// Here is where we execute posh code public static AttackState PSExec(AttackState attackState) { using (Pipeline pipeline = attackState.runspace.CreatePipeline()) { pipeline.Commands.AddScript(attackState.cmd); // If we're in an auto-complete loop, we want the PSObjects, not the string from the output of the command // TODO: clean this up if (attackState.loopType != null) { pipeline.Commands[0].MergeMyResults(PipelineResultTypes.Error, PipelineResultTypes.Output); } else { pipeline.Commands[0].MergeMyResults(PipelineResultTypes.Error, PipelineResultTypes.Output); pipeline.Commands.Add("out-default"); } try { attackState.results = pipeline.Invoke(); } catch (Exception e) { attackState.results = null; Display.Exception(attackState, e.Message); } pipeline.Dispose(); } //Clear out command so it doesn't get echo'd out to console again. attackState.ClearIO(); if (attackState.loopType == null) { attackState.cmdComplete = true; } return(attackState); }
// This is called everytime a key is pressed. public static AttackState CommandProcessor(AttackState attackState) { attackState.output = null; int relativePos = attackState.relativeCursorPos(); int cmdLength = attackState.displayCmd.Length; ///////////////////////// // BACKSPACE OR DELETE // ///////////////////////// if (attackState.keyInfo.Key == ConsoleKey.Backspace || attackState.keyInfo.Key == ConsoleKey.Delete) { attackState.ClearLoop(); if (attackState.displayCmd != "" && attackState.relativeCursorPos() > 0) { if (attackState.keyInfo.Key == ConsoleKey.Backspace) { attackState.cursorPos -= 1; } List <char> displayCmd = attackState.displayCmd.ToList(); int relativeCursorPos = attackState.relativeCmdCursorPos(); displayCmd.RemoveAt(relativeCursorPos); attackState.displayCmd = new string(displayCmd.ToArray()); } } ///////////////////////// // BACKSPACE OR DELETE // ///////////////////////// else if (attackState.keyInfo.Key == ConsoleKey.Home || attackState.keyInfo.Key == ConsoleKey.End) { if (attackState.keyInfo.Key == ConsoleKey.Home) { attackState.cursorPos = attackState.promptLength; } else { attackState.cursorPos = attackState.promptLength + attackState.displayCmd.Length; } } //////////////// // UP OR DOWN // //////////////// else if (attackState.keyInfo.Key == ConsoleKey.UpArrow || attackState.keyInfo.Key == ConsoleKey.DownArrow) { return(history(attackState)); } /////////////////// // LEFT OR RIGHT // /////////////////// // TODO: Fix arrows navigating between wrapped command lines else if (attackState.keyInfo.Key == ConsoleKey.LeftArrow) { if (attackState.relativeCmdCursorPos() > 0) { attackState.ClearLoop(); attackState.cursorPos -= 1; } return(attackState); } else if (attackState.keyInfo.Key == ConsoleKey.RightArrow) { if (attackState.relativeCmdCursorPos() < attackState.displayCmd.Length) { attackState.ClearLoop(); attackState.cursorPos += 1; } return(attackState); } /////////// // ENTER // /////////// else if (attackState.keyInfo.Key == ConsoleKey.Enter) { Console.WriteLine(); attackState.ClearLoop(); attackState.cmd = attackState.displayCmd; // don't add blank lines to history if (attackState.cmd != "") { attackState.history.Add(attackState.cmd); } if (attackState.cmd == "exit") { System.Environment.Exit(0); } else if (attackState.cmd == "clear") { Console.Clear(); attackState.displayCmd = ""; Display.printPrompt(attackState); } // TODO: Make this better. //else if (attackState.cmd.Contains(".exe")) //{ // attackState.cmd = "Start-Process -NoNewWindow -Wait " + attackState.cmd; // attackState = Processing.PSExec(attackState); // Display.Output(attackState); //} // assume that we just want to execute whatever makes it