Learning how to run a background runspace from PowerShell intrusion scripts ~


Today I (Beans) was bored and browsing GitHub for interesting PowerShell scripts when I stumbled on the PowerSploit project. Looking at it more carefully, this module is written for penetration testing and contains a lot of hacking-related scripts, so I picked one at random to try out.


For example, this one can be used to record keyboard input. I won't post the complete script here.

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Get-Keystrokes.ps1


I won't go into the specific implementation of the function; what I was curious about is how it gets executed in the background. Look at the end of the script: the author uses a runspace. He creates a runspace, passes in the script block and the corresponding parameters, and then triggers it:


    # Setup KeyLogger's runspace
    $PowerShell = [PowerShell]::Create()
    [void]$PowerShell.AddScript($Script)
    [void]$PowerShell.AddArgument($LogPath)
    if ($PSBoundParameters.Timeout) { [void]$PowerShell.AddArgument($Timeout) }

    # Start KeyLogger
    [void]$PowerShell.BeginInvoke()


This looks familiar. When I was learning multithreading earlier, I used runspaces to replace background jobs, because a runspace is much more efficient:

http://beanxyz.blog.51cto.com/5570417/1760880


In fact, an earlier version of this hacking script also used a job; the latest version changed to a runspace. Knowledge really is all connected ~
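To make the Create / AddScript / AddArgument / BeginInvoke pattern from the snippet above concrete, here is an added example (my own code, not from the original post and not from PowerSploit) that starts a benign background worker, passes it arguments the same way, then collects its output and releases the runspace. The names $LogPath, $Interval, $Script, $Handle and $Result are chosen for this example, and the log path is a constructed sample path.

```powershell
# Added example (not from the original post or from PowerSploit): the same
# Create / AddScript / AddArgument / BeginInvoke pattern applied to a benign
# background worker whose output is collected and whose runspace is cleaned up.

$LogPath  = Join-Path $env:TEMP 'runspace-demo.log'   # constructed sample path
$Interval = 2                                        # seconds between ticks

# The script block runs inside the NEW runspace. Variables of the calling
# session are not visible there, so everything it needs arrives as a parameter.
$Script = {
    param([string]$Path, [int]$Seconds)
    $lines = @()
    foreach ($i in 1..3) {
        $line = "{0} tick {1}" -f (Get-Date -Format 'HH:mm:ss'), $i
        Add-Content -Path $Path -Value $line
        $lines += $line
        Start-Sleep -Seconds $Seconds
    }
    # Whatever the script block emits is what EndInvoke() later returns.
    $lines
}

$PowerShell = [PowerShell]::Create()
[void]$PowerShell.AddScript($Script)
[void]$PowerShell.AddArgument($LogPath)    # bound positionally to $Path
[void]$PowerShell.AddArgument($Interval)   # bound positionally to $Seconds

# BeginInvoke() returns immediately; the work runs on a thread-pool thread
# and the prompt stays free, which is exactly why the key logger uses it.
$Handle = $PowerShell.BeginInvoke()
"Started in runspace Id {0}" -f $PowerShell.Runspace.Id

# Poll the handle instead of guessing when it is done. EndInvoke() blocks
# until completion, returns the output and rethrows a terminating error.
while (-not $Handle.IsCompleted) { Start-Sleep -Milliseconds 200 }
$Result = $PowerShell.EndInvoke($Handle)
$Result

# Non-terminating errors are collected in a separate stream, not thrown.
if ($PowerShell.Streams.Error.Count -gt 0) { $PowerShell.Streams.Error }

# Dispose() closes the runspace and releases its thread; keep the handle
# ($PowerShell) around until then, otherwise you are left hunting for the
# runspace by Id later, as the post does below.
$PowerShell.Dispose()
```

The important difference from the key logger's usage is that the PowerShell object is kept and disposed once the work has finished; a script that fires BeginInvoke() and throws the object away leaves an orphaned runspace running in the process.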


Try it out.

    Get-Keystrokes -LogPath C:\temp\key.log


Then I typed a random command and checked whether the corresponding log file had recorded it. It was recorded successfully:

    PS C:\windows\system32\windowspowershell\v1.0> gc C:\temp\key.log
    "TypedKey","WindowTitle","Time"
    "L","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
    "s","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
    "<Enter>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
    "G","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
    "C","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
    "< >","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
    "C","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
    "<Shift>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
    ":","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
    "\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
    "T","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
    "E","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
    "M","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
    "P","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
    "\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
    "K","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
    "E","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
    "Y","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
    "<Enter>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM"
    "<Enter>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM"


If I just leave it alone, all my keyboard operations will be recorded. So how do I stop this monitoring?


Looking at the runspaces, I guessed that the second (newest) runspace should be the one I had just created:

    PS C:\windows\system32\windowspowershell\v1.0> Get-Runspace

     Id Name            ComputerName    Type          State         Availability
     -- ----            ------------    ----          -----         ------------
      1 Runspace1       localhost       Local         Opened        Busy
      2 Runspace2       localhost       Local         Opened        Busy


Check its properties and methods to find out whether it can be closed:

    PS C:\windows\system32\windowspowershell\v1.0> Get-Runspace 2 | gm

       TypeName: System.Management.Automation.Runspaces.LocalRunspace

    Name                 MemberType Definition
    ----                 ---------- ----------
    AvailabilityChanged  Event      System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceAvailabilityEventArgs] AvailabilityChanged(System.Object, System.Management.Automation.Runspaces.RunspaceAvailabilit...
    StateChanged         Event      System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceStateEventArgs] StateChanged(System.Object, System.Management.Automation.Runspaces.RunspaceStateEventArgs)
    ClearBaseTransaction Method     void ClearBaseTransaction()
    Close                Method     void Close()
    CloseAsync           Method     void CloseAsync()
    Connect              Method     void Connect()


Try it out.

    PS C:\windows\system32\windowspowershell\v1.0> (Get-Runspace 2).Close()


The runspace was stopped successfully, and nothing more was written to the log afterwards.
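Guessing that "the second runspace is mine" works in a fresh ISE session but is fragile in a process that already has several runspaces. As an added example (my own code, not from the original post), the block below audits the runspaces in the current process, identifies the background one from the PowerShell object that created it, and stops it without touching the session's own runspace. It assumes PowerShell 5.0 or later for Get-Runspace; $Loop, $Mine, $TargetId and the function name Stop-LoopRunspace are names chosen for this example.

```powershell
# Added example (not from the original post): audit background runspaces in
# this process and stop the right one deliberately rather than by guessing
# its Id. Assumes PowerShell 5.0+ (Get-Runspace).

# A never-ending loop, like the key logger's, as a stand-in background task.
$Loop = [PowerShell]::Create()
[void]$Loop.AddScript({ while ($true) { Start-Sleep -Seconds 1 } })
[void]$Loop.BeginInvoke()

# 1. Audit: everything running in this process other than my own session.
$Mine = [runspace]::DefaultRunspace.Id          # the interactive runspace
Get-Runspace |
    Where-Object { $_.Id -ne $Mine } |
    Select-Object Id, Name,
        @{ n = 'State';        e = { $_.RunspaceStateInfo.State } },
        @{ n = 'Availability'; e = { $_.RunspaceAvailability } }

# 2. Identify: the object that created the runspace knows its Id.
$TargetId = $Loop.Runspace.Id
"Background loop is runspace Id $TargetId"

# 3. Stop: prefer the owning PowerShell object; fall back to Close() by Id,
#    which is what the post does when only Get-Runspace output is available.
function Stop-LoopRunspace {
    param(
        [int]$Id,
        [System.Management.Automation.PowerShell]$Owner
    )
    if ($Id -eq [runspace]::DefaultRunspace.Id) {
        throw "Refusing to close the session's own runspace (Id $Id)"
    }
    if ($Owner) {
        $Owner.Stop()      # cancels the running pipeline
        $Owner.Dispose()   # closes and releases the runspace
    } else {
        (Get-Runspace -Id $Id).Close()
    }
}

Stop-LoopRunspace -Id $TargetId -Owner $Loop

# The loop's runspace is no longer Opened/Busy.
Get-Runspace | Select-Object Id, Name, @{ n = 'State'; e = { $_.RunspaceStateInfo.State } }
```

The same audit step is useful on its own: a long-running interactive session that shows extra Opened/Busy runspaces you did not start is worth a closer look, since that is precisely the footprint the key logger leaves.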


Now I have written a similar little program to try the same approach: a background task that pops up a dialog box every 30 seconds telling me to take a break ~


    $scriptblock = {
        # [System.Windows.MessageBox] lives in PresentationFramework; the ISE
        # already has it loaded, the console host does not.
        Add-Type -AssemblyName PresentationFramework
        while ($true) {
            $MessageboxTitle = "Health Reminder"
            $Messageboxbody  = "Take a break, my lord"
            $MessageIcon     = [System.Windows.MessageBoxImage]::Information
            $ButtonType      = [System.Windows.MessageBoxButton]::OK
            [System.Windows.MessageBox]::Show($Messageboxbody, $MessageboxTitle, $ButtonType, $MessageIcon)
            Start-Sleep -Seconds 30
        }
    }

    $job = [PowerShell]::Create()
    $job.AddScript($scriptblock)
    $job.BeginInvoke()





After testing, the dialog box does pop up every 30 seconds. Success!



This article is from the "Mapo Tofu" blog; please be sure to keep this source: http://beanxyz.blog.51cto.com/5570417/1787607
