Removed extraneous parameters
Removed the following extraneous parameters:
-PEPath
-PEUrl
The functionality they provided can be easily replicated in code outside
of Invoke-ReflectivePEInjection. i.e. it should be up to the user how
they might want to download a PE before loading it. That should not be
dictated by Invoke-ReflectivePEInjection.
Removed the following extraneous parameters:
-PEPath
-PEUrl
-ComputerName
The functionality they provided can be easily replicated in code outside
of Invoke-ReflectivePEInjection. i.e. it should be up to the user how
they might want to download a PE before loading it. That should not be
dictated by Invoke-ReflectivePEInjection.
Windows 10 breaks the current version of Invoke-TokenManipulation.ps1 because wininit is now a protected processes. Rather than hardcoding to a specific process to obtain a SYSTEM token, it's better to enumerate all processes running as SYSTEM and find one that works. I have updated the script to version 1.12 and added logic on lines 1689-1696 to make sure it can successfully grab a SYSTEM token necessary to function.
- Changed Remove-VSC to have a single mandatory parameter (DevicePath)
- Updated New-VSC to check initial state of the VSS Service and return
VSS to its inital state after execution
The column headings in the log file are out of order, e.g.
```
"TypedKey","Time","WindowTitle"
"Document1 - Word","[Shift]","01-05-2015:20:53:29:28"
"Document1 - Word","[Shift][Shift]","01-05-2015:20:53:29:31"
"Document1 - Word","[Shift]","01-05-2015:20:53:29:38"
```
The "WindowTitle" should be the first column heading like this,
```
"WindowTitle","TypedKey","Time"
"Document1 - Word","[Shift]","01-05-2015:20:53:29:28"
"Document1 - Word","[Shift][Shift]","01-05-2015:20:53:29:31"
"Document1 - Word","[Shift]","01-05-2015:20:53:29:38"
```
This fixes the URI bug submitted by @enigma0x3. Thank you for the PR as well! A legacy switch is added in case anyone is relying on this script and an older meterpreter handler.
Proxy support is added to grab the default proxy by way of a switch.
The default user-agent is grabbed from the registry instead of being a static string.
I tested this on a Windows 7 SP1 (both x86 and 64-bit) and Windows 8.1 (64-bit) with an older handler and an updated one.
Thanks, @aconite33 for the suggestion.
- TripleDESCryptoServiceProvider is now used as the crypto algorithm
because it won't break the script when FIPS compliance is enabled in the
registry.
- I actually implemented the InitializationVector parameter
- Cleaned up the output script
- Cleaned up comment-based help
Updated to the latest Mimikatz build. Added sanity checks to ensure that
32bit PowerShell isn't being run on a 64bit OS which will cause Mimikatz
to fail.
Matt Graeber
Harmj0y
Matt Graeber
FixTheExchange
clymb3r
Jared Atkinson
Chris Campbell
Jonathan