Lean And Mean snippets for power users RunAsTI / reg_own / ToggleDefender / Edge removal / redirect

Discussion in 'Scripting' started by AveYo, May 7, 2021.

  1. Dark Vador

    Dark Vador X Æ A-12

    Feb 2, 2011
    4,761
    7,025
    150
    #201 Dark Vador, Aug 4, 2025
    Last edited: Aug 4, 2025
    So, after a little upgrade -> just make sure to be with administrator privileges.
    Changes? Now the window is visible, with new flags.
    And 1 call only, instead of 4 (User -> Elevate Admin -> Elevate System -> Run Command Under System).
    And I can do even better, make it encoded :D
    I'm impressed by this code; he skips a few APIs and writes the structs manually.

    * Anyone notice that he just grabs a handle from the currently running process,
    * which I thought shouldn't work, but it does work!
    Code:
    function RunAsTI {
        param (
            $CommandLine
        )
        # Type handles used throughout: Int32, Marshal, IntPtr, String; $Z = pointer size (4 or 8)
        $I=[int32];
        $M=$I.module.gettype("System.Runtime.InteropServices.Marshal");
        $P=$I.module.gettype("System.IntPtr");
        $S=[string]; $D=@(); $T=@(); $Z=[uintptr]::size
        # Reflection.Emit a dynamic assembly and module so the P/Invoke signatures and structs
        # are defined at runtime, with no Add-Type / csc.exe compile step
        $DM=[AppDomain]::CurrentDomain."DefineDynamicAssembly"(1,1)."DefineDynamicModule"(1);
        # Six public sealed value types: AveYo_0 holds the P/Invoke methods, AveYo_1..5 are the structs
        0..5|% {$D += $DM."DefineType"("AveYo_$_",1179913,[ValueType])};
        $D += [uintptr];
        # $D[7..9] = by-ref versions of STARTUPINFOEX, PROCESS_INFORMATION and UIntPtr (out parameters)
        4..6|% {$D += $D[$_]."MakeByRefType"()}
        # DLL names and parameter lists for CreateProcess, RegOpenKeyEx, RegSetValueEx
        $F='kernel','advapi','advapi', ($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), ([uintptr],$S,$I,$I,$D[9]),([uintptr],$S,$I,$I,[byte[]],$I)
        0..2|% {$9=$D[0]."DefinePInvokeMethod"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
        # Field layouts: PROC_THREAD_ATTRIBUTE_ENTRY, PROC_THREAD_ATTRIBUTE_LIST, STARTUPINFO,
        # STARTUPINFOEX, PROCESS_INFORMATION (fields are named f1, f2, ... in declaration order)
        $DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
        1..5|% {$k=$_; $n=1; $DF[$_-1]|% {$9=$D[$k]."DefineField"('f' + $n++, $_, 6)}};
        0..5|% {$T += $D[$_]."CreateType"()}
        # Instantiate one object of each struct type as $A0..$A5
        0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -fo};
        # F = call one of the P/Invoke methods; M (below) = call a static Marshal method
        function F ($1,$2) {$T[0]."GetMethod"($1).invoke(0,$2)}
        # S-1-16-16384 = System integrity level; the result is computed but not used below
        $TI=(whoami /groups)-like'*1-16-16384*'; $As=0;
        # Start the TrustedInstaller service (falling back to lsass / winlogon) and take the first matching process
        'TrustedInstaller','lsass','winlogon'|% {if (!$As) {$9=sc.exe start $_; $As=@(get-process -name $_ -ea 0|% {$_})[0]}}
        function M ($1,$2,$3) {$M."GetMethod"($1,[type[]]$2).invoke(0,$3)};
        # Two unmanaged buffers: $H[0] holds the parent process handle, $H[1] the attribute list
        $H=@(); $Z,(4*$Z+16)|% {$H += M "AllocHGlobal" $I $_}
        M "WriteIntPtr" ($P,$P) ($H[0],$As.Handle);
        # PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000; attribute list with that single entry
        $A1.f1=131072;  $A1.f2=$Z;  $A1.f3=$H[0];  $A2.f1=1;
        $A2.f2=1;  $A2.f3=1;  $A2.f4=1;  $A2.f6=$A1;
        # STARTUPINFO.cb = sizeof(STARTUPINFOEX); STARTUPINFOEX.lpAttributeList = $H[1]
        $A3.f1=10*$Z+32;  $A4.f1=$A3;  $A4.f2=$H[1];
        M "StructureToPtr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)
        # dwCreationFlags = EXTENDED_STARTUPINFO_PRESENT (0x00080000) -bor CREATE_NEW_CONSOLE (0x00000010)
        $Run=@($null, $CommandLine, 0, 0, 0, (0x00080000 -bor 0x00000010), 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))
        F 'CreateProcess' $Run;
    }
    RunAsTI -CommandLine "cmd /k whoami"