Today, with nothing better to do, I (Douzi) was browsing GitHub for interesting PowerShell scripts and stumbled on the PowerSploit project. Looking closer, the module is written for penetration testing and contains a large number of offensive scripts, so I picked one at random to try out.
For example this one, which records keyboard input. I won't paste the whole script here.
Leaving aside what it actually does, I was curious how it runs in the background. At the end of the script you can see that the author uses a runspace: a PowerShell instance is created, the script block and its parameters are added to it, and then it is kicked off asynchronously:
# Setup KeyLogger's runspace
$PowerShell = [PowerShell]::Create()
[void]$PowerShell.AddScript($Script)
[void]$PowerShell.AddArgument($LogPath)
if ($PSBoundParameters.Timeout) { [void]$PowerShell.AddArgument($Timeout) }

# Start KeyLogger
[void]$PowerShell.BeginInvoke()
This looks very familiar. When I was learning multithreading I used runspaces in place of background jobs, because runspaces are much more efficient.
In fact, I checked: an earlier version of this offensive script also used a job, and the latest version switched to a runspace. It goes to show that knowledge carries over.
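As an added example (my own code, not from the post and not from PowerSploit), here is the same Create / AddScript / AddArgument / BeginInvoke pattern wrapped in a small helper, with EndInvoke to collect the script's output, timed against Start-Job doing identical work. The helper name Invoke-InRunspace, the temp file path and the workload are invented for this demonstration.

```powershell
# Added example: run a script block with arguments in a runspace, collect its
# output with EndInvoke, and compare the cost with Start-Job.
function Invoke-InRunspace {
    param(
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,
        [object[]]$ArgumentList = @()
    )
    $ps = [PowerShell]::Create()
    # AddScript takes a string; a param() block in it receives the AddArgument values
    [void]$ps.AddScript($ScriptBlock.ToString())
    foreach ($arg in $ArgumentList) { [void]$ps.AddArgument($arg) }
    # BeginInvoke returns at once; the work runs on a thread of this process
    $handle = $ps.BeginInvoke()
    # Keep both: the handle is needed for EndInvoke, the instance for Stop()/Dispose()
    [pscustomobject]@{ PowerShell = $ps; Handle = $handle }
}

# Constructed workload: write N lines to a file and return the line count
$work = {
    param($Path, $Count)
    1..$Count | ForEach-Object { "line $_" } | Set-Content -Path $Path
    (Get-Content -Path $Path).Count
}
$tmp = Join-Path $env:TEMP 'runspace-demo.txt'

# Runspace: in-process thread
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$r = Invoke-InRunspace -ScriptBlock $work -ArgumentList $tmp, 500
$runspaceResult = $r.PowerShell.EndInvoke($r.Handle)   # blocks until the script finishes
if ($r.PowerShell.HadErrors) { $r.PowerShell.Streams.Error }
$r.PowerShell.Dispose()
$sw.Stop()
"runspace: {0,6:N0} ms, result {1}" -f $sw.ElapsedMilliseconds, $runspaceResult

# Job: separate powershell.exe child process, results serialized back
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$j = Start-Job -ScriptBlock $work -ArgumentList $tmp, 500
$jobResult = Receive-Job -Job $j -Wait -AutoRemoveJob
$sw.Stop()
"job:      {0,6:N0} ms, result {1}" -f $sw.ElapsedMilliseconds, $jobResult
```

The job is slower because Start-Job spawns a separate PowerShell process and serializes the output back, whereas the runspace is just another thread in the current process. That is also why offensive tooling prefers runspaces: no new process is created for the payload, so process-creation telemetry shows nothing. The script still goes through the same engine, however, so PowerShell script block logging (event 4104), when enabled, records what was passed to AddScript.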
Let's run it:
Get-Keystrokes -LogPath C:\temp\key.log
Then I typed a few commands and checked whether the log file had recorded anything. Sure enough, it had:
PS C:\Windows\System32\WindowsPowerShell\v1.0> gc C:\temp\key.log
"TypedKey","WindowTitle","Time"
"l","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
"s","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
"","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
"g","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
"c","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
"< >","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
"c","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
" ","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
":","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
"\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
"t","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"e","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"m","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"p","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"k","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
"e","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
"y","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
" ","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM"
" ","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM"
If I leave it alone, every keystroke I make will be recorded. So how do I stop the listener?
Let's list the runspaces. I figure the second, newest runspace should be the one I just created:
PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-Runspace

 Id Name            ComputerName    Type          State         Availability
 -- ----            ------------    ----          -----         ------------
  1 Runspace1       localhost       Local         Opened        Busy
  2 Runspace2       localhost       Local         Opened        Busy
Looking at its properties and methods, there is a Close method:
PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-Runspace 2 | gm

   TypeName: System.Management.Automation.Runspaces.LocalRunspace

Name                 MemberType Definition
----                 ---------- ----------
AvailabilityChanged  Event      System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceAvailabilityEventArgs] AvailabilityChanged(System.Object, System.Management.Automation.Runspaces.RunspaceAvailabilit...
StateChanged         Event      System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceStateEventArgs] StateChanged(System.Object, System.Management.Automation.Runspaces.RunspaceStateEventArgs)
ClearBaseTransaction Method     void ClearBaseTransaction()
Close                Method     void Close()
CloseAsync           Method     void CloseAsync()
Connect              Method     void Connect()
Let's try it:
PS C:\Windows\System32\WindowsPowerShell\v1.0> (Get-Runspace 2).Close()
That stopped the runspace; nothing more was written to the log afterwards.
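As an added example (my own code, not from the post), here is the same find-and-close procedure run against a stand-in for the keylogger, a runspace that appends a timestamp to a file every half second, followed by the check a practitioner wants: proof that the file really stopped growing. The writer script and the log path are constructed for this demonstration; Get-Runspace requires Windows PowerShell 5.0 or later.

```powershell
# Added example: locate a background runspace without guessing its Id, close it,
# and verify that the background work actually stopped.
$logPath = Join-Path $env:TEMP 'runspace-writer.log'
Remove-Item -Path $logPath -ErrorAction SilentlyContinue

# Constructed stand-in for the keylogger: an endless loop writing to a file
$body = {
    param($Path)
    while ($true) {
        Add-Content -Path $Path -Value (Get-Date -Format o)
        Start-Sleep -Milliseconds 500
    }
}
$writer = [PowerShell]::Create()
[void]$writer.AddScript($body.ToString())
[void]$writer.AddArgument($logPath)
[void]$writer.BeginInvoke()
Start-Sleep -Seconds 2

# If you still hold the instance, its runspace Id is known exactly:
"writer runs in runspace Id $($writer.Runspace.Id)"

# Without the instance, do not assume "the newest one is mine": exclude the
# runspace this prompt executes in and look at what is still Busy.
$mine = [System.Management.Automation.Runspaces.Runspace]::DefaultRunspace
$suspects = Get-Runspace | Where-Object {
    $_.InstanceId -ne $mine.InstanceId -and $_.RunspaceAvailability -eq 'Busy'
}
$suspects | Format-Table Id, Name, State, RunspaceAvailability -AutoSize

# Stop them the way the post does: Close() tears down the runspace and its pipeline
foreach ($rs in $suspects) { $rs.Close() }

# Check: once the runspace is closed, the file must stop growing
$before = (Get-Item -Path $logPath).Length
Start-Sleep -Seconds 2
$after = (Get-Item -Path $logPath).Length
if ($after -eq $before) {
    "stopped: log size stayed at $after bytes"
} else {
    "still running: $before -> $after bytes"
}
$writer.Dispose()
```

If you still have the PowerShell object, `$writer.Stop()` followed by `$writer.Dispose()` is the cleaner way to end it than closing the runspace from the outside. To see what an unfamiliar busy runspace is executing before killing it, `Debug-Runspace -Id <n>` (also 5.0+) attaches the debugger to it. And since the keylogger is only a thread inside the PowerShell process, ending that process ends it as well; nothing survives unless something else relaunches the script.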
Now, using the same approach, I wrote a similar little program of my own: a background routine that pops up a dialog every 30 seconds reminding me to take a break.
# Load WPF so [System.Windows.MessageBox] resolves. The ISE has it loaded already;
# the plain console does not, so add it explicitly (once per process is enough).
Add-Type -AssemblyName PresentationFramework

$scriptblock = {
    while ($true) {
        $MessageboxTitle = "Health Reminder"
        $Messageboxbody  = "Please have a break, my lord"
        $MessageIcon     = [System.Windows.MessageBoxImage]::Information
        $ButtonType      = [System.Windows.MessageBoxButton]::OK
        [void][System.Windows.MessageBox]::Show($Messageboxbody, $MessageboxTitle, $ButtonType, $MessageIcon)
        Start-Sleep -Seconds 30
    }
}

# Same pattern as Get-Keystrokes: the loop runs on a background thread of this process
$job = [powershell]::Create()
[void]$job.AddScript($scriptblock.ToString())
$handle = $job.BeginInvoke()
Tested: the dialog pops up every 30 seconds. Success!
Reposted from: http://dxaox.baihongyu.com/