Out of boredom today, I (Douzi) was browsing GitHub for interesting PowerShell scripts and stumbled on the PowerSploit project. Looking through it, this module was written for penetration testing and contains a large number of related hacking scripts, so I picked one at random to try.
For example, this one can record keyboard input; I won't paste the full script here.
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Get-Keystrokes.ps1
Setting aside what it actually does, I was curious how it runs in the background. At the end of the script you can see the author uses a runspace: he creates one, passes in the script block and its arguments, and then kicks it off:
```powershell
# Setup KeyLogger's runspace
$PowerShell = [PowerShell]::Create()
[void]$PowerShell.AddScript($Script)
[void]$PowerShell.AddArgument($LogPath)
if ($PSBoundParameters.Timeout) { [void]$PowerShell.AddArgument($Timeout) }
# Start KeyLogger
[void]$PowerShell.BeginInvoke()
```
This approach looks very familiar. When I was learning multithreading earlier, I used runspaces in place of background jobs, because runspaces perform far better:
http://beanxyz.blog.51cto.com/5570417/1760880
In fact, I checked: an earlier version of this hacking script also used a job, and the latest version switched to a runspace, which shows the knowledge carries over~
Let's run it:
```powershell
Get-Keystrokes -LogPath C:\temp\key.log
```
Then I typed a few commands at random and checked whether the corresponding log file recorded them. Sure enough, it did:
```text
PS C:\Windows\System32\WindowsPowerShell\v1.0> gc C:\temp\key.log
"TypedKey","WindowTitle","Time"
"l","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
"s","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
"<Enter>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
"g","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
"c","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
"< >","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
"c","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
"<Shift>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
":","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
"\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
"t","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"e","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"m","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"p","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"k","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
"e","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
"y","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
"<Enter>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM"
"<Enter>","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM"
```
If I leave it alone, every keystroke I make will be recorded, so how do I stop this listener?
Let's look at the runspaces. I guess the second, most recent runspace is the one I just created:
```text
PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-Runspace

 Id Name            ComputerName    Type          State         Availability
 -- ----            ------------    ----          -----         ------------
  1 Runspace1       localhost       Local         Opened        Busy
  2 Runspace2       localhost       Local         Opened        Busy
```
Looking at which properties and methods it has, I found that it can be closed:
```text
PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-Runspace 2 | gm
   TypeName: System.Management.Automation.Runspaces.LocalRunspace
Name                 MemberType Definition
----                 ---------- ----------
AvailabilityChanged  Event      System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceAvailabilityEventArgs] AvailabilityChanged(System.Object, System.Management.Automation.Runspaces.RunspaceAvailabilit...
StateChanged         Event      System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceStateEventArgs] StateChanged(System.Object, System.Management.Automation.Runspaces.RunspaceStateEventArgs)
ClearBaseTransaction Method     void ClearBaseTransaction()
Close                Method     void Close()
CloseAsync           Method     void CloseAsync()
Connect              Method     void Connect()
```
Let's try it:
```text
PS C:\Windows\System32\WindowsPowerShell\v1.0> (Get-Runspace 2).close()
```
This stopped the runspace successfully; nothing more was written to the log afterwards.
Now, using the same method, I wrote a similar little program of my own: a background program that pops up a dialog every 30 seconds telling me to take a break~
```powershell
$scriptblock = {
    # System.Windows.MessageBox lives in PresentationFramework (WPF); load it so the
    # loop also works from a plain console, where WPF is not already loaded as in the ISE
    Add-Type -AssemblyName PresentationFramework
    while ($true) {
        $MessageboxTitle = "Health Reminder"
        $Messageboxbody  = "Please have a break, my lord"
        $MessageIcon     = [System.Windows.MessageBoxImage]::Information
        $ButtonType      = [System.Windows.MessageBoxButton]::OK
        [System.Windows.MessageBox]::Show($Messageboxbody, $MessageboxTitle, $ButtonType, $MessageIcon)
        Start-Sleep -Seconds 30
    }
}
# Run the loop in its own runspace, the same way Get-Keystrokes does;
# [void] keeps the PowerShell object and IAsyncResult from being dumped to the console
$job = [powershell]::create()
[void]$job.addscript($scriptblock)
[void]$job.begininvoke()
```
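As an added example (my own code here, not the post's script and not PowerSploit's), this is the same runspace pattern with the handles kept, so a background loop can be stopped deterministically instead of guessing which Id in Get-Runspace is "the second newest", together with a listing of every runspace other than the console's own, which is how a stray Busy runspace like the keylogger's shows up. The log path and the 5-second interval are constructed for the demo.

```powershell
# Run a harmless background loop in a runspace, keep the handles, and list or
# stop stray runspaces by Id instead of guessing which one is "the newest".

function Start-BackgroundTask {
    param([scriptblock]$ScriptBlock, [object[]]$Arguments = @())
    $ps = [PowerShell]::Create()
    [void]$ps.AddScript($ScriptBlock)
    foreach ($a in $Arguments) { [void]$ps.AddArgument($a) }
    $async = $ps.BeginInvoke()
    # Keep both the PowerShell object and the IAsyncResult; without them the
    # only way back to the runspace is Get-Runspace, as in the post above.
    [pscustomobject]@{
        PowerShell  = $ps
        AsyncResult = $async
        RunspaceId  = $ps.Runspace.Id
    }
}

function Stop-BackgroundTask {
    param([Parameter(Mandatory)]$Task)
    # Stop() interrupts the running pipeline (a while ($true) loop included) and
    # Dispose() closes the runspace it owns: the tidy equivalent of
    # (Get-Runspace N).Close() from the post, without having to guess N.
    $Task.PowerShell.Stop()
    $Task.PowerShell.Dispose()
}

function Get-OtherRunspace {
    # Every runspace in this process except the one running the console, so a
    # Busy entry here is background work worth inspecting.
    $self = [runspace]::DefaultRunspace.Id
    Get-Runspace | Where-Object { $_.Id -ne $self } |
        Select-Object Id, Name, RunspaceStateInfo, RunspaceAvailability
}

# Constructed demo: a loop that appends a timestamp to a log file every 5 seconds.
$task = Start-BackgroundTask -ScriptBlock {
    param($Path)
    while ($true) { Get-Date | Out-File -Append $Path; Start-Sleep -Seconds 5 }
} -Arguments @("$env:TEMP\runspace-demo.log")

Get-OtherRunspace          # the new runspace appears as Opened / Busy
Start-Sleep -Seconds 12
Stop-BackgroundTask $task  # the log stops growing and the runspace leaves Get-Runspace
```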