Check against encoded payload and Win32_Shadowcopy access

[Omodaka9375]

Other attempts at deleting the shadow copies can be performed via invoking powershell (and WMI) or using an encoded command flag to avoid detection in the command line.

Evi commands: powershell -command "Get-WmiObject Win32Shadowcopy | ForEach-Object {$.Delete();}" powershell.exe -noprofile -encodedCommand R2V0LVdtaU9iamVjdCBXaW4zMl9TaGFkb3djb3B5IHwgRm9yRWFjaC ...

What has been added:

• Added registry patch file for powershell
• Added registry uninstaller for powershell listener
• Added powershell support only in FULL mode in batch installer
• Added check for '-encodedcommand' in .cpp file
• Added check for accessing 'Win32_Shadowcopy ' in .cpp file
• Added ability to find/compare strings within arguments (case sensitive, unlike _wcsicmp!)

Cheers