I was bored today and browsed GitHub for interesting PowerShell scripts, and by chance came across the PowerSploit project. Looking at it carefully, this module is written for penetration testing and contains a lot of hacking-related scripts, so I casually picked one to try.
For example, this one can be used to record keyboard input. I won't post the complete script here:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Get-Keystrokes.ps1
The specific implementation of the keylogging itself is not what interests me; what I am very curious about is how it is made to run in the background. Look at the end of the script: the author uses a runspace. He creates a runspace, passes in the script block and the corresponding parameters, and then triggers it;
    # Setup KeyLogger's runspace
    $PowerShell = [PowerShell]::Create()
    [void]$PowerShell.AddScript($Script)
    [void]$PowerShell.AddArgument($LogPath)
    if ($PSBoundParameters.Timeout) { [void]$PowerShell.AddArgument($Timeout) }

    # Start KeyLogger
    [void]$PowerShell.BeginInvoke()
This looks familiar! When I was learning multithreading before, I used runspaces to replace background jobs, because the performance of a runspace is much higher;
http://beanxyz.blog.51cto.com/5570417/1760880
In fact, when I looked at this hacking script earlier it also used jobs; the latest version has switched to a runspace. Knowledge really is connected ~
Try it out.
    Get-Keystrokes -LogPath C:\temp\key.log
Then type a few random commands and check whether the log file has a corresponding record. It was recorded successfully:
    PS C:\windows\system32\windowspowershell\v1.0> gc c:\temp\key.log
    "TypedKey","WindowTitle","Time"
    "L","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
    "s","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
    "<Enter>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
    "G","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
    "C","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
    "< >","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
    "C","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
    "<Shift>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
    ":","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
    "\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
    "T","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
    "E","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
    "M","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
    "P","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
    "\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
    "K","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
    "E","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
    "Y","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
    "<Enter>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM"
    "<Enter>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM"
If I leave it alone, every one of my keyboard operations will be recorded. So how do I stop this monitoring?
Looking at the runspaces, I guess the second one, the newest, should be the one I just created.
    PS C:\windows\system32\windowspowershell\v1.0> Get-Runspace

     Id Name      ComputerName Type  State  Availability
     -- ----      ------------ ----  -----  ------------
      1 Runspace1 localhost    Local Opened Busy
      2 Runspace2 localhost    Local Opened Busy
Check its properties and methods to find out whether it can be closed.
    PS C:\windows\system32\windowspowershell\v1.0> Get-Runspace 2 | gm

       TypeName: System.Management.Automation.Runspaces.LocalRunspace

    Name                 MemberType Definition
    ----                 ---------- ----------
    AvailabilityChanged  Event      System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceAvailabilityEventArgs] AvailabilityChanged(System.Object, System.Management.Automation.Runspaces.RunspaceAvailabilit...
    StateChanged         Event      System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceStateEventArgs] StateChanged(System.Object, System.Management.Automation.Runspaces.RunspaceStateEventArgs)
    ClearBaseTransaction Method     void ClearBaseTransaction()
    Close                Method     void Close()
    CloseAsync           Method     void CloseAsync()
    Connect              Method     void Connect()
Try it out.
    PS C:\windows\system32\windowspowershell\v1.0> (Get-Runspace 2).Close()
The runspace was stopped successfully, and nothing more was written to the log afterwards.
Now I'll write a similar little program of my own and try it the same way: a background program that pops up a dialog box every 30 seconds telling me to take a break ~
    $scriptblock = {
        # WPF assembly for [System.Windows.MessageBox]; already loaded in the ISE, harmless elsewhere
        Add-Type -AssemblyName PresentationFramework
        while ($true) {
            $MessageboxTitle = "Health Reminder"
            $Messageboxbody  = "Take a break, my lord"
            $MessageIcon     = [System.Windows.MessageBoxImage]::Information
            $ButtonType      = [System.Windows.MessageBoxButton]::OK
            [System.Windows.MessageBox]::Show($Messageboxbody, $MessageboxTitle, $ButtonType, $MessageIcon)
            Start-Sleep -Seconds 30
        }
    }
    $job = [PowerShell]::Create()
    $job.AddScript($scriptblock)
    $job.BeginInvoke()
After testing, this dialog box pops up every 30 seconds. Success!
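The same pattern, end to end, as an added example that is not from the original post or from PowerSploit: start a script block in a background runspace, keep the handles, list the runspaces in this session the way the post does, and stop the worker cleanly. It needs PowerShell 5.0 or later for Get-Runspace; the log path, the $worker and $handle variables and the Get-OtherRunspace helper are my own choices, not anything from the post.

```powershell
# 1. The background work: append a timestamp to a constructed log path every 2 seconds.
$LogPath = Join-Path $env:TEMP 'runspace-demo.log'
$work = {
    param($Path)
    while ($true) {
        Add-Content -Path $Path -Value (Get-Date -Format o)
        Start-Sleep -Seconds 2
    }
}

# 2. Same pattern as Get-Keystrokes: Create, AddScript, AddArgument, BeginInvoke.
#    Keep the PowerShell object and the IAsyncResult; they are what lets you stop it
#    without hunting for the runspace afterwards.
$worker = [PowerShell]::Create()
[void]$worker.AddScript($work).AddArgument($LogPath)
$handle = $worker.BeginInvoke()
$workerId = $worker.Runspace.Id          # the Id that Get-Runspace will show

Start-Sleep -Seconds 5
"Lines written so far: $((Get-Content $LogPath).Count)"

# 3. What an inspector sees: every runspace in this process other than the one
#    running this script. A long-lived Busy runspace you did not start is the
#    signal the post relies on to spot the keylogger.
function Get-OtherRunspace {
    $current = [System.Management.Automation.Runspaces.Runspace]::DefaultRunspace
    Get-Runspace | Where-Object { $_.Id -ne $current.Id } |
        Select-Object Id, Name, RunspaceStateInfo, RunspaceAvailability
}
Get-OtherRunspace | Format-Table -AutoSize

# 4. Stopping it. The post uses (Get-Runspace N).Close(), which works when all you
#    have is the Id:   (Get-Runspace -Id $workerId).Close()
#    but it leaves the PowerShell object and its async handle undisposed. With the
#    handles in hand, Stop() interrupts the pipeline and Dispose() releases the runspace.
$worker.Stop()
$worker.Dispose()

Start-Sleep -Seconds 3
"Lines after stop: $((Get-Content $LogPath).Count)"   # count no longer grows
Get-OtherRunspace | Format-Table -AutoSize              # demo runspace closed or gone
Remove-Item $LogPath -ErrorAction SilentlyContinue
```

Run it from a normal console or the ISE. The point of step 3 is that a runspace created with [PowerShell]::Create() lives inside the same process, so it shows up in Get-Runspace for that session and dies with the process; a worker started by someone else's script, as in the Get-Keystrokes case, can only be found that way because its handles were never returned to you.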
This article is from the "Mapo Tofu" blog; please keep this source: http://beanxyz.blog.51cto.com/5570417/1787607
Learning how to run background runspaces from PowerShell intrusion scripts ~