|
@ -57,20 +57,23 @@ function InitialActions |
|
|
|
|
|
|
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 |
|
|
|
|
|
|
|
|
|
|
|
# Import PowerShell 5.1 modules |
|
|
|
|
|
Import-Module -Name Microsoft.PowerShell.Management, PackageManagement, Appx -UseWindowsPowerShell |
|
|
|
|
|
|
|
|
# Extract strings from %SystemRoot%\System32\shell32.dll using its number |
|
|
# Extract strings from %SystemRoot%\System32\shell32.dll using its number |
|
|
# https://github.com/SamuelArnold/StarKill3r/blob/master/Star%20Killer/Star%20Killer/bin/Debug/Scripts/SANS-SEC505-master/scripts/Day1-PowerShell/Expand-IndirectString.ps1 |
|
|
# https://github.com/SamuelArnold/StarKill3r/blob/master/Star%20Killer/Star%20Killer/bin/Debug/Scripts/SANS-SEC505-master/scripts/Day1-PowerShell/Expand-IndirectString.ps1 |
|
|
# [WinAPI.GetStrings]::GetIndirectString("@%SystemRoot%\system32\schedsvc.dll,-100") |
|
|
# [WinAPI.GetStrings]::GetIndirectString("@%SystemRoot%\system32\schedsvc.dll,-100") |
|
|
|
|
|
|
|
|
# https://github.com/PowerShell/PowerShell/issues/21070 |
|
|
# https://github.com/PowerShell/PowerShell/issues/21070 |
|
|
$Script:CompilerParameters = [System.CodeDom.Compiler.CompilerParameters]::new("System.dll") |
|
|
$Script:CompilerOptions = [System.CodeDom.Compiler.CompilerParameters]::new("System.dll") |
|
|
$Script:CompilerParameters.TempFiles = [System.CodeDom.Compiler.TempFileCollection]::new($env:TEMP, $false) |
|
|
$Script:CompilerOptions.TempFiles = [System.CodeDom.Compiler.TempFileCollection]::new($env:TEMP, $false) |
|
|
$Script:CompilerParameters.GenerateInMemory = $true |
|
|
$Script:CompilerOptions.GenerateInMemory = $true |
|
|
$Signature = @{ |
|
|
$Signature = @{ |
|
|
Namespace = "WinAPI" |
|
|
Namespace = "WinAPI" |
|
|
Name = "GetStrings" |
|
|
Name = "GetStrings" |
|
|
Language = "CSharp" |
|
|
Language = "CSharp" |
|
|
UsingNamespace = "System.Text" |
|
|
UsingNamespace = "System.Text" |
|
|
CompilerOptions = $CompilerParameters |
|
|
CompilerOptions = $CompilerOptions |
|
|
MemberDefinition = @" |
|
|
MemberDefinition = @" |
|
|
[DllImport("kernel32.dll", CharSet = CharSet.Auto)] |
|
|
[DllImport("kernel32.dll", CharSet = CharSet.Auto)] |
|
|
public static extern IntPtr GetModuleHandle(string lpModuleName); |
|
|
public static extern IntPtr GetModuleHandle(string lpModuleName); |
|
@ -125,7 +128,7 @@ public static string GetIndirectString(string indirectString) |
|
|
Namespace = "WinAPI" |
|
|
Namespace = "WinAPI" |
|
|
Name = "ForegroundWindow" |
|
|
Name = "ForegroundWindow" |
|
|
Language = "CSharp" |
|
|
Language = "CSharp" |
|
|
CompilerOptions = $CompilerParameters |
|
|
CompilerOptions = $CompilerOptions |
|
|
MemberDefinition = @" |
|
|
MemberDefinition = @" |
|
|
[DllImport("user32.dll")] |
|
|
[DllImport("user32.dll")] |
|
|
public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow); |
|
|
public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow); |
|
@ -914,11 +917,21 @@ public static extern bool SetForegroundWindow(IntPtr hWnd); |
|
|
# Extract the localized "Skip" string from shell32.dll |
|
|
# Extract the localized "Skip" string from shell32.dll |
|
|
$Script:Skip = [WinAPI.GetStrings]::GetString(16956) |
|
|
$Script:Skip = [WinAPI.GetStrings]::GetString(16956) |
|
|
|
|
|
|
|
|
|
|
|
Write-Information -MessageData "┏┓ ┓ • ┏┓ • ┏ ┓ ┏• ┓ " -InformationAction Continue |
|
|
|
|
|
Write-Information -MessageData "┗┓┏┓┏┓┣┓┓┏┓ ┗┓┏┏┓┓┏┓╋ ╋┏┓┏┓ ┃┃┃┓┏┓┏┫┏┓┓┏┏┏" -InformationAction Continue |
|
|
|
|
|