here. else { attackState = Processing.PSExec(attackState); attackState.displayCmd = ""; Display.Output(attackState); } // clear out cmd related stuff from state attackState.ClearIO(display: true); } ///////// // TAB // ///////// else if (attackState.keyInfo.Key == ConsoleKey.Tab) { return(TabExpansion.Process(attackState)); } ////////// // if nothing matched, lets assume its a character and add it to displayCmd ////////// else { attackState.ClearLoop(); // figure out where to insert the typed character List <char> displayCmd = attackState.displayCmd.ToList(); int relativeCmdCursorPos = attackState.relativeCmdCursorPos(); int cmdInsertPos = attackState.cursorPos - attackState.promptLength; displayCmd.Insert(attackState.cursorPos - attackState.promptLength, attackState.keyInfo.KeyChar); attackState.displayCmd = new string(displayCmd.ToArray()); attackState.cursorPos += 1; } return(attackState); }
static AttackState PSInit() { // Display Loading Message Console.ForegroundColor = PSColors.logoText; Random random = new Random(); int pspLogoInt = random.Next(Strings.psaLogos.Count); Console.WriteLine(Strings.psaLogos[pspLogoInt]); Console.WriteLine("Loading..."); // create attackState AttackState attackState = new AttackState(); attackState.cursorPos = attackState.promptLength; // Get Encrypted Values Assembly assembly = Assembly.GetExecutingAssembly(); Stream valueStream = assembly.GetManifestResourceStream("PSAttack.Resources." + Properties.Settings.Default.valueStore); MemoryStream valueStore = CryptoUtils.DecryptFile(valueStream); string valueStoreStr = Encoding.Unicode.GetString(valueStore.ToArray()); string[] valuePairs = valueStoreStr.Replace("\r","").Split('\n'); foreach (string value in valuePairs) { if (value != "") { string[] entry = value.Split('|'); attackState.decryptedStore.Add(entry[0], entry[1]); } } // amsi bypass (thanks matt!!) if (Environment.OSVersion.Version.Major > 9) { try { attackState.cmd = attackState.decryptedStore["amsiBypass"]; Processing.PSExec(attackState); } catch { Console.WriteLine("Could not run AMSI bypass."); } } // Decrypt modules string[] resources = assembly.GetManifestResourceNames(); foreach (string resource in resources) { if (resource.Contains("PSAttack.Modules.")) { string fileName = resource.Replace("PSAttack.Modules.", ""); string decFilename = CryptoUtils.DecryptString(fileName); Console.ForegroundColor = PSColors.loadingText; Console.WriteLine("Decrypting: {0}", decFilename); Stream moduleStream = assembly.GetManifestResourceStream(resource); PSAUtils.ImportModules(attackState, moduleStream); } } // Setup PS env attackState.cmd = attackState.decryptedStore["setExecutionPolicy"]; Processing.PSExec(attackState); // check for admin Boolean isAdmin = false; Boolean debugProc = false; if (new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator)) { isAdmin = true; try { System.Diagnostics.Process.EnterDebugMode(); debugProc = true; } catch { Console.Write("Could not grab debug rights for process."); } } // Setup Console Console.Title = Strings.windowTitle; Console.BufferHeight = Int16.MaxValue - 10; Console.BackgroundColor = PSColors.background; Console.TreatControlCAsInput = true; Console.Clear(); // get build info string buildString; Boolean builtWithBuildTool = true; DateTime storedBuildDate = new DateTime(); try { storedBuildDate = Convert.ToDateTime(attackState.decryptedStore["buildDate"]); } catch { } DateTime textBuildDate = new DateTime(); try { string buildDate = new StreamReader(assembly.GetManifestResourceStream("PSAttack.Resources.BuildDate.txt")).ReadToEnd(); textBuildDate = Convert.ToDateTime(buildDate); } catch { } if (storedBuildDate > textBuildDate) { buildString = "Build Date " + storedBuildDate + "\n\nThis is a custom baked build.