What a PowerShell intrusion script taught me about running a background runspace~
Today, with nothing much to do, 豆子 (Beanxyz) was browsing GitHub for interesting PowerShell scripts and stumbled on the PowerSploit project. On closer inspection, this module is written for penetration testing and contains a large number of related hacking scripts; I picked one at random to try out.
For example this one, which can be used to record keyboard input. I won't paste the full script here:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Get-Keystrokes.ps1
Setting aside what it actually does, I was curious how it runs in the background. At the end of the script you can see that the author uses a runspace: he creates one, passes in the scriptblock and its arguments, and then kicks it off:

```powershell
# Setup KeyLogger's runspace
$PowerShell = [PowerShell]::Create()
[void]$PowerShell.AddScript($Script)
[void]$PowerShell.AddArgument($LogPath)
if ($PSBoundParameters.Timeout) { [void]$PowerShell.AddArgument($Timeout) }
# Start KeyLogger
[void]$PowerShell.BeginInvoke()
```
This looks very familiar. When I was learning multithreading earlier, I used runspaces in place of background jobs, because runspaces perform far better:
http://beanxyz.blog.51cto.com/5570417/1760880
In fact, I checked: an earlier version of this hacker script also used a job, and the latest version switched to a runspace. Knowledge really is interconnected~
Let's run it and see:

```powershell
Get-Keystrokes -LogPath C:\temp\key.log
```
Then I typed a few commands at random and checked whether the corresponding log file had recorded anything. Sure enough, it had:

```text
PS C:\Windows\System32\WindowsPowerShell\v1.0> gc C:\temp\key.log
"TypedKey","WindowTitle","Time"
"l","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
"s","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
"<Enter>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
"g","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
"c","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
"< >","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
"c","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
"<Shift>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
":","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
"\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
"t","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"e","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"m","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"p","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"k","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
"e","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
"y","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
"<Enter>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM"
"<Enter>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM"
```
If I leave it alone, every keystroke I make will be recorded, so how do I stop this listener?
Looking at the runspaces, I reckon the second, most recent runspace should be the one I just created:

```text
PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-Runspace

 Id Name            ComputerName    Type          State         Availability
 -- ----            ------------    ----          -----         ------------
  1 Runspace1       localhost       Local         Opened        Busy
  2 Runspace2       localhost       Local         Opened        Busy
```
Looking at its properties and methods, I find that it can be closed:

```text
PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-Runspace 2 | gm

   TypeName: System.Management.Automation.Runspaces.LocalRunspace

Name                         MemberType Definition
----                         ---------- ----------
AvailabilityChanged          Event      System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceAvailabilityEventArgs] AvailabilityChanged(System.Object, System.Management.Automation.Runspaces.RunspaceAvailabilit...
StateChanged                 Event      System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceStateEventArgs] StateChanged(System.Object, System.Management.Automation.Runspaces.RunspaceStateEventArgs)
ClearBaseTransaction         Method     void ClearBaseTransaction()
Close                        Method     void Close()
CloseAsync                   Method     void CloseAsync()
Connect                      Method     void Connect()
```
Let's try it:

```powershell
PS C:\Windows\System32\WindowsPowerShell\v1.0> (Get-Runspace 2).Close()
```

The runspace was stopped successfully, and nothing more was written to the log afterwards.
Now, using the same method, I wrote a similar little program of my own. The idea: a background program that pops up a dialog every 30 seconds telling me to take a break~

```powershell
$scriptblock = {
    # System.Windows.MessageBox lives in the WPF assembly; the ISE already has it
    # loaded, but a plain console host does not, so load it explicitly.
    Add-Type -AssemblyName PresentationFramework
    while ($true) {
        $MessageboxTitle = "Health Reminder"
        $Messageboxbody  = "Please have a break, my lord"
        $MessageIcon = [System.Windows.MessageBoxImage]::Information
        $ButtonType  = [System.Windows.MessageBoxButton]::OK
        [void][System.Windows.MessageBox]::Show($Messageboxbody, $MessageboxTitle, $ButtonType, $MessageIcon)
        Start-Sleep -Seconds 30
    }
}
# Run the loop in a background runspace, the same way Get-Keystrokes does.
$job = [powershell]::Create()
[void]$job.AddScript($scriptblock)
[void]$job.BeginInvoke()
```

Tested: the dialog pops up every 30 seconds. Success!
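The post stops its runspace by guessing the Id from Get-Runspace and calling Close() on it. As an added example (not from the original post or from PowerSploit), here is the same background pattern written so the worker can be stopped cleanly: the scriptblock receives a shared synchronized hashtable via AddArgument, the same mechanism Get-Keystrokes uses to pass $LogPath, and the creator keeps the PowerShell object and its IAsyncResult handle instead of hunting for the runspace afterwards. The scriptblock, the $state hashtable and the tick counter are all constructed for this example.

```powershell
# Shared state between the caller and the worker runspace (constructed here).
# [hashtable]::Synchronized gives a thread-safe wrapper, which matters because
# the worker runs on a different thread.
$state = [hashtable]::Synchronized(@{ Stop = $false; Ticks = 0 })

$scriptblock = {
    param($State)
    # Poll the shared flag once per second instead of sleeping 30 s in one go,
    # so a stop request is noticed promptly.
    while (-not $State.Stop) {
        $State.Ticks++
        Start-Sleep -Seconds 1
    }
    "worker exited after $($State.Ticks) ticks"
}

$ps = [powershell]::Create()
[void]$ps.AddScript($scriptblock).AddArgument($state)
$handle = $ps.BeginInvoke()          # IAsyncResult; the runspace is now Busy

# The runspace object is reachable as $ps.Runspace, so there is no need to
# guess its Id from the Get-Runspace listing.
Get-Runspace -Id $ps.Runspace.Id

Start-Sleep -Seconds 3

# Cooperative stop: raise the flag, wait for the pipeline to finish,
# then collect its output and release the runspace.
$state.Stop = $true
$output = $ps.EndInvoke($handle)     # blocks until the scriptblock returns
$output                               # "worker exited after N ticks"
$ps.Runspace.Close()
$ps.Dispose()

# If a worker ignores the flag, or you never held its handle, the hard way is
# what the post does: (Get-Runspace <Id>).Close(), or $ps.Stop() when $ps is
# still in scope.
```

Running Get-Runspace again after Dispose() shows only the default runspace, which is the quickest check that nothing was left behind.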
This article is reposted from beanxyz's 51CTO blog; original link: http://blog.51cto.com/beanxyz/1787607. For reposting, please contact the original author.