Write-Information -MessageData "┗┛┗┛┣┛┛┗┗┗┻ ┗┛┗┛ ┗┣┛┗ ┛┗┛┛ ┗┻┛┗┛┗┗┻┗┛┗┻┛┛" -InformationAction Continue |
|
|
|
|
|
Write-Information -MessageData " ┛ ┛ " -InformationAction Continue |
|
|
|
|
|
|
|
|
|
|
|
Write-Information -MessageData "https://t.me/sophianews" -InformationAction Continue |
|
|
|
|
|
Write-Information -MessageData "https://t.me/sophia_chat" -InformationAction Continue |
|
|
|
|
|
Write-Information -MessageData "https://discord.gg/sSryhaEv79" -InformationAction Continue |
|
|
|
|
|
|
|
|
# Display a warning message about whether a user has customized the preset file |
|
|
# Display a warning message about whether a user has customized the preset file |
|
|
if ($Warning) |
|
|
if ($Warning) |
|
|
{ |
|
|
{ |
|
|
# Get the name of a preset (e.g Sophia.ps1) regardless it was named |
|
|
# Get the name of a preset (e.g Sophia.ps1) regardless it was named |
|
|
# $_.File has no EndsWith() method |
|
|
# $_.File has no EndsWith() method |
|
|
|
|
|
Write-Information -MessageData "" -InformationAction Continue |
|
|
$PresetName = Split-Path -Path (((Get-PSCallStack).Position | Where-Object -FilterScript {$_.File}).File | Where-Object -FilterScript {$_.EndsWith(".ps1")}) -Leaf |
|
|
$PresetName = Split-Path -Path (((Get-PSCallStack).Position | Where-Object -FilterScript {$_.File}).File | Where-Object -FilterScript {$_.EndsWith(".ps1")}) -Leaf |
|
|
Write-Verbose -Message ($Localization.CustomizationWarning -f $PresetName) -Verbose |
|
|
Write-Verbose -Message ($Localization.CustomizationWarning -f $PresetName) -Verbose |
|
|
|
|
|
|
|
@ -4481,7 +4494,7 @@ function Cursors |
|
|
Namespace = "WinAPI" |
|
|
Namespace = "WinAPI" |
|
|
Name = "Cursor" |
|
|
Name = "Cursor" |
|
|
Language = "CSharp" |
|
|
Language = "CSharp" |
|
|
CompilerParameters = $CompilerParameters |
|
|
CompilerOptions = $CompilerOptions |
|
|
MemberDefinition = @" |
|
|
MemberDefinition = @" |
|
|
[DllImport("user32.dll", EntryPoint = "SystemParametersInfo")] |
|
|
[DllImport("user32.dll", EntryPoint = "SystemParametersInfo")] |
|
|
public static extern bool SystemParametersInfo(uint uiAction, uint uiParam, uint pvParam, uint fWinIni); |
|
|
public static extern bool SystemParametersInfo(uint uiAction, uint uiParam, uint pvParam, uint fWinIni); |
|
@ -4719,7 +4732,7 @@ function OneDrive |
|
|
Namespace = "WinAPI" |
|
|
Namespace = "WinAPI" |
|
|
Name = "DeleteFiles" |
|
|
Name = "DeleteFiles" |
|
|
Language = "CSharp" |
|
|
Language = "CSharp" |
|
|
CompilerOptions = $CompilerParameters |
|
|
CompilerOptions = $CompilerOptions |
|
|
MemberDefinition = @" |
|
|
MemberDefinition = @" |
|
|
public enum MoveFileFlags |
|
|
public enum MoveFileFlags |
|
|
{ |
|
|
{ |
|
@ -5232,7 +5245,7 @@ function TempFolder |
|
|
Namespace = "WinAPI" |
|
|
Namespace = "WinAPI" |
|
|
Name = "DeleteFiles" |
|
|
Name = "DeleteFiles" |
|
|
Language = "CSharp" |
|
|
Language = "CSharp" |
|
|
CompilerOptions = $CompilerParameters |
|
|
CompilerOptions = $CompilerOptions |
|
|
MemberDefinition = @" |
|
|
MemberDefinition = @" |
|
|
public enum MoveFileFlags |
|
|
public enum MoveFileFlags |
|
|
{ |
|
|
{ |
|
@ -5356,7 +5369,7 @@ Unregister-ScheduledTask -TaskName SymbolicLink -Confirm:`$false |
|
|
Namespace = "WinAPI" |
|
|
Namespace = "WinAPI" |
|
|
Name = "DeleteFiles" |
|
|
Name = "DeleteFiles" |
|
|
Language = "CSharp" |
|
|
Language = "CSharp" |
|
|
CompilerOptions = $CompilerParameters |
|
|
CompilerOptions = $CompilerOptions |
|
|
MemberDefinition = @" |
|
|
MemberDefinition = @" |
|
|
