From 5e1f6ac29a851b6833b0e313c02f684f54a79b53 Mon Sep 17 00:00:00 2001 From: clymb3r Date: Tue, 3 Sep 2013 20:10:18 -0700 Subject: Call to DllMain when unloading reflective DLL Prior to this fix, DllMain with the ProessDetach flag was not called when unloading the reflectively loaded DLL. This was causing very weird crashes in the Invoke-NinjaCopy script which is built on this script. This should fix the crash. --- CodeExecution/Invoke-ReflectivePEInjection.ps1 | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'CodeExecution') diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index b582847..a9772e2 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 @@ -2620,6 +2620,15 @@ Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/ $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf($Win32Types.IMAGE_IMPORT_DESCRIPTOR)) } } + + #Call DllMain with process detach + Write-Verbose "Calling dllmain so the DLL knows it is being unloaded" + $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) + $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool]) + $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate) + + $DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null + $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE) if ($Success -eq $false) -- cgit v1.2.3