Run as Logged in User
vbs=r'''
Set WshShell = CreateObject("WScript.Shell")
For i=1 To 100
WshShell.SendKeys(chr(&hAF))
Next
'''
import os
import ctypes
import time
class disable_file_system_redirection:
_disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
_revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
def __enter__(self):
self.old_value = ctypes.c_long()
self.success = self._disable(ctypes.byref(self.old_value))
def __exit__(self, type, value, traceback):
if self.success:
self._revert(self.old_value)
def runvbs(vbs):
workdir=os.environ['PROGRAMDATA']+r'\temp'
if not os.path.isdir(workdir):
os.mkdir(workdir)
with open(workdir+r'\temprun.vbs',"w") as f :
f.write(vbs)
with disable_file_system_redirection():
print os.popen('cscript.exe "'+workdir+r'\temprun.vbs"').read()
print('Script execution completed successfully')
if os.path.isfile(workdir+r'\temprun.vbs'):
os.remove(workdir+r'\temprun.vbs')
runvbs(vbs)
time.sleep(5)
ps_content=r'''
Add-Type -AssemblyName System.speech
$speak = New-Object System.Speech.Synthesis.SpeechSynthesizer
$speak.Speak('This device has been Stolen')
'''
def ecmd(command):
import ctypes
from subprocess import PIPE, Popen
class disable_file_system_redirection:
_disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
_revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
def __enter__(self):
self.old_value = ctypes.c_long()
self.success = self._disable(ctypes.byref(self.old_value))
def __exit__(self, type, value, traceback):
if self.success:
self._revert(self.old_value)
with disable_file_system_redirection():
obj = Popen(command, shell = True, stdout = PIPE, stderr = PIPE)
out, err = obj.communicate()
ret=obj.returncode
if ret==0:
if out:
return out.strip()
else:
return ret
else:
if err:
return err.strip()
else:
return ret
file_name='powershell_file.ps1'
file_path=os.path.join(os.environ['TEMP'], file_name)
with open(file_path, 'wb') as wr:
wr.write(ps_content)
ecmd('powershell "Set-ExecutionPolicy RemoteSigned"')
print ecmd('powershell "%s"'%file_path)
os.remove(file_path)
Comments