Learn how to perform background runspace~ from PowerShell intrusion scripts

Beans today bored on GitHub to see what interesting PowerShell script, inadvertently found Powersploit this project, carefully looked at, this module is for the intrusion test written, there are a lot of related hacking scripts, casually find a try.

For example, this can be used to record the keyboard input, the complete script I will not post it.

Https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Get-Keystrokes.ps1

The specific implementation of the function is not to consider, I am very curious about how he was executed in the background. You can see the end of the script. The author uses runspace, he creates a runspace, then passes in the script block and corresponding parameters, then triggers;

# Setup KeyLogger ' s runspace $PowerShell = [Powershell]::create () [void] $PowerShell. Addscript ($Script) [void] $Pow Ershell.addargument ($LogPath) if ($PSBoundParameters. Timeout) {[void] $PowerShell. Addargument ($Timeout)} # Start Ke Ylogger [void] $PowerShell. BeginInvoke ()

This way looks familiar ah, beans before learning multithreading, is to use runspace to replace the background job, because runspace performance efficiency is much higher;

http://beanxyz.blog.51cto.com/5570417/1760880

In fact, I looked at this hack script is also used before the job, the latest version changed to Runspace, visible knowledge is connected ~

Try it out.

Get-keystrokes-logpath C:\temp\key.log

Then enter a random command to see if the corresponding log file has a record, and it was successfully recorded

Ps c:\windows\system32\windowspowershell\v1.0> gc c:\temp\key.log "TypedKey", "WindowTitle", " Time "L", "administrator: windows powershell ise", "9/06/2016 10:59:48 am" "s", " Administrator: windows powershell ise "," 9/06/2016 10:59:48 am "" <Enter> "," Administrator: windows powershell ise "," 9/06/2016 10:59:48 am "" G "," Administrator:  windows powershell ise "," 9/06/2016 10:59:50 am "" C "," administrator: windows  powershell ise "," 9/06/2016 10:59:50 am "" < > "," administrator: windows  powershell ise "," 9/06/2016 10:59:50 am "" C "," Administrator: windows powershell  ise "," 9/06/2016 10:59:51 am "" <Shift> "," administrator: windows powershell  ISE "," 9/06/2016 10:59:51 am "": "," administrator: windows powershell ise "," 9/06/2016  10:59:51 am "" \ "," ADMINISTRATOR:&NBsp Windows powershell ise "," 9/06/2016 10:59:51 am "" T "," administrator: windows  Powershell ise "," 9/06/2016 10:59:52 am "" E "," administrator: windows powershell  ISE "," 9/06/2016 10:59:52 am "" M "," Administrator: windows powershell ise "," 9/06/2016  10:59:52 am "" P "," Administrator: windows powershell ise "," 9/06/2016 10:59:52  am "\", "Administrator: windows powershell ise", "9/06/2016 10:59:52 am" "K", " Administrator: windows powershell ise "," 9/06/2016 10:59:53 am "" E "," Administrator:  windows powershell ise "," 9/06/2016 10:59:53 am "" Y "," administrator: windows  powershell ise "," 9/06/2016 10:59:53 am "" <Enter> "," administrator: windows  Powershell ise "," 9/06/2016 10:59:54 am "" <Enter> "," administrator: windows  Powershell ise "," 9/06/2016 10: 59:54 am " 

If I don't care about him, all my keyboard operations will be recorded, how can I stop this monitoring?

Looking at Runspace, I guess the second newest runspace should be the one I just created.

ps c:\windows\system32\windowspowershell\v1.0> get-runspace id name             ComputerName    Type           State          availability    -- ----             ------------    ----           -----         ------------     1  Runspace1       localhost        local         opened         Busy             2 Runspace2        localhost       local          opened        busy

Check the properties and methods to find out if you can close him.

ps c:\windows\system32\windowspowershell\v1.0> get-runspace 2 | gm    TypeName: System.Management.Automation.Runspaces.LocalRunspaceName                           MemberType Definition                                                                                                                                                                                           ----                           ---------- ----------                                                                                                                                                                                            AvailabilityChanged           Event      system.eventhandler ' 1[ System.management.automation.runspaces.runspaceavailabilityeventargs] availabilitychanged (System.Object,  system.management.automation.runspaces.runspaceavailabilit ... Statechanged                  Event      system.eventhandler ' 1[ System.management.automation.runspaces.runspacestateeventargs] statechanged (System.Object,  System.Management.Automation.Runspaces.RunspaceStateEventArgs)               clearbasetransaction         method      void clearbasetransaction ()                                                                                                                                                                          Close                          method     void close ()                                                                                                                                                                                           CloseAsync                    method     void closeasync ()                                                                                                                                                                                      connect                       method     void connect ()

Try it out.

PS c:\windows\system32\windowspowershell\v1.0> (get-runspace 2). Close ()

Successfully stopped the runspace, and did not continue to write in the back.

Now I have written a similar applet to try it out in the same way. I'm going to write a background program that pops up a dialog box every 30 seconds and tells me to take a break ~

$scriptblock ={while ($true) {$MessageboxTitle = "health Reminder" $Messageboxbody = "a Break with my lord" $ Messageicon = [System.windows.messageboximage]::information$buttontype = [system.windows.messageboxbutton]::ok[ System.windows.messagebox]::show ($Messageboxbody, $MessageboxTitle, $ButtonType, $messageicon) start-sleep-seconds () $job =[powershell]::create () $job. Addscript ($scriptblock) $job. BeginInvoke ()

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M01/82/8B/wKioL1dZD7fjtT9SAAAS9OoP1II719.png "title=" 6.PNG " alt= "Wkiol1dzd7fjtt9saaas9oop1ii719.png"/>

After testing, every 30 seconds will jump out of this dialog box, success! 650) this.width=650; "src=" Http://img.baidu.com/hi/jx2/j_0003.gif "alt=" J_0003.gif "/>

This article is from the "Mapo Tofu" blog, please be sure to keep this source http://beanxyz.blog.51cto.com/5570417/1787607

Learn how to perform background runspace~ from PowerShell intrusion scripts