From c45f3361e28d62a58a168de7848a8ba94e76cc33 Mon Sep 17 00:00:00 2001
From: bitform
Date: Sun, 20 Jan 2013 10:11:30 -0500
Subject: Created a ScriptModification module.
* All scripts used to prepare and/or modify payload scripts were added to the ScriptModification module.
* Added Remove-Comments - Strips comments and extra whitespace from a script.
* Encrypt-Script was named to Out-EncryptedScript in order to conform to proper PowerShell verbs.
---
ScriptModification/Out-CompressedDll.ps1 | 81 ++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
create mode 100644 ScriptModification/Out-CompressedDll.ps1
(limited to 'ScriptModification/Out-CompressedDll.ps1')
diff --git a/ScriptModification/Out-CompressedDll.ps1 b/ScriptModification/Out-CompressedDll.ps1
new file mode 100644
index 0000000..f781c15
--- /dev/null
+++ b/ScriptModification/Out-CompressedDll.ps1
@@ -0,0 +1,81 @@
+function Out-CompressedDll
+{
+<#
+.SYNOPSIS
+
+Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
+
+PowerSploit Module - Out-CompressedDll
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+.DESCRIPTION
+
+Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array.
+
+.PARAMETER FilePath
+
+Specifies the path to a managed executable.
+
+.EXAMPLE
+
+C:\PS> Out-CompressedDll -FilePath evil.dll
+
+Description
+-----------
+Compresses, base64 encodes, and outputs the code required to load evil.dll in memory.
+
+.NOTES
+
+Only pure MSIL-based dlls can be loaded using this technique. Native or IJW ('it just works' - mixed-mode) dlls will not load.
+
+.LINK
+
+http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html
+#>
+
+ [CmdletBinding()] Param (
+ [Parameter(Mandatory = $True)]
+ [String]
+ $FilePath
+ )
+
+ $Path = Resolve-Path $FilePath
+
+ if (! [IO.File]::Exists($Path))
+ {
+ Throw "$Path does not exist."
+ }
+
+ $FileBytes = [System.IO.File]::ReadAllBytes($Path)
+
+ if (($FileBytes[0..1] | % {[Char]$_}) -join '' -cne 'MZ')
+ {
+ Throw "$Path is not a valid executable."
+ }
+
+ $Length = $FileBytes.Length
+ $CompressedStream = New-Object IO.MemoryStream
+ $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
+ $DeflateStream.Write($FileBytes, 0, $FileBytes.Length)
+ $DeflateStream.Dispose()
+ $CompressedFileBytes = $CompressedStream.ToArray()
+ $CompressedStream.Dispose()
+ $EncodedCompressedFile = [Convert]::ToBase64String($CompressedFileBytes)
+
+ Write-Verbose "Compression ratio: $(($EncodedCompressedFile.Length/$FileBytes.Length).ToString('#%'))"
+
+ $Output = @"
+`$EncodedCompressedFile = @'
+$EncodedCompressedFile
+'@
+`$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`$EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
+`$UncompressedFileBytes = New-Object Byte[]($Length)
+`$DeflatedStream.Read(`$UncompressedFileBytes, 0, $Length) | Out-Null
+[Reflection.Assembly]::Load(`$UncompressedFileBytes)
+"@
+
+ Write-Output $Output
+}
\ No newline at end of file
-- cgit v1.2.3
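Review bot: The help block never states what the emitted script does at run time, which is what someone reading generated output or host logs needs to know. The here-string at the end of the function produces code that Base64-decodes an embedded blob, inflates it with DeflateStream and hands the bytes to `[Reflection.Assembly]::Load`, so the assembly is never written to disk. I would add a `.NOTES` line such as `The generated code loads the assembly from a byte array; file-based scanning does not see it, but the loader text is visible to PowerShell script block logging and AMSI where those are enabled.` Separately, `Resolve-Path $FilePath` runs before the existence test, so for a missing file `$Path` is most likely empty and `Throw "$Path does not exist."` loses the name; `Throw "$FilePath does not exist."` keeps it. The `'MZ'` test also accepts any PE file, although the notes say only pure MSIL dlls load, so the "not a valid executable" message understates what is required.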