Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge fa3a3bc10e into c7985c9bc3

This commit is contained in:
Mariusz 2018-01-29 00:53:42 +00:00 committed by GitHub
parent c7985c9bc3 fa3a3bc10e
commit 719ca60316
1 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
CodeExecution/Invoke-ReflectivePEInjection.ps1
View File

@ -125,7 +125,13 @@ remoting will not be returned to you. If you just run the PowerShell script loca
applications because it will just appear in the console window. The limitation only applies when using PowerShell remoting.
For DLL Loading:
Once this script loads the DLL, it calls a function in the DLL. There is a section near the bottom labeled "YOUR CODE GOES HERE"
Once this script loads the DLL, it may call a function in the DLL if you specified a -FuncReturnType parameter other than None.
If you haven't, all the script will do is to load up a DLL, launch it DllMain and leave all the rest to the code in DllMain
that hopefully will handle DLL_PROCESS_ATTACH / DLL_THREAD_ATTACH event and do the job locally. This is how the msfvenom generates it's DLLs,
they all start up from DllMain not from any export.
In case you have specified -FuncReturnType other than None, this script will call an exported from DLL function - with the name alike to return type.
There is a section near the bottom labeled "YOUR CODE GOES HERE"
I recommend your DLL take no parameters. I have prewritten code to handle functions which take no parameters are return
the following types: char*, wchar_t*, and void. If the function returns char* or wchar_t* the script will output the
returned data. The FuncReturnType parameter can be used to specify which return type to use. The mapping is as follows:
@ -171,9 +177,9 @@ Param(
$ComputerName,
[Parameter(Position = 2)]
[ValidateSet( 'WString', 'String', 'Void' )]
[ValidateSet( 'WString', 'String', 'Void', 'None' )]
[String]
$FuncReturnType = 'Void',
$FuncReturnType = 'None',
[Parameter(Position = 3)]
[String]
@ -2809,6 +2815,10 @@ $RemoteScriptBlock = {
$VoidFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VoidFuncAddr, $VoidFuncDelegate)
$VoidFunc.Invoke() | Out-Null
}
'None' {
Write-Verbose "Not calling any function. Leaving it all to DllMain(DLL_PROCESS_ATTACH)."
}
}
#########################################
### END OF YOUR CODE