From ce3b21685ad74e302cefb39c07bfba9e0e178d9b Mon Sep 17 00:00:00 2001
From: Matt Graeber
Date: Mon, 14 Dec 2015 16:40:04 -0800
Subject: Bugfix #92: perform OS check when importing NtCreateThreadEx
---
 CodeExecution/Invoke-ReflectivePEInjection.ps1 | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'CodeExecution/Invoke-ReflectivePEInjection.ps1')
diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1
index 8f4533e..d164493 100644
--- a/CodeExecution/Invoke-ReflectivePEInjection.ps1
+++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1
@@ -710,10 +710,13 @@ $RemoteScriptBlock = {
 $ImpersonateSelf = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateSelfAddr, $ImpersonateSelfDelegate)
 $Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf
- $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
- $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32])
- $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
+ # NtCreateThreadEx is only ever called on Vista and Win7. NtCreateThreadEx is not exported by ntdll.dll in Windows XP
+ if (([Environment]::OSVersion.Version -ge (New-Object 'Version' 6,0)) -and ([Environment]::OSVersion.Version -lt (New-Object 'Version' 6,2))) {
+ $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
+ $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32])
+ $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate)
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
+ }
 $IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process
 $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool])
-- cgit v1.2.3
From 00af1656b2832807eadbc062eee80e21918c0276 Mon Sep 17 00:00:00 2001
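Review bot: The `Get-ProcAddress` result on the first added assignment is handed straight to `GetDelegateForFunctionPointer` with no check for `[IntPtr]::Zero`, so if the lookup can return a null pointer for a missing export the failure surfaces as an opaque marshaling exception instead of a message naming the symbol; a guard such as `if ($NtCreateThreadExAddr -eq [IntPtr]::Zero) { Throw "NtCreateThreadEx not found in ntdll.dll" }` before the delegate creation would make that failure mode explicit. The version window is presumably also tested wherever `$Win32Functions.NtCreateThreadEx` is later used (outside this hunk), and the two comparisons must stay in agreement; computing it once, e.g. `$OSVersion = [Environment]::OSVersion.Version` and `$UseNtCreateThreadEx = ($OSVersion -ge [Version]'6.0') -and ($OSVersion -lt [Version]'6.2')`, and recording the flag on `$Win32Functions` would let the call site test the flag rather than repeat the range. `[Version]'6.0'` is also the more idiomatic spelling of `New-Object 'Version' 6,0`. The enclosing `$RemoteScriptBlock` both starts and ends outside the hunk.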
From: Matt Graeber
Date: Mon, 14 Dec 2015 17:26:33 -0800
Subject: Bugfix #93 Removed the "EndAddress" parameter set since it was never used. This should resolve any parameter set confusion.
---
 CodeExecution/Invoke-ReflectivePEInjection.ps1 | 14 +-------------
 Exfiltration/Invoke-Mimikatz.ps1 | 14 +-------------
 Exfiltration/Invoke-NinjaCopy.ps1 | 14 +-------------
 3 files changed, 3 insertions(+), 39 deletions(-)
(limited to 'CodeExecution/Invoke-ReflectivePEInjection.ps1')
diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1
index d164493..4a1d0e8 100644
--- a/CodeExecution/Invoke-ReflectivePEInjection.ps1
+++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1
@@ -912,24 +912,12 @@ $RemoteScriptBlock = {
 [IntPtr] $StartAddress,
- [Parameter(ParameterSetName = "EndAddress", Position = 3, Mandatory = $true)]
- [IntPtr]
- $EndAddress,
-
 [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)] [IntPtr] $Size )
- [IntPtr]$FinalEndAddress = [IntPtr]::Zero
- if ($PsCmdlet.ParameterSetName -eq "Size")
- {
- [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
- }
- else
- {
- $FinalEndAddress = $EndAddress
- }
+ [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
 $PEEndAddress = $PEInfo.EndAddress
diff --git a/Exfiltration/Invoke-Mimikatz.ps1 b/Exfiltration/Invoke-Mimikatz.ps1
index 835d7a7..85cef30 100644
--- a/Exfiltration/Invoke-Mimikatz.ps1
+++ b/Exfiltration/Invoke-Mimikatz.ps1
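Review bot: The `[Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]` attribute left as context above `$Size` still names a parameter set that, after this hunk removes its only sibling, has no alternative; dropping the name, `[Parameter(Position = 3, Mandatory = $true)]`, keeps the signature from implying a second set that no longer exists. The same vestigial set name remains in the Invoke-Mimikatz.ps1 and Invoke-NinjaCopy.ps1 hunks below, which apply an identical change to what is visibly the same function body copied into three files, so the copies are likely to drift unless the shared code is factored out in a follow-up. The function's header and the remainder of its body lie outside the hunk, so it cannot be confirmed here that nothing else referenced `$EndAddress`.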
@@ -802,24 +802,12 @@ $RemoteScriptBlock = {
 [IntPtr] $StartAddress,
- [Parameter(ParameterSetName = "EndAddress", Position = 3, Mandatory = $true)]
- [IntPtr]
- $EndAddress,
-
 [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)] [IntPtr] $Size )
- [IntPtr]$FinalEndAddress = [IntPtr]::Zero
- if ($PsCmdlet.ParameterSetName -eq "Size")
- {
- [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
- }
- else
- {
- $FinalEndAddress = $EndAddress
- }
+ [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
 $PEEndAddress = $PEInfo.EndAddress
diff --git a/Exfiltration/Invoke-NinjaCopy.ps1 b/Exfiltration/Invoke-NinjaCopy.ps1
index 7ff5bfa..36cef8d 100644
--- a/Exfiltration/Invoke-NinjaCopy.ps1
+++ b/Exfiltration/Invoke-NinjaCopy.ps1
@@ -818,24 +818,12 @@ $RemoteScriptBlock = {
 [IntPtr] $StartAddress,
- [Parameter(ParameterSetName = "EndAddress", Position = 3, Mandatory = $true)]
- [IntPtr]
- $EndAddress,
-
 [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)] [IntPtr] $Size )
- [IntPtr]$FinalEndAddress = [IntPtr]::Zero
- if ($PsCmdlet.ParameterSetName -eq "Size")
- {
- [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
- }
- else
- {
- $FinalEndAddress = $EndAddress
- }
+ [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
 $PEEndAddress = $PEInfo.EndAddress
-- cgit v1.2.3