From 481ebb777e7e46e622dea4deeaa428b61c78f46e Mon Sep 17 00:00:00 2001 From: bitform Date: Sat, 1 Dec 2012 13:35:26 -0500 Subject: Added Out-CompressedDll A script to aid in the loading of managed dlls in memory --- Out-CompressedDll.ps1 | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++ README | 4 +++ 2 files changed, 83 insertions(+) create mode 100644 Out-CompressedDll.ps1 diff --git a/Out-CompressedDll.ps1 b/Out-CompressedDll.ps1 new file mode 100644 index 0000000..3c59ef5 --- /dev/null +++ b/Out-CompressedDll.ps1 
@@ -0,0 +1,79 @@
+function Out-CompressedDll
+{
+<#
+.SYNOPSIS
+
+Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
+
+PowerSploit Module - Out-CompressedDll
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+
+.DESCRIPTION
+
+Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array.
+
+.PARAMETER FilePath
+
+Specifies the path to a managed executable.
+
+.EXAMPLE
+
+C:\PS> Out-CompressedDll -FilePath evil.dll
+
+Description
+-----------
+Compresses, base64 encodes, and outputs the code required to load evil.dll in memory.
+
+.NOTES
+
+Only pure MSIL-based dlls can be loaded using this technique. Native or IJW ('it just works' - mixed-mode) dlls will not load.
+
+.LINK
+
+http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html
+#>
+
+ [CmdletBinding()] Param (
+ [Parameter(Mandatory = $True)]
+ [String]
+ $FilePath
+ )
+
+ $Path = Resolve-Path $FilePath
+
+ if (! [IO.File]::Exists($Path))
+ {
+ Throw "$Path does not exist."
+ }
+
+ $FileBytes = [System.IO.File]::ReadAllBytes($Path)
+
+ if (($FileBytes[0..1] | % {[Char]$_}) -join '' -cne 'MZ')
+ {
+ Throw "$Path is not a valid executable."
+ }
+
+ $Length = $FileBytes.Length
+ $CompressedStream = New-Object IO.MemoryStream
+ $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
+ $DeflateStream.Write($FileBytes, 0, $FileBytes.Length)
+ $DeflateStream.Dispose()
+ $CompressedFileBytes = $CompressedStream.ToArray()
+ $CompressedStream.Dispose()
+ $EncodedCompressedFile = [Convert]::ToBase64String($CompressedFileBytes)
+
+ Write-Verbose "Compression ratio: $(($EncodedCompressedFile.Length/$FileBytes.Length).ToString('#%'))"
+
+ $Output = @"
+`$EncodedCompressedFile = @'
+$EncodedCompressedFile
+'@
+`$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`$EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
+`$UncompressedFileBytes = New-Object Byte[]($Length)
+`$DeflatedStream.Read(`$UncompressedFileBytes, 0, $Length) | Out-Null
+[Reflection.Assembly]::Load(`$UncompressedFileBytes)
+"@
+
+ Write-Output $Output
+}
\ No newline at end of file
diff --git a/README b/README
index 5b26dc6..eda99df 100644
--- a/README
+++ b/README
@@ -16,6 +16,10 @@ Inject-Shellcode: Inject-Shellcode injects shellcode into the process ID of your choosing or within PowerShell locally.
+Out-CompressedDll:
+
+ Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
+
 Encrypt-Script: Encrypt-Script will encrypt a script (or any text file for that matter) and output the results to a minimally obfuscated script - evil.ps1.
-- cgit v1.2.3
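Review bot: The existence guard formed by `$Path = Resolve-Path $FilePath` and `if (! [IO.File]::Exists($Path))` does not produce the error its message promises: Resolve-Path writes its own non-terminating error for a missing path and leaves `$Path` empty, so the caller sees that error followed by `" does not exist."` with a blank name. Resolving with `$Path = Resolve-Path $FilePath -ErrorAction Stop` (or testing `$FilePath` before resolving and naming it in the message) keeps the failure to one attributable error. The `-cne 'MZ'` comparison only confirms a DOS/PE header and does not enforce the `.NOTES` restriction to pure MSIL assemblies, so a native or mixed-mode dll passes this check and fails only when the emitted code runs; a comment above that `if` such as `# MZ check confirms a PE header only; managed vs. native is not verified here` would make the limitation explicit at the point of validation. The `Write-Verbose` message labelled `Compression ratio` divides the base64-encoded output length by the raw file length rather than reporting the deflate ratio, so the label should say what is actually being measured.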