

    ReplyDelete
  11. Hello everyone! Ok…I’ll try to shorten this as best I can. After many years of marriage, I finally got divorced about three years ago. My ex-wife had major spending issues. Both of us have very good jobs. She is a physician and I’m a pharmacist/software engineer. We are both high earners, but she spent like the money was endless. We had a $2 million home in Miami, new cars every couple years, and her credit card spending was out of control. It was to the point that she was racking my credit cards up as well. I finally decided enough was enough and I left. Moved to the other side of the country with extreme amounts of debt. In a two years period I paid off almost $240,000 of debt. Some of it had gone to collections, and some of it had not. But my credit score was in the toilet. I have been a software engineer for a long time. I had not practiced pharmacy in many years though I kept my license active. My software engineering has always been around pharmacy systems. So, I started working three jobs. Software engineer during the day, working as a pharmacist part time during the evenings and weekends, and doing telephonic patient counseling for medication. I was constantly tired. But paid off every penny of the debt I had including student loans. I owe no one anything now. The real problem was my credit score was in the mid-600s. That was equally embarrassing. I went a little crazy looking for hackers to help me increase my credit score until a colleague recommended DOVLY CREDIT SOLUTION to me. I quickly searched about them and discovered they had so many positive reviews that I quickly contacted them by email: DOVLYCREDITSOLUTION@GMAIL.COM / I also gave them a call +1 (713) 396-5299. They responded swiftly, and I explained my predicament to them, which they accepted to boost my credit score to an excellent score. To my greatest surprise after 9 days, I got a call from them by 7:00AM to confirm my current credit score, which I quickly logged into Credit Karma and discovered my score has been boosted to 800s across the credit bureaus. They also deleted all the collections and inquiries on my credit report. I have no regrets working with DOVLY CREDIT SOLUTION. Hit them up if you have any credit related issues. I’m now well qualified credit wise.

    ReplyDelete
  12. 4 years ago, my scores were all under 600, and had been below 500 a couple of years before that. It has been a long road, but I finally got there! All thanks to PINNACLE CREDIT SPECIALIST. They can do it for you too! Hit him up on email: pinnaclecreditspecialist@gmail.com OR Call +1 (409) 231 0041.

    ReplyDelete