public enum MoveFileFlags |
|
|
public enum MoveFileFlags |
|
|
{ |
|
|
{ |
|
@ -7118,7 +7131,7 @@ function Set-UserShellFolderLocation |
|
|
Namespace = "WinAPI" |
|
|
Namespace = "WinAPI" |
|
|
Name = "KnownFolders" |
|
|
Name = "KnownFolders" |
|
|
Language = "CSharp" |
|
|
Language = "CSharp" |
|
|
CompilerOptions = $CompilerParameters |
|
|
CompilerOptions = $CompilerOptions |
|
|
MemberDefinition = @" |
|
|
MemberDefinition = @" |
|
|
[DllImport("shell32.dll")] |
|
|
[DllImport("shell32.dll")] |
|
|
public extern static int SHSetKnownFolderPath(ref Guid folderId, uint flags, IntPtr token, [MarshalAs(UnmanagedType.LPWStr)] string path); |
|
|
public extern static int SHSetKnownFolderPath(ref Guid folderId, uint flags, IntPtr token, [MarshalAs(UnmanagedType.LPWStr)] string path); |
|
@ -8794,7 +8807,7 @@ function Set-Association |
|
|
Name = "Action" |
|
|
Name = "Action" |
|
|
Language = "CSharp" |
|
|
Language = "CSharp" |
|
|
UsingNamespace = "System.Text", "System.Security.AccessControl", "Microsoft.Win32" |
|
|
UsingNamespace = "System.Text", "System.Security.AccessControl", "Microsoft.Win32" |
|
|
CompilerOptions = $CompilerParameters |
|
|
CompilerOptions = $CompilerOptions |
|
|
MemberDefinition = @" |
|
|
MemberDefinition = @" |
|
|
[DllImport("advapi32.dll", CharSet = CharSet.Auto)] |
|
|
[DllImport("advapi32.dll", CharSet = CharSet.Auto)] |
|
|
private static extern int RegOpenKeyEx(UIntPtr hKey, string subKey, int ulOptions, int samDesired, out UIntPtr hkResult); |
|
|
private static extern int RegOpenKeyEx(UIntPtr hKey, string subKey, int ulOptions, int samDesired, out UIntPtr hkResult); |
|
@ -9264,7 +9277,7 @@ public static int UnloadHive(RegistryHives hive, string subKey) |
|
|
Namespace = "WinAPI" |
|
|
Namespace = "WinAPI" |
|
|
Name = "PatentHash" |
|
|
Name = "PatentHash" |
|
|
Language = "CSharp" |
|
|
Language = "CSharp" |
|
|
CompilerOptions = $CompilerParameters |
|
|
CompilerOptions = $CompilerOptions |
|
|
MemberDefinition = @" |
|
|
MemberDefinition = @" |
|
|
public static uint[] WordSwap(byte[] a, int sz, byte[] md5) |
|
|
public static uint[] WordSwap(byte[] a, int sz, byte[] md5) |
|
|
{ |
|
|
{ |
|
@ -9510,7 +9523,7 @@ public static long MakeLong(uint left, uint right) |
|
|
Namespace = "WinAPI" |
|
|
Namespace = "WinAPI" |
|
|
Name = "Signature" |
|
|
Name = "Signature" |
|
|
Language = "CSharp" |
|
|
Language = "CSharp" |
|
|
CompilerOptions = $CompilerParameters |
|
|
CompilerOptions = $CompilerOptions |
|
|
MemberDefinition = @" |
|
|
MemberDefinition = @" |
|
|
[DllImport("shell32.dll", CharSet = CharSet.Auto, SetLastError = false)] |
|
|
[DllImport("shell32.dll", CharSet = CharSet.Auto, SetLastError = false)] |
|
|
private static extern int SHChangeNotify(int eventId, int flags, IntPtr item1, IntPtr item2); |
|
|
private static extern int SHChangeNotify(int eventId, int flags, IntPtr item1, IntPtr item2); |
|
@ -14536,7 +14549,7 @@ function PostActions |
|
|
Namespace = "WinAPI" |
|
|
Namespace = "WinAPI" |
|
|
Name = "UpdateEnvironment" |
|
|
Name = "UpdateEnvironment" |
|
|
Language = "CSharp" |
|
|
Language = "CSharp" |
|
|
CompilerOptions = $CompilerParameters |
|
|
CompilerOptions = $CompilerOptions |
|
|
MemberDefinition = @" |
|
|
MemberDefinition = @" |
|
|
private static readonly IntPtr HWND_BROADCAST = new IntPtr(0xffff); |
|
|
private static readonly IntPtr HWND_BROADCAST = new IntPtr(0xffff); |
|
|
private const int WM_SETTINGCHANGE = 0x1a; |
|
|
private const int WM_SETTINGCHANGE = 0x1a; |
|
|