RUN AS LOCALSYSTEM USER
This script has been scanned with virustotal.com and Xcitium Verdict Cloud.
PYTHON SCRIPT FILE SHA1 VALUE - 3e80e6a60b42ef45cc13e3d22179d150d8515d04
JSON FILE SHA1 VALUE - 35d29dbdbd87e27128fb7ba8c7455035b4f4ca88
import ctypes
import os
import tempfile
from subprocess import PIPE, Popen
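class disable_file_system_redirection:
    """Context manager that turns off WOW64 file-system redirection.

    Wraps ``kernel32.Wow64DisableWow64FsRedirection`` /
    ``Wow64RevertWow64FsRedirection`` (Windows only: ``ctypes.windll`` is
    resolved at class-definition time).  The previous redirection state is
    restored on ``__exit__`` only if the disable call reported success.
    """

    _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
    _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
    # Both APIs exchange a PVOID "old value".  Declaring the prototypes keeps
    # ctypes from guessing argument sizes, and c_void_p (rather than c_long,
    # which is 4 bytes on Windows) matches the pointer width on 64-bit Python.
    _disable.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
    _disable.restype = ctypes.c_int
    _revert.argtypes = [ctypes.c_void_p]
    _revert.restype = ctypes.c_int

    def __enter__(self):
        self.old_value = ctypes.c_void_p()
        self.success = self._disable(ctypes.byref(self.old_value))
        return self

    def __exit__(self, type, value, traceback):
        # old_value only holds meaningful state when the disable call
        # succeeded, so skip the revert otherwise.
        if self.success:
            self._revert(self.old_value)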
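class ExecutionPolicy:
    """Context manager that temporarily sets the PowerShell policy to RemoteSigned.

    ``__enter__`` records the policy reported by ``Get-ExecutionPolicy`` and
    replaces it; ``__exit__`` restores the recorded one.  No ``-Scope`` is
    given, so the change lands in the default (LocalMachine) scope, and
    ``-Force`` suppresses the confirmation prompt that would otherwise block
    or fail a non-interactive run.  NOTE(review): Get-ExecutionPolicy reports
    the *effective* policy, which may originate from another scope.
    """

    # Values Set-ExecutionPolicy accepts.  Anything else read back from
    # Get-ExecutionPolicy (e.g. an empty string if powershell failed) is never
    # interpolated into a shell command line.
    _KNOWN_POLICIES = ('AllSigned', 'Bypass', 'RemoteSigned', 'Restricted',
                       'Undefined', 'Unrestricted')

    def __enter__(self):
        with disable_file_system_redirection():
            # Remember the current policy so __exit__ can put it back.
            self.old_policy = os.popen('powershell "Get-ExecutionPolicy"').read().strip()
            # Relax the policy for the duration of the with-block.
            os.popen('powershell "Set-ExecutionPolicy RemoteSigned -Force"').read()
        return self

    def __exit__(self, type, value, traceback):
        if self.old_policy not in self._KNOWN_POLICIES:
            # A blank or unexpected value would make Set-ExecutionPolicy prompt
            # for its mandatory argument (or fail); leave the policy alone
            # rather than guess at what it was.
            return
        with disable_file_system_redirection():
            # Restore whatever policy was in effect before __enter__.
            os.popen('powershell "Set-ExecutionPolicy %s -Force"' % self.old_policy).read()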
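def ecmd(command):
    """Run *command* through the shell with WOW64 redirection disabled.

    Args:
        command: command line handed to the shell (``shell=True``), so any
            untrusted text must be quoted by the caller before it gets here.

    Returns:
        ``(returncode, stdout, stderr)`` with both streams as raw byte
        strings, exactly as ``Popen.communicate`` yields them.
    """
    with disable_file_system_redirection():
        proc = Popen(command, shell=True, stdout=PIPE, stderr=PIPE)
        # communicate() drains both pipes and waits, so large output on one
        # stream cannot deadlock the child.
        out, err = proc.communicate()
    return proc.returncode, out, err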
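# PowerShell snippet written to a temporary .ps1 and executed below: lists
# Plug-and-Play devices whose PNPClass matches "Biometric".
PScontent = r"""
Get-CimInstance -ClassName Win32_PnPEntity |Where-Object -Property "PNPClass" -Like "Biometric"
"""
ps_name = 'powershell_file.ps1'
# tempfile.gettempdir() honours TMPDIR/TEMP/TMP and falls back to a system
# default instead of raising KeyError when TEMP is not set.
ps_path = os.path.join(tempfile.gettempdir(), ps_name)
try:
    with open(ps_path, 'wb') as wr:
        # The file is opened in binary mode; encode explicitly so this also
        # works on Python 3, where writing a str to a 'wb' handle raises.
        wr.write(PScontent.encode('utf-8'))
    with ExecutionPolicy():
        # -File runs the script by (quoted) path, so spaces in the temp
        # directory are harmless; -NoProfile keeps profile scripts from being
        # loaded for this run.
        ret, out, err = ecmd('powershell -NoProfile -File "%s"' % ps_path)
finally:
    # Do not leave the helper script behind in the temp directory.
    try:
        os.remove(ps_path)
    except OSError:
        pass
if ret == 0:
    if out:
        print(out)
    else:
        print("couldn't get any biometric informations")
else:
    print(ret)
    print(err)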