def main()

in cortado/rtas/susp_control_panel_dll_explorer.py [0:0]

• 27 lines of code
• 1 McCabe index (conditional complexity)

def main():
    exe_file = _common.get_resource_path("bin/renamed_posh.exe")
    ps1_file = _common.get_resource_path("bin/Invoke-ImageLoad.ps1")
    renamer = _common.get_resource_path("binrcedit-x64.exe")

    explorer = "C:\\Users\\Public\\explorer.exe"
    user32 = "C:\\Windows\\System32\\user32.dll"
    dll = "C:\\Users\\Public\\rta.dll"
    ps1 = "C:\\Users\\Public\\Invoke-ImageLoad.ps1"
    rcedit = "C:\\Users\\Public\\rcedit.exe"
    _common.copy_file(user32, dll)
    _common.copy_file(ps1_file, ps1)
    _common.copy_file(renamer, rcedit)
    _common.copy_file(exe_file, explorer)

    log.info("Modifying the OriginalFileName attribute to invalidate the signature")
    _ = _common.execute_command([rcedit, dll, "--set-version-string", "OriginalFilename", "rta.dll"])

    log.info("Loading rta.dll")
    _ = _common.execute_command(
        [
            explorer,
            "-c",
            f"Import-Module {ps1}; Invoke-ImageLoad {dll}; echo",
            "/factory,{5BD95610-9434-43C2-886C-57852CC8A120}",
            ";powershell",
        ],
        timeout_secs=10,
    )
    _common.remove_files([dll, ps1, rcedit, explorer])