\n"; } else { buildString = "Build Date " + textBuildDate + "\n\nIf you'd like a version of PS>Attack thats even harder for AV \nto detect checkout http://github.com/jaredhaight/PSAttackBuildTool \n"; builtWithBuildTool = false; } // Figure out if we're 32 or 64bit string arch = "64bit"; if (IntPtr.Size == 4) { arch = "32bit"; } // setup debug variable String debugCmd = "$debug = @{'psaVersion'='" + Strings.version + "';'osVersion'='" + Environment.OSVersion.ToString() + "';'.NET'='" + System.Environment.Version + "';'isAdmin'='"+ isAdmin + "';'builtWithBuildTool'='" + builtWithBuildTool.ToString() +"';'debugRights'='" + debugProc + "';'arch'='" + arch + "'}"; attackState.cmd = debugCmd; Processing.PSExec(attackState); // print intro Console.ForegroundColor = PSColors.introText; Console.WriteLine(Strings.welcomeMessage, Strings.version, buildString); // Display Prompt attackState.ClearLoop(); attackState.ClearIO(); Display.printPrompt(attackState); return attackState; }
// This is called everytime a key is pressed. public static AttackState CommandProcessor(AttackState attackState) { attackState.output = null; int relativePos = attackState.relativeCursorPos(); int cmdLength = attackState.displayCmd.Length; ///////////////////////// // BACKSPACE OR DELETE // ///////////////////////// if (attackState.keyInfo.Key == ConsoleKey.Backspace || attackState.keyInfo.Key == ConsoleKey.Delete) { attackState.ClearLoop(); if (attackState.displayCmd != "" && attackState.relativeCursorPos() > 0) { if (attackState.keyInfo.Key == ConsoleKey.Backspace) { attackState.cursorPos -= 1; } List<char> displayCmd = attackState.displayCmd.ToList(); int relativeCursorPos = attackState.relativeCmdCursorPos(); displayCmd.RemoveAt(relativeCursorPos); attackState.displayCmd = new string(displayCmd.ToArray()); } } ///////////////////////// // BACKSPACE OR DELETE // ///////////////////////// else if (attackState.keyInfo.Key == ConsoleKey.Home || attackState.keyInfo.Key == ConsoleKey.End) { if (attackState.keyInfo.Key == ConsoleKey.Home) { attackState.cursorPos = attackState.promptLength; } else { attackState.cursorPos = attackState.promptLength + attackState.displayCmd.Length; } } //////////////// // UP OR DOWN // //////////////// else if (attackState.keyInfo.Key == ConsoleKey.UpArrow || attackState.keyInfo.Key == ConsoleKey.DownArrow) { return history(attackState); } /////////////////// // LEFT OR RIGHT // /////////////////// // TODO: Fix arrows navigating between wrapped command lines else if (attackState.keyInfo.Key == ConsoleKey.LeftArrow) { if (attackState.relativeCmdCursorPos() > 0) { attackState.cursorPos -= 1; } return attackState; } else if (attackState.keyInfo.Key == ConsoleKey.RightArrow) { if (attackState.relativeCmdCursorPos() < attackState.displayCmd.Length) { attackState.cursorPos += 1; } return attackState; } /////////// // ENTER // /////////// else if (attackState.keyInfo.Key == ConsoleKey.Enter) { Console.WriteLine("\n"); attackState.ClearLoop(); attackState.cmd = attackState.displayCmd; // don't add blank lines to history if (attackState.cmd != "") { attackState.history.Add(attackState.cmd); } if (attackState.cmd == "exit") { System.Environment.Exit(0); } else if (attackState.cmd == "clear") { Console.Clear(); attackState.displayCmd = ""; Display.printPrompt(attackState); } // TODO: Make this better. else if (attackState.cmd.Contains(".exe")) { attackState.cmd = "Start-Process -NoNewWindow -Wait " + attackState.cmd; attackState = Processing.PSExec(attackState); Display.Output(attackState); } // assume that we just want to execute whatever makes it here. else { attackState = Processing.PSExec(attackState); attackState.displayCmd = ""; Display.Output(attackState); } // clear out cmd related stuff from state attackState.ClearIO(display:true); } ///////// // TAB // ///////// else if (attackState.keyInfo.Key == ConsoleKey.Tab) { return TabExpansion.Process(attackState); } ////////// // if nothing matched, lets assume its a character and add it to displayCmd ////////// else { attackState.ClearLoop(); // figure out where to insert the typed character List<char> displayCmd = attackState.displayCmd.ToList(); int relativeCmdCursorPos = attackState.relativeCmdCursorPos(); int cmdInsertPos = attackState.cursorPos - attackState.promptLength; displayCmd.Insert(attackState.cursorPos - attackState.promptLength, attackState.keyInfo.KeyChar); attackState.displayCmd = new string(displayCmd.ToArray()); attackState.cursorPos += 1; } return attackState; }
// Here is where we execute posh code public static AttackState PSExec(AttackState attackState) { using (Pipeline pipeline = attackState.runspace.CreatePipeline()) { pipeline.Commands.AddScript(attackState.cmd); // If we're in an auto-complete loop, we want the PSObjects, not the string from the output of the command // TODO: clean this up if (attackState.loopType != null) { pipeline.Commands[0].MergeMyResults(PipelineResultTypes.Error, PipelineResultTypes.Output); } else { pipeline.Commands[0].MergeMyResults(PipelineResultTypes.Error, PipelineResultTypes.Output); pipeline.Commands.Add("out-default"); } try { attackState.results = pipeline.Invoke(); } catch (Exception e) { attackState.results = null; Display.Exception(attackState, e.Message); } pipeline.Dispose(); } //Clear out command so it doesn't get echo'd out to console again. attackState.ClearIO(); if (attackState.loopType == null) { attackState.cmdComplete = true; } return attackState; }
// Here is where we execute posh code public static AttackState PSExec(AttackState attackState) { using (Pipeline pipeline = attackState.runspace.CreatePipeline()) { //Console.WriteLine("[*] puting cmd in pipeline"); pipeline.Commands.AddScript(attackState.cmd); // If we're in an auto-complete loop, we want the PSObjects, not the string from the output of the command // TODO: clean this up if ((attackState.loopType != null) || (!attackState.console)) { //Console.WriteLine("[*] Merging results 1"); pipeline.Commands[0].MergeMyResults(PipelineResultTypes.Error, PipelineResultTypes.Output); } else { //Console.WriteLine("[*] Merging results 2"); pipeline.Commands[0].MergeMyResults(PipelineResultTypes.Error, PipelineResultTypes.Output); pipeline.Commands.Add("out-default"); pipeline.Commands.Add("Write-Host"); } //try //{ //Console.WriteLine("[*] trying to evoke pipeline"); if (attackState.console) { attackState.results = pipeline.Invoke(); } else { pipeline.InvokeAsync(); while (!pipeline.Output.EndOfPipeline) { pipeline.Output.WaitHandle.WaitOne(); while (pipeline.Output.Count > 0) { PSObject psObject = pipeline.Output.Read(); // Write output object data. Console.WriteLine(psObject.ToString()); Collection <PSObject> results = new Collection <PSObject>(); results.Add(psObject); attackState.results = results; } } } //} //catch (Exception e) //{ // Console.WriteLine("[!] Exeception.."); // attackState.results = null; // Display.Exception(attackState, e.Message); //} pipeline.Dispose(); } //Clear out command so it doesn't get echo'd out to console again. attackState.ClearIO(); if (attackState.loopType == null) { attackState.cmdComplete = true; } return(attackState); }