author | Matt Graeber <mattgraeber@gmail.com> | 2013-09-04 04:54:15 -0700 |
---|---|---|
committer | Matt Graeber <mattgraeber@gmail.com> | 2013-09-04 04:54:15 -0700 |
commit | 65cd074eaff338ba4091eb934c442cda86cc88dc (patch) | |
tree | 0fe4e8c1849ba6816e563bc9ca5b1e390ce44dcc | |
parent | 6807da424fca9e1f4b4946e695486aefb7eae1fa (diff) | |
parent | 5e1f6ac29a851b6833b0e313c02f684f54a79b53 (diff) | |
download | PowerSploit-65cd074eaff338ba4091eb934c442cda86cc88dc.tar.gz PowerSploit-65cd074eaff338ba4091eb934c442cda86cc88dc.zip |
Merge pull request #13 from clymb3r/master
Call to DllMain when unloading reflective DLL
-rw-r--r-- | CodeExecution/Invoke-ReflectivePEInjection.ps1 | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1
index b582847..a9772e2 100644
--- a/CodeExecution/Invoke-ReflectivePEInjection.ps1
+++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1
@@ -2620,6 +2620,15 @@ Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/
 $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_IMPORT_DESCRIPTOR))
 }
 }
+
+ #Call DllMain with process detach
+ Write-Verbose "Calling dllmain so the DLL knows it is being unloaded"
+ $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
+ $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
+ $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
+
+ $DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null
+
 $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
 if ($Success -eq $false) |
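Review bot: The `0` passed as the second argument in `$DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero)` is a magic number, while the neighbouring code reads its Win32 values by name from `$Win32Constants` (for example `$Win32Constants.MEM_RELEASE` on the VirtualFree line); the detach reason should be named the same way, either by adding an entry to that table or, at minimum, with a local such as `$DLL_PROCESS_DETACH = 0` used in the call, which also makes the `#Call DllMain with process detach` comment unnecessary. The ordering of the new lines deserves a why-comment: `$DllMainPtr` is derived from `$PEInfo.PEHandle` and `VirtualFree` releases that same region immediately afterwards, so a comment such as `# Must run before VirtualFree below: the entry point lives inside the image being released` would stop a future reordering from breaking it. The enclosing function begins and ends outside the hunk.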