This fix addresses issue #99. While I'm not the biggest fan of
performing tests based on environment variables, I felt that making
additional Win32 API calls would have been overkill.
This bug fix addresses issue #96. As much as a hate dropping files to
disk, this was the easiest way to preserve objects in PSv2+. If someone
want to implement the [de]serialization themselves and keep everything
in memory, please submit a PR.
Removed extraneous parameters
Removed the following extraneous parameters:
-PEPath
-PEUrl
The functionality they provided can be easily replicated in code outside
of Invoke-ReflectivePEInjection. i.e. it should be up to the user how
they might want to download a PE before loading it. That should not be
dictated by Invoke-ReflectivePEInjection.
Removed the following extraneous parameters:
-PEPath
-PEUrl
-ComputerName
The functionality they provided can be easily replicated in code outside
of Invoke-ReflectivePEInjection. i.e. it should be up to the user how
they might want to download a PE before loading it. That should not be
dictated by Invoke-ReflectivePEInjection.
This fixes the URI bug submitted by @enigma0x3. Thank you for the PR as well! A legacy switch is added in case anyone is relying on this script and an older meterpreter handler.
Proxy support is added to grab the default proxy by way of a switch.
The default user-agent is grabbed from the registry instead of being a static string.
I tested this on a Windows 7 SP1 (both x86 and 64-bit) and Windows 8.1 (64-bit) with an older handler and an updated one.
Fixed a bug where calling GetProcAddress by ordinal instead of procedure
name failed.
Fixed a bug where reflectively loading an EXE will cause the entry
function (main()) to be called twice instead of once as expected.
Added a ForceASLR flag to force ASLR to be used even if the PE file
doesn't officially support ASLR.
Some minor other changes.
Calling CreateRemoteThread on lsass.
Bug fix: Invoke-DllInjection was checking the processor architecture
when it should have been validating the OS architecture. This would
cause Invoke-DllInjection to fail on a 32-bit OS with a 64-bit
processor.
Prior to this fix, DllMain with the ProessDetach flag was not called
when unloading the reflectively loaded DLL. This was causing very weird
crashes in the Invoke-NinjaCopy script which is built on this script.
This should fix the crash.
Another awesome addition from Joe Bialek. Invoke-ReflectivePEInjection
is a vast improvement over Invoke-ReflectiveDllInjection. It adds the
following features:
* Now supports loading exe files in memory
* Supports reflective dll injection into a remote process
* Additional sample Visual Studio solutions
Adding Invoke-ReflectiveDllInjection. PowerSploit now has reflective DLL
loading capabilities!!! Thanks to Joe Bialek @JosephBialek for writing
this awesome code!
* I unfortunately needed to change the names of Inject-Shellcode and
Inject-Dll to Invoke-Shellcode and Invoke-DllInjection in order to
confirm to proper verb naming.
HarmJ0y
Matt Graeber
Matt Graeber
Matt Graeber
Chris Campbell
clymb3r